Edit tour

Windows Analysis Report
gZzI6gTYn4.exe

Overview

General Information

Sample name:	gZzI6gTYn4.exe renamed because original name is a hash value
Original sample name:	f2fdf50927663d80056fc0bcd576c461.exe
Analysis ID:	1520447
MD5:	f2fdf50927663d80056fc0bcd576c461
SHA1:	e4a3effdbe933a92869c2b859f2bea4b9f89729a
SHA256:	7af5384d5927029f94ff0639272716c837b7ae7fb6f855f67c6d7a74004c67e7
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

LummaC encrypted strings found

Sample uses string decryption to hide its real strings

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

gZzI6gTYn4.exe (PID: 6984 cmdline: "C:\Users\user\Desktop\gZzI6gTYn4.exe" MD5: F2FDF50927663D80056FC0BCD576C461)

conhost.exe (PID: 7004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 6244 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/ https://censys.com/a-beginners-guide-to-hunting-open-directories/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["vozmeatillu.shop", "gutterydhowi.shop", "fragnantbui.shop", "offensivedzvju.shop", "reinforcenh.shop", "stogeneratmns.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "lootebarrkeyn.shop"], "Build id": "FATE99--"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
2.2.RegAsm.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:18.058775+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.4.136	443	TCP
2024-09-27T11:16:19.009337+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49731	188.114.96.3	443	TCP
2024-09-27T11:16:19.915533+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49732	188.114.97.3	443	TCP
2024-09-27T11:16:20.852879+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49733	188.114.96.3	443	TCP
2024-09-27T11:16:21.793147+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49734	172.67.162.108	443	TCP
2024-09-27T11:16:22.759818+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49735	188.114.96.3	443	TCP
2024-09-27T11:16:23.881986+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49736	188.114.96.3	443	TCP
2024-09-27T11:16:24.820981+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49737	104.21.77.130	443	TCP
2024-09-27T11:16:27.023133+0200	2054653	1	A Network Trojan was detected	192.168.2.4	49739	172.67.128.144	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:18.058775+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.4.136	443	TCP
2024-09-27T11:16:19.009337+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49731	188.114.96.3	443	TCP
2024-09-27T11:16:19.915533+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49732	188.114.97.3	443	TCP
2024-09-27T11:16:20.852879+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49733	188.114.96.3	443	TCP
2024-09-27T11:16:21.793147+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49734	172.67.162.108	443	TCP
2024-09-27T11:16:22.759818+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49735	188.114.96.3	443	TCP
2024-09-27T11:16:23.881986+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49736	188.114.96.3	443	TCP
2024-09-27T11:16:24.820981+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49737	104.21.77.130	443	TCP
2024-09-27T11:16:27.023133+0200	2049836	1	A Network Trojan was detected	192.168.2.4	49739	172.67.128.144	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:21.356055+0200	2056157	1	Domain Observed Used for C2 Detected	192.168.2.4	49734	172.67.162.108	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:22.305456+0200	2056155	1	Domain Observed Used for C2 Detected	192.168.2.4	49735	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:18.559269+0200	2056163	1	Domain Observed Used for C2 Detected	192.168.2.4	49731	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:17.599316+0200	2056165	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	104.21.4.136	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:19.489492+0200	2056161	1	Domain Observed Used for C2 Detected	192.168.2.4	49732	188.114.97.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:24.395791+0200	2056151	1	Domain Observed Used for C2 Detected	192.168.2.4	49737	104.21.77.130	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:23.245653+0200	2056153	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:20.406819+0200	2056159	1	Domain Observed Used for C2 Detected	192.168.2.4	49733	188.114.96.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:20.854662+0200	2056156	1	Domain Observed Used for C2 Detected	192.168.2.4	56294	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:21.793913+0200	2056154	1	Domain Observed Used for C2 Detected	192.168.2.4	55540	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:18.070792+0200	2056162	1	Domain Observed Used for C2 Detected	192.168.2.4	50969	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:17.117434+0200	2056164	1	Domain Observed Used for C2 Detected	192.168.2.4	52923	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:17.101770+0200	2056048	1	Domain Observed Used for C2 Detected	192.168.2.4	59470	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:19.012822+0200	2056160	1	Domain Observed Used for C2 Detected	192.168.2.4	65266	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:23.910047+0200	2056150	1	Domain Observed Used for C2 Detected	192.168.2.4	50904	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:22.761643+0200	2056152	1	Domain Observed Used for C2 Detected	192.168.2.4	49372	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-27T11:16:19.917534+0200	2056158	1	Domain Observed Used for C2 Detected	192.168.2.4	58169	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://steamcommunity.com/profiles/76561199724331900	URL Reputation: Label: malware
Source: https://steamcommunity.com/profiles/76561199724331900/inventory/	URL Reputation: Label: malware

Found malware configuration

Source: 2.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["vozmeatillu.shop", "gutterydhowi.shop", "fragnantbui.shop", "offensivedzvju.shop", "reinforcenh.shop", "stogeneratmns.shop", "drawzhotdog.shop", "ghostreedmnu.shop", "lootebarrkeyn.shop"], "Build id": "FATE99--"}

Multi AV Scanner detection for submitted file

Source: gZzI6gTYn4.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: reinforcenh.shop
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stogeneratmns.shop
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: fragnantbui.shop
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: drawzhotdog.shop
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: vozmeatillu.shop
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: offensivedzvju.shop
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ghostreedmnu.shop
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: gutterydhowi.shop
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lootebarrkeyn.shop
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: FATE99--

Source: gZzI6gTYn4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.144:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: gZzI6gTYn4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\rje\tg\cv\obj\Release\ojc.pdb source: gZzI6gTYn4.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	2_2_0040F042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0040D470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	2_2_0040F807
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 68677325h	2_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00447AC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	2_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 2EE0190Fh	2_2_00447E1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, esi	2_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	2_2_0044B010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00425030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ecx, dword ptr [esp+eax*4+30h]	2_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 7E28BDA7h	2_2_0044B1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00427230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	2_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	2_2_004142E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 81105F7Ah	2_2_0044B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+edi+00000090h]	2_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	2_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+08h]	2_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_00412450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	2_2_00442410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0044B430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_004314A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	2_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_00435519
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_00433623
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 0633C81Dh	2_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_00434629
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	2_2_0040F63A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ebx], 00000000h	2_2_00414692
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000668h]	2_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 77DD2217h	2_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+01h], 00000000h	2_2_0040F7E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+000001C8h]	2_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000198h]	2_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_00432830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	2_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+14h]	2_2_00444970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000884h]	2_2_00429978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	2_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	2_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_00420A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 77A9E0C4h	2_2_00440A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [ecx+eax]	2_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0040FA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], CECD21FDh	2_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CECD21FDh	2_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00421AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1B788DCFh	2_2_00444BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_0041AB90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 54CA534Eh	2_2_00448B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00430CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	2_2_00405CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	2_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	2_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 0633C81Dh	2_2_00445DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	2_2_00448D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-18h]	2_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	2_2_0042FE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ebx, 02h	2_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esi+04h]	2_2_00413EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then dec ebx	2_2_0043FE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_00426FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [004521ECh]	2_2_0041FFD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+eax+01h], 00000000h	2_2_0042DFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0043BFF0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2056048 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop) : 192.168.2.4:59470 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056164 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop) : 192.168.2.4:52923 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056162 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop) : 192.168.2.4:50969 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056158 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop) : 192.168.2.4:58169 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056160 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop) : 192.168.2.4:65266 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056152 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop) : 192.168.2.4:49372 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056150 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop) : 192.168.2.4:50904 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056163 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI) : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056161 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI) : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2056153 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI) : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056159 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI) : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056157 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI) : 192.168.2.4:49734 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2056165 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI) : 192.168.2.4:49730 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2056156 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop) : 192.168.2.4:56294 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056155 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI) : 192.168.2.4:49735 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2056154 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop) : 192.168.2.4:55540 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2056151 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI) : 192.168.2.4:49737 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49739 -> 172.67.128.144:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49734 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 172.67.162.108:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49737 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49739 -> 172.67.128.144:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49737 -> 104.21.77.130:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49731 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49735 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49735 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.4.136:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: vozmeatillu.shop
Source: Malware configuration extractor	URLs: gutterydhowi.shop
Source: Malware configuration extractor	URLs: fragnantbui.shop
Source: Malware configuration extractor	URLs: offensivedzvju.shop
Source: Malware configuration extractor	URLs: reinforcenh.shop
Source: Malware configuration extractor	URLs: stogeneratmns.shop
Source: Malware configuration extractor	URLs: drawzhotdog.shop
Source: Malware configuration extractor	URLs: ghostreedmnu.shop
Source: Malware configuration extractor	URLs: lootebarrkeyn.shop

Source: Joe Sandbox View	IP Address: 104.21.77.130 104.21.77.130
Source: Joe Sandbox View	IP Address: 104.21.4.136 104.21.4.136
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ghostreedmnu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: offensivedzvju.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: vozmeatillu.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: drawzhotdog.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: fragnantbui.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stogeneratmns.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: reinforcenh.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: ballotnwu.site

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: lootebarrkeyn.shop
Source: global traffic	DNS traffic detected: DNS query: gutterydhowi.shop
Source: global traffic	DNS traffic detected: DNS query: ghostreedmnu.shop
Source: global traffic	DNS traffic detected: DNS query: offensivedzvju.shop
Source: global traffic	DNS traffic detected: DNS query: vozmeatillu.shop
Source: global traffic	DNS traffic detected: DNS query: drawzhotdog.shop
Source: global traffic	DNS traffic detected: DNS query: fragnantbui.shop
Source: global traffic	DNS traffic detected: DNS query: stogeneratmns.shop
Source: global traffic	DNS traffic detected: DNS query: reinforcenh.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: ballotnwu.site

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: gutterydhowi.shop

Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/
Source: RegAsm.exe, 00000002.00000002.1788798759.0000000001166000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/P
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/api
Source: RegAsm.exe, 00000002.00000002.1788798759.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site/apiX
Source: RegAsm.exe, 00000002.00000002.1788798759.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ballotnwu.site:443/apiprofiles/76561199724331900
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/pI
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/publi
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.c
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.~
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xk0
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_respons
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapte
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
Source: RegAsm.exe, 00000002.00000002.1788798759.000000000115D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/
Source: RegAsm.exe, 00000002.00000002.1788798759.000000000115D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/api
Source: RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ghostreedmnu.shop/apiD
Source: RegAsm.exe, 00000002.00000002.1788798759.0000000001166000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://gutterydhowi.shop/api
Source: RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop/)
Source: RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://offensivedzvju.shop/api2
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/
Source: RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/apij
Source: RegAsm.exe, 00000002.00000002.1788798759.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://reinforcenh.shop/apio
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1788798759.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: RegAsm.exe, 00000002.00000002.1788798759.000000000117D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/cr
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: RegAsm.exe, 00000002.00000002.1788798759.000000000115D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stogeneratmns.shop/
Source: RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: RegAsm.exe, 00000002.00000002.1788798759.0000000001166000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/0
Source: RegAsm.exe, 00000002.00000002.1788798759.0000000001166000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/1
Source: RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/api
Source: RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vozmeatillu.shop/apis

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443

Source: unknown	HTTPS traffic detected: 104.21.4.136:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.162.108:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.77.130:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.128.144:443 -> 192.168.2.4:49739 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00439BD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00439BD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0043A777 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

2_2_0043A777

System Summary

.NET source code contains very large array initializations

Source: gZzI6gTYn4.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 365056

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Code function: 0_2_00EF0C40	0_2_00EF0C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004103A8	2_2_004103A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00447D38	2_2_00447D38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004480B0	2_2_004480B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00449120	2_2_00449120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040C1C0	2_2_0040C1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042D250	2_2_0042D250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A231	2_2_0040A231
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044A230	2_2_0044A230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004012C7	2_2_004012C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004452E0	2_2_004452E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00415352	2_2_00415352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00407450	2_2_00407450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00405470	2_2_00405470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00409402	2_2_00409402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004404AB	2_2_004404AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044A510	2_2_0044A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004115B0	2_2_004115B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041D610	2_2_0041D610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00449620	2_2_00449620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A6E0	2_2_0040A6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B6B0	2_2_0040B6B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043F700	2_2_0043F700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041E71A	2_2_0041E71A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044B720	2_2_0044B720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00428833	2_2_00428833
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004338C0	2_2_004338C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004408E6	2_2_004408E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004038A0	2_2_004038A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00434990	2_2_00434990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040ABA0	2_2_0040ABA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042EBBC	2_2_0042EBBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00437CD0	2_2_00437CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00449D22	2_2_00449D22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00407E50	2_2_00407E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00427E6C	2_2_00427E6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00437F30	2_2_00437F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042DFE0	2_2_0042DFE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041D1E0 appears 164 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CC80 appears 44 times

Source: gZzI6gTYn4.exe, 00000000.00000002.1688642267.00000000009BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs gZzI6gTYn4.exe
Source: gZzI6gTYn4.exe, 00000000.00000000.1684691892.000000000051E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameVQP.exeD vs gZzI6gTYn4.exe
Source: gZzI6gTYn4.exe	Binary or memory string: OriginalFilenameVQP.exeD vs gZzI6gTYn4.exe

Source: gZzI6gTYn4.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: gZzI6gTYn4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/2@11/7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0043910C CoCreateInstance,

2_2_0043910C

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gZzI6gTYn4.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7004:120:WilError_03

Source: gZzI6gTYn4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: gZzI6gTYn4.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gZzI6gTYn4.exe

ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\gZzI6gTYn4.exe "C:\Users\user\Desktop\gZzI6gTYn4.exe"
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: gZzI6gTYn4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: gZzI6gTYn4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: gZzI6gTYn4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\rje\tg\cv\obj\Release\ojc.pdb source: gZzI6gTYn4.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00438B7E push cs; iretd

2_2_00438B85

Source: gZzI6gTYn4.exe

Static PE information: section name: .text entropy: 7.995242302577597

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Memory allocated: EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Memory allocated: 2930000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Memory allocated: 26C0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe TID: 7120	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6212	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000002.00000002.1788798759.0000000001155000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_004476D0 LdrInitializeThunk,

2_2_004476D0

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: gZzI6gTYn4.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: gZzI6gTYn4.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")
Source: gZzI6gTYn4.exe, Program.cs	Reference to suspicious API methods: GetProcAddress(LoadLibraryA("kernel32.dll"), "VirtualProtectEx")

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe

Code function: 0_2_02932145 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_02932145

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: gZzI6gTYn4.exe, 00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: reinforcenh.shop
Source: gZzI6gTYn4.exe, 00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stogeneratmns.shop
Source: gZzI6gTYn4.exe, 00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: fragnantbui.shop
Source: gZzI6gTYn4.exe, 00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: drawzhotdog.shop
Source: gZzI6gTYn4.exe, 00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: vozmeatillu.shop
Source: gZzI6gTYn4.exe, 00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: offensivedzvju.shop
Source: gZzI6gTYn4.exe, 00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ghostreedmnu.shop
Source: gZzI6gTYn4.exe, 00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: gutterydhowi.shop
Source: gZzI6gTYn4.exe, 00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: lootebarrkeyn.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44D000	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 450000	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 460000	Jump to behavior
Source: C:\Users\user\Desktop\gZzI6gTYn4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: E9F008	Jump to behavior

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\gZzI6gTYn4.exe

Queries volume information: C:\Users\user\Desktop\gZzI6gTYn4.exe VolumeInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	411 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Screen Capture	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gZzI6gTYn4.exe	66%	ReversingLabs	ByteCode-MSIL.Spyware.Lummastealer

Source	Detection	Scanner	Label
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	0%	URL Reputation	safe
http://store.steampowered.com/subscriber_agreement/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	0%	URL Reputation	safe
https://store.steampowered.com/legal/	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	0%	URL Reputation	safe
http://store.steampowered.com/privacy_agreement/	0%	URL Reputation	safe
https://steamcommunity.com/profiles/76561199724331900/inventory/	100%	URL Reputation	malware
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	0%	URL Reputation	safe
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	0%	URL Reputation	safe
http://store.steampowered.com/account/cookiepreferences/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
fragnantbui.shop	188.114.96.3	true	true	unknown
gutterydhowi.shop	104.21.4.136	true	true	unknown
steamcommunity.com	104.102.49.254	true	false	unknown
offensivedzvju.shop	188.114.97.3	true	true	unknown
stogeneratmns.shop	188.114.96.3	true	true	unknown
reinforcenh.shop	104.21.77.130	true	true	unknown
drawzhotdog.shop	172.67.162.108	true	true	unknown
ghostreedmnu.shop	188.114.96.3	true	true	unknown
vozmeatillu.shop	188.114.96.3	true	true	unknown
ballotnwu.site	172.67.128.144	true	true	unknown
lootebarrkeyn.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://drawzhotdog.shop/api	true		unknown
lootebarrkeyn.shop	true		unknown
https://gutterydhowi.shop/api	true		unknown
reinforcenh.shop	true		unknown
stogeneratmns.shop	true		unknown
https://reinforcenh.shop/api	true		unknown
ghostreedmnu.shop	true		unknown
https://ballotnwu.site/api	true		unknown
https://steamcommunity.com/profiles/76561199724331900	true	URL Reputation: malware	unknown
https://vozmeatillu.shop/api	true		unknown
https://stogeneratmns.shop/api	true		unknown
https://ghostreedmnu.shop/api	true		unknown
fragnantbui.shop	true		unknown
gutterydhowi.shop	true		unknown
https://offensivedzvju.shop/api	true		unknown
https://fragnantbui.shop/api	true		unknown
offensivedzvju.shop	true		unknown
drawzhotdog.shop	true		unknown
vozmeatillu.shop	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ballotnwu.site/apiX	RegAsm.exe, 00000002.00000002.1788798759.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/global.js?v=9OzcxMXbaV84&l=english	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reinforcenh.shop/apij	RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reinforcenh.shop/apio	RegAsm.exe, 00000002.00000002.1788798759.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/shared_respons	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/subscriber_agreement/	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapte	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ballotnwu.site/P	RegAsm.exe, 00000002.00000002.1788798759.0000000001166000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ghostreedmnu.shop/apiD	RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://vozmeatillu.shop/0	RegAsm.exe, 00000002.00000002.1788798759.0000000001166000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://vozmeatillu.shop/1	RegAsm.exe, 00000002.00000002.1788798759.0000000001166000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.c	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reinforcenh.shop/	RegAsm.exe, 00000002.00000002.1788798759.00000000011D8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/cr	RegAsm.exe, 00000002.00000002.1788798759.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://store.steampowered.com/legal/	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ballotnwu.site/	RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/pI	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ghostreedmnu.shop/	RegAsm.exe, 00000002.00000002.1788798759.000000000115D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/javascript/modalContent.~	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://offensivedzvju.shop/api2	RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://offensivedzvju.shop/)	RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://stogeneratmns.shop/	RegAsm.exe, 00000002.00000002.1788798759.000000000115D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ballotnwu.site:443/apiprofiles/76561199724331900	RegAsm.exe, 00000002.00000002.1788798759.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://store.steampowered.com/privacy_agreement/	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://steamcommunity.com/profiles/76561199724331900/inventory/	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xk0	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/publi	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://store.steampowered.com/account/cookiepreferences/	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://vozmeatillu.shop/apis	RegAsm.exe, 00000002.00000002.1788798759.0000000001190000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://steamcommunity.com/	RegAsm.exe, 00000002.00000002.1788798759.00000000011D8000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1788798759.000000000117D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://community.akamai.	RegAsm.exe, 00000002.00000002.1788798759.00000000011ED000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.77.130	reinforcenh.shop	United States	13335	CLOUDFLARENETUS	true
104.21.4.136	gutterydhowi.shop	United States	13335	CLOUDFLARENETUS	true
188.114.97.3	offensivedzvju.shop	European Union	13335	CLOUDFLARENETUS	true
172.67.162.108	drawzhotdog.shop	United States	13335	CLOUDFLARENETUS	true
172.67.128.144	ballotnwu.site	United States	13335	CLOUDFLARENETUS	true
188.114.96.3	fragnantbui.shop	European Union	13335	CLOUDFLARENETUS	true
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520447
Start date and time:	2024-09-27 11:15:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gZzI6gTYn4.exe renamed because original name is a hash value
Original Sample Name:	f2fdf50927663d80056fc0bcd576c461.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/2@11/7
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 14 Number of non-executed functions: 56
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: gZzI6gTYn4.exe

Simulations

Behavior and APIs

Time	Type	Description
05:16:16	API Interceptor	3x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.77.130	Notepad3_v6.23.203.2.exe	Get hash	malicious	Amadey, GO Backdoor	Browse	downloaddining3.com/h9fmdW7/index.php
	am.exe	Get hash	malicious	Amadey	Browse	downloaddining3.com/h9fmdW7/index.php
	am.exe	Get hash	malicious	Amadey	Browse	downloaddining3.com/h9fmdW7/index.php
104.21.4.136	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, Vidar	Browse
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse
	3ZD5tEC5DH.exe	Get hash	malicious	LummaC	Browse
	a7HdB2dU5P.exe	Get hash	malicious	LummaC	Browse
188.114.97.3	9q24V7OSys.exe	Get hash	malicious	FormBook	Browse	www.kzeconomy.top/bopi/?-Z_XO=6kwaqb6m5omublBEUG6Q6qPKP5yOZjcuHwr6+9T02/Tvpmf8nJuTPpmClij6fvBBwm3b&zxltAx=RdCtqlAhlNvlRVfP
	QUOTATION_SEPQTRA071244PDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/mfctuvFf/download
	http://brawllstars.ru/	Get hash	malicious	HTMLPhisher	Browse	brawllstars.ru/
	http://aktiivasi-paylaterr.from-resmi.com/	Get hash	malicious	Unknown	Browse	aktiivasi-paylaterr.from-resmi.com/
	ECChG5eWfZ.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	homker11.uebki.one/GeneratorTest.php
	HpCQgSai4e.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?XtEdZRAP=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4J3RpZHG8N5&8p=DXgPYZ
	QUOTATION_SEPQTRA071244#U00faPDF.scr.exe	Get hash	malicious	Snake Keylogger	Browse	filetransfer.io/data-package/Ky4pZ0WB/download
	ADNOC requesting RFQ.exe	Get hash	malicious	FormBook	Browse	www.1win-moldovia.fun/1g7m/
	http://www.tiktok758.com/	Get hash	malicious	Unknown	Browse	www.tiktok758.com/img/logo.4c830710.svg
	TRmSF36qQG.exe	Get hash	malicious	FormBook	Browse	www.zhxgtlw.top/bopi/?0T5=UL08qvZHLtV&EnAHS=tIrAt1o0vWdNGbj/SzADcCGpASEIYc8Vm+jYIgWXaQC1p/Id9tI9XA8Ni4JOdI1EXss+

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
offensivedzvju.shop	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	0UB3FIL25c.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.96.3
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
gutterydhowi.shop	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	0UB3FIL25c.exe	Get hash	malicious	LummaC	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	172.67.132.32
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.4.136
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.21.4.136
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	104.21.4.136
steamcommunity.com	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	zlsXub68El.exe	Get hash	malicious	Vidar	Browse	104.102.49.254
	0UB3FIL25c.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	104.102.49.254
fragnantbui.shop	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	0UB3FIL25c.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Vidar	Browse	188.114.97.3
	SecuriteInfo.com.Trojan.Win32.Crypt.24800.18482.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	9q24V7OSys.exe	Get hash	malicious	FormBook	Browse	104.21.69.238
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	GEsD6lobvy.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	188.114.97.3
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	FACTORY NEW PURCHASE ORDER.doc	Get hash	malicious	Unknown	Browse	162.159.130.233
	https://strato.de-sys.online/HJd9cn-2tRRO-rDZDs-D6p99-HbdYU-wK4oY-FICwzl/index.html	Get hash	malicious	HTMLPhisher	Browse	104.18.94.41
	FACTORY NEW PURCHASE ORDER.doc	Get hash	malicious	Unknown	Browse	162.159.130.233
	https://www.vossloh-events.com/EMOS/Login.aspx?ReturnUrl=%2femos	Get hash	malicious	Unknown	Browse	104.18.11.207
	FACTORY NEW PURCHASE ORDER.doc	Get hash	malicious	Unknown	Browse	162.159.130.233
CLOUDFLARENETUS	9q24V7OSys.exe	Get hash	malicious	FormBook	Browse	104.21.69.238
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	GEsD6lobvy.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	188.114.97.3
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	FACTORY NEW PURCHASE ORDER.doc	Get hash	malicious	Unknown	Browse	162.159.130.233
	https://strato.de-sys.online/HJd9cn-2tRRO-rDZDs-D6p99-HbdYU-wK4oY-FICwzl/index.html	Get hash	malicious	HTMLPhisher	Browse	104.18.94.41
	FACTORY NEW PURCHASE ORDER.doc	Get hash	malicious	Unknown	Browse	162.159.130.233
	https://www.vossloh-events.com/EMOS/Login.aspx?ReturnUrl=%2femos	Get hash	malicious	Unknown	Browse	104.18.11.207
	FACTORY NEW PURCHASE ORDER.doc	Get hash	malicious	Unknown	Browse	162.159.130.233
CLOUDFLARENETUS	9q24V7OSys.exe	Get hash	malicious	FormBook	Browse	104.21.69.238
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	GEsD6lobvy.hta	Get hash	malicious	Cobalt Strike, Snake Keylogger	Browse	188.114.97.3
	GfGxum1sf3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	FACTORY NEW PURCHASE ORDER.doc	Get hash	malicious	Unknown	Browse	162.159.130.233
	https://strato.de-sys.online/HJd9cn-2tRRO-rDZDs-D6p99-HbdYU-wK4oY-FICwzl/index.html	Get hash	malicious	HTMLPhisher	Browse	104.18.94.41
	FACTORY NEW PURCHASE ORDER.doc	Get hash	malicious	Unknown	Browse	162.159.130.233
	https://www.vossloh-events.com/EMOS/Login.aspx?ReturnUrl=%2femos	Get hash	malicious	Unknown	Browse	104.18.11.207
	FACTORY NEW PURCHASE ORDER.doc	Get hash	malicious	Unknown	Browse	162.159.130.233

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	U6b3tLFqN5.exe	Get hash	malicious	LummaC	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254
	FACTORY NEW PURCHASE ORDER.doc	Get hash	malicious	Unknown	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254
	Dev_Project.xls	Get hash	malicious	Unknown	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254
	Purchase Inquiry-0012.xls	Get hash	malicious	Unknown	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254
	0UB3FIL25c.exe	Get hash	malicious	LummaC	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254
	https://klvegaold.com/clicks/MjM4ODJfMjgzMjU2XzIzLjAwMDg3XzEzXzE3MjczMjgwNzU5NDEwMDQ5MTcyXzIwXjkwMGMwZGQ5NzJkYzQ2OTYzZTUyM2Y4ZDA1YzJjOGM4XjA4LjkuMjYuMjAyNA==	Get hash	malicious	Unknown	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254
	file.exe	Get hash	malicious	LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254
	https://trivedikavya.github.io/netflix_clone/	Get hash	malicious	HTMLPhisher	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254
	http://intesa-it.serv00.net/it/conto/	Get hash	malicious	Unknown	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254
	file.exe	Get hash	malicious	LummaC, RDPWrap Tool, LummaC Stealer, Vidar	Browse	104.21.77.130 104.21.4.136 188.114.97.3 172.67.162.108 172.67.128.144 188.114.96.3 104.102.49.254

Process:	C:\Users\user\Desktop\gZzI6gTYn4.exe
File Type:	CSV text
Category:	modified
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\gZzI6gTYn4.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	33
Entropy (8bit):	2.2845972159140855
Encrypted:	false
SSDEEP:	3:i6vvRyMivvRya:iKvHivD
MD5:	45B4C82B8041BF0F9CCED0D6A18D151A
SHA1:	B4DAD3FFFEF507CBB78671EE620BB495F8CE22F1
SHA-256:	7CFA461ED1FC8611AB74878EDB1FBBDE3596F5D042946A42A7F31EB6D462E628
SHA-512:	B29C3696A8A311EFAF9B9709BA082FF2C8D45A6912D79BC1DE7FEEFBEF8F8DDEFCD6650B5E1165D0A79800C8AED399E2B11BC2431E3837DD8587516BDE50EAB5
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	0..1..2..3..4..0..1..2..3..4.....

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.98896500834466
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	gZzI6gTYn4.exe
File size:	375'296 bytes
MD5:	f2fdf50927663d80056fc0bcd576c461
SHA1:	e4a3effdbe933a92869c2b859f2bea4b9f89729a
SHA256:	7af5384d5927029f94ff0639272716c837b7ae7fb6f855f67c6d7a74004c67e7
SHA512:	0c6ed639c044cc22f2f53ba4bd40011efaeeab61d9b03e4c0a15480cdd874a678d1d7c36dd3c78699a7f29692104cb2954906f50cf67b81d8a392b37b0f122d7
SSDEEP:	6144:oyb/4fldXvqrKLs4n/43+rkCSQ7w2AxoKwwHmQQt6nSbEyUWRa/wBNG9S3/Yw86o:zcKKu3+QxBwQI6SbEyp0/GNp3H86T0
TLSH:	27842390B3C04978D73F417E50732879A9B8FDBAEEB609CDD580621E072A672F146DB4
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f............................>.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x45ce3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66F5AE1A [Thu Sep 26 18:55:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5cde8	0x53	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5e000	0x5c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x60000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x5ccb0	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x5ae44	0x5b000	1eb48f2f23d576636d87889b53239878	False	0.993657709478022	data	7.995242302577597	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x5e000	0x5c8	0x600	a589a4206018b0dca6ae47d5c97f9001	False	0.4375	data	4.119926545451393	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x60000	0xc	0x200	ef500bd10f72fd04b5e7aed0b41ff3fd	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x5e0a0	0x334	data			0.4426829268292683
RT_MANIFEST	0x5e3d8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-27T11:16:17.101770+0200	2056048	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (lootebarrkeyn .shop)	1	192.168.2.4	59470	1.1.1.1	53	UDP
2024-09-27T11:16:17.117434+0200	2056164	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (gutterydhowi .shop)	1	192.168.2.4	52923	1.1.1.1	53	UDP
2024-09-27T11:16:17.599316+0200	2056165	ET MALWARE Observed Win32/Lumma Stealer Related Domain (gutterydhowi .shop in TLS SNI)	1	192.168.2.4	49730	104.21.4.136	443	TCP
2024-09-27T11:16:18.058775+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.4.136	443	TCP
2024-09-27T11:16:18.058775+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.4.136	443	TCP
2024-09-27T11:16:18.070792+0200	2056162	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ghostreedmnu .shop)	1	192.168.2.4	50969	1.1.1.1	53	UDP
2024-09-27T11:16:18.559269+0200	2056163	ET MALWARE Observed Win32/Lumma Stealer Related Domain (ghostreedmnu .shop in TLS SNI)	1	192.168.2.4	49731	188.114.96.3	443	TCP
2024-09-27T11:16:19.009337+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49731	188.114.96.3	443	TCP
2024-09-27T11:16:19.009337+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49731	188.114.96.3	443	TCP
2024-09-27T11:16:19.012822+0200	2056160	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (offensivedzvju .shop)	1	192.168.2.4	65266	1.1.1.1	53	UDP
2024-09-27T11:16:19.489492+0200	2056161	ET MALWARE Observed Win32/Lumma Stealer Related Domain (offensivedzvju .shop in TLS SNI)	1	192.168.2.4	49732	188.114.97.3	443	TCP
2024-09-27T11:16:19.915533+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49732	188.114.97.3	443	TCP
2024-09-27T11:16:19.915533+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	188.114.97.3	443	TCP
2024-09-27T11:16:19.917534+0200	2056158	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (vozmeatillu .shop)	1	192.168.2.4	58169	1.1.1.1	53	UDP
2024-09-27T11:16:20.406819+0200	2056159	ET MALWARE Observed Win32/Lumma Stealer Related Domain (vozmeatillu .shop in TLS SNI)	1	192.168.2.4	49733	188.114.96.3	443	TCP
2024-09-27T11:16:20.852879+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49733	188.114.96.3	443	TCP
2024-09-27T11:16:20.852879+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	188.114.96.3	443	TCP
2024-09-27T11:16:20.854662+0200	2056156	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (drawzhotdog .shop)	1	192.168.2.4	56294	1.1.1.1	53	UDP
2024-09-27T11:16:21.356055+0200	2056157	ET MALWARE Observed Win32/Lumma Stealer Related Domain (drawzhotdog .shop in TLS SNI)	1	192.168.2.4	49734	172.67.162.108	443	TCP
2024-09-27T11:16:21.793147+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49734	172.67.162.108	443	TCP
2024-09-27T11:16:21.793147+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49734	172.67.162.108	443	TCP
2024-09-27T11:16:21.793913+0200	2056154	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (fragnantbui .shop)	1	192.168.2.4	55540	1.1.1.1	53	UDP
2024-09-27T11:16:22.305456+0200	2056155	ET MALWARE Observed Win32/Lumma Stealer Related Domain (fragnantbui .shop in TLS SNI)	1	192.168.2.4	49735	188.114.96.3	443	TCP
2024-09-27T11:16:22.759818+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49735	188.114.96.3	443	TCP
2024-09-27T11:16:22.759818+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49735	188.114.96.3	443	TCP
2024-09-27T11:16:22.761643+0200	2056152	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (stogeneratmns .shop)	1	192.168.2.4	49372	1.1.1.1	53	UDP
2024-09-27T11:16:23.245653+0200	2056153	ET MALWARE Observed Win32/Lumma Stealer Related Domain (stogeneratmns .shop in TLS SNI)	1	192.168.2.4	49736	188.114.96.3	443	TCP
2024-09-27T11:16:23.881986+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	188.114.96.3	443	TCP
2024-09-27T11:16:23.881986+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	188.114.96.3	443	TCP
2024-09-27T11:16:23.910047+0200	2056150	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (reinforcenh .shop)	1	192.168.2.4	50904	1.1.1.1	53	UDP
2024-09-27T11:16:24.395791+0200	2056151	ET MALWARE Observed Win32/Lumma Stealer Related Domain (reinforcenh .shop in TLS SNI)	1	192.168.2.4	49737	104.21.77.130	443	TCP
2024-09-27T11:16:24.820981+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49737	104.21.77.130	443	TCP
2024-09-27T11:16:24.820981+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49737	104.21.77.130	443	TCP
2024-09-27T11:16:27.023133+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49739	172.67.128.144	443	TCP
2024-09-27T11:16:27.023133+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49739	172.67.128.144	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 11:16:17.136641979 CEST	49730	443	192.168.2.4	104.21.4.136
Sep 27, 2024 11:16:17.136693001 CEST	443	49730	104.21.4.136	192.168.2.4
Sep 27, 2024 11:16:17.136774063 CEST	49730	443	192.168.2.4	104.21.4.136
Sep 27, 2024 11:16:17.139940977 CEST	49730	443	192.168.2.4	104.21.4.136
Sep 27, 2024 11:16:17.139955044 CEST	443	49730	104.21.4.136	192.168.2.4
Sep 27, 2024 11:16:17.599225044 CEST	443	49730	104.21.4.136	192.168.2.4
Sep 27, 2024 11:16:17.599315882 CEST	49730	443	192.168.2.4	104.21.4.136
Sep 27, 2024 11:16:17.602829933 CEST	49730	443	192.168.2.4	104.21.4.136
Sep 27, 2024 11:16:17.602840900 CEST	443	49730	104.21.4.136	192.168.2.4
Sep 27, 2024 11:16:17.603137970 CEST	443	49730	104.21.4.136	192.168.2.4
Sep 27, 2024 11:16:17.642851114 CEST	49730	443	192.168.2.4	104.21.4.136
Sep 27, 2024 11:16:17.653002024 CEST	49730	443	192.168.2.4	104.21.4.136
Sep 27, 2024 11:16:17.653037071 CEST	49730	443	192.168.2.4	104.21.4.136
Sep 27, 2024 11:16:17.653107882 CEST	443	49730	104.21.4.136	192.168.2.4
Sep 27, 2024 11:16:18.058787107 CEST	443	49730	104.21.4.136	192.168.2.4
Sep 27, 2024 11:16:18.058886051 CEST	443	49730	104.21.4.136	192.168.2.4
Sep 27, 2024 11:16:18.058954954 CEST	49730	443	192.168.2.4	104.21.4.136
Sep 27, 2024 11:16:18.068094015 CEST	49730	443	192.168.2.4	104.21.4.136
Sep 27, 2024 11:16:18.068121910 CEST	443	49730	104.21.4.136	192.168.2.4
Sep 27, 2024 11:16:18.084466934 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:18.084528923 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:18.084620953 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:18.084906101 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:18.084924936 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:18.559137106 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:18.559268951 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:18.604198933 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:18.604232073 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:18.604598999 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:18.605871916 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:18.605900049 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:18.605971098 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:19.009354115 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:19.009444952 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:19.009515047 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:19.009737015 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:19.009761095 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:19.009772062 CEST	49731	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:19.009778976 CEST	443	49731	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:19.028042078 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 27, 2024 11:16:19.028076887 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 27, 2024 11:16:19.028156996 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 27, 2024 11:16:19.028491020 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 27, 2024 11:16:19.028501987 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 27, 2024 11:16:19.489367962 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 27, 2024 11:16:19.489491940 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 27, 2024 11:16:19.491270065 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 27, 2024 11:16:19.491283894 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 27, 2024 11:16:19.491550922 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 27, 2024 11:16:19.492974043 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 27, 2024 11:16:19.493012905 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 27, 2024 11:16:19.493041992 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 27, 2024 11:16:19.915591002 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 27, 2024 11:16:19.915837049 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 27, 2024 11:16:19.915910006 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 27, 2024 11:16:19.915990114 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 27, 2024 11:16:19.916035891 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 27, 2024 11:16:19.916064978 CEST	49732	443	192.168.2.4	188.114.97.3
Sep 27, 2024 11:16:19.916080952 CEST	443	49732	188.114.97.3	192.168.2.4
Sep 27, 2024 11:16:19.933520079 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:19.933592081 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:19.933680058 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:19.934009075 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:19.934041977 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:20.406665087 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:20.406819105 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:20.408745050 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:20.408773899 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:20.409077883 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:20.410226107 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:20.410263062 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:20.410310984 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:20.852891922 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:20.852998018 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:20.853075981 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:20.853306055 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:20.853322983 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:20.853342056 CEST	49733	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:20.853348017 CEST	443	49733	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:20.867274046 CEST	49734	443	192.168.2.4	172.67.162.108
Sep 27, 2024 11:16:20.867292881 CEST	443	49734	172.67.162.108	192.168.2.4
Sep 27, 2024 11:16:20.867366076 CEST	49734	443	192.168.2.4	172.67.162.108
Sep 27, 2024 11:16:20.867696047 CEST	49734	443	192.168.2.4	172.67.162.108
Sep 27, 2024 11:16:20.867707014 CEST	443	49734	172.67.162.108	192.168.2.4
Sep 27, 2024 11:16:21.355879068 CEST	443	49734	172.67.162.108	192.168.2.4
Sep 27, 2024 11:16:21.356055021 CEST	49734	443	192.168.2.4	172.67.162.108
Sep 27, 2024 11:16:21.371876001 CEST	49734	443	192.168.2.4	172.67.162.108
Sep 27, 2024 11:16:21.371922970 CEST	443	49734	172.67.162.108	192.168.2.4
Sep 27, 2024 11:16:21.372286081 CEST	443	49734	172.67.162.108	192.168.2.4
Sep 27, 2024 11:16:21.381237030 CEST	49734	443	192.168.2.4	172.67.162.108
Sep 27, 2024 11:16:21.381278038 CEST	49734	443	192.168.2.4	172.67.162.108
Sep 27, 2024 11:16:21.381376982 CEST	443	49734	172.67.162.108	192.168.2.4
Sep 27, 2024 11:16:21.790282011 CEST	443	49734	172.67.162.108	192.168.2.4
Sep 27, 2024 11:16:21.790509939 CEST	443	49734	172.67.162.108	192.168.2.4
Sep 27, 2024 11:16:21.790601969 CEST	49734	443	192.168.2.4	172.67.162.108
Sep 27, 2024 11:16:21.790707111 CEST	49734	443	192.168.2.4	172.67.162.108
Sep 27, 2024 11:16:21.790707111 CEST	49734	443	192.168.2.4	172.67.162.108
Sep 27, 2024 11:16:21.790771961 CEST	443	49734	172.67.162.108	192.168.2.4
Sep 27, 2024 11:16:21.790798903 CEST	443	49734	172.67.162.108	192.168.2.4
Sep 27, 2024 11:16:21.816788912 CEST	49735	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:21.816832066 CEST	443	49735	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:21.816912889 CEST	49735	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:21.817199945 CEST	49735	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:21.817215919 CEST	443	49735	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:22.305351019 CEST	443	49735	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:22.305455923 CEST	49735	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:22.307152987 CEST	49735	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:22.307163954 CEST	443	49735	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:22.307415009 CEST	443	49735	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:22.308681011 CEST	49735	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:22.308706045 CEST	49735	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:22.308741093 CEST	443	49735	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:22.759819984 CEST	443	49735	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:22.759928942 CEST	443	49735	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:22.760020971 CEST	49735	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:22.760313988 CEST	49735	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:22.760338068 CEST	443	49735	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:22.760349989 CEST	49735	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:22.760355949 CEST	443	49735	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:22.777270079 CEST	49736	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:22.777306080 CEST	443	49736	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:22.777390957 CEST	49736	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:22.777832985 CEST	49736	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:22.777842999 CEST	443	49736	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:23.245515108 CEST	443	49736	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:23.245652914 CEST	49736	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:23.247993946 CEST	49736	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:23.248028040 CEST	443	49736	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:23.248290062 CEST	443	49736	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:23.249866962 CEST	49736	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:23.249866962 CEST	49736	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:23.249943018 CEST	443	49736	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:23.882044077 CEST	443	49736	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:23.882287979 CEST	443	49736	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:23.882411003 CEST	49736	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:23.891047001 CEST	49736	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:23.891047955 CEST	49736	443	192.168.2.4	188.114.96.3
Sep 27, 2024 11:16:23.891125917 CEST	443	49736	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:23.891158104 CEST	443	49736	188.114.96.3	192.168.2.4
Sep 27, 2024 11:16:23.926038980 CEST	49737	443	192.168.2.4	104.21.77.130
Sep 27, 2024 11:16:23.926103115 CEST	443	49737	104.21.77.130	192.168.2.4
Sep 27, 2024 11:16:23.926184893 CEST	49737	443	192.168.2.4	104.21.77.130
Sep 27, 2024 11:16:23.926613092 CEST	49737	443	192.168.2.4	104.21.77.130
Sep 27, 2024 11:16:23.926624060 CEST	443	49737	104.21.77.130	192.168.2.4
Sep 27, 2024 11:16:24.395603895 CEST	443	49737	104.21.77.130	192.168.2.4
Sep 27, 2024 11:16:24.395791054 CEST	49737	443	192.168.2.4	104.21.77.130
Sep 27, 2024 11:16:24.397910118 CEST	49737	443	192.168.2.4	104.21.77.130
Sep 27, 2024 11:16:24.397938013 CEST	443	49737	104.21.77.130	192.168.2.4
Sep 27, 2024 11:16:24.398792982 CEST	443	49737	104.21.77.130	192.168.2.4
Sep 27, 2024 11:16:24.400116920 CEST	49737	443	192.168.2.4	104.21.77.130
Sep 27, 2024 11:16:24.400156975 CEST	49737	443	192.168.2.4	104.21.77.130
Sep 27, 2024 11:16:24.400286913 CEST	443	49737	104.21.77.130	192.168.2.4
Sep 27, 2024 11:16:24.820945024 CEST	443	49737	104.21.77.130	192.168.2.4
Sep 27, 2024 11:16:24.821047068 CEST	443	49737	104.21.77.130	192.168.2.4
Sep 27, 2024 11:16:24.821168900 CEST	49737	443	192.168.2.4	104.21.77.130
Sep 27, 2024 11:16:24.821649075 CEST	49737	443	192.168.2.4	104.21.77.130
Sep 27, 2024 11:16:24.821693897 CEST	443	49737	104.21.77.130	192.168.2.4
Sep 27, 2024 11:16:24.821780920 CEST	49737	443	192.168.2.4	104.21.77.130
Sep 27, 2024 11:16:24.821796894 CEST	443	49737	104.21.77.130	192.168.2.4
Sep 27, 2024 11:16:24.830847025 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:24.830908060 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:24.830985069 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:24.831361055 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:24.831402063 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:25.472348928 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:25.472436905 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:25.474181890 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:25.474191904 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:25.474467993 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:25.476138115 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:25.523405075 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:25.968822956 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:25.968847036 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:25.968862057 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:25.968940973 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:25.968969107 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:25.968998909 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:25.969019890 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:26.066400051 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:26.066425085 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:26.066472054 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:26.066499949 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:26.066515923 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:26.066541910 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:26.072217941 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:26.072283030 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:26.072294950 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:26.072350025 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:26.072374105 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:26.072392941 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:26.072410107 CEST	49738	443	192.168.2.4	104.102.49.254
Sep 27, 2024 11:16:26.072417021 CEST	443	49738	104.102.49.254	192.168.2.4
Sep 27, 2024 11:16:26.092116117 CEST	49739	443	192.168.2.4	172.67.128.144
Sep 27, 2024 11:16:26.092156887 CEST	443	49739	172.67.128.144	192.168.2.4
Sep 27, 2024 11:16:26.092211008 CEST	49739	443	192.168.2.4	172.67.128.144
Sep 27, 2024 11:16:26.093735933 CEST	49739	443	192.168.2.4	172.67.128.144
Sep 27, 2024 11:16:26.093755960 CEST	443	49739	172.67.128.144	192.168.2.4
Sep 27, 2024 11:16:26.567764044 CEST	443	49739	172.67.128.144	192.168.2.4
Sep 27, 2024 11:16:26.567985058 CEST	49739	443	192.168.2.4	172.67.128.144
Sep 27, 2024 11:16:26.569741964 CEST	49739	443	192.168.2.4	172.67.128.144
Sep 27, 2024 11:16:26.569761038 CEST	443	49739	172.67.128.144	192.168.2.4
Sep 27, 2024 11:16:26.569998980 CEST	443	49739	172.67.128.144	192.168.2.4
Sep 27, 2024 11:16:26.571363926 CEST	49739	443	192.168.2.4	172.67.128.144
Sep 27, 2024 11:16:26.571399927 CEST	49739	443	192.168.2.4	172.67.128.144
Sep 27, 2024 11:16:26.571436882 CEST	443	49739	172.67.128.144	192.168.2.4
Sep 27, 2024 11:16:27.023149014 CEST	443	49739	172.67.128.144	192.168.2.4
Sep 27, 2024 11:16:27.023233891 CEST	443	49739	172.67.128.144	192.168.2.4
Sep 27, 2024 11:16:27.023305893 CEST	49739	443	192.168.2.4	172.67.128.144
Sep 27, 2024 11:16:27.023511887 CEST	49739	443	192.168.2.4	172.67.128.144
Sep 27, 2024 11:16:27.023533106 CEST	443	49739	172.67.128.144	192.168.2.4
Sep 27, 2024 11:16:27.023544073 CEST	49739	443	192.168.2.4	172.67.128.144
Sep 27, 2024 11:16:27.023549080 CEST	443	49739	172.67.128.144	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 11:16:17.101769924 CEST	59470	53	192.168.2.4	1.1.1.1
Sep 27, 2024 11:16:17.113583088 CEST	53	59470	1.1.1.1	192.168.2.4
Sep 27, 2024 11:16:17.117434025 CEST	52923	53	192.168.2.4	1.1.1.1
Sep 27, 2024 11:16:17.130867958 CEST	53	52923	1.1.1.1	192.168.2.4
Sep 27, 2024 11:16:18.070791960 CEST	50969	53	192.168.2.4	1.1.1.1
Sep 27, 2024 11:16:18.083748102 CEST	53	50969	1.1.1.1	192.168.2.4
Sep 27, 2024 11:16:19.012821913 CEST	65266	53	192.168.2.4	1.1.1.1
Sep 27, 2024 11:16:19.027097940 CEST	53	65266	1.1.1.1	192.168.2.4
Sep 27, 2024 11:16:19.917534113 CEST	58169	53	192.168.2.4	1.1.1.1
Sep 27, 2024 11:16:19.932708025 CEST	53	58169	1.1.1.1	192.168.2.4
Sep 27, 2024 11:16:20.854661942 CEST	56294	53	192.168.2.4	1.1.1.1
Sep 27, 2024 11:16:20.866497040 CEST	53	56294	1.1.1.1	192.168.2.4
Sep 27, 2024 11:16:21.793912888 CEST	55540	53	192.168.2.4	1.1.1.1
Sep 27, 2024 11:16:21.815943003 CEST	53	55540	1.1.1.1	192.168.2.4
Sep 27, 2024 11:16:22.761642933 CEST	49372	53	192.168.2.4	1.1.1.1
Sep 27, 2024 11:16:22.776314974 CEST	53	49372	1.1.1.1	192.168.2.4
Sep 27, 2024 11:16:23.910047054 CEST	50904	53	192.168.2.4	1.1.1.1
Sep 27, 2024 11:16:23.922789097 CEST	53	50904	1.1.1.1	192.168.2.4
Sep 27, 2024 11:16:24.823056936 CEST	54016	53	192.168.2.4	1.1.1.1
Sep 27, 2024 11:16:24.830071926 CEST	53	54016	1.1.1.1	192.168.2.4
Sep 27, 2024 11:16:26.074409008 CEST	54332	53	192.168.2.4	1.1.1.1
Sep 27, 2024 11:16:26.090845108 CEST	53	54332	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 27, 2024 11:16:17.101769924 CEST	192.168.2.4	1.1.1.1	0x78ce	Standard query (0)	lootebarrkeyn.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:17.117434025 CEST	192.168.2.4	1.1.1.1	0x9fef	Standard query (0)	gutterydhowi.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:18.070791960 CEST	192.168.2.4	1.1.1.1	0xf709	Standard query (0)	ghostreedmnu.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:19.012821913 CEST	192.168.2.4	1.1.1.1	0xa710	Standard query (0)	offensivedzvju.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:19.917534113 CEST	192.168.2.4	1.1.1.1	0xf8ec	Standard query (0)	vozmeatillu.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:20.854661942 CEST	192.168.2.4	1.1.1.1	0xcb3f	Standard query (0)	drawzhotdog.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:21.793912888 CEST	192.168.2.4	1.1.1.1	0x94bf	Standard query (0)	fragnantbui.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:22.761642933 CEST	192.168.2.4	1.1.1.1	0x4b51	Standard query (0)	stogeneratmns.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:23.910047054 CEST	192.168.2.4	1.1.1.1	0xe3e	Standard query (0)	reinforcenh.shop	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:24.823056936 CEST	192.168.2.4	1.1.1.1	0xe4f9	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:26.074409008 CEST	192.168.2.4	1.1.1.1	0x8688	Standard query (0)	ballotnwu.site	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 27, 2024 11:16:17.113583088 CEST	1.1.1.1	192.168.2.4	0x78ce	Name error (3)	lootebarrkeyn.shop	none	none	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:17.130867958 CEST	1.1.1.1	192.168.2.4	0x9fef	No error (0)	gutterydhowi.shop		104.21.4.136	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:17.130867958 CEST	1.1.1.1	192.168.2.4	0x9fef	No error (0)	gutterydhowi.shop		172.67.132.32	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:18.083748102 CEST	1.1.1.1	192.168.2.4	0xf709	No error (0)	ghostreedmnu.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:18.083748102 CEST	1.1.1.1	192.168.2.4	0xf709	No error (0)	ghostreedmnu.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:19.027097940 CEST	1.1.1.1	192.168.2.4	0xa710	No error (0)	offensivedzvju.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:19.027097940 CEST	1.1.1.1	192.168.2.4	0xa710	No error (0)	offensivedzvju.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:19.932708025 CEST	1.1.1.1	192.168.2.4	0xf8ec	No error (0)	vozmeatillu.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:19.932708025 CEST	1.1.1.1	192.168.2.4	0xf8ec	No error (0)	vozmeatillu.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:20.866497040 CEST	1.1.1.1	192.168.2.4	0xcb3f	No error (0)	drawzhotdog.shop		172.67.162.108	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:20.866497040 CEST	1.1.1.1	192.168.2.4	0xcb3f	No error (0)	drawzhotdog.shop		104.21.58.182	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:21.815943003 CEST	1.1.1.1	192.168.2.4	0x94bf	No error (0)	fragnantbui.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:21.815943003 CEST	1.1.1.1	192.168.2.4	0x94bf	No error (0)	fragnantbui.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:22.776314974 CEST	1.1.1.1	192.168.2.4	0x4b51	No error (0)	stogeneratmns.shop		188.114.96.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:22.776314974 CEST	1.1.1.1	192.168.2.4	0x4b51	No error (0)	stogeneratmns.shop		188.114.97.3	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:23.922789097 CEST	1.1.1.1	192.168.2.4	0xe3e	No error (0)	reinforcenh.shop		104.21.77.130	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:23.922789097 CEST	1.1.1.1	192.168.2.4	0xe3e	No error (0)	reinforcenh.shop		172.67.208.139	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:24.830071926 CEST	1.1.1.1	192.168.2.4	0xe4f9	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:26.090845108 CEST	1.1.1.1	192.168.2.4	0x8688	No error (0)	ballotnwu.site		172.67.128.144	A (IP address)	IN (0x0001)	false
Sep 27, 2024 11:16:26.090845108 CEST	1.1.1.1	192.168.2.4	0x8688	No error (0)	ballotnwu.site		104.21.2.13	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

gutterydhowi.shop

ghostreedmnu.shop

offensivedzvju.shop

vozmeatillu.shop

drawzhotdog.shop

fragnantbui.shop

stogeneratmns.shop

reinforcenh.shop

steamcommunity.com

ballotnwu.site

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.4.136	443	6244	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 09:16:17 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: gutterydhowi.shop
2024-09-27 09:16:17 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-27 09:16:18 UTC	810	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 09:16:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0h2157ljuhpmihef4vp0ioanej; expires=Tue, 21 Jan 2025 03:02:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0QwrxypGqPFzpYuDWDY7ISU6VVQu77nd2y1ZVSovrPONRpBJ%2BNZUp5qG2riHI5YhiTmL2Un91j%2BfQhL1ml%2BQKflGXbAlwU2F23dgA%2Ful%2FYsW2h8yuAwG1zl3R1tsK6s0%2FddDhQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a64e2afd14370-EWR alt-svc: h3=":443"; ma=86400
2024-09-27 09:16:18 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-27 09:16:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	188.114.96.3	443	6244	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 09:16:18 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ghostreedmnu.shop
2024-09-27 09:16:18 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-27 09:16:19 UTC	772	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 09:16:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lf2ogd43tca3vq8ie31qv0gv2k; expires=Tue, 21 Jan 2025 03:02:57 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t3Uiot8VQ465gJCv8jgSZokbjcCJ%2B07phIvW6vpimz6SgkChmuMwMZq7YJCGAJiVrOkoNkh2Z1RUUlfABGI0Z126wAsLW3Maki07uQeJayB27FFUVbL%2FnuSACVQLVl76ON293g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a64e89f4c433e-EWR
2024-09-27 09:16:19 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-27 09:16:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	188.114.97.3	443	6244	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 09:16:19 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: offensivedzvju.shop
2024-09-27 09:16:19 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-27 09:16:19 UTC	774	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 09:16:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lfh4m0ogd5pe27k4ofot9lqgae; expires=Tue, 21 Jan 2025 03:02:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gqLCqZX%2FvddX7xrkFOmVdOUkR%2BZRLMouJzoWGaCEVxU3Ea7U1SH%2FtjxmHzDUSnT36pqj6QYN3q9WzpS%2BOSojwETuaqvGGMGKkx7BMsRe31FkBFu%2BnGyZfRmlcwY2mQNQbiqceX97"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a64ee4ddb8cbf-EWR
2024-09-27 09:16:19 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-27 09:16:19 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	188.114.96.3	443	6244	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 09:16:20 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: vozmeatillu.shop
2024-09-27 09:16:20 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-27 09:16:20 UTC	762	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 09:16:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d64pboi4u4cvq52h4f2aa2mr09; expires=Tue, 21 Jan 2025 03:02:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=okfKGDIfdKyau62YjB7KGMGTqRrKJQVqSr17j6TAAkSNN988WpYH23tCk3CNqVq8GRaB7iKacMdOdhJ%2BhjpiBBNdw1CNlNNiZOj2jEgY78nEze5vvG4ashZ8mEuBImTrpE6S"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a64f41e3442bb-EWR
2024-09-27 09:16:20 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-27 09:16:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	172.67.162.108	443	6244	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 09:16:21 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: drawzhotdog.shop
2024-09-27 09:16:21 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-27 09:16:21 UTC	766	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 09:16:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=40scbo87pj55pe0hrsu5u5j57g; expires=Tue, 21 Jan 2025 03:03:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GnlEfnBxqNuvDJbFxbt7wFGeYJxQ6TXif9gQkLRbba8AzYDDmt5y4xSW0v6iLlJ6N2POBHbxxNnChCJtQmQrDHU4KYMmUpKJXkZ4eUM6SBCCEOpW%2FdVmafrlna3%2BZVS8X%2FIO"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a64fa091d72b7-EWR
2024-09-27 09:16:21 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-27 09:16:21 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	188.114.96.3	443	6244	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 09:16:22 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: fragnantbui.shop
2024-09-27 09:16:22 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-27 09:16:22 UTC	784	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 09:16:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0reamkgmp82h3rm8soofegd763; expires=Tue, 21 Jan 2025 03:03:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2gIqUDPaH%2BX2h3vU6FG2bVBcbbh22VqsU%2Btv9GJdmh6Ni%2BYkxVRY%2BLpY2W%2BBtRPbcq7T%2FBPY%2BNm%2FlFyta4i%2B1SPU%2BzmHV4gasNXj%2Fc4Xs0DGBZsI7mY6eBAm4MKJWlhs%2BhHR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a64ffec9d0f8d-EWR
2024-09-27 09:16:22 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-27 09:16:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49736	188.114.96.3	443	6244	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 09:16:23 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stogeneratmns.shop
2024-09-27 09:16:23 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-27 09:16:23 UTC	778	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 09:16:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3ufff4nfsj754cqj6rkhsn6thm; expires=Tue, 21 Jan 2025 03:03:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1%2FuxGyBPRFV%2BAfaetDEtIqsWIsjQmtQgraWxBHhL8JzsR0cDTyBFO3kkEdwhKoRZV3RNa%2FZaiuHHZVNeov8NdtBijgnau7F%2BearQ6Gyy6mwkkLQM%2FPNNNjgQB%2FPyq4635S39nk0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a6505bf3143ab-EWR
2024-09-27 09:16:23 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-27 09:16:23 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49737	104.21.77.130	443	6244	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 09:16:24 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: reinforcenh.shop
2024-09-27 09:16:24 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-27 09:16:24 UTC	774	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 09:16:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=nmi3i2al3o2kp538bm7at592h0; expires=Tue, 21 Jan 2025 03:03:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cuXq%2Bmj3WxqFHRZ78tCoCYWTzhDYxMiS%2FD5gEIQOL4ma0MCAxEP%2Fpjvjp7tnRA%2Bli9yr3Pf0rZMNBHiblY6SvQTOXrrIA%2FkNBoMbl2yzk%2BB2MYCHs%2FZxfZfj1t2JEshnEjhR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a650cfd2d5e79-EWR
2024-09-27 09:16:24 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-27 09:16:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49738	104.102.49.254	443	6244	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 09:16:25 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-09-27 09:16:25 UTC	1870	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Fri, 27 Sep 2024 09:16:25 GMT Content-Length: 34663 Connection: close Set-Cookie: sessionid=d8c2abb613f3727c7ce9b009; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-09-27 09:16:25 UTC	14514	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-09-27 09:16:26 UTC	16384	IN	Data Raw: 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 5f 6d 65 6e 75 22 20 61 Data Ascii: ernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_action_menu" a
2024-09-27 09:16:26 UTC	3765	IN	Data Raw: 65 20 69 6e 66 6f 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 09 09 09 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 20 24 4a 28 20 66 75 6e 63 74 69 6f 6e 28 29 20 7b 20 49 6e 69 74 50 72 6f 66 69 6c 65 53 75 6d 6d 61 72 79 28 20 67 5f 72 67 50 72 6f 66 69 6c 65 44 61 74 61 5b 27 73 75 6d 6d 61 72 79 27 5d 20 29 3b 20 7d 20 29 3b 20 3c 2f 73 63 72 69 70 74 3e 0d 0a 09 09 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 3c 2f 64 69 76 3e 0d 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 72 6f 66 69 6c 65 5f 63 6f 6e 74 65 6e 74 20 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 Data Ascii: e info</span></div><script type="text/javascript"> $J( function() { InitProfileSummary( g_rgProfileData['summary'] ); } ); </script></div></div></div></div></div><div class="profile_content "><div class="p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49739	172.67.128.144	443	6244	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-27 09:16:26 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: ballotnwu.site
2024-09-27 09:16:26 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-09-27 09:16:27 UTC	774	IN	HTTP/1.1 200 OK Date: Fri, 27 Sep 2024 09:16:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=2k5b071hkjkra7r51tim241u93; expires=Tue, 21 Jan 2025 03:03:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4ympG%2BNIevTa2TemQic37vIG9a2EhZnZ1Ckk8eYE%2F3yokUnIKzy%2F8PHG0VJdqmNoD84sv9jkaQnbT9omTL89o7YydKfljU9wXV%2BEkJY%2F0XSp5y6m3y6YMo19arkusXsQ0g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8c9a651a9e927cfc-EWR
2024-09-27 09:16:27 UTC	15	IN	Data Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a Data Ascii: aerror #D12
2024-09-27 09:16:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	05:16:16
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\gZzI6gTYn4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gZzI6gTYn4.exe"
Imagebase:	0x4c0000
File size:	375'296 bytes
MD5 hash:	F2FDF50927663D80056FC0BCD576C461
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1690403824.0000000003935000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	05:16:16
Start date:	27/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	05:16:16
Start date:	27/09/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0xd20000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	32.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	30%
Total number of Nodes:	20
Total number of Limit Nodes:	0

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02932145 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,029320B7,029320A7), ref: 029322B4
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 029322C7
Wow64GetThreadContext.KERNEL32(0000009C,00000000), ref: 029322E5
ReadProcessMemory.KERNELBASE(00000098,?,029320FB,00000004,00000000), ref: 02932309
VirtualAllocEx.KERNELBASE(00000098,?,?,00003000,00000040), ref: 02932334
WriteProcessMemory.KERNELBASE(00000098,00000000,?,?,00000000,?), ref: 0293238C
WriteProcessMemory.KERNELBASE(00000098,00400000,?,?,00000000,?,00000028), ref: 029323D7
WriteProcessMemory.KERNELBASE(00000098,-00000008,?,00000004,00000000), ref: 02932415
Wow64SetThreadContext.KERNEL32(0000009C,02890000), ref: 02932451
ResumeThread.KERNELBASE(0000009C), ref: 02932460

Strings

GetP, xrefs: 029321C7
WriteProcessMemory, xrefs: 02932258
SetThreadContext, xrefs: 0293226B
VirtualAllocEx, xrefs: 02932245
ReadProcessMemory, xrefs: 02932232
GetThreadContext, xrefs: 0293221F
ResumeThread, xrefs: 02932281
aryA, xrefs: 0293218B
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 029322B3
VirtualAlloc, xrefs: 0293220C
Load, xrefs: 02932183
TerminateProcess, xrefs: 02932343
ress, xrefs: 029321CF
CreateProcessA, xrefs: 029321F9

Memory Dump Source

Source File: 00000000.00000002.1689655751.0000000002931000.00000040.00000800.00020000.00000000.sdmp, Offset: 02931000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2931000_gZzI6gTYn4.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: 677c33fa472a5e0bb0a747f57e71ce07daf0f2eb682dcd44e8f10137be6436ee
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: CEB1E57664024AAFDB60CF68CC80BDA77A9FF88714F158524EA0CAB341D774FA41CB94

Function 00EF0C40 Relevance: .3, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1689530670.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_gZzI6gTYn4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af57b8bf417159448ca0b8d3ae7d7bfe260af2597073cabac5a46165835eed63
Instruction ID: c16de95b231d04118f4959ea3b966d865c0bed4eef0cc3f09a55d22b07aec2a1
Opcode Fuzzy Hash: af57b8bf417159448ca0b8d3ae7d7bfe260af2597073cabac5a46165835eed63
Instruction Fuzzy Hash: 63D19C71A042588FCB15CFA8C8806ECFBF2EF88314F248569E555F7256C735AD81CB94

Function 00EF1218 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00EF12A0

Memory Dump Source

Source File: 00000000.00000002.1689530670.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_gZzI6gTYn4.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5ab03348fffec088768531866e9364f912ebc35a2ecd0a45e999962afd9f5d47
Instruction ID: 98f080650023c23753b485b3f0ce2e7ff80ee48b1cceab26842296227e389437
Opcode Fuzzy Hash: 5ab03348fffec088768531866e9364f912ebc35a2ecd0a45e999962afd9f5d47
Instruction Fuzzy Hash: 0721F3B19002599FCB10DFAAC880AEEFBF5FF48310F108429E959A7250C7759944CBA1

Function 00EF1220 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,?,?,?,?), ref: 00EF12A0

Memory Dump Source

Source File: 00000000.00000002.1689530670.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ef0000_gZzI6gTYn4.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 9de424f7a31d6f36153cc4f6399ad4b3ff38e291f5865aa9dd54a3d176a65343
Instruction ID: 07d83c30051b75b03d855c99ac7ac7d02f37711cac550a5a4af153179e653b37
Opcode Fuzzy Hash: 9de424f7a31d6f36153cc4f6399ad4b3ff38e291f5865aa9dd54a3d176a65343
Instruction Fuzzy Hash: AA2104B1D0025D9FCB10DF9AC880ADEFBF5FF48310F108429E959A7250C775A944CBA5

Analysis Process: RegAsm.exePID: 6244, Parent PID: 6984COMMON

Execution Graph

Execution Coverage:	1.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	48.4%
Total number of Nodes:	122
Total number of Limit Nodes:	11

Executed Functions

Function 0040D470 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 153
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetInputState.USER32 ref: 0040D481
GetCurrentThreadId.KERNEL32 ref: 0040D496
GetCurrentProcessId.KERNEL32 ref: 0040D49C
ExitProcess.KERNEL32 ref: 0040D650

Strings

qpsr, xrefs: 0040D613, 0040D61B
mlon, xrefs: 0040D5EE

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentProcess$ExitInputStateThread
String ID: mlon$qpsr
API String ID: 1029096631-2320206279
Opcode ID: 7930aff37ba72ce8264af3c29ed56ea6ce6d8b229feb210a3e04cfecf3ed9881
Instruction ID: 0b5985bc83f50576ef1f085b5a0d62e7e6efba06dbaf663de6811bcd9dd79fdb
Opcode Fuzzy Hash: 7930aff37ba72ce8264af3c29ed56ea6ce6d8b229feb210a3e04cfecf3ed9881
Instruction Fuzzy Hash: 7D416C7480C240ABD301BFA8D544A1EFBE5EF56705F148C2EE4C4A7392C23AC818CB6B

Function 00447AC9 Relevance: 5.3, Strings: 4, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}D, xrefs: 00447D03
%sgh, xrefs: 00447B40
4`[b, xrefs: 00447CE0
{D, xrefs: 00447BCE

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: }D$%sgh$4`[b${D
API String ID: 0-1200795032
Opcode ID: 05b3149f2a3e830b37f71957d57e1fb7ca9e9332a621777ac5fd2e0c82385c56
Instruction ID: e9ff087d7b6ba292c07e2a373faf3cf3d0a9800b043d4ee0ae862f7c510f9595
Opcode Fuzzy Hash: 05b3149f2a3e830b37f71957d57e1fb7ca9e9332a621777ac5fd2e0c82385c56
Instruction Fuzzy Hash: 05817A7060C3419FE710EF28D890A2EBBE5EB99315F148C6DF1C597262C739E891CB1A

Function 004476D0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(0044B41F,?,00000004,?,?,00000018,?), ref: 004476FE

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00447E1B Relevance: 1.3, Strings: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@, xrefs: 00447E85

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2042c984cff8e36586f157c90dfe1e22c009bb683d2571c29aa94926772e1527
Instruction ID: cdf6f297f13441fe2925969da6b6994966f8396d0ae99224b9e918e95d5920a6
Opcode Fuzzy Hash: 2042c984cff8e36586f157c90dfe1e22c009bb683d2571c29aa94926772e1527
Instruction Fuzzy Hash: 9B31A97180C3018BE714DF28C89072BB7F1EF95305F44596EF8C9A72A1E7399845CB9A

Function 00447D38 Relevance: .5, Instructions: 487
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5fa1b09104253a195c0fe57cdf171331a83f09fff8ede92eb3ccc747820151f
Instruction ID: 8bcc6fb386cb15c142638edae28a52624d13c148528c1f92ba7a2a6e1e143af4
Opcode Fuzzy Hash: f5fa1b09104253a195c0fe57cdf171331a83f09fff8ede92eb3ccc747820151f
Instruction Fuzzy Hash: A7021036A08341CFD700DF28E89052EB7E1FB89312F194A7EE49487392D735E955CB86

Function 0040F807 Relevance: .4, Instructions: 390
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12b76bd1cddf45bbd6207310afd8c4b1868e0259217c3cf0ed6db9d5703ced3b
Instruction ID: cd89484c1d0e19e46c954de61e31bbebaec41b12b1ade970bd1187d44bb00fae
Opcode Fuzzy Hash: 12b76bd1cddf45bbd6207310afd8c4b1868e0259217c3cf0ed6db9d5703ced3b
Instruction Fuzzy Hash: B8C11574904256CFCB25CF68C8506BFB7B1FF46300F18497AE451AB792D339A85ACB98

Function 0040F042 Relevance: .3, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4472624897f6057df6c8ffb23683dd2a6b038d4d54d03cf02992a55fdc48f7
Instruction ID: ef9271f13a37813059f82d7b2aef6f9b9132d2b5a11f53dfc547668204b89559
Opcode Fuzzy Hash: ca4472624897f6057df6c8ffb23683dd2a6b038d4d54d03cf02992a55fdc48f7
Instruction Fuzzy Hash: 6CA17DB6C14214DFDB109FA0EC915BEBBB1FB0A309F04047AE805BB362E7759914CB69

Function 0044445C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00444474

Strings

|DD, xrefs: 00444476

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: |DD
API String ID: 1279760036-1192118190
Opcode ID: 4cbc25f787769cefebd05a7767c6a86754462c7e8b1f71f112afd27836c89513
Instruction ID: 3820a18ae079cb7e4426f798123fe2c3e110840b7bb1f0220b84c6f01d08581c
Opcode Fuzzy Hash: 4cbc25f787769cefebd05a7767c6a86754462c7e8b1f71f112afd27836c89513
Instruction Fuzzy Hash: A6B01230146210BCD03113111CC5FFF3C2CAF83F5EF101014B208180C047549001D07D

Function 00444470 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00444474

Strings

|DD, xrefs: 00444476

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: |DD
API String ID: 1279760036-1192118190
Opcode ID: 624b63b64e6b03db0bd12635e7aa1ed08730c5fdf8c669e26ca804604db2a04b
Instruction ID: e0ccf817579d59bbce23a8ee5fc248487fbde0254dbb899775f0dc122b38b7e8
Opcode Fuzzy Hash: 624b63b64e6b03db0bd12635e7aa1ed08730c5fdf8c669e26ca804604db2a04b
Instruction Fuzzy Hash: D2A00231145211EDD16117556C95F6F3968AB82A5EF100064B2081809586649041D56D

Function 00444490 Relevance: 1.6, APIs: 1, Instructions: 62
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(4B6A4902,00000000), ref: 00444530

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 7303358f5359f19ca23f0687a22b433efaff00f6e34e09b9e2f94b9ea2ceaedc
Instruction ID: caa5a61c1fc6514fa69d27dc7abdf64d4e2d01bb00e12b800d78490065dd5173
Opcode Fuzzy Hash: 7303358f5359f19ca23f0687a22b433efaff00f6e34e09b9e2f94b9ea2ceaedc
Instruction Fuzzy Hash: 5A01803550C240DFD210AB18ED80A1ABBF8EF8A716F054868E5C48B252C335EC50DB6A

Non-executed Functions

Function 0041E71A Relevance: 30.0, Strings: 23, Instructions: 1251COMMON

Download Yara Rule

Strings

,-*+, xrefs: 0041EEE4
0, xrefs: 0041F04F
z%, xrefs: 0041F11F
[ZED, xrefs: 0041F00D
XYVW, xrefs: 0041EF73
x{z}, xrefs: 0041F0F3
LMJK, xrefs: 0041EF3C
HIFG, xrefs: 0041EF47
ONIH, xrefs: 0041F02E
turs, xrefs: 0041EFD6
(qM, xrefs: 0041F109
<=:;, xrefs: 0041EF10
!>?, xrefs: 0041EF05
\]Z[, xrefs: 0041EF68
PQno, xrefs: 0041EF89
4523, xrefs: 0041EF26
dgfi, xrefs: 0041F114
HKJM, xrefs: 0041F177
DEBC, xrefs: 0041EF52
xyvw, xrefs: 0041EFCB
()&', xrefs: 0041EEEF
01NO, xrefs: 0041EF31
@A^_, xrefs: 0041EF5D

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: !>?$ z%$()&'$(qM$,-*+$0$01NO$4523$<=:;$@A^_$DEBC$HIFG$HKJM$LMJK$ONIH$PQno$XYVW$[ZED$\]Z[$dgfi$turs$xyvw$x{z}
API String ID: 0-2038966068
Opcode ID: f90f97c9c9ee660e4de228bad1591d79a832447606f1d05447c21198192b42ed
Instruction ID: dd8c9a11170efe247047064befbb3e8e17caaf51c98d00186aa99d3ab3198a48
Opcode Fuzzy Hash: f90f97c9c9ee660e4de228bad1591d79a832447606f1d05447c21198192b42ed
Instruction Fuzzy Hash: F2A2ABB55083819FD730CF11D884BEBBBE1AFC5304F54492EE9C88B251DB399885CB9A

Function 00439BD0 Relevance: 29.8, APIs: 6, Strings: 11, Instructions: 99clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00439BE0
GetWindowLongW.USER32 ref: 00439C05
GetClipboardData.USER32 ref: 00439C15
GlobalLock.KERNEL32 ref: 00439C2E
GlobalUnlock.KERNEL32 ref: 00439D1C
CloseClipboard.USER32 ref: 00439D25

Strings

|, xrefs: 00439C84
G, xrefs: 00439C7A
}, xrefs: 00439C61
N, xrefs: 00439C8E
S, xrefs: 00439C93
{, xrefs: 00439C66
s, xrefs: 00439C6B
H, xrefs: 00439C98
F, xrefs: 00439C70
u, xrefs: 00439C7F
z, xrefs: 00439C75

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: F$G$H$N$S$s$u$z${$|$}
API String ID: 2832541153-1941974359
Opcode ID: c2f3d5519ab13067e96e8a8e1554d226321cbd2039ebb6754a01b94ca404930a
Instruction ID: 1a35188d04eb71108be36436a893f0745e74d17b360d7727ff600e0e31ba3cd0
Opcode Fuzzy Hash: c2f3d5519ab13067e96e8a8e1554d226321cbd2039ebb6754a01b94ca404930a
Instruction Fuzzy Hash: B341617150C3808ED301EF78D48831FBFE0AB96318F05596EE4DA86292D6BD8949C79B

Function 00429978 Relevance: 24.3, Strings: 19, Instructions: 551COMMON

Download Yara Rule

Strings

`a, xrefs: 00429B37
sAuC, xrefs: 0042A004
Q%e', xrefs: 00429A8B
MI, xrefs: 004299F1
37, xrefs: 00429DCB
<:, xrefs: 00429DC0
31, xrefs: 0042A2D2
O=|?, xrefs: 00429ACD
TW, xrefs: 0042A6BA
/-, xrefs: 0042A2F3
9), xrefs: 0042A4F2
sq, xrefs: 0042A222
53, xrefs: 0042A4FD
[Y, xrefs: 004299E6
n)l+, xrefs: 00429A96
<&, xrefs: 0042A4E7
.,, xrefs: 00429DB5
#!, xrefs: 0042A2FE
75, xrefs: 0042A2DD

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: .,$37$53$9)$<&$<:$MI$O=|?$Q%e'$TW$[Y$`a$n)l+$sAuC$#!$/-$31$75$sq
API String ID: 0-518734598
Opcode ID: b3b08317d2e0cfa541fc023eb25e697968bc4af5299184a1130a56b36b739f48
Instruction ID: 03ea407fed1d32f28916693174b9482451e2888c3307ff2ead53aff0a4ec171c
Opcode Fuzzy Hash: b3b08317d2e0cfa541fc023eb25e697968bc4af5299184a1130a56b36b739f48
Instruction Fuzzy Hash: D362D6B55093828AE3748F01E680BDFBBF1BB96344F90892DE5D89B241DB748449CF97

Function 004404AB Relevance: 19.9, APIs: 8, Strings: 3, Instructions: 644memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0044050C
SysAllocString.OLEAUT32 ref: 004405CC
VariantInit.OLEAUT32(080B0A0D), ref: 00440658

Strings

<],[, xrefs: 00440531
4`[b, xrefs: 00440C00
4`[b, xrefs: 00440DA0

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocString$InitVariant
String ID: 4`[b$4`[b$<],[
API String ID: 3074814690-2254285042
Opcode ID: 0ea8b8889e0bb4a45b6034501902803b8855704a2f451e5abac1be5342d0fdbe
Instruction ID: 3b70daff5964ce097363bec6f93c74fecd6cdfee96da66d185794e42f4892200
Opcode Fuzzy Hash: 0ea8b8889e0bb4a45b6034501902803b8855704a2f451e5abac1be5342d0fdbe
Instruction Fuzzy Hash: 6022CA756083409FE714DF28D880B2FBBE1FF85309F14882DE6858B2A1D739E955CB5A

Function 00432830 Relevance: 18.6, APIs: 1, Strings: 9, Instructions: 1081COMMON

Download Yara Rule

Strings

::, xrefs: 00433158
[X^", xrefs: 00433726
#6C, xrefs: 004332B4, 00433344
xdaa, xrefs: 004328F2
SQ, xrefs: 00433825
vT^:, xrefs: 00433623
VVOT, xrefs: 00432C91
%W U, xrefs: 0043382F
,"@, xrefs: 004328D4

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ,"@$#6C$%W U$::$VVOT$[X^"$vT^:$xdaa$SQ
API String ID: 0-3977809258
Opcode ID: 687946c3e46dcd2fef14dd3dc931c1ff83cc1edd7a341014e5edc793b6e60020
Instruction ID: 6a30e320bc9aa03169a315c8e403c78acd1a2c3e87340e59c740f6ce2ae395c4
Opcode Fuzzy Hash: 687946c3e46dcd2fef14dd3dc931c1ff83cc1edd7a341014e5edc793b6e60020
Instruction Fuzzy Hash: 06827A70405B818AE7318F25C590BA3BBF0AF1B306F14189ED4EB9B293D739A545CF69

Function 00434990 Relevance: 13.1, APIs: 1, Strings: 6, Instructions: 824COMMON

Download Yara Rule

Strings

--',, xrefs: 00435299
, xrefs: 004349C8
$8r?, xrefs: 00434DA9
u}|, xrefs: 00434EAE
, xrefs: 004349E3
nLv(, xrefs: 00434D9F

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: $ $$8r?$--',$nLv($u}|
API String ID: 0-457197051
Opcode ID: 68e599e8ffaa50a487a7f43620eb8ee021e6b6941ac51a7c1ed568df97d2eee9
Instruction ID: 8b41d4da4bcd42269ea7739c650f07c77f5b2283e083b4b23c58f1815274c948
Opcode Fuzzy Hash: 68e599e8ffaa50a487a7f43620eb8ee021e6b6941ac51a7c1ed568df97d2eee9
Instruction Fuzzy Hash: 9352CF70504B418BE7258F35C494BA7BBE1AF4A305F14886EE5EB8B392CB3AF405CB55

Function 004408E6 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 348COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(00000008), ref: 004408F3
SysFreeString.OLEAUT32(?), ref: 00440920
SysFreeString.OLEAUT32(?), ref: 00440929
SysFreeString.OLEAUT32(?), ref: 00440940

Strings

4`[b, xrefs: 00440C00
4`[b, xrefs: 00440DA0

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeString$ClearVariant
String ID: 4`[b$4`[b
API String ID: 3349467263-3640500014
Opcode ID: e385970683e39f11de06317a4428018e5c6c996f516a19f857f1be5293d116c9
Instruction ID: 09d7fc534b87bbdf8393991c9ef56cf577bcdd1ce3a6edc29adcf294396d53e5
Opcode Fuzzy Hash: e385970683e39f11de06317a4428018e5c6c996f516a19f857f1be5293d116c9
Instruction Fuzzy Hash: CFB1CF756083009FE710DF64E891B2FB7E5EB8530AF14883DE685CB252D739E815CB5A

Function 00401000 Relevance: 10.7, Strings: 7, Instructions: 1914COMMON

Download Yara Rule

Strings

0123456789ABCDEFXP, xrefs: 00401445, 004014B3
gfff, xrefs: 00402249
gfff, xrefs: 004021E6
gfff, xrefs: 0040228F
A, xrefs: 0040144A
0123456789abcdefxp, xrefs: 00401451, 004014C3
-, xrefs: 00402196

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: -$0123456789ABCDEFXP$0123456789abcdefxp$A$gfff$gfff$gfff
API String ID: 0-947532036
Opcode ID: e06ab667e6b9483aab09583229f0419af3f4093797c2ed4d09b53c95b9789ffe
Instruction ID: 21de5e691bd859abbc2be4e82a4dcaafefefd4727c911ae8c5553d0c2646aee4
Opcode Fuzzy Hash: e06ab667e6b9483aab09583229f0419af3f4093797c2ed4d09b53c95b9789ffe
Instruction Fuzzy Hash: 4EE2D2716083418FD714CF29C49476BBBE2ABC9314F188A3EE895A73D1D379DA05CB86

Function 00412450 Relevance: 9.7, APIs: 4, Strings: 1, Instructions: 916COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0041254E
CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00412570
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0041289E

Strings

q-s, xrefs: 00412746

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Initialize$DirectorySecuritySystem
String ID: q-s
API String ID: 1379780170-2538240376
Opcode ID: 574801d40f12a725b9c9cb71e3c2e1c5558239a08317548fb3447c718f303320
Instruction ID: e90c699da80fdbf97deba592771adfca9ffecd6f7c132f23d46d425fcbc939e9
Opcode Fuzzy Hash: 574801d40f12a725b9c9cb71e3c2e1c5558239a08317548fb3447c718f303320
Instruction Fuzzy Hash: AA62D0B45007419FD3219F26D481627BBF1FF06308F14495DE4DA8BBA2D33AE896CB99

Function 0040FA20 Relevance: 7.9, Strings: 6, Instructions: 380COMMON

Download Yara Rule

Strings

f`E, xrefs: 0040FEA7
J<BJ, xrefs: 0040FD7D
f`E, xrefs: 0040FEC4
{3, xrefs: 0040FB32
v{, xrefs: 0040FB42
~, xrefs: 0040FC4F

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: J<BJ$f`E$f`E$v{${3$~
API String ID: 0-1732740514
Opcode ID: 76f2aed4a057638f363fd031f3dbe0569a69028984208c497ec39f2097cc7ed5
Instruction ID: 4e670058078cea7fd43884a886fc8be73a26d202e8482742903b49392826d215
Opcode Fuzzy Hash: 76f2aed4a057638f363fd031f3dbe0569a69028984208c497ec39f2097cc7ed5
Instruction Fuzzy Hash: 53D1687050C3818BD321DF18C49062EBBE1AF92744F54093EE5D1AB7A2D339D949CBAB

Function 004338C0 Relevance: 7.5, Strings: 5, Instructions: 1246COMMON

Download Yara Rule

Strings

CIBH, xrefs: 004348CB
)FC, xrefs: 00433FD1, 004341EA, 004341F0
{vry, xrefs: 00433B15
?*$2, xrefs: 0043413A
drG, xrefs: 00433CE5

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: drG$)FC$?*$2$CIBH${vry
API String ID: 0-1492907507
Opcode ID: 76d7692e372014387e47a71721219990899b7678fcf2bf8cf459b591c2ce3725
Instruction ID: ae17b6820417c1f5d865f6f8db41105b67f97988771920ed6e8cdea7b43e7d9c
Opcode Fuzzy Hash: 76d7692e372014387e47a71721219990899b7678fcf2bf8cf459b591c2ce3725
Instruction Fuzzy Hash: 87A28B70405B818AE7328F35C590BE3BBF1AF1A305F04589ED4EA9B282DB3AB545CB55

Function 0043A777 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043A7B1
GetSystemMetrics.USER32 ref: 0043A7C0

Strings

, xrefs: 0043A86B

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 6d15c560a22f2f746b61e91c69fede85cce94a29c4e560c9bab8bff2291995dd
Instruction ID: 04cec409040a24a7638083f5cbef6eeda66da4d91f8b2fb747c19da65d0b6118
Opcode Fuzzy Hash: 6d15c560a22f2f746b61e91c69fede85cce94a29c4e560c9bab8bff2291995dd
Instruction Fuzzy Hash: 62319FB49182009FDB00EF68D98565EBBF0BB89304F11853EE898D7360D774A959CF86

Function 00433623 Relevance: 5.2, Strings: 4, Instructions: 178COMMON

Download Yara Rule

Strings

::, xrefs: 00433158
[X^", xrefs: 00433726
#6C, xrefs: 004332B4, 00433344
xdaa, xrefs: 004328F2
SQ, xrefs: 00433825
vT^:, xrefs: 00433623
VVOT, xrefs: 00432C91
%W U, xrefs: 0043382F
,"@, xrefs: 004328D4

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ,"@$#6C$%W U$::$VVOT$[X^"$vT^:$xdaa$SQ
API String ID: 0-3977809258
Opcode ID: 5316a4421e8038fc09d359bae9942a20de967b06b3305538db8130970f2136b8
Instruction ID: 47a7bdd0108c2fb9dd8588cd9d3ff781ee98881393f00aa1a63237223b76b1bc
Opcode Fuzzy Hash: 5316a4421e8038fc09d359bae9942a20de967b06b3305538db8130970f2136b8
Instruction Fuzzy Hash: 4A615B70005B808AE7718F34C494BE7BBE0BF1A306F44589ED4EA9B292DB3AA505CF55

Function 0041FFD8 Relevance: 4.2, Strings: 3, Instructions: 450COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004205F0
4`[b, xrefs: 00420540
D, xrefs: 0042031C

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$4`[b$D
API String ID: 0-2855741908
Opcode ID: ed9ea28e12b6c3f2a80f412645aefceee75c8d90be7708955877a316dca48e77
Instruction ID: 31d3bb4f6c8ef88d8f7c367f3412f89acc0e11c248f3c087f24487996a868f02
Opcode Fuzzy Hash: ed9ea28e12b6c3f2a80f412645aefceee75c8d90be7708955877a316dca48e77
Instruction Fuzzy Hash: 5DE1BBB0608381DFD720CF24E895BABB7E2FF85305F54496EE4889B352D3799850CB5A

Function 00427230 Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

`cb], xrefs: 0042745A
hi, xrefs: 00427252
4`[b, xrefs: 00427680

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$`cb]$hi
API String ID: 0-188674353
Opcode ID: 1f5791c10a8d9b9034cf8b33a2b296a3773450a9b318bd1f49d32c9470c40f7b
Instruction ID: e8b149cf807d1c003d5c69b0e71323098e2fb5bb7a12dbfc9662ce51d29e78b9
Opcode Fuzzy Hash: 1f5791c10a8d9b9034cf8b33a2b296a3773450a9b318bd1f49d32c9470c40f7b
Instruction Fuzzy Hash: FDC1BE7160C3209BD710EF18E881A2BB7E4EF96354F84095EF8C597351E339E954C7AA

Function 00420A70 Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

|}, xrefs: 00420C9D
IO, xrefs: 00420D00
M"C, xrefs: 00420D07

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: |}$IO$M"C
API String ID: 0-2140647755
Opcode ID: a38601d3fca04be0643588d29395e0164f5203bdcff9d00cb4cb4415e9c9f1d7
Instruction ID: 95a8a3ba117dcb61b299199237c9eeeb104e0e6ef4a4d217e90056a207d5ce29
Opcode Fuzzy Hash: a38601d3fca04be0643588d29395e0164f5203bdcff9d00cb4cb4415e9c9f1d7
Instruction Fuzzy Hash: A7E1ACB5D00269DBDF04CFD4E881AEEBBB1BF06304F640859E850AB346D3759A45CBA9

Function 0042FE26 Relevance: 4.1, Strings: 3, Instructions: 362COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004301C0
((*, xrefs: 0042FFED
KJML, xrefs: 00430183, 0043018B

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ((*$4`[b$KJML
API String ID: 0-1972290462
Opcode ID: dec8e1f1a6e47717e73a8b1603991c167e71ac5dd27e416a59c03452828de5c7
Instruction ID: fe7f7a316f197fe0042526b9999b7c3ec2d399551d2672056d428c2cb04b8ed6
Opcode Fuzzy Hash: dec8e1f1a6e47717e73a8b1603991c167e71ac5dd27e416a59c03452828de5c7
Instruction Fuzzy Hash: ADC10371E00205CFDF09CFA8D851BAEBBB2EF4A305F248269E415B7392D7399945CB58

Function 00421AD0 Relevance: 3.0, Strings: 2, Instructions: 527COMMON

Download Yara Rule

Strings

fL[D, xrefs: 00421ED8
wcjn, xrefs: 00421F03, 00421F0B

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: fL[D$wcjn
API String ID: 0-3212404223
Opcode ID: f7381f910d54b45702fc34180e1fe2687b4c52f9d4af3e67fb7e363e571e8373
Instruction ID: f42574bc615607f6af951fa0bda80222cba276cb5f891ef9b4a55e7d3f85a151
Opcode Fuzzy Hash: f7381f910d54b45702fc34180e1fe2687b4c52f9d4af3e67fb7e363e571e8373
Instruction Fuzzy Hash: CF029C75608350ABD311EF25E841B2FBBE4AF95308F44492EF5C897262D239E914CB9B

Function 0042CAD0 Relevance: 2.8, Strings: 2, Instructions: 344COMMON

Download Yara Rule

Strings

KJML, xrefs: 0042CBB3, 0042CBBB
w, xrefs: 0042CE40

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: KJML$w
API String ID: 2994545307-3028343826
Opcode ID: 4633c47ec76e09bc5f344fa9432b6b331caf1fae4f0c009488e9d39b1f9fd13b
Instruction ID: 080b7696ce438855e2865b836230b873bea6a0c21e24f15a690f1c4f281cc9ae
Opcode Fuzzy Hash: 4633c47ec76e09bc5f344fa9432b6b331caf1fae4f0c009488e9d39b1f9fd13b
Instruction Fuzzy Hash: B0B101706083118BE714DF25E881B2FBBE1EF96314F54492EE5C997352E339E844CB9A

Function 00440A70 Relevance: 2.8, Strings: 2, Instructions: 277COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00440C00
4`[b, xrefs: 00440DA0

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$4`[b
API String ID: 0-3640500014
Opcode ID: d1b627fec911b8c28985ab63311d4cc2010a42749d977885f13158c72016bf89
Instruction ID: 4a5db5bc531862a3fafa49679c1da16283dda6f39ad5b5a5d790b33b14943aa6
Opcode Fuzzy Hash: d1b627fec911b8c28985ab63311d4cc2010a42749d977885f13158c72016bf89
Instruction Fuzzy Hash: 3081D3B160C3409BE710DF65E981B2FB7E5EB85709F04482DF6C487252D739E824CB6A

Function 004452E0 Relevance: 1.9, Strings: 1, Instructions: 662COMMON

Download Yara Rule

Strings

f, xrefs: 004454BB

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: f
API String ID: 0-1993550816
Opcode ID: 0a82051139f66ddf593a476851d42ce7362ebefd45d52c377741e50279ceb0fc
Instruction ID: 69f14e0446ed55d0bc363b11fecc12665fd0227c7f6396fa499844b82b808001
Opcode Fuzzy Hash: 0a82051139f66ddf593a476851d42ce7362ebefd45d52c377741e50279ceb0fc
Instruction Fuzzy Hash: 5D32AF716087419FEB14CF18C880B2FBBE1ABC8354F58892EF895973A2D778D845CB56

Function 00413EEC Relevance: 1.8, Strings: 1, Instructions: 559COMMON

Download Yara Rule

Strings

p9A, xrefs: 004140B0

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: p9A
API String ID: 0-2767146494
Opcode ID: cc4438e265543dc60c17e4af3816322dfc04a26b990f0c8e12e52939bdc12f3d
Instruction ID: 2c8aa80ce659a15c762eb3e1e81ca8c73c00eafc5f89e39574f9bbbba22e0185
Opcode Fuzzy Hash: cc4438e265543dc60c17e4af3816322dfc04a26b990f0c8e12e52939bdc12f3d
Instruction Fuzzy Hash: 5812BCB5500B008FD725CF24D980B67B7F2AF86309F14892ED49A87B92E739F845CB59

Function 00426FC0 Relevance: 1.7, APIs: 1, Instructions: 245comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0044EB80,00000000,00000001,0044EB70), ref: 00426FE9

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 6b857c024720ac7b7e352e76ddfa4817e7e42bf3c285e39b0cfbbb18e45e5121
Instruction ID: 6c14e4c9a293253992b80aceda0b72b65ad673230c86ebd3f60838f3fce4d3ea
Opcode Fuzzy Hash: 6b857c024720ac7b7e352e76ddfa4817e7e42bf3c285e39b0cfbbb18e45e5121
Instruction Fuzzy Hash: DE61FEB03082209BDB209B24DC96B7733A4EF82358F144559F986CB390E379E809C76A

Function 004314A0 Relevance: 1.6, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

", xrefs: 00431788

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 3a375ffb791029574d5d487153f84a713dd1c5f8a93d4cec6e8116d322515391
Instruction ID: dac99c5dab73986a5260e87837a74846541daf9fe20671a14200a52273f6332c
Opcode Fuzzy Hash: 3a375ffb791029574d5d487153f84a713dd1c5f8a93d4cec6e8116d322515391
Instruction Fuzzy Hash: CCC159B2A043045BD7148F24C49176BB7E9AF89354F1C9A2FE895873A1D73CDC44C79A

Function 00449620 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

P, xrefs: 004497C7

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: P
API String ID: 0-3110715001
Opcode ID: 096e396a3b36b829a6566558fd17d7f7d8ce7d5dba024e2e843d7647ff22d511
Instruction ID: dd4241a5a5a1caa29915f85dd6641d1f89e5dc2f7704d5486d9f392ef1a7eae6
Opcode Fuzzy Hash: 096e396a3b36b829a6566558fd17d7f7d8ce7d5dba024e2e843d7647ff22d511
Instruction Fuzzy Hash: E9D104329082714FE725CE18989071FB6E1EB85718F168A3DE8B5AB381CB75DC06D7C6

Function 0042DFE0 Relevance: 1.6, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

2B, xrefs: 0042E224

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 2B
API String ID: 0-2489582833
Opcode ID: e7c9954c64a2a2e716abb4006260575443ff31ca00f66fa76071335e070d8145
Instruction ID: 1648f17e86a6f30225877104b632deb72bbb2998103f50de6865a7bf14004587
Opcode Fuzzy Hash: e7c9954c64a2a2e716abb4006260575443ff31ca00f66fa76071335e070d8145
Instruction Fuzzy Hash: 26A15731608391DFD3158F39EC5132A7BE2BF8A312F0986BDE491873A2D739DA458B05

Function 00434629 Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

CIBH, xrefs: 004348CB
)FC, xrefs: 00433FD1, 004341EA, 004341F0
{vry, xrefs: 00433B15
?*$2, xrefs: 0043413A
drG, xrefs: 00433CE5

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: drG$)FC$?*$2$CIBH${vry
API String ID: 0-1492907507
Opcode ID: bc606f07fc9a9b37c0bbc1281e8971c1ba7d3ec63685693cc84bf1c889e06ed2
Instruction ID: cd923c6c2a59a948de96ec4fde7e4145b598f3882073ecf6b485000af5a54b7d
Opcode Fuzzy Hash: bc606f07fc9a9b37c0bbc1281e8971c1ba7d3ec63685693cc84bf1c889e06ed2
Instruction Fuzzy Hash: 40B15C70404B818AE776CF39C490BE3BBE0AF5A304F44589ED4EA87792DB3AB445CB55

Function 00448D80 Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00448F90

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: d7efba24f39cafc4f8138a2c0540639fa06f185e091667fb1a290be13ed1cba3
Instruction ID: 65037cb4b131e6f69ae25d9d0f844069ac1afd20bdace3c3e68c66be08e3ab69
Opcode Fuzzy Hash: d7efba24f39cafc4f8138a2c0540639fa06f185e091667fb1a290be13ed1cba3
Instruction Fuzzy Hash: 3291C371608341ABF720DB15DC41B6FB7E6EB85354F54882EF98487352EB34E840DB9A

Function 00448B90 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00448D40

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: a9deb8d38d84d4afaf040186a8d67045d647737b27c5b75a10c779e7b3d72402
Instruction ID: c5202ddbdcec288203f215c2c9f34064d5f6e2a8da8471ef5e17f24a05bd36fb
Opcode Fuzzy Hash: a9deb8d38d84d4afaf040186a8d67045d647737b27c5b75a10c779e7b3d72402
Instruction Fuzzy Hash: DB511371A09310ABEB159B189C90B3FB7E5EB89314F148A2DF8E5573E1CA35EC01C75A

Function 00425030 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

@QB, xrefs: 0042513A

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: @QB
API String ID: 0-3030980731
Opcode ID: fa7d8ae5b693dd60f6850cd017a17b0abae062ab4b2c1048713c2209d971f0dc
Instruction ID: 6d0cb73502d01e38b06274afbc8596ab77b17627c4c691baab7245b414bc2194
Opcode Fuzzy Hash: fa7d8ae5b693dd60f6850cd017a17b0abae062ab4b2c1048713c2209d971f0dc
Instruction Fuzzy Hash: C8219F74A093109BC310AB18D851A3BB7F5EF93755F848A1DE4D59B392E338CD10CBA6

Function 0044B320 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

@, xrefs: 0044B370

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 405783dcd224cdf1397306dffb70641e0a1f7fae826e9b44d4411e2f7100f4cf
Instruction ID: a91349f1e9a40293b62091c3c1e01b002cddce6e5b6639776973f8a2a5a102dc
Opcode Fuzzy Hash: 405783dcd224cdf1397306dffb70641e0a1f7fae826e9b44d4411e2f7100f4cf
Instruction Fuzzy Hash: 493156705093009BE714DF25D980A2BFBF9FF8A314F14892DF9C897252D339D9048BAA

Function 0040C1C0 Relevance: .8, Instructions: 778COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4631f2e57031adde87b200ba4790210232e1e318b6d81c4360bce7a359158444
Instruction ID: 956be2415fbe3cf17e3c2b9217a92116aac390c51ce612f86c4722e2567f76f6
Opcode Fuzzy Hash: 4631f2e57031adde87b200ba4790210232e1e318b6d81c4360bce7a359158444
Instruction Fuzzy Hash: BF42B331508315CBC725DF18E88026BB3E2FFD4314F258A3ED996A7385D739A951CB8A

Function 00407450 Relevance: .7, Instructions: 658COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4890b7e1405b60d2036cc250fc21e402b4f197dab0f25acee06565f4f699a01d
Instruction ID: e9f524300c54591016e612151c2e6d16e79c1b555d40a7684eed9594cd61b04f
Opcode Fuzzy Hash: 4890b7e1405b60d2036cc250fc21e402b4f197dab0f25acee06565f4f699a01d
Instruction Fuzzy Hash: 9152B331A0C3458FCB15CF24C0906AABBE1BF85314F19897EE89A67391D778E945CF86

Function 0044A510 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7a94d621f91307b6425b2df28a6db3f3defc87c09105d060c306e6a5a959a9
Instruction ID: 12bdd899994ea3f390c2677d5a8b46d1064a99c9932b785e2cc315b4497e3188
Opcode Fuzzy Hash: 0a7a94d621f91307b6425b2df28a6db3f3defc87c09105d060c306e6a5a959a9
Instruction Fuzzy Hash: EFB1BE31A09254DFD704DF28D99166EB7F1FB8A312F0A8829E889D7352D335ED20CB95

Function 00449D22 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfd3633d6ed618898280b2bfa9fcdb0017dbfca5d3d0489a1ceccd4b7ddeeab4
Instruction ID: ba77fbe9a575c5c0e3916e552f8b9e900528f4925402827c04f08fa9a54957d4
Opcode Fuzzy Hash: bfd3633d6ed618898280b2bfa9fcdb0017dbfca5d3d0489a1ceccd4b7ddeeab4
Instruction Fuzzy Hash: 6FB1BA76A04316CFDB00CF64E8A466EB7B1FB4A302F194869D9019B362D3349854DB95

Function 004142E4 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b39d16f317e8d19da953c30fd6ba31bcb37fca65e178eef6612cf70bcdbf204
Instruction ID: 777062db379b90a3490bb9d039b80cdec0e37db8c352507ae385cde0aeea2dbb
Opcode Fuzzy Hash: 4b39d16f317e8d19da953c30fd6ba31bcb37fca65e178eef6612cf70bcdbf204
Instruction Fuzzy Hash: 3AB159B4500B419FD3218F24CA80B67BBF5FF46705F04891DE8AA97A91E339F854CB69

Function 0044B430 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 9d4a0865f99f740c6db4d1f545baa4b7358d8cded0662193f7d95dc8b470dc04
Instruction ID: 71323470c014a4a126a73179cc5a1ef60c16c30d165a2ed76876cba0ed87e0d4
Opcode Fuzzy Hash: 9d4a0865f99f740c6db4d1f545baa4b7358d8cded0662193f7d95dc8b470dc04
Instruction Fuzzy Hash: 0181C0706083019BE7109F68D880A2FB7E6FF95744F25882DE5C58B362D739EC54CB9A

Function 0040F7E3 Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc8c1bd5ce96e5f68242ff809a3884e59ac652b41232c3f29468b36261b81fa
Instruction ID: 70c147ec3628391604478acdee8e0d2f37a7db2c632e37ade1ef48e142da4b81
Opcode Fuzzy Hash: 6bc8c1bd5ce96e5f68242ff809a3884e59ac652b41232c3f29468b36261b81fa
Instruction Fuzzy Hash: 8E711075A142158BCB25CF68C8502BFB7B2BF9A301F18457AD841A77E2D3399809CB58

Function 00445DE0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7831cf32dc2c0b8a978041a18ff1a4a9518294b4dfe30571e244d26eee5d1997
Instruction ID: b5ff81ec9e9af75986a4fac7fb74df821215003c5149bce377154884bf3d8d24
Opcode Fuzzy Hash: 7831cf32dc2c0b8a978041a18ff1a4a9518294b4dfe30571e244d26eee5d1997
Instruction Fuzzy Hash: B561E030608701ABEB10DF15D880B2BF7E6EB85314F24892EF59887362D739EC55CB5A

Function 00444970 Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742f14a2709897ecdbb5e48ca64229ac29e7b7e0da12c54bddaaaaba9491ebdf
Instruction ID: dc97e09a7f7da624c8807c98710862b4dce587ce3812b6c05e15904d13e63158
Opcode Fuzzy Hash: 742f14a2709897ecdbb5e48ca64229ac29e7b7e0da12c54bddaaaaba9491ebdf
Instruction Fuzzy Hash: 31518F716083409BE714DF29D880B2FB7E5EB85325F14892EF58497352C739E8148BAA

Function 0040F63A Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d69a286e2430bbf8d7d29ed6800b71f8178752ddf9001bef238cf64567d83a
Instruction ID: 305a687461efa61535f20c4e30c50516a1adfbbcd579c48b290b171d3c892896
Opcode Fuzzy Hash: 05d69a286e2430bbf8d7d29ed6800b71f8178752ddf9001bef238cf64567d83a
Instruction Fuzzy Hash: BD413835A04210CFCB29CF28D8903BEB3B2FF5A311F18417AD801A7792D739A845C759

Function 00444BC0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8fe51a964e94862e6280fd4530e8e23ea3388074881357ebe8cc1fa4d45db18
Instruction ID: dec6aa83464d3b4264dd44e35dd919ff3509ff86f22b815f22340c26f882f573
Opcode Fuzzy Hash: e8fe51a964e94862e6280fd4530e8e23ea3388074881357ebe8cc1fa4d45db18
Instruction Fuzzy Hash: 8951B3746092009BEB24DF55E980B2BB7E6EBC5305F18882EF4C587321D739DC10CB6A

Function 00405CF0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49a934ef247a52156d8ec0288b7fb744e74ccf73bfd21c8170fa558b5e02194
Instruction ID: a93e7bb16f79f5bee52f37b023afbee245ecc507bf95419d7e2d32b41e93770e
Opcode Fuzzy Hash: b49a934ef247a52156d8ec0288b7fb744e74ccf73bfd21c8170fa558b5e02194
Instruction Fuzzy Hash: 8E51A0B5A046009FC714DF14C480927B7A1FF89328F15467EE899AB392D635ED42CFDA

Function 0044B010 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e751b8f787bac87f8cfd85bdda4c79210fa0da3de7a9e49238e203542471c3f4
Instruction ID: 67ff51331bc586e3258e30a007c696559b29967afb165d85162e472efda89275
Opcode Fuzzy Hash: e751b8f787bac87f8cfd85bdda4c79210fa0da3de7a9e49238e203542471c3f4
Instruction Fuzzy Hash: AB41CF74208300ABE7149F24DD91B2FB7E6EB85755F24882DF58897352D339EC10CB9A

Function 0044B1A0 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d7b21b20dac4ed1bd6ec73c56021cf920500350a9747a94f58476bfd9bcc6f6
Instruction ID: 7bb1e064a9e3fe809587a2e583d5bbbc0ac817289a77bfc4f351f9a1e2f1ca79
Opcode Fuzzy Hash: 0d7b21b20dac4ed1bd6ec73c56021cf920500350a9747a94f58476bfd9bcc6f6
Instruction Fuzzy Hash: F741AF34208300ABE7149F25ED94B2FB7E6FB85715F14886DF88957351D379E810CB9A

Function 00435519 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e24e261311531be54728c1f7de490a8c5844de532af9053c9630d86519809ba
Instruction ID: 7a9764bf3efe6304778dabb77bcc631861f8f1a38c5e90041bb2cad766b257b8
Opcode Fuzzy Hash: 7e24e261311531be54728c1f7de490a8c5844de532af9053c9630d86519809ba
Instruction Fuzzy Hash: 11416A72505F418FC324CB29C491363B7E2AF59324F699A1EC4AA47B91E338F805CB59

Function 00414692 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a6c332c5d3211bb44ff9af79ab587ffb2f10c5d39c5de35afcf0ad077f2112
Instruction ID: a376e7b36b3188e4cd9addea55493a65cc0f09d2769b96ef42937a54c16a89e2
Opcode Fuzzy Hash: 57a6c332c5d3211bb44ff9af79ab587ffb2f10c5d39c5de35afcf0ad077f2112
Instruction Fuzzy Hash: 02313EB4500B009BD735CF24C480AA3BBF5BB59300F154A2ED49787752E779F989CB99

Function 0043FE90 Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f0085e10853b1e2969aa1028db42883cbeaeadcd86b2518a4c6ae1f0978dd0f
Instruction ID: a7d9893a673cfc8e199ffc65db64a738f37302f500c8e91188f8a16d540f37a9
Opcode Fuzzy Hash: 9f0085e10853b1e2969aa1028db42883cbeaeadcd86b2518a4c6ae1f0978dd0f
Instruction Fuzzy Hash: 9C210332D082104BC3249B59848152BF7E5EB9E704F16A62FED84973A5E3389C1887EA

Function 00404CB0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 609c9fe2b85b6fa7177e1b6ed724a188d16551f5cddb16224451ebaab9e6e429
Instruction ID: d5cb594caa8decbb0462b1d43e6d8ce9a9ace7f061841147579c4ba8b6174a16
Opcode Fuzzy Hash: 609c9fe2b85b6fa7177e1b6ed724a188d16551f5cddb16224451ebaab9e6e429
Instruction Fuzzy Hash: 5131BBB16042009BD7149F19D88092BB7E1EFC4319F14493EE999AB3D5D339EC42CB4A

Function 0043BFF0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 5cf3d3f30d9613fe2714edcff59f0b0304f0c98455ce6f2d5f572e95ba5a2b3d
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 10114C33A051D04EC31A8D7C844056ABFF30A97274F2D939AF4F5AB2D2D6278D8B8359

Function 00430CC0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaac78c8cd68a7ef2a1be881b231878366a9c247148d4d2edc3e404ad033c8a4
Instruction ID: ed189d3e896a10b0522a78e84ad2b8f9b6df22bdec7557734b8ad8c6367bbd7f
Opcode Fuzzy Hash: aaac78c8cd68a7ef2a1be881b231878366a9c247148d4d2edc3e404ad033c8a4
Instruction Fuzzy Hash: 4E019EB160030187E7209F65E4E072BA2E86F98708F18273EE80957342DB79EC098299

Function 0043910C Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59f5e468a665b6614cdaf652ec57e02a503b3cbdf54c46e0d058b3155dca0263
Instruction ID: 1143063129ae067a2310e813a7ac3cd5872c45bc9fc8c24add8bef49e4b85578
Opcode Fuzzy Hash: 59f5e468a665b6614cdaf652ec57e02a503b3cbdf54c46e0d058b3155dca0263
Instruction Fuzzy Hash: 3711F3F0901B00AFD360EF3AC94A747BAE8FB45350F508A0DE8AA87391D735A4048B96

Function 0041AB90 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6741416765b83c74a1c2c5cba02842341f77218c3f9d8f562cc197a6a78b22bd
Instruction ID: de6e10c6ac35777bcd7977231f09f0839b9338373d8b97cfe4fbdb5b7db4e514
Opcode Fuzzy Hash: 6741416765b83c74a1c2c5cba02842341f77218c3f9d8f562cc197a6a78b22bd
Instruction Fuzzy Hash: 31F027B1A0819017DB218D449C80FB7BBADCB87228F190456EA8157202E1356C9083EE

Function 00442410 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: e276e2e20c09421a09e08c01a3586b5c7f2cd1a113514abf4008fb378859171c
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: D1D0A72160832146AB788E1AA500977F7F0EAC7B11FC9A55FF582E3248D634DC41C2BD

Function 0043ACD2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043AD1D
GetSystemMetrics.USER32 ref: 0043AD2C

Strings

, xrefs: 0043AE00

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 7c882c57007ae2b99843c88eb0c07b372622de9aeed33002503f8c382e2d4657
Instruction ID: d31701c45078c7d4269a8adf496a0dfe1e86747451595843b7a2005472f7adb8
Opcode Fuzzy Hash: 7c882c57007ae2b99843c88eb0c07b372622de9aeed33002503f8c382e2d4657
Instruction Fuzzy Hash: 9A5180B4E142189FDB40EFACD985A9EBBF0BB48310F11852DE858E7350D734A949CF86

Function 0043A77C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0043A7B1
GetSystemMetrics.USER32 ref: 0043A7C0

Strings

, xrefs: 0043A86B

Memory Dump Source

Source File: 00000002.00000002.1788555062.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 013dc761e4909440771d46bafdb638bb20e567719734dc29c98b96e9aaa0edbc
Instruction ID: 5819706d29ef5a07fa912cd141edfc67d55658e54de8dc311193a39933180409
Opcode Fuzzy Hash: 013dc761e4909440771d46bafdb638bb20e567719734dc29c98b96e9aaa0edbc
Instruction Fuzzy Hash: 5C319FB49182009FDB00EF78D985A1EBBF4BB89304F11853DE898D7360D774A949CF86

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gZzI6gTYn4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\gZzI6gTYn4.exe.log

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
gZzI6gTYn4.exe

Function 02932145 Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 00EF0C40 Relevance: .3, Instructions: 320
COMMON

Function 00EF1218 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Function 00EF1220 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 0040D470 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 153
threadCOMMON

Function 00447AC9 Relevance: 5.3, Strings: 4, Instructions: 253
COMMON

Function 004476D0 Relevance: 1.5, APIs: 1, Instructions: 14
libraryCOMMON

Function 00447E1B Relevance: 1.3, Strings: 1, Instructions: 97
COMMON

Function 00447D38 Relevance: .5, Instructions: 487
COMMON

Function 0040F807 Relevance: .4, Instructions: 390
COMMON

Function 0040F042 Relevance: .3, Instructions: 268
COMMON

Function 0044445C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 23
memoryCOMMON

Function 00444470 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5
memoryCOMMON

Function 00444490 Relevance: 1.6, APIs: 1, Instructions: 62
memoryCOMMON